Archive for December, 2008

Great 64-bit resources

Posted: December 23, 2008 in 64-Bit, Posts

Since we’ve been highlighting issues and insights in Vista 64-bit security, we thought we’d send readers off for the holidays with a link to a great resource on that topic:

x(perts)64

This is a blog edited by Charlie Russel, friend of VPN Haus and consummate expert on all things x64. His site is an absolute treasure trove of wisdom related to x64 security issues and more. Great reading for a cold night curled up by the fire!

PCI DSS VPN issues

Posted: December 17, 2008 in PCI, Posts

Received an interesting message from an end user the other day…

We are a large website that deals with a user’s credit card data and therefore must be PCI (Payment Card Industry) compliant.  Some of our workstations are running Windows 2008 Server 64-bit which the Cisco VPN client doesn’t support. However, your NCP VPN client does!

Our own network administrators have informed us that using another client against our Cisco VPN server would violate PCI compliance. I’m not sure if this is the actual picture or just a part of the picture.

Do you have any knowledge of why our scenario would violate PCI compliance?

Can anyone help us understand PCI compliance stipulations around VPNs? Is there something in there about using different vendors for client and server?

What we’re reading, week of 12/15

Posted: December 15, 2008 in Highlights

From TaoSecurity…
Jeremiah Grossman on Justifying Security Spending
Richard Bejtlich points us to Jeremiah Grossman’s list of five ways to justify security spending. A very well-reasoned contribution to the “security ROI in a recession” debate.

From Rational Survivability…
Beyond the Sumo Match: Crosby, Herrod, Skoudis and Hoff…VirtSec Death Match @ RSA!
Christofer Hoff announces that he’ll be speaking on a virtualization security panel at RSA alongside executives from Citrix, VMware, and InGuardians. A sumo suit wrestling match may be involved.

From Security Fix…
Microsoft: Big Security Hole in All IE Versions
Brian Krebs reports on a critical security hole in all versions of Internet Explorer. “Microsoft now says the flaw affects all supported versions of IE, and because security experts are warning that a large number of sites are being compromised in an effort to exploit this vulnerability and install malware on vulnerable systems.”

From Zero Day…
Firefox tops list of 12 most vulnerable apps
Meanwhile, Ryan Naraine points out that Firefox is having some problems of its own. Other unlikely candidatesd in the the top 12 list of vulnerable programs included iTunes, Adobe Acrobat and MSN Messenger.

The Good and Bad in 64-Bit Vista

Posted: December 10, 2008 in 64-Bit, Posts

We’ve written before about the trouble with VPN support for Vista x64. This week in PC Magazine (syndicated to ExtremeTech), Michael Miller discusses again the surprises users may encounter when using Vista x64 to connect to a Cisco VPN:

And finally, I come to the program that has caused me the most trouble: the Cisco VPN client. The traditional client, which uses the IPSEC protocol to connect with a corporate server, does not support 64-bit; and currently Cisco has no announced plans to do a version that supports it. Instead, the company suggests switching to its AnyConnect VPN software, but that requires an SSL connection – a major change to a company’s security infrastructure that is far more complex than buying a new PC. I’m annoyed and disappointed at Cisco’s decision here.

Any readers dealing with this issue in either the corporate or personal sphere? We’re interested in hearing if you’ve negotiated the switch to AnyConnect, refrained from using Vista x64 in your environment, or come up with another way to meet the needs of users working on an OS that is incompatible with the company’s security infrastructure. Please leave a comment with any feedback!

What we’re reading, week of 12/8

Posted: December 8, 2008 in Highlights

From DevCentral…
Security is not a luxury item
Lori MacVittie writes about the mistakes some corporations might be tempted to make when evaluating security budgets in a tough economic time. “In times when budgets are tight, the trick is not only to determine what’s necessary, but also to squeeze the most functionality out of every investment.”

From ITSecurity…
Don’t Overlook Cheap Security Devices
File this one in the “back down to earth” column – ITSecurity reminds us that common sense security is still key. Invest in a paper shredder. It’s always important to remember that the most advanced technology and strategic thinking won’t save you if you’ve failed to cover the basics.

From Schneier on Security…
Prisoner Escapes by Mailing Himself Out of Jail

Bruce Schneier points us to this week’s most eyebrow-raising security story. The moral of the story this week? Take some time to consider what may have been overlooked!