Links Directory

Here are some links of interest.

Thank you to those who take the time to reach out to us with questions or comments about the link directory. Please note that while we appreciate the heads-up we sometimes receive about dead or outdated links, we do not update this list often.

Access Control

Bank (http://www.privcom.gc.ca/media/nr-c/2008/nr-c_081127_e.asp)

We usually think of access control in terms of identification, authentication, and authorization: accountability tends to get left to last. This story was interesting in that the problem stems from a failure of accountability.

Calculus CAPTCHA (http://www.theregister.co.uk/2011/03/09/calculus_based_captcha/)

A bit more sophisticated than optical character recognition.

DataLossDB (http://datalossdb.org/)

The Open Security Foundation’s (OSF) DataLossDB project is an interesting resource for information about data and confidentiality breaches. At a glance, it gives you news, latest breaches, a timeline of breach numbers, a “top ten” list, and other references you can use in security awareness materials, or for risk analysis.

facebookpriv (http://www.allfacebook.com/2009/02/facebook-privacy/)

Little known and seldom used settings that can help improve the privacy and security of your Facebook account. Similar settings may be available (and unused) on other social networking sites as well.

Flash settings (http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html)

The Flash security settings panel, particularly the microphone and Webcam setting.

MiFare presentation at DEFCON (http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf)

This is the presentation that was banned by a Boston court, detailing the specifics of how to defeat the “protections” on the Boston transit MiFare card. The same system is also in use elsewhere.

Pentest Standard (http://www.pentest-standard.org/index.php/Main_Page)

An attempt at a standard for penetration testing. Given the complexity of drawing up a pentest contract, I’m all for the idea, but I’m not sure how well this one works out. Probably needs more work.

SSN algorithm (http://arstechnica.com/tech-policy/news/2009/07/social-insecurity-numbers-open-t…)

Given the importance and wide use of US Social Security Numbers (even though the use is legally restricted), this article on how to determine SSNs is fairly important.

Web SSO (http://sso-analysis.org/)

An analysis of current Web-based federated ID and single-signon systems. Research paper, online checking tool, and a discussion forum.

Authorization

“Trusted Computing” FAQ (http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html)

Luhn formula (MOD 10 check) (http://www.darkcoding.net/index.php/credit-card-numbers/)

Role-Based Access Control (http://csrc.nist.gov/rbac/)

Biometrics

Biometric Consortium (http://www.biometrics.org/)

Might have been better in vendors, but …

Biometrics article (http://www.cccure.org/Documents/HISM/033-037.html#Heading3)

Good article from the 1998 edition of the ISMH.

Face Recognition Vendor Tests (http://www.nist.gov/itl/iad/ig/frvt-home.cfm)

US government and military sponsored program to assess face recognition biometric products.

Irises (http://www.photographyserved.com/Gallery/Your-beautiful-eyes/428809)

Some great high-resolution shots of human irises. The detail here shows why iris scanning can be used as a distinguishing biometric.

Pawsense keystroke analysis (http://www.bitboost.com/pawsense/index.html)

Pawsense is a program to determine whether a cat has been walking across your keyboard, and to disable the keyboard input until reactivated. It’s a bit of a joke, but an example of keystroke analysis biometrics.

Passwords and Passphrases

CAPTCHA (http://www.captcha.net/)

hard passwords (http://www.time.com/time/magazine/article/0,9171,2089349,00.html)

Cute essay about password choice (although not much useful help).

Inkblot password generator/reminder (http://research.microsoft.com/displayArticle.aspx?id=417)

Naked password (http://www.nakedpassword.com/)

OK, this is probably a bad idea, but it does make some points about password choice. This is a system that you can install alongside your password-choice or password-change feature. As the user enters the password, it is analyzed for strength (length, character set, non-alphabetic characters, etc.). The stronger the password, the more of a picture of a lady is … revealed. On the one hand, it provides motivation for choosing stronger passwords. On the other, it may distract the user from memorizing the password. On the third hand, it may violate company policy, or open you to sexual harassment charges. Any takers for finding some other means of motivation that is less distasteful or troublesome?

Top 500 worst passwords (http://www.whatsmypass.com/?p=415)

When having a discussion about passwords, if someone is recalcitrant, it might be an idea to point them at this and see if they turn red …

Top 500 worst passwords (http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time)

A list of the top 500 most frequently used (and therefore eminently guessable) passwords. If you see yours, change it.

WPACracker (http://www.wpacracker.com/)

Polly wanna crack a WPA network? A cloud-based cluster is offering to help out, for a small fee. You send them a data capture, and they run a 130-million-word dictionary against it, in as little as 20 minutes. Do you trust them? Are they going to be used to crack WPA networks? Is this sufficient impetus to move to WPA2? Are you going to create a longer passphrase?