Enabling Secure Business Operations

New Gemini Website

After a lot of hard work, we are today unveiling our new website and logo to the world at http://geminisecurity.com.

Also stay tuned later today for a press release involving the SAFE-BioPharma Association.


Googling for Vulnerabilities

CDC has announced a software tool allowing people to leverage Google’s massive store of information to identify possible flaws in websites. The software, termed “Goolag Scanner,” is open source and available for free. It might be an interesting addition to the toolkits of security researchers.

According to the article:

The tool lets people with fundamental programming skills check websites or Internet domains for weaknesses that could be exploited by hackers…
The group said it uncovered “some pretty scary holes” through random tests of the tool in North America, Europe, and the Middle East.

Worth checking out — the source and specifications are available on the Goolag Scanner homepage.


8 Landmarks in Information Security History

CSOOnline has a story highlighting 8 landmarks in information security history.

1971: Captain Crunch Whistle
1988: Morris Worm
1994: Citibank Heist
1995: The Celebrity of Kevin Mitnick
2004: Witty Worm
2005: Titan Rain
2005: ChoicePoint Debacle
2007: Storm Worm

Have others to add? Think they got this set wrong? Comment below!


Hacking Trains

While the title “Polish teen derails tram after hacking train network” is a little deceiving, note that the 14-year-old modified a TV remote to control track junctions along the tram line in the Polish city of Lodz. Pretty impressive work. Now for the scary part:

Transport command and control systems are commonly designed by engineers with little exposure or knowledge about security using commodity electronics and a little native wit. The apparent ease with which Lodz’s tram network was hacked, even by these low standards, is still a bit of an eye opener.

I’ll say.


Another Injection Attack

OK, this one is just theoretical :)


Saving Lives with PKI and SAFE Digital Signatures

I presented at the MS-HUG Tech Forum today in Redmond. The title of my presentation was Saving Lives with PKI and SAFE Digital Signatures, and it provided information about Microsoft’s Identity Management solutions and the Office 2007 SAFE Signature Plugin we wrote. I co-presented with Avi Ben-Menahem, Lead Program Manager for PKI and Smart Card technologies at Microsoft.

The presentation is available for download in pptx and pdf formats.

I welcome any comments or questions!


Handwriting Recognition For Password Authentication

Pretty neat – allowing users to authenticate themselves by recognizing their own handwriting.

On the contrary, Dynahand needs no extra hardware or memory. You simply need to submit a variety of handwriting samples to open a Dynahand account. And to log on you need to select your own handwriting from the list displayed.

Of course there are many problems with this – family, friends, and even ex-boyfriends will probably know what your handwriting looks like. You could, however, write in a certain way that you’re sure to recognize – maybe dot your “i”s a bit to the left or something like that. It takes time to set up though, and is best as a goodie to protect items that are likely to end up in the hands of strangers – PDAs and laptops, for example.

[via Slashdot]


Seeing Through Walls

This attack is very cool. [via Schneier on Security]

With a flat panel display the aim is to tune into the radio emissions produced by the cables sending a signal to the monitor. The on-screen image is fed through the cable one pixel at a time. Because they come through in order you just have to stack them up. And Kuhn has worked out how to decode the colour of each pixel from its particular wave form.

Here is an image that was taken using this method:

In case you’re wondering, laptops are not immune either.

I like this potential information stealing method because it goes for a very weak component of the system much like keystroke loggers do.

It’s the computer way of kicking a mugger in the groin, using caltrops to stop car chases, or feeding sharks before swimming with them so they don’t eat you.


7 Years of Spam Statistics

Well, almost 7. A bunch of them. [via SANS]


Security Breached?

The folks at Dark Reading have a story called What to Do When Your Security’s Breached.

The following are six steps you should take if you encounter a possible security breach. Some experts recommend eight, some have 10, but these are the ones that most authorities agree on. Oh, and they also agree on this: You should have done the first three steps before you had the breach.

1. Assemble an incident response team.
2. Assess the initial damage and the risk for more.
3. Develop a notification plan.
4. Begin remediating the problem.
5. Document everything.
6. Develop a strategy for stopping the next attack.

It’s worth a read. And, you should really consider working on those first three steps…
