Secure Computing Magazine explains what the Trusted Platform Module (TPM) is, and what it can be used for. It stops short of explaining how to use it but has links to other sites that do so. The TPM is a hardware crypto module on a chip, pre-installed by the manufacturers in ~100 million PCs. Being hardware based makes it more resistant to attacks than pure software based crypto systems - note 'more resistant to' not 'totally secure against'. I'm sure it's only a matter of time before some enterprising hacker hacks the TPM, perhaps using side channels (e.g. power consumption) or electron microscopy, attacks that have worked to some extent against smart cards. Meanwhile, TPM is considered stronger than normal software-based password vaults etc. Here's a list of the top 10 uses for TPM, extracted from the article: 1. Multi-factor authentication. 2. Strong login authentication. 3. Machine binding. 4. Digital signatures. 5. Password vaults. 6. File and fold

We've just released our latest security awareness module on "information security risk management". The title is deliberately a bit ambiguous - in fact it cover mostly risk management in an information security context, plus a bit of information security management and a sprinkling of IT operations for good measure. Identifying and managing information security risks is of course a key objective for information security managers. The module dispenses sage advice to managers and IT professionals on exactly what is involved in the infosec risk management process. For general employees, we emphasize the "What's in it for me?" aspect by drawing parallels between managing infosec risks at home and at work. You'll need to subscribe to NoticeBored to see the whole module in all its glory, and receive another one each month. We work this way to encourage customers to deliver rolling/continuous awareness programs. It seems to us a month is long enough to

The Information Card Foundation is a trade body representing "a group of thoughtful designers, architects, and companies who want to make the digital world easier for you by building better products that help you get control of your personal information", and promoting the concept of "Information Cards". There are some big- and not-so-big-name backers . Billed as "the digital version of the cards in your wallet" and "the new way to control your personal data and identity on the web", Information Cards (also known as InfoCards or I-Cards) are stored in an identity selector ("selector" or "digital wallet") on your desktop, browser or mobile device. Websites that accept Information Cards access the stored card, retrieving user identity and authentication information automatically without the user having to login in the conventional way. Other information such as your shipping address can also be retrieved automagically. So fa

At last! Indiana has seen the light! A new Indiana state law comes into effect on July 1st mandating disclosure of breaches involving loss or theft of laptops containing personal data, even if the data are 'protected by a simple password' (such as a normal Windows or Linux login password, presumably). "Public Law 136 (House Enrolled Act 1197) requires businesses to notify consumers when any of their personal information is contained on a laptop that has been lost or stolen unless that information is encrypted," Pierce said. Current law does not require consumers to be notified about a lost or stolen laptop if personal information about them on the laptop is protected by a simple password. The article goes on to explain that 'a simple password' can be compromised by brute force attack, which is often true but is not really the point. A hacker with unrestrained physical access to a laptop could remove the unencrypted hard drive, install it on another system

A survey by CompTIA on security for mobile IT devices reveals the continuing lamentable and rather puzzling lack of investment in security awareness: "Seventy-one per cent of respondents said their organizations allow mobile and remote employees to access data and networks, but only 39 per cent said their organizations have implemented security awareness training and education. Only 19 per cent said they intend to implement such training in 2008. The good news is that of the organizations that have implemented security awareness training for remote and mobile employees, 92 per cent of respondents said they believe the number of major security breaches has been reduced." So, security awareness works but few organizations are using it. More fool them! Jay Cline, writing in Computerworld , describes the top five mistakes of privacy awareness programs: 1. Doing separate training for privacy, security, records management and code of ethics. 2. Equating "campaign" wi

ICANN's Security and Stability Committee has released a 12-page advisory on ' registrar impersonation phishing attacks ' - in other words, phishing attacks targeting domain name owners ("registrants" in ICANN-speak). Owners' contact details are usually published and can be interrogated for free through WHOIS. Putting the target person's contact details together with the fact that they have registered a domain name provides the phishing hook. Owners are invited to 'login and update their contact details', whereupon the phisher steals the login credentials and, presumably, manipulates the DNS entries for their own nefarious purposes.