Great 64-bit resources

Since we’ve been highlighting issues and insights in Vista 64-bit security, we thought we’d send readers off for the holidays with a link to a great resource on that topic: x(perts)64. This is a blog edited by Charlie Russel, friend of VPN Haus and consummate expert on all things x64. His site is an absolute treasure trove of wisdom related to x64 security issues and more. Great reading for a cold night curled up by the...

PCI DSS VPN issues

Received an interesting message from an end user the other day… We are a large website that deals with a user’s credit card data and therefore must be PCI (Payment Card Industry) compliant.  Some of our workstations are running Windows 2008 Server 64-bit which the Cisco VPN client doesn’t support. However, your NCP VPN client does! Our own network administrators have informed us that using another client against our Cisco VPN server would violate PCI compliance. I’m not sure if this is the actual picture or just a part of the picture. Do you have any knowledge of why our scenario would violate PCI compliance? Can anyone help us understand PCI compliance stipulations around VPNs? Is there something in there about using different vendors for client and...

What we're reading, week of 12/15

From TaoSecurity… Jeremiah Grossman on Justifying Security Spending
Richard Bejtlich points us to Jeremiah Grossman’s list of five ways to justify security spending. A very well-reasoned contribution to the “security ROI in a recession” debate.

From Rational Survivability… Beyond the Sumo Match: Crosby, Herrod, Skoudis and Hoff…VirtSec Death Match @ RSA!
Christofer Hoff announces that he’ll be speaking on a virtualization security panel at RSA alongside executives from Citrix, VMware, and InGuardians. A sumo suit wrestling match may be involved.

From Security Fix… Microsoft: Big Security Hole in All IE Versions
Brian Krebs reports on a critical security hole in all versions of Internet Explorer. “Microsoft now says the flaw affects all supported versions of IE, and because security experts are warning that a large number of sites are being compromised in an effort to exploit this vulnerability and install malware on vulnerable systems.”

From Zero Day… Firefox tops list of 12 most vulnerable apps
Meanwhile, Ryan Naraine points out that Firefox is having some problems of its own. Other unlikely candidates in the top 12 list of vulnerable programs included iTunes, Adobe Acrobat and MSN...

The Good and Bad in 64-Bit Vista

We’ve written before about the trouble with VPN support for Vista x64. This week in PC Magazine (syndicated to ExtremeTech), Michael Miller discusses again the surprises users may encounter when using Vista x64 to connect to a Cisco VPN:

“And finally, I come to the program that has caused me the most trouble: the Cisco VPN client. The traditional client, which uses the IPSEC protocol to connect with a corporate server, does not support 64-bit; and currently Cisco has no announced plans to do a version that supports it. Instead, the company suggests switching to its AnyConnect VPN software, but that requires an SSL connection – a major change to a company’s security infrastructure that is far more complex than buying a new PC. I’m annoyed and disappointed at Cisco’s decision here.”

Any readers dealing with this issue in either the corporate or personal sphere? We’re interested in hearing if you’ve negotiated the switch to AnyConnect, refrained from using Vista x64 in your environment, or come up with another way to meet the needs of users working on an OS that is incompatible with the company’s security infrastructure. Please leave a comment with any...