Tuesday 12 April 2011

Switzerland, Hotel Check in and the Police

An interesting item on Swiss National Radio DRS1 (German) this morning. In certain cantons, when you check in to stay in a hotel, your details go straight to the police electronically. The police then check whether the hotel guest is a person of interest.

The Data Protection Officer for Canton Zurich is not happy with this situation and is looking to get it changed. In the meantime, he suggests submitting as little information as possible when checking in to the hotel. The other cantons mentioned are Lucerne and Basel Stadt.


Sunday 10 April 2011

BBC Article on CEOP Website Security

There is an article on the BBC about a security vulnerability found on the Child Exploitation and Online Protection Centre (CEOP) website. According to the BBC:

"A member of the public found a form on the Child Exploitation and Online Protection Centre's website - to report alleged offenders - was unencrypted.
Security experts have described the breach of data as a serious error which could have put children at risk.
There will now be a full investigation by the Information Commissioner's Office.
The unencrypted pages meant personal details entered on the site could have been visible to anyone with a sinister motive."

So it looks like the non-use of SSL on a website is a serious error which warrants a full investigation by the ICO. Granted, CEOP processes sensitive information.

What does all this mean? What about the gazillion other websites that children use and which don't force the use of SSL? Answers on a postcard......
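As an added example (not from this post or the BBC article), here is a small check a site owner can run over a page's HTML to find forms that would submit their fields without TLS, which is the defect the article describes; the page URL and HTML below are constructed for illustration.

```python
"""Flag HTML forms that would submit personal data without TLS (added example).

Report each <form> whose resolved action URL is not https://: a relative action
on an http:// page, or an explicit http:// action, sends the fields in the clear.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect the action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # A missing or bare action attribute means "post back to this page".
            action = dict(attrs).get("action") or ""
            self.actions.append(action)


def insecure_forms(page_url, html):
    """Return the resolved action URLs of forms that would submit over plain HTTP."""
    parser = FormCollector()
    parser.feed(html)
    insecure = []
    for action in parser.actions:
        # Empty or relative actions resolve against the page URL itself.
        target = urljoin(page_url, action)
        if urlsplit(target).scheme.lower() != "https":
            insecure.append(target)
    return insecure


# Constructed sample: an http-only page carrying a report form (hypothetical URLs).
SAMPLE_URL = "http://www.example.org/report"
SAMPLE_HTML = """
<html><body>
<form method="post" action="/report/submit">
  <input name="suspect_name"><input name="child_name"><input type="submit">
</form>
<form method="post" action="https://secure.example.org/contact">
  <input name="email">
</form>
</body></html>
"""

if __name__ == "__main__":
    print(insecure_forms(SAMPLE_URL, SAMPLE_HTML))
```

Only the first form is flagged; the same HTML served from an https:// page resolves its relative action to https and is reported clean.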


Thursday 7 April 2011

OWASP Zürich Meeting Tuesday April 12th - I am Speaking

I am speaking at the OWASP Zürich Meeting on Tuesday April 12th at 17:00. It looks like it will be held in the refined surroundings of the Rheinfelder Bierhalle in Niederdorf.

The title of the talk is not really defined - but the Security Requirements Quick Reference will do for now .... or maybe the Security Requirements Cheat Sheet

I intend to cover the Security Requirements (Section 2) of my SDLC Quick Reference. Basically, how do you go about specifying the security requirements that your web application should meet? Topics will include data classification, data flow diagrams, threat analysis, etc. The talk will use a simple fictitious website as a basis.

So if you are interested in how you go about gathering security requirements for your application please come along.

More details on the OWASP Switzerland mailing list.

PS: ... and if you can't attend the meeting, do have a look at the SDLC Quick Reference on this blog.
