There's a good bluesnarfing story over at Slashdot
March 2004 Archives
Martin McKeay's Network Security Blog: Scary uses for Google
Found a link to an interesting story at SecurityFocus about using Google to search for things like passwords that the owners of the pages probably don't realise are public.
Also got another blog for my blogroll :o)
eWeek is carrying a story covering some Forrester research comparing vulnerability levels and response times across a range of vendors.
The thing that always strikes me about this kind of research is whether they are comparing like with like. For example, if they are comparing ALL vulnerabilities in Microsoft software with ALL vulnerabilities in the software of a given Linux distribution, then that's really a bit meaningless in the real world. Who is going to have all that software installed in a given environment?
A far more meaningful way of presenting the information would be to establish typical usage profiles, for example "corporate desktop" or "web server", state what packages each of those would contain, and then measure the vendors on the vulnerability levels present in those packages.
My gut feeling, although I could be wrong, is that Microsoft would probably come out worst in that kind of analysis. Many of the vulnerabilities they have had recently have been in core parts of their system (ASN.1 being a good example) which would appear in every loadset, and their overall strategy seems to involve a lot of integration between systems, leading to a larger overall attack surface.
NewsForge | Open Source Vulnerability Database Goes Live
There's a story over at NewsForge covering a new Open Source Vulnerability Database. It's not too clear to me at the moment how this differs from things like CERT.
This story over at Zone-H.org makes an interesting point about eEye's outstanding vulnerabilities which they've reported to Microsoft.
One point of view that you could take from this is that Microsoft is pretty famous for the amount of integration in its products, and as the number of products and the amount of code in those products increases, the cost and time required to fix a vulnerability will also increase. On the eEye page you can see that they've got vulnerabilities that they reported to Microsoft 200+ days ago which they regard as critical and which have not been patched.
Given eEye's approach of non-disclosure this isn't too serious a problem. However, if we assume that Microsoft has been working hard to patch these problems (and we've no reason to assume that's not the case), what would happen if they got an equally serious vulnerability from a source who believed in publishing after only, say, 10 days of notification, or even worse, one who decided to post exploit code first and ask questions later?
If it takes 200+ days to patch the problem, that would leave a pretty large window of exploitation and potentially a lot of damage to systems around the world.
ISS slammed for 'selling' security patches - ZDNet UK News
This story over at ZDNet is covering ISS's insistence that only customers with maintenance contracts will get patches for the vulnerability in their products exploited by the Witty worm...
I really hope this isn't a continuing theme amongst software vendors, as the only result will be an increasing number of machines that will never be patched against malicious code.
Also, I've got to say that I'm really surprised to see this stance from a vendor of security products, as you would think that they of all people would understand the consequences of leaving people with faulty firewall software!
Security links, tietoturvalinkkejä
an excellent listing of PKI links
Talisker Security Products and Service Website provides a good categorised set of links on various security/firewall/forensic topics
First off, I'm thinking of an Ethernet-style tap, not a water one ;op
I was thinking today: more and more people are connected to broadband these days. If I was selling information appliances, by which I mean dedicated pieces of hardware which process information (like the Amstrad emailer), I'd want to be able to tap into the broadband connection, but I wouldn't want to try and guide non-technical users through the hassle of setting up some form of Internet connection sharing (NAT), be it software or hardware.
So, what if I just tapped into the connection.... If you attached a network bridge to the Ethernet side of an ADSL modem (between the PC and the ADSL modem) you'd be able to see all the traffic as it goes by...
Then use UDP to send traffic upstream to your server; that way it doesn't matter if you don't have an IP address for your device. UDP data is stateless, so no problem...
Then there's the reverse, i.e. can the server send to the device? That part would require the device to work out the IP address of the PC it's installed next to, but given that it can see traffic as it goes by, it can just pull the address from the packet stream. So once it's got the address it passes that to its server, and then if the server sends UDP traffic to that IP address (obviously on a port that the PC isn't listening on) the tap will pick it up and be able to use it....
The advantage of all this is that you can send traffic on a user's broadband connection without disturbing their existing environment at all..
There are some downsides though. You'd need to put all the intelligence for things like authentication into the application level of the device (otherwise you'd be a great target for forged traffic from unscrupulous types).
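Since the tap has no IP address of its own and listens to whatever arrives on the PC's unused port, anything on the path can inject datagrams at it. The check the last paragraph calls for has to live in the application layer. The following is an added example, not code from the original post: a minimal authenticated datagram format with a per-device shared key, an HMAC-SHA256 tag over the whole body, and a monotonic counter so that a captured datagram cannot be replayed. The layout, the device ids and the keys are assumptions constructed for the example.

```python
import hashlib
import hmac
import struct

# Assumed datagram layout (constructed for this example, not a real protocol):
#   4-byte device id | 8-byte monotonically increasing counter | payload | 32-byte HMAC-SHA256 tag
HEADER = struct.Struct("!IQ")
TAG_LEN = hashlib.sha256().digest_size


def build_datagram(key: bytes, device_id: int, counter: int, payload: bytes) -> bytes:
    """Build an authenticated datagram; the tag covers header and payload."""
    body = HEADER.pack(device_id, counter) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Server or device side: accept only authentic, fresh datagrams."""

    def __init__(self, keys: dict):
        self.keys = keys          # device id -> shared secret key
        self.last_counter = {}    # device id -> highest counter accepted so far

    def accept(self, datagram: bytes):
        """Return the payload if the datagram is authentic and not a replay, else None."""
        if len(datagram) < HEADER.size + TAG_LEN:
            return None
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        device_id, counter = HEADER.unpack_from(body)
        key = self.keys.get(device_id)
        if key is None:
            return None
        expected = hmac.new(key, body, hashlib.sha256).digest()
        # Constant-time comparison so a forger cannot time their way to a valid tag.
        if not hmac.compare_digest(tag, expected):
            return None
        if counter <= self.last_counter.get(device_id, -1):
            return None            # replay or out-of-order duplicate
        self.last_counter[device_id] = counter
        return body[HEADER.size:]


if __name__ == "__main__":
    key = b"constructed-shared-key"        # constructed; provision per device in practice
    receiver = Receiver({7: key})
    good = build_datagram(key, 7, 1, b"reading=42")
    print(receiver.accept(good))           # b'reading=42'
    print(receiver.accept(good))           # None (replayed counter)
    forged = build_datagram(b"guess", 7, 2, b"reading=99")
    print(receiver.accept(forged))         # None (wrong key)
```

The counter is the simplest freshness mechanism; a device that can lose its state across power cycles would need to persist it or negotiate a fresh starting point, otherwise its own legitimate datagrams start being rejected as replays.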
Over at Securitynews.net they've got a good example of using graphical elements to create the illusion of a secure site... Of course, if you're not running IE on Windows XP it just looks odd.
Although with enough work that might be possible to overcome, by detecting the user agent requesting the page and presenting a suitable fake UI experience.... (of course you could always foil them by using Lynx ;op)
I'm definitely with Joat on this one.
joatBlog: Appliances are better?
The article over at nwfusion.com presents the argument that spam management appliances are better than software on a general-purpose OS. Sure, there are advantages in that you don't have another server to manage all the software on, but from a security point of view I'm dubious as to whether they are superior.
One reason is that you're dependent on the vendor for patches for any operating-system-level attacks that come out, as these appliances are usually based on commodity operating systems customised for the task.
Also, it becomes difficult to know whether you have any machines with a specific vulnerability, as you will probably not know what software the vendor has loaded on the appliance...
Over here, at joatBlog: USB security, is a pointer to some information about bootable USB drives....
I'm really in two minds with regard to bootable USB drives. On the one hand they're an immensely useful means of transferring ever larger quantities of data.
But, from an IT security point of view they're a danger, both from an information leakage aspect and also, with bootable drives, because they present the possibility of someone coming to an enterprise and booting an environment that allows them to attack the network....
Now I know, at this point people will be saying "well, they're no different from bootable CDs", as you can get some nice bootable security-focused Linux distros (like the one over at Local Area Security) which in the wrong hands could be quite dangerous. However, many corporates will deploy desktop PCs without CD drives, whereas you can't deploy a PC these days without USB ports.
It definitely will lead to the point where some companies decide to disable USB altogether, or if possible, only the USB mass storage functionality. When that happens I foresee some ..... interesting.... discussions because, as I mentioned, they are very useful devices....
Got a link from rootsecure over to this nice list of Security tutorials and presentations, posted from an ISP P.O.V...
Saw this link to an interesting tutorial today over at Infosecwriters.com
... useful if you're interested in buffer overflows, or potentially if you need to explain more about them to programming staff...
I ran across an interesting looking wiki based information security encyclopedia today at securitygroup.org.
One thing I've noticed when the subject of penetration testing is raised is that commonly the goal is seen as finding a vulnerability in a system and exploiting it. This is seen as a successful penetration test.
But the question, I think, really is: why was that vulnerability there in the first place? Say for example that a penetration test finds that a web server has default scripts left on it. The main value of that finding is in discovering why that was the case: was it because the default build for the company has that vulnerability, or was the server that was tested built manually as a one-off..... The main benefit for the company is in realising where its procedures or policies need to be amended to make sure that the vulnerability does not occur again, rather than a report which says "yep, that server was vulnerable"...
I came across an interesting article on nist.gov which goes into some detail on the strength of various passwords in bits of entropy per character, amongst other things. One point that interested me was that in most of the projections the marginal gain in entropy decreased as the password length increased, so going from say 4 characters to 5 characters would gain you more entropy than going from 29 to 30.
Of course that assumes you're not using totally random strings for passwords, but then who does that (apart from people with extremely good memories, of course....!)
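The diminishing marginal gain can be seen directly if you write out the estimation rule. The following is an added example, not code from the original post or from NIST: it implements the per-character scale NIST SP 800-63 Appendix A gives for user-chosen passwords as I know it (4 bits for the first character, 2 bits each for characters 2 to 8, 1.5 bits each for 9 to 20, 1 bit each beyond that, plus a 6-bit bonus for a composition rule requiring upper case and non-alphabetic characters; the separate dictionary-check bonus is left out), and compares it with the log2(alphabet) per character you get from a truly random string, which is the case the second paragraph sets aside. The 94-symbol alphabet used for the random case is an assumption (printable ASCII without space).

```python
import math


def user_chosen_entropy(length: int, composition_rule: bool = False) -> float:
    """Estimated entropy in bits of a user-chosen password of the given length
    (NIST SP 800-63 Appendix A scale, dictionary bonus omitted)."""
    bits = 0.0
    for position in range(1, length + 1):
        if position == 1:
            bits += 4.0
        elif position <= 8:
            bits += 2.0
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1.0
    if composition_rule and length > 0:
        bits += 6.0        # rule forcing upper case and non-alphabetic characters
    return bits


def random_entropy(length: int, alphabet_size: int = 94) -> float:
    """Entropy of a uniformly random string: every character adds log2(alphabet)."""
    return length * math.log2(alphabet_size)


def marginal_gain(from_length: int, to_length: int) -> float:
    """How many bits a user-chosen password gains by growing from one length to another."""
    return user_chosen_entropy(to_length) - user_chosen_entropy(from_length)


def entropy_table(lengths) -> list:
    """(length, user-chosen bits, random bits) rows, for a quick side-by-side view."""
    return [(n, user_chosen_entropy(n), round(random_entropy(n), 1)) for n in lengths]


if __name__ == "__main__":
    # The page's own comparison: 4 -> 5 characters versus 29 -> 30 characters.
    print("gain 4->5:", marginal_gain(4, 5))      # 2.0 bits
    print("gain 29->30:", marginal_gain(29, 30))  # 1.0 bit
    for row in entropy_table([4, 8, 12, 20, 30]):
        print("len %2d  user-chosen %5.1f bits  random %5.1f bits" % row)
```

The user-chosen scale reflects how predictable people's later characters are; for a random string the gain per character never decreases, which is why the two columns diverge so quickly.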
One thing that occurred to me recently when reading a security mailing list is the extent to which analogies to the physical world tend to be drawn as soon as the subject of computer crime starts being discussed. For example, whenever a discussion of the legality of port scanning starts you can generally expect to see people starting to compare it to "rattling the doors on a house".
It seems to me that this is a good indication of the lack of laws regarding Internet/computer crime: as people can't definitively say whether something is or is not illegal, they are forced to draw analogies, which are unlikely to ever be 100% accurate.
I read an interesting article on phishing last week over at Netcraft which seems to show that it is possible for a phisher to create an SSL session and display the familiar padlock icon without having a valid certificate..... However, I've since seen some disagreement about whether the "plain text" SSL method would work in that way; one such response is at rtfm.com.
So it remains to be seen if this is actually a problem. If it is, it will be a blow to a lot of the advice handed out by banks on this subject, as it's usually accepted that the best way of telling whether you are at the correct site is to examine the certificate.
However, whilst it may be the best way in a browser situation, I am not sure it is a good way. It relies on users understanding domain names to a limited extent, so as to realise that a certificate issued to www.mybank.com is NOT the same as one issued to www.my-bank.com, which is a pretty hard point to get across to non-technical users.
There are ways, however, that banks and other institutions can make this kind of attack more difficult to execute. One option is to use a two-stage login procedure and provide feedback after the first page which, if the user doesn't see it, tells them that something is not right.
So for example the bank asks for login name/password. Once the user enters that he gets a screen saying something like "welcome back Mr Jones, the first line of your address is 1 Acacia Avenue" and asks for a second authenticator.
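The two-stage flow just described, as an added example that is not code from the original post or from any bank: stage one checks the login name and password and, only on success, returns the personal feedback (the address line) together with a one-time token; stage two takes that token and the second authenticator. A static fake login page cannot produce the address line because it never held the user's record, so a user who is trained to expect it has something concrete to notice. The user record, the salted PBKDF2 hashing and the token handling are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import secrets


class TwoStageLogin:
    """Constructed illustration of a two-stage bank login with personal feedback."""

    def __init__(self):
        self._users = {}             # login name -> stored record
        self._pending = {}           # one-time token -> login name awaiting stage two

    @staticmethod
    def _hash(secret: str, salt: bytes) -> bytes:
        # Salted PBKDF2 so neither password nor second authenticator is stored in clear.
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def register(self, login: str, password: str, address_line: str, second_factor: str) -> None:
        salt = os.urandom(16)
        self._users[login] = {
            "salt": salt,
            "password": self._hash(password, salt),
            "address": address_line,            # the feedback shown after stage one
            "second": self._hash(second_factor, salt),
        }

    def stage_one(self, login: str, password: str):
        """Return (token, feedback message) on success, or None on any failure.

        The same None is returned for an unknown login and a wrong password, so
        stage one does not reveal which accounts exist."""
        record = self._users.get(login)
        if record is None:
            return None
        if not hmac.compare_digest(self._hash(password, record["salt"]), record["password"]):
            return None
        token = secrets.token_urlsafe(32)
        self._pending[token] = login
        feedback = "Welcome back %s, the first line of your address is %s" % (login, record["address"])
        return token, feedback

    def stage_two(self, token: str, second_factor: str) -> bool:
        """Consume the stage-one token and check the second authenticator."""
        login = self._pending.pop(token, None)   # token is single-use whatever the outcome
        if login is None:
            return False
        record = self._users[login]
        return hmac.compare_digest(self._hash(second_factor, record["salt"]), record["second"])


if __name__ == "__main__":
    bank = TwoStageLogin()
    # Constructed sample account, matching the example in the post.
    bank.register("Mr Jones", "correct horse battery", "1 Acacia Avenue", "Smith")
    result = bank.stage_one("Mr Jones", "correct horse battery")
    token, feedback = result
    print(feedback)                              # the line a fake site cannot show
    print(bank.stage_two(token, "Smith"))        # True
    print(bank.stage_two(token, "Smith"))        # False: token already consumed
```

The caveat a practitioner will want: this raises the bar against a copied login page, but a phishing site that relays the user's stage-one credentials to the real bank in real time can fetch and display the genuine feedback, so the personal message detects static fakes rather than a live man-in-the-middle. Showing the feedback only after the password (as the post has it), rather than after the login name alone, also stops an attacker from harvesting everyone's address line by typing in login names.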
Looks like there are a couple of very interesting new books out if you're interested in software security...
The Shellcoder's Handbook: Discovering and Exploiting Security Holes
and
Exploiting Software: How to Break Code
I wonder if this is the start of a trend along the lines of all the network security books of the Hacking Exposed genre..
One good thing that may come out of this is that hopefully it will lessen the number of times the argument "no-one in my company would know how to do this" is used, with regard to application hacking, to stop people from spending on internal application security.
Anyway, definitely two for my bookshelf.
Saw an interesting link mentioned on a patch management mailing list which gives a listing of Microsoft Security Bulletins by product, here
Well, after being subscribed to Bloglines and reading a large number of excellent blogs on the subjects of security and IT, I decided to give it a shot. Also I'm hoping this will give me a way of keeping track of all the interesting documents and URLs I come across in my wanderings.....
