November 2004 Archives

Over at Schneier on Security, there's a refreshingly sensible piece on Google's desktop search.

As Bruce points out, all the information that people are getting so worried about being found by the tool is ALREADY THERE, so if there's a shared PC and you're worried about people seeing other users' data... don't give them the rights to see those areas!!

If you're worried that users of Internet cafés will expose corporate data by having it indexed when it's put on the café's PC, set your policy and technical controls so that your users don't put corporate data on untrusted machines!!

Sorry, but the flow of "Google desktop is evil" stories made me cranky...

Is Microsoft creating tomorrow's IE security holes today? | The Register

Quite an interesting piece, wondering whether Microsoft is creating problems for itself in the future with IE, with, amongst other things, its tight integration with the OS.

I do disagree with one or two points made though, especially "Rapid development cycles won the browser wars, and it wasn't the strong-arming or the marketing that motivated users to switch browsers, it was the features".
My memory of it is that IE wasn't that much more featureful than Netscape Navigator, and if you want my opinion on why Microsoft won that war, it is the plain and simple fact that IE was bundled with the desktop when Navigator wasn't. Non-technical users do not go looking for alternative products so long as the default one they're provided with does a reasonable job.

In fact it's telling that Firefox is gaining ground on IE, as that says to me that a percentage of Internet users no longer regard IE as doing a reasonable job.

Back to the story, I'd agree that tight OS integration is, to my mind, a problem for IE. I see no reason why an operating system has to have a web browser. For server operating systems it definitely seems totally redundant (although in several use cases I'd add that a GUI on a server is a waste of resources).

From a security point of view, having components so tightly integrated into the OS that an administrator cannot easily remove (not just disable) them simply increases the amount of code that needs to be maintained, and so increases the likelihood that code on the server will have an exploitable security vulnerability...

Some more information on the Bofra Iframe attack

http://isc.sans.org/diary.php?date=2004-11-21
http://isc.sans.org/diary.php?date=2004-11-20


Some data on security vulnerabilities in IE:
http://secunia.com/product/11/

A story regarding Microsoft working to patch the vulnerability

http://news.zdnet.co.uk/0,39020330,39175165,00.htm

Comment Spamming and Typekey


Well, I didn't really want to go down this route with this blog, as I don't like forced registrations on the web, but after a couple of comment-spamming incidents I've removed anonymous comments from the config of my blog and set it to only allow comments from registered people...

Bofra exploit hits our ad serving supplier | The Register


While I'm not sure if this is the "major UK site" referred to in the previous posting, there's some information in the story above about a compromise of one of The Register's advert suppliers...

It's really quite a cunning plan by whoever carried it out, as they've realised that you only need to compromise one set of servers (the advertising company's) in order to potentially infect many of their clients...

One thought that occurs to me from this is that you have to wonder whether sites should be taking steps to validate adverts and any other third-party content which is provided via frames on their site... (heck, imagine if someone managed to compromise the servers which provide those advertising boxes supplied by search engine companies!!!)
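As an added example (not code from this blog or from The Register), here is one way a site could screen third-party advert HTML before serving it: a small Python scanner that flags frames, scripts and plug-in objects whose source is not on an allowlist of the advert supplier's own hosts, plus any inline script. The allowlist hosts and the two sample creatives are constructed for the example and use the non-routable .test domain.

```python
"""Screen third-party advert creatives for frames/scripts pointing off-allowlist.

Added example, not from the blog or The Register. The allowlist hosts and the
sample creatives below are constructed for illustration (.test TLD, non-routable).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the advert supplier is expected to serve from (constructed assumption).
ALLOWED_HOSTS = {"ads.example-adnetwork.test", "cdn.example-adnetwork.test"}

# Elements that pull remote, executable or framed content into the host page,
# mapped to the attribute that carries the remote URL.
EMBEDDING_TAGS = {
    "iframe": "src",
    "frame": "src",
    "script": "src",
    "object": "data",
    "embed": "src",
}


class AdCreativeScanner(HTMLParser):
    """Collects (tag, url, reason) findings for every embedding element that
    is inline or references a host outside the allowlist."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag not in EMBEDDING_TAGS:
            return
        attr_map = {name: (value or "") for name, value in attrs}
        url = attr_map.get(EMBEDDING_TAGS[tag])
        if url is None:
            if tag == "script":
                # <script> with no src: inline code we cannot vet by host.
                self.findings.append((tag, None, "inline script"))
            return
        host = urlparse(url.strip()).hostname
        if host is None:
            # javascript:, data: or relative references carry no host to vet.
            self.findings.append((tag, url, "no host to check"))
        elif host.lower() not in self.allowed_hosts:
            self.findings.append((tag, url, "host not in allowlist"))


def scan_creative(html, allowed_hosts=ALLOWED_HOSTS):
    """Return the list of findings for one advert creative; empty means clean."""
    scanner = AdCreativeScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample creatives: one as the ad network would normally serve it,
# one with an extra hidden frame and an inline script spliced in.
CLEAN_CREATIVE = """
<div class="ad">
  <iframe src="https://ads.example-adnetwork.test/banner/123" width="468" height="60"></iframe>
  <script src="https://cdn.example-adnetwork.test/tracker.js"></script>
</div>
"""

TAMPERED_CREATIVE = """
<div class="ad">
  <iframe src="https://ads.example-adnetwork.test/banner/123" width="468" height="60"></iframe>
  <iframe src="http://unexpected-host.test/x.html" width="1" height="1"></iframe>
  <script>document.write("...");</script>
</div>
"""

if __name__ == "__main__":
    for label, creative in (("clean", CLEAN_CREATIVE), ("tampered", TAMPERED_CREATIVE)):
        findings = scan_creative(creative)
        print(f"{label}: {len(findings)} finding(s)")
        for tag, url, reason in findings:
            print(f"  <{tag}> {url!r}: {reason}")
```

The check runs on the HTML the site actually serves, not on what the supplier says it serves, so it catches the case the story describes: a creative that is normally fine but has had an extra frame added after the supplier's servers were compromised. A real deployment would run it on every fetch of the creative and refuse to serve anything with findings, since a single allowlisted supplier can still be turned against all of its clients.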

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Over at the ISC handlers' diary there's mention of a major (unnamed) UK website which has a pointer to a site hosting the Bofra/IFrame Internet Explorer exploit (for which there is currently no patch!).

Another really good reason not to use Internet Explorer on the web unless you really have to...

There's a link to an interesting article over at Michael Howard's blog.

He makes some very valid points about why running Windows machines as an administrator is a very bad idea(tm) unless absolutely required.

Also there's information on a useful technique to reduce your privileges when running specific applications, aimed at providing a safer web browsing experience.

First one's the story "Phishing scam forces NatWest services offline" at vnunet.com. What I find somewhat odd about this is that they took the step of disabling some functionality on their site...

They must have had quite a few of these scams by now and I find it hard to believe that they're disabling parts of their websites every time they get hit, as that would seem a bit like a self-imposed Denial-Of-Service...

Another story about how some customers are dealing with phishing here. Basically the guy in this story is blanket-deleting mails that ask for personal info, which seems like a sound idea to me!

Personally I think that standard SMTP e-mail is just about dead as a business-to-consumer communication method. Between spam, phishing and malware there's no way consumers and home users are going to keep using it. Really, companies should not have been using what has always been a really insecure mechanism to communicate with their customers.

The thing is though, it's REALLY cheap compared with most other forms of communication (notably, this is what the spammers depend on as well to make money), so they've been very reluctant to stop.

My expectation is that they will have to find some way to clearly and securely provide communications with their customers to bridge the gap left by E-Mail. Not that that's an easy problem to solve...

Pete Finnigan - Oracle and Oracle security information

Loads of good information on Oracle Security here...

There's a review of Network vulnerability assessment tools over at nwfusion.com

I thought it was interesting to see that there are several products in the review based on the Nessus engine...

Also, one point that intrigued me when I read it was the companies that declined to take part. Maybe it's just me, but when I read that it tends to make me think "I wonder what was wrong with their product", i.e. if you think your product is the best on the market, I would expect you'd be very keen to see it reviewed and recognised as such...

NSA Posts Mac OS X 10.3.x security guide

There's a blog entry pointing to a new NSA security guide, this one for Mac OS X.

I'm definitely in favour of these guides, as it's nice to get a source of non-vendor security advice (I always feel that they're more likely to point out any potential product issues than the vendor themselves).

MercuryNews.com | 11/02/2004 | Stolen computers have Wells Fargo customer data

There's what I think is an interesting point in this article about the loss of customer data from Wells Fargo: the loss didn't occur from Wells Fargo's systems, it occurred from those of a partner company.

What I find interesting is that I wonder how many companies can honestly say that they ensure the security of data which they "own" (for want of a better term) no matter where it may reside.

Especially in these days of outsourcing... It's all very well for companies to spend a lot of money securing their data centres and other obvious places where data lies, but it's really quite pointless if that data (or the credentials used to access it) is not as secure when it's processed or stored outside of those data centres...

SecurityFocus HOME Infocus: SSH User Identities

A useful guide on setting up and using public/private key pairs in conjunction with SSH.

Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments

Handy information from Microsoft covering some of the potential issues of hardening Windows boxes.

Sun Blueprints - Security


Sun BluePrints OnLine - Archives By Subject

Very useful links, with a large number of white papers from Sun covering security amongst other areas.

There's an article over at InfoWorld looking at the various measures that companies have been using to try and mitigate the current rising trend in phishing attacks.

My money's on server-based mitigations as opposed to client-based ones (like the anti-phishing toolbars mentioned in the article). There are several good reasons for this.

1. Companies don't and won't control the client environment, so they're not in a good position to dictate what runs on it. Also, given the current trend in spyware and viruses, there's no way companies can place trust in a client-based solution.

2. There are literally millions of clients out there which would need to be "fixed" to make a solution work, but for each company there is only one location that needs to be fixed...

Personally my money's on the deployment of two-factor authentication like SecurID. Most banks already use it internally; the main reason it hasn't been deployed for customers is cost... well, if phishing starts placing a significant cost on the banks, then suddenly it starts being much more viable to deploy...

Of course there are some more complications involved, as SecurID can still be vulnerable to a MITM attack, but it would still be a great step forward...

Security Journal


There've been a couple of sites pointing in the direction of what looks like an interesting security publication, Security Journal.


About this Archive

This page is an archive of entries from November 2004 listed from newest to oldest.
