April 27, 2004

MetaSploit redux

Well, I had a chance to download and have a quick test of the Metasploit framework which I talked about earlier.

It definitely does what it says on the tin! I downloaded it, ran the web server version (one command), fired up a known vulnerable virtual machine, and very soon had a remote administrator exploit against IIS5 launched.

I think it could be very useful in the security industry from the point of view of convincing companies that the level of technical knowledge required to hack into their systems is not high... This is needed, as a common reason given by management in companies for not doing things like patch management of internal servers is "well, no-one would know how to do that", with the thought that hacking a server requires a high level of technical expertise...

Posted by rorym at 8:23 PM

Prelude IDS

There's an interesting article over at Local Area Security which talks about the Prelude IDS framework. It's an application which provides, amongst other things, a console for viewing alerts which can be pulled in and aggregated from a number of sources...

Posted by rorym at 7:33 PM

April 23, 2004

The end of ROSI, one can but hope

information security: RoSI: R.I.P.

There's an interesting link over at Axel Eble's blog to a report that, hopefully, people are getting round to the thought that security is not something that you calculate the ROI on; rather, you view it like insurance or a fire control system, as loss avoidance.

The problem with calculating ROSI has always been quantification, and it's always struck me that people who suggest it as a good way of justifying security spend come up very short on specifics when asked how it would actually be implemented...

Posted by rorym at 9:30 PM

April 22, 2004

Online Portscan

SecuriScan Security Test

An online port scanner, to go with GRC's Shields Up and the less flashy one over at yashy.com.

Posted by rorym at 9:38 PM

Spyware in the corporation

An interesting article over at Computerworld: Spyware in the office.

The existence of spyware on corporate networks is definitely not a good thing. Apart from the obvious reasons of potential leaks of confidential information or excess traffic being generated, there is the problem that deploying code on a complex platform could cause other, business critical, applications to stop working...

Posted by rorym at 9:36 PM

Encrypted mail that doesn't interfere with A-V

Over at ZDNet there's an article, PGP software gains antivirus defense.

This capability is very useful, getting round one of the problems of encrypted mail, which is that the content is hidden from any security or other inspection mechanisms, like A-V.

Posted by rorym at 9:33 PM

April 15, 2004

Portknocking resources

Slashdot | Port Knocking in Action

There's a story on slashdot.org covering a port knocking proof of concept. Ironically, there are better links in one of the early comments than in the story itself! I've made a list of them below for reference.

portknocking.org
An article at Linux Journal
An article at Linuxsecurity.com
A tutorial at Librenix

For those of you wondering "what the stuff is port knocking anyway?", here's a definition I got from the UNIX FAQ at aplawrence.com:

"Port knocking is a security technique to allow access to people who know the "secret knock". The basic idea is this: packets addressed to certain ports are silently ignored but are logged. If you contact the right series of ports in the right sequence, possibly with the additional condition of holding the ports open for a certain period of time, the firewall rules will be adjusted to allow you access.

The interesting things about this technique include the fact that you can obviously transmit information with the pattern or duration of the "knocks". That means that you could request that some other IP be allowed access, or just request that certain information be sent to you. Another interesting aspect is that because the packets are silently dropped, there's no way to scan a host and determine that it is using a port knocking technique. Even if you knew that it was using such a technique, but didn't know the algorithm, any brute force attempt would be effectively impossible."
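To make that definition concrete, here is an added example (my own code, not from the Slashdot story, aplawrence.com or any of the linked projects) of the server-side logic a knock daemon runs over the firewall's log of dropped packets: it tracks each source's progress through the expected port sequence, starts over on a wrong port or when the sequence takes too long, and counts the wrong-port attempts, which is also what a defender would watch to spot someone probing for the knock. The sequence (7000, 8000, 9000), the 10-second window and the iptables-style log lines are all assumed/constructed for the example.

```python
import re
from datetime import datetime

# Knock sequence the gateway expects and the window (seconds) the whole
# sequence must complete in. Both are assumed values for this example.
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_WINDOW = 10

# Constructed sample log lines in iptables LOG-target style; not real traffic.
# .7 knocks correctly, .9 hits a wrong port mid-sequence, .11 is too slow.
SAMPLE_LOG = """\
Apr 15 21:00:01 gw kernel: KNOCK IN=eth0 SRC=203.0.113.7 PROTO=TCP DPT=7000
Apr 15 21:00:02 gw kernel: KNOCK IN=eth0 SRC=203.0.113.7 PROTO=TCP DPT=8000
Apr 15 21:00:03 gw kernel: KNOCK IN=eth0 SRC=203.0.113.7 PROTO=TCP DPT=9000
Apr 15 21:00:05 gw kernel: KNOCK IN=eth0 SRC=203.0.113.9 PROTO=TCP DPT=7000
Apr 15 21:00:06 gw kernel: KNOCK IN=eth0 SRC=203.0.113.9 PROTO=TCP DPT=22
Apr 15 21:00:07 gw kernel: KNOCK IN=eth0 SRC=203.0.113.9 PROTO=TCP DPT=8000
Apr 15 21:00:08 gw kernel: KNOCK IN=eth0 SRC=203.0.113.9 PROTO=TCP DPT=9000
Apr 15 21:01:00 gw kernel: KNOCK IN=eth0 SRC=203.0.113.11 PROTO=TCP DPT=7000
Apr 15 21:01:20 gw kernel: KNOCK IN=eth0 SRC=203.0.113.11 PROTO=TCP DPT=8000
Apr 15 21:01:21 gw kernel: KNOCK IN=eth0 SRC=203.0.113.11 PROTO=TCP DPT=9000
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(\S+) .*DPT=(\d+)")


def find_knockers(log_text, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
    """Return (sources that completed the knock, wrong-port counts per source)."""
    state = {}          # src -> (index of next expected port, time of last knock)
    opened, wrong = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        src, port = m.group(2), int(m.group(3))
        idx, last = state.get(src, (0, None))
        if last is not None and (ts - last).total_seconds() > window:
            idx = 0                       # too slow: the sequence starts over
        if port == sequence[idx]:
            idx += 1
        else:
            wrong[src] = wrong.get(src, 0) + 1
            idx = 1 if port == sequence[0] else 0   # a wrong port resets progress
        if idx == len(sequence):
            opened.append(src)            # here the firewall rule would be added
            idx = 0
        state[src] = (idx, ts)
    return opened, wrong
```

Only 203.0.113.7 gets through; the wrong-port counts for the other two sources are the trail a scanner leaves in the knock log even though it never sees a reply.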

Posted by rorym at 9:05 PM

Security White Paper Site

Dana Epp's ramblings at the Sanctuary : Securitydocs.com: The Information security library for the infosec pro

There's a handy link over at Dana Epp's Blog to a site called securitydocs.com, which collates security white papers.

Quite a few of the random ones I looked at were from the SANS reading room (in itself an excellent resource).

Posted by rorym at 8:55 PM

April 14, 2004

Linux forensics

Dana Epp's ramblings at the Sanctuary : Forensic Analysis of a Live Linux System

There's a post over at Dana Epp's Blog referring on to an interesting set of presentations about Linux forensics...

Posted by rorym at 8:57 PM

Cisco... Asleap at the wheel?

I was pointed to this interesting SourceForge project by another Rory... asleap home page

It's a piece of software which exposes the weaknesses in Cisco's LEAP protocol... This is the second thing I've seen recently regarding lack of security in Cisco's products... odd for a vendor with a relatively good reputation for security...

Posted by rorym at 8:56 PM

UK companies... some way to go on security

UK firms failing security challenge - ZDNet UK News

This is one of the stories that always emerge when the large consultancy companies do their annual security surveys. In amongst a lot of stats there are some meaningful pieces of information. This story focuses on the state of wireless security (poor).

I'm not at all surprised that 50+% of companies haven't deployed security on their wireless LANs; however, it is very worrying, as they are essentially allowing the man on the street (literally) to wander into their corporate LAN without any restriction.

Given that most companies practice the "warm smarty" method of network security (crunchy on the outside, soft and squishy on the inside), this is especially worrying.

Posted by rorym at 8:51 PM

MS April Security Vulns... how many are there?

Well, the April Microsoft patches came out today, and depending on what article you read about it there are either 4 [securityfocus.com] or 20 [nwfusion.com].

The cynic in me would say that this was Microsoft trying to keep the apparent number of vulnerabilities in Windows down, and I reckon that for certain industry analysts and studies it might well work, as if you don't go into the technical detail of the vulnerability it's not apparent that more than one flaw is getting fixed by each patch.

What I actually find more concerning is that several of the vulns appear to affect Windows 2003/Windows XP. I think that this shows that Microsoft has a very long road ahead of it to improve the security of its products. Whilst it may be ensuring the quality of all new code that is produced, there is obviously a lot of legacy code that will be causing problems for some time to come...

Posted by rorym at 8:46 PM

April 10, 2004

Interesting e-mail attack

Over at the New Scientist there's an interesting note about an attack on a mail server.

I always find attacks like this interesting, as they're essentially a case of misuse of a protocol. Also, given that the return of undeliverable e-mail is usually taken as a given on the Internet, it becomes unlikely that this kind of DoS attack will be going away anytime soon.

Posted by rorym at 4:20 PM

Exploits for real...

The Metasploit Project is a collection of exploits with an interface to allow them to be easily executed.

Whilst I can see the value of this kind of project from the point of view of going one step beyond a vulnerability scanner and actually demonstrating an exploit getting, for example, remote root access on a system, the other uses of this kind of work will lower the knowledge barrier for a range of cracking activities...

Posted by rorym at 4:11 PM

Default passwords in Cisco Wireless kit

Cisco Security Advisory: A Default Username and Password in WLSE and HSE Devices

This is a pretty nasty vulnerability for someone like Cisco to have, as you'd have thought that their development process would have noticed this kind of mistake. Also, given that WLSE is a piece of security software, in that it monitors for rogue APs amongst other things, it is surprising that this got through.

I think that the only saving grace of this is that the kind of equipment it occurred in will probably be managed by networking professionals who will check for security advisories...

Posted by rorym at 3:27 PM

Test Virus Sender

TESTVIRUS.org lets you send EICAR test strings to any e-mail address using a variety of obfuscations, to see if your mail server will catch them all...

Posted by rorym at 2:56 PM

April 7, 2004

Online Browser Security Test

There's a Browser Security Test over here that allows you to check your browser configuration to see if it's vulnerable.

Could be handy if you're unsure of whether patches have taken correctly, or if you're looking to demo how insecure unpatched versions of major browsers can be.

Posted by rorym at 7:04 PM

April 6, 2004

New Internal Network Monitoring Tools

Security tools target inside jobs

This article is talking about some new products which are focusing on business/application level analysis of a company's traffic. I'm a little cynical about this kind of thing, as I would expect the same kind of "data flood" problem which affects network level IDS systems to affect this kind of solution.

Also, working at an application level is far harder: it is relatively easy for an automated system to recognise things like HTTP traffic, however an automated system looking at that and saying "that's confidential information from the payroll system" would be very, very difficult to set up...

Posted by rorym at 10:00 PM

Out-of-Band communications to combat phishing

An article over at Help Net Security, The Future of Phishing, presents an interesting idea for combating the current (and potential future) phishing attacks: communicating transactions out-of-band (for example by SMS message) and then getting the user to authorize that transaction by putting in a one-time password sent to them via the SMS message.

Posted by rorym at 9:43 PM

April 4, 2004

ICMP chat

There's an interesting program over at SourceForge, ICMP-Chat, which allows you to communicate with someone purely over ICMP (you can choose which type of ICMP message is used).

This provides a good illustration of the dangers in security of assuming that a system or protocol will only be used for its intended, or well known, purpose.

In this example this program could probably be used to bypass firewall infrastructure in some companies, as many people allow ICMP through for troubleshooting purposes, where all TCP and UDP connections will be locked down.

That brings me on to another point, which is the futility of disallowing protocols based on the fact that they can be used for file-transfer. In some setups I've seen people will block incoming FTP but not HTTP. Now that doesn't make a lot of sense when you realise that HTTP is a generic content transfer protocol and can be used for a wide variety of things like file transfer and, of course, remote control.

You don't see many companies allowing inbound connections for protocols like PC-Anywhere, but with HTTP allowed, services like GoToMyPC allow very similar functionality.

A mitigation for this kind of risk is to apply more application level controls over all protocols allowed through security perimeters, as at the application layer there is a better understanding of what the purpose of the communication is...

Posted by rorym at 8:45 PM

April 3, 2004

linux palmtop goodness

Well, I think I've finally found the right handheld computer for me... A Sharp Zaurus C860. It's Linux based, has lots of good security software available, can take SD and CF cards, has an excellent 640x480 display and isn't too bulky or heavy.

Also, the keyboard is fairly good... as I'm writing this entry using it...

Posted by rorym at 10:14 PM

April 2, 2004

Hard Drive Information Leakage

ATAC: Abusable Technologies Awareness Center: Used Hard Disks Packed with Confidential Information

Interesting information about the types and quantity of sensitive information that is available on old hard disks...

Posted by rorym at 9:38 PM