Dana Epp's ramblings at the Sanctuary : Microsoft releases new Threat Modeling Tool
An interesting post over at Dana Epp's blog regarding a new Microsoft tool (and a forthcoming book) focusing on threat modelling. One to download and look at when I get a chance (shame they've not made a Linux version ;op)
Slashdot | Password Memorability and Securability
There's an interesting story on Slashdot linking to a study on password quality. It has a couple of interesting conclusions amongst some other confirmations of common themes in password quality. Most interesting is probably the conclusion that in practice mnemonic passwords are as strong as randomly chosen passwords and are far easier to remember....
An interesting penetration testing guide provided by Corsaire.
It has some good points about choosing pen testing consultancies and also some good resources at the end...
Over at RouterGod there's a very informative series of articles about various Cisco topics. They're in the News Archives section and they've got an..... interesting way of presenting the information ...
A good list of Linux Live CDs; there are quite a few useful ones from the security point of view, including the very useful Local Area Security distro.
Anyone who's not had time to play with Linux LiveCDs really should, as they are immensely useful tools for work like forensics and system administration....
New evidence points to Cisco network hack
An article providing some more info on the Cisco code theft, over at Network World. One point mentioned in it that I would disagree with, though, is the comment that
"Unlike open source software products, the security of Cisco's systems, like those of other proprietary software vendors, depends on the source code being kept out of public view, he said"
This is a bit on the sweeping side really... Although it is a salutary lesson that companies shouldn't rely on the secrecy of their code to provide security.
Redmond enlists security vendors to automate policy compliance
An interesting idea talked about over at Network World is Microsoft working with A-V vendors on the idea of security policy compliance software. If I'm reading it correctly, the idea is that when a machine tries to log onto a Microsoft network its agent software will transmit information about things like its A-V pattern files and patch level, and if these don't meet defined standards it will not be able to connect until it is updated.
It's a good idea for things like laptop users, who perhaps aren't in the office often enough to get updates. That said, I like the idea of this being tied into the network switch/router infrastructure more.
The reason is that even if a PC can't log onto a Windows domain it can still connect to other client-server applications, whereas if the switch the PC is connected to won't let it communicate with anything other than the update server until it is patched, it will be a more effective control.
Martin McKeay's Network Security Blog: How to get into Network Security
A link to an interesting article at SecurityFocus talking about the prerequisites for getting into network security. My path was: train as an accountant, get lucky and move over to IT before having to do any accounts, spend 5 years in networking and general IT, then move into IT security. I've found my background in IT to be very useful when having security related conversations with IT staff; it definitely helps to understand where they're coming from and also if they might be being "economical" with the truth...
There's another reference to this story over at Joat's blog, which mentions coding as a required skill. I've picked up bits of a couple of languages over the years, and I'd like to learn more, but I've never been sure which language would be best to focus on, with the inevitable result that I've not really learned any of them....
An interesting link over at Michael Howard's blog to a column on Security Management
There's an article which runs through a good example of social engineering here. The methods used give examples of how easy it is to gain access to information or goods without authorisation. It does require a talent for thinking on your feet though....
An interesting article over at vnunet.com quoting Gartner on the levels of loss in the US from phishing scams. I'm definitely surprised that it is as high as $1.2 billion, but if those figures are accurate, I'd hope to see the financial institutions involved moving to authentication schemes which are more resistant to this kind of attack, maybe like the ones I mentioned here.
This one is one of my recurrent rants, so I thought I'd post it while I think about it....
Why do large corporations spend loads of money securing their perimeter, a fair quantity on their core line-of-business servers, and very little securing corporate desktops?
If someone can compromise a desktop PC, they can get all the rest of the access they need very easily; they can also easily compromise your core servers...
Here's one scenario of many.
1st step - Get local administrator rights on a corporate PC running Windows. Easily done by booting off a CD, grabbing the SAM file and cracking the password. In most networks I've seen the local admin password is the same on all the PCs.
2nd step - Find out the IP address or machine name of an admin-level person's desktop. Shouldn't be too hard if you are in the same building; if you're not, something like an HTML e-mail with a web bug in it would do the trick.....
3rd step - connect to their PC using the local administrator account and install a keylogger.
4th step - Grab all the passwords as they type them! If you're feeling fancy, install a remote control program on their workstation, then log on to their machine as them and connect to the servers they administer. At that point it would be very hard for mechanisms like IDS to know that you're not the administrator of the system.....
How do you mitigate this?
One way would be to deploy two-factor authentication for all your admins. If you use RSA tokens or some other form of one-time password, it would cut back on the window of opportunity.
Another option would be to put desktop firewalls on all admin (or potentially all) PCs and configure a reasonable ruleset on them which only allows inbound connections from specific subnets, as required to maintain the system.
Another option (only applicable to this particular attack) would be to specify a different local administrator password for each PC (might be a bit hard to administer though).
Over at the BBC they're carrying the story that "Teen 'confesses' to Sasser worm". What worries me most about this is that if this guy turns out to be the author of the Sasser worms and the Netsky virii (which some other newswires are suggesting), he has managed to cause millions of pounds of damage on his own... one teenager.....
Given that, what level of damage could be done by an organised, well-funded group of people looking to maximise the damage done to the Internet...? Not a comforting thought really.
A little while back, I was giving some thought as to how to mitigate the risk of rogue DHCP servers on internal networks.
The risk, briefly, is that if someone can get their rogue DHCP server to hand out an address faster than the real one, then they can control things like the default gateway and DNS server of client PCs. Once they've set that up they can sniff any and all traffic that goes by and also modify traffic if required.
One of the standard technological controls for stopping people putting rogue devices on a network, static MAC address assignments on the switch ports, isn't likely to be effective here, as it would be very onerous to maintain that on client subnets... Likewise other ones like an IDS system aren't likely to be deployed in what are generally perceived as "low risk" segments of the network...
So, an idea which might work (and it may already exist; I'd be interested to hear if it does) would be to have something like NMAP scanning round the subnets on a regular basis looking for new services coming online... All that would be needed is an interface for admins to define what to look for (e.g. there should be only ports 137-139 and 445 on this subnet) and an alerting system... It would also help for detecting unauthorised web servers and the like in large corps...
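A sketch of the per-subnet policy check described above, added here as an example and not part of the original post. It assumes nmap's grepable output (-oG) as the scan input, a per-subnet set of expected ports maintained by the admin, and constructed sample scan lines; one client has sprouted a web server and another is answering on udp/67, which is how the rogue DHCP server from the earlier paragraph would show up in such a sweep.

```python
import ipaddress
import re

# Per-subnet set of the (port, protocol) pairs an admin expects on client PCs.
# Constructed example policy; a real one would be kept behind an admin interface.
POLICY = {
    "10.1.0.0/24": {(137, "udp"), (138, "udp"), (139, "tcp"), (445, "tcp")},
    "10.1.1.0/24": {(139, "tcp"), (445, "tcp")},
}

# Constructed sample of nmap grepable output (-oG) from a sweep of both subnets.
SCAN = (
    "Host: 10.1.0.10 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)\n"
    "Host: 10.1.0.23 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 80/open/tcp//http///\tIgnored State: closed (997)\n"
    "Host: 10.1.1.7 ()\tPorts: 445/open/tcp//microsoft-ds///, 67/open|filtered/udp//dhcps///\tIgnored State: closed (998)\n"
)

# Each entry in the Ports: field is port/state/protocol/owner/service/rpc/version.
PORT_RE = re.compile(r"(\d+)/(open(?:\|filtered)?)/(tcp|udp)//([^/,]*)")


def parse_grepable(text):
    """Yield (host, port, proto, service) for every open port in -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, _state, proto, service in PORT_RE.findall(ports_field):
            yield host, int(port), proto, service or "unknown"


def unexpected_services(text, policy):
    """Return (host, port, proto, service, reason) for anything the policy does not allow."""
    nets = {ipaddress.ip_network(n): allowed for n, allowed in policy.items()}
    alerts = []
    for host, port, proto, service in parse_grepable(text):
        addr = ipaddress.ip_address(host)
        allowed = next((a for n, a in nets.items() if addr in n), None)
        if allowed is None:
            alerts.append((host, port, proto, service, "host outside any policed subnet"))
        elif (port, proto) not in allowed:
            alerts.append((host, port, proto, service, "port not in subnet policy"))
    return alerts


if __name__ == "__main__":
    for host, port, proto, service, reason in unexpected_services(SCAN, POLICY):
        print(f"ALERT {host} {port}/{proto} ({service}): {reason}")
```

Run on the sample it flags the stray web server on 10.1.0.23 and the DHCP responder on 10.1.1.7; feeding it the output of a scheduled `nmap -sS -sU -oG -` sweep is the cron job the paragraph is asking for.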
Over at David Cartwright's Home Page there are some comments on a debate about the relative security of open and closed source software. It pretty much sums up how I feel about it.
There are potentially going to be security flaws, either malicious or accidental, in any software much more complicated than "Hello World", be it open or closed source. My personal opinion is that at least with open source software, if it's sufficiently important to you to mitigate that risk, you *can* get the source code reviewed. This cannot be the case with closed source software, as even if you are given a copy of the code to review (for example with Microsoft through their shared source initiative) you have no guarantee that the code you reviewed is the code that was compiled to create the software you get on the CD.....
That leads me on to another thought, actually, which is: I wonder if any of the shared source licensees have been able to compile something like Win2003 Server from the source they've been given to create a running OS.....?
There's an article over on SecurityFocus by Tim Mullen titled "Stop Being a Victim". I'm undecided as to whether it's a troll or not. He appears to be suggesting that the way to improve security for Internet users is for those users to understand and care enough to secure their computers.... It's a nice idea, but having been a network admin in the past and having supported a lot of users in my time, my initial thought on reading it was "BWA HA HA HA HA"
The idea of getting the X million people currently connected to the Internet to understand what is required to secure a computer on the Internet is quite amusing, given that professional IT people in large corporations regularly get it wrong, looking at the ease with which hackers like Adrian Lamo have penetrated their networks.
So, what is the answer then?? There are a couple of ideas which come to my mind.
1. Make ISPs and network access providers responsible (and legally liable) for traffic from their networks. Of course, the knock-on effect of that would be a huge rise in Internet access costs and greatly reduced functionality, as ISPs would have to install outbound filtering to stop attacks originating from their networks infecting others...
2. Split the Internet. One answer for some users would be the recreation of walled Internet communities (like AOL and CompuServe of old), where there is no access to the mainstream Internet from the community (or very controlled access). That would, however, need to be combined with more control over the end users of the service.... and again far higher charges for access as the provider provided security services to the subscribers...
3. Improve software to make it more secure and less vulnerable to attack.... This is the one that's currently being tried out by Microsoft, with them improving software quality and adding security features to their operating systems. However, I'm not convinced that this will ever really have the desired effect... At the moment, my perception is that worm/virus attacks are on the up and also the number of patches coming out of Redmond is going up, not down....
I'd mention the idea of regulation as a concept, except that in a global Internet the chances of getting all the world's governments lined up behind decent legislation are what I can only describe as extremely unlikely...
So where does that leave us? The answer is, I'm not sure. Sorry, this isn't some published article so I don't have to have a silver bullet solution ;op