SecurityFocus HOME Infocus: Packet Crafting for Firewall & IDS Audits (Pa
An interesting first part in a series of articles looking at packet crafting...
There's a report on an interesting survey over here, stating that 85% of users asked would open an attachment from a friend or colleague! No wonder spam and virii are still doing well...
An interesting post on Dana Epp's blog talking about running as least privilege (or in this example not) in Windows (you can also read the odd comments from someone I can only assume was trolling?!)
It's really nice to see that the Windows world is moving more towards the UNIX paradigm of not running as root unless you have to. I hope this will have a positive effect for end users too... Less of the frustration of being told that you have to be an administrator to install a media player (Apple QuickTime in this example) would be nice...
There's an article about a MasterCard program which combats phishing. I've got to say that I'm not that impressed by this kind of approach to combating phishing.
If what's in the article is accurate, it basically amounts to looking through content from the entire Internet for potential phishing scams and then shutting them down when they're found... This approach just strikes me as far too reactionary and prone to missing things. I would expect that currently a phishing scam will make most of its money in the first 24 hours of its operation, and I'll be a little surprised if MasterCard's approach will be effective in shutting down these scams in that time frame.
There are other ways to combat this kind of attack (I linked to one before). Another option would be 2-stage authentication by the service provider, where the user enters initial credentials, then the site responds with a secret (be it a phrase, word or fact about the user's account) and asks for a secondary authentication. In this model the phisher will be able to get the initial credentials but will have a significantly lower rate at getting the secondary ones (of course some social engineering would still get some credentials out of people, I'm sure).
Personally I think that this kind of system, or more probably some form of 2-factor authentication, will be the best way to combat these attacks. If running around stomping on sites as they popped up worked well, I'm sure we'd have considerably less spam and virii doing the rounds...
In an article over at Yahoo we're told Mail Security Service Model Marches On. It's interesting, as there definitely is an interesting proposition in outsourcing things like management of e-mail security. However I must say, I'd not be too comfortable outsourcing something as critical as e-mail without some very good assurances and SLAs surrounding it.
For example, I'd hate to be the e-mail admin who has to troubleshoot their mail delivery when I didn't control the whole path for the mail out to the recipient, especially if there's a possibility of false positives, as there is with many e-mail spam/virus management packages...
Now I'll start this post with the obligatory IANAL, but there's a story over at Security Pipeline which seems to be saying that Security Managers Could Face Court Penalties for poor security, or for making lists of top measures that companies should follow and then not implementing them all...
I've got to say that the examples sound a bit over-dramatised to me, but it's an interesting theory from the point of view of convincing management of the importance of being seen to be proactive in the field of InfoSec...
Slashdot | Dan Kaminsky Suggests Having Fun with DNS
There's a story over at Slashdot covering a presentation from Dan Kaminsky (of Paketto Keiretsu fame) about some... very interesting ideas about using DNS as a communications channel for arbitrary data (in a similar fashion to things like httptunnel).
Cool stuff this, 'cause it drives home the point that it is wrong to think of a network service as just a means of transferring a specific type of data: many can transfer any type of data you like, they're just usually used for a given type of data. Which does make the point that traditional security measures like firewalls become a lot less effective as soon as you allow even one protocol across them...
One other thing that occurred to me when reading the slides about transmitting ISO images using TXT records: I wonder what would happen if you caused a caching DNS server to run out of disk space by requesting lots of these records...
I would hope that it would just start purging the records in oldest-first order, but I suppose it might DoS some servers...
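The flip side of the tunnelling idea above is the defender's question: how would you notice this traffic on your own resolver? As an added example (my own illustration, not code from the Slashdot story or from Kaminsky's slides), here is a small detector that runs over constructed resolver log lines in a made-up `key=value` format. It flags a client whose queries are dominated by TXT lookups with long, high-entropy labels, which is what a data channel over DNS tends to look like compared with the short, dictionary-word names of normal lookups. The log format, thresholds and IP addresses are all assumptions chosen for the demonstration.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines in a hypothetical "key=value" format.
# 192.0.2.10 behaves normally; 192.0.2.77 is sending many long random-looking
# TXT queries under one domain. Addresses come from the documentation range.
SAMPLE_LOG = """\
2004-06-01T10:00:01 client=192.0.2.10 qtype=A qname=www.example.com
2004-06-01T10:00:02 client=192.0.2.10 qtype=MX qname=example.com
2004-06-01T10:00:03 client=192.0.2.10 qtype=TXT qname=example.com
2004-06-01T10:00:04 client=192.0.2.77 qtype=TXT qname=a8f3k29zq1m7x4v0.b7n2c5t9w1e4r6y8.tun.example.net
2004-06-01T10:00:05 client=192.0.2.77 qtype=TXT qname=q2w8e5r1t7y3u9i0.o4p6a2s8d1f5g7h3.tun.example.net
2004-06-01T10:00:06 client=192.0.2.77 qtype=TXT qname=z9x7c5v3b1n8m6k4.j2h0g8f6d4s2a0p9.tun.example.net
2004-06-01T10:00:07 client=192.0.2.77 qtype=TXT qname=l3k1j9h7g5f3d1s9.a7p5o3i1u9y7t5r3.tun.example.net
2004-06-01T10:00:08 client=192.0.2.77 qtype=A qname=www.example.com
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+qtype=(?P<qtype>\S+)\s+qname=(?P<qname>\S+)")


def parse_line(line):
    """Return {'client', 'qtype', 'qname'} for one log line, or None if it doesn't match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score near log2(alphabet)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Simplistic: last two labels. Good enough for the demo; real code would use a suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(log_text, txt_ratio=0.5, min_txt_queries=3, min_label_entropy=3.0, min_qname_len=40):
    """Return one finding per client whose TXT traffic looks like a data channel.

    A client is flagged when TXT queries make up at least txt_ratio of its lookups,
    there are at least min_txt_queries of them, and on average those names are long
    with a high-entropy longest label.
    """
    per_client = defaultdict(lambda: {"total": 0, "txt": [], "domains": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_client[rec["client"]]
        stats["total"] += 1
        if rec["qtype"].upper() == "TXT":
            stats["txt"].append(rec["qname"])
            stats["domains"].add(registered_domain(rec["qname"]))

    findings = []
    for client, stats in sorted(per_client.items()):
        txt = stats["txt"]
        if len(txt) < min_txt_queries or len(txt) / stats["total"] < txt_ratio:
            continue
        mean_len = sum(len(q) for q in txt) / len(txt)
        # entropy of the longest label in each name, averaged over the TXT queries
        mean_entropy = sum(shannon_entropy(max(q.split("."), key=len)) for q in txt) / len(txt)
        if mean_len >= min_qname_len and mean_entropy >= min_label_entropy:
            findings.append({
                "client": client,
                "txt_queries": len(txt),
                "total_queries": stats["total"],
                "mean_qname_len": round(mean_len, 1),
                "mean_label_entropy": round(mean_entropy, 2),
                "domains": sorted(stats["domains"]),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"suspicious DNS client {f['client']}: {f['txt_queries']}/{f['total_queries']} TXT, "
              f"avg len {f['mean_qname_len']}, entropy {f['mean_label_entropy']}, domains {f['domains']}")
```

The thresholds are deliberately crude; in practice you would tune them against a baseline of your own resolver's traffic, and treat a hit as a lead to investigate (which domain, how much data, which host) rather than a verdict. Note that the same detector applies to any record type used as a carrier, since it only looks at the shape of the names, not at the answers.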
An interesting article at LURHQ presents Scanrand Dissected. It's a great explanation of how scanrand works and also a speed comparison between it and nmap, although the author does point out that nmap has far more functionality than scanrand...
Looks like a great tool for quickly scanning networks for rogue servers....
An interesting article at nwfusion gives us The scoop on security policies. There are some good points in the article about keeping the policy short and to the point, although I've tended to find that in larger companies it is a real challenge to convey all the information that you need to your userbase in a very short policy. There are other alternatives of course, like splitting the information up over multiple documents, but that can lead to people reading the first one and none of the rest.
One other point to note is that even more important than the security policy itself is the communication method and the periodic reminders. If you only give someone the policy once and then never revisit it, most people WILL forget what's in it...
There's a good list of wardriving tools over at The Official WorldWide WarDrive site...
Also there are some interesting stats about the number of Wi-fi networks around.
As Details emerge of first cell phone worm, it shouldn't really be a surprise to anyone that this has happened. As more and more functionality is added to phones and the codebase size increases, we can expect to see more malicious code taking advantage of those vulnerabilities (I wonder when we'll see the first mobile phone A-V software ;op)
Whilst the current virus hasn't really had a huge impact, it is quite easy to see how one could be pretty devastating. For example, the current one is spread via Bluetooth, which is fairly short range; however, if a virus was able to cause a phone to dial all the numbers in its phonebook and transmit itself over this channel (or perhaps via a text message) you could see a pretty fast and widespread outbreak...
One point that, at the moment, mobile phones have in their favour over the PC world is that there is no one dominant OS or vendor, so any virus would automatically have a limited spread...
I came across an interesting site called Linux-Forensics.com. It's a good resource dedicated to the use of Linux in computer forensics.
Whilst in general I like the idea of using Linux in a lot of places, it'll have an uphill struggle in this area, I think, up against the likes of EnCase. One reason for this is that, at least in the UK, EnCase is recognised by the police and the courts as being a reliable forensic tool, the evidence from which can be admissible in court. So it would be a brave forensic investigator who used something else, which he would doubtless have more trouble justifying in court.
That said, not every forensic analysis ends up in court, and EnCase is a tad on the pricey side...
Web Services Are Biggest Security Challenge
An interesting article reporting on Netsec 2004 focuses on some of the challenges facing web services security. I definitely agree with the point that's made in the article about the problem of how contracts between web services will be negotiated. Initially, when I saw information about UDDI, I thought it looked cool for internal applications, but for external B2B there needs to be something more, as suppliers will inevitably want to charge for their web services and customers will inevitably want some guarantees about the service they'll be getting...
Here's another article around the idea of policy enforcement, this time on Switches.
As I said previously I think that this is the right way to go about it. If it is possible to block a machine from getting on the network if it doesn't meet certain criteria, then it would be possible not only to reduce the incidence of virii/worms in corporate networks, it might also provide some defence from non-corporate machines being placed on the network.
SecurityFocus HOME Infocus: Wireless Attacks and Penetration Testing (part 2
Second part of an interesting article on Wireless Pen Testing.
Came across an interesting SourceForge site with lots of hints and tips on things like Linux, MySQL and bash; oddly, it's called Souptonuts.
SecurityFocus HOME Infocus: TCP/IP Skills for Security Analysts (Part 2)
The second part of the article on TCP/IP skills for security analysts is up on securityfocus.com
The story over at SecurityFocus HOME News: Unpatched IE vuln exploited by adware provides an example of a valuable point, which is that it is not just "white hat" security researchers who are looking for bugs in Microsoft's (and other vendors') products. Which is why it's important that vendors get their patches out as soon as they can and don't take up to 200 days to release them...
Over at www.xmethods.net there's a really cool list of functional web services.
With each there's a link so you can try them out. It's a pretty diverse bunch, including practical things like currency conversion and less practical things like... random George W Bush quotes.
It definitely looks like wireless insecurity issues will be here to stay for the time being, with two vulnerabilities in popular Wi-Fi products being announced here and here.
The main problem with these types of vulnerabilities is that I don't think they will be patched anytime soon in the majority of affected devices. People are hardly waking up to the concept that software needs to be regularly patched, let alone the idea that hardware requires patches as well... Also, a lot of Wi-Fi products tend to be deployed in smaller organisations and homes, where there is typically less security knowledge than in larger firms...
Another problem is that, as noted here, in a lot of cases you don't even need a vulnerability to hack into a wireless network, as many vendors ship access points in a wide-open config!
Microsoft, Sun Security Paths Diverge
Well, here's a surprise (sorry, being a tad cynical): Microsoft and Sun will be working to two different standards WRT identity management... VHS and Betamax, anyone...
Wired News: Complex Passwords Foil Hacks
There's an interesting form of 2-factor authentication mentioned in this article on Wired: scratchcards that reveal one-time passwords. One thing that does occur to me is that I suppose they will need to be used in sequence (so that only one is valid at any one time), so what would happen if you wanted to skip one, for example if the cover on one rubbed off in your wallet and you weren't sure if someone else had seen it...
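The "what if I want to skip one" question above has a standard answer on the server side: accept the next code within a small look-ahead window, and once a code is accepted, invalidate it and every code before it. A skipped (possibly exposed) code is then dead, and a replayed code fails, while the list still only ever has a handful of live codes at a time. This also illustrates the second factor I argued for in the MasterCard post, since a phisher who captures the username and password still needs a code from the card. The code below is my own added example, not code from the Wired article or any scratchcard vendor; the card format, alphabet and window size are assumptions.

```python
import hashlib
import hmac
import secrets


def generate_card(count=10, length=8):
    """Produce the codes to be printed on one card (constructed here, not a vendor format).

    The alphabet omits 0/O and 1/I so a scratched-off code is less likely to be misread.
    """
    alphabet = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"
    return ["".join(secrets.choice(alphabet) for _ in range(length)) for _ in range(count)]


class ScratchCardVerifier:
    """Server-side state for one user's printed one-time-password list.

    Codes are expected in order, but a bounded look-ahead window lets the user skip
    codes they no longer trust (e.g. one whose cover rubbed off in a wallet).
    Accepting code N invalidates codes 0..N, so a skipped code can never be used later,
    and a code can never be replayed.
    """

    def __init__(self, codes, lookahead=3):
        if lookahead < 0:
            raise ValueError("lookahead must be non-negative")
        # Store only keyed hashes of the codes, as you would for passwords, so a
        # database leak does not hand out the remaining codes in the clear.
        self._salt = secrets.token_bytes(16)
        self._digests = [self._digest(c) for c in codes]
        self._next = 0          # index of the earliest code that is still live
        self._lookahead = lookahead

    def _digest(self, code):
        # normalise case so a user typing lower case is not rejected
        return hmac.new(self._salt, code.strip().upper().encode(), hashlib.sha256).digest()

    def verify(self, code):
        """Return True and advance past the matched code; False otherwise."""
        candidate = self._digest(code)
        upper = min(self._next + self._lookahead + 1, len(self._digests))
        for idx in range(self._next, upper):
            # constant-time comparison, as for any secret check
            if hmac.compare_digest(self._digests[idx], candidate):
                self._next = idx + 1
                return True
        return False

    def remaining(self):
        """How many codes on the card are still live (used to prompt for a new card)."""
        return len(self._digests) - self._next


if __name__ == "__main__":
    card = generate_card()
    verifier = ScratchCardVerifier(card, lookahead=3)
    print("user skips code 1 and enters code 2:", verifier.verify(card[1]))
    print("code 1 is now dead:", verifier.verify(card[0]))
    print("replaying code 2 fails:", verifier.verify(card[1]))
    print("codes remaining on card:", verifier.remaining())
```

The look-ahead window is the trade-off knob: too small and one rubbed-off code locks the user out, too large and an attacker who has seen several codes has more to try. Whatever the size, this check should sit behind the normal login rate limiting, because each failed guess only has a handful of live codes to hit.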
Information Security - Downloads
Some downloadable information on information security from the Department of Trade and Industry in the UK
InfoWorld: Network Associates is granted broad antispam patent (June 01, 2004)
Looks from this article like we'll be seeing some patent lawsuits soon in the security world. This is a good example of what I don't like about software patents: an overly broad patent, for which there may well be prior art, but in order to challenge it there will now have to be an expensive court case out of which no one will win but the lawyers!!!
sigh
Dana Epp's ramblings at the Sanctuary : Economics of Information Security
Dana has a link from a link on Axel's blog to a great article about security and economics by Ross Anderson (gee, blogging gets a bit overly linked at times :op)...
As with a lot of Ross Anderson's writings it's very thought-provoking, with many interesting ideas in it. A recommended read even if you're not into InfoSec, as it provides one possible explanation for things like why Microsoft dominates certain computing markets...
One of the many interesting ideas in it was an analysis of why even the best-funded security team can fall foul of a relatively poorly funded attacker in the computing world (starts on page 4).