March 2005 Archives
A write-up at Ars Technica of another successful social engineering exercise in London.... Of course, there's the usual point about how much of the information gathered is actually accurate, but I think it's still a good example of why humans can, in many cases, be the weak link in a security solution.
Handy site for accessing FTP sites from locations where you only have HTTP access. Of course, if you're paranoid like me then you wouldn't trust this service to transfer any sensitive data in the clear, as while they say they won't use any of the information gathered, there's nothing to guarantee that..... (not that I'm implying they will, I'm just paranoid!!)
This is a good walkthrough on using SSH to tunnel other protocols through firewalls.
Usually, though, I find that the protocols which are left open on firewalls these days are HTTP and sometimes SMTP....
Of course, HTTP is all you need, as things like SSL VPNs can be used to tunnel arbitrary protocols over HTTPS.... The flip side, for whoever runs the firewall, is that once one outbound port is allowed, what crosses it is whatever the client chooses to wrap in it, so a port-based rule says very little about the traffic. While I think of it, there's a handy free one called SSL Explorer.
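To make the mechanics concrete, here is an added example (mine, not code from the walkthrough or from SSL Explorer): the client-side relay that `ssh -L` sets up, written as a plain Python port forwarder. It listens on a local port and copies bytes in both directions to a fixed target, so whatever TCP protocol the client speaks to the local port ends up at the target. The encrypted SSH (or HTTPS) hop that hides the traffic from the firewall is left out so the whole thing runs offline over loopback; the echo service it forwards to, and all the ports, are constructed for the demo.

```python
"""Minimal local port forwarder: the client-side relay half of `ssh -L`.

Added example, not code from the linked walkthrough. It accepts connections on
a local port and relays each one, byte for byte, to a fixed target, which is how
ssh -L (or an SSL VPN) carries an arbitrary TCP protocol over one allowed
connection. The encrypted hop is omitted: the relay goes over plain loopback
sockets so it runs offline. The echo service and every port are demo assumptions.
"""
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src closes, then close dst's write side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, target_host, target_port):
    """Connect to the target and pump both directions for one forwarded connection."""
    try:
        upstream = socket.create_connection((target_host, target_port), timeout=5)
    except OSError:
        client.close()
        return
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join(timeout=5)
    client.close()
    upstream.close()


def start_forwarder(target_host, target_port, listen_host="127.0.0.1", listen_port=0):
    """Listen on listen_host:listen_port (0 = OS picks) and return the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_relay, args=(client, target_host, target_port),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def start_echo_server():
    """Stand-in for the service behind the firewall (constructed for the demo):
    reads one request and echoes it back upper-cased. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(conn.recv(4096).upper())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def send_through(port, payload):
    """Speak the toy protocol (send a request, read the reply) via the local port."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    service_port = start_echo_server()
    local_port = start_forwarder("127.0.0.1", service_port)
    print(send_through(local_port, b"hello through the tunnel\n"))
```

The client never talks to the service's port directly; it only ever sees the local listener, which is exactly the view an application gets when pointed at `localhost:<port>` with `ssh -L` running. In the real thing the upstream side of `_relay` is the SSH channel rather than a second loopback socket.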
Cool security info. from Microsoft.....
A pointer to an interesting article to read...
Well, this isn't a good thing for security research in my opinion. Whilst I don't always think that security companies getting press by releasing exploits is a good thing, it is one of the main ways that software companies seem to be put under pressure to improve the security of their software.
Ideally, companies would always be proactive about improving the security of their systems, but in the real world other things tend to take precedence, unless it's made a priority for them by external people, either security researchers pointing out flaws or "black hats" exploiting their software...
Arguably, if Microsoft hadn't developed such a bad reputation for security a couple of years ago, we wouldn't have seen all the excellent initiatives they're producing now.....
Some interesting comments about the study comparing Red Hat and Windows Server 2003 over at Robert Hensing's blog.
As people will know if they've been following Slashdot, it turns out that this study was sponsored by Microsoft.
At first glance I like the principles behind the methodology used, i.e. using a specific server role rather than a generic install. I'll hopefully get a chance to read it in more detail, but a couple of things do niggle at me from my first read-through.
When they go through the nmap results for the "minimal" Linux install, it appears to have ports open that weren't there on the full install (631/tcp for CUPS)! I find that a bit hard to believe, and even if there is a flaw in the install process, any competent admin will shut down and remove CUPS as soon as they realise it's running.
Also, any competent admin will shut down the other services like the RPC ports mentioned (111/tcp and 32768/tcp) and remove the software using them.
Not being too up on my MS stuff at the moment, I can't comment on whether simple hardening steps would improve its performance (as far as I can recall, shutting down ports like 445 is nigh-on impossible outside of firewalling the host).
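The study's role-based approach can be turned into a check an admin would actually run after a scan. The following is an added example of mine, not something from the study or from this blog: it parses nmap's normal output, compares the open ports against what the chosen server role should expose, and names the daemon usually behind each stray port so it can be stopped and removed. The role baselines and daemon hints are assumptions, and the scan text is constructed around the ports mentioned above rather than taken from a real host.

```python
"""Role-baseline check over nmap output (added example, not from the study or the blog).

Parse `nmap` normal output, compare the open ports with what the host's role
should expose, and name the daemon that usually owns each stray port. The
baselines and hints are assumptions for the demo; SAMPLE_SCAN is constructed.
"""
import re

# What a hardened host in each role should have listening (assumed values).
ROLE_BASELINES = {
    "web": {"22/tcp", "80/tcp", "443/tcp"},
    "mail": {"22/tcp", "25/tcp"},
}

# nmap's service label for well-known ports, mapped to the daemon usually behind it
# on a Linux box (assumed; confirm with `netstat -tlnp` or `lsof -i` before removing).
DAEMON_HINTS = {
    "ipp": "cups (remove unless the host is a print server)",
    "rpcbind": "portmap (remove unless NFS/NIS is actually needed)",
}

# One port line of nmap normal output: "631/tcp   open   ipp"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def open_ports(nmap_text):
    """Return {'631/tcp': 'ipp', ...} for every port nmap reports as open."""
    found = {}
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            found[f"{m.group(1)}/{m.group(2)}"] = m.group(4)
    return found


def unexpected_ports(nmap_text, role):
    """List (port, service, hint) for each open port outside the role's baseline,
    in ascending port order."""
    baseline = ROLE_BASELINES[role]
    ports = open_ports(nmap_text)
    stray = []
    for port in sorted(ports, key=lambda p: int(p.split("/")[0])):
        if port not in baseline:
            hint = DAEMON_HINTS.get(ports[port], "identify the owning process before removing")
            stray.append((port, ports[port], hint))
    return stray


# Constructed sample in nmap's normal output format, modelled on the ports the post mentions.
SAMPLE_SCAN = """\
Starting nmap ( http://www.insecure.org/nmap/ ) at 2005-03-01 10:00 GMT
Interesting ports on minimal-web (192.0.2.10):
PORT      STATE  SERVICE
22/tcp    open   ssh
80/tcp    open   http
111/tcp   open   rpcbind
631/tcp   open   ipp
1024/tcp  closed kdm
32768/tcp open   unknown
"""

if __name__ == "__main__":
    for port, svc, hint in unexpected_ports(SAMPLE_SCAN, "web"):
        print(f"{port:<10} {svc:<8} {hint}")
```

Closed ports are deliberately ignored (they are already not a listener), and anything nmap can't name is reported with a "go and look" hint rather than a guess, since the fix is removing the package that owns the socket, not just filtering the port.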
All in all, it's an interesting study and definitely shows that the more modern Microsoft products have a much better stance in relation to security.
[rant] If only their marketing people would allow them to abandon their "you must install irrelevant components and then we'll make it really hard to remove them" stance, they'd be onto a real winner!
Why do Microsoft insist that you need a web browser on a server? For that matter, why do you have to install a GUI on a server? It's irrelevant in many cases. The server will be put in a rack in a datacentre and no-one will physically log onto it again! [/rant]
Handy link to loads of security mailing lists
Came across this page; looks like a good source of information about BS 7799.
On this page there's a write-up of a service called MarketScore which tracks your movements on the Internet by becoming a proxy for your browser, if you sign up to it. Now that's maybe something you wouldn't want, but there's more.
As part of the installation they install their own root certificate into your browser and then proxy all your SSL connections!!! That root certificate is what makes the interception invisible: the proxy terminates your SSL session itself and presents the browser a certificate for the site, signed by the root it installed, so the padlock stays on and no warning appears.
So this means that all your online banking passwords could be intercepted by this company, or, if their servers were to be successfully attacked, by the attacker, and I would expect that this kind of company would prove a very tempting target for hackers (why compromise individual PCs when you can get all the traffic passing through a proxy).
Apart from anything else, I would expect that using a service which intercepts the SSL connection to your bank or other service may violate their terms of service (allowing someone else access to your sign-on credentials).
Whilst there's limited information available on this attack, what's being mentioned so far is that the attackers used keylogging software to gather passwords, etc.
Now this comes onto a pet crusade of mine (I've mentioned it before here). Companies need to realise that access to all their critical information assets is through client devices, so it's pretty pointless to spend lots of money securing network perimeters and key servers and then leave the client devices which connect to them open to attack! A keylogger is the obvious case: if the box the admin types on is compromised, the passwords that open the hardened servers leave with it, however strong the perimeter.
At the least, devices used by people with elevated privileges (e.g. sysadmins) should get additional protection like host firewalls and host-based IDS, and where possible should be kept in a physically secure location, as it's very difficult to secure a device once an attacker has physical access to it.
Handy link to a free online book on Windows security for .NET developers.
Looks like as alternative browsers get more popular, we'll start seeing more attacks levelled at them, although there is some irony that this one uses Internet Explorer to actually effect the compromise.
Another interesting piece, on SCADA security, from Bruce Schneier's blog. It's a good example of unintended consequences. When SCADA systems were designed it looks like most weren't expected to ever be connected to a general corporate network (let alone the Internet), and as such they rarely had the kind of security built in that you would expect from systems controlling pieces of critical infrastructure.
There's some interesting commentary on this piece as well and some good links on SCADA security....
This story covers an angle of the regulatory compliance issue, where companies' compliance burdens are leading them to purchase additional IT security systems...
I hope this story is only telling one piece of the story for these companies, 'cause without decent policies and procedures a whole load of new tools won't help you much in proving to regulators that you have a well controlled IT environment....
Handy guide to hashing
Interesting perspective on SOX in this article: that the huge amounts of data being assembled for SOX compliance purposes will cause frauds to go unnoticed... I did notice that the quote came from a company whose business involves selling data analysis tools!
Interesting to see new categories of attacks gaining in popularity, as highlighted in this handlers' diary entry.
Adding malicious content to hosted websites is a handy way for malware authors to ensure that their code will be executed, rather than relying on e-mails with links, which (hopefully) are a less useful vector (surely by now a decent percentage of Internet users don't go around clicking links sent in e-mail....).
Also another good example (as if anyone needed more) of why patching is critical to protecting PCs at the moment: a compromised site can only run code on a visitor's machine if the browser, or something it hands the content to, has an unpatched hole for it to exploit.
An interesting post over at Financial Cryptography looks at the practical implications of a recent paper on collisions in MD5 and the possible effects on the security of certificates.
I'd agree that the paper has been taken out of context in a lot of stories, but then that seems to happen a lot when the journalists covering something aren't necessarily experts in that field; also, I suppose there must be a temptation for the researchers to talk up their findings...
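What the collision means in practice is easier to see with the numbers in hand. The following is an added example of mine, not from the Financial Cryptography post or from the paper it discusses: it checks the published Wang et al. MD5 colliding pair, then shows why a collision in the first two blocks is enough to matter for anything signed over MD5, since MD5 is iterated over 64-byte blocks and any suffix appended to both halves keeps them colliding. The suffix is a constructed stand-in for a document body; the SHA-1 comparison is there because SHA-1 was the usual suggested replacement at the time.

```python
"""Why a two-block MD5 collision matters for anything signed over MD5.

Added example, not from the Financial Cryptography post or the paper it covers.
BLOCK_A and BLOCK_B are the published Wang et al. colliding pair: 128 bytes
each, differing in six bytes, same MD5. Because MD5 is an iterated hash over
64-byte blocks, two inputs that reach the same internal state stay colliding
under any common suffix, so a signature over one document covers the other.
The suffix below is a constructed stand-in for a real document body.
"""
import hashlib

BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def differing_bytes(a, b):
    """Offsets at which two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collides_with_suffix(suffix):
    """True if BLOCK_A+suffix and BLOCK_B+suffix still share an MD5 digest.

    This holds for every suffix: after the two colliding 64-byte blocks the
    compression function is in the same state for both inputs, and everything
    that follows is processed identically."""
    return md5_hex(BLOCK_A + suffix) == md5_hex(BLOCK_B + suffix)


def digest_report(suffix):
    """Side-by-side digests of the two 'documents' built from each block plus suffix."""
    return {
        "differ_at": differing_bytes(BLOCK_A, BLOCK_B),
        "md5_a": md5_hex(BLOCK_A + suffix),
        "md5_b": md5_hex(BLOCK_B + suffix),
        "sha1_a": sha1_hex(BLOCK_A + suffix),
        "sha1_b": sha1_hex(BLOCK_B + suffix),
    }


if __name__ == "__main__":
    # Constructed stand-in for the part of a document (or certificate body) that
    # would follow the colliding blocks.
    body = b"-- constructed document body, signed over MD5 --"
    for k, v in digest_report(body).items():
        print(f"{k:10} {v}")
```

The point the stories tended to miss is the suffix property: the researchers' blocks look like noise, but whoever controls the bytes before the signature is computed can put the noise where nobody reads it and the meaningful content after it, and the MD5 signature is then valid for both versions. The SHA-1 digests of the same two inputs differ, which is why switching the signature hash was the practical advice.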
Well, the blog's been offline for about 2 months, not really to plan....
Caused by a series of hardware failures in the old server: first the motherboard/processor and then the system disk, 2 days later!
Combined with a 3 week holiday in India, that left me sans server for quite a while...
But I'm back up and running now, better than ever; the server's gone from a PII-450 to an Athlon 64 2800+, which should make things a bit nippier.....