August 2005 Archives

Started putting stuff on here again after a long while off... have been busy doing things with Wireless networks and the like which I may get round to posting some time.

I've also been trying my hand at website design. After looking at many Content Management Systems and not really finding any that suited what I wanted (a quick simple site with content about a given subject, no forums, no news section, no logins...) I reverted to the fine art of the text editor, a book on HTML and CSS and some websites..

At the end of it is a site about Scottish Artist Isobel Ellis (or the mother-in-law as she's also known!)

InformationWeek > SSL > Banks Abandoning SSL On Home Page Log-Ins > August 23, 2005

Interesting story noting that some big financial players in the US are changing their banking login pages from SSL for the whole page, to just creating an SSL session when the credentials are submitted...

The obvious point is made in the story, that this makes a Man in the Middle attack against the bank far easier as the content of the page can be modified without any pesky encryption getting in the way...

Insight into worm author's motives

Security Fix story covering a conversation with the alleged author of the Zotob worm. What's interesting from this is that his goal appears to have been to make it easy for spyware and other nasties to get installed on PCs through the modification of IE security levels...

It's a nasty attack as I bet most people wouldn't notice that the change had been made... (when was the last time you checked your IE Security Levels...)

V. Handy new IIS exploit

SecuriTeam.com ™ - IIS Information Disclosure

(NB I've not tested/run this yet so dunno if it does what it says on the tin)


Interesting looking new exploit for IIS over at SecuriTeam... This may allow you to get access to error information on IIS6 which would be very handy when looking for SQL injection/XSS vulnerabilities...

Today's IE vulnerability ...

Security Fix story referring to a new IE vulnerability, sounds reasonably nasty. According to the advisory here it affects XP SP2, which is interesting.

Unpatched at the moment... so time to use Firefox/Opera for a while :o)

Mobile phone virii

Bluetooth adverts spark virus fears - vnunet.com

Story discussing a new advertising technique whereby content is transmitted directly to bluetooth phones, and pointing out the risks of getting users in the habit of accepting content beamed to them.

The comments from the company making the advertising mechanism are interesting. They seem to be saying it's ok because their campaigns only contain music and video and not applications, and that users should never install unrecognised applications...

To me this seems a bit naive. If you look at the PC market, you see exploits where malicious code pretending to be music or video files can be executed due to vulnerabilities in media players. Also you're relying on users to be able to tell the difference, and spyware makers have proven very good at getting people to believe that their content is not an "unrecognised application" in order to get installed....

17799 User Group

ISO 17799 and BS7799 User Group

A useful source of information about 17799.

Mobile Phone Tracking

BBC NEWS | Technology | Tracking a suspect by mobile phone

A decent description of the ease with which people can be tracked, based on their mobile phones. In this case used to track down a terrorist suspect.

Also describes potential methods of phone tapping used by the police.

About this Archive

This page is an archive of entries from August 2005 listed from newest to oldest.
