Security musings (reflectorium)
Friday, December 19, 2003
Overreliance on Powerpoint leads to simplistic thinking
This article points out that the simplification made in Powerpoint slides tends to break up conclusive arguments and to omit important accompanying information. NASA hinted that this might have been one of the causes behind the Columbia disaster. - I think that this should not be blamed on the software, but on the overall culture of how we do presentations today. (too many bullet points and wiggly graphics, too little reasoning and actual communication)
Thursday, December 18, 2003
Another reason you don't want Edonkey/Overnet on your network
Bugtraq has a very interesting thread on "Edonkey/Overnet Plugins capable of Virus/Worm behavior". As Julian Ashton put it: "I am writing the FastTrack plugin for Edonkey/Overnet and during this process have realized that this is by far the worst and most insecure plugin architecture I have ever seen in my life." - His list of access given to bad plugins includes: local code execution, unlimited disk access and "basically anything you can imagine in the world that can be done to a windows os machine." - Bear in mind that lots of users run edonkey/overnet.
This has the potential to create huge zombie networks, e.g. for Distributed-Denial-Of-Service attacks. Because of the decentralised nature of the peer-to-peer networks, it would be easy for an attacker to control them (and potentially introduce changes to the code). I have the strange feeling that 2004 will be the year of p2p malware.
It's a really interesting thread and should definitely discourage you...
Free BS7799.2:2002 checklist at SANS
SANS has a free checklist / questionnaire for BS7799 (ISO17799) implementation available for download. - This should be very interesting to all the newcomers to the field of security management who haven't got hold of the standards yet. (BS7799 part 2 is pretty much a checklist.) Also for all CISSPs-in-training...
Wednesday, December 17, 2003
New version of Beast
Rumour has it that a new version of the Beast trojan is around on the Net. There's a good article on it here. - Good background on dll injection, too.
Microsoft RPC attack vectors
Core Security Technologies has a nice write-up here.
Trojans doing peer-to-peer communication
The Internet Storm Center's handler diary today points out an increase in 53/udp traffic. This appears to be tied to W32/Calypso (aka: Backdoor.Sinit). This trojan appears to build a peer-to-peer network by communicating via 53/udp to random hosts.
More details can be found at LURHQ and at this site by George Bakos.
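A defender-side check for the pattern described above (a host talking udp/53 to many random peers instead of its configured resolvers), added here as an illustration and not code from the handler diary or from LURHQ; the flow lines, addresses and the resolver set are constructed and hypothetical:

```python
from collections import defaultdict

# Constructed flow-log lines "src dst proto dport"; hypothetical addresses, not a real capture.
SAMPLE_FLOWS = """\
10.0.0.7 198.51.100.14 udp 53
10.0.0.7 203.0.113.77 udp 53
10.0.0.7 192.0.2.9 udp 53
10.0.0.7 198.51.100.200 udp 53
10.0.0.7 203.0.113.5 udp 53
10.0.0.7 192.0.2.130 udp 53
10.0.0.8 10.0.0.53 udp 53
10.0.0.8 10.0.0.53 udp 53
10.0.0.9 10.0.0.53 udp 53
10.0.0.9 192.0.2.44 udp 53
10.0.0.9 203.0.113.1 udp 53
10.0.0.7 192.0.2.9 tcp 80
"""

# Hypothetical: the resolvers hosts on this network are supposed to query.
RESOLVERS = {"10.0.0.53"}


def parse_flows(text):
    """Turn whitespace-separated log lines into (src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        src, dst, proto, dport = parts
        flows.append((src, dst, proto.lower(), int(dport)))
    return flows


def udp53_fanout(flows, resolvers, threshold=5):
    """Map each source to the distinct non-resolver hosts it sent udp/53 to,
    keeping only sources at or above the threshold. A normal client talks to a
    handful of configured resolvers; a peer-to-peer bot talks to many random
    hosts on the same port, which is the fan-out this flags."""
    peers = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "udp" and dport == 53 and dst not in resolvers:
            peers[src].add(dst)
    return {src: sorted(dsts) for src, dsts in peers.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, dsts in udp53_fanout(parse_flows(SAMPLE_FLOWS), RESOLVERS).items():
        print(f"{src}: udp/53 to {len(dsts)} distinct non-resolver hosts")
```

The threshold is a tuning knob: lower it on a network where every client is pinned to an internal resolver, raise it where roaming laptops legitimately hit several external resolvers.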
CD-based Linux distros - LNX-BBC, eloop, others
I tried quite a few Linux distributions that can be run directly off the CD. I found LNX-BBC Linux an excellent solution for running sshd on laptops and doing *serious* stuff. F.I.R.E. is another interesting one. There's now a lot of development happening based on the Knoppix distribution.
I plan to give eloop a try soon. Eloop creates a Serpent-encrypted filesystem on a Windows partition and helps you to encrypt personal files. At least, I want to be able to recognize an eloop-ed system when I see one.
Serpent was an AES candidate developed by Ross Anderson et al.
SSH, SCP in a Java Applet
During the weekend, John hinted to me that there's a Java applet that gives you ssh and scp. After some searching, I think that he might have meant this one. Very nice, handy and GPL'ed.
Tuesday, December 16, 2003
Company-internal communications made public - make Diebold look not so good
This is almost a case study, on how bad things can go if internal company mails are made public. Or very public as in this case. (Securityfocus Article with link to the original archive)
Bluetooth insecurity (SNARF and BACKDOOR)
Bluestumbler.org has some friendly advice on Bluetooth security, and on a related note this article on heise (in German) discusses a universal password in D-Link's Bluetooth access point.
Friday, December 12, 2003
Famous failures of physical perimeter protection - WSIS 2003
A group of privacy researchers managed to get past physical security at the WSIS (World Summit on the Information Society) in Geneva on Dec 10th, 2003. They found RFIDs... (Here's their site.)
Famous failures of physical perimeter protection - Menwith Hill
On July 3rd, 2001, Greenpeace activists stormed Menwith Hill in the UK (a quite famous sigint site). When I first read this, I was amazed how this could have happened. On second thought... (Here's the article.)
Wednesday, December 10, 2003
Federal Agency Security Practices (FASP)
This is an interesting site, with best practices, security awareness briefings and checklists for setting up systems.
There's a very interesting section on this page that has material by Marianne Swanson et al on security metrics. She's the co-author of "SP 800-55 Security Metrics Guide for Information Technology Systems", which among other documents can be retrieved at http://csrc.nist.gov/publications/nistpubs/index.html - I found her materials very thought-provoking, please have a look.
Computer security report card issued by the US House Government Reform Subcommittee on Technology
While US government agencies overall received a "D" grade for computer security, Department of Homeland Security received an "F". (Media coverage, "the source")
Tuesday, December 09, 2003
German Mcert launched
A German public-private initiative has launched mcert, a German CERT for medium-sized companies. They have a price list up, and the future will show how effective they will be.
Also, the German government launched an informational site to help these companies to use the Internet more securely.
U.S. Federal Trade Commission (FTC) probes into e-business security
An article at securityfocus.com covers recent US FTC probes into the security of US e-businesses, e.g. how secure customer data is kept. Several large companies are mentioned. The FTC uses its "anti-consumer fraud mandate" in these cases. Special focus seems to be on SQL injection attacks. This is interesting as it should make US companies take a more active stance towards periodic vulnerability scans of internet-facing systems. (Good security management argument).
Monday, December 08, 2003
Security management papers at ZDNet
ZDNet has a couple of vendor-written security management whitepapers. Of course, the trick is - how do the vendors know?
Distributed trojans or self-replicating peer-to-peer networks
There's an interesting article at ArsTechnica that looks into a new motivation behind trojans: creating peer-to-peer networks.
Internet Engineering Task Force
I'm a participant of the Internet Engineering Task Force (IETF), more precisely the Extended Incident Handling "inch" working group. (Something that has been lingering in my mind for quite a while.) The charters of the security area working groups can be found here. This is a very worthwhile effort, so please consider supporting it.
Thursday, December 04, 2003
A good place to drown in information?
Infosyssec.net is at first glance overwhelming, but has some really nice corners, e.g. on Standards and Regulations, ... Another nice place to find more of these is http://www.diffuse.org/secure.html
- And finally ISM Ant's Security Matters gives a nice view on what "governance", "policies", "standards" and "guidelines" might be. (incl. seasoned links)
Wednesday, December 03, 2003
CI Security
They have benchmarks, tools and they do share.
Tuesday, December 02, 2003
SQL Server Security
From searchdatabase.com: SQL Server security tips, part 2; How SQL Server is hacked; Top 10 SQL Server security blunders, part I; Top 10 SQL Server security blunders, part II
Selected Securityfocus Articles
A really nice article on securityfocus on the value of security blogs, RSS aggregators and how you can put them to work more efficiently. There's also a part two, which goes into RSS details (and why it's a good thing). [Wished I had one.]
Also, in another excellent securityfocus article, Mark Rasch looks at the Wells Fargo case with a special emphasis on California law SB 1386: "In July of this year, a new law took effect in California, SB 1386, that requires all companies that do business in the state to "promptly" notify any individuals whose personally identifiable information was potentially compromised by a cyber attack...."
More Security Resources
Gideon Rasmussen is keeping a list of security management-oriented security resources. I like the random security awareness tips.