Online Security scanners List

Here's an interesting list of online security scanners.

Security Assessments vs Penetration Tests

Jeremiah Grossman: The difference between Security Assessments and Penetration Tests
Interesting post from Jeremiah Grossman on the differences between security assessments and Penetration Tests.
He's pretty much captured all the salient points and it's well worth reading as it's a pretty common point of confusion (even amongst general InfoSec people).
One thing that strikes me about it, is it leads to the question "When would I want a penetration test then?". The answer seems to me to be "only when you're pretty confident that it won't find anything!"
The reason for this is that until everything is locked down and sorted you should be doing security assessment style reviews which try to find all the available security weaknesses and only when you're comfortable that it should all be right do you engage with a penetration testing team to try that black box "try and break in" approach.
The other point would be, if you can only afford to have one type of review done, a penetration test probably isn't a good idea, in that whilst it will prove if you can be broken into (at a given point in time by a given person), there's still the likelihood that there are other ways of breaking in that haven't been found as the penetration tester probably won't keep looking once they're in...

(Firefox) Extension Security

Here's one that I think will be a growing problem... 3rd party extension security. I'll use Firefox as an example as it uses this kind of system, but I don't think that the problem is limited to Firefox.
So you've got a piece of software from an organisation you trust (whether you should or not's a different question), in this case the Firefox browser. You download it and install it from the main site (hey if you're good you even check the MD5SUM to make sure it's as packaged).
Now one of the best features of Firefox is the extensive range of extensions that are available to add useful functionality to the browser. Things like NoScript or Web Developer are real handy things to have and I definitely install them every time I install Firefox.
Now here's the problem... do you trust the people that wrote those plug-ins, or an even wider question, do you trust the security of the environment that those plug-ins were developed in? Do you even know who the person who wrote the plug-in is?
Some people may say "why do I care it's just a browser", yeah but do you do E-Commerce and put your credit card details into webpages? Do you do on-line banking? Do you use a browser for it?
A very brief read uncovered one instance of a rogue plug-in last year (more here and here) but I doubt it'll be the last.
One thing I've not read up on yet is what security model there is for what actions a plug-in can take when installed... my instinct says that in this case there's not too much restriction, but worth investigating anyway.

Security Bloggers Network

Came across this handy FeedBurner security blog network here.
Some of the blogs I've seen before, but there's a fair quantity of new interesting ones as well which I've been busily adding to seachinfosec.

Cisco code execution Vulnerability

This advisory on Cisco's site could be very nasty.
It appears that there's a vulnerability in IOS that can be exploited by sending crafted packets, and can result in DoS or remote code execution.
If an exploit for this becomes available then expect a lot of problems...

Software security and Vulnerability Pimps

ryanlrussell: Vulnerability Pimps
Some very interesting commentary which follows on from a posting on Marcus Ranum's site here which is in itself very interesting.
All good stuff if you're interested in software security, but the piece that caught my eye is right at the end of the comments section:

I'm hearing from the vulnerability pimps that, yes, code security is improving. They are reporting that it's much harder to find a remote hole in the current operating systems.

So security on operating systems is getting better... not really a surprise given the battering they've had and the level of resource that people like Microsoft are putting into it.
But... reckon that the hackers will go home now? Of course not, they'll move on and I reckon that the place they'll go is all those other software applications that people install on their systems that come from vendors who maybe haven't woken up to the necessity of secure coding.
Sure it'll be harder for hackers to get coverage on as many systems 'cause there aren't all that many software monopolies out there, but I'm sure that's where they'll go.
So a good time to be asking the suppliers of all your applications what they do about software security. Do they do security code audits? What tools do they use for those audits? Have all their developers had secure development training?

Perils of persistent Logins...

Interesting post from Nitesh Dhanjani here pointing out a problem with Gmail contact lists being available to malicious website owners.
Now this only works if you're logged into Gmail, but if you've used it recently and not explicitly logged out... then it'll keep you logged in...
Now Google should obviously fix this problem, but I think that there is a wider point here. Don't leave yourself logged in to websites and be very wary about what you let your browser manage for you security-wise as it's not very security wise (oh I crack myself up ;o)

New Free Database scanner... a Windows only Java program!

There's a new freeware database security scanner available called Scuba from Imperva.
The front page looks quite interesting so I'll be sure to have a look at it. However not today, as I'm not in front of a Windows machine.
And here's the really weird bit. When I heard about it I noted that it's a Java program... "great" I thought, it'll run nicely on Linux (which I use almost exclusively at home, apart from the odd game) but... it's a Java program that requires Windows!!
What the heck is the point of that!
"No problem" I thought "I'll just download the archive and there'll be a JAR file there that I can run manually"....
No.
When you download the program it extracts one .exe file!
Why bother programming something in Java if you're going to tie it to Windows!!

The wonders of modern (open source) technology...

I was just thinking that there's lots of little advances in technology that you don't really think about but that add up to make a real difference to what you can do.
This time it's a combo of SSL VPNs and free broadband Internet in hotels that's letting me sit here and listen to any music from my home music collection without having to tote around a player with me (that I always forget to charge!)
And the great thing is... it's all free.
The SSL VPN is courtesy of the excellent sslexplorer. The community edition is stored on my CentOS server at home which has a port forward from my little ipcop firewall.
The next piece of the puzzle is slimserver which is designed to support Slim Devices Squeezeboxes, but which they release as a free download whether you use their product or not... This lets me set up a stream over HTTP of any music I like, that I can connect to with any media player (Windows Media etc).
Actually what occurs to me is that the common piece of all this is open source software. Without that all this would cost me a fortune and very likely I wouldn't have it at all...! Yay open source.

Cool netstat and wmic stuff

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System
This post on the SANS handlers log has some really useful information about the use of netstat to detect connection information on Windows boxes, with some features that I wasn't aware of.
Also put me on to something else that I've been woefully ignorant of: wmic.
This looks like a really handy command-line tool for getting information out of Windows boxes. From what I can see so far, there's a load of interesting information that you can get from it. To get started just type "wmic" from a command prompt then type /? for a list of "aliases" that wmic uses for information retrieval.
Some of the commands I've found so far which seem handy: "process list brief" and "nicconfig list brief", but you can use the /? switch after anything to get some useful help about options...
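
One way to join the two tools' output for triage, as an added example (not from the original post or the SANS diary): it parses `netstat -ano` and `wmic process get Name,ProcessId /format:csv` output and attaches a process name to each socket. The sample output, host name, addresses and PIDs are constructed, and the CSV form of the wmic query is an assumption chosen here for easier parsing.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.20:49712     203.0.113.7:443        ESTABLISHED     2044
  UDP    0.0.0.0:500            *:*                                    680
"""

# Constructed sample of `wmic process get Name,ProcessId /format:csv` output.
WMIC_SAMPLE = """\
Node,Name,ProcessId
HOST1,lsass.exe,680
HOST1,svchost.exe,912
HOST1,firefox.exe,2044
"""

def parse_netstat(text):
    """Return one dict per TCP/UDP line; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue
        # UDP lines have no State column, so the PID is always the last field.
        state = f[3] if f[0] == "TCP" and len(f) == 5 else ""
        rows.append({"proto": f[0], "local": f[1], "remote": f[2],
                     "state": state, "pid": int(f[-1])})
    return rows

def parse_wmic_csv(text):
    """Map PID -> image name from wmic CSV output."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return {int(r["ProcessId"]): r["Name"] for r in reader if r.get("ProcessId")}

def correlate(netstat_text, wmic_text):
    """Attach a process name to every socket; unmatched PIDs get '<unknown>'."""
    names = parse_wmic_csv(wmic_text)
    return [dict(r, name=names.get(r["pid"], "<unknown>"))
            for r in parse_netstat(netstat_text)]

def unattributed_listeners(rows):
    """Listening or UDP sockets whose owning PID is absent from the process list."""
    return [r for r in rows if r["name"] == "<unknown>"
            and (r["state"] == "LISTENING" or r["proto"] == "UDP")]

if __name__ == "__main__":
    for r in correlate(NETSTAT_SAMPLE, WMIC_SAMPLE):
        print(r["proto"], r["local"], r["state"] or "-", r["pid"], r["name"])
```

A listener whose PID has no entry in the process snapshot (PID 3120 in the sample) is the row worth a second look, since the process either exited between the two commands or is not visible to wmic.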