Very nasty Solaris telnet bug

There's some information on a very nasty Solaris telnet vulnerability over at the Computer Defense blog.
Now hopefully this'll have limited impact 'cause all the Solaris admins out there are running SSH already...
Doubt it though, I've heard quite a few unix/router guys argue against dropping telnet in the past, so there's probably quite a few boxes out there still using it...

The Final Frontier for Microsoft Security - Complexity

There's a really interesting posting at Visual Complexity that provides a good illustration of what I think Microsoft's main remaining problem in regards to security is.
MS have done tons of work improving their code quality, improving their default builds and adding features like Address Space Layout Randomization (ASLR) to make hacking into their products harder.
The one area that's left is complexity. Ultimately the more code that is installed on a system, the more code there is to be attacked, either remotely or locally. What the graphs from Visual Complexity show is that for web servers, IIS on Windows has more potentially active code than Apache on Linux.
Hopefully some of the other stories that have surfaced recently will lead to the possibility of having a very stripped down Windows OS if you need it...

Online Security scanners List

Here's an interesting list of online security scanners.

Security Assessments vs Penetration Tests

Jeremiah Grossman: The difference between Security Assessments and Penetration Tests
Interesting post from Jeremiah Grossman on the differences between security assessments and Penetration Tests.
He's pretty much captured all the salient points and it's well worth reading, as it's a pretty common point of confusion (even amongst general InfoSec people).
One thing that strikes me about it is that it leads to the question "When would I want a penetration test then?". The answer seems to me to be "only when you're pretty confident that it won't find anything!"
The reason for this is that until everything is locked down and sorted you should be doing security assessment style reviews, which try to find all the available security weaknesses; only when you're comfortable that it should all be right do you engage a penetration testing team to try that black box "try and break in" approach.
The other point would be that if you can only afford to have one type of review done, a penetration test probably isn't a good idea: whilst it will prove whether you can be broken into (at a given point in time by a given person), there's still the likelihood that there are other ways of breaking in that haven't been found, as the penetration tester probably won't keep looking once they're in...

(Firefox) Extension Security

Here's one that I think will be a growing problem... 3rd party extension security. I'll use Firefox as an example as it uses this kind of system, but I don't think that the problem is limited to Firefox.
So you've got a piece of software from an organisation you trust (whether you should or not is a different question), in this case the Firefox browser. You download it and install it from the main site (hey, if you're good you even check the MD5SUM to make sure it's as packaged).
Now one of the best features of Firefox is the extensive range of extensions that are available to add useful functionality to the browser. Things like NoScript or Web Developer are real handy things to have and I definitely install them every time I install Firefox.
Now here's the problem... do you trust the people that wrote those plug-ins, or, an even wider question, do you trust the security of the environment that those plug-ins were developed in? Do you even know who the person who wrote the plug-in is?
Some people may say "why do I care, it's just a browser", yeah, but do you do e-commerce and put your credit card details into webpages? Do you do on-line banking? Do you use a browser for it?
A very brief read uncovered one instance of a rogue plug-in last year (more here and here) but I doubt it'll be the last.
One thing I've not read up on yet is what security model there is for what actions a plug-in can take once installed... my instinct says that in this case there's not too much restriction, but it's worth investigating anyway.

Security Bloggers Network

Came across this handy FeedBurner security blog network here.
Some of the blogs I've seen before, but there's a fair quantity of new interesting ones as well, which I've been busily adding to seachinfosec.

Cisco code execution Vulnerability

This advisory on Cisco's site could be very nasty.
It appears that there's a vulnerability in IOS that can be exploited by sending crafted packets, and which can result in DoS or remote code execution.
If an exploit for this becomes available then expect a lot of problems...

Software security and Vulnerability Pimps

ryanlrussell: Vulnerability Pimps
Some very interesting commentary which follows on from a posting on Marcus Ranum's site here, which is in itself very interesting.
All good stuff if you're interested in software security, but the piece that caught my eye is right at the end of the comments section:

I'm hearing from the vulnerability pimps that, yes, code security is improving. They are reporting that it's much harder to find a remote hole in the current operating systems.

So security on operating systems is getting better... not really a surprise given the battering they've had and the level of resource that people like Microsoft are putting into it.
But... reckon that the hackers will go home now? Of course not, they'll move on, and I reckon that the place they'll go is all those other software applications that people install on their systems that come from vendors who maybe haven't woken up to the necessity of secure coding.
Sure, it'll be harder for hackers to get coverage on as many systems 'cause there aren't all that many software monopolies out there, but I'm sure that's where they'll go.
So it's a good time to be asking the suppliers of all your applications what they do about software security. Do they do security code audits? What tools do they use for those audits? Have all their developers had secure development training?

Perils of persistent Logins...

Interesting post from Nitesh Dhanjani here pointing out a problem with Gmail contact lists being available to malicious website owners.
Now this only works if you're logged into Gmail, but if you've used it recently and not explicitly logged out... then it'll keep you logged in...
Now Google should obviously fix this problem, but I think that there is a wider point here. Don't leave yourself logged in to websites, and be very wary about what you let your browser manage for you security-wise, as it's not very security wise (oh I crack myself up ;o)
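As an added illustration (not code from the original post, from Google or from Nitesh's write-up), here is a toy model of why a persistent login is the dangerous ingredient: the browser attaches the session cookie to requests no matter which page started them, so an endpoint that authorises on the cookie alone hands the contact list to any page the victim loads. The hardened handler also checks the request's origin and a per-session token. The site name, session id and addresses are constructed, and the model assumes a browser that sends an Origin header.

```python
import secrets

SITE_ORIGIN = "https://mail.example.test"   # constructed site name

# Server state: session id -> (user, per-session token). Alice is still logged in.
SESSIONS = {"sid-abc123": ("alice", secrets.token_hex(16))}
CONTACTS = {"alice": ["bob@example.test", "carol@example.test"]}


def contacts_cookie_only(headers):
    """Vulnerable: any request carrying a valid session cookie gets the data,
    including one a third-party page caused the browser to send."""
    user = SESSIONS.get(headers.get("Cookie", ""), (None, None))[0]
    if user is None:
        return 401, None
    return 200, CONTACTS[user]


def contacts_hardened(headers):
    """Hardened: valid cookie AND same-origin request AND per-session token."""
    user, token = SESSIONS.get(headers.get("Cookie", ""), (None, None))
    if user is None:
        return 401, None
    # A request started from another site's page carries that site's Origin.
    if headers.get("Origin") != SITE_ORIGIN:
        return 403, None
    # The token is only ever delivered to the site's own pages, so a
    # cross-site page cannot supply it; compare in constant time.
    if not secrets.compare_digest(headers.get("X-CSRF-Token", ""), token):
        return 403, None
    return 200, CONTACTS[user]


def logout(session_cookie):
    """Explicit logout invalidates the session, so the cookie is now worthless
    to anyone who can make the browser replay it."""
    SESSIONS.pop(session_cookie, None)


def browser_request(page_origin, session_cookie, with_token):
    """Model the browser: the cookie goes out regardless of which page issued
    the request; the token only if the page could read it (same origin)."""
    headers = {"Cookie": session_cookie, "Origin": page_origin}
    if with_token and page_origin == SITE_ORIGIN:
        headers["X-CSRF-Token"] = SESSIONS[session_cookie][1]
    return headers
```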

New Free Database scanner... a Windows only Java program!

There's a new freeware database security scanner available called Scuba from Imperva.
The front page looks quite interesting so I'll be sure to have a look at it. However not today, as I'm not in front of a Windows machine.
And here's the really weird bit. When I heard about it I noted that it's a Java program..... "great" I thought, it'll run nicely on Linux (which I use almost exclusively at home, apart from the odd game) but.. it's a Java program that requires Windows!!
What the heck is the point of that!
"No problem" I thought, "I'll just download the archive and there'll be a JAR file there that I can run manually"....
No.
When you download the program it extracts one .exe file!
Why bother programming something in Java if you're going to tie it to Windows!!