New IE 0-day

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System
Another new 0-day for Internet Explorer. This has the potential to be quite nasty, as there's proof-of-concept code in the wild and no patch available as yet.

Cool List of Fuzzers for Application testing work

Ethical Hacking and Computer Forensics: Fuzzers - The ultimate list
Link to a cool list of fuzzers, which could be very useful for doing application security reviews.

TaoSecurity's take on the latest Jericho moves

TaoSecurity
Some interesting comments on BP's new deperimeterisation moves (more information here).
I'd agree with the sentiments expressed in TaoSecurity. I agree with the Jericho Forum's position that every device should be able to stand on its own from a security perspective; however, the idea of deliberately weakening the security afforded to laptops by connecting them directly to the Internet when they're on the corporate LAN seems like a very bad plan, as it needlessly reduces the number of layers of protection afforded to them.
Also, it renders the security of the laptops very brittle: if, for example, there is a problem with a change deployed to these devices which leaves them vulnerable to an attack, they won't have the safety net of being behind a corporate firewall to give the IT team time to fix the problem before it has an impact...
I've also been thinking about how this is going to work in practice. If the laptops are on the Internet, surely they'll still need to connect to corporate IT assets, so they'll need a VPN tunnel into the company. Surely BP will also still want to take advantage of centralised web site monitoring, email anti-virus, etc. So all the traffic from these laptops sitting in corporate offices will go through a VPN tunnel back into the corporate LAN and then potentially back out onto the Internet... Surely that's not a great plan from a cost perspective.

List of cool sites related to Google Maps

Google Maps Mania: More Google Maps Creation Tools and Resources
It's amazing what people are doing with Google Maps these days.
Also, this is, to me, a good demonstration of what Google are best at: an innovative service with a good programmable interface leads to a huge number of people getting involved...
Of course, the question remains, as with a lot of Google's newer services: how will they make money off it?

noooooooo.

Schneier on Security: Impressive Phishing Attack
Wow, phishers with genuine SSL certs, issued by Certificate Authorities that are installed, by default, in every browser on the planet...
Just goes to show: when there's money involved, the criminals will evolve and get real smart, real quick...
As to the SSL cert providers' assertions that they rigorously check SSL cert applications... well, yeah.

Good example of one of those counter intuitive security things

Insights into Information Security: IPSEC everywhere? Bad idea
Excellent post pointing out why encryption can be a bad thing. It sounds counter-intuitive at first, in that security people will spend a lot of time telling you to use things like SSH instead of telnet and SFTP instead of FTP because they use encryption...
but too much encryption can be a bad thing. It can blind devices like intrusion detection systems and actually help an attacker if that attacker has already broken into an endpoint system, and in the majority of attack scenarios that will be the case...
so the net effect of encrypting everything is actually a decrease in security...
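To make the "encryption blinds the IDS" point concrete, here is an added illustration (not code from the linked post or from its author). A toy signature detector runs over a constructed packet twice: once in the clear, once inside a stand-in for an ESP tunnel. The "tunnel" is a SHA-256-derived keystream XORed over the payload, an illustration only, not a real IPsec implementation; the packet, the signatures, the key and the "suspicious port" rule are all constructed for the example. It shows that payload signatures stop firing once the traffic is encrypted, while flow metadata (addresses, ports) is still visible to the sensor, and that only a gateway holding the key can inspect the payload again.

```python
"""Added example: what a network sensor sees before and after 'IPsec everywhere'."""
import hashlib
from dataclasses import dataclass

# Constructed content signatures, in the spirit of an IDS "content:" match.
SIGNATURES = {
    "web-attack: directory traversal": b"../../",
    "web-attack: sql injection probe": b"' OR 1=1",
    "exfil: unix password file": b"root:x:0:0:",
}

# Constructed flow rule: no workstation should talk to this port at all.
SUSPICIOUS_PORTS = {4444}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy stand-in; not a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def tunnel(key: bytes, pkt: Packet) -> Packet:
    """Stand-in for ESP: the payload is encrypted, the 5-tuple is left visible.

    Real ESP in tunnel mode would also hide the inner addresses and ports;
    they are kept here so the flow rule can still be evaluated on the result.
    """
    ks = keystream(key, len(pkt.payload))
    return Packet(pkt.src, pkt.dst, pkt.dport,
                  bytes(p ^ k for p, k in zip(pkt.payload, ks)))


def untunnel(key: bytes, pkt: Packet) -> Packet:
    """XOR is symmetric: only a party holding the key gets the payload back."""
    return tunnel(key, pkt)


def payload_alerts(pkt: Packet) -> list:
    """What a signature-matching sensor on the wire would see."""
    return [name for name, pattern in SIGNATURES.items() if pattern in pkt.payload]


def flow_alerts(pkt: Packet) -> list:
    """What a flow/metadata sensor would see, independent of encryption."""
    if pkt.dport in SUSPICIOUS_PORTS:
        return [f"flow: connection to port {pkt.dport}"]
    return []


def compare_views(pkt: Packet, key: bytes) -> dict:
    """Same traffic, seen in the clear, inside the tunnel, and at a key-holding gateway."""
    enc = tunnel(key, pkt)
    return {
        "clear_payload_alerts": payload_alerts(pkt),
        "tunnel_payload_alerts": payload_alerts(enc),
        "clear_flow_alerts": flow_alerts(pkt),
        "tunnel_flow_alerts": flow_alerts(enc),
        "gateway_with_key_alerts": payload_alerts(untunnel(key, enc)),
    }


# Constructed sample: a compromised workstation pushing /etc/passwd out to port 4444.
SAMPLE = Packet("10.0.0.23", "203.0.113.9", 4444,
                b"POST /up HTTP/1.0\r\n\r\nroot:x:0:0:root:/root:/bin/sh\n")
KEY = b"constructed-demo-key"  # constructed; a real SA key would be negotiated by IKE

if __name__ == "__main__":
    for view, alerts in compare_views(SAMPLE, KEY).items():
        print(f"{view:26s} {alerts}")
```

The flow rule still fires on the tunnelled packet, which is the practical caveat to the post: end-to-end encryption removes payload inspection, not metadata-based detection, so the sensors that survive are the ones that work on who-talks-to-whom rather than on content, unless the IDS sits where the traffic is decrypted.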

Handy list of online tools

Sunbelt BLOG: Tracking down spammers
An interesting-looking list of online tools for tracking down spammers.

NMAP 4's out!

Nmap 4.00 with Fyodor
Well NMAP 4's out and from the link it looks like there are a fair number of cool new features and enhancements to it...
One to try out over the next couple of days.

Some good points on Client Security

Security Fix - Brian Krebs on Computer and Internet Security - (washingtonpost.com)
An interesting posting on a somewhat neglected area of risk to client machines.
The point that potentially exploitable third-party ActiveX controls will be installed on many, if not all, client PCs is a good one.
I've seen companies that more or less successfully patch browsers and audit client software, but I'm not aware of any that track ActiveX component versions...
Sounds like a good reason to lock down ActiveX installations on corporate clients.
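As an added example of what "tracking ActiveX component versions" could look like in practice (my own script, not something from the Security Fix post), here is a PowerShell inventory that walks HKCR\CLSID, keeps only the in-process servers that declare themselves safe for scripting or safe for initialising (the two component categories IE honours for scriptable controls), records each DLL's file version, and reports whether the control already has the IE kill bit (bit 0x400 of `Compatibility Flags` under `ActiveX Compatibility`) set. The CSV path and the placeholder CLSID in the commented-out kill-bit lines are assumptions for the example; the category GUIDs and the kill-bit key are the documented ones. Run it elevated.

```powershell
# Added example: inventory scriptable ActiveX controls and their kill-bit state.
# Constructed for this post; the CSV path and placeholder CLSID are assumptions.
$catSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$catSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing
$killBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

$inventory = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
  ForEach-Object {
    $clsid   = $_.PSChildName
    $catPath = "$($_.PSPath)\Implemented Categories"

    # Only controls IE is willing to script or initialise from a page are of interest here.
    $scriptable = (Test-Path "$catPath\$catSafeForScripting") -or
                  (Test-Path "$catPath\$catSafeForInitializing")
    if (-not $scriptable) { return }

    $inproc = Get-ItemProperty "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
    if (-not $inproc -or -not $inproc.'(default)') { return }

    # Server path may be quoted and may use %SystemRoot%-style variables.
    $dll = [Environment]::ExpandEnvironmentVariables(($inproc.'(default)' -replace '"', ''))
    $version = if (Test-Path -LiteralPath $dll) {
        (Get-Item -LiteralPath $dll).VersionInfo.FileVersion
    } else { 'file missing' }

    # Kill bit: Compatibility Flags DWORD with 0x400 set under the control's CLSID.
    $compat  = Get-ItemProperty "$killBitRoot\$clsid" -ErrorAction SilentlyContinue
    $killBit = [bool]($compat -and (($compat.'Compatibility Flags' -band 0x400) -ne 0))

    [PSCustomObject]@{
      CLSID   = $clsid
      Name    = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).'(default)'
      Dll     = $dll
      Version = $version
      KillBit = $killBit
    }
  }

# Keep a copy per run; diffing two runs is the "track versions" part.
$inventory | Sort-Object Name | Export-Csv -NoTypeInformation -Path "$env:TEMP\activex-inventory.csv"

# What a page in IE could still instantiate on this machine:
$inventory | Where-Object { -not $_.KillBit } | Format-Table Name, Version, Dll -AutoSize

# Locking one control down is a matter of setting its kill bit. Placeholder CLSID;
# replace it with a real one from the inventory before uncommenting.
# $target = "$killBitRoot\{00000000-0000-0000-0000-000000000000}"
# New-Item -Path $target -Force | Out-Null
# Set-ItemProperty -Path $target -Name 'Compatibility Flags' -Value 0x400 -Type DWord
```

Two caveats for using this in anger: the inventory only covers controls that register the safe-for-scripting categories, so a control that implements IObjectSafety in code rather than via the registry will be missed, and the kill bit is per-CLSID, so a vendor that ships a fixed control under a new CLSID leaves the old, vulnerable one instantiable until it is kill-bitted too.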

Overview of security updates in .NET 2.0

Security Briefs: Security Enhancements in the .NET Framework 2.0 -- MSDN Magazine, Visual Studio 2005 Guided Tour
Interesting-looking developer-level view of some of the new security-related features in .NET 2.