Implementing software whitelists

Following on from Marcus Ranum's piece on the six dumbest ideas in computer security, which I talked about earlier, there's been some chat on the CISSPforum mentioning some companies whose software moves away from the idea of badness enumerators and towards whitelists of allowed software...
I've not had a good chance to review the products, but it sounds very interesting in concept at least.
These are the two I've seen mentioned, but I'd be interested to hear of any others....
http://bit9.com/products.html
http://www.sanasecurity.com/

Article on Microsoft's Secure Development Lifecycle

Microsoft: Software Security Trendsetter?
Interesting article on Microsoft's continued moves to improve the security of their new applications...
It's good stuff and I'm very happy to see the quantity of information about software security that Microsoft makes available for free on their website... Hopefully it will encourage Windows developers in general to take software security more seriously...
Now all Microsoft need to do is allow users not to have to install millions of lines of unnecessary code on servers (hint: think Media Player, Internet Explorer etc.) and re-write the older legacy code that still seems to cause problems, and they'll be sorted :o)

Cool article on HP JetDirect Hacking

Hacking Network Printers (Mostly HP JetDirects, but a little info on the Ricoh Savins)
Really interesting article on fun things to do with hacking HP JetDirect boxen...

Link to some more interesting thoughts from Marcus Ranum

Schneier on Security: Marcus Ranum's "The Six Dumbest Ideas in Computer Security"
Link from Bruce Schneier's blog to an article by Marcus Ranum. As always some interesting thoughts, this time about the dumbest ideas in security, some of which I agree with and some of which I'm not so sure about.
The 1st, default permit, I'd agree with. Default permit is all over IT. One example which I think is interesting but not mentioned is URL filtering. Every company I've seen runs a default permit and blacklist concept for web traffic filtering. Whilst I can see why that would work from a usability perspective, it's next to useless from a security standpoint. As soon as you allow access to unknown sites, you're allowing access to everything, as users can use one of the variety of tunnelling or proxying programs to get access to all the content you've blocked, as can any viruses or worms that might get installed..
Enumerating badness, yeah, I like it in principle, although I do think that Marcus is understating the level of complexity in enumerating the goodness. Sure, there may be only 20-30 programs you use in an interactive sense, but there are many more pieces of code executed that you're not aware of...
Penetrate and Patch. This is a well made point, in that code should be designed to be secure, as should systems. However I'm not convinced of the worthlessness of penetration testing. Once you've designed your secure system and implemented it, shouldn't someone test that it actually is secure?
Number four's a bit of a "yeah but no" point. Yeah, hacking isn't cool (in the criminal sense of hacking) but understanding how your current adversary operates is, to my mind, useful.....
Number Five... nah, ain't buying it. The implication of this point is that user education has done nothing for security, because there are still some users who don't behave securely... so should we not take any countermeasures unless they're going to be 100% successful!? User education has done a lot for security, it's just, like all other countermeasures, not perfect...
Number Six I'll go along with; the number of people who seem ready to jump on the latest security bandwagon, whilst still not doing the fundamentals of good security operations well, never ceases to amaze me...
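To make the default permit / enumerating badness point concrete, here is a small added illustration (my own example, not from Ranum's article, the post above, or any of the whitelisting products mentioned earlier). Both of the ideas are the same policy shape: a default action plus an enumerated set of exceptions. The host names, file contents and hashes are constructed sample values.

```python
"""Default permit (blocklist) versus default deny (allowlist) policies.

Added illustration; not from the original post. The hosts, file
contents and hashes below are constructed sample values."""
import hashlib
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Policy:
    """A policy is a default action plus an enumerated set of exceptions."""
    default: str                       # "permit" or "deny"
    exceptions: set = field(default_factory=set)

    def decide(self, item: str) -> str:
        if item in self.exceptions:
            return "deny" if self.default == "permit" else "permit"
        return self.default


# Web filtering as usually deployed: default permit, enumerate badness.
BLOCKLIST = Policy("permit", {"gambling.example", "malware.example"})
# The same control turned round: default deny, enumerate goodness.
ALLOWLIST = Policy("deny", {"intranet.example", "supplier.example"})


def host_of(url: str) -> str:
    """Canonicalise before the lookup, so scheme, case, port and a
    trailing dot cannot let a listed host slip past the policy."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def filter_url(policy: Policy, url: str) -> str:
    """Apply a web-filtering policy to a requested URL."""
    return policy.decide(host_of(url))


# Software whitelisting: identify programs by content hash, not by name,
# so renaming or repackaging a binary does not change the decision.
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


KNOWN_GOOD = b"#!/bin/sh\necho backup complete\n"   # constructed sample program
APPROVED_HASHES = {sha256_hex(KNOWN_GOOD)}


def may_execute(program_bytes: bytes) -> bool:
    """Default deny: only code whose hash is on the approved list runs."""
    return sha256_hex(program_bytes) in APPROVED_HASHES


if __name__ == "__main__":
    tunnel = "https://unknown-proxy.example/tunnel"
    print("blocklist:", filter_url(BLOCKLIST, tunnel))   # permit: unknown is allowed
    print("allowlist:", filter_url(ALLOWLIST, tunnel))   # deny: unknown is refused
    print("tampered copy runs?", may_execute(KNOWN_GOOD + b"# tampered\n"))
```

The unknown proxy host is exactly the case the post describes: the blocklist has never heard of it, so default permit lets it through, while the allowlist refuses it without anyone having to enumerate it first. The hash check is the same idea applied to software, and the cost Ranum is accused of understating is building and maintaining `APPROVED_HASHES` for everything that actually executes.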
All interesting stuff though and well worth a read...

IT Security "Kitemark" from the UK Gov.

CSIA - CSIA Claims Tested (CCT) mark
Site on the new CSIA IT Security accreditation for software products. What I thought was very handy was that online they've got a list of the claims that the product vendor is making for their product in relation to security *that they are actually willing to have tested*, which implies that they think those claims are justified. Might be useful if you suspected marketing hype from a vendor....
Also, in the sample report I read, the test lab included handy hints about the product's usage...

Link to a very interesting writeup on international hacking

Security Blog
As with all media stuff I wonder how much the story has been changed to read well, but interesting stuff all the same....

Anonymity on the 'net

I've been giving some thought as to whether it's possible to be completely anonymous when connected to the 'net. Whilst I can think of obscure cases where it might be possible to track this setup, I reckon using the following list it would be next to impossible to track the user.
* Laptop with wireless card
* Bootable Linux distro (preferably from something like a magazine cover disc purchased with cash). Use a different distro each time you boot.
* No persistent storage in the laptop at all (remove the hard disk)
* Change the MAC address of the wireless and wired network cards on boot. Use a different one each time you boot.
* Find free wireless access; for this use something like the backnet nodes..
* Use a decent gain antenna, so you can be further from the wireless AP.
* Connect to the TOR network and direct all traffic through it.
* Don't put ANY personal information into any site
Now some of the steps there, e.g. changing distro and using only magazine cover discs, are only for the extremely, extremely paranoid, but a basic version where you boot off the CD, change the MAC address, connect over wireless and use TOR would make it very difficult to tie Internet activity to any real-world person....

HTML validation in .NET 1.1

Inside the new ValidateRequest feature
Good posting on the XSS protection features in .NET v1.1 from a developer's perspective.
From the pentester's P.O.V. I reckon the most interesting bit is the comments on what fields are not run through this validation by default...

Cool list of Firefox plugins for pentesters

Firefox Extensions for Web App Testing | SecGuru
I've used some of the plugins here, mainly webdeveloper (way cool) and switchproxy (also handy). But some of them I'll have to try out on the next test....

Cool overview of XSS attacks

Commonly Asked Cross-Site Scripting Questions | SecGuru
There's a good guide to how cross-site scripting attacks occur and some of the ways to defend against them over at secguru.
One thing I'd add is that if you're working in a Microsoft world, using ASP.NET is a very good idea, as the default configuration seems to make XSS a lot harder to execute (can't remember the exact settings at the moment, just remembering my frustration last time I had to test an ASP.NET site...)
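The two points above (a request validator that only covers some inputs, and XSS defence in general) fit together, so here is an added example of my own to illustrate them. It is not Microsoft's ValidateRequest code and not from the secguru guide: the dangerous-pattern check is a deliberately simplified approximation of the idea of refusing requests that look like they carry markup, the request dictionary is a constructed sample, and the "other" input source is a hypothetical name standing in for any channel the validator is not configured to inspect.

```python
"""Request validation versus output encoding as XSS defences.

Added illustration; not from the original post and not Microsoft's
ValidateRequest implementation. The pattern check is a simplified
approximation of the idea; the request below is a constructed sample."""
import html
import re

# Simplified approximation of a request validator: refuse any value
# containing an opening tag or a numeric character reference.
_SUSPICIOUS = re.compile(r"<[a-zA-Z!/?]|&#")


def looks_dangerous(value: str) -> bool:
    return bool(_SUSPICIOUS.search(value))


def validate_request(request: dict, checked_sources=("form", "query")) -> list:
    """Return the (source, name) pairs that fail validation.

    Only the named sources are inspected, which is the point of the post:
    a validator protects just the inputs it is configured to look at,
    and anything arriving by another route reaches the page unchecked."""
    failures = []
    for source in checked_sources:
        for name, value in request.get(source, {}).items():
            if looks_dangerous(value):
                failures.append((source, name))
    return failures


def render_comment_unsafe(text: str) -> str:
    """Vulnerable: untrusted text pasted straight into the HTML body."""
    return f"<p class='comment'>{text}</p>"


def render_comment_safe(text: str) -> str:
    """Hardened: HTML-encode on output so the browser treats it as text,
    whether or not any input validation ran earlier."""
    return f"<p class='comment'>{html.escape(text, quote=True)}</p>"


# Constructed sample request. "other" is a hypothetical input source the
# validator is not configured to inspect.
SAMPLE_REQUEST = {
    "form": {"comment": "Nice post <b>thanks</b>"},
    "query": {"page": "2"},
    "other": {"nickname": "<script>alert('xss')</script>"},
}


if __name__ == "__main__":
    print("rejected by default validation:", validate_request(SAMPLE_REQUEST))
    nick = SAMPLE_REQUEST["other"]["nickname"]
    print("unsafe:", render_comment_unsafe(nick))
    print("safe:  ", render_comment_safe(nick))
```

With the default sources, only the form field is rejected (and note that the harmless `<b>` is caught too, the usual cost of a blocklist), while the script in the uninspected source sails through and lands in the page unless the output is encoded. That is why output encoding is the defence to rely on and request validation is a backstop.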