Free security-related e-learning from Microsoft

Security Clinics & Labs
Cool security info from Microsoft.

Link to an interesting article on Layer 2 WLAN security.

Martin McKeay's Network Security Blog: Still trying to absorb this one
A pointer to an interesting article to read...

Security disclosure threatened by lawsuits

Legal threat stops flaw info release - Computerworld
Well, this isn't a good thing for security research in my opinion. Whilst I don't always think that security companies getting press by releasing exploits is a good thing, it is one of the main ways that software companies seem to be put under pressure to improve the security of their software.
Ideally companies would always be proactive about improving the security of their systems, but in the real world other things tend to take precedence, unless it's made a priority for them by outside parties, either security researchers pointing out flaws, or "black hats" exploiting their software.
Arguably, if Microsoft hadn't developed such a bad reputation for security a couple of years ago, we wouldn't have seen all the excellent initiatives they're producing now.

Windows vs. Red Hat (Linux) security... again

Robert Hensing's Secure Windows Initiative Blog : Windows Server 2003 spanks Red Hat's monkey?
Some interesting comments about the study comparing Red Hat and Windows Server 2003 over at Robert Hensing's blog.
As people will know if they've been following Slashdot, it turns out that this study was sponsored by Microsoft. More information and a link to the report source here.
At first glance I like the principles behind the methodology used, i.e. test a specific server role rather than a generic install. I'll hopefully get a chance to read it in more detail, but a couple of things do niggle at me from my first read through.
When they go through the nmap results for the "minimal" Linux install, it appears to have ports open that weren't there on the full install (631/tcp for CUPS)! I find that a bit hard to believe, and even if there is a flaw in the install process, any competent admin will shut down and remove CUPS as soon as they realise it's running.
Also, any competent admin will shut down other services like the RPC ports mentioned (111/tcp and 32768/tcp) and remove the software using them.
Not being too up on my MS stuff at the moment, I can't comment on whether simple hardening steps would improve its performance (as far as I can recall, shutting down ports like 445 is nigh-on impossible outside of firewalling the host).
All in all it's an interesting study, and it definitely shows that the more modern Microsoft products have a much better stance in relation to security.
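The two checks above (did the "minimal" install open ports the full install didn't, and what is listening outside the role's baseline) are easy to automate from nmap's grepable output. The script below is an added example, not code from the study or from the original post; the scan output it parses is constructed for the example (using the ports the post mentions), and the web-role baseline and the service-to-daemon hints are assumptions you would replace with your own.

```python
"""Compare nmap grepable (-oG) scans against a server-role baseline.

Added example, not from the study or the blog post. It does two things the
post argues a competent admin would do by hand: diff the ports a "minimal"
install exposes against the "full" install, and list everything outside the
port baseline for the role, with a hint about which service owns it.
All sample scan output below is constructed for this example; the ports
(22, 80, 111, 443, 631, 32768) are the ones the post mentions.
"""
import re

# Ports a minimal web-server role is allowed to listen on (assumption for this example)
ROLE_BASELINE = {"web": {"22/tcp", "80/tcp", "443/tcp"}}

# Which daemon owns a service name nmap reports, and what to do about it
SERVICE_HINTS = {
    "ipp": "cups: stop cupsd and remove the cups package",
    "rpcbind": "portmap: stop portmap and remove it unless NFS/NIS is in use",
}
DEFAULT_HINT = "identify the owning process (netstat -tlnp / lsof -i), then stop and remove it"

# Constructed -oG output for a hypothetical "full" install of the same host
FULL_INSTALL_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "111/open/tcp//rpcbind///, 443/open/tcp//https///, 32768/open/tcp/////\t"
    "Ignored State: closed (65531)\n"
)
# Constructed -oG output for the "minimal" install, which unexpectedly adds 631/tcp
MINIMAL_INSTALL_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "111/open/tcp//rpcbind///, 443/open/tcp//https///, 631/open/tcp//ipp///, "
    "32768/open/tcp/////\tIgnored State: closed (65530)\n"
)

# -oG port entry layout: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([a-z|]+)/(tcp|udp)/[^/,]*/([^/,]*)/")


def parse_open_ports(og_text):
    """Return {host: {"port/proto": service}} for every port nmap reports open."""
    hosts = {}
    for line in og_text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), "")
        open_ports = {}
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open":
                open_ports[f"{port}/{proto}"] = service
        hosts[host] = open_ports
    return hosts


def port_number(port_proto):
    """Sort key: numeric port from a "port/proto" string."""
    return int(port_proto.split("/")[0])


def ports_added(before, after):
    """Ports open in `after` that were not open in `before`, per host."""
    return {
        host: sorted(set(after[host]) - set(before.get(host, {})), key=port_number)
        for host in after
    }


def outside_baseline(open_ports, baseline):
    """[(port/proto, service, remediation hint)] for ports the role should not expose."""
    return [
        (p, svc, SERVICE_HINTS.get(svc, DEFAULT_HINT))
        for p, svc in sorted(open_ports.items(), key=lambda kv: port_number(kv[0]))
        if p not in baseline
    ]


if __name__ == "__main__":
    full = parse_open_ports(FULL_INSTALL_SCAN)
    minimal = parse_open_ports(MINIMAL_INSTALL_SCAN)
    for host, new in ports_added(full, minimal).items():
        print(f"{host}: open on minimal but not on full install: {new}")
    for host, ports in minimal.items():
        for p, svc, hint in outside_baseline(ports, ROLE_BASELINE["web"]):
            print(f"{host}: {p} ({svc or 'unknown service'}) outside web baseline -> {hint}")
```

Run it as-is against the constructed scans, or replace the two strings with real `nmap -oG -` output taken before and after a build change; the port-by-port diff is what tells you whether a "minimal" install really opened something the full one didn't, and the baseline check is the list a role-based hardening pass should drive to empty.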
[rant] If only their marketing people would allow them to abandon their "you must install irrelevant components and then we'll make it really hard to remove them" stance, they'd be onto a real winner!
Why do Microsoft insist that you need an Internet browser on a server? For that matter, why do you have to install a GUI on a server? It's irrelevant in many cases. The server will be put in a rack in a datacentre and no one will physically log onto it again! [/rant]

Mailing lists

Sharp Ideas: List of Information Security Mailing Lists (more than just Bugtraq and Full-Disclosure)
Handy link to loads of security mailing lists.

Good information source on 17799

IS 17799 & BS 7799-2 White Papers (index)
Came across this page; it looks like a good source of information about 17799 and 7799-2.

Here's a service to avoid.

Scams, Frauds & Viruses
On this page there's a write-up of a service called MarketScore which tracks your movements on the Internet by becoming an Internet proxy for your browser, if you sign up for it. Now that's maybe something you wouldn't want, but there's more.
As part of the installation they install their own root certificate into your browser's trust store and then proxy all your SSL connections!
So this means that all your online banking passwords could be intercepted by this company, or, if their servers were successfully attacked, by the attacker. I would expect that this kind of company would prove a very tempting target for hackers (why compromise individual PCs when you can get all the traffic passing through a proxy?).
Apart from anything else, I would expect that using a service which intercepts the SSL connection to your bank or other provider may violate their terms of service (allowing someone else access to your sign-on credentials).
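A proxy that terminates SSL has to re-sign each site's certificate with its own root, so the issuer your browser sees is no longer the public CA that really issued the bank's certificate, even though the subject name still matches. The script below is an added example, not part of the original post and not code from MarketScore; it pins the issuer organisation you expect for each host and flags anything else. The host name, the expected-issuer table and the two sample certificate dicts are constructed for the example.

```python
"""Spot TLS connections whose certificate comes from a locally installed root.

Added example; not part of the original post and not MarketScore's code.
An intercepting proxy re-signs each site's certificate with its own root, so
the issuer seen by the client changes while the subject stays the same. We pin
the issuer organisation per host and report any mismatch. Host names, the
expected-issuer table and the sample certificates are constructed.
"""
import socket
import ssl

# Issuer organisations we expect for each host (assumption; record these from a clean machine)
EXPECTED_ISSUER_ORGS = {
    "www.example-bank.test": {"Example Public CA Ltd"},
}

# Constructed getpeercert()-style dicts: a genuine chain and a proxy-re-signed chain
GENUINE_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("organizationName", "Example Public CA Ltd"),), (("commonName", "Example Server CA"),)),
}
PROXIED_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),  # same subject, so the browser is happy
    "issuer": ((("organizationName", "Hypothetical Proxy Inc"),), (("commonName", "Proxy Root CA"),)),
}


def name_attr(name, attr):
    """Extract one attribute (e.g. organizationName) from a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def issuer_is_expected(host, cert):
    """True only if the issuer organisation is one we have pinned for this host."""
    org = name_attr(cert.get("issuer", ()), "organizationName")
    return org in EXPECTED_ISSUER_ORGS.get(host, set())


def explain(host, cert):
    """One-line verdict for a (host, certificate) pair."""
    subject = name_attr(cert.get("subject", ()), "commonName")
    issuer = name_attr(cert.get("issuer", ()), "organizationName")
    verdict = "OK" if issuer_is_expected(host, cert) else "UNEXPECTED ISSUER (interception?)"
    return f"{host}: subject={subject!r} issuer={issuer!r} -> {verdict}"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live check: return whatever certificate the path to `host` presents.

    Uses the OS trust store, so a root the proxy installed will still validate;
    the issuer comparison in issuer_is_expected() is what catches it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        target = sys.argv[1]
        print(explain(target, fetch_peer_cert(target)))
    else:
        print(explain("www.example-bank.test", GENUINE_CERT))
        print(explain("www.example-bank.test", PROXIED_CERT))
```

Without arguments it runs against the two constructed certificates; given a host name it fetches the live certificate and applies the same check. The live path deliberately uses the default trust store, which is exactly the store the proxy's installer modified, so a "valid" result from the TLS library alone proves nothing; only the issuer pin does.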

Bank Attack...

BBC NEWS | UK | London police foil huge bank raid
Whilst there's limited information available on this attack, what's being mentioned so far is that the attackers used keylogging software to gather passwords etc.
Now this comes onto a pet crusade of mine (I've mentioned it before here). Companies need to realise that access to all their critical information assets is through client devices, so it's pretty pointless to spend lots of money securing network perimeters and key servers and then leave the client devices which connect to them open to attack!
At the very least, devices used by people with elevated privileges (e.g. sysadmins) should get additional protection like host firewalls and IDS, and where possible should be in a physically secure location, as it's very difficult to secure a device once the attacker has physical access to it.

Online book on Secure Coding

HomePage
Handy link to a free online book on Windows security for .NET developers.

Spyware attacks on alternate browsers

Slashdot | IE Vulnerable to Cross-Browser Spyware Attack
Looks like as alternative browsers get more popular, we'll start seeing more attacks levelled at them, although there is some irony that this one uses Internet Explorer to actually effect the compromise.