Article on the relationship between ITIL and InfoSec
SecurityFocus HOME Infocus: How ITIL Can Improve Information Security
Interesting article on ITIL and InfoSec.
Martin McKeay's Network Security Blog: KYE Trend Analysis
An interesting entry over at Martin McKeay's blog covering the Honeynet Project's findings on trends in the compromise of Internet-connected systems.
Looks like Linux systems are getting harder to compromise out of the box, while the time to compromise Windows systems goes down.
Hopefully the Windows figure will go up as more machines ship with SP2 (and its firewall) on by default, thus giving the user enough time to get the patches before they're compromised.
Interesting article at SecurityFocus on new tools which can crack WEP keys much more quickly than you'd expect from their key length...
Time to start using WPA!
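As an added illustration (not code from the article or the tools it describes), the snippet below shows one structural weakness that makes WEP's strength independent of its key length: every frame is encrypted with RC4 keyed by a 24-bit IV sent in the clear plus the shared key, so once an IV repeats the keystream repeats, and one known plaintext under that IV decrypts every other frame under it. The key, IV and frame contents are constructed for the demo; the CRC-32 integrity value WEP appends is omitted, and this is keystream reuse, not the statistical key-recovery attacks the new tools implement.

```python
"""Keystream reuse in WEP-style RC4 encryption (added illustration, constructed data)."""

IV_BITS = 24  # WEP sends a 24-bit IV in the clear with every frame


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm, then the PRGA for `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: 3-byte IV in the clear, then RC4(IV || key) XOR data.
    The CRC-32 ICV that real WEP appends is left out; it does not change the point."""
    assert len(iv) == IV_BITS // 8
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def recover_with_reused_iv(frame_a: bytes, known_plain_a: bytes, frame_b: bytes) -> bytes:
    """Attacker's view: no key, just two frames with the same IV and one known plaintext.
    Same IV + same key => same keystream, so ks = C_a XOR P_a and P_b = C_b XOR ks.
    Only as many bytes as the known plaintext covers can be recovered."""
    iv_len = IV_BITS // 8
    if frame_a[:iv_len] != frame_b[:iv_len]:
        raise ValueError("IVs differ; the two frames do not share a keystream")
    keystream = xor_bytes(frame_a[iv_len:], known_plain_a)
    return xor_bytes(frame_b[iv_len:], keystream)


def seconds_until_iv_repeat(frames_per_second: float) -> float:
    """Upper bound on how long an access point can run before an IV must repeat:
    there are only 2**24 IVs, whether the shared key is 40 or 104 bits long."""
    return (2 ** IV_BITS) / frames_per_second


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")   # constructed 40-bit WEP key
    iv = bytes.fromhex("aabbcc")        # the same IV, reused by a busy access point
    p_a = b"GET /index.html"            # constructed: a frame whose content is guessable
    p_b = b"password=hunter2"           # constructed: the frame we actually want to read
    c_a = wep_encrypt(key, iv, p_a)
    c_b = wep_encrypt(key, iv, p_b)
    print(recover_with_reused_iv(c_a, p_a, c_b))      # 15 of 16 bytes of p_b
    print(seconds_until_iv_repeat(500) / 3600, "hours at 500 frames/s")
```

The last line is the point of the exercise: at a few hundred frames a second the whole IV space is used up in hours, and in practice many cards reuse IVs far sooner than that, so frames with matching IVs are there for the taking by anyone sniffing the channel.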
Not really security related at all, but I thought I'd post about a really cool media player I've been using recently on Linux... Amarok has many cool features, but the ones I like best are:
- Catalogues all your songs, reading all the tags and sorting by artist
- Cover manager, which automatically grabs the covers for the CDs from Amazon
- Nice statistics down the left side with things like "other albums by this artist" and "most popular song"
- Looks really nice...
HNS - Sarbanes-Oxley: An Opportunity for Security Professionals
This is a quite interesting article presenting Sarbanes-Oxley as an opportunity for Information Security teams to prove their worth to businesses.
BBC NEWS | Business | 'Chip and pin' security warning
Interesting article over at the BBC where Ross Anderson (author of the excellent "Security Engineering") is questioning the security of the new (in the UK) Chip and PIN rollout.
He makes an interesting point, which is that if crooks can build fake readers they can set up shop and use them to gather credit card details...
Now I'd like to think that this shouldn't be possible (or at least not easy); I'd have expected something like mutual authentication between card and reader to mitigate this kind of attack. However, the quote in the story from the representative of the Chip and PIN companies doesn't make me feel too comfortable:
"We don't think they can use fake machines because the machines themselves are engineered to read the chip so they must be reading the chip very carefully. That makes the transaction itself extremely secure."
That rather implies to me that they're relying on the difficulty of building a reader to protect the card details. I really hope there's more to it than that, because we've been shown that that kind of protection doesn't last...
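To make concrete the kind of card/reader mutual authentication the post says it would expect, here is an added sketch of a hypothetical challenge-response protocol (not the Chip and PIN/EMV protocol, and not code from the BBC story or the vendors): card and terminal share a symmetric key, each proves possession of it over a fresh nonce, and the card hands over nothing until the terminal has proved itself. The key, account data and message layout are all constructed for the example. It shows that a reader built without the key fails, and so does one that recorded a genuine exchange and replays it.

```python
"""Hypothetical mutual challenge-response between a payment card and a terminal.
Added sketch with constructed data; not the EMV protocol."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def _mac(key: bytes, *parts: bytes) -> bytes:
    # Length-prefix each part so (a, bc) and (ab, c) cannot produce the same MAC input.
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


class Card:
    def __init__(self, key: bytes, account: bytes):
        self._key, self._account = key, account
        self._t_nonce: Optional[bytes] = None
        self._c_nonce: Optional[bytes] = None

    def challenge(self, terminal_nonce: bytes) -> Tuple[bytes, bytes]:
        """Step 1: prove we hold the key over the terminal's nonce, and issue our own."""
        self._t_nonce = terminal_nonce
        self._c_nonce = os.urandom(16)
        return self._c_nonce, _mac(self._key, b"card", terminal_nonce, self._c_nonce)

    def release(self, terminal_proof: bytes) -> Optional[bytes]:
        """Step 3: hand over account data only if the terminal proved it holds the key.
        The nonces are single-use, so a failed or replayed attempt cannot be retried."""
        if self._c_nonce is None or self._t_nonce is None:
            return None
        expected = _mac(self._key, b"terminal", self._c_nonce, self._t_nonce)
        ok = hmac.compare_digest(expected, terminal_proof)
        self._t_nonce = self._c_nonce = None
        return self._account if ok else None


def run_transaction(card: Card, terminal_key: Optional[bytes]) -> Tuple[Optional[bytes], Dict[str, bytes]]:
    """Drive one transaction from the terminal side. terminal_key=None models a fake
    reader that was never issued the key. Returns (account data or None, wire transcript)."""
    t_nonce = os.urandom(16)
    c_nonce, c_proof = card.challenge(t_nonce)
    if terminal_key is None:
        t_proof = os.urandom(32)  # a key-less reader can only guess the proof
    else:
        if not hmac.compare_digest(_mac(terminal_key, b"card", t_nonce, c_nonce), c_proof):
            return None, {}  # the card failed to prove itself; genuine terminal stops here
        t_proof = _mac(terminal_key, b"terminal", c_nonce, t_nonce)
    account = card.release(t_proof)
    transcript = {"t_nonce": t_nonce, "c_nonce": c_nonce, "c_proof": c_proof, "t_proof": t_proof}
    return account, transcript


def replay_transaction(card: Card, transcript: Dict[str, bytes]) -> Optional[bytes]:
    """A fake reader that sniffed a genuine exchange and replays the terminal's messages.
    The card draws a fresh nonce, so the recorded proof no longer verifies."""
    card.challenge(transcript["t_nonce"])
    return card.release(transcript["t_proof"])


if __name__ == "__main__":
    shared_key = os.urandom(32)                  # constructed: issued to card and genuine terminals
    card = Card(shared_key, b"PAN:constructed")
    account, transcript = run_transaction(card, shared_key)
    print("genuine terminal:", account)          # b'PAN:constructed'
    print("fake reader, no key:", run_transaction(card, None)[0])      # None
    print("fake reader, replay:", replay_transaction(card, transcript))  # None
```

The caveat a practitioner would add: this stops a reader that was never issued the key, which is the "build your own fake machine" case in the story. It does nothing about a crooked merchant operating a genuine, keyed terminal, who still sees whatever the customer types into it, so reader authentication is a necessary control rather than a sufficient one.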
Massive IE phishing exploit discovered - ZDNet UK News
Well if anyone needed another reason to avoid using Internet Explorer, I think that this vulnerability provides it.
If you have a look at the demonstration at Secunia you get a very scary (if you're responsible for the security of an e-commerce site) demonstration.
As far as I can remember, this is the first vulnerability I've seen where the SSL padlock is useless as an indicator of what site you're on; the closest phishers have got in the past was graphical imitations of the toolbar, which were far from flawless.
The reason this is scary is that if you look at the advice given by many banks and e-commerce sites, checking the SSL certificate via the padlock plays a major part in confirming you're on the right site, so if a customer is caught by this there's almost nothing they can do to tell they're on a fake site...
nasty....
Over at Schneier on Security, there's a refreshingly sensible piece on Google's desktop search.
As Bruce points out, all that information that people are getting so worried about being found by the tool is ALREADY THERE, so if there's a shared PC and you're worried about people seeing the data of other users... Don't give them the rights to see those areas!!
If you're worried that users in Internet cafés will expose corporate data by having it indexed when it's put on the Internet café PC, set your policy and technical controls so that your users don't put corporate data on untrusted machines!!
Sorry, but the flow of "Google desktop is evil" stories made me cranky...
Is Microsoft creating tomorrow's IE security holes today? | The Register
Quite an interesting piece, wondering whether Microsoft is creating problems for itself in the future with IE, with amongst other things, tight integration with the OS.
I do disagree with one or two points made though, especially "Rapid development cycles won the browser wars, and it wasn't the strong-arming or the marketing that motivated users to switch browsers, it was the features".
My memory of it was that IE wasn't that much more featureful than Netscape Navigator, and if you want to know my opinion of why Microsoft won that war it is the plain and simple fact of being bundled on the desktop when Navigator wasn't. Non-technical users do not go looking for alternative products, so long as the default one they're provided with does a reasonable job.
In fact it's telling that Firefox is gaining ground on IE, as that says to me that a percentage of Internet users no longer regard IE as doing a reasonable job.
Back to the story: I'd agree that tight OS integration is, to my mind, a problem for IE. I see no reason why an operating system has to have an Internet browser. Definitely for server operating systems it seems totally redundant (although in several use cases I'd add that a GUI on a server is a waste of resources).
From a security point of view, having components so tightly integrated into the OS that an administrator cannot easily remove (not merely disable) them just increases the amount of code that needs to be maintained and increases the likelihood that code on the server will have an exploitable security vulnerability....
Some more information on the Bofra Iframe attack
http://isc.sans.org/diary.php?date=2004-11-21
http://isc.sans.org/diary.php?date=2004-11-20
Some data on security vulnerabilities in IE
http://secunia.com/product/11/
A story regarding Microsoft working to patch the vulnerability
http://news.zdnet.co.uk/0,39020330,39175165,00.htm