Comment Spamming and Typekey

Well I didn't really want to go down this route with this blog, as I don't like forced registrations on the web, but after a couple of comment spamming incidents, I've removed anonymous comments from the config of my blog and set it to only allow comments from registered people....

More details on the Bofra Incident

Bofra exploit hits our ad serving supplier | The Register
While I'm not sure if this is the "major UK site" referred to in the previous posting, there's some information about a compromise of one of The Register's advert suppliers in the story above.
It's really quite a cunning plan by whoever carried it out, as they've realised that you only need to compromise one set of servers (the advertising company's) in order to potentially infect many of their clients.
One thought that occurs to me from this is that you have to wonder whether sites should be taking steps to validate adverts and any other third-party content which is provided by frames on their site (heck, imagine if someone managed to compromise the servers which provide those advertising boxes supplied by search engine companies!).

Major website with infected links!

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis
Over at the ISC handlers' diary there's mention of a major (unnamed) UK website which has a pointer to a site hosting the Bofra/IFrame Internet Explorer exploit (for which there is currently no patch!).
Another really good reason not to use Internet Explorer on the web unless you really have to...

Very handy tip for Browsing from Windows

There's a link to an interesting article over at Michael Howard's blog.
He makes some very valid points about why running Windows machines as an administrator is a very bad idea(tm) unless absolutely required.
Also there's information on a useful technique to reduce your privileges when running specific applications, aimed at providing a safer web browsing experience.

A couple of interesting phishing stories

The first is the story "Phishing scam forces NatWest services offline" at vnunet.com. What I find somewhat odd about this is that they took the step of disabling some functionality on their site...
They must have had quite a few of these scams by now and I find it hard to believe that they're disabling parts of their websites every time they get hit, as that would seem a bit like a self-imposed Denial-Of-Service...
Another story about how some customers are dealing with phishing here. Basically the guy in this story is blanket deleting mails asking for personal info. Seems like a sound idea to me!
Personally I think that standard SMTP e-mail is just about dead as a Business to Consumer communication method. Between spam, phishing and malware there's no way consumers and home users are going to keep using this. Really, companies should not have been using what has always been a really insecure mechanism to communicate with their customers.
The thing is though, it's REALLY cheap compared with most other forms of communications (notably this is what the spammers depend on as well to make money) so they've been very reluctant to stop.
My expectation is that they will have to find some way to clearly and securely provide communications with their customers to bridge the gap left by E-Mail. Not that that's an easy problem to solve...

Everything you ever wanted to know about Oracle Security

Pete Finnigan - Oracle and Oracle security information
Loads of good information on Oracle Security here...

Review of Vulnerability Assessments Tools

There's a review of Network vulnerability assessment tools over at nwfusion.com
I thought it was interesting to see that there are several products in the review based on the nessus engine...
Also, one point that intrigued me when I read it was the companies that declined to take part. Maybe it's just me, but when I read that it tends to make me think "I wonder what was wrong with their product", i.e. if you think that your product is the best on the market, I would expect that you'd be very keen to see it reviewed and recognised as such.

Another of the NSA's security guides

NSA Posts Mac OS X 10.3.x security guide
There's a blog entry pointing to a new NSA security guide, this one for Mac OS X.
I'm definitely in favour of these guides, as it's nice to get a source of non-vendor security advice (I always feel that they're more likely to point out any potential product issues than the vendor themselves).

Interesting Article about loss of customer data

MercuryNews.com | 11/02/2004 | Stolen computers have Wells Fargo customer data
There's what I think is an interesting point in this article about the loss of customer data from Wells Fargo. The loss didn't occur from Wells Fargo systems; it occurred from those of a partner company.
What I find interesting, is that I wonder how many companies can honestly say that they ensure the security of data which they "own" (for want of a better term) no matter where it may reside.
Especially in these days of outsourcing. It's all very well for companies to spend a lot of money securing their data centres and other obvious places where data lies, but it's really quite pointless if that data (or the credentials used to access it) is not as secure when it's processed or stored outside of those data centres.

Handy guide on SSH pub/priv key usage

SecurityFocus HOME Infocus: SSH User Identities
A useful guide on setting up and using public/private key pairs for SSH authentication.
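As a companion to that guide, here is an added example (my own, not taken from the SecurityFocus article) covering the three steps end to end: generate a key pair on the client, install the public key on the server with the permissions sshd insists on, and then switch sshd_config to key-only logins. All paths are passed in as arguments and are assumptions; the server side assumes OpenSSH and root access.

```shell
#!/bin/sh
# Added example, not the SecurityFocus article's own steps. Assumed paths
# are passed in as arguments; run the sshd part as root on the server.
set -eu

# Client side: ed25519 key pair. ssh-keygen prompts for a passphrase,
# which keeps the private key useless on its own if the file leaks.
# $1 = private key path (the public key lands in "$1.pub")
gen_key() {
    ssh-keygen -t ed25519 -f "$1" -C "$(whoami)@$(hostname)"
}

# Server side: append a public key once and set the permissions that
# sshd's default StrictModes requires (700 directory, 600 file).
# $1 = public key file, $2 = authorized_keys path
install_pubkey() {
    dir=$(dirname "$2")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$2" && chmod 600 "$2"
    grep -qxF "$(cat "$1")" "$2" || cat "$1" >> "$2"
}

# Server side: once keys work, refuse passwords. sshd uses the FIRST
# value it sees for a directive, and anything after a Match line belongs
# to that block, so old settings are dropped and new ones go before Match.
# $1 = sshd_config path
harden_sshd_config() {
    tmp="$1.tmp"
    awk '
        function emit() {
            if (done) return
            print "PubkeyAuthentication yes"
            print "PasswordAuthentication no"
            print "ChallengeResponseAuthentication no"
            print "PermitRootLogin prohibit-password"
            done = 1
        }
        {
            d = tolower($1); c = (d ~ /^#/); sub(/^#+/, "", d)
            if (d ~ /^(passwordauthentication|pubkeyauthentication|challengeresponseauthentication|permitrootlogin)$/) next
            if (!c && d == "match") emit()
            print
        }
        END { emit() }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Effective value of a directive outside Match blocks (first hit wins).
sshd_setting() {
    awk -v k="$(printf %s "$2" | tr 'A-Z' 'a-z')" 'tolower($1) == k { print $2; exit }' "$1"
}
```

Test the new configuration from a second session before closing the one you are in; a typo here locks you out of password logins with nothing to fall back on.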