Reducing Attack Surface

There's a link to a very interesting article over at Michael Howard's blog commenting that the Security issue of MSDN is out today.
The article linked from the posting is very interesting as well in that it talks about reducing attack surface.
On the whole, I'm really happy that this is getting focus from a company like Microsoft, because if anyone can make developers sit up and listen it's Microsoft (commercial ones 'cause they're all involved with Microsoft somehow, and Open Source ones 'cause if nothing else they'll be out to try and prove that they do it better than Microsoft ;op)
However, that said, I think that there's something missing from Microsoft's definitions of how to reduce attack surface. In the article they mention three ways of helping to reduce attack surface:
* Reduce the amount of code executing by default
* Reduce the volume of code that is accessible to untrusted users by default
* Limit the damage if the code is exploited
However, I think there should be a fourth; although it primarily relates to operating systems, it could also apply to other software.
* Reduce the amount of code installed.
This is important, especially on operating systems: the more code that is installed, the higher the likelihood that some of it will have security vulnerabilities (especially if you follow the oft-quoted truism that there will be one security-related problem in every 1000 lines of code).
I think this is important at the moment as you see both Microsoft and the Linux distribution vendors shipping more and more code with their operating systems and the default install sizes going up and up. If nothing else that just causes a nasty patch management problem, as the more code you have deployed the more you have to patch.
I could follow on to a rant about the relative ease of removing unneeded software from servers (cough cough web browser cough cough), but I think I'll leave that for another day...

And now I'm back....

Well, it's taken far longer than it should have to get this up and running again, but I've had some issues getting everything set up at the new house (and indeed this is still running through a bit of a hack, using Dynamic DNS, some redirection and some port forwarding...),
but 'twas getting annoying not having this here, so I thought it better to get it up and running in this way rather than wait for the complete solution. As a result the domain name's not the same as it was, so it'll be a little while before it's all working properly...

Interruptions to blogging.....

The blog's been a bit erratic over the last couple of weeks as I've been out of town and we've had the odd power problem (good excuse for buying a UPS!!).
Anyway, I'm moving house this week, so unless I get a chance to move the DNS temporarily and put the blog on a hosted site somewhere I'll be out for a couple more weeks while I get access set up at the new house...

Interesting article on Packet crafting

SecurityFocus HOME Infocus: Packet Crafting for Firewall & IDS Audits (Pa
An interesting first part in a series of articles looking at packet crafting...

A real good example why relying on users is a bad idea

There's a report on an interesting survey over here, stating that 85% of users asked would open an attachment from a friend or colleague! No wonder spam and virii are still doing well...

Interesting Post on MS & Least privilege

Dana Epp's ramblings at the Sanctuary : Microsoft, You're not setting a very good example. I am disappointed.
An interesting post on Dana Epp's blog talking about running with least privilege (or in this example not) in Windows (also you can read the odd comments from someone I can only assume was trolling?!).
It's real nice to see that the Windows world is moving more towards the UNIX paradigm of not running as root unless you have to. I hope this will have a positive effect for end users too... Less of the frustration when being told that you have to be an administrator to install a media player!!! (Apple QuickTime in this example) would be nice...

Another anti-phishing initiative

There's an article about a MasterCard program which combats phishing. I've got to say that I'm not that impressed by this kind of approach to combating phishing.
If what's in the article is accurate it basically amounts to looking through content from the entire Internet for potential phishing scams and then shutting them down when they're found... This approach just strikes me as far too reactionary and prone to missing things. I would expect that currently a phishing scam will make most of its money in the first 24 hours of its operation, and I'll be a little surprised if MasterCard's approach will be effective in shutting down these scams in that time frame.
There are other ways to combat this kind of attack (I linked to one before). Another option would be 2-stage authentication by the service provider, where the user enters initial credentials, then the site responds with a secret (be it a phrase, word or fact about the user's account) and asks for a secondary authentication. In this model the phisher will be able to get the initial credentials but will have a significantly lower rate at getting the secondary ones (of course some social engineering would still get some credentials out of people, I'm sure).
Personally I think that this kind of system, or more probably some form of 2-factor authentication, will be the best way to combat these attacks. If running around stomping on sites as they popped up worked well, I'm sure we'd have considerably less SPAM and virii doing the rounds...
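The 2-stage exchange described above, simulated in one process as an added example (not code from the post or from any real service). The user record, the recognition phrase and the stage-2 answer are constructed, and the password hashing is a toy stand-in for a proper KDF.

```python
import hashlib, hmac, secrets

def _h(password):
    return hashlib.sha256(password.encode()).hexdigest()   # toy hash: no salt, no KDF

# Constructed user record: password, the phrase the genuine site shows back after
# stage 1 (memorised by the user at enrolment), and the secondary credential.
USERS = {"alice": {"pw_hash": _h("correct horse"),
                   "site_secret": "blue heron over the lake",
                   "stage2_answer": "first car: a rusty mini"}}

class Server:
    """The service provider's side of the two-stage login."""
    def __init__(self, users):
        self.users, self.pending = users, {}     # pending: one-time token -> user

    def stage1(self, user, password):
        """Check the initial credentials; on success hand back a session token
        and the user's recognition secret so the user can verify the site."""
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["pw_hash"], _h(password)):
            return None
        token = secrets.token_hex(8)
        self.pending[token] = user
        return token, rec["site_secret"]

    def stage2(self, token, answer):
        """Consume the token and check the secondary credential."""
        user = self.pending.pop(token, None)
        return user is not None and hmac.compare_digest(
            self.users[user]["stage2_answer"], answer)

class SiteWithoutTheSecret:
    """A site that never enrolled the user cannot know site_secret; after
    stage 1 the best it can do is show a generic phrase."""
    def stage1(self, user, password):
        return "tok", "Welcome back!"
    def stage2(self, token, answer):
        return True

def client_login(site, user, password, expected_secret, answer):
    """The user's procedure: only hand over the secondary credential to a
    site that first proves it knows the recognition secret."""
    got = site.stage1(user, password)
    if got is None:
        return "stage1 rejected"
    token, shown = got
    if shown != expected_secret:
        return "abort: site does not know my secret"
    return "ok" if site.stage2(token, answer) else "stage2 rejected"
```

The protection rests entirely on the user actually comparing the phrase before answering stage 2, which is the social-engineering gap the post mentions.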

Outsourcing mail security, hmmm...

In an article over at Yahoo we're told Mail Security Service Model Marches On. It's interesting, as there definitely is an interesting proposition in outsourcing things like management of e-mail security. However, I must say I'd not be too comfortable outsourcing something as critical as e-mail without some very good assurances and SLAs surrounding it.
For example, I'd hate to be the e-mail admin who has to troubleshoot their mail delivery when I didn't control the whole path for the mail out to the recipient, especially if there's a possibility of false positives, as there is with many e-mail spam/virus management packages...

Security managers in court?!

Now I'll start this post with the obligatory IANAL, but there's a story over at Security Pipeline which seems to be saying that Security Managers Could Face Court Penalties for poor security, or for making lists of top measures that companies should follow and then not implementing them all...
I've got to say that the examples sound a bit over-dramatised to me, but it's an interesting theory from the point of view of convincing management of the importance of being seen to be proactive in the field of InfoSec...

Slashdot story on Cool DNS tricks...

Slashdot | Dan Kaminsky Suggests Having Fun with DNS
There's a story over at Slashdot covering a presentation from Dan Kaminsky (of Paketto Keiretsu fame) covering some... very interesting ideas about using DNS as a communications channel for arbitrary data (in a similar fashion to things like httptunnel).
Cool stuff this, 'cause it drives home the point that it is wrong to think of a network service as just a means of transferring a specific type of data; many can transfer any type of data you like, it's just usually used for a given type of data. Which does make the point that traditional security measures like firewalls become a lot less effective as soon as you allow even one protocol across them...
One other thing that occurred to me when reading the slides about transmitting ISO images using TXT records is I wonder what would happen if you caused a caching DNS server to run out of disk space by requesting lots of these records...
I would hope that it would just start purging the records in oldest-first order, but I suppose it might DoS some servers...
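From the defender's side, the signal left by data carried in DNS names is hard to hide from a resolver's query log. As an added example (not from the post or from Paketto Keiretsu), this scores each registered domain on the traits such a channel produces and flags the outliers; the log lines, the log format and the thresholds are all constructed and illustrative.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver query-log lines (not real traffic), "client qname qtype".
# example.org shows the pattern a data-over-DNS channel leaves behind: long,
# random-looking labels in TXT queries that never repeat; example.com is normal.
SAMPLE_LOG = """\
10.0.0.5 www.example.com. A
10.0.0.5 mail.example.com. MX
10.0.0.5 example.com. TXT
10.0.0.7 k7f3qz9x2mw8vplt4c0rjb6yhs1nda5e.t.example.org. TXT
10.0.0.7 e5adn1shy6bjr0c4tlpv8wm2x9zq3f7k.t.example.org. TXT
10.0.0.7 3f7kq9zx2e5adn1shy6bjr0c4tlpv8wm.t.example.org. TXT
10.0.0.7 wm3f7kq9zx2e5adn1shy6bjr0c4tlpv8.t.example.org. TXT
"""

def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string)."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values()) if s else 0.0

def split_qname(qname):
    """(registered domain, subdomain); assumes a two-label registered domain
    (real tooling would consult the public suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def domain_stats(log_text):
    """Per registered domain: query/TXT counts, distinct subdomains, mean
    subdomain length and mean character entropy of the subdomain."""
    acc = defaultdict(lambda: {"queries": 0, "txt": 0, "subs": set(), "len": 0, "ent": 0.0})
    for line in filter(None, log_text.splitlines()):
        _client, qname, qtype = line.split()
        domain, sub = split_qname(qname)
        d = acc[domain]
        d["queries"] += 1
        d["txt"] += qtype == "TXT"
        d["subs"].add(sub)
        d["len"] += len(sub)
        d["ent"] += shannon_entropy(sub.replace(".", ""))
    return {dom: {"queries": d["queries"], "txt": d["txt"], "unique_subs": len(d["subs"]),
                  "mean_sub_len": d["len"] / d["queries"], "mean_entropy": d["ent"] / d["queries"]}
            for dom, d in acc.items()}

def flag_tunnel_candidates(log_text, min_queries=4, txt_ratio=0.5, min_len=20, min_entropy=3.0):
    """Domains whose queries look like data carried in names: mostly TXT, long,
    high-entropy subdomains that rarely repeat. Thresholds are illustrative."""
    flagged = []
    for dom, s in domain_stats(log_text).items():
        if (s["queries"] >= min_queries and s["txt"] / s["queries"] >= txt_ratio
                and s["mean_sub_len"] >= min_len and s["mean_entropy"] >= min_entropy
                and s["unique_subs"] / s["queries"] > 0.8):
            flagged.append(dom)
    return sorted(flagged)
```

The same counters answer the cache question in the post: a domain whose every query is a fresh, never-repeated name is exactly the one whose records a caching resolver will keep accumulating.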