Interesting article on Packet crafting
SecurityFocus HOME Infocus: Packet Crafting for Firewall & IDS Audits (Pa
An interesting 1st part in a series of articles looking at packet crafting....
There's a report on an interesting survey over here, stating that 85% of users asked would open an attachment from a friend or colleague! No wonder spam and viruses are still doing well...
Dana Epp's ramblings at the Sanctuary : Microsoft, You're not setting a very good example. I am disappointed.
An interesting post on Dana Epp's blog talking about running as least privilege (or in this example not) in Windows (also you can read the odd comments from someone I can only assume was trolling ?!)
It's really nice to see that the Windows world is moving more towards the UNIX paradigm of not running as root unless you have to. I hope this will have a positive effect for end users too... Less of the frustration of being told that you have to be an administrator to install a media player (Apple QuickTime in this example) would be nice...
There's an article about a MasterCard program which combats phishing. I've got to say that I'm not that impressed by this kind of approach to combating phishing.
If what's in the article is accurate it basically amounts to looking through content from the entire Internet for potential phishing scams and then shutting them down when they're found... This approach just strikes me as far too reactive and prone to missing things. I would expect that currently a phishing scam makes most of its money in the first 24 hours of its operation, and I'll be a little surprised if MasterCard's approach is effective in shutting down these scams in that time frame.
There are other ways to combat this kind of attack (I linked to one before). Another option would be 2-stage authentication by the service provider, where the user enters initial credentials, then the site responds with a secret (be it a phrase, word or fact about the user's account) and asks for a secondary authentication. In this model the phisher will be able to get the initial credentials but will have a significantly lower rate of getting the secondary ones (of course some social engineering would still get some credentials out of people, I'm sure).
Personally I think that this kind of system, or more probably, some form of 2-factor authentication will be the best way to combat these attacks. If running around stomping on sites as they popped up worked well, I'm sure we'd have considerably less SPAM and Virii doing the rounds......
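To make the 2-stage model above concrete, here is a small added example (not code from the article or from any vendor) of the server side of such a login: stage one checks the initial credentials and answers with a per-account secret that a cloned site cannot know, stage two asks for a second credential and allows only one attempt per token. The user name, salts, phrase and answers are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo of the two-stage login described in the post. Stage one
# checks the user's initial credentials and answers with a per-account secret
# (a phrase the genuine site knows and a cloned site does not); stage two
# asks for a second credential. User names, salts and answers are made up.
ITERATIONS = 100_000

def hash_secret(value: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so neither credential is stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, ITERATIONS)

SALT_ALICE = b"constructed-salt-alice"
USERS = {
    "alice": {
        "salt": SALT_ALICE,
        "password_hash": hash_secret("first-stage-pw", SALT_ALICE),
        "site_secret": "Your account phrase: blue heron",
        "answer_hash": hash_secret("second-stage-answer", SALT_ALICE),
    }
}

# token -> {"user": ..., "stage": 1 or 2}; stage 2 means fully logged in
SESSIONS: dict = {}

def stage_one(username: str, password: str):
    """Verify initial credentials. On success return a short-lived token and
    the account's site secret; on failure return None without hinting why."""
    user = USERS.get(username)
    if user is None:
        # still do a hash so unknown users take about as long as known ones
        hash_secret(password, b"dummy-salt")
        return None
    if not hmac.compare_digest(hash_secret(password, user["salt"]), user["password_hash"]):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = {"user": username, "stage": 1}
    return {"token": token, "site_secret": user["site_secret"]}

def stage_two(token: str, answer: str) -> bool:
    """Verify the secondary credential for a stage-one token. One attempt per
    token: a wrong answer invalidates it, so a harvested first-stage credential
    alone does not let anyone guess the second one at leisure."""
    sess = SESSIONS.get(token)
    if sess is None or sess["stage"] != 1:
        return False
    user = USERS[sess["user"]]
    if hmac.compare_digest(hash_secret(answer, user["salt"]), user["answer_hash"]):
        sess["stage"] = 2
        return True
    del SESSIONS[token]
    return False

def is_logged_in(token: str) -> bool:
    sess = SESSIONS.get(token)
    return sess is not None and sess["stage"] == 2

if __name__ == "__main__":
    first = stage_one("alice", "first-stage-pw")
    print("site shows:", first["site_secret"])
    print("stage two ok:", stage_two(first["token"], "second-stage-answer"))
```

The scheme only helps while the phishing site is a static copy: a site that relays the victim's first-stage credentials to the real service in real time can also relay the secret back, which is one reason the 2-factor approach the post goes on to mention holds up better.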
In an article over at Yahoo we're told Mail Security Service Model Marches On. It's interesting, as there definitely is an interesting proposition in outsourcing things like management of e-mail security. However I must say I'd not be too comfortable outsourcing something as critical as e-mail without some very good assurances and SLAs surrounding it.
For example, I'd hate to be the e-mail admin who has to troubleshoot mail delivery when I didn't control the whole path for the mail out to the recipient, especially if there's a possibility of false positives, as there is with many e-mail spam/virus management packages...
Now I'll start this post with the obligatory IANAL, but there's a story over at Security pipeline, which seems to be saying that Security Managers Could Face Court Penalties for poor security or for making lists of top measures that companies should follow and then not implementing them all...
I've got to say that the examples sound a bit over-dramatised to me, but it's an interesting theory from the point of view of convincing management of the importance of being seen to be proactive in the field of InfoSec...
Slashdot | Dan Kaminsky Suggests Having Fun with DNS
There's a story over at Slashdot covering a presentation from Dan Kaminsky (of Paketto Keiretsu fame) with some... very interesting ideas about using DNS as a communications channel for arbitrary data (in a similar fashion to things like httptunnel).
Cool stuff, this, 'cause it drives home the point that it is wrong to think of a network service as just a means of transferring a specific type of data: many can transfer any type of data you like, they're just usually used for a given type. Which does make the point that traditional security measures like firewalls become a lot less effective as soon as you allow even one protocol across them...
One other thing that occurred to me when reading the slides about transmitting ISO images using TXT records is that I wonder what would happen if you caused a caching DNS server to run out of disk space by requesting lots of these records...
I would hope that it would just start purging the records in oldest first order, but I suppose it might DoS some servers...
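The flip side of "any protocol can carry any data" is that the traffic still looks different from ordinary use. As an added example (not from the presentation or the Slashdot story), this checks a few constructed, BIND-style query-log lines for the pattern data-over-DNS leaves behind: a client issuing many TXT queries whose leftmost label is long and never repeats, where a normal resolver asks for the same few TXT records (SPF, DMARC) over and over. The log format, addresses and domains are made up; the thresholds are starting points to tune against your own resolver logs.

```python
import re
from collections import defaultdict

# Constructed query-log lines in a simplified BIND-like layout:
#   client <ip>#<port>: query: <qname> IN <qtype>
# The addresses and domains below are made up for the example.
def _bulky_txt_line(i: int) -> str:
    # 40-character hex label that changes on every query, as chunked data would
    return f"client 10.0.0.5#4{i:04d}: query: {i:040x}.t.example.net. IN TXT"

SAMPLE_LOG = [_bulky_txt_line(i) for i in range(8)] + [
    "client 10.0.0.9#50011: query: example.com. IN TXT",        # SPF lookup
    "client 10.0.0.9#50012: query: _dmarc.example.com. IN TXT",  # DMARC lookup
    "client 10.0.0.9#50013: query: www.example.com. IN A",
    "client 10.0.0.5#40099: query: www.example.org. IN A",
    "garbage line that does not parse",
]

LINE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)"
)

def parse_line(line: str):
    """Return (client_ip, qname, qtype) or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("qname").rstrip("."), m.group("qtype")

def suspicious_txt_clients(lines, min_txt=5, min_unique_labels=5, long_label=30):
    """Flag clients with at least min_txt TXT queries of which at least
    min_unique_labels carry a distinct leftmost label of long_label chars or
    more. Returns {ip: {"txt": n, "unique_long": m, "zones": [...]}} so an
    analyst can see which zones the oversized names were asked under."""
    stats = defaultdict(lambda: {"txt": 0, "labels": set(), "zones": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped, not fatal
        ip, qname, qtype = parsed
        if qtype != "TXT":
            continue
        st = stats[ip]
        st["txt"] += 1
        labels = qname.split(".")
        if len(labels[0]) >= long_label:
            st["labels"].add(labels[0])
            st["zones"].add(".".join(labels[-2:]))
    return {
        ip: {"txt": st["txt"], "unique_long": len(st["labels"]), "zones": sorted(st["zones"])}
        for ip, st in stats.items()
        if st["txt"] >= min_txt and len(st["labels"]) >= min_unique_labels
    }

if __name__ == "__main__":
    for ip, info in suspicious_txt_clients(SAMPLE_LOG).items():
        print(ip, info)
```

Counting distinct long labels rather than raw TXT volume is what keeps the mail-related lookups from 10.0.0.9 out of the result; a busy mail gateway can legitimately issue thousands of TXT queries, but it keeps asking for the same short names.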
An interesting article at LURHQ presents Scanrand Dissected. It's a great explanation of how scanrand works and also a speed comparison between it and nmap, although the author does point out that nmap has far more functionality than scanrand...
Looks like a great tool for quickly scanning networks for rogue servers....
An interesting article at nwfusion gives us The scoop on security policies. There are some good points in the article about keeping the policy short and to the point, although I've tended to find that in larger companies it is a real challenge to convey all the information that you need to to your userbase in a very short policy. There are other alternatives of course, like splitting the information up over multiple documents, but that can lead to people reading the first one and none of the rest.
One other point to note is that even more important than the security policy itself is the communication method and the periodic reminders. If you only give someone the policy once and then never revisit it, most people WILL forget what's in it...
There's a good list of wardriving tools over at The Official WorldWide WarDrive site...
Also there are some interesting stats about the number of Wi-fi networks around.