IP Address GeoLocation Site
A Link to a handy IP address location service...
It definitely looks like wireless insecurity issues will be here to stay for the time being, with 2 vulnerabilities in popular wifi products being announced here and here.
The main problem with these types of vulnerabilities is that I don't think that they will be patched anytime soon in the majority of affected devices. People are hardly waking up to the concept that software needs to be regularly patched, let alone the idea that hardware requires patches as well... Also a lot of wifi products tend to be deployed in smaller organisations and homes, where there is, typically, less security knowledge than in larger firms...
Also a problem is that, as noted here, in a lot of cases you don't even need a vulnerability to hack into a wireless network, as many vendors ship Access Points in a wide open config!
Microsoft, Sun Security Paths Diverge
Well, here's a surprise (sorry, being a tad cynical): Microsoft and Sun will be working to 2 different standards WRT identity management... VHS and Betamax anyone...
Wired News: Complex Passwords Foil Hacks
There's an interesting form of 2-factor authentication mentioned in this article on Wired. Scratchcards that reveal one-time passwords. One thing that does occur to me is that I suppose they will need to be used in sequence (so that only one is valid at any one time), so what would happen if you wanted to skip one, for example if the cover on one rubbed off in your wallet and you weren't sure if someone else had seen it...
Information Security - Downloads
Some downloadable information on information security from the Department of Trade and Industry in the UK
InfoWorld: Network Associates is granted broad antispam patent: June 01, 2004: By : SECURITY
Looks from this article like we'll be seeing some patent lawsuits soon in the security world. This is a good example of what I don't like about software patents, an overly broad patent, for which there may well be prior art, but in order to challenge it there will now have to be an expensive court case out of which no-one will win but the lawyers!!!
sigh
Dana Epp's ramblings at the Sanctuary : Economics of Information Security
Dana has a link from a link on Axel's blog to a great article about security and economics by Ross Anderson (Gee, blogging gets a bit overly linked at times :op)...
As with a lot of Ross Anderson's writings, it's very thought provoking, with many interesting ideas in it. A recommended read even if you're not into InfoSec, as it provides one possible explanation for things like why Microsoft dominates certain computing markets....
One of the many interesting ideas in it was an analysis of why even the best funded security team can fall foul of a relatively poorly funded attacker in the computing world (starts on page 4).
Dana Epp's ramblings at the Sanctuary : Microsoft releases new Threat Modeling Tool
An interesting post over at Dana Epp's blog, regarding a new Microsoft tool (and a forthcoming book) focusing on threat modelling. One to download and look at when I get a chance (shame they've not made a Linux version ;op)
Slashdot | Password Memorability and Securability
There's an interesting story on Slashdot, linking to a study on password quality. It has a couple of interesting conclusions amongst some other confirmations of common themes in password quality. Most interesting is probably the conclusion that in practice mnemonic passwords are as strong as randomly chosen passwords and are far easier to remember....
An Interesting Penetration Testing Guide provided by Corsaire.
Has some good points about choosing Pen Testing consultancies and also some good resources at the end...