TCP/IP for security analysts redux
SecurityFocus HOME Infocus: TCP/IP Skills for Security Analysts (Part 2)
The second part of the article on TCP/IP skills for security analysts is up on securityfocus.com
The story over at SecurityFocus HOME News: Unpatched IE vuln exploited by adware provides an example of a valuable point, which is that it is not just "white hat" security researchers that are looking for bugs in Microsoft, and other, products. Which is why it's important that vendors get their patches out as soon as they can and don't take up to 200 days to release them...
Over at www.xmethods.net there's a really cool list of functional web services.
With each there's a link so you can try them out. It's a pretty diverse bunch including practical things like currency conversion and less practical things like... random George W Bush quotes.
A Link to a handy IP address location service...
It definitely looks like wireless insecurity issues will be here to stay for the time being, with 2 vulnerabilities in popular wifi products being announced here and here.
The main problem with these types of vulnerabilities is that I don't think that they will be patched anytime soon in the majority of affected devices. People are hardly waking up to the concept that software needs to be regularly patched, let alone the idea that hardware requires patches as well... Also a lot of wifi products tend to be deployed in smaller organisations and homes, where there is, typically, less security knowledge than in larger firms...
Also a problem is that, as noted here, in a lot of cases you don't even need a vulnerability to hack into a wireless network, as many vendors ship Access Points in a wide open config!
Microsoft, Sun Security Paths Diverge
Well here's a surprise (sorry, being a tad cynical): Microsoft and Sun will be working to 2 different standards WRT identity management... VHS and Betamax anyone...
Wired News: Complex Passwords Foil Hacks
There's an interesting form of 2-factor authentication mentioned in this article on Wired. Scratchcards that reveal one-time passwords. One thing that does occur to me is that I suppose they will need to be used in sequence (so that only one is valid at any one time), so what would happen if you wanted to skip one, for example if the cover on one rubbed off in your wallet and you weren't sure if someone else had seen it...
Information Security - Downloads
Some downloadable information on information security from the Department of Trade and Industry in the UK
InfoWorld: Network Associates is granted broad antispam patent: June 01, 2004: By : SECURITY
Looks from this article like we'll be seeing some patent lawsuits soon in the security world. This is a good example of what I don't like about software patents, an overly broad patent, for which there may well be prior art, but in order to challenge it there will now have to be an expensive court case out of which no-one will win but the lawyers!!!
sigh
Dana Epp's ramblings at the Sanctuary : Economics of Information Security
Dana has a link from a link on Axel's blog to a great article about Security and economics by Ross Anderson (Gee, blogging gets a bit overly linked at times :op)...
As with a lot of Ross Anderson's writings it's very thought provoking, with many interesting ideas in it. A recommended read even if you're not into InfoSec, as it provides one possible explanation for things like why Microsoft dominates certain computing markets...
One of the many interesting ideas in it was an analysis of why even the best funded security team can fall foul of a relatively poorly funded attacker in the computing world (starts on Page 4).