Novel way of Learning about Cisco Products

Over at RouterGod there's a very informative series of articles about various Cisco topics. They're in the News Archives section and they've got an..... interesting way of presenting the information ...

Handy list of Linux Live CD's

A good list of Linux Live CDs. There are quite a few useful ones from the security point of view, including the very useful Local Area Security distro.
Anyone who's not had time to play with Linux LiveCDs really should, as they are immensely useful tools for work like forensics and system administration.

Story on the Cisco code theft

New evidence points to Cisco network hack
An article over at Network World providing some more info on the Cisco code theft. One point in it that I would disagree with is the comment that
"Unlike open source software products, the security of Cisco's systems, like those of other proprietary software vendors, depends on the source code being kept out of public view, he said"
This is a bit on the sweeping side really... Although it is a salutary lesson that companies shouldn't rely on the secrecy of their code to provide security.

Microsoft Security Policy Compliance...

Redmond enlists security vendors to automate policy compliance
An interesting idea talked about over at Network World is Microsoft working with A-V vendors on security policy compliance software. If I'm reading it correctly, the idea is that when a machine tries to log onto a Microsoft network, its agent software will transmit information about things like its A-V pattern files and patch level, and if these don't meet defined standards it will not be able to connect until it is updated.
It's a good idea for things like laptop users, who perhaps aren't in the office often enough to get updates. That said, I like the idea of this being tied into the network switch/router infrastructure more.
The reason is that even if a PC can't log onto a Windows domain it can still connect to other client-server applications, whereas if the switch the PC is connected to won't let it communicate with anything other than the update server until it is patched, it will be a more effective control.

Career path to Network Security

Martin McKeay's Network Security Blog: How to get into Network Security
A link to an interesting article at SecurityFocus talking about the prerequisites for getting into network security. My path was train as an accountant, get lucky and move over to IT before having to do any accounts, spend 5 years in networking and general IT, then move into IT security. I've found my background in IT to be very useful when having security-related conversations with IT staff; it definitely helps to understand where they're coming from and also if they might be being "economical" with the truth...
There's another reference to this story over at Joat's blog, which mentions coding as a required skill. I've picked up bits of a couple of languages over the years, and I'd like to learn more, but I've never been sure which language would be best to focus on, with the inevitable result that I've not really learned any of them....

Microsoft Security Management column

An interesting link over at Michael Howard's blog to a column on Security Management

Good example of Social Engineering

There's an article which runs through a good example of social engineering here. The methods used give examples of how easy it is to gain access to information or goods without authorisation. It does require a talent for thinking on your feet though....

US falls for Phishing...

An interesting article over at vnunet.com quoting Gartner on the levels of loss in the US from phishing scams. I'm definitely surprised that it is as high as $1.2 billion, but if those figures are accurate, I'd hope to see the financial institutions involved moving to authentication schemes which are more resistant to this kind of attack, maybe like the ones I mentioned here.

Diceware Passphrase Generator

Diceware Passphrase Home Page
A link to an ... interesting ... method of generating passphrases

Client Security, It's important!

This one is one of my recurrent rants, so I thought I'd post it while I think about it....
Why do large corporations spend loads of money securing their perimeter, a fair quantity on their core line-of-business servers, and very little securing corporate desktops?
If someone can compromise a desktop PC, they can get all the rest of the access they need very easily; they can also easily compromise your core servers...
Here's one scenario of many.
1st step - Get local administrator rights on a corporate PC running Windows. Easily done by booting off a CD, grabbing the SAM file and cracking the password. In most networks I've seen, the local admin password is the same on all the PCs.
2nd step - Find out the IP address or machine name of an admin-level person's desktop. Shouldn't be too hard if you are in the same building; if you're not, something like an HTML e-mail with a web bug in it would do the trick.....
3rd step - Connect to their PC using the local administrator account and install a keylogger.
4th step - Grab all the passwords as they type them! If you're feeling fancy, install a remote control program on their workstation, then log on to their machine as them and connect to the servers they administer. At that point it would be very hard for mechanisms like IDS to know that you're not the administrator of the system.....
How do you mitigate this?
One way would be to deploy 2-factor authentication for all your admins. If you use RSA tokens or some other form of one-time password, it would cut back on the window of opportunity.
Another option would be to put desktop firewalls on all admin (or potentially all) PCs and configure a reasonable ruleset on them which only allows inbound connections from specific subnets, as required to maintain the system.
Another option (only applicable to this particular attack) would be to specify different local administrator passwords for each PC (might be a bit hard to administer though).
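As an added example of the desktop-firewall option above (my own script, not something from the original post or any vendor), here is a PowerShell baseline for an admin workstation that blocks unsolicited inbound traffic by default and re-opens the remote-admin ports only to a management subnet. It assumes a Windows version with the NetSecurity module (Windows 8 / Server 2012 or later), an elevated prompt, and that 10.0.5.0/24 is a placeholder for your real management subnet.

```powershell
# Added example: host-firewall baseline for admin workstations.
# Assumptions: NetSecurity module available, run as administrator,
# and 10.0.5.0/24 is a placeholder for the real management subnet.
$MgmtSubnet = '10.0.5.0/24'

# 1. Block all unsolicited inbound traffic by default on every profile;
#    outbound stays open so the PC can still reach update servers.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Re-open only the ports used to administer the PC remotely, and only
#    from the management subnet (domain profile only).
$AdminPorts = @{
    'Admin SMB (445) from mgmt subnet'  = 445    # admin shares / remote install
    'Admin RPC (135) from mgmt subnet'  = 135    # remote service control
    'Admin RDP (3389) from mgmt subnet' = 3389   # remote desktop
}
foreach ($name in $AdminPorts.Keys) {
    # Remove any earlier copy first so re-running the script is idempotent.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
        -LocalPort $AdminPorts[$name] -RemoteAddress $MgmtSubnet `
        -Profile Domain -Action Allow | Out-Null
}

# 3. Check: list every enabled inbound allow rule whose remote scope is still
#    'Any'. Those are the rules that would let any host on the LAN connect
#    to this PC with the local administrator account.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        (Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $_).RemoteAddress -eq 'Any'
    } |
    Select-Object DisplayName, Profile
```

Anything printed by step 3 (typically built-in rules such as file and printer sharing) should be disabled or scoped to the same management subnet, otherwise the custom rules are bypassed.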