Online Browser Security Test

There's a Browser Security Test over here that allows you to check your browser configuration to see if it's vulnerable.
Could be handy if you're unsure whether patches have applied correctly, or if you're looking to demo how insecure unpatched versions of major browsers can be.

New Internal Network Monitoring Tools

Security tools target inside jobs
This article talks about some new products which focus on business/application-level analysis of a company's traffic. I'm a little cynical about this kind of thing, as I would expect the same kind of "data flood" problem which affects network-level IDS systems to affect this kind of solution too.
Also, working at an application level is far harder: it is relatively easy for an automated system to recognise things like HTTP traffic, however an automated system looking at that and saying "that's confidential information from the payroll system" would be very, very difficult to set up.

Out-of-Band communications to combat phishing

In an article, The Future of Phishing, Help Net Security presents an interesting idea for combating the current (and potential future) phishing attacks: communicate transactions out-of-band (for example by SMS message) and then have the user authorize that transaction by entering a one-time password sent to them in the SMS message.
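To make the idea concrete, here is an added example (not from the Help Net Security article or this post) of a server binding the one-time code to the transaction details it sends out-of-band, so a code the user types in can only authorise that exact transaction, and only once. The key, the field names and the SMS wording are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo key (assumption): a real bank would hold this in an HSM or key store.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# Nonces already redeemed, so a code cannot be replayed against a second transaction.
_redeemed: set = set()


def _canonical(tx: dict, nonce: str) -> bytes:
    """Serialise exactly the fields the user is asked to approve, plus the challenge nonce.
    Field names are assumptions for this example."""
    return "|".join([
        tx["from_acct"], tx["to_acct"], str(tx["amount_pence"]), tx["currency"], nonce,
    ]).encode()


def transaction_code(tx: dict, nonce: str, key: bytes = SERVER_KEY) -> str:
    """Derive a 6-digit one-time code from an HMAC over the transaction and nonce.
    Changing any approved field produces a different code."""
    digest = hmac.new(key, _canonical(tx, nonce), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def issue_challenge(tx: dict, nonce: Optional[str] = None) -> tuple:
    """Server side: mint a nonce and the SMS text sent out-of-band.
    The SMS restates destination and amount so the user can spot a transaction that a
    phishing site has altered before they type the code into it."""
    nonce = nonce or secrets.token_hex(8)
    code = transaction_code(tx, nonce)
    sms = (f"Confirm transfer of {tx['amount_pence'] / 100:.2f} {tx['currency']} "
           f"to account {tx['to_acct']}. Code: {code}")
    return nonce, sms


def verify_and_execute(tx: dict, nonce: str, code: str) -> bool:
    """Server side: accept the code only for the transaction actually about to be
    executed, and only once."""
    if nonce in _redeemed:
        return False
    if not hmac.compare_digest(transaction_code(tx, nonce), code):
        return False
    _redeemed.add(nonce)
    return True


if __name__ == "__main__":
    # Constructed transaction; the account numbers are made up.
    tx = {"from_acct": "11111111", "to_acct": "22222222", "amount_pence": 50_000, "currency": "GBP"}
    nonce, sms = issue_challenge(tx)
    print("SMS:", sms)
    code = sms.rsplit(" ", 1)[1]
    # A phished session that silently swaps the destination cannot reuse the code.
    tampered = dict(tx, to_acct="99999999")
    print("tampered transaction accepted:", verify_and_execute(tampered, nonce, code))
    print("genuine transaction accepted:", verify_and_execute(tx, nonce, code))
    print("replay accepted:", verify_and_execute(tx, nonce, code))
```

The two properties that matter are in `_canonical` and `_redeemed`: the code is an HMAC over the fields the user approved, so it is useless for any other transaction, and the nonce is consumed on first use, so it cannot be replayed.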

ICMP chat

There's an interesting program over at SourceForge, ICMP-Chat, which allows you to communicate with someone purely over ICMP (you can choose which type of ICMP message is used).
This provides a good illustration of the danger, in security, of assuming that a system or protocol will only be used for its intended, or well known, purpose.
In this example this program could probably be used to bypass firewall infrastructure in some companies, as many people allow ICMP through for troubleshooting purposes, where all TCP and UDP connections will be locked down.
That brings me on to another point, which is the futility of disallowing protocols on the basis that they can be used for file transfer. In some setups I've seen, people block incoming FTP but not HTTP. That doesn't make a lot of sense when you realise that HTTP is a generic content transfer protocol and can be used for a wide variety of things, like file transfer and, of course, remote control.
You don't see many companies allowing inbound connections for protocols like PC-Anywhere, but with HTTP allowed, services like GoToMyPC provide very similar functionality.
A mitigation for this kind of risk is to apply more application-level controls over all protocols allowed through security perimeters, as at the application layer there is a better understanding of what the purpose of the communication is.
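As an added example of the application-level inspection suggested here, applied to the ICMP case (this is not part of ICMP-Chat or of this post), the following builds a few constructed ICMP echo packets and flags payloads that do not look like an ordinary ping: readable text, or data that looks uniformly random. The stock ping payloads and the "usual" payload sizes are assumptions about a site's baseline, and only echo traffic is modelled.

```python
import math
import string
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
# Default payload of the Windows ping tool.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
# Default payload sizes of common ping tools (assumption about the site's baseline).
USUAL_PING_SIZES = (32, 56)


def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum; yields 0 over a packet whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request/reply with a correct checksum (used only to construct samples)."""
    csum = icmp_checksum(struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(raw: bytes) -> dict:
    """Split an ICMP message (IP header already removed) into header fields and payload."""
    if len(raw) < 8:
        raise ValueError("truncated ICMP header")
    if icmp_checksum(raw) != 0:
        raise ValueError("bad checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": raw[8:]}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; a payload of all-distinct bytes reaches log2(len(data))."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def looks_like_ping_payload(payload: bytes) -> bool:
    """True for the stock payloads of Windows ping and of Linux/BSD ping
    (8-byte timestamp followed by the byte ramp 0x10, 0x11, ...)."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    ramp = bytes((0x10 + i) & 0xFF for i in range(max(len(payload) - 8, 0)))
    return len(payload) >= 16 and payload[8:] == ramp


def covert_channel_indicators(msg: dict) -> list:
    """Reasons an echo message looks like data rather than a ping; [] when it looks normal."""
    payload = msg["payload"]
    if msg["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or looks_like_ping_payload(payload):
        return []
    reasons = []
    printable = sum(chr(b) in string.printable for b in payload) / max(len(payload), 1)
    if printable > 0.9:
        reasons.append("payload is human-readable text, not a ping pattern")
    ent = shannon_entropy(payload)
    if payload and ent >= 0.9 * math.log2(len(payload)):
        reasons.append(f"high-entropy payload ({ent:.1f} bits/byte), possibly encrypted or compressed")
    if len(payload) not in USUAL_PING_SIZES:
        reasons.append(f"unusual payload length {len(payload)}")
    return reasons or ["payload does not match a known ping pattern"]


def inspect_icmp_stream(raw_packets: list) -> list:
    """Return (index, reasons) for every packet worth a second look."""
    findings = []
    for idx, raw in enumerate(raw_packets):
        try:
            reasons = covert_channel_indicators(parse_icmp(raw))
        except ValueError as exc:
            reasons = [f"malformed ICMP: {exc}"]
        if reasons:
            findings.append((idx, reasons))
    return findings


def constructed_samples() -> list:
    """Constructed packets, not captured traffic: a stock Linux ping, a chat-style text
    payload, and an opaque payload standing in for encrypted data (all 56 bytes distinct)."""
    linux_ping = bytes(8) + bytes(range(0x10, 0x10 + 48))
    chat_text = b"hello over icmp, can you read this?"
    opaque = bytes(range(200, 256))
    return [
        build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, linux_ping),
        build_echo(ICMP_ECHO_REQUEST, 0x1234, 2, chat_text),
        build_echo(ICMP_ECHO_REPLY, 0x1234, 2, opaque),
    ]


if __name__ == "__main__":
    for idx, reasons in inspect_icmp_stream(constructed_samples()):
        print(f"packet {idx}: {'; '.join(reasons)}")
```

The point is the one the post makes about the application layer: the firewall sees "ICMP echo, allowed", whereas a payload check can tell a ping from a conversation. The thresholds are deliberately simple and would need tuning against real baseline traffic.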

linux palmtop goodness

Well, I think I've finally found the right handheld computer for me: a Sharp Zaurus C860. It's Linux based, has lots of good security software available, can take SD and CF cards, has an excellent 640x480 display and isn't too bulky or heavy.
Also the keyboard is fairly good, as I'm writing this entry using it.

Hard Drive Information Leakage

ATAC: Abusable Technologies Awareness Center: Used Hard Disks Packed with Confidential Information
Interesting information about the types and quantity of sensitive information that is available on old hard disks.

Bluesnarfing story

There's a good bluesnarfing story over at Slashdot

link to article about google hacking

Martin McKeay's Network Security Blog: Scary uses for Google
Found a link to an interesting story at SecurityFocus about using Google to look for things like passwords that the owners of the pages probably don't realise are public.
Also got another blog for my blogroll :o)

Vulnerability Management Stats, Apples and Oranges?

eWeek is carrying a story covering some Forrester research comparing vulnerability levels and response times across a range of vendors.
The thing that always strikes me about this kind of research is whether they are comparing like with like. For example, if they are comparing ALL vulnerabilities in Microsoft software with ALL vulnerabilities in the software of a given Linux distribution, then that's really a bit meaningless in the real world. I mean, who's going to have all that software installed in a given environment?
A far more meaningful way of presenting the information would be to establish typical usage profiles, for example "corporate desktop" or "web server", state what packages those would contain, and then measure the vendors based on the vulnerability levels present.
My gut feeling, although I could be wrong, is that Microsoft would probably come out worst in that kind of analysis, as many of the vulnerabilities they have had recently have been in core parts of their system (ASN.1 being a good example) which would appear in every loadset, and of course the fact that their overall strategy seems to involve a lot of integration of systems, leading to a larger overall attack surface.
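To show what the profile-based comparison would look like in practice, here is an added example (not from the eWeek story or the Forrester research). The vulnerability records, vendor names, packages and loadsets are all constructed, so the numbers illustrate the method and say nothing about any real vendor.

```python
from collections import defaultdict
from statistics import median

# Constructed records, not real advisory data: (vendor, package, severity, days_to_patch)
VULNS = [
    ("VendorA", "kernel", "high", 45),
    ("VendorA", "asn1-lib", "high", 30),
    ("VendorA", "browser", "medium", 20),
    ("VendorA", "web-server", "high", 15),
    ("VendorB", "kernel", "high", 5),
    ("VendorB", "ssl-lib", "high", 10),
    ("VendorB", "browser", "medium", 7),
    ("VendorB", "web-server", "medium", 3),
    ("VendorB", "game-x", "low", 60),
    ("VendorB", "editor-y", "medium", 40),
    ("VendorB", "db-z", "high", 12),
]

# Which packages each vendor's build of a usage profile actually contains (constructed).
# VendorB ships many optional packages that a desktop or web server never installs.
LOADSETS = {
    "corporate desktop": {
        "VendorA": {"kernel", "asn1-lib", "browser", "mail-client"},
        "VendorB": {"kernel", "ssl-lib", "browser", "mail-client"},
    },
    "web server": {
        "VendorA": {"kernel", "asn1-lib", "web-server"},
        "VendorB": {"kernel", "ssl-lib", "web-server"},
    },
}


def count_everything(vulns: list) -> dict:
    """The 'apples and oranges' comparison: every vulnerability the vendor ever shipped."""
    totals = defaultdict(int)
    for vendor, _pkg, _sev, _days in vulns:
        totals[vendor] += 1
    return dict(totals)


def profile_report(vulns: list, loadsets: dict) -> dict:
    """Per profile and vendor: only the vulnerabilities in packages that profile installs,
    with a severity count and the median time the vendor took to patch them."""
    report = {}
    for profile, vendors in loadsets.items():
        report[profile] = {}
        for vendor, packages in vendors.items():
            hits = [(sev, days) for v, pkg, sev, days in vulns if v == vendor and pkg in packages]
            report[profile][vendor] = {
                "count": len(hits),
                "high": sum(1 for sev, _ in hits if sev == "high"),
                "median_days_to_patch": median(d for _, d in hits) if hits else None,
            }
    return report


if __name__ == "__main__":
    print("all vulnerabilities:", count_everything(VULNS))
    for profile, vendors in profile_report(VULNS, LOADSETS).items():
        for vendor, stats in vendors.items():
            print(f"{profile:18} {vendor}: {stats}")
```

With this constructed data the raw count makes VendorB look almost twice as bad, while per profile the two vendors have the same number of exposed vulnerabilities and VendorA takes far longer to patch them; that is exactly the kind of difference the raw totals hide.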

Open Source Vulnerability Database

NewsForge | Open Source Vulnerability Database Goes Live
There's a story over at NewsForge covering a new Open Source Vulnerability Database. It's not too clear to me at the moment how this differs from things like CERT.