Complexity of patching at Microsoft

This story over at Zone-H.org makes an interesting point about eEye's outstanding vulnerabilities, the ones they have reported to Microsoft that remain unpatched.
One point of view you could take from this is that Microsoft is famous for the amount of integration in its products, and as the number of products and the amount of code in them increases, the cost and time required to fix a vulnerability also increase: a fix in shared code has to be tested against everything that depends on it. On the eEye page you can see vulnerabilities they reported to Microsoft 200+ days ago, which they regard as critical and which have not been patched.
Given eEye's approach of withholding details until a patch ships, this isn't too serious a problem. However, if we assume that Microsoft has been working hard to patch these problems (and we've no reason to assume otherwise), what would happen if they got an equally serious vulnerability from a source who believed in publishing after only, say, 10 days of notification, or even worse, one who decided to post exploit code first and ask questions later?
If it takes 200+ days to patch the problem, that leaves a pretty large window of exploitation and potentially a lot of damage to systems around the world.

Paying for Patches?!

ISS slammed for 'selling' security patches - ZDNet UK News
This story over at ZDNet covers ISS's insistence that only customers with maintenance contracts will get patches for the vulnerability in their products that the Witty worm exploited...
I really hope this isn't a continuing theme amongst software vendors, as the only result will be an increasing number of machines that will never be patched against malicious code.
Also, I've got to say that I'm really surprised to see this stance from a vendor of security products, as you would think that they of all people would understand the consequences of leaving people with faulty firewall software!

Excellent list of PKI links

Security links (tietoturvalinkkejä)

Cool List of general security Links

Talisker Security Products and Service Website provides a good categorised set of links on various security/firewall/forensics topics

Information Appliance Tap.

First off, I'm thinking of an ethernet-style tap, not a water one ;op
I was thinking today: more and more people are connected to broadband these days. If I were selling information appliances, by which I mean dedicated pieces of hardware that process information (like the Amstrad emailer), I'd want to be able to tap into the broadband connection, but I wouldn't want to guide non-technical users through the hassle of setting up some form of internet connection sharing (NAT), be it software or hardware.
So, what if I just tapped into the connection? If you attached a network bridge to the ethernet side of an ADSL modem (between the PC and the modem) you'd be able to see all the traffic as it goes by...
Then use UDP to send traffic upstream to your server. It doesn't matter that the device has no IP address of its own: a bridge can put a frame on the wire with any source address it likes (the PC's, for instance), and because UDP is connectionless there is no handshake to complete, so the datagrams simply arrive at the server.
Then there's the reverse, i.e. can the server send to the device? That requires the device to work out the IP address of the PC it's installed next to, but since it can see traffic going by it can pull the address from the packet stream: every frame heading from the PC towards the modem carries the PC's address as its source. Once it has the address it reports it to its server, and if the server then sends UDP traffic to that address (obviously on a port the PC isn't listening on) the tap will see it and can pick it out. The tap should also drop those frames rather than forwarding them on, otherwise the PC answers each one with an ICMP port unreachable and any host firewall will log the unexpected traffic. All of this assumes the PC holds a routable address, i.e. the modem is bridging rather than doing NAT itself; behind a NAT the server could only reply to whatever mapping the tap's own outbound traffic had opened.
The advantage of all this is that you can send traffic over a user's broadband connection without disturbing their existing environment at all...
There are some downsides though. Because the tap accepts any datagram that turns up for the PC's address on the chosen port, anyone who can guess or observe that address and port can inject traffic, so you'd need to put all the intelligence in things like authentication into the application level of the device: authenticate every datagram under a key held by the device and reject replays (otherwise you'd be a great target for forged traffic from unscrupulous types). Bear in mind too that the tap sees everything the user sends, which makes the device itself a worthwhile target.
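Here is the exchange described above worked through in Python, as an added example that is not part of the original post. It models the bridge as a two-port device (it knows whether a frame arrived from the PC side or the modem side), learns the PC's address from the PC's own outbound frames, picks out inbound UDP on the tap port, and authenticates each datagram with an HMAC under a per-device key plus a counter so that forged and replayed datagrams are dropped. The port number, the key, the addresses and the frames are all constructed for the demonstration, and IP/UDP checksums are not validated.

```python
import hashlib
import hmac
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17
TAP_PORT = 40001                      # assumed: a port the PC is not listening on
DEVICE_KEY = b"per-device-secret"     # assumed: provisioned into the appliance, known to the server
TAG_LEN = 16                          # truncated HMAC-SHA256 tag appended to each datagram


def parse_udp_frame(frame):
    """Pick an IPv4/UDP datagram out of an Ethernet II frame.

    Returns (src_ip, dst_ip, src_port, dst_port, payload), or None for anything else.
    Checksums are not validated; the tap is passive and only cares about addressing.
    """
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_UDP or ihl < 20 or len(ip) < total_len or total_len < ihl + 8:
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    src_port, dst_port, udp_len = struct.unpack("!HHH", ip[ihl:ihl + 6])
    payload = ip[ihl + 8:ihl + udp_len]
    return src_ip, dst_ip, src_port, dst_port, payload


def seal(key, counter, message):
    """Server side: counter || message || HMAC tag. The counter is what defeats replays."""
    body = struct.pack("!I", counter) + message
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Tap:
    """Two-port bridge: frames arrive either from the PC side or from the modem side."""

    def __init__(self, key, port):
        self.key = key
        self.port = port
        self.local_ip = None      # learned from the PC's own outbound traffic
        self.last_counter = 0     # highest counter accepted so far

    def observe(self, ingress, frame):
        """Feed one frame; returns an authenticated message for the device, else None."""
        parsed = parse_udp_frame(frame)
        if parsed is None:
            return None
        src_ip, dst_ip, _src_port, dst_port, payload = parsed
        if ingress == "pc":
            # Every IPv4 frame the PC sends carries the PC's address as the source.
            self.local_ip = src_ip
            return None
        # Inbound from the modem: only frames for the PC's address on our port matter.
        # A real bridge would also drop these here instead of forwarding them to the PC.
        if self.local_ip is None or dst_ip != self.local_ip or dst_port != self.port:
            return None
        return self.unseal(payload)

    def unseal(self, payload):
        """Verify tag and counter; anything forged or replayed is dropped."""
        if len(payload) < 4 + TAG_LEN:
            return None
        body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None
        counter = struct.unpack("!I", body[:4])[0]
        if counter <= self.last_counter:
            return None
        self.last_counter = counter
        return body[4:]


def build_udp_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Construct a minimal Ethernet/IPv4/UDP frame for the demonstration (checksums left zero)."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, PROTO_UDP, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    eth_hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + udp_hdr + payload


def demo():
    """Walk through the exchange with constructed frames (documentation addresses)."""
    tap = Tap(DEVICE_KEY, TAP_PORT)
    pc, server, attacker = "192.0.2.10", "198.51.100.10", "203.0.113.7"
    # 1. The PC does a DNS lookup; the tap learns the PC's address from the source field.
    tap.observe("pc", build_udp_frame(pc, "198.51.100.53", 51000, 53, b"dns query"))
    # 2. The server sends an authenticated datagram to the PC's address on the tap port.
    good = tap.observe("modem", build_udp_frame(server, pc, 4000, TAP_PORT,
                                                seal(DEVICE_KEY, 1, b"config:update")))
    # 3. Someone who guessed the address and port injects a datagram under the wrong key.
    forged = tap.observe("modem", build_udp_frame(attacker, pc, 4000, TAP_PORT,
                                                  seal(b"guessed-key", 2, b"config:evil")))
    # 4. The genuine datagram replayed from a capture: tag is valid, counter is stale.
    replay = tap.observe("modem", build_udp_frame(server, pc, 4000, TAP_PORT,
                                                  seal(DEVICE_KEY, 1, b"config:update")))
    return tap.local_ip, good, forged, replay


if __name__ == "__main__":
    print(demo())
```

Running the block prints the PC's learned address, the one genuine message, and None for both the forgery and the replay. Keying the MAC per device is what makes a guessed address and port worthless to an attacker; one key shared across every appliance would turn the compromise of a single box into the ability to talk to all of them.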

Example of a spoofed secure site

Over at Securitynews.net they've got a cool example of using graphical elements to create the illusion of a secure site, by drawing something that mimics IE's own window furniture inside the page. Of course, if you're not running IE on Windows XP it just looks odd.
Although with enough work that might be overcome, by detecting the user agent requesting the page and serving a suitable fake UI for each browser (of course you could always foil them by using Lynx ;op). The only indicator worth trusting is the browser's real chrome and certificate, never anything painted inside the page area.

Spam appliances better than software?

I'm definitely with Joat on this one. joatBlog: Appliances are better?
The article over at nwfusion.com presents the argument that spam management appliances are better than software on a general-purpose OS. Sure, there are advantages in that you don't have another server whose software you have to manage, but from a security point of view I'm dubious as to whether they are superior.
One reason is that you're dependent on the vendor for patches for any operating-system-level vulnerabilities that come out, as these appliances are usually based on commodity operating systems customised for the task, and you can't apply the OS vendor's own patch yourself.
Also, it becomes difficult to know whether you have any machines with a specific vulnerability, as you will probably not know what software (or which versions) the vendor has loaded on the appliance...

cool.. bootable USB drives

Over here, at joatBlog: USB security, is a pointer to some information about bootable USB drives....
I'm really in two minds with regard to bootable USB drives. On the one hand they're an immensely useful means of transferring ever larger quantities of data.
But, from an IT security point of view they're a danger, both from an information leakage aspect and also, with bootable drives, because they present the possibility of someone coming to an enterprise and booting an environment that allows them to attack the network....
Now I know, at this point people will be saying "well, they're no different from bootable CDs", as you can get some nice bootable security-focused Linux distros (like the one over at Local Area Security), which in the wrong hands could be quite dangerous. However, many corporates will deploy desktop PCs without CD drives, whereas you can't deploy a PC these days without USB ports.
It will definitely lead to the point where some companies decide to disable USB altogether or, if possible, only the USB mass storage functionality. When that happens I foresee some ..... interesting.... discussions because, as I mentioned, they are very useful devices....
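As an added example (not from the original post or from joatBlog), here is a Python check for the Linux side of that mass storage lockdown. It is worth having because the obvious configuration is the wrong one: a `blacklist usb-storage` line in modprobe.d only stops the module being loaded automatically for a plugged-in device, and it can still be loaded by name or as a dependency of another module, whereas `install usb-storage /bin/false` (or `/bin/true`) makes modprobe run a no-op instead of loading it. Note that this only addresses the data-leakage side; stopping someone booting from a USB stick is a matter of BIOS boot order and a BIOS password, not of the installed OS. The sample configurations are constructed.

```python
MODULE = "usb-storage"
NOOP_COMMANDS = {"/bin/false", "/bin/true"}


def _canonical(name):
    """modprobe treats '-' and '_' in module names as equivalent."""
    return name.strip().replace("_", "-")


def parse_modprobe_conf(text):
    """Yield (directive, rest) for each effective line of a modprobe.d file.

    Handles '#' comment lines and backslash line continuations the way modprobe does.
    """
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if not line:
            continue
        directive, _, rest = line.partition(" ")
        yield directive, rest.strip()


def usb_storage_policy(text):
    """Classify what a modprobe.d configuration does to usb-storage.

    'blocked'       - an install override replaces the load with a no-op, so neither
                      device autoload nor an explicit 'modprobe usb-storage' succeeds.
    'autoload-only' - only blacklisted: autoload by device alias is suppressed, but the
                      module still loads by name or as a dependency of another module.
    'allowed'       - nothing restricts it.
    """
    blacklisted = install_noop = False
    for directive, rest in parse_modprobe_conf(text):
        if directive == "blacklist" and _canonical(rest) == MODULE:
            blacklisted = True
        elif directive == "install":
            module, _, command = rest.partition(" ")
            if _canonical(module) == MODULE and command.strip() in NOOP_COMMANDS:
                install_noop = True
    if install_noop:
        return "blocked"
    return "autoload-only" if blacklisted else "allowed"


# Constructed sample configurations, as they might appear in /etc/modprobe.d/.
WEAK_CONF = """\
# Looks like a lockdown but only suppresses autoload.
blacklist usb-storage
"""

STRONG_CONF = """\
blacklist usb-storage
install usb-storage /bin/false
"""

UNRELATED_CONF = "options snd-hda-intel model=auto\n"


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("strong", STRONG_CONF), ("unrelated", UNRELATED_CONF)):
        print(label, usb_storage_policy(conf))
```

On Windows the equivalent knob is the Start value of the USBSTOR service under HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR, where 4 means the driver is disabled; the same caveat applies, since it does nothing about booting from the device.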

Security Tutorials at NANOG

NANOG Security Curriculum
Got a link from rootsecure to this nice list of security tutorials and presentations, written from an ISP's point of view...

Buffer Overflow Tutorial

Saw this link to an interesting tutorial today over at Infosecwriters.com
... useful if you're interested in buffer overflows, or potentially if you need to explain more about them to programming staff...