Infosecpedia

I ran across an interesting-looking wiki-based information security encyclopedia today at securitygroup.org.

Root Cause Analysis in penetration testing

One thing I've noticed when the subject of penetration testing is raised is that the goal is commonly seen as finding a vulnerability in a system and exploiting it. This is seen as a successful penetration test.
But the question I think really matters is: why was that vulnerability there in the first place? Say, for example, that a penetration test finds that a web server has default scripts left on it. The main value of that finding is in discovering why that was the case. Was it because the company's default build has that vulnerability? Was the server that was tested built manually as a one-off? The main benefit for the company is in realising where its procedures or policies need to be amended to make sure that the vulnerability does not occur again, rather than a report which says "yep, that server was vulnerable"...

Good presentation on Password Strength

I came across an interesting article on nist.gov which goes into some detail on the strength of various passwords in bits of entropy per character, amongst other things. One point that interested me was that in most of the projections the marginal gain in entropy decreased as the password length increased, so going from, say, 4 characters to 5 characters would gain you more entropy than going from 29 to 30.
Of course that assumes you're not using totally random strings for passwords, but then who does that (apart from people with extremely good memories, of course....!)
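An added example (not code from the post or from NIST) that puts numbers on this: it encodes the per-position entropy estimate for user-chosen passwords from NIST SP 800-63 Appendix A, which I assume is the nist.gov article meant (the appendix's bonuses for composition rules and dictionary checks are left out), beside the entropy of a uniformly random password, so the shrinking marginal gain can be compared directly.

```python
import math


def nist_user_chosen_entropy(length: int) -> float:
    """Estimated entropy in bits of a user-chosen password of the given
    length, using the per-position heuristic of NIST SP 800-63 Appendix A
    (assumed here; composition and dictionary bonuses omitted):
    first character 4 bits, characters 2-8 2 bits each,
    characters 9-20 1.5 bits each, characters 21 and up 1 bit each."""
    bits = 0.0
    for position in range(1, length + 1):
        if position == 1:
            bits += 4.0
        elif position <= 8:
            bits += 2.0
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1.0
    return bits


def random_password_entropy(length: int, alphabet_size: int = 94) -> float:
    """Entropy of a uniformly random password: every character adds the
    same log2(alphabet) bits, so there is no diminishing return.
    94 is the number of printable ASCII characters excluding space."""
    return length * math.log2(alphabet_size)


def marginal_gain(estimator, length: int) -> float:
    """Extra bits gained by extending a password from length to length+1."""
    return estimator(length + 1) - estimator(length)


if __name__ == "__main__":
    for n in (4, 8, 20, 29):
        print(f"{n}->{n + 1}: user-chosen +{marginal_gain(nist_user_chosen_entropy, n):.1f} bits,"
              f" random +{marginal_gain(random_password_entropy, n):.2f} bits")
```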

Analogies in the Security World

One thing that occurred to me recently when reading a security mailing list is the extent to which analogies to the physical world tend to be drawn as soon as the subject of computer crime starts being discussed. For example, whenever a discussion of the legality of port scanning starts you can generally expect to see people comparing it to "rattling the doors on a house".
It seems to me that this is a good indication of the lack of laws regarding Internet/computer crime: as people can't definitively say whether something is or is not illegal, they are forced to draw analogies, which are unlikely ever to be 100% accurate.

SSL phishing Article

I read an interesting article on phishing last week over at netcraft which seems to show that it is possible for a phisher to create an SSL session and display the familiar padlock icon without having a valid certificate..... However, I've since seen some disagreement about whether the "plain text" SSL method would work in that way; one such response is at rtfm.com.
So it remains to be seen if this is actually a problem. If it is, it will be a blow to a lot of the advice handed out by banks on this subject, as it's usually accepted that the best way of telling whether you are at the correct site is to examine the certificate.
However, whilst it may be the best way in a browser situation, I am not sure it is a good way. It relies on users understanding domain names to a limited extent, so as to realise that a certificate issued to www.mybank.com is NOT the same as one issued to www.my-bank.com, which is a pretty hard point to get across to non-technical users.
There are ways, however, that banks and other institutions can make this kind of attack more difficult to execute. One option is to use a two-stage login procedure and provide feedback after the first page; if the user doesn't see that feedback, they would know that something was not right.
So, for example, the bank asks for login name/password. Once the user enters that, he gets a screen saying something like "welcome back Mr Jones, the first line of your address is 1 Acacia Avenue" and is asked for a second authenticator...

Software security Books

Looks like there are a couple of very interesting new books out if you're interested in software security...
The Shellcoder's Handbook: Discovering and Exploiting Security Holes
and
Exploiting Software: How to Break Code
I wonder if this is the start of a trend along the lines of all the network security related books of the Hacking Exposed genre...
One good thing that may come out of this is that it will hopefully lessen the number of times the argument "no-one in my company would know how to do this" is used, with regard to application hacking, to stop companies from spending on internal application security.
Anyway, definitely two for my bookshelf.

Listing of Microsoft Hotfixes by Product

Saw an interesting link mentioned on a patch management mailing list which gives a listing of Microsoft Security Bulletins by product, here.

Welcome

Well, after being subscribed to bloglines and reading a large number of excellent blogs on the subjects of security and IT, I decided to give it a shot. Also, I'm hoping this will give me a way of keeping track of all the interesting documents and URLs I come across in my wanderings.....