Stories For Discussion
1) Fixing Code To Allow Virues to Run? - "Linus Torvalds has recently patched the Linux kernel to fix a small bug that was revealed during the testing of a proof-of-concept cross platform virus."
2) Ars Technica - One New York county has solved the "problem" of unauthorized access to unsecured wireless networks by passing a new law. Businesses operating in Westchester County will soon need to turn on security settings for their WiFi networks if they are used to access financial information for their customers. Check out the Security Catalyst 27 (Wireless Law!, Compliance Advice, Your top 5?).
3) A mailing list that will remain unamed has some interesting points about Password security and the defense of Account lockouts, specifically related to DOS attacks by locking people out of their accounts.
1. Account lockouts are an anachonism. They were there in the old days when sysadmins had no way to detect password enumeration attacks or the sysadmin was just plain lazy and didn't monitor the logs. I believe a DOS attack on accounts is more severe than a password enumeration attack.
a. good password strength policies reduce the possibility of a successful enumeration attack. Even the dreaded password aging feature can help here. [Pauldotcom - users don't choose good passwords, period.] b. The automated attacks we see here could lock out thousands of accounts in a short period of time and do so repeatedly. [Pauldotcom - What benefit is that to the attacker other than to cause a DoS that would alert the admins? I've seen this happen, but certainly I don't believe it was intentional] c. Every login failure generates a record of some sort and if you have a syslog or eventlog scanner that monitors the logs for such failures and notifies you, then you know you're under attack and can adjust your defenses. [Pauldotcom - I don't know about you, but I don't want to work weekends and nights responding to brute force attempts!] d. If a site uses account lockouts, they have to adjust the numbers to avoid a DOS attack from impacting their operations. This seems to defeat the purpose of the lockout. [Pauldotcom - Even a lockout with generous timing makes it a thousand times harder to brute force] e. Does setting the lockout period to a short period of time actually prevent anything? Is it smoke and mirrors?
[Pauldotcom - The best thing I can find when pen testing a site are organizations who don't use an account lockout. I setup hydra with a custom dictionary in the begining of the test and let it run until my time is up. Sometimes I am successful and this could have been prevented with a simple account lockout]
4) - M$ Password Checker - Maybe we should remind our users that it's a BAD idea to possible give out your passwords on the interweb. This point is driven home in the ISC post, but may be worth mentioning. Maybe we could suggest an alternative? Maybe there is an alternative that people could download and run localy for themselves or their Corporations/Institutions. [Andy - I thought this is somewhat recycled news, but can spark a debate on a topic I know we cover in security basics] [Pauldotcom - This is the worst password checker ever, defeats the purpose]
5) - ISC.sans.org - Multiple vulnerabilities have been reported in Apple Mac OS X and applications. Proof of Concept code has already been posted along with the information regarding the vulnerabilities. At this time no patches or workarounds appear to be available for the majority of the vulnerabilities. The impact is Denial of Service or arbitrary code executed remotely, and severity is highly critical. [Nick - I will hold back the laughter on this one :-P ] [Pauldotcom - What, Linux never had any vulnerabilities? And NO ONE can talk when it comes to browser vulnerabilities, because they all have them, and lots of them. Safari is no different. Oh btw, check out these kernel vulnerabilities http://www.securityfocus.com/bid/17587 and http://www.securityfocus.com/bid/17593. Hey twitchy, are you done compiliing your kernel yet? How about now?]
Other Stories Of Interest
- CIOUpdate.com - The biggest bank heist in history was successful via hardware keystroke loggers. Does anyone consider this a threat to security? All the encryption and firewalls in the world can be foiled by a single device the size of my thumb and its available at ThinkGeek.com. [PaulDotCom - Why two stories about bank hacking? Pick one, then let it segway into the other maybe] [Nick - Spend millions on securing your network and worrying about threats on the outside only to be foiled by a simple hardware keystroke logger on the inside. Something to think about. Lets ask how others have delt with this as well as suggestions. ]
Hacker Con Videos - Tons of em'! Go check them out!
securewebbank.com - A list of banks and the web security they offer. How does your bank rate? The first national bank of Twitchy offers two-factor bio authentication just to pee in the bathroom. [Nick Always make sure that little golden lock shows up at the bottom right of your browser to make sure your always encrypted, Never bank online when using wireless.. EVER! As we all know and have shown you could be in a man in the middle or someone could just be sniffing the traffic, Switch banks!]
Malware: To Go! - I'll take my malware to go please...