Related link: http://www.securityfocus.com/archive/1/358914/2004-03-27/2004-04-02/2
As reported in this bugtraq post “IE has birthed us the first zero day worm.” Admittedly, the impact of this malware is tiny, but it is still interesting that the worm uses the flaw that has no patch available from Microsoft at the time of the worm release. Of course, purists might disagree that it is not a true “zero day”, since the vulnerability itself was known for some time (weeks), but the lack of a patch makes it at least “the most zero day” of all the publicly known worms…
Related link: http://www.infoworld.com/article/04/03/12/11FEidstips_1.html
This little insightful article has some of the greatest network IDS and IPS tips I’ve seen in a long time. It also presents them in a nice vendor-neutral kind of way. In addition, it covers some of the good use cases for a network IPS, such as perimeter protection and a small number of critical networks. I was also very happy to see the requirement for the correlation technology in addition to the NIDS and NIPS.
The paper reads especially well together with
my article on IDS mistakes.
Related link: http://ptech.wsj.com/archive/ptech-20040311.html
These two articles show a radical and fun difference of opinion on the controversial subject of “who to blame for security problems?”. Vendor should take care of it, says the WSJ article and goes on to say “They [i.e. technology vendors] would rather dump the security mess in the laps of users than solve it at the level where a solution really belongs: in the operating system, or the hardware, or the online provider’s servers.” Users can’t blame the vendors, says CW article, the users are the ones ultimately responsible. The customer “was going to be held responsible for the failure of its vendor” in a recent law suit.
I’d love to have the following poll for as broad an audience as possible:
Who is to blame for current security problems?
- Technology users
- Technology vendors
- Malicious hackers
- Somebody else
Anybody want to host it?
Related link: http://infosecwriters.com/
Here is a cool relatively little known infosecurity website, that is worth bookmarking. I think it deserves much higher profile than it currently gets. The site has lots of fun infosec technical content (there are even security writing contests with prizes there), book reviews and a newsletter. It also links to many currently running security games and challenges (including my current Honeynet Project Challenge).
Related link: http://www.newsforge.com/article.pl?sid=04/02/28/0130209
Robin Miller (Roblimo) has posted a great interview with Andrew D. Kirch, security administrator, Abusive Hosts Blocking List (AHBL). AHBL provides typical DNS blackhole services– it’s actually a replacement for the Summit BL– and they’re developing some other interesting services as well.
Kirch has spent some time on IRC, monitoring the activities of various blackhat channels and script kiddies. Though most of his revelations will come of no surprise to the security community, it’s nice to see coverage with this level of detail, rather than the typical misinterpretations that ensue when other outlets cover this topic.
I would like to see Miller post the full text of the interview and conduct some follow-up with Kirch, or others, though what he provides is an excellent start.
Post links to similar coverage, or your own anecdotes.
Related link: http://jeremy.zawodny.com/blog/archives/001683.html
…Jeremy Zawodny would be at the top of a short list. Once again, he speaks for the silent majority. That’s just my opinion.
Do you feel like your views as an open source user, developer, or fan are often misrepresented?
Related link: http://www.computerworld.com/securitytopics/security/hacking/story/0,10801,90447…
This paper seeks to provide guidance on “how to protect your company from ‘zero-day’ exploits”. It is a fun read, althought I am not entirely convinced that Network Intrusion Prevention Systems (NIPS) can help here. Definitely, good security practices will help.Maybe host-based kernel-level prevention systems can do some of it. However, trying to make an automated blocking decision without the sufficient information (always the case for the 0days) seems very tough. I wonder how this and other vendors are really doing it.
Related link: http://www.honeynet.org/scans/scan30
Honeynet Project Scan of the Month Challenges are back with a vengeance! They are a great chance to test your intrusion analysis skills using the provided attack and intrusion data from the live honeypot, run by the Project members.
Today Honeynet Project announces a new type of challenge: an Analysis Challenge. Scan of the Month #30 offers you an opportunity to draw your own conclusions from a massive pool of honeynet firewall log data (and even earn a prize in the process). Questions to guide your creativity in the analysis process are provided as well.