Saturday, 27 November 2010

Police to ask Nominet to close 'criminal' domains

This is of concern to me.

While it is right, proper and for the common good for criminal sites to be removed, there is a danger that 'grey' area websites will fall foul of this law.

For example, if a website is set up to provide hacking tutorials, discussions and tools to the community, it might be deemed by the police that the site is 'criminal' and its registration removed without any recourse for the owner. It is conceivable that such a site, while possibly frequented by criminal hackers, could also be a hugely useful resource for ethical hackers and security professionals.

There are plenty of other sites that could be described as 'dual purpose' to one degree or another, and having the police decide which remain and which go suggests the principle of 'Innocent until proven guilty' is all but dead.

Wednesday, 24 November 2010

New Windows 0day vulnerability

All Windows XP/Vista/7 32-bit and 64-bit systems are vulnerable to a new 0day attack.

The vulnerability does not have any known exploits but it will only be a matter of time before they are seen in the wild.

The vulnerability centres on the win32k.sys NtGdiEnableEUDC API, which does not validate some inputs correctly, allowing it to be exploited via a stack overflow. The result is that an attacker can cause their malicious code to be executed with kernel mode privileges. This means that even if the malicious code is run by an account with restricted privileges, the resultant code would be executed with the highest privileges, bypassing the need for confirmation via UAC in Vista and Windows 7.

The vulnerability is not remotely exploitable but it would be susceptible to standard delivery methods such as email, drive-by and, more recently, USB infection.

Sunday, 21 November 2010

Security Awareness Training

An interesting article here:,294698,sid14_gci1523943,00.html?track=sy160

I was very pleased to see that Tony Neate was highlighting the virtues of providing security awareness training to help organisational users improve their own, personal online security. I have been using this strategy for several years now and I have found attendance is improved and audiences are more attentive and retain more information.
The only section of the organisation I have found to be resistant to security awareness training tends to be the IT support section but since I work closely with them, I am given the opportunity to point out where they are breaching security and why it is a Bad Idea. I think they hate me.

Saturday, 20 November 2010

52 percent of firms have no IT security guidelines for staff

OK, the headline is misleading: the UK survey, carried out by AVG, suggests that 52% of 'Small Firms' have no security policy for their staff.
That's still disappointing, although not surprising.
It's disappointing as it takes very little effort to produce a basic policy document, without which the employees of the organisation are pretty much given free rein to take whatever actions they see fit. This may engender a culture of achieving the organisational goals but it exposes the organisation to risks of software piracy, copyright infringements and malware. When users of a system are given such freedom, it is often the organisation that is held accountable (and liable) when the proverbial hits the fan.
There is a very high chance that some of these organisations are processing personal information, which makes this even more worrisome. Data Protection Act, anyone?

Adobe Reader X

Finally, and after some long wait, Adobe have announced Adobe Reader X.
Only available for Windows at the time of writing, the new version of this heavily exploited software has sandbox functionality, thus greatly reducing the possibility of malware being delivered via PDF documents.

I have noticed a worrying trend among many organisations to ensure all their Microsoft estate is fully patched and up to date via WSUS or a similar mechanism, while other software, of which Adobe Reader is probably the most widespread, is largely ignored.