Security

Shared computer toolkit from MS

Microsoft have released a beta of the Shared Computer Toolkit for Windows XP, which is suitable for computers in shared-access settings such as libraries. It has features such as resetting the boot partition back to the administrator-saved configuration each time the machine is rebooted (unless the administrator specifies that changes should be saved), Windows restrictions, policies etc. Looks like it could be handy (although I’d need another machine to try this out on). The local library had a copy of LimeWire installed on their desktop machine the other day that managed to persist after a reboot. Seeing as this machine is *meant* to be locked down, I’d like to know how that managed to get installed on it.

AntiLeeching.

I’ve stopped (hopefully) people using my bandwidth to host their forum signatures by preventing hotlinking on this site. Hopefully that will reduce the number of people requesting images without breaking anything else on the site. If you spot anything that is wrong then please let me know!
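An added example (not the configuration actually used on this site, which the post does not show) of the Referer check that anti-hotlinking rules implement, including the two edge cases that decide whether it breaks real visitors: a blank Referer is allowed, and the allowed hosts are matched exactly rather than by substring. `ALLOWED_HOSTS` and the sample requests are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit

# Hostnames allowed to embed this site's images (constructed; the post does not name the site).
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def referer_host(referer: Optional[str]) -> Optional[str]:
    """Hostname from a Referer header (lowercased, port stripped), or None if blank/unparseable."""
    if not referer:
        return None
    try:
        return urlsplit(referer).hostname  # .hostname is already lowercased and has no port
    except ValueError:
        return None


def hotlink_decision(referer: Optional[str], allow_blank: bool = True) -> str:
    """Return 'allow' or 'deny' for an image request carrying the given Referer header."""
    host = referer_host(referer)
    if host is None:
        # Blank Referer: direct visits, bookmarks, privacy extensions, some proxies.
        # Denying these cuts off real visitors, so allow unless the operator opts out.
        return "allow" if allow_blank else "deny"
    # Exact set membership, not a substring test: "example.com.evil.example" must not pass.
    return "allow" if host in ALLOWED_HOSTS else "deny"


# Constructed sample requests: (Referer header value, description)
SAMPLE_REQUESTS = [
    ("https://www.example.com/gallery.html", "own page"),
    ("", "direct visit, no Referer"),
    ("http://forum.example.net/viewtopic.php?t=42", "forum signature hotlink"),
    ("https://EXAMPLE.COM:443/page", "own site, odd case and explicit port"),
    ("https://example.com.evil.example/", "lookalike host"),
]


def decide_all(requests=SAMPLE_REQUESTS):
    """Apply the policy to each sample request; returns [(description, decision), ...]."""
    return [(desc, hotlink_decision(ref)) for ref, desc in requests]


if __name__ == "__main__":
    for desc, decision in decide_all():
        print(f"{decision:5} {desc}")
```

Because the client chooses what Referer to send, this only discourages casual embedding and saves bandwidth; it is not an access control for the images.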

xetrade

I was looking at xetrade (online currency conversion from GB pounds to US dollars) and there are a few security issues I’m not happy about. Looking at Loosewire’s post on phishing, they have the same issues – they will ring you back to confirm some bank details (which could be open to interception/spoofing).
They then have some more worrying security issues.

  1. They require you to fax or email copies of your passport/social security number/birth certificate to an email address (which is stored on an Exchange public folder). The fact that email is not secure is drummed into people, yet they are using this method of communication to verify data. Surely a secure upload facility should be enabled on the website (the rest of the login procedure is SSL encrypted).
  2. Their SSL certificate expires in 3 days’ time – this makes me nervous.
  3. The “contact us if you have any security questions” link at https://www.xe.com/fx/background.htm is broken: it tells you to inform the webmaster but doesn’t have a link to the webmaster for this site (it assumes the referring link comes from another site).

I’ve put these questions in an email to xetrade – will be interesting to see what they say.
Update
xetrade’s reply, answering all the questions I posed (phew!):

1) We do offer a secure upload service which can be found at:

https://www.xe.com/sft/

As you can see from the address (https) this is located on our secure server and will upload the files directly to our system with no public exposure.

2) The security certificate has of course been renewed and is already on our server. However, in order to complete the process we need to re-start the web server which is something we do not like to do without preparation. For your information, the new certificate should be uploaded within the next 24 hours, and most likely some time later this afternoon. Please feel free to check back at any stage to see the new certificate.

I have reported the broken link and this has now been updated. We are very careful to ensure that all of our links work correctly and I am very sorry that this link was broken. Thank you for bringing this to our attention.

3) We do understand this concern. Generally, we initiate the call to you using the supplied telephone numbers which helps us to ensure we are dealing with the person who signed up for the account. Once we have initiated the call and spoken to you, we are happy for you to call back to us to continue the conversation on our contact numbers in order for you to cross reference and check that the person you are speaking to is part of our organization.

Once again, we do fully understand your concerns, Andy, and are happy to work with you as necessary so that you are confident you are dealing with the correct people. We must however do this from within the frameworks that we are provided to ensure that we are not helping clients to launder money or fund terrorism.

I hope that this helps answer your questions but if you require anything else do not hesitate to contact us.
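The expiring-certificate point raised in item 2 above is the kind of thing worth checking automatically rather than by eye. As an added example (not code from xetrade or from this blog), a Python check that parses the `notAfter` string in the form `ssl.getpeercert()` returns it and flags certificates that are expired or inside a warning window; the dates and the 14-day threshold are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Tuple

WARN_DAYS = 14  # assumed policy: start nagging two weeks before expiry


def parse_cert_time(not_after: str) -> float:
    """Epoch seconds for a getpeercert() notAfter value such as 'Jun  5 12:00:00 2025 GMT'."""
    return ssl.cert_time_to_seconds(not_after)


def days_left(not_after: str, now_ts: float) -> int:
    """Whole days from now_ts until notAfter; negative once the certificate has expired."""
    return int((parse_cert_time(not_after) - now_ts) // 86400)


def expiry_status(not_after: str, now_ts: float, warn_days: int = WARN_DAYS) -> str:
    """'expired', 'expiring' (within warn_days) or 'ok'."""
    remaining = days_left(not_after, now_ts)
    if remaining < 0:
        return "expired"
    if remaining <= warn_days:
        return "expiring"
    return "ok"


def check_host(host: str, port: int = 443) -> Tuple[str, int]:
    """Live check (needs network): fetch the server's leaf certificate and report on it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]
    now = datetime.now(timezone.utc).timestamp()
    return expiry_status(not_after, now), days_left(not_after, now)


if __name__ == "__main__":
    # Constructed dates reproducing the post: a certificate three days from expiry.
    now = parse_cert_time("Jun  2 12:00:00 2025 GMT")
    print(expiry_status("Jun  5 12:00:00 2025 GMT", now), days_left("Jun  5 12:00:00 2025 GMT", now))
```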

Information Improvisation

Before deciding to work at home, one should be well aware of certain home business facts. Not every home business opportunity is bound to succeed, and working from home does not always mean huge bucks. Just like other business opportunities, there is a fifty-fifty risk involved.

Whoppix security boot disk

Whoppix is a customised Knoppix boot CD for security testing (and hacking), and the main website also has some very good video tutorials on how to use some of the tools. One of them shows how to crack WEP in 10 minutes (although the WEP key they crack is a 64-bit one, and if you are using WEP then you *are* using a longer key, aren’t you?). As an aside, my Firefox seems to hang at the end of the Camtasia show, but it does eventually get back to my control.
Security Forest also has some information.

Microsoft Digital Blackbelt webcast

I sat through the social engineering webcast from the Digital Blackbelt website, which had some interesting ideas about how successful social engineering hacks can be. I had actually read/heard about most of them from various sites, but it did have some good ideas. (Google Hacking for Penetration Testers is a great source for things like this and a very interesting read. Written by Johnny-I-Hack-Stuff.)
The weird thing is that it was aimed at developers, but none of the things discussed were really aimed at developer accounts, more at physical security, passwords etc. I was really expecting things on how to code to avoid possible social engineering attempts – such as, when providing “forgotten password” functions on the page, don’t insist that users have to use your secret questions, as mothers’ maiden names are often not actually that secret. (I’m the Andy that gets quoted at the end of the talk (twice).)
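As an added illustration of that last point (example code, not anything from the webcast or the book), a forgotten-password flow that does not rest on a guessable secret answer: a high-entropy single-use token is e-mailed to the account holder, stored only as a hash, tied to the account server-side, and expires. The in-memory store and `TOKEN_TTL` are constructed stand-ins for a database table and a site policy.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy)

# Stand-in for a database table: sha256(token) -> (user_id, expires_at).
# Only the hash is stored, so a copied table does not yield usable reset links.
_pending: Dict[str, Tuple[str, float]] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user_id: str, now: float) -> str:
    """Create a reset token for user_id and return the raw value to put in the e-mailed link."""
    token = secrets.token_urlsafe(32)  # 256 random bits; a maiden name has a few thousand candidates
    _pending[_digest(token)] = (user_id, now + TOKEN_TTL)
    return token


def redeem_reset_token(token: str, now: float) -> Optional[str]:
    """Return the user_id bound to a valid, unexpired token, else None.

    The token is consumed on first presentation whatever the outcome, and the
    account comes from the stored record, never from a field the requester supplies.
    """
    entry = _pending.pop(_digest(token), None)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None
    return user_id


if __name__ == "__main__":
    t0 = 1_000_000.0
    link_token = issue_reset_token("alice", t0)
    print(redeem_reset_token(link_token, t0 + 60))  # alice
    print(redeem_reset_token(link_token, t0 + 60))  # None: already used
```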

My site contains porn?

Don’t get shocked or excited! I went to look at my site at the library yesterday and found that it was blocked. This is the first time that I am aware of that my site has been picked up and classified by a filtering engine. Apparently it was blocked because it is on a server that hosts pornography or free sites. I know for a fact that it doesn’t host free pages, and there may be some sites on the server that have adult content. However, blocking by IP address seems pretty drastic, as using the IP address to get to the server fails anyway: the server relies on the host headers to direct you to the appropriate virtual server/directory on the machine, so instead you get a “no website exists at this site” message.
I’ve contacted the library and SecureComputing.com, who make the filter, to see if I can be removed. (The library assistant didn’t have the correct password to temporarily override the filter when I asked.)