The Symantec Security Response weblog has a good entry today on DNS security. It's worth reading. The problem I see is that it's short on solutions. Sure, it's a nice observation that SSL will warn you, but what else can you do?
I appreciate that they didn’t go with the “use OpenDNS” knee-jerk response that I see a lot. Depending on your ISP, the OpenDNS servers may be more secure. But if you’re a large company, you want your ISP to be certified and accredited. That may be easier to force your ISP to obtain (you’re paying them a lot of money after all). As the article states, the DNS response is still vulnerable to spoofing.
There were a couple of points not covered by the article.
1. What if you get infected and the infection changes your DNS server settings? Will you catch that?
2. DNSSEC, if it were ever implemented, would provide some protection. I would have been interested in the author’s take on that.
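One way to catch the first point, a changed DNS server setting, is to compare each adapter's resolvers against an approved list. This is an added example, not part of the original post; the approved addresses and the sample `ipconfig /all` output are constructed.

```python
import ipaddress
import re

# Approved resolvers (assumed site values, not from the post).
APPROVED = {ipaddress.ip_address(a) for a in ("10.0.0.53", "10.0.1.53")}

# Constructed sample of `ipconfig /all` output; the second adapter was altered.
SAMPLE = """\
Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 10.0.4.21
   DNS Servers . . . . . . . . . . . : 10.0.0.53
                                       10.0.1.53

Ethernet adapter Wireless Network Connection:

   DNS Servers . . . . . . . . . . . : 203.0.113.66
                                       10.0.0.53
   Primary WINS Server . . . . . . . : 10.0.0.9
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)\s*$")
CONT_RE = re.compile(r"^\s{10,}(\S+)\s*$")  # extra servers: address-only lines

def parse_dns_servers(text):
    """Map each adapter name to the DNS server addresses listed under it."""
    servers, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter, in_dns = m.group(1), False
            servers[adapter] = []
            continue
        m = DNS_RE.match(line) or (CONT_RE.match(line) if in_dns else None)
        in_dns = bool(m) and adapter is not None
        if in_dns:
            try:  # drop an IPv6 zone id such as %1 before parsing
                servers[adapter].append(ipaddress.ip_address(m.group(1).split("%")[0]))
            except ValueError:
                in_dns = False
    return servers

def unapproved_resolvers(text, approved=APPROVED):
    """Return (adapter, address) pairs for resolvers outside the approved set."""
    return [(name, str(ip)) for name, ips in parse_dns_servers(text).items()
            for ip in ips if ip not in approved]

if __name__ == "__main__":
    for name, ip in unapproved_resolvers(SAMPLE):
        print(f"ALERT: {name} uses unapproved DNS server {ip}")
```

Run on a schedule against fresh `ipconfig /all` output, this flags any adapter whose resolver list drifts from the approved set, including a change to only the primary server.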
Archive for October 2007
DNS Security
McAfee buys Safeboot
This is interesting, McAfee has purchased Safeboot for $350 million.
Safeboot seems to be the name I hear most when talking to people at other companies about what FDE products they use. I wonder if ePO will be extended to manage this software in the next few years. That would be pretty cool. I found Safeboot to be rather buggy in my eval. But it seems similar problems occur in any FDE product.
That McAfee would make this purchase shows that they think this will continue to be a big market. One wonders what other companies may be on the market.
It takes a thief
Russell Shaw, blogging on the front page of ZDNet, finds it hard to believe that someone who hasn’t been on the Internet can be on a jury that finds someone guilty of illegally using Kazaa to share copyright-protected material.
I don’t know if Russell is starting with the default assumption that all music should be free. It certainly seems as if the anti-RIAA forces believe that at their heart. I do kind of wonder if he extends that thinking to other crimes. Should I not be allowed to be on a jury that convicts a thief unless I’ve stolen myself? I guess I just don’t feel that thieving is all that different in cyberspace. Good for them for not falling for the specious argument that “it wasn’t me, it was my insecure wireless therefore I am blameless.”
I also think it’s kind of funny that Russell thinks funeral directors are supposed to be compassionate, therefore they should give light penalties during the sentencing phase of a trial.
Blue Coat DRTR adds anti-phishing capability
Blue Coat announced today that its Dynamic Real-Time Rating (DRTR) will now categorize phishing sites on the fly in addition to pornography and gambling sites. DRTR is used to categorize previously uncategorized sites.
JAVA Updates
Sun has an update available for the Java Runtime Environment versions 1.3.1, 1.4.2, 5.0 and 6.0. When I looked at the fix list for 6, I really couldn’t tell if this update was necessary from a security perspective or not. After reviewing an article at Techworld, I’ve decided I need to get this on the update schedule.
[quote]
Although Sun does not assign threat scores or label its advisories with terms such as “critical” or “low,” Danish bug tracking vendor Secunia collectively tagged the five advisories and their 11 patches as “highly critical,” its second-highest ranking.
[/quote]
What have we learned from history
Saw this on the McAfee blog.
QuickTime Update Released
Apple released a QuickTime update tonight bringing us to 7.2.0.245.
Download Link
The patch is issued to resolve “a command injection issue exists in QuickTime’s handling of URLs in the qtnext field in QTL files.”
It would have been nice if they’d updated the file version of quicktimeplayer.exe or updated the version information in Add/Remove Programs. Now I have to either talk the SMS guys into adding QuickTime.qts to the software inventory or just go ahead and run this patch one time on anything that has QuickTime 7.2.
Why isn’t full disk encryption from manufacturers a slam dunk?
I saw a post today on the Security Basics mailing list asking “Why isn’t full disk encryption from manufacturers a slam dunk?”
I think the answer is that it is still rather new. The problem is it’s new, so some people are waiting to see if it’s defeated by attackers. Others made recent investments in software FDE. Dell just made the Seagate available in the Latitude line at the end of July. Give it some time. I expect within three years hardware FDE will be the norm.
I received a Dell Lat 830 with a Seagate Momentus 5400.2 FDE drive on Tuesday. I need to remove the software encryption the help desk loaded on there, but I should have some comments later this week.
Google Strengthens their email security for Business Customers
Ars Technica reports that Google is now giving Postini protection to its enterprise customers who use its hosted email services. That’s great, but I don’t really trust them with my data, let alone my customers’. For smaller businesses with less in-house expertise, I can see that as a good play.

