Many DNS Servers Still Vulnerable To Attack - InfoSec News: Many DNS Servers Still Vulnerable To Attack: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=212001592

By Tim Wilson
DarkReading
Nov 10, 2008

More than six months after the discovery of security flaws in the
Internet's core addressing system, many Domain Name System (DNS) servers [...] [InfoSec News Mailing List]

Microsoft publishes great technical information - Microsoft publishes great technical information [IBM Internet Security Systems Frequency X Blog]

It hasn't been common in the past to see anyone give Microsoft kudos in the area of information security, so it is very interesting to see blogs like this. I've had the pleasure of seeing some of the benefit of the massive cultural shift at Microsoft in the last 5 years or so, and I'm pretty excited to have had the opportunity to see the change that "Trusted Computing" has brought.

IDG says "Once thought safe, WPA Wi-Fi encryption is cracked"... its not quite that simple, but this is important news anyway.

Once thought safe, WPA Wi-Fi encryption is cracked - InfoSec News: Once thought safe, WPA Wi-Fi encryption is cracked: http://www.networkworld.com/news/2008/110608-once-thought-safe-wpa-wi-fi.html

By Robert McMillan
IDG News Service
11/06/2008

Security researchers say they've developed a way to partially crack the
Wi-Fi Protected Access (WPA) encryption standard used to protect data on
many wireless networks. [...] [InfoSec News Mailing List]

It has been an interesting last few weeks, or at least potentially interesting since Dan Kaminsky's DNS bombshell this summer. I think, strife and frustration aside, things went well in terms of how he chose to deal with the issue. I've seen similar opportunities go... less well.

I have enabled OpenID logins for the site, so that authentication is much more secure that it has been. One of the downsides of the hosting arrangement for securedaemon.net is that I do not currently have access to SSL.

For details around how OpenID works with Drupal, check out:
http://drupal.org/node/310977

There are a number of OpenID providers that you can choose from:
http://openid.net/get/

Boston Court's Meddling With 'Full Disclosure' Is Unwelcome -

In eerily similar cases in the Netherlands and the United States, courts have recently grappled with the computer-security norm of "full disclosure," asking whether researchers should be permitted to disclose details of a fare-card vulnerability that allows people to ride the subway for free.

Although Dan Kaminsky's DNS research got most of the pre-show attention relating to Black Hat this year, some other research is raising a bit of concern post-show. The amount of concern and noise level around Mark Dowd and Alex Sotirov's research (Impressing Girls with Vista Memory Protection Bypasses) varies significantly depending on which opinions you read.

Dan Kaminsky delivered his presentation today at Black Hat in Las Vegas. He provided some commentary on a number of ways to exploit flaws in unpatched recursive DNS resolvers, including impact to SSL sites.

framework3/trunk/modules/auxiliary/spoof/dns/baliwicked_host.rb

If you aren't sure what that is, then read on.

Details of DNS Flaw Leaked; Exploit Expected by End of Today -

Despite Dan Kaminsky's efforts to keep a lid on the details of the critical DNS vulnerability he found, someone at the security firm Matasano leaked the information on its blog yesterday, then quickly pulled the post down. But not before others had grabbed the information and reposted it elsewhere, leading Kaminsky to post an urgent 0-day message on his blog reading, "Patch. Today. Now. Yes, stay late."

Hackers are furiously working on an exploit to attack the vulnerability. HD Moore, creator of the Metasploit tool, says one should be available by the end of the day.

[Wired: Threat Level]