PCI App Security, Kraken Hackback Ethical Dilemma, and MS Forensics

I realize that I've been a bit light on infosec subjects lately, so thought that I'd better get back on topic. :) There are three bits out today that I've found particularly interesting.

First, more information has been released by the Payment Card Industry regarding their DSS 6.6 requirement on application security. It's a very insightful read and should help calm the nerves of those doing compliance.

Second, TippingPoint has broken into the Kraken botnet, to the tune of potentially controlling 25,000+ compromised hosts. They're now debating the ethics of using the infection to clean and secure the infected hosts. This issue is not nearly as simple as some might imagine. For one thing, to do so could be illegal. For another, who knows how much liability could be involved, especially when considering the law of unintended consequences.

Third, it's been disclosed that Microsoft has been providing law enforcement with free USB pendrive toolkits for forensics response purposes. It's not clear what all is on these devices, though one might assume many of the SysInternals tools are included (MS bought them a while back). Some have raised questions about the quality of evidence collected using these tools, since many of us doubt that write protection is enabled, etc. These devices appear to be designed for live response and require physical access to the box. I am curious about how they're bypassing the login screen, where they're capturing data to (is MS playing custodian for network-based data capture?), and what toys they've included. Hopefully there aren't any secret backdoors that will be subsequently exploited. :(

About

This page contains a single entry from the blog posted on April 29, 2008 6:11 PM.

Creative Commons License
This weblog is licensed under a Creative Commons License.