Category Archives: Security

vSphere HA and DRS Audit Script

A free script is available from Alan Renouf to check vCenter clusters for compliance with the Epping/Denneman book on HA and DRS.

This is not to be used as a replacement for the HA and DRS book; quite the opposite, it is used to complement the book and tells you which pages to look at for information within the book.

So far I have only read the first 50 pages so all the information in V1.0 of the script is related to the first 50 pages but as I read more I will add more checks and update the script.

CVE-2011-1910: BIND buffer DoS exploit

BIND is being updated under CVE-2011-1910 (CVSS Score: 7.8) due to a buffer size check error revealed over the past weekend.

A negative cache is set up by BIND to improve performance. In other words, a negative response like “NXDOMAIN” or “NODATA/NOERROR” can be saved for reference and better response time. Sending a very large set of resource records associated with a name (RRSet) in a negative response can cause an off-by-one error (OBOE) and crash named, resulting in a denial of service condition.

The nature of this vulnerability would allow remote exploit. An attacker can set up a DNSSEC signed authoritative DNS server with large RRSIG RRsets to act as the trigger. The attacker would then find ways to query an organization’s caching resolvers for non-existent names in the domain served by the bad server, getting a response that would “trigger” the vulnerability. The attacker would require access to an organization’s caching resolvers; access to the resolvers can be direct (open resolvers), through malware (using a BOTNET to query negative caches), or through driving DNS resolution (a SPAM run that has a domain in the E-mail that will cause the client to perform a lookup).

JSON Security

Interesting explanation of JSON security

If you have partial control over some of the JSON data it’s possible to steal the data by manipulating it using UTF-7

[…]

If you are pen testing JSON feeds make sure the web site in question prevents external inclusion of the data via script or, even better, recommend the site does not expose the data publicly if privacy will be compromised. Twitter solved the information disclosure problem by requiring authentication for its JSON and other feeds; consider doing the same if the data has to be exposed.
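An added example, not from the quoted post: a small audit of a JSON response from the defender's side, flagging the two conditions the post warns about (data loadable cross-site via script, and a charset the client is left to guess so UTF-7 can be sniffed). The `)]}'` prefix and the `nosniff` header are common hardening steps assumed here, and the sample responses are constructed.

```python
import json
import re

# UTF-7 shift sequences for '<' and '>' (what an injected "<script>" would start with).
UTF7_ANGLE_BRACKETS = re.compile(r"\+ADw-|\+AD4-")


def audit_json_response(headers, body):
    """Return a list of findings for a JSON response, from a defender's point of view.

    A feed is risky if it can be pulled in cross-site via <script src> (bare
    top-level array) or if the client must guess the charset (UTF-7 sniffing).
    The anti-script prefix and nosniff checks are assumed hardening steps.
    """
    findings = []
    norm = {k.lower(): v.lower() for k, v in headers.items()}
    ctype = norm.get("content-type", "")

    if "charset=" not in ctype:
        findings.append("no explicit charset: client may sniff the body as UTF-7")
    elif "charset=utf-8" not in ctype:
        findings.append("charset is not UTF-8: %s" % ctype)
    if norm.get("x-content-type-options") != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if UTF7_ANGLE_BRACKETS.search(body):
        findings.append("body contains UTF-7 encoded angle brackets (possible injection)")

    payload = body
    if body.startswith(")]}'"):  # non-executable prefix: body is not valid JavaScript
        payload = body[4:]
    try:
        top = json.loads(payload)
    except ValueError:
        findings.append("body is not valid JSON")
        return findings
    if payload is body and isinstance(top, list):
        findings.append("bare top-level array: loadable cross-site via <script src>")
    return findings


# Constructed sample responses (not from the post) to exercise the checks.
WEAK = (
    {"Content-Type": "application/json"},
    '[{"user": "alice", "note": "+ADw-script+AD4-"}]',
)
HARDENED = (
    {"Content-Type": "application/json; charset=utf-8",
     "X-Content-Type-Options": "nosniff"},
    ')]}\'\n{"data": [{"user": "alice", "note": "hi"}]}',
)

if __name__ == "__main__":
    for name, (h, b) in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_json_response(h, b) or ["ok"])
```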

Why I Remain Anonymous

I often see references to anonymous behaviour as cowardly or some other negative connotation. It is especially strange to me to see security professionals denigrate all forms of anonymous speech. Although there are risks to allowing a voice without a known identity, the risk of requiring an identity also has to be weighed.

Shoq Value gives an interesting (albeit lengthy) example of the balance.

At 10:47 (on May 29th), this email arrived, demonstrating nicely exactly why I remain anonymous. It’s because critics will always try to intimidate or silence people by any means they think are available to them.

Whereas the intimidating critics may themselves be anonymous, Shoq does not call them cowards or advocate for an end to their anonymous speech. Instead, the tool of anonymity is recognised as a double-edged sword.