Security Viewpoints
Comments, observations and tips on security, operating systems and the IT industry
Articles
Happy 20th birthday Perl
2007-12-19 03:47:00 According to perlbuzz.com and Wired News, December 18th 2007 marks the 20th anniversary of release 1.0 of Perl, my favorite programming language. These days Perl is most often thought of as the first “web programming” language. Back in 1994 or so when public access to the ...
Cheap supercomputing from your graphics card
2007-10-25 16:11:00 The folks at Russian firm ElcomSoft are making headlines this week by releasing a version of one of their brute-force password-cracking tools that uses NVIDIA graphics processing units to boost performance by 25 times. (You may recall ElcomSoft from 2001, when an employee was arrested during Defcon. He was eventually ...
CIS releases VMware ESX security guide
2007-10-23 23:29:00 The Center for Internet Security has now released guidelines for hardening hosts running VMware ESX Server 3. This supplements the more general virtual machine security guide they published in September. The ESX guidelines cover basic to intermediate techniques for hardening the ESX host and Linux-based service console, including ESX-specific guidance for ...
Multiple critical vulnerabilities in all VMware products
2007-09-20 17:37:00 VMware has announced several privilege escalation and denial of service vulnerabilities affecting every supported VMware product, including the flagship VMware ESX Server product line. Some of the issues could potentially allow users in a guest VM to execute code on the host, so these are critical problems. Interestingly, the ...
Dear developers: sign your code!
2007-09-14 02:29:00 Yesterday the domain belonging to the Bastille Linux server hardening project was taken over by a domain squatter who is demanding $10,000 to give it back. So far the squatter hasn’t done anything malicious with the web site, but how much can you trust someone whose business model ...
CIS releases virtual machine security guide
2007-09-12 13:12:00 The Center for Internet Security (CIS) has published a nice little guideline on hardening virtual machines. The guide covers security issues for both guests and hosts and applies to any virtualization product, not just VMware. CIS has created a number of guidelines for hardening popular operating systems, routers ...
Core GRASP - SQL injection prevention for PHP
2007-08-24 17:55:00 SQL injection vulnerabilities are still common in web applications. The damage done when attackers are able to send raw SQL commands through to your database is severe enough that most developers have some idea about avoiding it: using bound parameters and stored procedures rather than the usual method (building an SQL statement by ...
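The contrast between the “usual method” and bound parameters, as an added example that is not part of the original post and not Core GRASP’s code. It uses Python’s built-in sqlite3 driver and a constructed in-memory users table; the table layout, the sample users and the login functions are all assumptions made for illustration. The same distinction applies to PHP’s mysqli/PDO prepared statements.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    """The 'usual method': the statement is assembled from the raw input, so
    a quote in the input changes the SQL grammar instead of staying data."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Same lookup with bound parameters: the driver passes the input separately
    from the statement, so quotes and comment markers are never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Closing the quote and starting a comment removes the password check.
    print(login_vulnerable(db, "alice' --", "wrong"))   # alice
    print(login_safe(db, "alice' --", "wrong"))         # None
    # A classic tautology in the password field matches every row.
    print(login_vulnerable(db, "x", "' OR '1'='1"))     # alice
    print(login_safe(db, "x", "' OR '1'='1"))           # None
```

Note that the safe version does no escaping at all; it never builds SQL from the input in the first place, which is why bound parameters are preferable to any sanitising filter.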
Port scanning with Adobe Flash
2007-08-20 15:50:00 The same origin policy for web browsers is completely blown. Last year SPI Dynamics demonstrated how to trick a browser into doing a port scan of the local network using plain old JavaScript. Now researchers at the Chaos Communication Camp have demonstrated that Adobe Flash can do the same thing. ...
ClamAV bought by Snort vendor Sourcefire
2007-08-17 15:22:00 Get good results in one little bake-off and you get bought out? Sourcefire, the little company behind the open source Snort intrusion prevention system, has just acquired the open source ClamAV anti-virus project: “Sourcefire has acquired the ClamAV project and related trademarks, as well as the source code copyrights held ...
Open source ClamAV beats McAfee and Norton
2007-08-09 21:55:00 A little anti-virus “bake off” organized by security gateway vendor Untangle has found that the popular open source ClamAV has very good detection rates compared to commercial anti-virus products. In an informal test using variations of the EICAR test pattern plus 25-odd “in the wild” and community-submitted malware samples, Kaspersky scored the highest overall ...
(Unencrypted) site security confirmed!
2007-08-08 04:04:00 SSL vendors still equate encryption with “security”. Forget about hardening your e-commerce server. Don’t bother encrypting data at rest. According to the ads from SSL vendors, all you need is their 128-bit SSL certificate (preferably the new high assurance variety) … and to pay the annual fee. VPN and other crypto product vendors ...
Pwnie Award nominees are out
2007-08-01 15:56:00 The first annual Pwnie Awards have now published their list of nominees for 2007 and will be presenting the awards today at Black Hat Las Vegas. This extremely irreverent award was announced in July by security researcher Alexander Sotirov, with awards in the following categories: Best Server-Side Bug, Best Client-Side Bug, Mass 0wnage, Most Innovative Research, Lamest Vendor ...
SpamAssassin p0f plugin catches bot spam
2007-07-26 03:20:00 Most spam right now originates from compromised Windows desktop systems. Bot herders are more than happy to sell or rent a few thousand infected Windows home computers to spammers. If only there were a way for a mail server to detect when a Windows XP box is the source of ...
DNS cache poisoning made easy
2007-07-25 04:19:00 Filling a DNS server’s cache with fake records just got a whole lot easier. Two flaws in the BIND domain name server (DNS) software were announced today that turn the normally hit-or-miss practice of stuffing name servers full of false information into a sure thing. ...
Fast flux botnets
2007-07-16 18:20:00 Researchers at the excellent Honeynet Project have published a detailed paper on the growing phenomenon of what they call “fast flux service networks”. Essentially, criminals are now using DNS records with a short time-to-live that return hundreds of A records pointing at compromised hosts. Both the NS records for the domain and the ...
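A heuristic check for the characteristics just described (short TTLs, many A records, answers that rotate between lookups, NS records that flux too), as an added example that is not part of the original post and not code from the Honeynet Project paper. The DNS answer sets are constructed, the thresholds are assumptions chosen for illustration, and distinct /16 prefixes stand in for the network diversity a real detector would measure with ASN lookups.

```python
import ipaddress
from collections import namedtuple

Answer = namedtuple("Answer", "name ttl rtype rdata")

# Assumed thresholds for illustration only (not values from the paper).
SHORT_TTL = 300      # seconds
MIN_A_RECORDS = 5
MIN_NETWORKS = 3     # distinct /16 prefixes as a cheap stand-in for ASN diversity
MIN_CHURN = 0.5      # fraction of addresses replaced between two lookups

# Constructed sample answer sets (documentation address ranges, not real hosts).
FLUX_LOOKUP_1 = [
    Answer("shop.example", 180, "A", "198.51.100.7"),
    Answer("shop.example", 180, "A", "203.0.113.22"),
    Answer("shop.example", 180, "A", "192.0.2.45"),
    Answer("shop.example", 180, "A", "198.51.100.130"),
    Answer("shop.example", 180, "A", "203.0.113.201"),
    Answer("shop.example", 180, "NS", "ns1.shop.example"),
    Answer("shop.example", 180, "NS", "ns2.shop.example"),
]
FLUX_LOOKUP_2 = [  # a few minutes later: one address kept, the rest rotated
    Answer("shop.example", 180, "A", "198.51.100.7"),
    Answer("shop.example", 180, "A", "192.0.2.99"),
    Answer("shop.example", 180, "A", "203.0.113.5"),
    Answer("shop.example", 180, "A", "198.51.100.200"),
    Answer("shop.example", 180, "NS", "ns3.shop.example"),
]
NORMAL_LOOKUP = [
    Answer("www.example", 3600, "A", "93.184.216.34"),
    Answer("www.example", 3600, "A", "93.184.216.35"),
]
CDN_LOOKUP = [  # short TTL alone is normal for a CDN: few addresses, one network
    Answer("static.example", 60, "A", "93.184.216.40"),
    Answer("static.example", 60, "A", "93.184.216.41"),
]


def a_addresses(lookup):
    return {ipaddress.ip_address(r.rdata) for r in lookup if r.rtype == "A"}


def distinct_networks(addrs, prefix=16):
    return len({ipaddress.ip_network("%s/%d" % (a, prefix), strict=False)
                for a in addrs})


def indicators(lookup):
    """Summarise one answer set: shortest A TTL, address count, network spread,
    and whether the NS records also carry short TTLs (a double-flux hint)."""
    a_recs = [r for r in lookup if r.rtype == "A"]
    ns_recs = [r for r in lookup if r.rtype == "NS"]
    addrs = a_addresses(lookup)
    return {
        "min_a_ttl": min((r.ttl for r in a_recs), default=None),
        "a_count": len(addrs),
        "networks": distinct_networks(addrs),
        "ns_short_ttl": bool(ns_recs) and all(r.ttl <= SHORT_TTL for r in ns_recs),
    }


def churn(previous, current):
    """Fraction of the current A addresses that were absent from the previous lookup."""
    prev, cur = a_addresses(previous), a_addresses(current)
    if not cur:
        return 0.0
    return len(cur - prev) / len(cur)


def is_fast_flux(lookup, previous=None):
    """Flag when TTLs are short AND either the answer is wide (many addresses
    across many networks) or, given an earlier lookup, the addresses rotated."""
    ind = indicators(lookup)
    if ind["min_a_ttl"] is None or ind["min_a_ttl"] > SHORT_TTL:
        return False
    wide = ind["a_count"] >= MIN_A_RECORDS and ind["networks"] >= MIN_NETWORKS
    rotated = previous is not None and churn(previous, lookup) >= MIN_CHURN
    return wide or rotated


if __name__ == "__main__":
    print(indicators(FLUX_LOOKUP_1))
    print(is_fast_flux(FLUX_LOOKUP_1))                              # True
    print(is_fast_flux(FLUX_LOOKUP_2, previous=FLUX_LOOKUP_1))      # True
    print(is_fast_flux(NORMAL_LOOKUP), is_fast_flux(CDN_LOOKUP))    # False False
```

The CDN sample is there as the caveat: a short TTL by itself is not evidence of anything, which is why the check requires either breadth across networks or observed rotation before flagging a name.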
Torpark is now “XeroBank Browser”
2007-07-14 16:35:00 Torpark, the customized version of Firefox for Windows that included a built-in Tor client, has been rebranded as XeroBank Browser and gone semi-commercial. I wrote a review of the original product last year and even created an enhanced version that improved privacy protections. Now ...
Major new flaw in Adobe Flash Player - Windows, Linux and Mac
2007-07-13 16:46:00 A couple of days ago Adobe admitted to three separate vulnerabilities in their Flash Player plugin for web browsers. The vulnerabilities affect Windows, Mac and Linux and allow arbitrary code execution, cross-site request forgery (CSRF), and logging of keystrokes (!). The official announcement from Adobe lists the CVE numbers: CVE-2007-3456, CVE-2007-3457 and CVE-2007-2022. Now, ...
U.S. Energy Department loses nearly 20 laptops a month
2007-05-27 16:48:00 Last year we learned that the U.S. Commerce Department was losing an average of 17 laptop computers per month. Now the Energy Department reports 1,415 laptops have vanished between 2001 and 2006, inclusive. That’s 19.6 laptops per month, on average, out of a reported total inventory of 71,874. The ...
Reducing spreadsheet errors by suggestion?
2007-05-25 22:10:00 Number-oriented people love their spreadsheets. Every once in a while I run into someone who has created a prized Excel document encrusted with VBA macros, filters and formulas that make string theory look simple. Usually these monsters started life as a quick-and-dirty “what if” and then grew over ...
VMware Workstation 6 released
2007-05-10 03:52:00 The latest edition of VMware Workstation is finally out of beta and available for download. Once again, VMware allows existing users of Workstation 5 to upgrade for a hundred bucks U.S. In addition to the usual incremental improvements and official ...
Marcus Ranum has a podcast
2007-05-09 18:47:00 Exalted Internet security guru Marcus Ranum has posted a podcast, complete with presentation slides to go with it. He promises this is the first of a series (I certainly hope so, but making podcasts takes much more time and effort than blogging, and Marcus rarely updates his blog). ...
Spam more profitable than extortion?
2007-05-01 20:34:00 Spam sent directly from botnets is rising and the use of botnets for denial of service extortion is declining, according to a blog article posted last week by Symantec. According to Symantec there was “a pretty sharp decline in the daily number of denial of service attacks” during the second half of last year, possibly because ...
Fuzzing virtual machines
2007-04-26 18:49:00 Security researcher Tavis Ormandy has published an interesting paper, "An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments" (PDF link), in which he used an I/O fuzzer and random opcode generator to find anomalies in VMware and other virtualization products. Tested were VMware Workstation and VMware Server, Xen, QEMU, Bochs, plus two "popular ...
Setting up software RAID in Ubuntu Server
2007-04-24 23:08:00 Linux provides excellent software-based RAID built into the kernel. Unfortunately, information on configuring and maintaining it is sparse. O’Reilly published Managing RAID on Linux back in 2003 and that book is still mostly up to date, but searching the web for clear instructions on setting up RAID and all the various gotchas has become a ...
Notes on Secure Mississauga 2007
2007-04-19 13:47:00 Yesterday (ISC)², the group behind the CISSP certification, held a one-day security seminar with speakers discussing the state of IT security, threat modeling, privacy and disclosure laws and other interesting topics. (ISC)² is holding several of these around the world this year… mainly as opportunities for CISSPs to add a few more education credits (you need ...
Month of PHP bugs summary
2007-04-12 17:58:00 Well, the "Month of PHP Bugs" has concluded, exposing 41 security issues in the PHP web development language. Some don’t agree with this method of publishing vulnerabilities, but sometimes it’s necessary to help developers focus on security. Embarrassment is a highly effective motivator. Personally I think this was sorely needed for PHP, and Stefan Esser ...
Nasty little bug in GNU Privacy Guard (GPG)
2007-03-10 20:23:03 Time to upgrade if you use GNU Privacy Guard to encrypt or sign email or files. It turns out that if you prepend unencrypted text to a GPG-signed (or signed and encrypted) file, when the file is decrypted by GPG the prepended text is spit out immediately followed by the decrypted plaintext. There is no visual indication where one block of text ends and the other begins. An attacker who can modify a GPG-encrypted file (such as an email message or a file on disk) can exploit this behavior to turn a signed message like “Purchase 40 shares of Acme Widgets” into a message that reads “Please sell all my shares and deposit the proceeds into account 123456 of Offshore Criminals Savings and Loan. Later this week I will then Purchase 40 shares of Acme Widgets”. This flaw is most likely to be a problem with email clients that use GnuPG, such as Mozilla Thunderbird with the Enigmail extension. The problem isn’t in the cryptography… it’s that by default GPG displays no separat...
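What a front end such as an email client can do about this, as an added example that is neither GnuPG’s nor Enigmail’s code: instead of trusting the human-readable output, read the machine-readable status lines GnuPG writes when run with `--status-fd` and refuse the result unless exactly one PLAINTEXT (one literal data packet) was seen and a GOODSIG/VALIDSIG covers it. The status lines below are constructed; the tampered sample assumes the prepended literal packet shows up as a second PLAINTEXT line, which is what one PLAINTEXT line per literal packet implies. The function names are mine.

```python
PREFIX = "[GNUPG:] "

# Constructed status output for a clean signed-and-encrypted message.
GOOD_STATUS = """\
[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 1173556980 order.txt
[GNUPG:] PLAINTEXT_LENGTH 33
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.com>
[GNUPG:] VALIDSIG 00000000000000000000000001234567 2007-03-10 1173556980 0 3 0 17 2 00 00000000000000000000000001234567
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
"""

# Constructed: the same message with an unencrypted literal packet prepended.
# The extra packet is emitted as plaintext before decryption even starts.
TAMPERED_STATUS = """\
[GNUPG:] PLAINTEXT 62 1173556000 note.txt
[GNUPG:] PLAINTEXT_LENGTH 120
[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 1173556980 order.txt
[GNUPG:] PLAINTEXT_LENGTH 33
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.com>
[GNUPG:] VALIDSIG 00000000000000000000000001234567 2007-03-10 1173556980 0 3 0 17 2 00 00000000000000000000000001234567
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
"""

# Constructed: encrypted but never signed.
UNSIGNED_STATUS = """\
[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 1173556980 order.txt
[GNUPG:] PLAINTEXT_LENGTH 33
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
"""


def parse_status(text):
    """Return (keyword, arguments) pairs for every '[GNUPG:]' line, in order.
    Anything else on the stream (warnings, the plaintext itself) is ignored."""
    events = []
    for line in text.splitlines():
        if line.startswith(PREFIX):
            parts = line[len(PREFIX):].split(None, 1)
            events.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return events


def verify_single_signed_plaintext(status_text):
    """Accept only one plaintext block covered by a good, valid signature.
    Returns (ok, reasons); reasons is empty when ok is True."""
    keywords = [k for k, _ in parse_status(status_text)]
    reasons = []
    plaintexts = keywords.count("PLAINTEXT")
    if plaintexts != 1:
        # Two literal packets means unsigned data was spliced around the
        # signed block; zero means nothing was output at all.
        reasons.append("expected 1 PLAINTEXT, saw %d" % plaintexts)
    if "BADSIG" in keywords or "ERRSIG" in keywords:
        reasons.append("bad or unverifiable signature")
    if "GOODSIG" not in keywords or "VALIDSIG" not in keywords:
        reasons.append("no good signature")
    return (not reasons, reasons)


def signer_of(status_text):
    """Key ID and user ID from the GOODSIG line, or None if there is none."""
    for keyword, args in parse_status(status_text):
        if keyword == "GOODSIG":
            key_id, _, user_id = args.partition(" ")
            return key_id, user_id
    return None


if __name__ == "__main__":
    for label, status in (("good", GOOD_STATUS), ("tampered", TAMPERED_STATUS),
                          ("unsigned", UNSIGNED_STATUS)):
        print(label, verify_single_signed_plaintext(status))
```

Checking the status stream rather than the decrypted text is the general fix for front ends: GnuPG’s own fixed releases flag the multiple-plaintext case as well, but a client that already parses status lines gets the protection regardless of which gpg binary it finds on the path.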
U.S. military to standardize Windows hardening
2007-02-07 19:57:03 The lede of today’s SANS Newsbites claims that the U.S. military is about to start using standardized "secure configurations" of Windows operating systems across all services: "Over the next several weeks, you’ll begin to hear about US military services standardizing on secure configurations of common operating systems (VISTA and XP to start) (1) so they can avoid costs and errors of tens of thousands of sites doing their own hardening, (2) so they can get the operating system vendors to test patches on the standard configurations before releasing them - so patches can be installed much more quickly, and (3) so they can ensure application vendors deliver software that doesn’t force configuration changes that conflict with their standard configuration." If true, it’ll be interesting to see how successful the initiative is. The article implies that the "secure configurations" used will be the well-known benchmarks published by the...
A job interview
2007-01-31 19:50:05 February 2007 marks the tenth anniversary of me being a self-employed consultant. Such milestones tend to inspire lots of navel-gazing, so I guess I should get busy doing that. Oddly enough, today I had an interview for a full-time security job with a high-tech firm. It was the first employment interview I’d done in seven years, so I was very rusty at playing that particular game. As a consultant you’re interviewed all the time by prospective clients, but those are focused on very specific technical abilities. Employment interviews delve into areas like personal motivation and life goals, something you don’t think much about as a consultant… you’re far too busy either drumming up business, working on the jobs you have, or trying to keep up with the endless demands of the taxation office. Besides the usual questions about previous work experience, during this interview the team asked a couple of thinkers. The first was along the lines of "how do you j...
150 million bots
2007-01-31 19:50:05 The majority of the estimated 600 million computers attached to the Internet are home computers, with no one to secure or clean them up when they become compromised. Right now, entire underground economies exist for buying and selling access to trojaned home computers so criminals can broadcast spam, flood targets offline, or just do plain old keystroke capturing for bank access and credit card numbers. Criminals are crafting malware not just to infiltrate home computers, but to delete competing malware so they can have use of the box to themselves. Yesterday Vint Cerf and other pioneers were quoted in an article by the BBC saying that 150 million of the 600 million machines are bots and the situation is an epidemic. No kidding. Botnets have been growing right along with the adoption of broadband Internet access. This is not news, of course. In 2003, when Microsoft worms were at their peak, it was easy to see from server and firewall logs that most sources were broadband home computers. ...



