Privacy, Security Archive

DefCon 16: Hackers and Gag Order in Sin City

"In many ways the virtues that have brought Linux from a Unix look-alike pet project to a competitive operating system are the same as the ideals behind DefCon. The community stood on each other's shoulders and developed piece after piece of software to fill in the gaps that were found through use. Programmers built on the ideas of others, creating tighter and tighter code to support an increasingly complex framework."

The Sky Isn’t Falling: A Look at a New Vista Security Bypass

Ars Technica has analyzed the recently publicized Vista security flaws. "Unfortunate, yes, but not, as was reported in the immediate aftermath of the presentation, evidence that Vista's security is useless, nor does this work constitute a major security issue. And it's not game over, either. Sensationalism sells, and there's no news like bad news, but sometimes, particularly when covering security issues, it would be nice to see accuracy and level-headedness instead. ... Furthermore, these attacks are specifically on the buffer overflow protections; they do not circumvent the IE Protected Mode sandbox, nor Vista's (in)famous UAC restrictions."

Security Is No Secret

NSA takes its Flask architecture to the open-source community to offer an inexpensive route to trusted systems. "What it really helps out with is something called zero-day exploits," said Daniel Walsh, a principal software engineer at Red Hat and leader of the company's SELinux team. "If you have a bug in your software that allows a machine to be taken over, SELinux adds another layer of controls to make sure that the application only does what it was designed to do. SELinux is your last line of defense."

Report: ‘Microsoft Fastest to Issue OS Patches, Sun Slowest’

"Symantec's comprehensive security report on the malware industry from July 1 to December 31, 2007, is now available in its 100+ page glory. Symantec broke down information on patch development time by operating system and by the type of vulnerability encountered. Surprisingly, Microsoft had the shortest time-to-patch over both halves of 2007. In the first part of the year, Microsoft released 38 patches (two of which involved third-party applications) with an average deployment time of 18 days. From July to December, Microsoft released 22 patches with an average patch time of six days. Red Hat came in second, at 32 days for the second half of the year and 36 days in the first half. That's quite a bit higher than Microsoft's average, but of the 227 vulnerabilities Red Hat patched in 2007, 226 of them involved third-party applications. Apple, Sun, and HP all lag well behind Microsoft and Red Hat, though the gap for each company differs significantly between the first and second halves of last year."

‘Linux Ignored, Not Immune,’ Says Hacker Contest Sponsor

People shouldn't read anything into the fact that of the three laptops set up for last week's 'PWN to OWN' hack challenge, the only one left standing was running Linux, said the security expert who oversaw the contest. "There was just no interest in Ubuntu," said Terri Forslof, manager of security response at 3Com Corp.'s TippingPoint subsidiary, which put up the cash prizes awarded at the contest last week at CanSecWest. "A contest such as this is not a measure of relative security between operating systems. It's not an accurate barometer."

CanSecWest: Countering Misinformation

As you surely know by now, the CanSecWest conference was the stage for a contest, PWN to OWN. Three laptops were set up, running Windows Vista, Ubuntu Linux, and Mac OS X. The goal was to hack the computer and read the contents of a file located on each of the machines, using a 0day code execution vulnerability. During the first day, the machines could only be attacked over the network, without physical access. On the second day, user interaction came into play (visiting a website, opening an email). On the third and final day, third-party applications were added to the mix. Each machine had the same cash prize on its head. As you all know, the Mac was hacked first, on day two. The user only had to visit a website, and the Mac was hacked. Vista got hacked on the third day using a security hole in Adobe's Flash, and the Ubuntu machine did not get hacked at all. Update: Roughly Drafted responds.

Apple Is Loser in Three-Way Hacking Contest

"An Apple Mac was the first victim in a hacker shoot-out to determine which operating system is the most secure. A former US National Security Agency employee has trousered USD 10000 for breaking into a MacBook Air at the CanSecWest security conference's PWN 2 OWN hacking contest. The MacBook was lined up against Linux and Vista PCs - which have so far remained uncracked. Nobody was able to hack into the systems on the first day of the contest, when contestants were only allowed to attack the computers over the network, but yesterday the rules were relaxed so that attackers could direct contest organisers using the computers to do things like visit websites or open email messages. The MacBook was the only system to be hacked by Thursday. Miller didn't need much time. He quickly directed the contest's organisers to visit a website that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on. He was the first contestant to attempt an attack on any of the systems." There is more bad news for Apple: "If you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities is higher at Apple." Update: The contest is over. Vista got hacked using Adobe's Flash; Ubuntu was left standing.

The Spyware World: Privacy in the Age of Surveillance Technology

The technologies we rely on, both new and old, are now very effective tools that both governments and private firms are using to gather, analyze, store, and sell information about our private lives, habits, purchases, whereabouts, and even thoughts and beliefs. But some of this invasion of privacy pays a welcome dividend in convenience and power in our own lives. Where do we draw the line, and how can we use this potentially invasive technology for our benefit, without sacrificing our private lives to commerce?

‘Open Source Code Contains Security Holes’

"Open source code, much like its commercial counterpart, tends to contain one security exposure for every 1000 lines of code, according to a program launched by the Department of Homeland Security to review and tighten up open source code's security. Popular open source projects, such as Samba, the PHP, Perl, and Tcl dynamic languages used to bind together elements of Web sites, and Amanda, the popular open source backup and recovery software running on half a million servers, were all found to have dozens or hundreds of security exposures and quality defects. A total of 7826 open source project defects have been fixed through the Homeland Security review, or one every two hours since it was launched in 2006, according to David Maxwell, open source strategist for Coverity, maker of the source code checking system, the Prevent Software Quality System, that's being used in the review." Note: I just want to state for the record that the headline has not been written by me. I do like the total kicking-in-open-doors air surrounding it, though.

Mac vs. Windows Vulnerability Stats for 2007

It's that time of year again, folks. "The year 2007 has been an interesting year that brought us improved security with Windows Vista and Mac OS X Leopard (10.5). But to get some perspective on how many publicly known holes were found in these two operating systems, I've compiled all the security flaws in Mac OS X and Windows XP and Vista and placed them side by side. This is significant because it shows a trend that can give us a good estimate of how many flaws we can expect to find in the coming months." Do with it as you please.

eBay: ‘Phishers Getting Better Organised, Using Linux’

When it comes to launching online attacks, criminals are getting more organised and branching out from the Windows operating system, says eBay's security chief. eBay recently did an in-depth analysis of its threat situation, and while the company is not releasing the results of this analysis, it did uncover a huge number of hacked, botnet computers, said Dave Cullinane, eBay's chief information and security officer, speaking at a Microsoft-sponsored security symposium at Santa Clara University. "The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling. We expected Microsoft boxes," he said.

SELinux vs. OpenBSD’s Default Security

KernelTrap offers a summary of a lengthy debate on OpenBSD's -misc mailing list comparing the security features built into OpenBSD versus the security offered by the Linux kernel's SELinux feature. The main arguments presented against SELinux centered around its complexity and the difficulty of defining a secure policy. "The first thing people usually do with SELinux is turn it off", suggests the article, noting that the ease with which it can be turned off is another security shortcoming. By contrast, OpenBSD offers numerous security features that are always enabled with minimal overhead, including propolice stack protection, random library mappings, proactive privilege separation, W^X, and systrace.

Operating System Vulnerability Scorecard, July 2007

Jeff Jones has published another one of his vulnerability scorecards comparing various operating system offerings. As always, these figures just list the patched vulnerabilities over the designated period of time; they do not take into account any unfixed or undisclosed vulnerabilities. Hence, these reports are not proper measurements of security - they are just that, a tally of fixed vulnerabilities. Any conclusions like "x is more secure than y" cannot be drawn from this data set. As always, do with it as you please.

Microsoft Opens Up Windows Live ID

Microsoft has announced the release of Windows Live ID Web Authentication. This means that WLID (formerly known as Passport) is now open to third-party websites to use as their authentication system. Any Windows Live user can potentially log in to a website that implements Web Authentication. Interestingly, sample implementations are available in Ruby, Python, Perl, and PHP, amongst other open source languages; they have been tested on openSUSE 10.2 but are expected to work on any platform that supports these languages. More details are available in the SDK documentation.

ATI Driver Flaw Exposes Vista Kernel to Attackers

An unpatched flaw in an ATI driver was at the center of the mysterious Purple Pill proof-of-concept tool that exposed a way to maliciously tamper with the Vista kernel. Purple Pill, a utility released by Alex Ionescu and yanked an hour later after the kernel developer realized that the ATI driver flaw was not yet patched, provided an easy way to load unsigned drivers onto Vista, effectively defeating the new anti-rootkit/anti-DRM mechanism built into Microsoft's newest operating system.