Privacy, Security Archive

Surprise, Microsoft Listed as Most Secure OS

Microsoft is frequently dinged for having insecure products, with security holes and vulnerabilities. But Symantec, no friend of Microsoft, said in its latest research report that when it comes to widely-used operating systems, Microsoft is doing better overall than its leading commercial competitors. The information was a part of Symantec's 11th Internet Security Threat Report. The report, released this week, covered a huge range of security and vulnerability issues over the last six months of 2006, including operating systems.

Monthly OS Security Score Card: Another View

"In response to Jeff Jones' Monthly Security Scorecard I did some research on Secunia and made some statistics to answer his. Jeff's Scorecard is quite minimal in my opinion and as pointed out by some of the comments, is missing some interesting facts. These facts include the outstanding advisories, for example, and of course the amount of software installed. Since Linux installs a lot more software the numbers are a bit skewed; however, even if I only take the numbers from Secunia with regard to advisories, vulnerabilities fixed, etc., things still look quite different than on Jeff's charts."

Operating System Vulnerability Scorecard

"Starting today, I plan on posting a monthly vulnerability scorecard for common server and workstation Operating System products. I'm going to keep these scorecards pretty clean of discussion, but you can review my methodology, sources and assumptions." Note that these results speak only of fixed vulnerabilities; the author aims to include information on non-fixed problems and the time it takes to fix problems as well. You should also read this, by the way.

IE, Firefox Share Vulnerability

Internet Explorer 7 and Firefox 2.0 share a logic flaw. The issue is actually more severe, as the two versions of the Microsoft and Mozilla browsers are not the only ones affected. In this regard, the vulnerability impacts Internet Explorer 5.01, Internet Explorer 6 and Internet Explorer 7 but also Firefox 1.5.0.9. Microsoft has stressed the fact that IE7 on Windows Vista is not affected in any manner.

Linux vs. Vista: How Does Security Stack Up?

For consumers looking to boost their computers' security, is Vista the way to go? Or can Linux provide greater protection from hacker attacks? In the face of viruses, worms or other breaches, the answer is obvious. "We don't need a survey or study to determine the answer. The answer is universal with those that actually manage these systems," said John Cherry of the OSDL Desktop Linux Working Group.

Vista: Significant Security Improvement?

In the new issue of the free (IN)SECURE Magazine read an article on Vista's security features, an interview with Ed Gibson (the Chief Security Advisor for Microsoft UK), a look at the new format and new protection/security policy in Office 2007, and an interview with Joanna Rutkowska, the security researcher in the news lately for discussing the 'very severe hole' in the design of UAC.

OpenSSL Gets Hard-Fought Revalidation

"After a long and arduous journey that included a suspended validation last year, the Open Source Software Institute has announced that OpenSSL has regained its FIPS 140-2 validation and is now available for download. The validation process, which normally lasts a few months, took an astounding five years to complete, and those involved with the projects say they are already devising ways to avoid such long delays in future validations."

Thoughts on PatchGuard

Ken Johnson, a Windows kernel mode and debugging guru, analyzes the Windows x64 Kernel Patch prevention system on his blog. From his perspective, PatchGuard is neither a security scheme nor a DRM measure due to the limited scope of the structures it protects. Instead, it is a tool to prevent vendors from destroying system security and stability. Johnson also forecasts a hypervisor-based PatchGuard mechanism for future revisions to this technology. Check out other posts on Nynaeve for a wealth of technical details on Windows mechanisms of interest to reverse-engineers.

Linux Guru Argues Against Security Liability

Alan Cox, one of the leading Linux kernel developers, has told a House of Lords hearing that neither open- nor closed-source developers should be liable for the security of the code they write. Cox, who is permanently employed at Red Hat, told the Lords Science and Technology Committee inquiry into personal internet security that both open- and closed-source software developers, including Microsoft, have an ethical duty to make their code as secure as possible. "Microsoft people have a moral duty in making sure their operating system is fit-for-purpose," Cox said on Wednesday.

Various Ways of Detecting Rootkits in GNU/Linux

"A rootkit is a collection of tools a hacker installs on a victim computer after gaining initial access. It generally consists of network sniffers, log-cleaning scripts, and trojaned replacements of core system utilities such as ps, netstat, ifconfig, and killall. I know of two programs which aid in detecting whether a rootkit has been installed on your machine. They are Rootkit Hunter and Chkrootkit."

Non-OS-Dependant Malware

"All too often people talk about the disadvantages of the Windows operating system: it has too many security flaws, it is not properly patched, it is not security oriented… Until the much talked about Vista system finally reaches our computers, there will still be plenty of time to protest. However, with the new malware dynamic, the idea that malware is restricted to specific operating systems is becoming anachronistic. It no longer matters whether the victim is a home-user or a company employee. It is now irrelevant whether the system administrator is just someone who lives round the corner or a highly qualified IT manager."

Rule-Based Access Control

"Although Web servers can perform user authentication and coarse-grained authorization checking for applications, developers of Web services and SOAs often must write custom code to restrict access to certain features of their system, or customize the behavior or appearance, based on the identity of a user. Embedding authorization checking within an application is inflexible, prone to error, and increases its complexity. What if it were data-driven instead of implemented by program logic?"

Key-Based SSH Logins with PuTTY

"This guide describes how to generate and use a private/public key pair to log in to a remote system with SSH using PuTTY. PuTTY is an SSH client that is available for Windows and Linux. Using key-based SSH logins, you can disable the normal username/password login procedure which means that only people with a valid private/public key pair can log in. That way, there is no way for brute-force attacks to be successful, so your system is more secure."

Encrypt Devices Using dm-crypt and LUKS

"There are many different methods to encrypt data using various encryption algorithms (ciphers). In this document I describe in short how to encrypt a device with one of the most contemporary methods, using dm-crypt and LUKS. Actually, devices cannot be encrypted. It's the block devices which are volumes that can be. This means that you can encrypt a hard disk partition, a ZIP disk, a usb flash stick, or even a volume within a file."

Windows Vista: a Baby Step for Microsoft NAP

"Today welcomes Vista to market, at least to the businesses that have early access to Vista. While Vista brings promises for better security – IPv6 kernel, whole disk encryption and more – it only marks the client phase for Microsoft Network Access Protection. Network Access Protection requires support for both client and server which means enterprises will have to wait until the end of 2007 when Windows Longhorn Server is available to fully deploy NAP. Many companies need NAC now and can't wait another year, as evidenced by a recent Infonetics Research study that suggests 60 percent of North American large enterprises will have NAC deployed by the end of 2008."