Privacy, Security Archive

Linux Guru Argues Against Security Liability

Alan Cox, one of the leading Linux kernel developers, has told a House of Lords hearing that neither open- nor closed-source developers should be liable for the security of the code they write. Cox, who is permanently employed at Red Hat, told the Lords Science and Technology Committee inquiry into personal internet security that both open- and closed-source software developers, including Microsoft, have an ethical duty to make their code as secure as possible. "Microsoft people have a moral duty in making sure their operating system is fit-for-purpose," Cox said on Wednesday.

Various Ways of Detecting Rootkits in GNU/Linux

"A rootkit is a collection of tools a hacker installs on a victim computer after gaining initial access. It generally consists of network sniffers, log-cleaning scripts, and trojaned replacements of core system utilities such as ps, netstat, ifconfig, and killall. I know of two programs which aid in detecting whether a rootkit has been installed on your machine. They are Rootkit Hunter and Chkrootkit."

Non-OS-Dependent Malware

"All too often people talk about the disadvantages of the Windows operating system: it has too many security flaws, it is not properly patched, it is not security oriented… Until the much talked about Vista system finally reaches our computers, there will still be plenty of time to protest. However, with the new malware dynamic, the idea that malware is restricted to specific operating systems is becoming anachronistic. It no longer matters whether the victim is a home-user or a company employee. It is now irrelevant whether the system administrator is just someone who lives round the corner or a highly qualified IT manager."

Rule-Based Access Control

"Although Web servers can perform user authentication and coarse-grained authorization checking for applications, developers of Web services and SOAs often must write custom code to restrict access to certain features of their system, or customize the behavior or appearance, based on the identity of a user. Embedding authorization checking within an application is inflexible, prone to error, and increases its complexity. What if it were data-driven instead of implemented by program logic?"

Key-Based SSH Logins with PuTTY

"This guide describes how to generate and use a private/public key pair to log in to a remote system with SSH using PuTTY. PuTTY is an SSH client that is available for Windows and Linux. Using key-based SSH logins, you can disable the normal username/password login procedure which means that only people with a valid private/public key pair can log in. That way, there is no way for brute-force attacks to be successful, so your system is more secure."

Encrypt Devices Using dm-crypt and LUKS

"There are many different methods to encrypt data using various encryption algorithms (ciphers). In this document I describe in short how to encrypt a device with one of the most contemporary methods, using dm-crypt and LUKS. Actually, devices cannot be encrypted. It's the block devices which are volumes that can be. This means that you can encrypt a hard disk partition, a ZIP disk, a USB flash stick, or even a volume within a file."

Windows Vista: a Baby Step for Microsoft NAP

"Today welcomes Vista to market, at least to the businesses that have early access to Vista. While Vista brings promises for better security – IPv6 kernel, whole disk encryption and more – it only marks the client phase for Microsoft Network Access Protection. Network Access Protection requires support for both client and server, which means enterprises will have to wait until the end of 2007, when Windows Longhorn Server is available, to fully deploy NAP. Many companies need NAC now and can't wait another year, as evidenced by a recent Infonetics Research study that suggests 60 percent of North American large enterprises will have NAC deployed by the end of 2008."

Rutkowska: “Anti-Virus Software Is Ineffective”

Earlier this year, stealth malware researcher Joanna Rutkowska created a stir at the Black Hat Briefings when she demonstrated a way to infect Windows Vista with a rootkit and introduced Blue Pill, a new concept that uses AMD's SVM/Pacifica virtualization technology to create '100 percent undetectable malware'. In this interview with eWEEK senior editor Ryan Naraine, Rutkowska talks about her interest in computer security, the reality of stealth malware threats, the risks associated with hardware virtualization and why the anti-virus industry comes up short.

Red Hat’s Cox Warns on Open Source Security

Alan Cox, one of the most respected figures in the UK open source community, has warned of complacency over the security of open source projects. Speaking to delegates at London's LinuxWorld conference on Wednesday, he emphasised that considerable sums of money were being spent to try and hack into open source systems. And he cautioned that many open source projects were far from secure. "Things appear in the media like open source software is more secure, more reliable and there are less bugs. Those are very dangerous statements," Cox said. My take: Agree wholeheartedly. Security complacency, often seen in OSNews' comments sections, is very, very dangerous.

‘Less-Than-Zero’ Threat

"The security industry and trade press have directed a lot of attention toward the 'Zero-day attack', promoting it as THE threat to guard against. According to the marketing hype, the Zero-Day attack is the one that you should most fear, so you must put in place measures to defend your organization from it. The Zero-Day threat is born the moment a vulnerability is publicly announced or acknowledged. But what about the period of time that the threat existed before being announced? At StillSecure we call this class the 'Less-Than-Zero' threat. In this two-part series I'll examine this Less-Than-Zero threat, compare it to the Zero-Day threat, and discuss ways to protect yourself from Less-Than-Zero attacks and vulnerabilities for which patches, signatures, etc., do not yet exist."

NVIDIA Graphics Driver Blob Root Exploit

A recent security advisory announced today by Rapid7 explains, "the NVIDIA Binary Graphics Driver for Linux is vulnerable to a buffer overflow that allows an attacker to run arbitrary code as root. This bug can be exploited both locally or remotely (via a remote X client or an X client which visits a malicious web page). A working proof-of-concept root exploit is attached to this advisory." The advisory goes on to note that the FreeBSD and Solaris binary drivers are also likely vulnerable and cautions, "it is our opinion that NVIDIA's binary driver remains an unacceptable security risk based on the large numbers of reproducible, unfixed crashes that have been reported in public forums and bug databases."

pfSense 1.0 Released

pfSense is an open source firewall derived from the m0n0wall operating system platform, with radically different goals: it uses OpenBSD's ported Packet Filter, FreeBSD 6.1 ALTQ (HFSC) for excellent packet queueing, and an integrated package management system for extending the environment with new features. pfSense version 1.0 was released today.

Exploit Released for Mac OS X Flaw

Computer code that exploits a flaw in Apple's Mac OS X was released over the weekend. The code takes advantage of a weakness in core parts of Mac OS X and could let a user gain additional privileges. Apple provided a fix for the error-handling mechanism of the kernel last week, but the exploit appears to have been authored before then. "It appears to have been written well before the vulnerability was fixed," said Dino Dai Zovi, a researcher with Matasano Security who was credited by Apple with discovering the flaw when the patch was released. Obviously anything but spectacular (since it's fixed), but it does raise the age-old question: will the growing popularity of both Linux and OS X lead to more of these exploits, possibly one that does get released 'in time'?

Sophos Backs MS: No Need for API Access

Symantec has previously complained that Vista's PatchGuard kernel-protection technology might limit Symantec's ability to protect the kernel with its own software. But what do other security vendors think? Yesterday Sophos' Ron O'Brien told BetaNews that "Nothing about the way PatchGuard works would hinder Sophos' architecture for an enterprise security suite." In fact, he argued, if Microsoft wants to use its own methods to close off the kernel, that's a good thing.