Privacy, Security Archive

Securing NFS – Tunneling NFS Over SSH

"The goal of this howto is building an NFS server that works on an SSH tunnel. This way all traffic between your hosts and the file server is encrypted and thus more secure. Normally you should enter a password every time you try to establish an SSH connection but since we could be mounting at bootup we will use ssh-keygen to create a keypair so we can log in without entering a password. We will, however, limit that login session to executing just 1 command."

Symantec: ‘There Is No Safe Browser’

Hackers are hitting paydirt in their search for browser bugs. According to Symantec's twice-yearly Internet Security Threat Report, hackers found 47 bugs in Mozilla's open-source browsers and 38 bugs in Internet Explorer during the first six months of this year. That's up significantly from the 17 Mozilla and 25 IE bugs found in the previous six months. Even Apple's Safari browser saw its bugs double, jumping from six in the last half of 2005 to 12 in the first half of 2006. Opera was the only browser tracked by Symantec that saw the number of vulnerabilities decline, but not by much. Opera bugs dropped from nine to seven during the period.

Jon Ellch Breaks Silence on Apple Wi-Fi Exploit

"Jon Ellch was one of the presenters of the now infamous 'faux disclosure' at Black Hat and DEFCON last month. Ellch and co-presenter Dave Maynor have gone silent since then, fueling speculation that the entire presentation may have been a hoax. Ellch finally broke the silence in an email to the Daily Dave security mailing list over the weekend, and one thing is clear: he is chafing under the cone of silence which has been placed over the two of them."

Analysis of Department of Justice Prosecutions 1999-2006

A landmark study on Department of Justice network crime prosecutions reveals most attacks used stolen IDs and passwords, resulting in far greater damages to affected organizations than previously thought: up to USD 10 million per occurrence and on average more than USD 1.5 million per occurrence. The report, "Network Attacks: Analysis of Department of Justice Prosecutions 1999-2006", concludes that 84% of attacks could have been prevented if, in addition to checking the user ID and password, the organization had verified the identity of the computer connecting to their networks and accounts.

Debunking the Blue Pill Myth

"Blue Pill is the prototype resulting from a security study made by Joanna Rutkowska, which took advantage of new virtualization capabilities of AMD processors (known as SVM and previously as Pacifica) to inject a rootkit in a running Vista operating system. Ms Rutkowska claimed a malware using this method is undetectable. Virtualization.info met Anthony Liguori, Software Engineer at IBM's Linux Technology Center, and, most of all, one of the men behind the Xen hypervisor, to finally debunk the Blue Pill undetectability myth."

The Black Hat Wi-Fi Exploit Coverup

"You've probably heard of full disclosure, the security philosophy that calls for making public all details of vulnerabilities. It has been the subject of debates among researchers, vendors, and security firms. But the story that grabbed most of the headlines at the Black Hat Briefings in Las Vegas last week was based on a different type of disclosure. For lack of a better name, I'll call it faux disclosure. Here's why."

Breaking Into a Laptop Via Wi-Fi

An attacker could gain complete control over a laptop by sending malformed network traffic to a vulnerable computer, David Maynor, a senior researcher at security service provider SecureWorks, said in a presentation at the Black Hat security event. Maynor, along with researcher Jon 'Johnny Cache' Ellch, showed a video of a successful attack on an Apple Computer MacBook. However, the attack is also possible on other computers, both laptops and desktops, and not just MacBooks, the researchers said. The recent security fixes issued by Intel are not related to this issue.

5 Ways to Get Vista’s Security Now

"Millions of Windows users run the OS with an administrator account because Microsoft's never made it easy to do anything different. In fact, you have to work a lot harder to run with fewer rights. Microsoft will push Vista as the solution to the ever-increasing number and ingenuity of attacks. But why wait? With our five strategies, you can give Windows XP a taste of Vista's UAC protection."

Symantec Report: Vista Code Contains Security Loopholes

A new report from Symantec security researchers contends that Microsoft's much-awaited Vista operating system could harbor a range of vulnerabilities that will make it less secure than previous iterations of Windows. According to research published July 18 by Symantec, a number of Vista's software components, specifically a handful of protocols related to its redesigned networking technologies, could become security loopholes if Microsoft does not fix the problems or ensure that the product is configured appropriately to hide the glitches when it is shipped.

Sophos: Because of Malware Home Users Should Switch to Macs

Sophos has published new research into the past six months of cyber crime. The Sophos Security Threat Management Report Update reveals that while there has been a vast drop in new viruses and worms, this has been over-compensated by increases in other types of malware, as cyber criminals turn their attention to stealing information and money. Most interestingly, new Trojans now outweigh viruses and worms by 4:1, compared to 2:1 in the first half of 2005. In addition, the continued dominance of Windows-based threats has prompted Sophos to suggest that many home users should consider switching to Apple Macs, to shield themselves from the malware onslaught.

Creating a Safe Directory with PAM, EncFS

"This HowTo is about creating a user-session-safe directory which offers security on- and offline. This is done with PAM, a module named pam_script and Encfs ('Encrypted Filesystem'). This safe directory is used to store credentials and other sensitive information during a session. When a user session is ended, in the worst case an encrypted directory remains on the hard drive. In the best case everything is removed. This construction is only meant to store information during a session, not for documents or any other valid information."

Researchers Claim Flaw in Symantec AntiVirus

A gaping security flaw in the latest versions of Symantec's anti-virus software suite could put millions of users at risk of a debilitating worm attack, Internet security experts warned May 25. Researchers at eEye Digital Security, the company that discovered the flaw, said it could be exploited by remote hackers to take complete control of the target machine "without any user action".

How Shellcodes Work

Here is an article explaining how shellcodes work: "This article is not a guide on writing exploits, nor an overview of popular vulnerabilities. This is a step-by-step guide on developing a shellcode, a crucial point of any exploit software. Hopefully, learning how they work will help conscientious and respectable developers and system administrators to understand how malefactors think and to defend their systems against them."