Privacy, Security Archive

eEye Flags iTunes, QuickTime Flaws

Researchers at eEye Digital Security have pinpointed two high-risk vulnerabilities in iTunes and QuickTime that could put millions of Windows and Mac users at risk of code execution attacks. eEye issued two alerts on its upcoming advisories web page to warn of heap overflows and integer overflows in the two Apple products. eEye said the vulnerabilities affect QuickTime/iTunes on Windows NT, Windows 2000, Windows XP and Windows Server 2003. Mac OS X users are also vulnerable to the code execution attacks.

Test Shows How Vulnerable Unpatched Windows Is

It's official, boys and girls: it's easier to kick in a door when it's open. "A test has revealed that a Linux server is far less likely to be compromised. In fact, unpatched Red Hat and SuSE servers were not breached at all during a six-week trial, while the equivalent Windows systems were compromised within hours. However, patching does make a difference. Patched versions of Windows fared far better, remaining untouched throughout the test, as did the Red Hat and SuSE deployments."

Patching Window Is Getting Shorter

"Internet Security Systems has published a report which shows that hackers and cyber criminals are developing malicious code to exploit known vulnerabilities much faster than before. The X-Force Threat Insight Quarterly highlights that the number of vulnerabilities in 2005 has increased by over 33% over 2004. Analysts from X-Force, the research and development team at ISS, evaluated 4472 vulnerabilities in both hardware and software during 2005. From the public announcement of the vulnerability on the internet, the report highlights that 3.13% of threats discovered had malicious code that surfaced within 24 hours, whereas 9.38% had code that surfaced within 48 hours."

The Role of Architectural Risk Analysis in Software Security

Design flaws account for 50% of security problems. You can’t find design defects by staring at code—a higher-level understanding is required. That’s why architectural risk analysis plays an essential role in any solid software security program. Find out more about architectural risk analysis in this sample chapter. Also, Matthew Heusser and Sean McMillan are convinced that it takes smart people to develop good software that makes money. Where do you find smart people? You don't find them; you make them! Matt and Sean provide some fundamental rules for doing just that.

Preventing SSH Dictionary Attacks with DenyHosts

"In this HowTo I will show how to install and configure DenyHosts. DenyHosts is a tool that observes login attempts to SSH, and if it finds failed login attempts again and again from the same IP address, DenyHosts blocks further login attempts from that IP address by putting it into /etc/hosts.deny. DenyHosts can be run by cron or as a daemon. In this tutorial I will run DenyHosts as a daemon."
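The detection logic the HowTo describes, written out as an added example that is not part of the original tutorial or of DenyHosts itself: parse sshd "Failed password" lines from an auth log, count failures per source address in the three categories DenyHosts distinguishes (non-existent users, existing users, root), and emit the `sshd: <ip>` entries that would be appended to /etc/hosts.deny. The log excerpt is constructed, and the thresholds and the allow-list are assumed values chosen for the example, not DenyHosts' own defaults.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd log excerpt in syslog format (not captured from a real host).
# 203.0.113.7 hammers accounts that do not exist, 192.0.2.44 tries root once,
# and 198.51.100.23 is a legitimate user who mistypes a password, then logs in.
SAMPLE_AUTH_LOG = """\
Feb  3 10:01:12 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Feb  3 10:01:15 gw sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Feb  3 10:01:18 gw sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 51251 ssh2
Feb  3 10:01:21 gw sshd[2207]: Failed password for invalid user guest from 203.0.113.7 port 51260 ssh2
Feb  3 10:02:02 gw sshd[2211]: Failed password for alice from 198.51.100.23 port 40001 ssh2
Feb  3 10:02:09 gw sshd[2213]: Accepted publickey for alice from 198.51.100.23 port 40002 ssh2
Feb  3 10:03:30 gw sshd[2215]: Failed password for root from 192.0.2.44 port 33000 ssh2
Feb  3 10:03:31 gw sshd[2215]: Connection closed by 192.0.2.44
"""

# Assumed per-source thresholds, in the spirit of DenyHosts' separate limits for
# invalid users, valid users and root. These numbers are this example's own.
THRESHOLDS = {"invalid": 3, "valid": 5, "root": 1}

# Only "Failed password" records are counted; accepted logins and disconnects are noise.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Return (ip, user, is_invalid_user) for every 'Failed password' line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m["ip"], m["user"], m["invalid"] is not None))
    return failures


def tally(failures):
    """Count failures per IP in the three categories DenyHosts distinguishes."""
    counts = defaultdict(Counter)
    for ip, user, invalid in failures:
        if user == "root":
            counts[ip]["root"] += 1
        elif invalid:
            counts[ip]["invalid"] += 1
        else:
            counts[ip]["valid"] += 1
    return counts


def offending_hosts(counts, thresholds=THRESHOLDS, allowed=frozenset()):
    """IPs that reached any threshold, minus the allow-list, in sorted order.

    The allow-list exists so an administrator's own mistyped passwords
    cannot lock the administrator out (assumed mechanism, not DenyHosts' file format).
    """
    return sorted(
        ip for ip, c in counts.items()
        if ip not in allowed and any(c[k] >= t for k, t in thresholds.items())
    )


def hosts_deny_lines(ips, service="sshd"):
    """Render the 'daemon: client' entries that go into /etc/hosts.deny."""
    return [f"{service}: {ip}" for ip in ips]


def block_list(log_text=SAMPLE_AUTH_LOG, allowed=frozenset()):
    """Full pipeline: log text in, hosts.deny lines out."""
    return hosts_deny_lines(offending_hosts(tally(parse_failures(log_text)), allowed=allowed))


if __name__ == "__main__":
    for entry in block_list():
        print(entry)
```

Two checks a practitioner should make before relying on this approach: /etc/hosts.deny is only consulted if sshd was built with TCP wrappers (libwrap) support, which OpenSSH removed in release 6.7, so on a current system the same decision has to feed a firewall rule instead; and an allow-list for administrative addresses is essential, because a mistyped password from your own workstation is counted exactly like an attacker's guess.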

‘Security Fixes Come Faster with Mozilla’

"Last month, I looked at how long it took Microsoft to issue security updates for known software flaws in the Windows software that powers most of today's computers. Last week, I conducted the same analysis on free software produced by the Mozilla Foundation, perhaps best known for its Firefox Web browser. Over the past year, Mozilla averaged about 21 days before it issued fixes for flaws in Firefox, compared with the 135 days it took for Microsoft to address problems."

Fyodor Releases nmap 4

After two years of work, since the 3.50 release, Fyodor announced the Nmap Security Scanner version 4.00. Changes since version 3.50 include a rewritten (for speed and memory efficiency) port scanning engine, ARP scanning, a brand new man page and install guide, runtime interaction, massive version detection improvements, MAC address spoofing, increased Windows performance, 500 new OS detection fingerprints, and completion time estimates. Dozens of other important changes - and future plans for Nmap - are listed in the release announcement. Fyodor also gave an interview on 4.00.

Red Hat Disputes CERT Vulnerability Figures

Open source experts have hit back at a study published by the United States Computer Emergency Readiness Team that said more vulnerabilities were found in Linux/Unix than in Windows in 2005, labelling the report misleading and confusing. The report has attracted criticism from the open source community. Linux vendor Red Hat said the vulnerabilities had been miscategorised, and so could not be used to compare the relative security of Windows and Linux/Unix platforms.

US-CERT: 5198 Linux, Windows OS Flaws in 2005

"The United States Computer Emergency Readiness Team released its year-end summary of computer vulnerabilities. While Windows is regarded as the most insecure operating system, the US-CERT found four times as many vulnerabilities specifically related to Unix and Linux. Of 5198 reported flaws, 812 were for Windows, 2328 for Unix and Linux, and 2058 more affected more than one operating system. Notably missing from the list of Windows vulnerabilities is the recently discovered Windows Metafile issue. No vulnerabilities were listed for Apple's Mac OS X, however several had been disclosed during the year. Also, since OS X is based on Unix, it is vulnerable to some of the flaws associated with its core operating system." Note: The link is fixed. I have no idea what happened there, sorry guys!

DRM Hell

BentUser takes a look at OS-level DRM in upcoming operating systems, particularly Windows Vista. Vista's Protected Video Path components, PVP-OPM (Output Protection Management) and PVP-UAB (User-Accessible Bus), have the potential to be really obnoxious, eclipsing any annoyances one experiences with current DRM technologies.

Configuring IPsec on Your XP Professional Laptop

"I have already written about configuring my FreeBSD IPsec gateway and workstations. In this article I will show how I configured my Windows XP box to use the same gateway. You might ask why I'm writing about Windows XP on a website about FreeBSD? My terse answer is because I can. My realistic answer is because it will help people. It's something I did, with my FreeBSD gateway. I use XP on a regular basis. Use the right tool for the job. Sometimes that's XP. Sometimes it's FreeBSD."

The Unspoken Taboo – The Never Expiring Password

Every security-savvy professional lives with the daily fear of the "never expiring password" being exposed. It's the unspoken taboo, the wide open back door in every corporate network, yet no one ever acknowledges it or discusses it. Applications ship with pre-defined service and embedded passwords that are never changed, which means developers, privileged users and third-party hosting providers all end up holding those passwords long after they should.

Sun Plugs Java Holes; Apple Security Updates; Windows Flaw

Sun Microsystems has fixed five security bugs in Java that expose computers running Windows, Linux and Solaris to attack. In the meantime Apple also released a Mac OS X security update covering apache_mod_ssl, CoreFoundation, CoreTypes, curl, iodbcadmin, OpenSSL, Safari, sudo and syslog. Elsewhere, publicly posted exploit code can crash vulnerable Windows machines by exploiting a "critical" Windows flaw that Microsoft disclosed and patched in October.

Time to Take Off the Training Wheels

How are users supposed to learn if they never fall down? For many users, being faced with "safety" features just creates more workarounds. Confirming, clarifying, and checking every operation, as most applications these days do, is intended to protect users from accidents. The result is similar to what many people find after putting training wheels on a child's bicycle: the vehicle is more cumbersome and the child never learns to ride it properly.

Digital Rights Management: When a Standard Isn’t

"Whether you're a buyer or a seller of a product, the essential goal of standardization is to make interoperability possible, allowing communication with anyone else using the same protocol and media. In some cases though, vendors have specific reasons for not being compatible - and those vendors have developed a standard for incompatibility, digital rights management. The goal of DRM is to limit compatibility because things which are compatible can be copied and distributed freely. In this article, Peter Seebach looks at a potential oxymoron - standards designed to subvert and prevent interoperability."