Privacy, Security Archive

Hardening Linux: a 10 step approach to a secure server

Submitted by Flavio Villanustre 2005-06-16 Privacy, Security 12 Comments

The Internet has become a far more dangerous place than it was 20 years ago. Nowadays, Operating System and application security is an integral part of a server configuration and, while firewalls are very important, they are not the panacea.

Fixes in for critical IE, Windows flaws

Eugenia Loli 2005-06-15 Privacy, Security 27 Comments

Microsoft on Tuesday issued three "critical" patches for flaws that could allow a malicious attacker to take remote control of a computer.

IBM Gives Your Information to the Government

Submitted by Anonymous 2005-05-31 Privacy, Security 13 Comments

Software developed by S.R.D. (Systems Research and Development), recently acquired by IBM, allows huge collections of personal data (travel manifests, medical data) to be compared with other databases, such as terrorist watch lists, while not actually disclosing the data between two entities. What's actually compared is a one-way hash, and any "hits" between two lists, would identify a record number that would presumably lead to a request for the whole record. S.R.D. was originally funded by the CIA's In-Q-Tel venture capital arm.

FreeBSD: Fix for Hyper-Threading Vuln. Considered Non-Trivial

Submitted by HassleB0f 2005-05-31 Privacy, Security 1 Comment

KernelTrap reports: Colin Percival continues the discussion regarding the shared-cache vulnerability inherent in multi-core processors, offering potential mitigation techniques in the form of fixes to the FreeBSD schedulers. Based on Percival's original discovery, information leakage between threads which share a processor core and the subsequent opportunity to monitor memory access patterns can be prevented by eliminating the co-scheduling of threads that have differing privileges.

No ELF Vulnerability in Linux Kernel (Updated)

David Adams 2005-05-29 Privacy, Security 44 Comments

Update: It appears that we mischaracterized the conclusions in our title and our summary on this story. Greg KH was referring only to the ELF vulnerability in this story. Whether we were deliberately mislead by the submitter of this story or not, we regret the error.

The original story: According to "Greg KH," co-maintainer of the 2.6.x.y series of important stability and security fixes, the Linux kernel does not suffer from the much-hyped hyper threading vulnerability that affected the BSDs: " The main reason there have not been any updates, is that there really isn't a problem for the 2.6 kernel. The original author has admited this finally, no one was ever able to reproduce it on a 2.6 kernel. The only reason I released a kernel update, was at the time, we thought there was an off-chance that there was a problem. However in further testing, it has not been the case." This confirms Linus's earler assertion.

OS makers slow to fix flaw, researcher says

Eugenia Loli 2005-05-27 Privacy, Security 34 Comments

Operating system vendors were given two months notice before a security flaw was made public, but some have yet to resolve the issue, a security researcher has claimed.

Using a Network Analyser as a Security Tool

Submitted by DTY 2005-05-27 Privacy, Security 3 Comments

Because firewalls and other defensive security measures are not failsafe, you need additional tools to detect and respond to security breaches as they occur. A network analyser can detect known (and even some unknown) virus attacks and make the cleanup process much more efficient.

Bypass found for Windows piracy check

Eugenia Loli 2005-05-24 Privacy, Security 47 Comments

A tool provided by Microsoft could let people get around a check meant to prevent those with pirated copies of Windows from downloading additional MS software, according to a security researcher.

OSes suffer serious security hole through CPUs

Eugenia Loli 2005-05-13 Privacy, Security 32 Comments

Colin Percival, a FreeBSD committer and security team member, has found a local exploit against the current implementation of Intel's Hyper-Threading Technology. "Hyper-Threading, as currently implemented on Intel Pentium Extreme Edition, Pentium 4, Mobile Pentium 4, and Xeon processors, suffers from a serious security flaw," Colin explains. "This flaw permits local information disclosure, including allowing an unprivileged user to steal an RSA private key being used on the same machine. Administrators of multi-user systems are strongly advised to take action to disable Hyper-Threading immediately."

Security – The Best Laid Plans

Submitted by Danny 2005-05-11 Privacy, Security 2 Comments

Security used to be as simple as a solid lock on a solid door, a safe in the back room and perhaps even a retired police officer out front (if you were really serious). But the modern business looks at security, and threats to security in a whole different light. Security of information, systems and networks are now just as important as, and often integrated with, shop-front security. read more

Mobile Security: Data Goes Walkabout

Submitted by Danny 2005-05-04 Privacy, Security 4 Comments

Mobile security is a hot issue, but who is listening? The mere word 'security' sends most people running. Investing in preventative IT security has never been a very popular topic. It often needs a competitor or an organisation itself to become a victim of crime before senior executives sit up and listen. read more

Apple Mythology and Desktop Security

David Adams 2005-04-22 Privacy, Security 43 Comments

A CIO Today editorial notes that security concerns are most often cited when IT managers consider a switch to Linux over Windows, but difficulty in replicating Microsoft Office functionality is a barrier. Why not use Macs? In addition to software-side security advantages, there are distinct security advantages to using a non-x86 platform as well. And you can still run Office.

The Facts & Fiction Around Windows Security

Submitted by Tim 2005-04-22 Privacy, Security 59 Comments

Microsoft has taken alot of heat for the security issues that surround its Windows operating systems, but they should not be the only ones taken the heat for Windows security. There are other parties out there that deserve to shoulder some of the blame with Microsoft. This editorial, originally written for a Communication Security course, tries to take an objective view of who is exactly to blame for what in the perceive mess that is Windows security.

Linux lags Windows in new security report

Eugenia Loli 2005-03-22 Privacy, Security 64 Comments

A report released today indicates Windows Server 2003 may actually be more secure than its most popular Linux competitor when it comes to vulnerabilities and the time it takes to patch them.

“Trusted Computing” Sneaks into PCs

David Adams 2005-03-17 Privacy, Security 23 Comments

"The three largest computer makers--Dell, Hewlett-Packard and IBM--have started selling desktops and notebooks with so-called trusted computing hardware, which allows security-sensitive applications to lock down data to a specific PC."

Securing Removable Media

Submitted by Danny 2005-03-11 Privacy, Security No Comments

Removable media devices are here to stay. Their ease of use and low cost have made them ubiquitous in the work environment – but at what price? In this article we look at the pro’s and con’s of removable media, and the steps IT managers can take to mitigate the security risks associated with them.

The Least Privilege Model in the Solaris 10 OS

Submitted by fintanr 2005-03-09 Privacy, Security 14 Comments

The Least Privilege Model in Solaris 10 allows for finegrained management of process and user privileges within Solaris 10. Amy Rich has written a nice introduction for Sun's bigadmin website.

The Rise Of The Customised Security Attack

Submitted by LogError 2005-03-07 Privacy, Security 10 Comments

As criminals operating online have begun to realise the potential commercial value of Internet-related crimes, so they have started to investigate other ways of using malware to line their pockets.

The Network Poltergeist

Submitted by LogError 2005-03-03 Privacy, Security 8 Comments

The IT industry isn’t as boring and technically obsessed as many outsiders believe. Viruses and malicious hacker threats in particular have been increasingly sensationalised in the popular press, squeezing the issues gradually into the public consciousness.

How secure is your computer?

Eugenia Loli 2005-03-01 Privacy, Security 76 Comments

A Windows computer without the latest security patches is in big trouble. That's the conclusion from a "honey pot" experiment conducted by StillSecure, a Louisville network security firm. StillSecure attached six computers - loaded with different versions of the Windows, Linux and Apple's Macintosh operating systems - earlier this month to the Internet without anti-virus software. The results show the Internet is a very rough place.