On a normal system, if an attacker gains root or administrator access, he or she can run rampant. Not so on a trusted system -- at least so long as it is properly configured. Read the article at NewsFactor.
Privacy, Security Archive
A key code for installing Microsoft's Windows Server 2003 has leaked onto the Internet, a loss that could lead to widespread piracy of the OS. In the meantime, the battle for "Trustworthy Computing" is still on.
Columnist Tim Mullen from SecurityFocus wrote an interesting editorial about how the media are overeacting on some thought exploits/holes found on Windows 2k/XP, while in his opinion, other platforms/apps are also as vulnerable but they don't get as agressive reporting: "This kind of thing damages overall security. It clouds the issue, and rains on the wrong parade. The media should give its readers all the information-- not slant it in an effort to make Microsoft look like the bad guy every time."
Counting viruses is simplistic, but there is evidence that Windows is becoming more resistent, and Linux is becoming more of a target. The report also points out that Apple is becoming vulnerable, "now that it is fielding an operating system with embedded Internet protocols and Unix utilities.". Read the article at ZDNet UK by John McCormick.
"Wireless networks are replacing wired networks very rapidly. More and more people want to stay connected on the road. What this transition brings is - more security problems. While wired networks have been around for ages and have had the time to make good security defences, wireless networks and new in comparison and still have a long way to go. This book aims to give you the knowledge you need to bring maximum security to your network, by teaching you how that security can and will be broken." Read the review at Help Net Security.
Red Hat and Mandrake are cutting support for older versions of their Linux distributions... The results will be a security nightmare for the Internet, says Jon Lasser.
The Bush administration signed off Friday on the final version of the United States' strategy for protecting the Internet and securing information systems. Additionally, Attorney General John Ashcroft wants even more power to snoop on the Internet, spy on private conversations and install secret microphones, spyware and keystroke loggers.
Computer security experts said on Thursday the recent "SQL Slammer" worm, the worst in more than a year, is evidence that Microsoft Corp.'s year-old security push is not working.
The company plans to update its Smartphone 2002 operating system to fix flaws that make it possible to send rogue software programs to a specific model of phone that uses the OS.
Brian Richardson, AMI's engineer, replies to a long interview on Slashdot about TCPA, Palladium, and other BIOS issues. Interesting read.
"Could we be constantly tracked through our clothes, shoes or even our cash in the future? I'm not talking about having a microchip surgically implanted beneath your skin, which is what Applied Digital Systems of Palm Beach, Fla., would like to do. Nor am I talking about John Poindexter's creepy Total Information Awareness spy-veillance system, which I wrote about last week. Instead, in the future, we could be tracked because we'll be wearing, eating and carrying objects that are carefully designed to do so." Read the interesting editorial at ZDNews.
TechTV published a look at security issues in the past year, and they found that worms, viruses, spam, and other security scourges are on the rise, and are affecting common computer users as well as big data centers: If 2001 was the year of corporate headaches, 2002 saw average PC users under attack.
"Reid Ellison is a 15-year-old high school hacker who, for a time, had complete control over his school's computer system. A hack attack from a smart kid is just about any school's worst nightmare. But Ellison got a pat on the back for his exploits, rather than a slap on the wrist. This is actually a good news story about a kid who used his hacking talents for good rather than evil." Read the full story at ABC News.
Nicholas writes: "There's an interesting interview over at LinuxWorld about U.S. government and open-source security. Robert McMillan of LinuxWorld.com talks to Marc Sachs of the White House Cyberspace Security Office about the role of open-source software in the US government."
This is old news, but still, everyone should be aware of it. And on a theoretical basis, the co-creator of UNIX, Ken Thompson wrote a paper on which he explains that it is possible to add a backdoor to a closed source compiler and when you first compile any other compiler (e.g. GCC), any concequent compiles from this new compiler, would include the backdoor by default. Pessimistic thought of the day: nothing is safe. Neither Windows or Unix. I wonder how "safe" the Security-Enhanced Linux from NSA is. It might secure you from others, but does it secure you from NSA itself? ;P Update: More info here (Ms reply on the issue) and here.
According to a report published November 12 by Aberdeen Group, "Security advisories for open source and Linux software accounted for 16 out of the 29 security advisories - about one of every two advisories - published for the first 10 months of 2002 by Cert." Read the report at NewsForge.
"Palladium is not secure Windows. Not exactly. Nor is it a standalone OS. Not exactly. Manferdelli presents it as a sort of parallel OS that is securely ringfenced from Windows, but which doesn't run all the time, and which actually you wouldn't want to run all the time. It works like this..." Read the rest of the article at TheRegister.
"At the USENIX Security Conference held here recently, Microsoft developers touted the company's upcoming Palladium architecture as technology that would enhance privacy, stymie piracy and increase a corporation's control over its computers." Read it at ZDNews.
Based on the number of vulnerabilities announced in 2002 that affect operating systems, the SCO Unix, Apple Macintosh and Compaq Tru64 Operating Systems appear to be the least prone to hacker attack and damage from viruses and worms. This is one of the startling conclusions of the end-of-October 2002 analysis of digital attacks to be released on 1st November.
Critics have slated a Microsoft document on its upcoming Palladium digital rights software as containing several outright "lies". The 1,500-word frequently asked questions (FAQs) paper gives some details about how Palladium will work and how it relates to digital rights management and the Trusted Computing Platform Alliance. Read the rest at VNUnet. Update: Another article about Palladium, here.