Blackmoor Vituperative

Tuesday, 2009-06-16

IT professionals concerned about Forrester Research competence

Filed under: Security,Software — bblackmoor @ 09:22

Forrester Research has come out with a report stating, among other things, that half to two-thirds of businesses have “concerns” about open source security.

The problem with empty headlines like “Companies still concerned about open source security” is that they tell you nothing and yet imply everything. You may as well say, “Study Reveals Pittsburgh Unprepared For Full-Scale Zombie Attack”. What does this headline tell you? Is any city prepared for a full-scale zombie attack? Is a full-scale zombie attack even remotely likely?

The answer to both is “no”. Yet the headline implies that the answer to both questions is “yes”.

Should companies be concerned about the security of open source software? Of course they should — and they should also be concerned about closed source software, as well as the firmware in their hardware, their physical security, and the safety of their employees in the parking lot.

Should companies avoid open source software for “security” reasons? Of course not. Open source software is, in general, more secure than closed source software, and security flaws in open source software are more quickly corrected when they are found.

The problem with polls like Forrester’s (and those who conduct them) is not that the results are inaccurate (although they may be). The problem is that you won’t get the correct answer if you do not ask the correct question — and you have to understand the topic in order to ask the right questions. Forrester Research clearly doesn’t.

Wednesday, 2009-06-10

10 ways to avoid IT security breaches

Filed under: Security — bblackmoor @ 08:51

It is not possible to prevent every possible security breach. However, some common sense measures will make such a breach significantly less likely to occur.

Tuesday, 2009-06-09

Microsoft hacks Firefox, installs security hole

Filed under: Security,Software — bblackmoor @ 16:59

In a surprise move this year, Microsoft has decided to quietly install what amounts to a massive security vulnerability in Firefox without informing the user. […]

Microsoft pushed out its .NET Framework 3.5 Service Pack 1 update this February […] it installs the Microsoft .NET Framework Assistant extension for Firefox, silently, without informing the user. If you had Firefox on your computer when this update was installed, you may be subject to some dire consequences. […]

Yes, that’s right — the long-time, well known security hole present in Internet Explorer that consists of essentially letting Websites install dangerous, untrusted code on your computer willy-nilly has now been shoehorned into your MS Windows install of Firefox without your knowledge or permission.

Worse yet, Microsoft isn’t satisfied with just giving you vulnerabilities without your permission or even your knowledge. It has also gone out of its way to ensure that you’ll have a difficult time removing the vulnerability from your system if you should happen to become aware of it. The Uninstall button for this extension in Firefox has been deactivated.

(from Microsoft may be Firefox’s worst vulnerability, TechRepublic)

To find out how to remove this security vulnerability, see Uninstalling the Clickonce Support for Firefox.

Tuesday, 2009-03-24

A few interesting security links

Filed under: Security — bblackmoor @ 10:36

Just thought I’d pass along a few security-related links which I thought were interesting…

In particular, I think this comment strikes at the heart of what’s wrong with IT in many companies:

Open source software in general, and Linux in particular, also has an undeserved reputation for poor security in some circles. Part of the reason for this is the fact that many people simply don’t understand how software security, and open source development, works. They hear “open source”, and think “Hell, if anyone can get the source, then anyone can modify it. How do we know we aren’t getting software modified by some malicious ‘hacker’ who wants to steal our sensitive data?” Another part of the reason is that many people with limited technical skills — and a dismaying number of supposed technology “experts” — simply don’t understand that there’s more to security than counting vulnerabilities.

(from Recession: a chance to deploy open source security solutions, TechRepublic)

Saturday, 2009-01-31

Postfix and Comcast

Filed under: Linux,Security — bblackmoor @ 12:36

I got a fun email today from Comcast (my ISP), saying they are blocking port 25, the port on which SMTP sends email, as a measure to fight spam. Isn’t that a kick in the pants? Of course, the only time I send email from home is when mortshire.org sends me reports. However, that is important, so I needed to find a way for mortshire to send me email with Comcast’s blessing. Thanks to Patrick Ben Koetter and Chris Fay, I have done just that.

1. In /etc/postfix/main.cf I added or changed these lines:

myhostname = annwn.mortshire.org
mydomain = mortshire.org
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

relayhost = [smtp.comcast.net]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options=

2. I created a file /etc/postfix/sasl_passwd with the contents:

[smtp.comcast.net]:587 userid:password

where userid and password are my comcast.net username and password.

3. Next, I changed the ownership and permissions on the sasl_passwd file to protect it from unauthorized access.

sudo chown root:root /etc/postfix/sasl_passwd
sudo chmod 600 /etc/postfix/sasl_passwd

4. Finally, I created a database file from the contents of the sasl_passwd file:

sudo postmap hash:/etc/postfix/sasl_passwd

There we go: postfix now uses the Comcast mail gateway, and operates on port 587 rather than 25 (because spammers would never be able to do that, right? Yeeeeaaaahhhhhh…).

(Note: this is Postfix 2.5.5 under Fedora 10.)
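The same relay setup as an added example, not the configuration from the post above. It keeps the relayhost and SASL settings shown there but also requires STARTTLS to smtp.comcast.net: with smtp_sasl_security_options left empty and no TLS setting, Postfix will authenticate with PLAIN or LOGIN over an unencrypted session, sending the Comcast username and password in the clear. Here plaintext mechanisms stay forbidden on unencrypted sessions and are allowed only inside TLS, which the "encrypt" level makes mandatory. The password file is created 0600 from the outset and its mode is checked before postmap runs. Assumed, not from the post: the POSTFIX_DIR, COMCAST_USER and COMCAST_PASS variables, the function names, and a Postfix build with TLS support (Fedora's has it; smtp_tls_security_level needs Postfix 2.3 or later, smtp_sasl_tls_security_options 2.2 or later).

```shell
#!/bin/sh
# Added example (not the original post's configuration): authenticated relay
# through Comcast on port 587 with STARTTLS required, plus a permission check
# on the file holding the credentials.
# Assumptions: POSTFIX_DIR defaults to Fedora's /etc/postfix; COMCAST_USER and
# COMCAST_PASS are placeholders; postmap/postconf/postfix are only invoked
# when actually installing.
set -eu

RELAY='[smtp.comcast.net]:587'

# Print the main.cf settings for the relay. Compared with an empty
# smtp_sasl_security_options, this keeps PLAIN/LOGIN forbidden on cleartext
# sessions and permits them only once TLS is up; "encrypt" refuses to deliver
# to the relay at all without TLS. loglevel 1 logs a summary per handshake so
# you can confirm in the mail log that TLS was actually negotiated.
relay_main_cf() {
    cat <<EOF
relayhost = $RELAY
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:$1/sasl_passwd
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_loglevel = 1
EOF
}

# Write DIR/sasl_passwd for USER and PASS. The file is created 0600 via umask
# rather than chmod'ed afterwards, so it is never world-readable, even briefly.
write_sasl_passwd() {
    dir=$1 user=$2 pass=$3
    old_umask=$(umask)
    umask 077
    printf '%s %s:%s\n' "$RELAY" "$user" "$pass" > "$dir/sasl_passwd"
    umask "$old_umask"
}

# Return 0 if FILE is mode 0600 or 0400 (GNU stat, with a BSD fallback).
check_secret_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case $mode in
        600|400) return 0 ;;
        *) echo "refusing: $1 has mode $mode, expected 0600" >&2; return 1 ;;
    esac
}

# Full install: run as root with COMCAST_USER and COMCAST_PASS in the environment.
install_relay() {
    dir=${POSTFIX_DIR:-/etc/postfix}
    write_sasl_passwd "$dir" "${COMCAST_USER:?COMCAST_USER not set}" \
                             "${COMCAST_PASS:?COMCAST_PASS not set}"
    check_secret_perms "$dir/sasl_passwd"
    postmap "hash:$dir/sasl_passwd"
    chmod 600 "$dir/sasl_passwd.db"   # the compiled map holds the same secret
    if grep -q '^relayhost' "$dir/main.cf"; then
        echo "relayhost already set in $dir/main.cf; merge these by hand:" >&2
        relay_main_cf "$dir" >&2
        exit 1
    fi
    relay_main_cf "$dir" >> "$dir/main.cf"
    postfix reload
}

if [ "${1:-}" = install ]; then
    install_relay
fi
```

Run it as root with `COMCAST_USER=... COMCAST_PASS=... sh relay.sh install`; without the `install` argument it only defines the functions. Afterwards `postconf relayhost smtp_tls_security_level` should show the new values, and the next report mortshire sends should produce a "TLS connection established to smtp.comcast.net" line in /var/log/maillog before the "status=sent" entry. If the relay ever stopped offering STARTTLS, "encrypt" would defer the mail rather than fall back to sending the password in the clear, which is the failure mode you want.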

Tuesday, 2009-01-13

MD5/SSL exploit not the end of the world

Filed under: Security — bblackmoor @ 11:17

TechRepublic has an interesting article that gives a brief explanation of the MD5/SSL exploit that was the cause of such panic last month.

On the surface, this “event” proves that it’s possible for an attacker to insert himself into the certificate acquisition process, resulting in wrongful authentication of visited sites. However, SSL might not be in as much danger as originally reported.

Yes, there are many CAs still using MD5 for at least some certificate signing. In fact, the rogue certificate used in this exploit emulated a VeriSign RapidSSL cert. TC TrustCenter AG, RSA, and Thawte Inc. also still use the vulnerable hash function. But there are four significant mitigating factors.

  1. Most enterprise-class certificates, such as VeriSign’s Extended Validation SSL Certificates, use the still secure SHA-1 hash function.
  2. Certificates already issued with MD5 signatures are not at risk. The exploit only affects new certificate acquisitions.
  3. CAs are quickly moving to replace MD5 with SHA-1. For example, VeriSign was planning to phase out MD5 by the end of January 2009. The date was pushed up due to the December proof of concept. On December 31, 2008, RapidSSL certificates shipped with SHA-1 digital signatures.
  4. The researchers did not release the under-the-hood specifics of how the exploit was executed.

Again, these are mitigating factors. It isn’t impossible for cybercriminals to come up with an attack on their own now that conceptual understanding of the approach is public knowledge. But SSL is not broken. The only thing broken is a portion of the public key infrastructure (PKI) which underlies it, and the risk is manageable.

(from The new MD5/SSL exploit is NOT the end of civilization as we know it, TechRepublic)

I do not pretend to understand the mathematics behind much of this, but I find it all very interesting, nonetheless.

Monday, 2009-01-12

NSA initiative pinpoints 25 top coding errors

Filed under: Programming,Security — bblackmoor @ 18:40

It looks like the NSA is actually doing something useful for a change, rather than just spying on American citizens.

Saturday, 2008-01-26

Shareaza warning

Filed under: Music,Security,Technology — bblackmoor @ 21:27

Warning: shareaza.com has been suborned by scammers. For Shareaza updates, always go to http://shareaza.sourceforge.net.

Friday, 2007-07-20

Mac worm incites death threats and intrigue

Filed under: Security — bblackmoor @ 12:23

A soap opera is playing out on the mailing lists of several security newsgroups this morning, complete with people hiding behind pseudonyms, people “outing” one another and rumors of death threats against the major players. At stake? A possible worm for Apple’s Mac OS X operating system.

(from CNET News.com, News of a Mac OS X worm incites death threats and intrigue)

Monday, 2007-04-02

Homeland Security wants master key for the Internet

Filed under: Security — bblackmoor @ 11:35

The US Department of Homeland Security is insisting that Verisign hand over the master keys of the Internet.

If it succeeds, the US will be able to track DNS Security Extensions (DNSSec) all the way back to the servers that represent the name system’s root zone on the Internet.

Effectively it would mean that US spooks could snoop on anyone in the Worldwide wibble and place control of the Interweb tubes firmly in the paws of the US government.

(from The Inquirer, Homeland Security wants master key for the Internet)
