Security

Tutorial: OpenSSL Command

Thu, 18 Aug 2011 07:30:00 EDT

The OpenSSL is based on SSLeay library developed by Eric A. Young and Tim J. Hudson and licensed under an Apache-style license. OpenSSL has lots of features but I will cover encoding, checksums, encryption, passwords and pass phrases. Many Linux distributions have OpenSSL as part of the bundled packages and is most likely located in /usr/bin. Versions may vary and currently openssl-1.0.0d Feb 8 is the current version. Most of the examples that are found in this document should work on most versions.

The Development of a Perl-based Password Complexity Filter

Tue, 19 Jul 2011 12:00:00 EDT

If you watch the news regularly, it is easy to notice that in almost any given week some company seems to have experienced an electronic break-in or in some other way experienced a form of computer or network compromise. While computer security professionals can help to mitigate such risks via the proper configuration of firewalls, careful crafting of Access Control Lists, the application of updates, and the judicious application of file permission, among other measures, it’s important that one of the most fundamental ways of improving the security of a computer or network resource not be overlooked – that of a really strong password. To this day passwords remain one of the weaker links in the security of electronic resources, and their potential for exploitation needs to be examined more carefully than ever. With the growing trend of cloud computing-based initiatives, many resources that were formerly enclosed within the wall of a business are now available over a network, thereby mitigating the physical security measures the previously helped to limit access to such resources. Given that many of these cloud-based solutions are accessed via user name and password combinations, a strong password is often the primary form of defense against illicit access.

Metasploit Nessus Bridge on Ubuntu

Fri, 01 Jul 2011 10:00:00 EDT

Ever wondered how to use the autopwn feature in Metasploit on Unbuntu? Want to run nessus from within metasploit? What database should I use: sqlite3 or postgres? I will explain the benefits of both. Nessus is a vulnerability scanner program, it is free for personal use using the nessus for home. They also have a nessus for business which requires a fee. I will be discussing the nessus for home use and using it with the popular metasploit framework. Acquire the latest release of nessus homefeed Nessus-4.4.1-ubuntu1010_i386.deb and register for the activation code. Follow the instructions listed in the document ion for installing with Ubuntu and start to configure. Nessus daemon cant be started until nessus has been registered and the plugin download has occurred.

Bulletproofing the WebSocket Wire Protocol

Sun, 12 Dec 2010 02:30:00 EST

There's been a flurry of discussion this week among Internet and Web standards heavy-hitters around WebSocket, the new communications protocol supported in Chrome 4 and Safari 5. What was the main issue? Is there some kind of fundamental security vulnerability with the WS protocol? Web Security Journal turned to a domain expert in such issues, namely the CTO of Kaazing Corporation, John R. Fallows.

White House Taps Cyber Security Czar

Mon, 28 Dec 2009 11:30:00 EST

Right before Christmas, the White House tapped Microsoft’s long-ago chief security officer, the CEO of the non-profit Information Security Forum Howard Schmidt as head of US cyber security. Despite the national priority, between pressure from US companies and reported infighting among bureaucrats, it took 10 months for the Obama administration to find someone who would take the job of dealing with millions of attacks a day on government and military systems – including hacks by Russia, China and terrorist interceptions of drone video feeds – as well as increasing financial losses to phishing schemes and Internet thefts like the reported multimillion-dollar one pulled off by the Russian mafia at Citigroup. How Schmidt interprets the job will be watched. There are doubts about his authority and the adequacy

Data Breaches Pain IT Executives

Sun, 20 Dec 2009 02:00:00 EST

Depending on how IT executives handle the situation, reactions to data loss reports can range from indignation to outrage, with personal consequences for the decision-makers. IT executives at ChoicePoint, Inc., looked like heroes when they reacted swiftly to a potential data breach in 2005. More often, though, leaky data pipes lead to unpleasant consequences for the executives responsible: from public outrage to protests and unemployment. HackerGuardian from Comodo helps IT executives detect and prevent catastrophic data losses.

It All Comes Down to YOU – The User

Tue, 15 Dec 2009 18:45:00 EST

For many years now, we’ve been warned that it is risky to click on embedded links in a suspicious email or dangerous to click through the certificate warnings from your browser and hopefully many people have changed their behavior. That’s within our control. But when a researcher finds a specific vulnerability in a particular protocol, potentially affecting several vendors, there is really not much an individual user can do. Sure, you or the IT department can check with their vendor to see if it applies to their product but would you immediately stop using something when it’s a critical part of your infrastructure. Once again, which is usually the case for security, you must weigh the risks and determine if it’s within your control. Bruce points out that many of the vulnerabilities affect systems that are out of our control and if your data is already out there, unplugging your computer will not lessen the potential exposure.

Einstein, Sharks and Clouds: IT Security in the Cloud

Tue, 20 Oct 2009 09:00:00 EDT

Lately there has been a barrage of articles with regards to cloud security, and some very public demonstrations of outages with Facebook and Twitter. Its been a field day for many who oppose the cloud computing model. Let me get this out of the way so that there is no misunderstanding, yes, I agree with most on the need for better security in the cloud, and rest assured, the cloud service providers are motivated to work on it.

Czech Summit Data Leak Should Not Have Happened

Thu, 23 Apr 2009 05:18:00 EDT

The data leak at the EU/US summit which has just taken place in the Czech Republic - and which has reportedly resulted in Finland's Prime Minister changing his passport - should not have happened, says Credant Technologies, the military grade encryption specialist.

EFF Coder’s Rights Project

Mon, 20 Apr 2009 12:18:00 EDT

I ran across this today, and thought it was just too valuable to not make mention of. The EFF has a “Coder’s Rights Project” that includes FAQs and guides related to the legalities of security disclosure, reverse engineering, and ethical hacking/testing for security vulnerabilities. They are absolutely fantastic layman summations of all the legal nuances (US-centric) that you should be aware of while pursuing any of these legally grey endeavors. The FAQs and guides concisely lay out how the various US laws, such as DMCA, copyright, and Computer Fraud and Abuse Act can come into play during security testing, disclosure and reverse engineering efforts. The EFF material also provides very good advice regarding how to reduce/limit your risk.

CohesiveFT Adds Fedora Core 10 to its Automated Elastic Server Platform

Fri, 17 Apr 2009 19:55:00 EDT

CohesiveFT ( http://www.cohesiveft.com ), the leader in onboarding solutions for virtual and cloud computing infrastructures, today announced the... Read more at VMblog.com.

Why 'LiveCD' Should Be a Part of Every Computer User's Vocabulary

Fri, 07 Mar 2008 11:00:00 EST

Throughout the last decade, society has witnessed an explosion of network connectivity among PCs and mobile devices as well as a vast proliferation of networked applications, ranging from Web-based email to online banking. The end result of this is that network connectivity has become an almost indispensable resource for many individuals.

Proactively Preventing Data Corruption

Thu, 03 Jan 2008 14:00:00 EST

Data corruption is an insidious problem in storage. While there are many forms of corruption, there are also many ways to prevent them. For example, enterprise class servers use error checking and correcting caches and memory to protect against single and double bit errors. System buses have similar protective measures such as parity. Communications going over the network are protected by checksums.

Trend Micro Enhances Linux Security With ServerProtect

Thu, 01 Jun 2006 22:00:00 EDT

Trend Micro, a provider of network antivirus and Internet content security software and services, has announced a solution, the Trend Micro ServerProtect for Linux, that provides highly scalable and real-time protection for internal and external endpoints.

BitDefender Unveils Powerful Linux-Based Enterprise Security Suite for Mail and File Servers

Tue, 30 May 2006 20:00:00 EDT

BitDefender has announced the public availability of its new Enterprise Security Suite for Mail and File Servers running on Samba or FreeBSD. The powerful, new Linux-based security suite - including BitDefender Mail Protection for Enterprises, BitDefender Mail Protection for SMB, and BitDefender for Samba File Servers - is now currently available for download in both enterprise and SMB editions.

Finland's Ministry of Defence Taps Novell for Move to Linux

Mon, 27 Mar 2006 16:30:00 EST

Novell announced that Finland's Ministry of Defence has selected Novell SUSE Linux Enterprise Server as its platform for critical process management and documentation applications, messaging services, and Intranet portal. The Ministry tapped Novell's Linux platform for its proven reliability, high availability and security.

Empowering Linux Users to Reclaim Their E-mail Experience

Tue, 28 Feb 2006 12:00:00 EST

The Linux community - nearly 29 million platform users - has been plagued for years by spam which, according to industry statistics, is dramatically on the rise. Despite relentless efforts to stop it (including billions of dollars spent to develop anti-spam solutions), spam continues to infiltrate our in-boxes every day. Not only does it cost consumers and businesses precious time, money, and resources, but it also represents a huge security risk since many spam sites infect individual computers and corporate networks with viruses or spyware.

KDE Patches JavaScript Buffer Overflow Vulnerability In Its Linux Desktop Environment

Tue, 24 Jan 2006 07:45:00 EST

It emerged this week that KDE developer Maksim Orlovich had discovered an incorrect bounds check in kjs, the JavaScript interpreter engine used by Konqueror and other parts of KDE, that allows a heap based buffer overflow when decoding specially crafted UTF-8 encoded URI sequences. According to KDE.org source code patches have already been made available which fix these vulnerabilities.

Variadic Functions: How They Contribute To Security Vulnerabilities and How To Fix Them

Tue, 06 Dec 2005 15:15:00 EST

C/C++ language variadic functions are functions that accept a variable number of arguments. Variadic functions are implemented using either the ANSI C stdarg approach or, historically, the UNIX System V vararg approach. Both approaches require that the contract between the developer and user of the variadic function not be violated by the user.

How To Design and Implement an Enterprise Open Source Security Architecture

Thu, 10 Nov 2005 12:00:00 EST

Information security is a top priority for many companies. Protecting information from external threats such as hackers, viruses, and spam, as well as governmental regulation requirements (SOX, HIPAA, NISPOM, etc.), are driving IT purchases beyond ROI as C-level executives seek to assure shareholders (and themselves) that assets are secure within the company complex. Viewed as today's growth market, many software/hardware/service companies are creating offerings to mitigate perceived risk or actual liability.

SYS-CON Media Obtains Michael Lynn's Black Hat Cisco Presentation

Thu, 04 Aug 2005 13:45:00 EDT

The brouhaha over a presentation given last week by Michael Lynn has taken on a life of its own on the worldwide web. No surprise here. Lynn's presentation can be found easily, as can many other interesting related items. SYS-CON Media herewith presents a few things we've found.

Principles of Secure Programming

Mon, 30 May 2005 12:15:00 EDT

The purpose of this article is to show how basic security principles can help you develop programs that are harder for the bad guys to break. We'll examine a simple function that executes a command as though it were typed at the keyboard, exactly what the library function system does. But unlike many system implementations, we'll constrain what happens so the calling program can't trick it into executing some other program.

Symantec To Buy Veritas: May Announce Deal "As Early as This Week"

Tue, 14 Dec 2004 00:00:00 EST

Security giant Symantec, The New York Times is reporting this morning, is 'close to acquiring' Veritas for more than $13 billion, trumping yesterday's $10.3 billion acquisition of PeopleSoft by Oracle, and dwarfing Honeywell's $1.5 billion bid this week for Novar. Only the possible $35 billion merger between Sprint and Nextel would be a bigger deal than Symantec-Veritas.

Trusting Computing on Linux

Mon, 13 Dec 2004 00:00:00 EST

In an era where everybody is connected to a potentially harmful Internet with an increasing number of complex and distributed applications, controlling what the computers do has become significantly harder. At the core, simple actions (executing software, e-commerce, etc.) rely on trust relationships; what if your computer (or the merchant's) has been compromised and alters your perception of reality?

The Best of Both Worlds

Tue, 31 Aug 2004 00:00:00 EDT

Speedy disk backups are gaining in popularity as networking demands increase, but the traditional tape data protection won't disappear overnight. Maybe it's time to think about the best of both worlds.

Security Alert: Mplayer Users Urged to Upgrade to Latest Version

Wed, 04 Aug 2004 00:00:00 EDT

Users of the popular Mplayer media device are being urged to upgrade to the latest version, due to a bug.

Creating IT Security Policies

Tue, 27 Jul 2004 00:00:00 EDT

It's no secret to technical developers that security issues need to be taken into consideration when developing policies. However, the extent of those security issues can easily be overlooked by many organizations.

Open Source for Perimeter Security

Tue, 27 Jul 2004 00:00:00 EDT

Does the open source community provide world-class security technology? Can organizations stop dealing with commercial vendors for security software? To avoid any undue suspense, the answers are: 'Emphatically yes' and 'Maybe, but you probably need to make an investment of some kind.'

An Approach That Works

Mon, 19 Apr 2004 00:00:00 EDT

Seemingly everyone has insight into the open source versus closed source security debate. Each side provides plausible arguments for the benefits of their own model and points out drawbacks of the other. The proponents of open source argue that the source code is open and available for anyone to see, for many sets of eyes to examine, and is therefore more secure.

Securing a Tightly Integrated OS

Mon, 19 Apr 2004 00:00:00 EDT

As the state of the art in operating systems (OS) continues to advance, an unnerving trend has emerged: vulnerabilities in tightly integrated operating systems. How do you address this? With an effective combination of educated staff, proper procedures, and technology.

The Challenges of the Linux Audit

Mon, 19 Apr 2004 00:00:00 EDT

As a decision maker in your IT organization, you're aware that your Linux systems share is growing (if your enterprise follows today's business trend). Linux installations are now available on every major hardware platform. New projects in development include Linux systems in an increasing share, and you're challenged with incorporating these Linux systems seamlessly into your operations and business processing.

Exclusive Interview with Robert A. Clyde, CTO Symantec

Sat, 06 Mar 2004 00:00:00 EST

Symantec's CTO talks about comprehensive security and how today's IT organizations must address it.

Stop Malicious Code Execution at the Kernel Level

Mon, 22 Dec 2003 00:00:00 EST

This article presents a Linux kernel module capable of verifying digital signatures of ELF binaries before running them. This kernel module is available under the GPL license and has been successfully tested for kernel 2.5.66 and above

Experts: Worry more about insiders than cyberterrorism

Tue, 03 Jun 2003 00:00:00 EDT

Enterprises worried about cybersecurity should pay more attention to their own employees than to the as-of-yet unrealized threat of cyberterrorism, two cybersecurity experts warned a group of IT professionals. (800 words)

Apache group issues update, warns of security hole

Wed, 28 May 2003 00:00:00 EDT

As with its last software update, the Apache Software Foundation said that 2.0.46 was the 'best version of Apache available' and recommended that users of prior Apache versions upgrade.

Secret Microsoft plot to promote open source exposed!

Wed, 12 Feb 2003 00:00:00 EST

Our Hero uncovers Microsoft's ingenious, covert marketing efforts to promote Linux and open source via its own products' security vulnerabilities. This column is intended for mature audiences with a keen eye for sarcasm. (1,600 words)

The worst security problems? We can't tell from the FBI's top 20 list

Mon, 11 Nov 2002 00:00:00 EST

The list is misleading in that many readers and editors would have seen this as an FBI certification of the relative equality of security problems between systems running Microsoft Windows and those running Unix.

How to install PureSecure, the painless IDS

Tue, 30 Apr 2002 00:00:00 EDT

PureSecure is much more polished, more complete, and more fully featured than its free software counterpart ACID. It's not free for commercial use, however. (1,200 words)

How to detect intruders with ACID

Wed, 10 Apr 2002 00:00:00 EDT

All it takes is time and free software to set up a powerful intrusion detection system for your Unix system. Follow along as Joe Barr installs ACID on his system and discovers a big security hole. (1,450 words)

'Chinese Whisper' security advisories

Mon, 21 Jan 2002 00:00:00 EST

All vendors have made mistakes at some time, and no vendor seems to be any better or worse than the other. Fortunately, these mistakes do not appear to be malicious -- just the result of a game of Chinese Whispers. (1,200 words)