Domain: cert.org
Stories and comments across the archive that link to cert.org.
Comments · 757
-
Re:who is cenzic?
hits search
367 http://search.cert.org/search?q=advisory+internet+explorer
89 http://search.cert.org/search?q=advisory+netscape
61 http://search.cert.org/search?q=advisory+firefox
20 http://search.cert.org/search?q=advisory+safari
18 http://search.cert.org/search?q=advisory+opera
12 http://search.cert.org/search?q=advisory+lynx
clearly, the fewer letters in the name of your browser, the more secure it is. -
Re:who is cenzic?
Pfft, 18 is way too many, try a real browser
advisory lynx -
Re:who is cenzic?
Missing this one, the lowest of all:
http://search.cert.org/search?q=advisory+opera -
who is cenzic?
Just another consultant hired to slant reality if you ask me.
http://search.cert.org/search?q=advisory+internet+explorer
http://search.cert.org/search?q=advisory+firefox -
BIND vulnerability not fixed?
I can't see any reference to the latest BIND vulnerability being fixed by Apple in Mac OS X Server. It's vulnerable and has been fixed by other vendors, so why not?
-
Re:There is a difference - attack surface
You are correct. My original post was a bit over-simplified. Out of the COM objects that come with Windows XP, about 350 of them are marked Safe for Scripting, and almost 250 of them are marked Safe for Initialization, with a pretty large but not complete overlap between the two properties. That's still orders of magnitude larger than the plug-in attack surface of a browser like Firefox.
And even the objects that are not Safe for Scripting or Init cannot be discounted. Some objects cause IE to crash in an exploitable manner, triggered just by Internet Explorer checking if the control is safe or not. See:
http://www.kb.cert.org/vuls/id/959049 for more details. There is no analogue of this in the NSAPI world. -
There is no reason to have Java enabled
CERT has been telling users to disable Java in your web browser for years. If you haven't done so already, give it a shot. You probably won't miss it.
-
Re:What else did we expect?
What's unusable?
The amount of dexterity required to select a menu item from a nested menu is frustrating and it's worse trying to work with a touchpad. Lack of multiple desktops. Lack of customizability without a super secret Microsoft decoder ring[1]. To name three.
Vista is susceptible to far fewer viruses and malware (even without anti-virus) than XP.
I'm not comparing it to XP. Stand back from the keyboard a moment, read and think about what you wrote.
Malware was encouraged by really horrible (and previously discredited) design decisions on Microsoft's part. It's never safe to willy-nilly pass executable content around and worse to have it execute by default. Now that enough users have been trained to expect things like that, it's going to be extremely tough to retrain people into safe computing.
The oldest example I can recall: http://www.cert.org/advisories/CA-1995-10.html
Cost? It's basically the same price as XP was, unless you want Ultimate.
Which is per host and apparently more than most people here are willing to pay for it, so they either pirate it, or steal a copy from work.
Never before has a product been successfully marketed such that people pay not to use it. Example: I have two x86 machines at work. Between the two of them, they have *seven* separate Microsoft Windows licenses. The desktop has a Microsoft Windows 2000 preinstall license, plus corporate site licenses for 2k, XP and Vista along the way. The notebook has a Microsoft Windows XP preinstall license, plus corporate site licenses for XP and Vista along the way. Neither of the preinstalls were ever used.
The desktop never got the XP upgrade - I found Microsoft Windows 2000 on it when I inherited it and used it as a footrest until I was allowed to install Linux on it.
And, of course, since both of those machines run Linux the Microsoft site license is wasted on them.
Convenience? I find Vista far more convenient because I can do things (mostly) much faster.
That's nice, I'm very happy for you. I was referring to WGA & activation. Something that many people here actively avoid.
Poor performance happens.
I found on my company-issue Lenovo, that Microsoft Windows XP was far, far slower than RHEL on the same equipment.
I gave Microsoft Windows XP a shot for about six months a couple years ago. The only happy moments I had were when I powered the machine off, and of course, wiping the disk and installing RHEL on it. It's a faster and cooler (XP seems to run very hot) machine now.
[1] One time when I brought up my long-standing gripe about the big key to the left of the "A" key, I was pointed at some microsoft.com webpage. Capslock is useless and some people like Sun know it's supposed to be Control. It's very easy to fix this in KDE & Mac OS X.
-
Re:Coming full circle?
There is no alternative namespace, there are merely alternate streams in a file - named locations for storing meta data. The file is right there in the filesystem, obvious to all. The file data may be a bit hidden, requiring normal Windows system calls to read (just like one uses normal Windows system calls to create alternate data streams), instead of Notepad. Oh, wait, you can read them with Notepad too. What a bunch of FUD.
Because as we all know, no security issues ever came out of the namespace differences between C:\Program Files\foo and C:\PROGRA~1\foo
http://www.cert.org/advisories/CA-1998-04.html
http://www.kb.cert.org/vuls/id/544392 -
Re:That's the opposite of what the DHS said
Not long ago the DHS said to avoid IE and use firefox for security reasons.
Actually, it was *quite* some time ago (though they have repeated it many times).
They first published it in April 2004 and pointedly repeated it in June 2004 when the IIS/IE double-whammy hit.
gewg_
-
Re:are you sure this is such a good idea?
What!
Where have you been for the last decade? Pay attention!
http://www.kb.cert.org/vuls/byid?searchview&query=isc%20bind
http://www.kb.cert.org/vuls/byid?searchview&query=djbdns
18 v. 0? And you're looking for what kind of "authority" to make this judgement for you?
(For full disclosure, there is now a single candidate (by-design) vulnerability listed with the CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4392)
-
Learn good coding practice
It doesn't matter what you do after the fact to secure your web sites, if your scripting is full of holes, trying to plug them up after the fact isn't going to work. For example, you mention MySQL so I gather your code accesses one or more databases? If so do you know what a SQL injection bug is and have you reviewed your code for them? Nothing you do at the point of deployment is going to help fix a SQL injection bug.
I'm afraid that if you're using MySQL and PHP you've moved from the realm of the very basic to something more advanced. You're no longer just talking about slapping static content on the web. People spend years learning how to do these things really well. You should find yourself a good book and get started. Start with a Google. It costs nothing. If you have friends who do web development with similar tools talk to them and see if they'll help point you in the right direction.
Here are some things to get you started. Note that these are language-independent things you should do no matter what dev tools you use. You might want to look at something more targeted for PHP as well.
https://www.securecoding.cert.org/confluence/display/seccode/Top+10+Secure+Coding+Practices
Here's the main site.
https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards
The other way to go would be to make your web files more static. However, getting rid of everything dynamic may not be a reasonable option in 2009.
-
More difficult than it sounds
I recently interviewed security researcher Michael Collins for Beautiful Teams (a book I'm finishing for O'Reilly) about work he'd done at CERT working on SiLK, a collection of traffic analysis tools. From talking to him, it sounds like this is an enormously difficult problem to solve. His work involved modeling "normalcy" as a baseline to detect anomalies using an enormous amount of data spit out of edge routers. When I asked, "So your goal was to look at the data from routers, and just by looking at the gigabytes of daily data from router logs you can detect successful and unsuccessful attempts at intrusion?", he said, "That's the Holy Grail." (We'll be printing the whole interview, if you're curious to see it.) TFA was light on details -- if they managed to make some headway towards solving this problem, that would be amazing. But from what we talked about, it sounds like simply finding anomalies after the fact using a huge amount of data turns out to be enormously difficult. Doing it in real time seems
... well, let's just say that I'm skeptical. -
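The baseline-then-anomaly approach described in the interview above, as an added example that is not code from CERT, SiLK or the interviewee. It works on a constructed list of flow summaries (hour, source, destination, destination port) rather than real router logs, builds each source's baseline of distinct destinations per hour over a training window, and flags later hours whose count sits far outside that baseline using a median/MAD z-score (chosen over mean/stddev so one noisy training hour does not inflate the baseline). The hosts, addresses and counts are made up for the demo.

```python
from statistics import median


def build_flows():
    """Constructed flow records: (hour, src, dst, dst_port).
    10.0.0.5 talks to 10-12 web servers every hour; 10.0.0.8 to 3-4 SSH hosts.
    In hour 24, 10.0.0.8 suddenly sweeps 200 new hosts on port 22."""
    flows = []
    for hour in range(24):
        for i in range(10 + hour % 3):
            flows.append((hour, "10.0.0.5", "192.0.2.%d" % (i + 1), 443))
        for i in range(3 + hour % 2):
            flows.append((hour, "10.0.0.8", "192.0.2.%d" % (i + 1), 22))
    for i in range(11):
        flows.append((24, "10.0.0.5", "192.0.2.%d" % (i + 1), 443))
    for i in range(200):
        flows.append((24, "10.0.0.8", "198.51.100.%d" % (i + 1), 22))
    return flows


def hourly_counts(flows):
    """Aggregate to {src: {hour: number of distinct destinations}}."""
    per = {}
    for hour, src, dst, _port in flows:
        per.setdefault(src, {}).setdefault(hour, set()).add(dst)
    return {src: {h: len(d) for h, d in hours.items()} for src, hours in per.items()}


def robust_zscore(value, baseline):
    """Median/MAD z-score; the 0.6745 factor makes MAD comparable to a stddev."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline) or 1.0  # flat baseline: avoid /0
    return 0.6745 * (value - med) / mad


def find_anomalies(flows, train_hours, threshold=3.5):
    """Return (src, hour, count, z) for hours outside the training window
    whose distinct-destination count deviates from that source's baseline."""
    counts = hourly_counts(flows)
    alerts = []
    for src, by_hour in counts.items():
        baseline = [by_hour.get(h, 0) for h in train_hours]
        for hour, n in sorted(by_hour.items()):
            if hour in train_hours:
                continue
            z = robust_zscore(n, baseline)
            if z > threshold:
                alerts.append((src, hour, n, round(z, 1)))
    return alerts


if __name__ == "__main__":
    for src, hour, n, z in find_anomalies(build_flows(), range(24)):
        print(f"hour {hour}: {src} reached {n} distinct hosts (z={z})")
```

The scanning host is the only alert; the web host's hour 24 count is inside its normal range and is not reported. Real deployments fight exactly the problems the interview mentions: the baseline must be per-entity and per-time-of-day, and a quiet host with a flat baseline needs the divide-by-zero guard above or it alerts on any change at all.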
Re:"Fair and balanced" summary??
My favorite DB bug is the Interbase back door: http://www.kb.cert.org/vuls/id/247371.
-
Re:Auto-infect
Not at all. Please read:
http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html
Basically:
1) U3 devices emulate CD-ROM devices, which will automatically run code with zero user interaction.
2) Clicking a drive icon in Windows explorer may run code specified in the autorun.inf file rather than exploring that drive location. -
It's not intuitive how to disable AutoRun
Forgot to disable AutoRun, perhaps. But actually, it's quite non-intuitive how to disable AutoRun in Microsoft Windows. There are several options, and none of them (and even all of them combined) will disable AutoRun and AutoPlay features in their entirety. In fact, up until recently, Windows Vista had the logic reversed for one of the AutoRun features! i.e., if you take the effort to disable the AutoRun feature, you actually put yourself at more risk. More details here:
http://www.kb.cert.org/vuls/id/889747
But luckily, there is a single registry value that can disable AutoRun at its core. Once this change is made, Windows will not interpret the Autorun.inf file on any device, effectively disabling AutoRun for all devices, including USB drives, network shares, and more. Get the scoop here:
http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html -
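What the Autorun.inf file on a removable device can actually make Windows launch, as an added example that is not part of the comments above or of the CERT blog post. The parser below reads a constructed Autorun.inf and lists every directive that names a command: `open=` (the CD-ROM style auto-launch the U3 trick relies on), `shellexecute=`, and the `shell\<verb>\command=` entries, including the one that `shell=` makes the default double-click action in Explorer. The sample file and its commands are made up for the demo; a real device only has this many launch points if its author put them there.

```python
# Constructed Autorun.inf for this example, not one captured from a real device.
AUTORUN_INF = r"""
; vacation photos - totally harmless, honest
[autorun]
icon=setup.exe,0
label=Vacation Photos
open=setup.exe /s
shellexecute=photos.html
shell\viewfiles=&View files
shell\viewfiles\command=setup.exe /quiet
shell=viewfiles
"""


def parse_autorun(text):
    """Minimal INI parser: {section: {key.lower(): value}}, ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_points(text):
    """Return (trigger, command) pairs that Windows may execute for this file."""
    auto = parse_autorun(text).get("autorun", {})
    found = []
    if "open" in auto:
        found.append(("AutoRun open=", auto["open"]))
    if "shellexecute" in auto:
        found.append(("AutoRun shellexecute=", auto["shellexecute"]))
    default_verb = auto.get("shell", "").lower()
    for key, value in auto.items():
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            verb = parts[1]
            if verb == default_verb:
                found.append(("default double-click verb", value))
            else:
                found.append(("context-menu verb " + verb, value))
    return found


if __name__ == "__main__":
    for trigger, command in launch_points(AUTORUN_INF):
        print(f"{trigger:28s} -> {command}")
```

Three of the seven lines in that file are launch points, and none of them requires the user to open a file by name: inserting the device, double-clicking the drive icon, or picking the default verb from its context menu is enough. That is why the registry change the comment describes (Windows not interpreting Autorun.inf at all) is the fix rather than any per-feature checkbox.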
CERT and Function Extraction?
I've heard about a project at cert called function extraction that might be relevant to this. It's been going on a few years and they've produced some tools. Don't know much more.
-
Re:Damn parasites
I've got a question for any people who know about the BSD TCP/IP stack and the relationship to Microsoft.
.
In 1998 Cert issued an advisory about the TCP/IP stack in BSD but what's of note is that Microsoft isn't vulnerable.
.
So my question is whether they were still using a BSD derived stack at that time and if so whether anyone knows if the bug was fixed unknowingly or knowingly (eg, whether in refactoring the code they just happened to fix it OR whether they found a bug and kept quiet).
Also would the GPL have prevented BSD maintaining this bug for so long?
.
Thanks for any advice or comments,
-
Yes there is a point
Not upgrading to IE7 because you don't "use" it is dangerous. Because, as you mentioned, IE is closely integrated into the operating system, its components can be used by other applications regardless of whether you click the blue 'E' icon or not. Any Windows application that has the ability to handle HTML content is likely to use some IE components. So if IE is not fully up to date, these other applications can put you at risk.
So, for example, vulnerabilities that only affect IE6 may affect other applications that use the relevant IE components for HTML rendering (think email, IM, etc.). Such as:
http://www.kb.cert.org/vuls/id/923508
Or, even better... A recent Safari for Windows vulnerability:
http://www.kb.cert.org/vuls/id/127185
Safari, a "stand-alone" web browser, is actually at a higher risk on systems with IE6 as opposed to IE7.
As with any software on your computer, you should upgrade it whether you *think* you use it or not.
-
Re:So give a layman explanation
A good way to find out is to go directly to the CERT web site and have a look at the vulnerability note they're talking about. Link here, if you trust me =) http://www.kb.cert.org/vuls/id/484649/
-
ok, who let the Debian guys loose again?
from http://www.kb.cert.org/vuls/id/800113: "The DNS protocol specification includes a transaction ID field of 16 bits. If the specification is correctly implemented and the transaction ID is randomly selected with a strong random number generator, an attacker will require, on average, 32,768 attempts to successfully predict the ID."
Just put the real seed back into the code.
obrant: and who the frak releases advisories in DOC format in the 21st century?
-
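The 16-bit transaction ID arithmetic quoted from the vulnerability note above, as an added example that is not part of the comment. This is a toy model written for this page, not resolver code: a `Resolver` stamps each outgoing query with a transaction ID and a source port, either predictably (sequential IDs, fixed port 53) or randomly, and the attacker functions measure how easy the next query is to forge. The seeds, trial counts and the 1024-65535 port range are assumptions of the demo.

```python
import random

ID_SPACE = 1 << 16  # 16-bit DNS transaction ID


class Resolver:
    """Toy model of the ID and UDP source port a resolver puts on each query."""

    def __init__(self, random_ids, random_ports, seed=None):
        self.rng = random.Random(seed)
        self.random_ids = random_ids
        self.random_ports = random_ports
        self.counter = self.rng.randrange(ID_SPACE)  # start of a sequential counter

    def next_query(self):
        if self.random_ids:
            txid = self.rng.randrange(ID_SPACE)
        else:
            txid = self.counter
            self.counter = (self.counter + 1) & 0xFFFF  # predictable: last ID + 1
        port = self.rng.randrange(1024, 65536) if self.random_ports else 53
        return txid, port


def attacker_predicts(resolver):
    """Attacker observes one query (e.g. for a domain they control) and
    forges the next one by assuming ID+1 and the same port."""
    seen_id, seen_port = resolver.next_query()
    guess = ((seen_id + 1) & 0xFFFF, seen_port)
    return guess == resolver.next_query()


def prediction_rate(random_ids, random_ports, trials=5000, seed=7):
    """Fraction of trials in which the observe-and-predict attack succeeds."""
    hits = 0
    for i in range(trials):
        hits += attacker_predicts(Resolver(random_ids, random_ports, seed=seed + i))
    return hits / trials


def mean_sequential_attempts():
    """Expected guesses when an attacker walks the ID space in order against a
    uniformly random ID: (2^16 + 1) / 2, the advisory's 'about 32,768'."""
    return (ID_SPACE + 1) / 2


def brute_force_success(spoofed_responses, random_ports):
    """Probability that a burst of forged responses hits one outstanding query
    when the ID is random and the port is either fixed or drawn from 1024-65535."""
    space = ID_SPACE * ((65536 - 1024) if random_ports else 1)
    return min(1.0, spoofed_responses / space)


if __name__ == "__main__":
    print("sequential IDs, fixed port :", prediction_rate(False, False))
    print("random IDs, fixed port     :", prediction_rate(True, False))
    print("random IDs, random port    :", prediction_rate(True, True))
    print("mean sequential guesses    :", mean_sequential_attempts())
    print("100 forgeries, fixed port  :", brute_force_success(100, False))
    print("100 forgeries, random port :", brute_force_success(100, True))
```

With a predictable generator the attacker needs exactly one forged packet, which is the "put the real seed back" situation; with a properly random ID a burst of forgeries has about one chance in 65,536 per packet, and adding source-port randomisation multiplies the space the attacker must cover by another factor of roughly 64,000.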
Bad summary including a Word document??
What a terrible summary. What would be really useful and news worthy would be a link to a web page with some information about the vulnerability. The links in the summary included: 1) a WORD DOCUMENT? WTF? 2) a PDF, 3) a podcast?? WTF? and 4) a link to a slashdotted DNS checker. How about a link to the CERT vulnerability web page which describes the problem?
http://www.kb.cert.org/vuls/id/800113
Now THAT would have been much more useful. Do people who work as sysadmins actually have time to sit around listening to a podcast? Especially when there are DNS servers to patch?
-
CERT advisory in readable format:
Here is the CERT advisory in a readable format.
http://www.kb.cert.org/vuls/id/800113
BTW, did they hold this for a Microsoft patch Tuesday?
-molo
-
Re:Crappy router.
"Does that make it inappropriate for home users?"
Yes. A home user has just as much to lose as a corporation, *in relative terms*. Completely hosed is completely hosed. The average home/SOHO user is just operating at a greater disadvantage, because few have the resources required to understand the threats and make good decisions. People who read technical sites of any sort are a minority, in every survey I've seen, and have been for years.
In a post above, I think Tony Hoyle might have been referring to the .swf-based attacks that were being widely used back in January. Hopefully most people here turned off UPnP on their router back then. Anyone that didn't should probably read https://www.kb.cert.org/vuls/id/347812
It has links to MS Knowledge Base articles, and lots more info.
Thinking that, "I'm just a home user," is basically what's given us botnets. I see no way that problem can be fixed, but sometimes I have to put my Don Quixote hat on, over my Security Guy hat, and post something. -
wow.. that seems -- trusting
http://www.cert.org/homeusers/email_postcard.html
there are, between my ISP and the destination ISP-- many many waypoints that a bored tech can use to copy all the packets moving through-- -
Re:Impossible
More possible data gathering points:
- Previously compromised accounts (email/chat/google web history)
- Email forwarding settings (yes this is overt, but how many users actually look at their forwarding rules)
- Recoverable "deleted" files on disk
- Browser plugins
- Saved passwords - even if they are "encrypted" any encryption that allows the application to read the password lets someone else do so as well.
- Every time a compromise is suspected, change all passwords from a secure computer immediately.
- Check forwarding rules, particularly to web-based email services.
- Always use SSL/TLS encryption whenever they are available. Learn not to give passwords over unencrypted channels - this won't help you against a keylogger, but it will help you against sniffing.
- Be aware that "deleting" files doesn't really delete them unless you use specialized tools
- Reformat.
- Make your computer as tamper-evident as possible. Buy a UPS so that if the computer reboots, there will be a reason for it. Keep the computer turned on. Secure all accounts on the computer with a password. If it's Windows, encrypt the SAM database with a password that you have to enter at bootup. Remove your own administrator rights, and have a separate administrator account that you only use to install software. Use a BIOS password. Disable booting from anything other than the hard drive. Install physical locks on the case to prevent it from being opened. Epoxy over the screws on the keyboard (after you've bought a new one).
- Use an alternative web browser.
- Be careful about opening links and attachments in email. Learn about phishing, particularly the type of targeted phishing that can be attempted by someone with intimate knowledge of their target. (Don't trust the return address on mails in particular - many of the keyloggers out there get on via a trojan horse that you have to be tricked into running)
- If any evidence of tampering is found, start over.
- Learn about computer security. http://www.cert.org/homeusers/ is one of the best starting places for non-technical users. Even if you don't understand it all, you have a starting place to ask questions.
- Remember, trust is the enemy of security. Look for it. Understand how it makes you vulnerable, and decide if the risks are acceptable or not. This mindset extends all the way from the bare metal up to the human being at the keyboard. You have to start to think that way to really be able to keep a computer secure.
-
Re:Interesting, but really needed?
I do think that the idea of Cyber Defence is quite cool and I'm glad that we're the pioneers here but it does seem that this really is the primary reason here, to pioneer something. It might still become useful one day and I'll be interested to see how this rolls out.
New? Pioneers? Morris worm was launched, and defeated by co-operating sysadmins and programmers, in 1988, 20 years ago. CERT was founded in the same year. The Bugtraq mailing list has been operating since 1993. CVE has existed since 1999. And those are organizations that are maintaining ongoing, up-to-date information on security-related matters. OpenBSD was founded in 1995. SELinux was released in 2000. grsecurity in 2001. Those are only the most prominent software projects related to security.
The only thing you are "pioneering" is a way of getting piles of other governments' money for a basic network security awareness program.
I do enjoy the fact that the small size of Estonia allows us to try all the new IT solutions on quite a large scale very fast. So far we've done quite well and I hope that we can do something revolutionary on the international scale as well. The IT innovation part of Estonia is really something I'm proud of.
More like a dumping ground for proprietary "IT solutions". The rest of the world is busy trying to get rid of them. -
Re:How does it work?
Or how about disable autorun instead of having to remember to hold down shift before any CD, DVD, thumb drive, etc. is inserted into your computer?
http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html -
Re:Read the article?
How is it the parent got modded insightful for claiming M$ "can't deliver" when TFA clearly and unambiguously states that it did in fact deliver a patch to a reported vulnerability. You might think that DNS is bottom of the line tech but you can hardly blame microsoft for that. Bind had a similar vulnerability http://www.kb.cert.org/vuls/id/927905 (bind 8) http://www.kb.cert.org/vuls/id/252735 (bind 9)
-
Re:Let's see some truthful tagging
Slammer and its derivatives (Sobig, etc.) targeted Microsoft SQL Server. It so happened that some MS desktop applications also had code derived from SQL Server and were thus also vulnerable.
That's not to say that there weren't also worm attacks against Apache. And many PHP applications have been exploited to carry out cross-site scripting attacks.
Still, framing the question as "Now show me an OS that hasn't been exploited at least once?" seems disingenuous at best. Shouldn't we also consider the frequency and success rate of these exploits? By those criteria Windows has a much poorer record than *nix-based OS's, and it's not just because there are lot more Windows machines in the world. -
A buffer overflow? In 2007? Seriously?
Seriously, people give MS a bad rap these days, but any exploit you're going to see in their software these days usually takes advantage of complex system interactions or odd exception throwing.
That's because Microsoft's "Active Content" security model, introduced in 1997, pretty much created the 'complex system interactions' vulnerability ecosystem. Before then the whole idea that an application that displayed untrusted content would provide a path for that content to execute code with full local user privileges was inconceivable. It was a joke, literally: the basis for the "Good Times" virus hoax was the idea that there would EVER be a way for an embedded virus to be launched automatically by email software.
Microsoft has its own problems with buffer overflows, for example this recent one, but if they only had buffer overflow issues there wouldn't be the kind of virus problem there is now. Because when you fix a buffer overflow you're fixing a bug. When you fix a 'complex system interaction' problem, you can't usually fix the underlying cause because there's other legitimate software that depends on that cause... so all you can do is add new checks. Which means that variants of the original exploit, possibly using a different avenue of approach to the underlying vulnerability, still remain.
So Microsoft is between a rock and a hard place. Every check they add has the possibility of breaking legitimate content. So instead of preventing the dangerous interaction, they pop up a dialog and ask the user if they really meant to do whatever caused the dangerous interaction to happen. Which pisses users off, and trains them to answer "yes" to "I'm about to do something stupid and dangerous" dialogs.
When web comics about fuzzy animals are making fun of this problem, you know things are getting bad.
CATS wants to execute 'setupbomb42.dll'. As a result you may have no chance to survive make your time. Allow (yes) (no)?
And the really annoying thing is that Firefox (with XPI install through the browser) and Safari (with 'open "safe" files after downloading') have started to follow Microsoft's path of setting users up the bomb and then popping up a dialog asking if they want to detonate. Luckily Apple finally turned 'open "safe" files' off by default, but they've kept the 'set us up the bomb?' dialogs anyway. -
Re:Even the courts aren't this daft
I actually found a few links that should be useful in cases like this:
- FBI NATIONAL COMPUTER CRIME SQUAD (May be outdated)
- FBI Tampa Cyber Crime squad (you may have your own local version of this)
- Internet Crime Complaint Center (IC3)
- CERT
- Forum for Incident Response and Security Teams
- Swedish IT incident Center (sitic at pts dot se)
So if we really want to avoid having the police hunt us for petty crimes of downloading files - give them something real.
:-) -
Re:That...
Chances are that people who uploaded images recently and ran Internet Explorer that used the ActiveX control might have gotten their password and personal information stolen. For the love of Pete, it's a remote code execution vulnerability. We're talking about a lot more than a user's MySpace password getting lifted. Why couldn't the submitter be bothered to provide a link that actually describes the issue in detail, instead of just a sensationalist news article that gives virtually no technical information?
-
Re:Just what kids on Myspace and Facebook need...
Not really much threat of goatse images, but a significant threat of arbitrary remote code execution for Windows users.
-
Re:Internet Explorer based exploit
Origami plugin? Does it fold your keyboard into a three dimensional swan? Surely you meant the Aurigma ImageUploader plugin.
-
Re:Internet Explorer based exploit
Well, according to this page it allows execution of arbitrary code on the victim's machine. Whatever the user's account permits them to do, the code could do, up to and including actions permissible by other unpatched vulnerabilities on the client machine.