Domain: net-security.org
Stories and comments across the archive that link to net-security.org.
Comments · 137
-
Unpatched security vulnerabilities anyone?
Linux, in its KERNEL ONLY mind you, has 4x++ the unpatched security vulnerabilities Windows 7/Server 2008 have, AND UNPATCHED REMOTE ONES no less in Linux also (which Windows is also a complete "distro" with all of its parts, not just a kernel only - add on the other parts of Linux that come in a distro, you will get more)!
In fact, Linux's kernel ALONE has 4x the # of unpatched bugs the ENTIRE SUITE/ARRAY OF WHAT MICROSOFT GIVES YOU TO DO BUSINESS & DEVELOPMENT WITH!
This data's ALL from a respected source (secunia.com) for known security vulnerabilities unpatched:
---
Vulnerability Report: Microsoft Windows 7: (11/27/2011)
http://secunia.com/advisories/product/27467/?task=advisories
Unpatched 6% (5 of 85 Secunia advisories)
OR
Vulnerability Report: Microsoft Windows Server 2008: (11/27/2011)
http://secunia.com/advisories/product/18255/?task=advisories
Unpatched 3% (4 of 153 Secunia advisories)
* Nicest part here is, that the few unpatched vulns ALL have valid easy workarounds, or don't apply to workstations, or can be secured for (by turning off services you don't need, especially on desktops/workstations or by securing them down rights-wise)... can Linux say the same?
Doubt it!
PLUS, what REALLY causes malware outbreaks in Windows?? JAVA, & Adobe Products MOSTLY (99.8% in fact), per this:
http://net-security.org/malware_news.php?id=1863
& this:
http://www.net-security.org/secworld.php?id=11759
---
FACT - THAT'S 4x++ LESS UNPATCHED SECURITY VULNERABILITIES ON MS NEAR ENTIRE ARRAY OF WHAT THEY GIVE YOU FOR BUSINESS & DEVELOPMENT - see my p.s. below in fact on that note
(& I know that LAMP can't say the same & tosses on even MORE errors into the mix for Linux)
, THAN IS PRESENT ON THE LINUX 2.6x KERNEL ALONE!
NOW- Toss on the rest of what goes into a Linux distro OR the "LAMP" stack, also (Linux, Apache, MySQL, PHP)??
That # goes "up, Up, UP & AWAY...", big time & even moreso, "increasing that lead, that Linux has", lol, in more unpatched known security bugs present that is (a dubious honor/win, lol, to say the least).
So, that "all said & aside"?
Compare a "*NIX/Open SORES" OS in Linux's "latest/greatest"?:
---
Vulnerability Report: Linux Kernel 2.6.x (11/27/2011)
http://secunia.com/advisories/product/2719/?task=advisories
Unpatched 6% (18 of 281 Secunia advisories)
---
AND YES, there are 3 remotely vulnerable unpatched security problems outstanding in Linux there too, unpatched (despite all the "Open 'SORES' eyes" out there to fix it (yea, "right", not!))
* Additionally/again - so it "sinks in":
That's also more than the ENTIRE GAMUT of what MS gives folks to do business & build tools for it as well has & LAMP certainly cannot show less errors in unpatched security vulnerabilities than 5 total from MS...
In fact? LAMP is the favored attack for phishers & spammers:
http://www.theregister.co.uk/2011/06/10/domains_lamped/
---
PERTINENT QUOTE:
"Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey.
Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers,"
---
Vulnerability Report: MySQL 5.x (11/27/2011):
-
Re:NoScript
Java is the "most vulnerable" application, IE is actually in 4th after Acrobat and Flash.
-
Re:NoScript
Since 85% of attacks come through Java, Acrobat, and Flash, how exactly does NoScript block those?
-
Linux? rootkits? ==
OS doesn't matter if someone wants to target it. In fact it can even be a good thing - it's a lot easier to rootkit and hide in Linux based systems than Windows, and most people don't know how to get rid of them either. Hell, in Linux a simple rootkit can work just by editing the system commands like ls.
Then use http://www.chkrootkit.org/
Oh, and apparently it is GPL software, too. http://www.net-security.org/software.php?id=210
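The "edit ls" class of rootkit the comment above describes is exactly what a file-integrity baseline catches: record a hash of each system command while the box is known-good, store it off-host, and compare later. The following is an added example written for this page, not code from the commenter or from chkrootkit. The watched command list, the stand-in "binaries" and the tampering are all constructed inside a temporary directory so the script runs offline; on a real host you would point `bin_dir` at /bin and /usr/bin and keep the baseline somewhere the host cannot rewrite.

```python
"""Detect trojaned system binaries by comparing SHA-256 hashes and modes against a baseline.
Added example for this page; paths and sample binaries are constructed, not taken from a real host."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Hypothetical watch list: the commands a userland rootkit typically replaces to hide itself.
WATCHED_COMMANDS = ["ls", "ps", "netstat", "find", "login"]


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, streamed so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(bin_dir: Path, names=WATCHED_COMMANDS) -> dict:
    """Record hash, size and permission bits for each watched binary present in bin_dir."""
    baseline = {}
    for name in names:
        path = bin_dir / name
        if path.is_file():
            st = path.stat()
            baseline[name] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def check_against_baseline(bin_dir: Path, baseline: dict) -> dict:
    """Return {name: reason} for every watched binary that no longer matches the baseline."""
    findings = {}
    for name, expected in baseline.items():
        path = bin_dir / name
        if not path.is_file():
            findings[name] = "missing"
            continue
        actual_hash = hash_file(path)
        if actual_hash != expected["sha256"]:
            findings[name] = f"hash changed {expected['sha256'][:12]} -> {actual_hash[:12]}"
        elif oct(path.stat().st_mode & 0o7777) != expected["mode"]:
            # Same bytes, different permissions: e.g. a setuid bit added to an otherwise clean binary.
            findings[name] = "mode changed"
    return findings


def run_integrity_demo() -> dict:
    """Constructed scenario: a fake bin directory is baselined, then ls is replaced with a
    wrapper that hides names starting with 'rk_' and ps is given the setuid bit."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp)
        for name in WATCHED_COMMANDS:
            (bin_dir / name).write_bytes(f"#!/bin/sh\necho genuine {name}\n".encode())
            os.chmod(bin_dir / name, 0o755)
        baseline = build_baseline(bin_dir)

        # Tampering, as a rootkit of the 'edit the system commands' kind would do it.
        (bin_dir / "ls").write_bytes(b"#!/bin/sh\n/bin/ls \"$@\" | grep -v '^rk_'\n")
        os.chmod(bin_dir / "ps", 0o4755)

        return check_against_baseline(bin_dir, baseline)


if __name__ == "__main__":
    print(json.dumps(run_integrity_demo(), indent=2))
```

Two caveats a practitioner would add: the check only sees what the running kernel shows it, so a kernel-level rootkit can hand clean bytes to the hashing process while executing something else, which is why tools like chkrootkit are best run from trusted boot media; and package upgrades legitimately change hashes, so the baseline has to be refreshed from the package manager's own manifests after every patch run.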
-
Re:Source?
Not sure how this article which was on slashdot a few days ago arrived at 37% being due to Java JRE exploits, 32% acrobat and 16% flash exploits, but then people must be a lot more lazy updating their JRE than anything else...
-
Salient point:
http://www.net-security.org/images/articles/102011-infection.jpg
Avoid Java, Flash, Acrobat and IE Explorer and you avoid around 95+% of the entry points. IOW it does not seem to be Opera or Mozilla which is vulnerable, but the added cruft plug-in.
-
Are THESE all "FUD" too?
http://yro.slashdot.org/story/10/09/30/1640223/Many-More-Android-Apps-Leaking-User-Data
http://linux.slashdot.org/story/10/11/02/2238205/Serious-Security-Bugs-Found-In-Android-Kernel
http://it.slashdot.org/story/10/11/05/0229205/Researcher-To-Release-Web-Based-Android-Attack
http://www.theregister.co.uk/2010/11/10/android_malware_attacks/
http://mobile.slashdot.org/story/10/11/27/213219/Security-Expert-Warns-of-Android-Browser-Flaw
http://www.theregister.co.uk/2011/01/14/android_chinese_stealing/
http://mobile.slashdot.org/story/11/01/20/1534236/Soundminder-Android-Trojan-Hears-Credit-Cards
http://www.theregister.co.uk/2011/01/29/android_data_disclosure_bug/
http://it.slashdot.org/story/11/01/29/1946202/New-Android-Exploit-Discovered-To-Steal-Data
http://www.theregister.co.uk/2011/02/17/android_trojan_click_fraud_scam/
http://mobile.slashdot.org/story/11/02/23/1640252/Mobile-Spyware-Conferences-Into-Your-Calls
http://it.slashdot.org/story/11/03/01/0041203/Infected-Androids-Run-Up-Big-Texting-Bills
http://www.theregister.co.uk/2011/03/04/google_android_market_peril/
http://www.bangobang.com/2011/04/android-phones-are-no-more-protected.html
http://www.ibtimes.com/articles/137143/20110421/android-phones-track-users-movements.htm
http://www.net-security.org/malware_news.php?id=1718
http://www.theregister.co.uk/2011/05/16/android_impersonation_attacks/
-
Re:Yeah, but ..
.. have they figured out how to install it without asking an admin user for permission?
If someone figures out a way to bypass Installer and run unsigned code without at least throwing a warning, then I'll worry
..Better start worrying.
-
tomhudson = "CouNt StaLKuLa" by ac replies? LOL!
Don't you EVER learn tomhudson? We all KNOW that you stalk & troll me by AC replies, and who said that??
Why, YOU DID, here, quoted verbatim (and instigating others to do so as well? Please... lol, you FOOL, no one!):
"Wait until he starts on another kick, then reply to him as an AC. It's the new meme". - by tomhudson (43916) on Sunday May 09 2010, @08:29PM (#32150544) Homepage Journal
QUOTED, LITERALLY VERBATIM, FROM -> http://slashdot.org/comments.pl?sid=1646272&cid=32150544
(So, if the "best you've got" is AC trolling & stalking replies to me tomhudson? Well... lmao @ U!)
APK
P.S.=> Now, on this "tidbit" from you? Who the F do you think you're fooling tomhudson??
"Nobody ever claimed that Linux was immune" - by Anonymous Coward on Tuesday May 31, @01:26PM (#36299196)
I've been around here long enough (since 2004, maybe a bit earlier) to KNOW "how it is" around here, a very "Pro-*NIX slant" to things, & Penguins are NIGH CONSTANTLY implying that "Windows is a malware ridden horror, Linuxes are not"!
Well, to THAT, specifically (& on topic about ANDROID Linux)?
Heh... see these additional "problems" ANDROID Linux has shown over time then recently:
---
A RECENT HISTORY LIST OF ANDROID LINUX EXPLOITS BY MALWARE ETC. et al:
http://www.net-security.org/malware_news.php?id=1718
http://www.theregister.co.uk/2010/11/10/android_malware_attacks/
http://www.ft.com/cms/s/2/bf3d6002-452e-11e0-80e7-00144feab49a.html#axzz1FdlXHJmB
http://www.theregister.co.uk/2011/01/29/android_data_disclosure_bug/
http://it.slashdot.org/story/11/03/01/0041203/Infected-Androids-Run-Up-Big-Texting-Bills
http://it.slashdot.org/story/11/01/29/1946202/New-Android-Exploit-Discovered-To-Steal-Data
http://mobile.slashdot.org/story/10/11/27/213219/Security-Expert-Warns-of-Android-Browser-Flaw
http://yro.slashdot.org/yro/08/11/21/1321200.shtml
http://linux.slashdot.org/story/10/11/02/2238205/Serious-Security-Bugs-Found-In-Android-Kernel
http://mobile.slashdot.org/story/10/11/05/2011243/Major-Security-Holes-Found-In-Mobile-Bank-Apps
http://news.slashdot.org/story/10/10/18/1910224/A-Tidal-Wave-of-Java-Flaw-Exploitation
-
HUGE list of ANDROID Linux exploits inside... apk
1st, let me "open" with 3.5++ times as many unpatched security vulnerabilities in Linux 2.6x KERNEL ALONE (not the entirety of a Linux distro, nor the other parts needed for business development), vs. NEARLY ALL OF THE TOOLS MICROSOFT PUTS OUT FOR BUSINESS DEVELOPMENT, for starters:
http://mobile.slashdot.org/comments.pl?sid=2200490&cid=36300084
OR, do you care to deny that much, vs. SECUNIA's statistics for that much (they're quite respected on that note, mind you).
Secondly?
Well - My point here was that ANDROID, which yes, IS A LINUX VARIANT, is showing itself, its TRUE SELF (& thus, Linux as well) to be no better @ being secure than Windows is...
Hell, it's WORSE!
Now - Would you like me to post an entire LIST of problems I know ANDROID has had on the security front too? I can, roughly 50 of them, & from RECENT HISTORY no less? Ok, here goes:
---
RECENT HISTORY LIST OF ANDROID LINUX EXPLOITS BY MALWARE ETC.:
http://www.net-security.org/malware_news.php?id=1718
http://www.theregister.co.uk/2010/11/10/android_malware_attacks/
http://www.ft.com/cms/s/2/bf3d6002-452e-11e0-80e7-00144feab49a.html#axzz1FdlXHJmB
http://www.theregister.co.uk/2011/01/29/android_data_disclosure_bug/
http://it.slashdot.org/story/11/03/01/0041203/Infected-Androids-Run-Up-Big-Texting-Bills
http://it.slashdot.org/story/11/01/29/1946202/New-Android-Exploit-Discovered-To-Steal-Data
http://mobile.slashdot.org/story/10/11/27/213219/Security-Expert-Warns-of-Android-Browser-Flaw
http://yro.slashdot.org/yro/08/11/21/1321200.shtml
http://linux.slashdot.org/story/10/11/02/2238205/Serious-Security-Bugs-Found-In-Android-Kernel
http://mobile.slashdot.org/story/10/11/05/2011243/Major-Security-Holes-Found-In-Mobile-Bank-Apps
http://news.slashdot.org/story/10/10/18/1910224/A-Tidal-Wave-of-Java-Flaw-Exploitation
http://yro.slashdot.org/story/10/09/30/1640223/Many-More-Android-Apps-Leaking-User-Data
-
Re:Security through obscurity
At this point it doesn't really matter so much who developed it. Regardless, we're still potentially collateral damage or potential targets of a fully disassembled/reverse-engineered/built-fresh-with-a new-twist version as well as whatever the original authors might unleash. Whoever made it was shortsighted if they felt that even versions attempting to be very specific wouldn't be analyzed and modified or cause some collateral damage as-is. Pruning target-filtering code seems it would be a relatively trivial task.
Some say Israel had people bragging about it.
http://www.net-security.org/secworld.php?id=10596
Collateral damage adding to some other bad event? You decide.
I don't think the victims had a clue.
http://www.publicradio.org/columns/kpcc/kpccnewsinbrief/2008/11/officials-unveil-why-yorba-lin.html
http://articles.latimes.com/keyword/yorba-linda-ca
http://www.ylwd.com/fireupdate/pdf/Freeway%20Complex%20Fire%20Report.pdf
-
Let's talk about ANDROID then Mr. Brin...
Per my subject-line above, some "examples thereof":
http://www.net-security.org/malware_news.php?id=1718
http://www.theregister.co.uk/2010/11/10/android_malware_attacks/
http://www.ft.com/cms/s/2/bf3d6002-452e-11e0-80e7-00144feab49a.html#axzz1FdlXHJmB
http://www.theregister.co.uk/2011/01/29/android_data_disclosure_bug/
http://it.slashdot.org/story/11/03/01/0041203/Infected-Androids-Run-Up-Big-Texting-Bills
http://it.slashdot.org/story/11/01/29/1946202/New-Android-Exploit-Discovered-To-Steal-Data
http://mobile.slashdot.org/story/10/11/27/213219/Security-Expert-Warns-of-Android-Browser-Flaw
http://yro.slashdot.org/yro/08/11/21/1321200.shtml
http://linux.slashdot.org/story/10/11/02/2238205/Serious-Security-Bugs-Found-In-Android-Kernel
http://mobile.slashdot.org/story/10/11/05/2011243/Major-Security-Holes-Found-In-Mobile-Bank-Apps
http://news.slashdot.org/story/10/10/18/1910224/A-Tidal-Wave-of-Java-Flaw-Exploitation
http://yro.slashdot.org/story/10/09/30/1640223/Many-More-Android-Apps-Leaking-User-Data
http://mobile.slashdot.org/story/10/12/21/1849243/The-Smartphone-That-Spies-and-Other-Surprises
http://yro.slashdot.org/story/11/01/20/1422239/Cybercriminals-Shifting-Focus-To-Non-Windows-OSes
Want more? I've got 'em... MANY more in fact!
So, please - my "bottom-line" here, is this & quite simple:
Don't go telling folks that "Windows is 'bad'" etc., because ANDROID's not exactly "looking good" and on MANY grounds (see those links above).
APK
P.S.=> So, do I "hate google"? No, in fact, FAR from it... but, what I do NOT like is when someone in a position to make changes, good changes, starts acting like a "PR Machine" to attempt to "mess up the competition" - especially when his own platform has issues... MANY issues! apk
-
Re:Chrome was updated
Why am I being modded as offtopic? Can anyone explain what in my reply was offtopic, this is the parent:
The organizers said that the software configuration was frozen a week ago. Nobody was allowed to do last-minute updates (like it was last year)
This is my reply
Chrome got to use the built in auto mechanism just before the contest started (source 1, source 2, source 3) which is probably why the contestant registered to try to beat Chrome did choose not to try.
Granted, there was a spelling mistake, it should have said "built in auto update mechanism" but why mod me down?
-
Re:Chrome was updated
-
Re:This is why I don't use facebook
If you're going to take nothing more than the fact that I use a particular communication tool as a reason to write me off as irresponsible, I feel fully justified in declaring you as a pompous, superior, neo-luddite based on nothing more than that single Slashdot post.
The difference between you and the OP is that the OP has good reason to worry. FB users post things to FB they shouldn't. I know several people who have been burned by things they posted on social media sites. My estimation of anyone who uses them is automatically adjusted lower, just like anyone who uses texting abbreviations in professional communications. It shows a level of ignorance of proper etiquette and social consequences. Does it mean that everyone who uses FB is stupid? No, but it does make for an easy metric to weed out people who are less likely to make good decisions about confidentiality when they have a personal stake in the results. How are they going to behave when it is some stranger's privacy they are destroying? I should also point out that in all of the cases of people I know being burned by social media posts, not one of them learned their lessons, and they all continue posting things that can and probably will be used against them in the future. Social Media is akin to any other addiction, and I don't trust the addicts for the obvious reasons.
-=Geoskd
-
Re:Microsoft Security Essentials
The responses in this thread blow me away. You all trust the antivirus option from Microsoft... the people that make the software which gets owned by the most exploits (IE, Outlook, Word, etc.)?
On the browser side actually Firefox and Opera have the most vulnerabilities.
Internet Explorer deemed least vulnerable browser
-
Tell that to these 170 'nobodies'...
The recent arrest of a 23-year-old California man that has allegedly hacked e-mail accounts of more than 170 women and posted sexually explicit pictures found within them to the victims' Facebook accounts, has highlighted the need to limit the amount of personal information posted on various social networks.
-
Re:Use a switched network
I hate to break it to the incompetent. Oh wait. I don't. I hate when people giving misleading advice get upmodded.
But I was sniffing traffic on a switched network in 1999. With tools that were already written. It was easy then (script kiddy easy), and it's even easier now.
Switches solve half the problem and very little more. The only switch I've seen you can't sniff off of runs so far upstream it's not worth talking about.
I know you like to pretend as a sysadmin you know how the internets work. And you're right. But you only know half. Networks fail. Predictably. They fail open. Without logs.
Stop the myth that switches 'protect' against packet sniffing. They mitigate it. Against the most trivial and basic wireshark attack that existed
...god...probably 30 years ago...I wasn't even born then. And the tools that circumvent switches' mitigation have been common knowledge for at least 15 years among any sort of hacker, or anyone who can take a decent guess at how networks behave under remotely interesting conditions. -
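The comment above says switches only mitigate sniffing and that the tools to get around them are old news; the usual way around a switch is to poison the victims' ARP caches so traffic for the gateway is sent to the attacker's MAC. What the comment does not spell out is the detection side, so here is an added example (written for this page, not by the commenter) that parses raw Ethernet/ARP frames and flags the two symptoms of that attack: an IP address that suddenly rebinds to a different MAC, and a reply whose Ethernet source address does not match the sender address inside the ARP payload. The addresses and frames are constructed in the script; on a live network the frames would come from a raw socket or a pcap.

```python
"""ARP spoofing detector over raw Ethernet frames.
Added example for this page; all MAC/IP addresses and frames below are constructed test data."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
ETH_HDR_LEN = 14
ARP_PKT_LEN = 28  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa for Ethernet/IPv4


def _mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < ETH_HDR_LEN + ARP_PKT_LEN:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[ETH_HDR_LEN:ETH_HDR_LEN + ARP_PKT_LEN]
    )
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {
        "eth_src": mac_to_str(src), "oper": oper,
        "sha": mac_to_str(sha), "spa": ip_to_str(spa),
        "tha": mac_to_str(tha), "tpa": ip_to_str(tpa),
    }


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip, eth_src=None) -> bytes:
    """Construct a reply frame; eth_src lets a test forge a mismatched Ethernet source."""
    eth = struct.pack("!6s6sH", _mac_bytes(target_mac), _mac_bytes(eth_src or sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      _mac_bytes(sender_mac), _ip_bytes(sender_ip),
                      _mac_bytes(target_mac), _ip_bytes(target_ip))
    return eth + arp


class ArpSpoofDetector:
    """Tracks IP -> MAC bindings; seed `trusted` with static entries for gateways and servers."""

    def __init__(self, trusted=None):
        self.bindings = dict(trusted or {})
        self.alerts = []

    def observe(self, frame: bytes) -> None:
        pkt = parse_arp_frame(frame)
        if pkt is None or pkt["oper"] != ARP_REPLY:
            return
        if pkt["eth_src"] != pkt["sha"]:
            # A stack fills both fields with its own MAC; a mismatch means a crafted frame.
            self.alerts.append(("eth/arp sender mismatch", pkt["spa"], pkt["eth_src"], pkt["sha"]))
        known = self.bindings.get(pkt["spa"])
        if known is None:
            self.bindings[pkt["spa"]] = pkt["sha"]
        elif known != pkt["sha"]:
            # Same IP, new MAC: the signature of gateway impersonation (or of DHCP churn, see note).
            self.alerts.append(("ip rebinding", pkt["spa"], known, pkt["sha"]))


def run_arp_demo() -> list:
    """Constructed traffic: legitimate replies, then an attacker claiming the gateway's IP."""
    victim_mac, gateway_ip, gateway_mac = "08:00:27:11:22:33", "192.168.1.1", "aa:bb:cc:dd:ee:01"
    attacker_mac = "02:00:00:00:00:99"
    detector = ArpSpoofDetector(trusted={gateway_ip: gateway_mac})
    frames = [
        build_arp_reply(gateway_mac, gateway_ip, victim_mac, "192.168.1.50"),            # genuine
        build_arp_reply("aa:bb:cc:dd:ee:02", "192.168.1.20", victim_mac, "192.168.1.50"),  # new host, learned
        build_arp_reply(attacker_mac, gateway_ip, victim_mac, "192.168.1.50"),           # poisoning attempt
        build_arp_reply(gateway_mac, gateway_ip, victim_mac, "192.168.1.50", eth_src=attacker_mac),  # forged header
        b"\x00" * 20,                                                                    # non-ARP junk, ignored
    ]
    for frame in frames:
        detector.observe(frame)
    return detector.alerts


if __name__ == "__main__":
    for alert in run_arp_demo():
        print(alert)
```

The rebinding rule produces false positives on networks where DHCP reassigns addresses quickly, which is why the gateway and other fixed hosts go into the `trusted` table and dynamic ranges are tuned or excluded. Against the other half of the comment's point (switches "failing open" into hub mode under MAC-table flooding) this detector sees nothing; that one is caught on the switch with port security limits, not on the host.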
Re:Too late for a film at 11 joke...
I'm not so quick to forget why I dropped IE in the first place. To get away from ActiveX and general apathetic browser security. Where's that represented in benchmark?
Which browser do you use? Most security companies have ranked Firefox, and Safari, as having far more security vulnerabilities than IE for quite some time.
One of many (JFGI): "Firefox most vulnerable browser, Safari close second": http://www.net-security.org/secworld.php?id=8489
-
Re:Social networking sucks
The second gripe regarding "malware" is either imaginary, or a product of your befriending of mouth-breathers...who you don't like.
During the peak of the Facebook app craze, I came upon an application that I decided not to add because the EULA sounded even more dodgy than usual Facebook apps go. The license text was seemingly copied from somewhere else and slapped onto the web app regardless of the context. I felt smug when I read the news that the application vendor was banned for distributing malware disguised as the full version of their bait Facebook app.
-
Re:cyberwar = bullshit
don't buy this cyberwar bullshit. they are just using it as an excuse to justify internet control schemes they want to bring upon you americans. remember how terrorism was used to bring liberties-infringing 'security' measures in all aspects of life. it's the same shit, repeating itself.
do NOT buy it.
From an article about the "mock cyber attack":
"...A bevy of former top US officials were given various roles to play:
- John Negroponte, the former Director of National Intelligence, as the Secretary of State
- Michael Chertoff, the ex DHS Secretary, as the National Security Adviser
- Fran Townsend, former White House Homeland Security Advisor, as the Secretary of DHS
- John McLaughlin, ex CIA deputy director, as the Director of National Intelligence
- Jamie Gorelick, former deputy attorney general, as attorney general
- Charles Wald, retired Air Force general, as the Secretary of Defense
- Stephen Friedman, former director of the National Economic Council, as the Treasury Secretary.
The entire scenario was thought up by Michael Hayden, the former CIA Director, and the faux attack began with malware masquerading as a free March Madness application for smartphones...."
Not only the same shit, but the same shit doled out by the same people.
-
Only one unique link in summary
The other link is probably meant to be this article. Video
A bevy of former top US officials were given various roles to play... The entire scenario was thought up by Michael Hayden, the former CIA Director, and the faux attack began with malware masquerading as a free March Madness application for smartphones. Once activated, it spread fast and first incapacitated cellphone networks, then landlines, the Internet, and finally - aided by mock bombs exploding in a couple of gas pipelines and power stations and a hurricane hitting the Gulf Coast - brought the entire East Coast electrical power grid to its knees. Air traffic was thrown into disorder and commerce came to a standstill.
This exercise was just a huge piece of FUD by CNN and a bunch of retired government officials all touting the need for more government in our lives.
-
Re:Firefox
The only people still using internet exploder are people who don't care about security. They have ignored more than enough warnings and deserve what they get.
The rest of the world is already using firefox, opera, or whatever the OS X browser is called.
I care about security, and I think you would be hard pressed to document that Firefox is more secure than IE8 in protected mode (sandboxed, reduced user privileges). Yes you can find reported vulnerabilities in IE8, but most security companies announce far more for Firefox these days. Including pretty severe ones like we discussed here a couple of days ago: http://it.slashdot.org/story/09/11/20/1257232/Zero-Day-Vulnerabilities-In-Firefox-Extensions
"Firefox most vulnerable browser, Safari close second": http://www.net-security.org/secworld.php?id=8489 . Secunia is saying pretty much the same thing. -
security products .. ?
Security isn't a 'product' that you can bolt on. Security is something that has to be built in from the ground up. A primary function being irrevocable auditing of all activity on the system. How you can design a 'security product' that doesn't accurately log activity beggars belief. These 'products' sound like the typical management process of covering their arses with certificates.
'Incomplete or inaccurate logging of who did what and when accounted for 58 percent of initial failures'
-
Re:BIND security hole - are you patched?
Slightly off-topic, but just a reminder: have you patched the BIND security hole yet? If you're running BIND 9 and your server is the master for any domains (including localhost), and you haven't patched this week, one malicious packet can crash your server.
Crashing your server, now that's a bit extreme. It actually causes Bind9 to exit on the master server. Which whilst inconvenient, isn't worth being too hysterical about. Any DNS admin worth his salt has geographically and network-dispersed slave servers to handle queries when the primary cannot be contacted.
I did an
apt-get update && apt-get install bind9
yesterday, so my master dns server is safe now
-
Re:I still worry...
Yeah Oracle's never had injection problems either right....
-
MyDoom's denial of service attack on SCO
"This one is different and much more troubling, since it harms not just our company, but also damages the systems and productivity of a large number of other companies and organizations around the world. The perpetrator of this virus is attacking SCO, but hurting many others at the same time"
"There are computers with incorrect clock settings that may already be firing off an attack," against SCO's site"
Curiously enough SCO's site was hit before the virus was set to trigger and a company Centershift based in the same co-location facility was hit at the same time and/or were having contemporaneous problems with the same hosting company. And iirc the DNS record for www.sco.com briefly disappeared at the time.
-
The Nigerians are looking for the gold
They read about it on the Interwebs, and co-opted their spam partners to do the dirty work.
Really. Scouts honor.
-
Re:Bullshit
Here's the guy in question:
http://www.net-security.org/article.php?id=467
As if his reputation wasn't already in tatters, this guy states "I must admit that I am a power user of Windows XP"
!!!
-
Re:Hmmmmmm Funny that you should mention
the paperclip (alluding to magnetism)... My initial thoughts are that this is a successful (achieved, whether or not the victims want it to be a) sabotage act. We already heard that crackers broke in but were contained or blocked. Often, thefts and heists are facilitated by insiders. I wonder which (if any) internal "agents" is a mole. Even just yesterday, having read the link about acts of internet sabotage/cyber attacks:
http://net-security.org/secworld.php?id=6554
I wouldn't be surprised if a US or US-sympathetic student or agent working on the scientific teams helped map the security protocols/topology and insert the mole. Why dare slam the US? Well, because we CONSTANTLY are bombarded with what appear to be outrageous lies about *China* constantly attacking (when "probing" might be the better description?) US military sites. The report/link on the attacks indicates that China's currently interested or succeeding in planting trojans/bots/mechanisms in less secure academic facilities. And, the US' Semiconducting super collider never took off:
http://www.npr.org/templates/story/story.php?storyId=94481272
So, who knows with unassailable certainty that the US (aside from risking losing access to treasured scientific Data from the LHC) wouldn't have tinkered with the idea of delaying or sabotaging the LHC? NOBODY! But, there could be other culprits, to be fair...
OTOH, if there are any Chinese nationals as scientists/workers there, i doubt they'd have a motivation for doing it. It's not as if they have a domestic collider program. They're busy with the ship construction, manufacturing, and space programs - and, i suppose, - if Crawl Street implodes, they will try to advance Shanghai or other places as financial centers, inviting in many of the brightest being purged or dropped from New York. And, who's to SAY (with certitude and factuality) that the US WILL AND SHALL remain the financial processing center of the world? NO ONE can.
Anyway, I bet any overheating or tube/ring failures will end up being reported as unfortunate mechanical failure. Even if it is sabotage, it'll be kept hushed to not help any attackers know for certain that THEIR act was the one that did in the LHC and deflated the short-lived jubilation felt over activation of the LHC...
-
Re:So it's become real...
Perhaps you should check the CNN news reports?
*WOOSH*
-
Re:So it's become real...
Perhaps you should check the CNN news reports?
-
Nature of the attack
It's reasonably obvious from the CERT advisory how an attack would work. The CERT advisory tells us that the vulnerable systems are ones where the 16-bit DNS transaction ID and the 16-bit port number for a transaction are not randomly chosen. The CERT advisory also tells us that the attacker must be able to spoof IP addresses, that is, they must not be behind some ISP with egress filtering. CERT also tells us that it's a DNS poisoning attack.
So it looks like a form of this attack documented in 2003 at "Cache Poisoning using DNS Transaction ID Prediction". Back in 2003, it took a large number of packets to make this attack work, and even then it wasn't reliable. But there may be a more cost-effective attack strategy if you know how the DNS server assigns transaction numbers and ports.
The fundamental problem comes from 1) the fact that source IP addresses can be forged, and 2) the DNS transaction ID, at 16 bits, is far too short to be considered a useful random key. Any key with security implications should be at least 64 bits and be generated by a crypto-grade random number generator.
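The comment above makes two separable points: a sequentially assigned transaction ID can be predicted from one observed query, and even a random 16-bit ID is a small enough space to brute-force with forged replies. The following added example (written for this page, not by the commenter or any DNS vendor) models just the two fields an off-path forger has to match, the UDP source port and the TXID, and measures both effects: prediction against a sequential scheme versus a random one, and the blind-guessing probability for a 16-bit versus a 32-bit key. The resolver model, the attacker strategy and the seeds are constructed; real resolvers have more state, but these are the fields that decide whether a spoofed reply is accepted.

```python
"""Model of off-path DNS reply forgery against predictable vs. random (port, TXID) pairs.
Added example for this page; the resolver behaviour and attacker strategy are a constructed model."""
import random


class ResolverModel:
    """Only the two fields a forged reply must match: UDP source port and 16-bit TXID."""

    def __init__(self, random_txid: bool, random_port: bool, rng: random.Random):
        self.rng = rng
        self.random_txid = random_txid
        self.random_port = random_port
        self.txid = rng.randrange(1 << 16)
        self.port = 53  # legacy behaviour: fixed source port, so only the TXID varies per query

    def next_query(self) -> tuple:
        """(port, txid) the resolver will accept in the answer to its next outstanding query."""
        if self.random_txid:
            self.txid = self.rng.randrange(1 << 16)
        else:
            self.txid = (self.txid + 1) & 0xFFFF  # sequential TXID: the weak scheme
        if self.random_port:
            self.port = self.rng.randrange(1024, 1 << 16)  # about 16 extra bits of entropy
        return self.port, self.txid


def make_resolver(random_txid: bool, random_port: bool, seed: int) -> ResolverModel:
    """Deterministic resolver instance for repeatable measurements."""
    return ResolverModel(random_txid, random_port, random.Random(seed))


def predict_next_sequential(observed: tuple) -> tuple:
    """Attacker strategy from the 2003 paper's setting: learn one (port, txid) by making the
    resolver look up a name whose authoritative server the attacker runs, then guess txid + 1."""
    port, txid = observed
    return port, (txid + 1) & 0xFFFF


def spoof_hit_rate(resolver: ResolverModel, predict, trials: int) -> float:
    """Fraction of trials in which one forged reply per victim query is accepted."""
    hits = 0
    for _ in range(trials):
        leaked = resolver.next_query()   # query to the attacker's zone: fields observed on the wire
        guess = predict(leaked)
        target = resolver.next_query()   # query for the victim name the attacker wants to poison
        hits += guess == target
    return hits / trials


def forgery_success_probability(key_bits: int, spoofs_per_query: int, queries: int) -> float:
    """Blind guessing: P(at least one of k distinct forged replies per query matches, over q queries).
    Each query is an independent trial because the resolver picks a fresh key per query."""
    p_per_query = spoofs_per_query / 2 ** key_bits
    return 1.0 - (1.0 - p_per_query) ** queries


if __name__ == "__main__":
    print("sequential txid, fixed port :", spoof_hit_rate(make_resolver(False, False, 1), predict_next_sequential, 500))
    print("random txid, fixed port     :", spoof_hit_rate(make_resolver(True, False, 2), predict_next_sequential, 2000))
    print("random txid, random port    :", spoof_hit_rate(make_resolver(True, True, 3), predict_next_sequential, 2000))
    print("blind, 16-bit key, 100 spoofs x 1000 queries:", forgery_success_probability(16, 100, 1000))
    print("blind, 32-bit key, 100 spoofs x 1000 queries:", forgery_success_probability(32, 100, 1000))
```

The numbers make the comment's argument concrete: with a sequential TXID and a fixed port the attacker wins on every attempt after seeing one query, and with a random TXID alone a modest flood of forged replies across a thousand induced queries still succeeds most of the time, whereas adding a random source port pushes the same effort below one in ten thousand. That is why resolvers randomize both fields, and why the attacker needs to spoof the authoritative server's source address, which egress filtering at the attacker's ISP would block.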
-
Re:Goes to show ...
This, IMHO, goes to show that Ruby isn't any better at security than the other Open Source interpreted languages. Fixed that for you.
And it never claimed to be. I don't know anyone who uses Ruby because it's more secure. Everyone I know who uses Ruby does so because of the beautiful syntax, pervasive OO, and other things that make it nicer to program in.
far less mature than, let's say, Python or PHP. Oh, really? And again, it's not the security. I'm willing to risk having to patch my interpreter like this once in awhile, if it means I'm able to
Keep in mind, this vulnerability is so far only a DoS, and won't necessarily affect most installations. Most people run multiple interpreters serving a single site, each load-balanced to. Knock out one and it'll be restarted, while the other continues to serve content.
Which brings us to your next point...
A matured, tested and established mod_ruby, unicode and a few years more in the field is what Ruby needs before I take a look at it. Well, let's see -- Unicode has existed, albeit not great, for quite awhile. 1.9 has had Unicode strings from the beginning. mod_ruby -- you do realize pretty much no one in the Ruby world uses Apache, right? It's all mongrels and nginx... But if you must, there's Passenger.
a few years more in the field is what Ruby needs before I take a look at it. Obviously, you really haven't taken a look at it.
-
the real story ..
"What started as a simple examination of phishing sites, turned into an extraordinary view of the ecosystem that supports the phishing effort that plagues modern day financial institutions and their customers"
The real story is who built such an 'ecosystem' that makes phishing such a successful enterprise and what indemnification does the maker of such systems offer the end user.
"They have collectively caused billions of dollars in losses, and ruined the lives of many citizens whose identities they have stolen and abused"
What end user Operating System do these phishing efforts require in order to be successful? For instance how many phishing efforts have been successful on the current Apple Mac OS?
-
Re:MS has no right to steal consumer data.
In response to "stolen" data.... Ever used a PE boot disk? Works wonders on borked installs to get data off a hard drive where the native OS won't boot. You are still in possession of your data. They are simply refusing to facilitate that retrieval, since you are not a legal, paying customer.
What about when hard drives have OS support for hardware encryption? http://www.net-security.org/secworld.php?id=5461
Windows Palladium/TPM will eventually require hardware that will prevent you using a boot disk to bypass any security.
-
Re:This sounds familiar...
To be fair, Bill Gates denied saying it, and nobody has come up with an original cite or witness to the quote. That doesn't mean that he didn't say something "wrong or stupid" (which he admits to doing on other occasions). Not like he hasn't been wrong in the recent past (SPAM predictions, for example - it's been two years, Bill, and it's getting worse).
-
Re:Romania????
Other articles noted that the investigation includes Romania - http://www.net-security.org/secworld.php?id=4352.
This article in the Washington Post appears to be the most comprehensive - http://blog.washingtonpost.com/securityfix/2006/11/14_arrested_for_credit_card_ph_1.html
-
Re:A modest proposal
See: http://www.net-security.org/vulnerability.php?id=26768
Any complex enough system will have vulnerabilities. Live with it.
-
more and more upgrades.
It's been stated in Help Net Security that the only solution to this problem is to:
Upgrade to version 0.9.8c, 0.9.7k or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
'No known workarounds' seems like quite an exaggeration!
It's normal for technologies to be upgraded, right? But u have to admit though.. everything seems to require regular upgrading nowadays. At least once! Even humans need a so-called self-upgrading. What more technologies which are created by humans?
To those of u (humans), who are still yet to realise what security complications would be seen from this vulnerability issue, here are some of the major classifications effects:
1. Remote vulnerability
2. Impact on integrity
3. Exploit unknown
4. Verified
http://www.net-security.org/vulnerability.php?id=28549
".. winners don't do different things, they do things differently."
-
Re:Good Training
I cannot give enough praise to The Training Camp. I just got back from their Pennsylvania facility a few days ago. I took the MCSA course. It was one of the most enriching experiences of my life. The classes definitely focus on passing the exams. But you can't really pass the exams without knowing what you're doing. I have virtually no network admin experience, but I still did well in the course. I learned how to manage a network as well as how to pass the tests. The instructors at The Training Camp literally write the books that you'll find in the computer section of all the major bookstores. Check out this article about the publishing accomplishments of the instructors. http://www.techtrain.com/us/press_release.asp?id=48
One of those trainers, Andrew Whitaker, was asked by Cisco to try to hack into their network and then write a book about it. Cisco isn't going to ask just anyone to do that. Another instructor not mentioned in that article is Steve Kalman. Interview and background info on him here http://www.net-security.org/article.php?id=410. He teaches the CEH and CHFI courses at TTC. In addition to having nearly 40 years in the computer field, he is also an attorney. So he's an authority on computer laws. Still another instructor who has published is Roger A. Grimes. Articles by him here http://www.windowsitpro.com/Authors/AuthorID/1293/1293.html. Honored by Microsoft as a Most Valuable Professional http://www.trainingcamp.com/us/press/pr_02_05_04.asp. The Training Camp is the only place for me. You won't be disappointed if you go there. It's worth every penny.
-
Re:nice!
It is an unrelated correction:
...As a result of this discrepancy remaining unnoticed until now, the FreeBSD kernel does not restore the contents of the FOP, FIP, and FDP registers between context switches. -
Re:Protect yourself in one click
This is quite a nasty little exploit so I suggest making the change ASAP.
I did this years ago.
Can someone remind me what is the point of a browser allowing "driveby downloads" and automatically launching the content of the download?
Safari has a nice download manager that lists the most recent downloads, and simply double-clicking on the one you trust and want to view is up to you.
This issue is at least a year old: http://www.net-security.org/vuln.php?id=3461
Is it too much to ask for normal users to double click on a file to launch it? This is what we used to do, and still do with email, ftp, removable media, networked drives, everything. What is the point of a driveby download and launch? -
More securing OS X links/pdf's etc
http://www.nsa.gov/snac/
http://www.net-security.org/dl/articles/Securing_Mac_OS_X.pdf
http://eq.rsug.itd.umich.edu/software/radmind/
http://homepage.mac.com/hogfish/PhotoAlbum2.html
Best tip (not a flame) - simply don't run any Microsoft software; support open or other vendors' software please, also W3C standards, thanks. -
Re:I wonder..
I've seen other studies where people revealed their passwords for a candy bar or the price of a latte.
Scary. -
Re:Wonderful! So, let's kill the spammers already!
The US is still the world's largest spammer. Perhaps we should imprison American spammers rather than Brazilian ones if we want to reduce spam.
Brazil only produces 6.17% of all the spam in the world, compared to US's 42.53%. -
you have to steal their mojo. We're not communists, we're "software terrorists",
He already tried that but it backfired. M$ tried to blame windoze viruses and worms on FOSS. It was easy to show that the worms were written on Windoze by people who know about Windoze. All the accusation did was admit that there was a worm problem and give a good example of blame shifting. It also highlighted the relative security of free software.
Concentrated efforts by real Communists against free software have failed. No automated worms have emerged, despite the majority use of free software in typical targets of such efforts: high profile corporate webservers.
Microsoft themselves have engaged in such activities against previous competitive threats. There are court documented cases of them breaking code for DrDOS, Netscape and a host of others. It would be interesting indeed if they were to try to classify such activity as "terrorist".
If there is a software terrorist threat, it's dependence on Windows. Windows systems, including large banks, have continued to be trashed and this has an effect on public morale and institutional confidence.
Mojo, free software's got it, M$ don't.
-
Automatic human pronounceable password generators.
Good human pronounceable (thus easy to remember) passwords can be generated using tools like these; it is even part of Debian (apt-get install apg). Try it out; the generated passwords are generally very good, a mix of cases, numbers etc.
-
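A small apg-style generator, added here as an example (it is not apg's own code and does not use its FIPS-181 tables): it builds passwords from consonant-vowel syllables with the `secrets` module and computes how much entropy the pronounceability constraint costs compared with uniformly random characters. The syllable alphabet is constructed for the example.

```python
import math
import secrets
import string

# Constructed syllable alphabet for this example (not apg's FIPS-181 table).
# Every syllable starts with a consonant and holds exactly one vowel, so joining
# syllables never puts two vowels or three consonants next to each other.
CONSONANTS = "bdfghjklmnprstvz"
VOWELS = "aeiou"
CV = [c + v for c in CONSONANTS for v in VOWELS]          # "ba", "be", ...
SYLLABLES = CV + [s + c for s in CV for c in CONSONANTS]  # plus "bak", "bem", ...


def pronounceable_password(n_syllables=4, digits=2):
    """Join random syllables, capitalise one of them and append a digit suffix,
    so the result mixes case and numbers as the comment describes."""
    parts = [secrets.choice(SYLLABLES) for _ in range(n_syllables)]
    i = secrets.randbelow(n_syllables)
    parts[i] = parts[i].capitalize()
    suffix = "".join(secrets.choice(string.digits) for _ in range(digits))
    return "".join(parts) + suffix


def entropy_bits(n_syllables=4, digits=2):
    """Size of the output space in bits. A pronounceable scheme draws from far
    fewer strings than uniformly random characters of the same length."""
    bits = n_syllables * math.log2(len(SYLLABLES))  # which syllables
    bits += math.log2(n_syllables)                  # which one is capitalised
    bits += digits * math.log2(len(string.digits))  # the digit suffix
    return bits


def is_pronounceable(word):
    """True if the letters never run two vowels or three consonants together."""
    vowel_run = consonant_run = 0
    for ch in word.lower():
        if ch in VOWELS:
            vowel_run, consonant_run = vowel_run + 1, 0
        elif ch in CONSONANTS:
            consonant_run, vowel_run = consonant_run + 1, 0
        else:
            return False
        if vowel_run > 1 or consonant_run > 2:
            return False
    return True


if __name__ == "__main__":
    pw = pronounceable_password()
    uniform = math.log2(len(string.ascii_letters + string.digits)) * len(pw)
    print(pw, f"{entropy_bits():.1f} bits vs {uniform:.1f} for random alphanumerics")
```

The default settings yield roughly 50 bits, so a pronounceable password needs to be longer than a random one to reach the same strength.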
Re:NAT
Talk her into a Mac, if you can.
I'm serious. As a child, I was an "Apple II for all" kid. Then I became one of those "Macs are too easy and wimpy" teens. In college, however, I became a "Hey, I can do work, I'm an addict!" person. Then I became a security wonk, and I'm a "Gee, why can't I find hardly any information on hardening OS X? It's not perfect" kind of person.
I don't believe it's possible for the average user to run Windows cleanly. You have to know too much. I've heard my security-wonk coworkers joke about how much spyware they had after a scan (and yeah, they're not great security wonks, but they were well above me on the food chain). If yer average security wonk can't keep his stupid box clean, then there's a problem with both the box and the user, not just the user.
I don't believe that OS X is perfect. There are exploits that work. Safari has some of the same problems IE does (minus the whole hooked-into-the-OS issue). You have to look really hard to find the issues, though. And for getting actual work done, they're a wonder. The built-in software does much of what regular users need. The interface is pretty and clean. And with BSD underneath, I've found that they're a lot easier for linux-geek techie friends to suss out.
I've come to the conclusion that Macs really are the best computers for most of the population. You don't get owned out of the box. You can download your security patches on modem--they come separate from the OS updates. You can safely read The Register. Even my Classic-emulated Office doesn't crash on OS X.
Hardware costs are pretty much at parity for brand-name devices. The cost problem tends to be with replacing software. But there is a useful shareware community for Macs, Fink is pretty well-regarded, and commercial software can be found. Consider how much a password-sniffing Trojan might cost and cough it up.
Thus endeth annoying advice.
-
Re:Dear slashdot...
I know you like my dad way more than his dad, and his dad works for a corporation and therefore cannot be superior. Please ignore how often my dad has a nervous breakdown.