Domain: securityfocus.com
Stories and comments across the archive that link to securityfocus.com.
Comments · 2,651
-
Re:It's the open source!
By that logic Apache should have more exploits than Microsoft's web server
It possibly does.
361 Apache Advisories on Bugtraq VS 141 IIS advisories
A rough and cheap example, but nevertheless a belief that Apache is somehow super secure is a nonsense.
The many eyes argument is a tired one - how many people actually check the code, how many of those people are experienced enough to find vulnerabilities?
Look at the DARPA funded Linux Security effort. It died because no one was contributing.
Open source is great because you can read the code, but a belief that someone else must be auditing that code leads to security through delusionment - unless YOU are auditing the code, and unless YOU are trained to know how to audit it well, don't assume anyone else is. -
this was on cryptome
This was on bugtraq a week or two ago:
Check it out and there was a discussion of it a few days later.
Someone actually has a whole forum dedicated to finding things you can do with google here.
Apparently this was even a DEFCON speech subject. -
This should allow access to t-mobile voice mail
This bugtraq report shows that T-mobile customers are vulnerable to caller id spoof access to voicemail in the default configuration. I wonder if this provides sufficient spoofage.
-
Was going so well
So it started with technological innovation, and saw rapid development through the cooperation of governments and universities. It was refined and improved thanks to the effort of a bunch of awfully dedicated academics to the point where it could merge with mainstream technologies (talking PPP over analog phone modems). The new worldwide resource gave us the ability to communicate like never before.
Things were going so well, until the marketers came on board and started flooding people with ads and junk whatever way they could find. Spam was funny at first; now it's a serious waste of bandwidth and resources, with business people resorting to purely criminal activities in order to flood their advertising and harm benevolent volunteer organizations. Thanks to dirty business the Internet has become a battle ground. Spyware and even viruses are directly linked to immoral advertising/spam.
Now, I don't hate marketing people (I run a business, and am a student in Management) but it's safe to say that immoral marketers are f*cking up the Internet.
-
Old news...
Almost two years old, in fact:
http://www.securityfocus.com/news/613
I'm sure one could find even earlier discussions of this vulnerability.
k. -
Let's face it
michael has pulled a fast one on the Slashdoterati: taking into account that not reading the article is widespread enough on /. that it has its own abbreviation, by submitting a story which could not be judged by its cover has managed to pull a large prank which will not be forgotten by those who were here today. I wonder if this will motivate /.ers to read the article before posting. -
Re:I agree
It's some sort of a spider looking for weak ssh accounts.
Check out the SecurityFocus Incidents-mailing list for details.
-
normal for this time of year
It's really normal to notice a huge increase in attacks this time of year. With the passing of defcon and black hat this month, a lot of new security vulnerabilities have been released, and all of the 'script kiddies' are eager to try them out. The best thing to do is make sure all your software is up to date, and get familiar with the new vulnerabilities that are out so you can protect yourself.
As far as reporting them, you could try all day and not be able to report all of them, and even if you did, they're most likely attacking from someone else's vulnerable machine. The only thing you can really do is watch out for anyone who's aggressively attacking you (i.e. one person who's running lots of attacks on you trying desperately to break into your machine at any cost), and report those ones, or if you can find a way to contact that person, tell them to stop before you report them to their isp and/or authorities, this will usually scare most people off.
Once you do start paying some decent attention to security releases, a lot of these stupid things people try won't surprise you, like the ssh root attempt is because some tool came out recently that just scans netblocks for anyone running ssh and tries logging in as two different users with no password, root being one of them. If you're not familiar with where to find security releases, here's some good places to start:
packetstorm security
Security Focus -
Other articles
There was a three part series on Metasploit on SecurityFocus in July. See here
-
Bugfree OSS
-
Gaim security
Yet another reason to switch to, IMHO, a better client such as gaim.
Gaim's security doesn't look very good either. Switch if you like, but don't expect it to be any more secure.
-
Live example
Recent research supports the belief that one well chosen password will defeat most intruders and that enforced rotation leads to weak passwords.
Here in work I've implemented a reasonable level (read: what you get for free from MS) password policy on the GC/DC (it's a MS shop).
Passwords:
* Vary between Upper and Lower case
* Contain at least 1 number
* Have a minimum of 8 characters (MacOS9 users are only allowed to use 8 unless they have the MSUAM)
* Forced change every 90 days
* Differ from the 3 passwords used previously
In addition we encourage users to pick strong passwords:
Good Passwords contain:
* Multiple small words (let me in now: LetM3In0w)
* Unusual keys (open at eight : 0pEn@Ate)
* Personal Acronyms (open now please : 0pN0Plez)
* Replace letters with numbers (close please : C7o53p7z)
* Misspelled or nonsense words (close please : klOz3PeaZ)
* Offset the Number/Word (to home sweet : H0m325we3t)
* Non-sequential words from songs/poems (home of the brave: 7hebRaFovH0m3)
* A combination of the above!
Bad Passwords contain:
* Countries or Place names
* Names (First or Last)
* Anything Workplace related
* Historical events and Dates
* Personal information: Phone numbers, Birthdays or Social Security numbers
* Dictionary (English and Foreign language) words
* Consecutive numbers
* Popular phrases separated by spaces, underscores or a hyphen
I recently conducted an audit using the excellent @stake LC5. I used the SAM agent import feature and not the sniff the wire capability. It cracked 26/196 passwords in less than 50 seconds with straight dictionary attacks tho' to be fair it was running checks against the weaker LM password. It finished the run with 96/196 successful cracks in around 11 hours using the dictionary, hybrid dictionary/brute force and straight brute force cracking.
It got many "strong passwords" chosen using the above methodology which is similar to the previous post. I am not too worried as ANY password is vulnerable to determined brute forcing. That's the reason you combine strong passwords and an x-attempt lockout policy.
The bonehead central office still enforces the password rotation despite the evidence that users are sabotaging the process. I sincerely believe this collision of function and security is a zero sum game: the users need to work meeting a complex security process irrespective of the necessity.
I am actively looking into 3rd party DC/GC extensions which perform the routine checks LC5 used so successfully and that have been in use on *nix systems for years. I'd love to hear from any1 in a similar situation. Please note I had reservations purchasing from @stake based on their abhorrent treatment of Dan Geer and evidently vindictive successive OSX disclosure campaign. -
Re:Helps wardrivers find the good stuff...
Maybe someone will write a program that lets them dial up all the company's phone extensions looking for illicit modems.
You mean Toneloc? Good times, good times... :-)
One time, we found a phone number that apparently patched through to the PA system in a warehouse somewhere. No menu or anything, you simply called this number and your voice was broadcast throughout some warehouse somewhere. You could also hear what was going on in the warehouse.
-
Re:DOn't believe it
Nokia admits that some of their phones are vulnerable to bluesnarfing.
Security Focus also has some good information.
or blue stumbler or bluejackQ might interest you.
-
The MacOS security myth
Here is some clue:
There is a common misperception that Apple's various releases of MacOS are more secure than alternatives A, B and C, and that "you can't hack a Mac". That, of course, is pure bullshit. The evidence often cited to support that outlandish claim is the lack of viruses or "hacking" incidents involving MacOS personal computers. One of the, if not the most important, factors in the "popularity" of a virus or worm is the popularity of the host it is designed to affect. MacOS may comprise a mere 5% (which is probably lower than the proportion of Linux desktop users) of desktops today, however Apple's products dominated back in the day. They have since lost that dominance to a little upstart based in Redmond, Washington ;)
Anyways, I think a review of some malicious code history is in order.
As you can see from the history, the bit of code considered to be the first virus. Elk Cloner spread from machine to machine on floppy disks. Of course, Apple was the shiznit at that time, and kids could get access to them in school.
Fast forward to 1986, and we see the first viruses hitting MS-DOS, which was starting to become popular at that time. The first self-replicating bit of malware (aka worm) was identified in 1987, affecting IBM mainframes.
It wasn't until 1988 that the first virus-related crisis broke out, but that often overshadows the fact that 1988 also marked two new viruses for the Apple Macintosh, including the first major outbreak. The Mac was still a very popular desktop at this time, both for business and in the educational sector.
Over the next few years, Apple's popularity decreased while Microsoft got a stranglehold on the desktop computer market. PCs running Windows started to become affordable, moreso than Apple's products, and personal computers spread rapidly into homes. With this increase in popularity came an even more rapid pace in malicious code being seen out in the wild.
It doesn't take much brain power to see that viruses, worms, trojans, and other malware are written for the big targets. Vulnerability in the target certainly plays a role, and both Apple and Microsoft have had their share of attention. Microsoft gets a far bigger share, of course. Given that they comprise roughly 90% of desktop PCs, it should be no surprise that the kiddies who write viruses are both using and targeting Windows products. It also doesn't help that Microsoft is only starting to really get a clue about security.
However, this shift has resulted in the misperception that I mentioned at the beginning of this post. Is Apple a victim of the "you can't hack a Mac" delusion? There is some evidence that they are. A recent Security Focus article discusses a recent vulnerability in MacOS X - Apple patches critical Mac OS X hole:
The hole was discovered by a German techie called "Lixlpixel," who claims to have reported the bug to Apple on February 23rd. It wasn't until nearly three months passed without any response from the Cupertino, Calif. computer maker that Lixlpixel went public with the hole, when discussions about it began showing up in online forums, he says. Security services firm Secunia confirmed the vulnerability and released a formal advisory on Monday. Secunia rates the bug "extremely critical."
Apple's responses to the reports ranged from silence, initially, to smug assurances that customers are not at risk and that MacOS X's UNIX core is more secure than most. UNIX may have better inherent capabilities for security than Windows due to design, however a poor implementation of a UNIX-based system is equally (if not more) vulnerable than most systems ("most" being everything that isn't UNIX).
The big question is whether or not Apple has a good and secure implementation of UNIX at the heart of their product? Short answer: hell no. One of the pred
-
Re:90% of the internet is vulnerable ...
Bind9 isn't vulnerable to that. Heck, I doubt even bind8 was.
That's not what this securityfocus article says.
-
Re:Terrorists embedding code, no more secure ratin
That's what I was thinking about. Really interesting to see how Microsoft responds to that question, here's one of their previous responses: http://www.securityfocus.com/news/191
-
A better article on Solaris 10 security
-
Re:Funny How Great Minds Think Alike...
It has been reported that the FBI uses Darwin based MacOS machines internally, in part because of their out-of-the-box superior security.
-
Cross-site scripting
It seems like there is a major problem with cross-site scripting that is very hard to fix in all cases. For example, here's one related to Passport. The point is that css is hard to fix because you can't guarantee that another website that uses the same single signon system won't be vulnerable. So if there is a single signon system, then it seems to me that it's all only as secure as the most insecure website in the network.
-
Re:Tripwire
-
"Assistive" technology
Slightly OT, but particularly ironic, I think, is a little problem in Utility Manager:
The Microsoft Windows 2000 operating system family supports a feature called Accessibility Options. [...] The Utility Manager runs as a Windows service [...] within the interactive desktop with Local System privileges. [...] winhlp32.exe was executed under the Local System account.
Microsoft originally fixed this in MS04-11. But how? They just removed the menu entry, but forgot about all the other ways the help system can be invoked.
Really assistive of them to help 'em gain Admin...
-
for windoz world
-
Re:BugTraq and NTBugTraq
In addition to BugTraq and NTBugTraq, Full-Disclosure is another excellent vulnerability list, and is always a week or two ahead of the "official" advisories.
For other lists, Fyodor's SecLists.org is the list of security mailing lists. -
Ummm? Specifics?
What do you find interesting, and what do you need to be informed about?
Security?
Wine updates?
http://seclists.org/
http://www.cert.org/
Those are interesting and informative for me, but a perl developer can probably give a damn about the latest nmap release.
What are your needs? -
Re:Fixed in SR2?
So what you're saying is that it's taken at least 2 years (and counting) for Microsoft to fix the shell: URI handler, despite having multiple exploits?
Yes, I agree!
Microsoft keeps patching the various ways to invoke it incorrectly due to their pathetic clinging to zones as an effective security mechanism. XP is a leaky ship and conceptually they've kept deciding to shove off and jury-rig plug the holes as they go along. They need to put the damn thing in dry dock and fix the hull or else, sooner or later, the people running XP are going to drown. -
Re:Fixed in SR2?
Of course, that also means that Microsoft knew about the problem for 2 years as well. Remember, this is only a problem because Microsoft isn't handling shell: correctly.
Not Invented Here has been in full swing at Microsoft for far, far too long. SP2 getting delayed to August is just the tip of the iceberg due to the mess they're trying to clean up.
The Microserf workload just got increased. Poor serfs. -
Re:Microsoft are lying to us
the IE big wig thinks that all of his engineers should have other browsers installed to see what they can do
Right, to see what they can do. This has nothing to do with *COUGH* the vulnerable nature of Internet Explorer. Looks to me that Microsoft was just following CERT's suggestion to stop using it.
-
Re:Let's not forget...
-
Re:Great?
Speaking of security...
Take a look at this story:
-
SecurityFocus.com
While a good book is always great, most of this stuff is already on SecurityFocus. Not to mention is home of the bugtraq mailing list. I find a lot of the material is already covered in their infocus articles, plus some of the best hackers out there, both white hat and black hat, are on the list and give some of the best tips.
-
Re:A great little twist
Writing email saying it's been virus checked is just a simple form of "Social Engineering"
... -
linux
It's interesting that while slashdot is quick to report on flaws in Windows and IE, they refuse to report on linux vulnerabilities.
-
Windows 9x and Windows ME users still vulnerable?
According to SecurityFocus, Windows 95, 98 and ME users are also vulnerable. So why is this patch only for Windows NT, 2000, XP, and 2003?
It does NOT run on Windows 98.
Oh, I remember, Microsoft only produces patches for "supported" (if that's what you can call it) products. -
Re:Its About time
Holy smokes batman! I don't know if anyone else read this article, however it says that IE has had 153 holes since 18 April 2001, and 6 this month alone! I knew IE was bad, but that is not even acceptable.
-
Re:48 Hours
Stupid Mods. If you don't know what the poster is talking about, don't mod it. Just leave it and go to the next post.
He is referring to this Security Focus article
From the article,
Still, speaking at a press conference here Monday, Gates told journalists that Microsoft's patching process compares well with competitors'. "You know, the time -- the average time -- to fix on an operating system other than Windows is typically ninety to a hundred days," said Gates. "Today we have that down to less than forty-eight hours."
I already posted link to this article here -
Re:Its About time
Hooray for the Department of Homeland Security! LWATCDR is not the only person that has been saying "get off of IE" for a long time.
"We all know this is true: IE is a buggy, insecure, dangerous piece of software, and the source of many of the headaches that security pros have to endure (I'm not even going to go into its poor support for Web standards; let that be a rant for another day). Yes, I know Microsoft patches holes as they are found. Great. But far too many are found. And yes, I know that Microsoft has promised that it has changed its ways, and that it will now focus on "Trustworthy Computing." But I've heard too many of Microsoft's promises and seen the results too many times. You know, fool me once, shame on you; fool me twice, shame on me. Who's shamed when it's "fool me the 432nd time"? Who's the fool? We're security pros, and we know the score. It's time. It's time to tell our users, our clients, our associates, our families, and our friends to abandon Internet Explorer."
This was linked from Coolio's a porn link site, where people have a lot of experience with state-of-the-art browser exploits, and where the advice is "turn off everything, or get another browser". -
My reading list...
I've pretty much stopped reading paper magazines for tech news... Slashdot and related links keep me in tune with what's going on in the tech and scientific worlds.
Subscribing to the SecurityFocus mailing list keeps me alert to the latest bugs, exploits and such.
For "news" news, I keep an eye on the New York Times and the Washington Post.
Like a poster above, I read The Economist as regularly as I can... it's a great source for stories from a non-US perspective.
Because it's an election year, I look at and subscribe to factcheck.org - they do a great job of analyzing political advertisements and correcting the exaggerations and outright mistruths on both sides.
Last but not least, Arts & Letters Daily always has quite a lot of thought-provoking articles and essays.
-
Re:Where's MS
-
SF article
SF has an article regarding this.
Gates Defends Microsoft Patch Efforts -
Re:Ah... good old hoaxes...
Of course it didn't concern me because I read my email with pine
Pine Message/External-Body Type Attribute Buffer Overflow Vulnerability [Sep 10, 2003]
Pine From: Field Buffer Overflow Vulnerability [Sep 23, 2000]
Pine 4.x Remote Command Execution Vulnerability [Jun 28, 1999] -
Re:exploder
Nuclear power plants have already been affected by Micro$hit's crappy software. Take a look at this link for more details. Basically, the monitoring system was taken offline due to Blaster. Luckily, a meltdown didn't occur, but we may not be so fortunate in the future. Do we really want Micro$hit software running these plants? Ask yourself, would you live next to one of these plants?
-
Re:How to spot what is happening
Another good rootkit checker, which seems to have a more active development cycle, is Rootkit Hunter. Here's a Newsforge article on it, with a few more details.
A few other comments:
Virus scanners won't help one jot against a custom hack (as Valve found out, for instance). They can be helpful, but don't put full reliance on them.
Running an Intrusion Detection/Prevention System such as Snort, Samhain, Prelude, etc. will help you manage the monitoring side of things; more than a few machines becomes a pain without additional help. Also take a look at centralising all your logs on a syslogng server or something similar, if you don't already (note that there are various solutions out there to get Windows boxes to log to a syslog server).
A honeypot may distract the hacker from your production servers for long enough for you to identify that there's a problem.
Also take a look at "HoneyTokens": specifically created database records that trigger alarms if they're accessed - usually high profile fictitious targets that would make excellent trophy hacks - there's more info on this over at SecurityFocus.
If you suspect that a machine has been compromised, as others have said, the ONLY WAY TO BE SURE is to rebuild the box from scratch. While this may be a real pain, hopefully it'll help you get the procedures in place to make this as painless as possible, so it's not all bad.
Perform security audits/pentests every now and again. Tools like Nessus help: here's a good series on using Nessus (part 2, part 3).
Get familiar with security tools such as the top 75 recommendations at Insecure.org (home of Nmap).
Remember that security is a PROCESS, so be thorough; get an entire plan together and cover all the bases that you can, taking special care to identify and cover the weak points. Your company's security is only as good as its weakest link; for instance, privilege escalation of weak user account passwords is a good one.
Read SecurityFocus, PacketStorm, CERT and the like, and try to get involved in their communities; they can be invaluable! They've also got a lot of good tutorials, such as how to lock down Apache, IIS; securing PHP, ASP; etc. -