Domain: trusecure.com
Stories and comments across the archive that link to trusecure.com.
Comments · 14
-
What about RC4?
RC4 is a stream cipher which has been on shaky ground for a long time. There are two problems with RC4. The first is that the data is not as random as it could be, at the beginning. The way RC4 works, you put in a key and then it generates a string of random bytes which you XOR with your plaintext to encrypt. But there are weaknesses in the randomness of the first part of RC4's key stream. To fix this experts recommend throwing away the first N bytes. The problem is that nobody can agree on what N should be and it keeps going up. It used to be that 256 bytes was enough, then a thousand; now they say several thousand. Such progressive weakness is a bad sign in a cipher.
The other problem is that stream ciphers in general are hard to use correctly. There have been many notorious cases of RC4 being misused. If you use the same keystream twice you get very bad results (similar to using a one time pad twice), and you can xor bits of the ciphertext and have them go straight through to the plaintext. Again and again people make these mistakes.
RC4 has probably been the cause of more security flaws than any other crypto algorithm. The most recent one (the first link above) was just this year. It is time for Microsoft to retire RC4 in new protocols and products. -
Vulnerabilities vs AdvisoriesNote very carefully, they count advisories only once, even though they may include multiple vulnerabilities.
The Windows XP Pro list includes:
- Microsoft Windows 14 Vulnerabilities
- Microsoft Windows RPC/DCOM Multiple Vulnerabilities
- Microsoft Windows ASN.1 Library Integer Overflow Vulnerabilities
- Microsoft Windows RPCSS Service DCOM Interface Vulnerabilities
Actually, Secunia tend to publish alerts based the vendor bulletins. There are better sources for collated vulnerability information, such as Sintelli (free) or TruSecure (fee) which have far higher totals.
-
Another impartial proposal (not)
Russ at NTBugtraq is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly...
- Russ Cooper is editor at NTBugTraq
- NTBugTraq is a division of TruSecure Corporation
- Russ Cooper is chief scientist at TruSecure Corporation
- TruSecure Corporation sells security solutions and services.
In other news, the Haagen Das corporation is pushing a proposal to hasten global warming ...
Another fine impartial article brought to you by Slashdot.
-
Another impartial proposal (not)
Russ at NTBugtraq is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly...
- Russ Cooper is editor at NTBugTraq
- NTBugTraq is a division of TruSecure Corporation
- Russ Cooper is chief scientist at TruSecure Corporation
- TruSecure Corporation sells security solutions and services.
In other news, the Haagen Das corporation is pushing a proposal to hasten global warming ...
Another fine impartial article brought to you by Slashdot.
-
Another impartial proposal (not)
Russ at NTBugtraq is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly...
- Russ Cooper is editor at NTBugTraq
- NTBugTraq is a division of TruSecure Corporation
- Russ Cooper is chief scientist at TruSecure Corporation
- TruSecure Corporation sells security solutions and services.
In other news, the Haagen Das corporation is pushing a proposal to hasten global warming ...
Another fine impartial article brought to you by Slashdot.
-
Another impartial proposal (not)
Russ at NTBugtraq is proposing fines for those whose computers allow the propagation of viruses, worms, etc., knowingly or unknowingly...
- Russ Cooper is editor at NTBugTraq
- NTBugTraq is a division of TruSecure Corporation
- Russ Cooper is chief scientist at TruSecure Corporation
- TruSecure Corporation sells security solutions and services.
In other news, the Haagen Das corporation is pushing a proposal to hasten global warming ...
Another fine impartial article brought to you by Slashdot.
-
IntelliShieldIs there a place that I can go that digests the latest threats and information down in to a nice, clean webpage?
TruSecure IntelliShield is one such service, but it is not free. It pulls together information about a vulnerability from various vendors, mailing lists, and such, and puts it all under one issue. It also has alerts and a shared task list for managing your organization's response to a vulnerability. The alerts can be useful given the fast-spreading nature of recent worms. The task list is less useful since organizations large enough to benefit from it probably have something similar internally.
I have no affiliation with TruSecure, yadda yadda yadda, I just previewed their service for a former employer.
-
IntelliShieldIs there a place that I can go that digests the latest threats and information down in to a nice, clean webpage?
TruSecure IntelliShield is one such service, but it is not free. It pulls together information about a vulnerability from various vendors, mailing lists, and such, and puts it all under one issue. It also has alerts and a shared task list for managing your organization's response to a vulnerability. The alerts can be useful given the fast-spreading nature of recent worms. The task list is less useful since organizations large enough to benefit from it probably have something similar internally.
I have no affiliation with TruSecure, yadda yadda yadda, I just previewed their service for a former employer.
-
Article summary here
Press release with summary of the article can be found... -
Re:Loudest
Open Source Security: A Look at the Security Benefits of Source Code Access
available here -
Disappointed with TruSecure
Our company paid ~$9K for a security audit by TruSecure. I was very disappointed with the work that they did -- their recommendations are basically, upgrade everything to the latest version and try to make it so that people don't know what software you're using. We were seeking their "Site Secure" certification for our server farm. They wouldn't approve me until 1.) our mailserver filtered out nasty types of email attachments (.com,
.vbs, etc.) that could hurt MS clients (even though our company & servers are entirely linux), and 2.) I recompiled Apache so that it doesn't report itself as Apache (but it still says it uses mod_ssl, etc... it's totally obvious it's still apache). They had a few other recommendations that were similar. Their on-site inspector was totally wowed by my Linux desktop (it seemed like he'd never seen one before!).
When I expressed my disappointment with the service, they said that they offer much for thorough audits for more in the $50k range. We paid almost $10k and got basically nothing except the thumbs up from a few companies that we were hoping to do "B2B" connections with... (and a cool "stamp" to put on our site)...
I don't know who I'd choose next time, but I'd steer clear of these guys unless you're ready to spend some big bucks and are willing to really check out what they're going to do for you. -
TruSecure not SecurityFocus
NTBugtraq is actually part of TruSecure, not SecurityFocus. What SecurityFocus has in a separate list called BugTraq. Very confusing...
-
Check out this quote...from USAToday:
Russ Cooper, who moderates a popular security mailing list and works for security firm TruSecure, said Conover's actions are irresponsible. "I think it's better to provide details of the exploit and then let other people write the actual code," Cooper said. "Unfortunately, these are fundamentally naive people with a very childish view of the world."
Hmm. Anyone else sense a little hostility from the for-profit security industry...?
-
Virus Cost according to ICSA
Peter Tippet, vice chairman and CTO of the International Computer Security Association (ICSA), gave keynote speach at the '98 International Virus Prevention Conference called "Virus Costs vs. Various Protection Strategies". The presentation was made available for download here (zip file). The presentation download included a spreadsheet with formulae and statistical data to calculate the quarterly or annual cost of virus activity for your enterprise.
Used in conjunction with the ICSA's annual Virus Prevalence Survey (available here) you should be able to update any '97 data and find out what viruses cost you today.
Both the IVPC presentation and the Virus Prevalence Survey are heavy on both statistics and supporting data.