

gotta love Microsoft

Microsoft Windows Root Certificate Security Issues

I don’t know how much of a problem this is in practice, but be glad if you can run Linux instead.

Posted by markus on Wednesday, July 25, 2007


from the “I told you so” department

Old hard drives yield dark secrets

It’s hardly surprising that old hard drives contain all kinds of juicy information. I’ve said for years that old disks acquired through eBay or the like are ideal for forensics target practice. Having said that, it nevertheless amazes me that free and readily available tools like Darik’s Boot and Nuke aren’t in universal use.

Posted by markus on Monday, August 14, 2006


GNU/Solaris

It’s always fun to watch somebody take an axe to two or more unrelated projects and bolt selected chunks together.

NexentaOS, a.k.a. GNU/Solaris, is an example. On the heels of Sun opening up the source code of Solaris, the project took the OpenSolaris kernel and grafted the GNU user-land on top of it. Although Solaris on Intel never tickled my fancy, the Ubuntu/OpenSolaris hybrid is an intriguing combination, if for no better reason than “because it can be done”...

It’s not the first time that the GNU user-land has been ported to a kernel other than Linux, either. GNU/Mach comes to mind and I dimly recall a similar project involving one of the *BSD kernels. While it’s not a bad thing to be agnostic about the kernel and for desktop usage or most application servers any differences should be transparent, the situation is different for firewalls and VPN gateways, say. Having said that, the preceding also suggests a fun project or two - retool these appliances for NexentaOS.

Posted by markus on Wednesday, August 09, 2006


a bit of a puzzler

For once, people seem to fuss about the wrong issue…

So Microsoft tries to do something about kernel rootkits.

Criticism abounds and reasoned comment is hard to find, not that the source of the latter is particularly friendly towards Microsoft.

In a nutshell, it’s perfectly okay to flame Microsoft for not hardening their kernel in the first place. If the fix doesn’t close all the known holes, then there’s another obvious problem. Clearly, purveyors of third-party security products have a vested interest in being able to install their wares, but if they already complain about a partial fix, what would they say about a fix that left both them and the malware writers high and dry? Looks like they are between a rock and a hard place, doesn’t it?

Update: More media coverage: Windows defense handcuffs good guys

I still don’t know that the security vendors have a legitimate grievance. However, there is the problem with Microsoft entering the security market. A partial fix that appears designed to deal a major setback to competitors, while leaving the door wide open for the bad guys deserves a few raised eyebrows.

Posted by markus on Monday, August 07, 2006


Nessus 3 vs. OpenVAS

A recent announcement of a new Nessus 3 plugin (Nessus 3 Agent-less Compliance checks) reminded me of this particular open source vs. closed source can of worms.

To state the obvious, it’s up to the copyright holder to choose the license under which their product ships. It is also obvious that closing the source on a previously open-source project is certain to antagonize a subset of users and perhaps a sizeable one at that. Tenable spun their decision one way, the people that kicked off the OpenVAS fork have a different view. I haven’t kept tabs on either Tenable or OpenVAS; perhaps they’re both doing well, perhaps not.

Speaking for myself, Nessus 3 as closed source doesn’t work for me for philosophical and pragmatical reasons. It seems increasingly geared towards a clientele that is shopping for an off-the-shelf product and while I don’t know how much the open-source user community contributed back to the project, there is less incentive to contribute to a commercial project.

Posted by markus on Monday, August 07, 2006


a target-rich environment

New and not so new attack targets, a current crop reported by HNS:

RSS For Hackers?

Javascript Attacks on Steroids

Attackers pass on OS, aim for drivers and apps

Red flag raised over NAC security

Even offline computers can be hacked, researchers say

Blackjacking and RFID passport exploits star at DEF CON

Posted by markus on Monday, August 07, 2006


what took them so long

Ransomware getting harder to break

This is a worrying trend, but I’m surprised to learn that there’s any ransomware susceptible to decryption in the first place.

Posted by markus on Monday, July 31, 2006


vaporware wars

I suppose this is another relationship with Microsoft gone sour:

Symantec continues Vista bug hunt

With Microsoft entering the security product arena, small wonder that Symantec starts to treat them as the direct competitor they now are. What’s amusing about this story is that Microsoft’s strategy of announcing vaporware products way, way in advance to sow FUD about competitors is applied to them - preemptive FUD about a major selling point of the upcoming product.

Posted by markus on Tuesday, July 25, 2006


WGA abomination….

I have grown first lukewarm, then indifferent to Microsoft products over the years. Philosophically, supporting a convicted predatory monopoly that doesn’t change its ways is an untenable position to me. It so happens that I have some Windows PCs left at home, if for no other reason than that I had no choice but to buy Windows pre-installed on them. Enter stories like the following:

WGA and Activation Failures Don’t Faze Redmond

I do not trust Microsoft to accurately report the number of users running afoul of validation and activation failures. With regards to WGA, the fundamental flaw from my point of view is that a single legitimate customer locked out is already one too many. Not that Microsoft would see it that way - unless there’s a huge public backlash that threatens their cash cows, it doesn’t appear that the company cares.

For me as a home user, I’m content to migrate what I can off Windows and to make contingency plans for the remaining systems. As a business user, I’d have a cold, hard look at Linux…

Posted by markus on Monday, July 24, 2006


Linux wireless how-to

Create a secure Linux-based wireless access point

Filed for future reference.

Posted by markus on Monday, July 24, 2006


no kidding

Security Pros Wrestle With Data Overload

Having spent some time co-developing a SIM, I feel that pain. Worse, I have an urgent need to do more of the same. I’m pretty much willing to commit to writing another custom SIM to address my specific needs.

Posted by markus on Monday, July 24, 2006


OpenSSL certification woes

Security validation of OpenSSL encryption tool uncertain

I can understand the political issues (read: financial stakes) involved. What puzzles me is this (nitpick mode on):

The decision means that government agencies can’t purchase the open-source tool for the time being, although those that have already done so will still be allowed to use it.

To the best of my limited knowledge, OpenSSL is an open-source toolkit. How would government agencies go about purchasing such a tool?

Posted by markus on Monday, July 24, 2006


password math

An interesting article: Password size does matter.

The obvious math quiz: For a given L, 256**L is a larger key space than 32**L. However, in practice the comparison even with forced “complex” passwords is probably closer to (92**2)*(32**(L-2)) than 256**L or even 92**L. Simple question: On average, how much longer do simple passwords have to be to fill a larger key space than the kind of “complex” passwords people can actually remember?

Posted by markus on Monday, July 24, 2006
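
The quiz in the password math post can be worked through directly. The following is an added example, not part of the original post: it uses the post's three models (32, 92 and 256 symbols per character, and the mixed estimate of two "complex" characters plus simple ones) and exact integer arithmetic; the function names are illustrative.

```python
# Added example: how long must a "simple" (32-symbol) password be to exceed
# the key space of each model from the post? Exact integers, no float logs.

SIMPLE = 32    # "simple" alphabet size used in the post
COMPLEX = 92   # "complex" alphabet size used in the post
BYTES = 256    # full byte alphabet used in the post


def realistic_complex_space(length: int) -> int:
    """The post's estimate: two 'complex' characters, the rest simple."""
    if length < 2:
        raise ValueError("the mixed model needs at least two characters")
    return COMPLEX ** 2 * SIMPLE ** (length - 2)


def min_simple_length(target_space: int) -> int:
    """Smallest n such that SIMPLE**n is strictly larger than target_space."""
    n, space = 0, 1
    while space <= target_space:
        space *= SIMPLE
        n += 1
    return n


def compare(length: int) -> dict:
    """Simple-password length needed to beat each model at `length`."""
    return {
        "realistic": min_simple_length(realistic_complex_space(length)),
        "full_92": min_simple_length(COMPLEX ** length),
        "full_256": min_simple_length(BYTES ** length),
    }


if __name__ == "__main__":
    for L in (8, 10, 12, 16):
        print(L, compare(L))
```

Under the mixed model the extra length is constant: 92**2 = 8464 lies between 32**2 and 32**3, so one additional simple character is enough at any L, whereas matching a truly random 92-symbol or 256-symbol password takes roughly 1.3x or 1.6x the length.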


Windows application-level virtualization

Enter TrustWare, a company offering patent-pending commercial products that virtualize applications running on Windows.

It is an interesting thought and a product that will have a certain appeal to some. However, I can’t help thinking that ditching Windows is the superior choice.

Free versions are available, but they seem of limited utility since they protect a single application only.

Posted by markus on Monday, July 17, 2006


IE in a sandbox

As reported elsewhere, a new product has been released that tries to ride the wave of IE security flaws: GreenBorder Pro.

According to the overview page found on GreenBorder’s site, their product runs IE on top of a (patented) virtualization layer, which is supposed to isolate IE from the base OS and also sports a “reset to pristine state” feature. I am a bit bemused by this; it’s been years since I actively used IE - other than for the infamous Windows Update and occasionally testing if a website is rendered correctly in that browser. Simply put, I personally have no need for a commercial product to sandbox a perpetual security headache that I don’t use in the first place.

While it may be beyond the skill and comfort level of many users, I much prefer to grab a copy of the free VMware player and run the pre-built browser appliance on it. If you use virtualization at all, why not go whole hog?

By the way, I do wonder how this virtualization sits with Microsoft’s licensing department. Will they want you to get an additional retail license for Windows or will they let this narrow use slide?

Posted by markus on Tuesday, July 04, 2006