Archive | Security

Security is not a feature; it’s a process. Notes on issues, patches and essays on security.

Asta La Vista My Computer, now it's Their Computer

In Fun with User Access Control in Vista… Argh!!!, Microsoft MVP and Developer Extraordinaire Rick Strahl bemoans:

Vista Security is tight and I can understand the need to lock down the system to some degree. But UAC is nothing short of annoying, so much so that it becomes a totally worthless feature. After using UAC for a few minutes you won't be reading any prompts and blindly prompting every link spawned. This is not security – this is making things worse by giving people a false sense of security… It's relatively straightforward to turn off UAC, but as it turns out this doesn't quite get you all the way where you might expect.

He documents a situation in which the Administrator of the machine is unable to delete a directory. Is this a feature? When a skilled and experienced operator can't find a way to work through a system to repair a problem, there's something deeply wrong. Read Rick's entire post here.

JavaScript – the new malware language

On the DDJ portal, Jon Erikson points out the latest JavaScript exploit, a fearsome beast if it's not vaporware. I run NoScript as a Firefox plug-in and only enable scripting when I need to. Travelocity does a graceful job of pointing out that they require JavaScript enabled. PG.com does a miserable job, recommending I upgrade my browser to IE4 or Netscape.

Get a clue, web developers. If the client comes to your site without JavaScript enabled, it might not be because he lacks a clue. Don't show them that you lack one.

MerriLUG, 20 July, SELinux

The Nashua Linux User Group meets this Thursday, and will feature a great presentation on SELinux. Hope to see you there!

MerriLUG announcement follows:

  • Who : Daniel J Walsh, Lead SELinux Engineer, Red Hat
  • What : SELinux for Dummies
  • Where: Martha's Exchange
  • Day : Thur 20 July
  • Time : 6:00 PM for grub, 7:30 PM for workshop

:: Overview

Dan starts with an overview of SELinux: How is it different? Who should use it? What are the benefits for home users, small businesses, and non-server installations? Is installation and maintenance comparable with regular Linux distributions?

After establishing the application scope and benefits, Dan will cover the utilities, commands, administration, and general use of SELinux. You will learn how to use it, not just turn it off!

Driving directions:
http://wiki.gnhlug.org/twiki2/bin/view/Www/PlaceMarthasExchange

PowerPoint Zero-Day Vulnerability in the Wild

Slashdot post PowerPoint ZeroDay Vulnerability Exploited. “whitehatlurker writes to mention a WashingtonPost.com article about another unpatched flaw with Microsoft Office. The bug, part of the PowerPoint software, has already been used in the wild, and may be connected to an industrial espionage case.”

1. Never EVER open an untrusted document, whether it is Word or PowerPoint or a PDF or a video.

2. There are no trusted documents.

What #2 means is that whenever a document arrives appearing to be from a friend or a co-worker, you should always confirm that it really is from them. Most of the time, you've had a conversation in advance. Social engineering works by making you think that a document is part of a normal exchange. If Bob in accounting sends a message with some nondescript “check this out” text and an attachment that appears to be a spreadsheet, it's worth taking a couple of seconds to verify it's really from him. Malware steals other people's email address books, so the mail could appear quite legitimate.

Microsoft Monthly Patch: 7 Patches, 5 Critical, Remote Code Execution – patch now!

OSNews also notes Microsoft Patches Seven Vulnerabilities. “Microsoft alerted us this time about seven vulnerabilities of which five were rated critical and two important. There are vulnerabilities in the Server service, the DHCP Client service, Excel and Office that could allow remote code execution.”

Seven patches, 5 Critical with Remote Code Execution possibilities, 2 Important, which includes Remote Code Execution within IIS. Bulletins MS06-033 through MS06-039 were issued in the 28th week of the year. It looks like this kind of velocity, more than one per week, has been steady at Microsoft for nearly three years now. I would have expected the more secure IIS6 and Windows Server 2003 to stem the flow a bit. But these products continue to be listed in the affected systems list. Hmm.

MS06-033: Vulnerability in ASP.NET Could Allow Information Disclosure (917283)

MS06-034: Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Allow Remote Code Execution (917537)

MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)

MS06-036: Vulnerability in DHCP Client Service Could Allow Remote Code Execution (914388)

MS06-037: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (917285)

MS06-038: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (917284)

MS06-039: Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (915384)

Security is not a feature, it's a process. Patch now to avoid more problems later.

New front-end tool to manage SELinux

OSNews reports SELinux Policy Editor 2.0 Released. “In the past, SELinux has been criticized for being too difficult to configure. To solve this, the SELinux policy editor was created: A GUI-oriented editor with a simplified policy description language (ala Apparmor). According to the announcement, this new version includes a much improved user interface and some improvements to the “Policy description language”.”

Very cool. Security-Enhanced Linux is the next-generation security implementation beyond UNIX users and groups, individual file permissions and general security policies of firewalling unwanted traffic and requiring logins. However, I've found it difficult to grasp at first, and surely difficult to master. A friendly front-end GUI tool to manage SELinux is welcomed.

OpenOffice.org 1.1.x and 2.0.x vulnerabilities – get patching!

InfoWorld: Application development reports OpenOffice.org warns of three vulnerabilities. “OpenOffice.org is warning users of security vulnerabilities that can crash the OpenOffice.org productivity software and give malicious hackers access to full system resources.”

“The company is urging OpenOffice.org 2.0.x users to upgrade to version 2.0.3, released last week. A patch for OpenOffice.org 1.1.x will be available soon, the company said.”

Want to steal an election? Go electronic!

Ars Technica notes New e-voting study shows it's really easy to steal an election. “If you have some basic tech skills, a few readily available tools, and some hooligan friends, then you too could steal an election. Sadly, election fraud ain't that hard in the age of electronic voting.”

Tell your local officials: paper ballots are still the only reliable system. With audits. And reviews. And security. Electronics are just too easy to hijack.

This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.