Privacy Digest
Your daily source for news that can impact people's privacy.


 Thursday, October 3, 2002
 
The SANS Institute - SANS / FBI The Twenty Most Critical Internet Security Vulnerabilities (Updated) ~ The Experts' Consensus Version 2.6 October 1, 2002

The majority of the successful attacks on operating systems come from only a few software vulnerabilities. This can be attributed to the fact that attackers are opportunistic, take the easiest and most convenient route, and exploit the best-known flaws with the most effective and widely available attack tools. They count on organizations not fixing the problems, and they often attack indiscriminately, scanning the Internet for any vulnerable systems. System compromises in the Solar Sunrise Pentagon hacking incident, for example, and the easy and rapid spread of the Code Red and NIMDA worms can be traced to exploitation of unpatched vulnerabilities.

Two years ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations used that list, and the expanded Top Twenty, which followed a year later, to prioritize their efforts so they could close the most dangerous holes first. The vulnerabilities that led to all three examples above - the Solar Sunrise Pentagon incident, and the Code Red and NIMDA worms - are on that list.

Political News from Wired News - List: Windows, Unix Still at Risk.

The FBI and SANS Institute release a new top 20 list of the most serious computer security holes, while the feds vow to do even more to help plug them.

Political News from Wired News - Fighting Net Censorship Abroad.

Washington lawmakers are considering legislation that would allocate $100 million to thwart Internet censorship by authoritarian regimes.

Rep. Chris Cox (R-Calif.) introduced a bill Wednesday that would establish an Office of Global Internet Freedom to foster development of censorship-busting technology for users in countries including China and Saudi Arabia. The bill would allocate $50 million each for 2003 and 2004.

The office would be part of the International Broadcasting Bureau, which provides engineering and administration for the Voice of America, Radio and TV Martí (Office of Cuba Broadcasting), and other electronic media aimed at viewers in authoritarian countries.

New York Times - free registration required Microsoft Reports Progress in Averting Computer Crashes.

The data from Watson has offered some surprises, he wrote. For example, Microsoft has discovered that 1 percent of the software errors cause 50 percent of the crashes users experience. The company said it had received error reports about half a million separate programs.

[ ... ]

After a program or operating system crash, users are confronted with a dialog box that gives them the option of reporting crash details.

[ ... ]

He acknowledged that despite Microsoft's assurances that it has taken pains to protect customer privacy and that only crash data is reported, some customers still have privacy concerns about the service.

Software reliability experts are also skeptical about an error-reporting system if it is not accompanied by fundamental changes in programming techniques.

Slashdot | Survey On Security Investment Trends.

whoisjoe writes "Information Security Magazine has an interesting article (although it's in PDF) on the trends and effects of security spending by organizations. Basically, organizations tend to spend less per machine as they grow, and the effectiveness of their investment tends to depend more on the share of the IT budget than the absolute amount."

Times of India on Quantum Communications. The Quantum Communications article. Unavailable at the moment (out of memory), probably due to the Slashdot effect.

Slashdot | Ultrasecure Quantum Communications Over Thin Air.

SlashDotIDOne writes "Well, given a hundred years at university and a few extra titles to my name, I'd be comfortable trying to summarize the article so don't take what I say at face value. Apparently British and German researchers have found a way to use quantum crypto through the air, thus allowing it to be used to communicate with satellites, etc. A very secure form since you know whether a message was intercepted, rather hard to tamper with ;). Courtesy India times and Google's new news service."

InfoWorld - DRM bill proposed in US House.

A bill introduced Wednesday in the U.S. House of Representatives approaches digital rights management (DRM) from consumers' standpoint by ensuring that people who buy digital media can make backup copies and play them on whatever device they like without fear of breaking copyright law, according to the bill's sponsor.

Representative Zoe Lofgren, a Democrat from California whose district includes Silicon Valley, introduced the bill, saying the legislation seeks to maintain in the digital age the same balance that existing U.S. copyright law establishes between the interest of copyright holders in controlling the use of their works and the interests of the public in the free flow of ideas, information and commerce.

"Consumers need a voice in this debate," a release issued by Lofgren's office quotes the congresswoman as saying. "Right now it is the entertainment industry versus the technology industry, and the consumers are watching from the sidelines."

[ ... ]

The bill also prohibits shrink-wrapped licenses, also known as EULAs (end-user license agreements), that limit consumer rights, and the proposal clarifies the ways in which consumers can legally sell, archive or give away copies of digital works they purchased. In addition the law gives flexibility to digital content owners to develop new and innovative ways to protect their content and enable its use without violating copyright law.

Slashdot | Your Rights Online - Lofgren's Anti-DRM Bill.

blastedtokyo writes "House representative Zoe Lofgren introduced the Digital Choice and Freedom Act. Perhaps the most interesting section is the part that invalidates 'non-negotiable shrink wrap licenses' (EULAs) that limit rights. On top of this, it states that both digital and analog media need to be subject to fair use rules for backing up. The full text of the bill is also available." --- News.com.com.com.com and Infoworld have stories as well, which both note that there is no chance of these bills being passed this year.

BusinessWeek Online via Yahoo News - Can Software Security Be Certified?

These are busy days at InfoGard Labs. The San Luis Obispo [Calif.] outfit is one of only six info-tech laboratories in the U.S. and Canada allowed to issue a government seal of approval known as FIPS compliance. FIPS stands for Federal Information Processing Standard, a rigorous set of criteria established by groups of government and private-sector experts on cryptography standards and implementations.

Starting in July, 2002, FIPS 140 level-2 standards became mandatory, replacing the more lenient FIPS 140 level-1 rules. Every company seeking to sell encryption software to the federal government or to do business with Uncle Sam involving computers and encryption has to use equipment that holds a FIPS-2 compliance rating. We're not talking just spookware. Once strictly the province of military and intelligence communities, encryption is now common in everything from e-mail and instant-messaging software to databases.

At the same time, federal laws covering privacy requirements in banking and health care have mandated that more data be encrypted. The steady rise of cyberattacks has likewise made enhanced encryption a priority for business in general. And the rise of the Internet has in many cases forced FIPS compliance on seemingly benign systems, such as automated procurement software, that talk to federal computers.

[ ... ]

Of course, FIPS certification doesn't confer total protection from hacker attacks -- something InfoGard readily concedes. In fact, some folks in the security field remain lukewarm toward the whole certification process. Bruce Schneier, a noted cryptographic expert and chief technology officer at Counterpane Internet Security in Cupertino, Calif., never considers certifications before buying a product. "Primarily, certification is a marketing tool," he says.

Cryptography Research's Kocher feels that the current system, while a good start, has a key flaw: "The problem is that the testing companies make money by certifying products, not catching problems." Some might cut corners by relying heavily on automated attack programs to test products rather than live computer engineers. Automated software is a good baseline approach, but it falls far short of cunning humans hammering away at systems.

[ ... ]

Slashdot | Questioning Security Certifications.

prostoalex writes "BusinessWeek questions the validity of security certifications in the modern world. They take a look at Federal Information Processing Standard and the certification process. Apparently 'the testing companies make money by certifying products, not catching problems' thus implying that the seal of approval might not mean a whole lot."

Slashdot | "Ask Slashdot" - Cheap SSL Certificates for Small Websites?

zaqattack911 asks: "In the workplace today it is becoming more and more common for everyday applications to be accessible over the web. Just about all the booking and tracking systems at my job are handled via web-apps these days. Along with this trend, is the increased need for secure transactions over the web. Just about all of the apps on my webserver are going to be SSL only. Some of them are for internal use only, some for the outside internet to use. Is there a cheap alternative to getting your certificates signed? Self signing my certificates works of course, but just about all browsers make a big fuss about it. Verisign asks for about 400$ initially, and 300$ to renew a certificate every year. This seems like a scam to me, and I'd love to know if anyone knows of alternatives out there? Is there a way to get around the certificate signing business? I looked at a company called RSA Security which allows a company to 'self sign' and use their accepted signature. The website doesn't mention the price, and I'm sure it's not very affordable. What else is there?"

FindLaw's Writ - Editorial Op-Ed - By U.S. Representative Howard L. Berman - The Truth About The Peer To Peer Piracy Prevention Act: Why Copyright Owner Self-help Must Be Part Of The P2P Piracy Solution

Slashdot | Your Rights Online - Howard Berman Talks About P2P Piracy Prevention Act.

An anonymous reader writes "I know Rep. Berman is not held in high regard on Slashdot, but he has posted an article on Findlaw where he discusses his self-help for P2P piracy bill. He has not convinced me that this is about preventing theft, rather than preserving old business models, but the bill does appear to have a lot of safeguards built-in." --- I'm confused about what measures Berman believes would be acceptable, after reading the many disclaimers here.

IBM developerWorks: Security : Web server security - Secure Dynamic Content.

Slashdot | Apache - Secure Dynamic Content with Apache.

KingARP writes "This article details how to secure dynamic content on an Apache Web server. Topics covered include general security issues pertaining to dynamic content, securing Server Side Includes, configuring Apache's Common Gateway Interface, and wrapping dynamic content. The article is targeted primarily at Webmasters and system administrators responsible for maintaining and securing a Web server; however, anyone with a need or desire to serve dynamic content will benefit from the topics covered."


© copyright 1997-2003 by Paul Hardwick. All rights reserved.
All trademarks are the property of their respective owners.
Modified: 11/15/02; 7:17:53 PM
Built: 3/2/03; 12:32:43 AM
URL for current page: http://www.PrivacyDigest.com/2002/10/03
