Thursday, March 15, 2007

SELinux by Example. (Book Review) SELinux by Example. Ravi writes "SELinux is a project started and actively maintained by the U.S Department of Defense to provide a Mandatory Access Controls mechanism in Linux. It had been a long standing grouse of Linux power users and system administrators over its lack of fine grained access control over various running processes as well as files in Linux. While Solaris touts its famous RBAC and Microsoft Windows has its own way of providing finer rights to its resources, Linux had to put up with the simple but crude user rights known in tech speak as discretionary access control to control user access of files. With SELinux project making great strides and now being bundled with many major Linux distributions, it is possible to effectively lock down a Linux system through judicious use of SELinux policies. SELinux implements a more flexible form of MAC called type enforcement and an optional form of multilevel security." -- Read the rest of Ravi's review. Or go directly to my Amazon Associate site and buy the book - SELinux by Example [Slashdot] 3:49:06 PM

Core Security | CoreLabs - OpenBSD's IPv6 mbufs remote kernel buffer overflow Vulnerability Description The OpenBSD kernel contains a memory corruption vulnerability in the code that handles IPv6 packets. Exploitation of this vulnerability can result in: 1) Remote execution of arbitrary code at the kernel level on the vulnerable systems (complete system compromise), or; 2) Remote denial of service attacks against vulnerable systems (system crash due to a kernel panic) The issue can be triggered by sending a specially crafted IPv6 fragmented packet. OpenBSD systems using default installations are vulnerable because the default pre-compiled kernel binary (GENERIC) has IPv6 enabled and OpenBSD's firewall does not filter inbound IPv6 packets in its default configuration. 3:42:23 PM

Remote Exploit Discovered for OpenBSD. Remote Exploit Discovered for OpenBSD. An anonymous reader writes "OpenBSD is known for its security policies, and for its boast of "only one remote exploit in over 10 years". Well, make that two, because Core Security has found a remotely exploitable buffer overflow in the OpenBSD kernel. Upgrade your firewalls as soon as possible." [Slashdot] 3:39:14 PM

New Fraudulent Adware Uses Rootkit Techniques. New Fraudulent Adware Uses Rootkit Techniques. "Under no circumstances should users download applications through pop-up ads, or shortcuts that suddenly appear on the desktop." [GT: Security and Privacy] 3:16:48 PM

Chertoff: Security and privacy not at odds. Chertoff: Security and privacy not at odds. Calling privacy groups "Luddites," DHS head Michael Chertoff defends the Real I.D. Act. He claims that the data-chipped drivers licenses, which will be linked to a numbers of databases around the country, will actually protect privacy  Editor:And down is up, black is white, and I have a bridge I'd like to sell you. [...] The head of the Department of Homeland Security on Thursday downplayed privacy concerns raised by the government's efforts to create standardized, data-chipped drivers licenses across the country. The same technology that makes information on identification cards more reliable can also protect privacy, DHS Secretary Michael Chertoff said during a speech to the Northern Virginia Technology Council. "It's my contention that properly used technology ... actually protects privacy," he said. "We should not allow folks to be captivated by the argument that every time we do something with a computer, it invades privacy." Chertoff was referring to privacy concerns surrounding the Real ID Act, a law passed by Congress in 2005 that would require states to create machine-readable ID cards containing the name of the holder, the data of birth, a digital photograph and other information. Privacy groups, including the Electronic Privacy Information Center (EPIC), have said that the DHS hasn't come up with rules on how the information on the cards should be protected. DHS has made only "vague" plans for card security and for restricting which state motor vehicle agency employees would have access to the information, EPIC says. "On security and privacy standards for the card, state motor vehicle facilities, and the personal data and documents collected in state motor vehicle databases, DHS shows little interest," EPIC says on its Web site. But Chertoff said those raising privacy concerns about the use of IT in the U.S. government's domestic security efforts create a false tension between security and privacy. "This kind of Luddite attitude ... is exactly wrong," he said. "Security and privacy are very much the same type of value. I don't think they're mutually exclusive, they're mutually reinforced." Chertoff also talked about how DHS is using IT. Technology plays a part in nearly all the agency's efforts, including machines that read fingerprints at border crossings, databases that link law enforcement investigations and scanning technologies for containers coming into the U.S. [Computerworld Privacy News] 3:12:44 PM

Spyware Legislation Could Aid Enforcement, CDT Testifies. Spyware Legislation Could Aid Enforcement, CDT Testifies. An anti-spyware measure pending in Congress contains important provisions that could strengthen enforcement against spyware scammers, but broad consumer privacy legislation is still needed to address the larger issues associated with spyware, CDT Deputy Director Ari Schwartz told a congressional panel today. Testifying before the House Energy and Commerce Committee's Subcommittee on Commerce Trade and Consumer Protection, Schwartz applauded language in the Spy Act (H.R. 964) that bolsters the Federal Trade Commission's enforcement capabilities. But Schwartz also noted that the longtime practice of addressing privacy concerns sector-by-sector, rather than as part of a broader initiative would not get to the root of the problem. [Center for Democracy and Technology] 2:45:50 PM

Interpreting the Results of a Vulnerability Assessment: How to Focus on What's Important in Your Web Application Security Testing. Interpreting the Results of a Vulnerability Assessment: How to Focus on What's Important in Your Web Application Security Testing. SPI Dynamics just completed a new article, written by Kevin Beaver and Caleb Sima, that discusses how to interpret and prioritize the results of Web application security tests. By Kevin Beaver. [Infosec Writers Latest Security Papers] 1:59:06 PM

© Copyright 2007 Paul Hardwick. Last update: 3/18/07; 5:52:05 PM.