Paul Hardwick: Open Source

Dell Censors IdeaStorm Linux Dissent.

Fri, 02 Mar 2007 00:39:34 GMT

Dell Censors IdeaStorm Linux Dissent. thefickler writes "It seems pointless to seek ideas and feedback if you're going to ignore and delete the opinions you don't like. That's exactly what Dell is doing with its IdeaStorm website, which the company set up to solicit such ideas and feedback. Dell deleted a post linking to an article that criticizes its handling of the 'pre-installed Linux' issue." [Slashdot: Your Rights Online]

Administrivia: Now we have a overheated CPU ( 60 degrees centigrade )

Wed, 28 Feb 2007 00:39:01 GMT

OK, if the DDOS attack wasn't enough. Now our server went down with a temperature overload. We were up to 60 degrees centigrade when we shut down. The CPU and a broken fan have been replaced.

Administrivia: Our data-center was hit by a DDOS attack today.

Tue, 27 Feb 2007 22:19:59 GMT

Sorry for being either very slow or off the net for a while recently. The data-center we are part of was hit by a DDOS (Distributed Denial Of Service) attack recently. At the moment it looks to be under control, but we are keeping an eye on things.

Mozilla Plugs Firefox Security Holes.

Mon, 26 Feb 2007 22:33:13 GMT

Mozilla Plugs Firefox Security Holes.

Mozilla on Friday published software updates to fix a baker's dozen security and compatibility problems with its Firefox Web browser. The new version includes fixes for serious security flaws along with updates designed to make Firefox play nicer with Vista, Microsoft's new Windows operating system.

Users of supported versions 2.x and 1.5.x already should have received an alert that updates have been installed. If you haven't received one, you may be running an older, unsupported (and insecure) version of Firefox such as version 1.0.x. To check your version, click "Help" and then "About Firefox."

[Security Fix]

Mozilla Fixes Firefox Bugs.

Sun, 25 Feb 2007 03:48:10 GMT

Mozilla Fixes Firefox Bugs. An update to Firefox fixes a number of security flaws in the browser. [PC World: Latest Technology News]

Firefox Flaw Could Let Attackers Change Cookies.

Mon, 19 Feb 2007 01:21:10 GMT

Firefox Flaw Could Let Attackers Change Cookies. Attackers could change the way Web sites are displayed and how they work. [eWEEK Security]

QDN: The growing consensus behind OpenID

Fri, 16 Feb 2007 18:28:06 GMT

It's because of this that I'm so happy to see an initiative like OpenID succeeding. A few years ago, the idea of OpenID was floated by the inestimable Brad Fitzpatrick (the father of LiveJournal, now a Six Apart property) as a way for people to carry around virtual identity cards on the net, and to securely use those credentials as a way of demonstrating to others on the internet who they really are. Between then and now, OpenID's development has taken place out in the open, on mailing lists and wikis and web forums, and the result is a technology that Microsoft adopted last week and AOL has been quietly rolling out to its online service and instant messenger users for a few months now. That's a great adoption rate, and I'd like to think that it's because it's a technology that's sorely needed on today's web. I'm not naive enough to think that it's a salve to cure all the net's wounds -- for example, there's still work to be done to make sure that anonymous ID providers don't become the way spammers and miscreants get around the system -- but I'm hopefuly enough to recognize that OpenID might be one of the more important building blocks to us all being able to trust our online interactions just a bit more.

Pop-up Blocker Problem Found in Firefox.

Mon, 12 Feb 2007 02:52:32 GMT

Pop-up Blocker Problem Found in Firefox. Security analysts say a flaw in the pop-up blocker in the Firefox browser could allow an attacker to access local files. [PC World: Latest Technology News]

The Chronicle: 2/9/2007: Caught in the Network

Sat, 10 Feb 2007 22:35:45 GMT

I wasn't particularly impressed. I had helped edit and revise that policy when I worked for the information-technology office before I earned my Ph.D., and I knew that neither Tor nor any similar program had existed when the policy was first written. I also knew that the provisions in question were vague.

My visitors next produced page after page of logs detailing my apparent use of Tor. While I couldn't dispute most of the details in the logs, they seemed inaccurate. For example, the technician said I had been using Tor earlier that morning. In fact, I had been at Wal-Mart that morning looking for a good deal on an HDTV; I had reached my office only about five minutes earlier.

More important, the logs did not prove any wrongdoing on my part. All they demonstrated was that I, like thousands of others around the world, had installed and infrequently used Tor. In my case, of course, there was no wrongdoing.

Nonetheless, my visitors made two requests: that I stop using Tor, and that I avoid covering it in class.

Having been on the administrative end of academic technology, I appreciate the difficulties facing the information-technology staff. No one pats you on the back if nothing goes wrong, but if something does -- if a virus or worm sweeps through the campus's network infrastructure, or someone hijacks some computers to churn out spam -- you are off everyone's Christmas-card list. The last thing my former colleagues needed was some smarmy faculty member spouting off about academic freedom and threatening to demonstrate Tor to 100-plus students each semester.

Their job is to protect the network that allows me to do my job: to teach classes that are mostly or entirely online, and to conduct research. If they weren't here as the first or even only line of defense against the unscrupulous elements of our technological society, my university would cease to function. It's as simple as that.

Furthermore, I do not rely heavily on Tor, or even think much about it outside the context of my courses. I find all that routing makes it slow to use, even with the superfast connection I have at work.

But it is being used all around the world, by people in countries that restrict their access to information, by corporate whistle-blowers, and by digital-rights activists. It's even being used by average people like me, as a way to keep innocuous and personal online activities private.

So in the head-on collision between my appreciation of the role IT staff members play on my campus and my understanding of the role I have to play for my students, my need for academic freedom won. I found myself lecturing my three visitors into near catatonia about the uses of Tor.

Finally, they shook my hand, thanked me for talking with them, reminded me that I was probably violating the responsible-use policy, and left. They had bigger game to catch: the other Tor user on the campus.

A moment later, I heard another knock on my door. One of the detectives had come back to ask if I would reconsider my position. I told him that while I would think about giving up Tor, I honestly felt that this was a clear case of academic freedom, and I could not bow to external pressure. I reminded him that Tor is a perfectly legal, open-source program that serves a wide variety of legitimate needs around the world.

He nodded and left. Feeling an odd mixture of righteous indignation, patriotism, and dread, I closed the door.

Microsoft to Support OpenID.

Wed, 07 Feb 2007 18:51:02 GMT

Microsoft to Support OpenID.

SAN FRANCISCO: Microsoft Chairman Bill Gates today said his company would throw its support behind "OpenID," an open-source, distributed identity management system that seeks give computer users a more secure way to manage their online credentials.

"Everywhere you go on the Web there are issues about reputation and trust," Gates said in the keynote address this morning here at the RSA Security conference here. "Some blog environments want anonymous people to [be able to] say anything, and in other environments, they want you to represent some credentials about who you are. And that's just not going to scale with the kind of password thing we have today."

In a (very simplified) example, OpenID works like this: The key to your online identity is a Web address, such as http://myblog.someplace.com. You pick one of several OpenID providers -- such as Vox, OpenID, Verisign or LiveJournal (OpenID is the brainchild of LiveJournal founder Brad Fitzpatrick) -- to be the trusted host for your identity credentials. When you visit a site that has implemented OpenID, you're asked to enter your personal Web address, which you've configured to query your identity credentials stored at your chosen OpenID provider, which in turn will ask you to login using whatever credentials it requires. These couple of blogs have more coherent and complete explanations of how OpenID is supposed to work.

OpenID is most often cited as a way to help Internet users navigate the zillions of blogs and other Web 2.0 applications that require users to sign up and manage different usernames and passwords. Some advocates say it also has the potential to help users guard against phishing scams and related forms of online fraud, but others say the whole system is likely to be a boon for phishers and online scam artists everywhere.

Gates said Microsoft would support OpenID 2.0 in conjunction with CardSpace, a feature similar in nature to OpenID that is built in to Windows Vista. CardSpace seeks to make managing digital identities easier and safer by replacing usernames and passwords as the means of identifying oneself on the Web.

Microsoft's acceptance of an open standard is being cautiously praised by many technologists in the blogosphere, who see the software giant's participation as key to fixing the more complex problems with online identity management and authentication. Microsoft has tried to control the online ID space in the past with programs like MSN Passport, which largely failed to gain traction beyond Microsoft's own online properties. Single sign-on programs also have been touted by Yahoo! and Google.

Bruce Schneier, a cryptography expert and chief technology officer for online security provider BT Counterpane, greeted Microsoft's announcement with reservation, saying Microsoft has a long history of "supporting and then co-opting" open standards.

"They tried to get their own system working, and I think it's telling that they are now supporting an open system," said Schneier, who's giving a talk at RSA later today on what he calls "the psychology of security."

"In some ways it's worrisome, but I'm reasonably confident in the Web 2.0 world that the distributed control of OpenID is strong enough, that it's not Microsoft-driven," he said.

[Security Fix]

DRM, Vista and your rights ( polishlinux.org )

Mon, 29 Jan 2007 02:33:14 GMT

In the US, France and a few other countries it is already forbidden to play legally purchased music or videos using GNU/Linux media players. Sounds like sci-fi? Unfortunately not. And it won't end up on multimedia only. Welcome to the the new era of DRM!

In this article I would like to explain the problem of Digital Rights (or restrictions) Management, especially in the version promoted by Microsoft with the new Windows Vista release. Not everyone is familiar with the dangers of the new "standard" for the whole computer industry. Yes, the whole industry -- because it goes way beyond the software produced by the giant from Redmond and its affiliates.

IBM to open source information security software - Network World

Sat, 27 Jan 2007 22:18:19 GMT

The XML-based software technology, called Identity Mixer, employs a novel method of using X.509-based digital certificates to mask selected sensitive information transmitted in a document but still lets that shielded content be seen by authorized viewers. The goal is to make Identity Mixer available as open source software through the Eclipse Open Source Foundation to encourage widespread deployment, said Anthony Nadalin, IBM distinguished engineer and chief security architect at Tivoli.

"The Identity Mixer code is in the intellectual-property review phase and within a few weeks it should be available through Eclipse," said Nadalin.

The Identity Mixer software was developed to further "user-centric identity management" -- a way that computer users can manage and control personal information--under the aegis of Project Higgins, which was initiated a year ago by IBM, Harvard and Novell.

For the end user, Identity Mixer would work as a Web browser plug-in, "to control the amount of data flowing to your related party," said Nadalin. The technical process works through public-key cryptographic mechanisms. The Identity Mixer browser plug-in generates tokens called iCards that represent the data that can be read by a user with the appropriate cryptographic software on the receiving end.

When the Identity Mixer software is made available through the Eclipse Open Source Foundation, it is expected to include a full X.509-based tool kit, including certificate issuance server, validation server and more, that would allow for experimentation with the data-masking technology.

IBM to Open Source Novel Identity Protection Software.

Sat, 27 Jan 2007 22:16:22 GMT

IBM to Open Source Novel Identity Protection Software. coondoggie handed us a link to a Network World article reporting that IBM plans to open source the project 'Identity Mixer'. Developed by a Zurich-based research lab for the company, Identity Mixer is a novel approach to protecting user identities online. The project, which is a piece of XML-based software, uses a type of digital certificate to control who has access to identity information in a web browser. IBM is enthusiastic about widespread adoption of this technology, and so plans to open source the project through the Eclipse Open Source Foundation. The company hopes this tactic will see the software's use in commercial, medical, and governmental settings. [Slashdot: Your Rights Online]

Patch Issued for Critical OpenOffice.org Flaw.

Thu, 04 Jan 2007 17:58:50 GMT

Patch Issued for Critical OpenOffice.org Flaw. WMF vulnerability in free productivity suite could allow hackers to run malicious code. [PC World: Latest Technology News]

Computers, Freedom and Privacy - Montreal, May 1-4 2007

Fri, 29 Dec 2006 00:41:06 GMT

Come to CFP2007 in Montreal, May 1-4 2007. There's a lot at stake.

Computers, Freedom and Privacy 2007 - Call For Proposals

Fri, 29 Dec 2006 00:37:58 GMT

Call For Proposals - The deadline for proposals is January 20, 2006

The Program Committee of the Seventeenth Conference on Computers, Freedom, and Privacy (CFP2007) seeks your proposals for innovative conference sessions and speakers.

Behind the Magic of Anti-Censorship Software.

Thu, 21 Dec 2006 16:07:27 GMT

Behind the Magic of Anti-Censorship Software. Regular Slashdot contributor Bennett Haselton writes in to say "The December 1st release of Psiphon has sparked renewed interest in the various software programs that can help circumvent Internet censorship in China, Iran, and other censored countries. (Some of this interest undoubtedly being motivated by the fact that many of these programs also work for getting around blocking software at work or school.) Have you ever wanted to understand the science behind these programs, the way that mathematicians and codebreakers understand the magic behind PGP? If you loved the mental workout of reading "Applied Cryptography", have you ever wanted a tutorial to do the same for Psiphon and Tor and other anti-censorship programs?" The rest of his editorial follows. [Slashdot: Your Rights Online]

New Firefox Version Fixes 8 Security Holes.

Thu, 21 Dec 2006 15:51:42 GMT

New Firefox Version Fixes 8 Security Holes.

Mozilla on Tuesday released updates to fix at least eight security vulnerabilities in its Firefox Web browser and related software. Five of the eight flaws received a "critical" label, meaning that an attacker could exploit them to break into machines running vulnerable versions of the software.

Patches are available for both the 1.5.x and 2.x versions of Firefox, each of which should automatically alert you when the updates are ready for installation. Users also can install updates by clicking on "Help" then "Check for Updates." Some of the same updates also are available Mozilla's Thunderbird e-mail client, and its Seamonkey Internet suite.

Mozilla did not address one particular flaw that has received quite a bit of press over the past month: A bug in Firefox's password manager that could be exploited to gain access to a victim's stored user names and passwords.

Dan Veditz, a member of Mozilla's security team, said the team members thought they had a fix for the password manager flaw ready a week ago Friday, but later learned that it really didn't solve the problem. He said Mozilla currently plans to ship a fix for the problem in January.

"It made the password manager pretty unusable," Veditz said. "It required a format change to the password manager file to store additional information, and doing that ran the risk of losing peoples' passwords, so we were very uncomfortable rushing it in and decided to hold off a bit."

One final note: If you're using a version of Firefox prior to 1.5 (see "Help," "About Firefox" to view the version number), then it's time to install Firefox 2.0. Mozilla long ago stopped supporting or shipping patches for any Firefox versions that begin with 1.0.

[Security Fix]

DNS Security and Threat Mitigation: An Overview of Domain Name System Threats and Strategies for Securing a BIND Name Server.

Fri, 01 Dec 2006 20:42:40 GMT

DNS Security and Threat Mitigation: An Overview of Domain Name System Threats and Strategies for Securing a BIND Name Server. This document, written by Jeff Drake, will first present an overview of the DNS architecture and name resolution process as well as describe common threats to DNS. when we will outline some of the defensive configurations that can be implemented in BIND to help protect against some of these common threats. By Jeff S. Drake. [Infosec Writers Latest Security Papers]

Information Security - Tools of the Trade.

Fri, 01 Dec 2006 20:40:13 GMT

Information Security - Tools of the Trade. Sajeev Nail submits this paper that lists tools and their various purposes to security professionals. By Sajeev Nair. [Infosec Writers Latest Security Papers]

Web browsing behind closed doors.

Wed, 29 Nov 2006 20:13:23 GMT

Web browsing behind closed doors.

Psiphon bypasses government censors

Canadian developers will next month release a tool to bypass government-enforced restrictions on web browsing in countries like China, Syria and Iran.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]

(IN)SECURE Magazine Issue 8.

Mon, 27 Nov 2006 18:39:26 GMT

(IN)SECURE Magazine Issue 8. Articles in this issue include: Payment Card Industry demystified, Skype: how safe is it?, Computer forensics vs. electronic evidence, Review: Acunetix Web Vulnerability Scanner, SSH port forwarding - security from two perspectives, part two, Log management in PCI compliance, Airscanner vulnerability summary: Windows Mobile security software fails the test, Proactive protection: a panacea for viruses?, Introducing the MySQL Sandbox and Continuous protection of enterprise data: a comprehensive approach [(IN)SECURE Magazine Notifications RSS]

EFF: DeepLinks - miniLinks for 2006-11-15

Mon, 27 Nov 2006 18:09:26 GMT

Universal CEO: Pirates Are to Pirate Ships, as Fans Are to iPods
"These devices are just repositories for stolen music, and they all know it," Doug Morris says.
RIAA Explodes at Claim That It's Unfriendly to Fair Use
Cary Sherman claims consumer electronics industry is "extremist."
Europe-based Legal Advice for Free Software Developers
New "Freedom Task Force" will be based in Zurich, Switzerland, advising and enforcing the GPL.
Crimson Tide of Litigation
University of Alabama asks court to forbid artist from using "famous crimson and white color scheme."
GNU's Not Anti-trust
Full judicial opinion and commentary on Daniel Wallace's attempt to have the GPL declared anti-competitive.
Does Opt-Out Copyright Violate First Amendment?
Larry Lessig's Kahle v. Gonzales is heard by the Ninth Circuit.
ITU Makes Bid to Control "Security in Cyberspace"
The new secretary general of the UN's ITU Telecoms Development Bureau, Hamadoun Toure, wants to take the lead in governing security issues online.
Who's Censoring Whom?
State Net censorship monitors the OpenNet Initiative talks to Wired News.

Slashdot | Firefox 2.0 Password Manager Bug Exposes Passwords

Wed, 22 Nov 2006 06:30:33 GMT

zbuffered writes, "Today, Mozilla made public bug #360493, which exposes Firefox's Password Manager on many public sites. The flaw derives from Firefox's willingness to supply the username and password stored on one page on a domain to another page on a domain. For example, username/password input tags on a Myspace user's site will be unhelpfully propagated with the visitor's Myspace.com credentials. It was first discovered in the wild by Netcraft on Oct. 27. As this proof-of-concept illustrates, because the username/password fields need not be visible on the page, your password can be stolen in an almost completely transparent fashion. Stopgap solutions include avoiding using Password Manager and the Master Password Timeout Firefox extension, which will at least cause a prompt before the fields are filled. However, in the original case detailed in the bug report, the phish mimicked the login.myspace.com site almost perfectly, causing many users to believe they needed to log in. A description of this new type of attack, dubbed the Reverse Cross-Site Request (RCSR) vulnerability, is available from the bug's original author."

Microsoft makes claim on Linux code.

Wed, 22 Nov 2006 04:29:56 GMT

Microsoft makes claim on Linux code.

And sets alarm bells ringing in open source community

Microsoft CEO Steve Ballmer has said that every user of the open source Linux system could owe his company money for using its intellectual property. The statement will confirm the worst fears of the open source community.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]

Breach Security Releases First Appliance With ModSecurity v2.0 Open Source Web Application Firewall

Wed, 15 Nov 2006 06:19:57 GMT

Breach Security, Inc. the leader in web application security, today announced the release of the ModSecurity version 2.0 open source web application firewall on an appliance delivering the lowest cost commercial web application firewall available. The ModSecurity Pro(TM) M1000 appliance is easy to deploy and manage with rules sets for compliance with Payment Card Initiative v1.1, as well as protection for Microsoft(TM) Outlook Web Access (OWA).

"We have listened to the community and taken the ModSecurity open source project to an entirely new level -- with an appliance that delivers web application security immediately. It is ideal for small-to-medium businesses or large organizations needing just-in-time virtual patching," said Ivan Ristic, chief evangelist, Breach Security. "The M1000 is easy to install and provides an affordable, essential layer of proven security, along with the PCI rule set that addresses important security vulnerabilities."

A Little Patch Housekeeping.

Wed, 15 Nov 2006 01:17:06 GMT

A Little Patch Housekeeping.

Security Fix has been a tad sparse on patch updates lately because I've been taking some use-it-or-lose-it vacation time. The time off served as a good reminder of how quickly the programs on your machine can get outdated even in just a few weeks time.

Last Tuesday, Mozilla released security updates for its Firefox Web browser and Thunderbird e-mail software. The Firefox updates fixed at least three separate "critical" security bugs in the browser, but people using the new 2.0 version of Firefox do not have to worry. Normally, Firefox will alert you when there are updates available; for some reason, my copy of Firefox 1.5.0.7 didn't, but I was able to download the 1.5.0.8 update by clicking on "Help" and then "Check for Updates."

Speaking of browser updates, I'm way late on blogging about an important update for Opera users. In mid-October, the company shipped a patch to fix what appears to be a very serious and easy-to-exploit flaw in the browser that bad guys could use to install software just by getting an Opera user to click on a really long hyperlink. The vulnerability is present in versions 9.0 and 9.01 on Windows and Linux (version 8.x is reportedly not affected). Opera 9.0 users should make sure they're using the latest version, v. 9.0.2.

There is also a new version of AOL's Nullsoft Winamp media player available that fixes what appear to be a pair of pretty serious security holes. The current, patched version is Winamp 5.31.

Finally, my personal favorite software application to write about -- Java. -- also received more updates recently. The current version of the J2SE Runtime Environment (something most people probably don't even know is on their machine) is JRE 5.0 Update 9. There do not appear to be any security fixes in Update 9 that weren't also included in Update 8, but for some reason I never covered Update 8 when it was released so I'm mentioning it here. If you are running Update 8 already, I see no reason to go through the whole process again unless you're having problems with the program. Remember, it's important to uninstall any previous versions of Java that remain on your machine after updating.

[Security Fix]

Report: Firefox 2.0 Trumps IE7 In Phish-Fighting.

Wed, 15 Nov 2006 01:15:21 GMT

Report: Firefox 2.0 Trumps IE7 In Phish-Fighting.

Update, 3:24 PM ET: The text below was changed to clarify Mozilla's role as author of the report and the role of third-party testing and verification companies. Also, the data about this report that I promised earlier can be found at this link.

Original Post from Earlier Today:

The newly released Mozilla Firefox 2.0 and Microsoft Internet Explorer 7 Web browsers both include new technology to help flag and block phishing sites -- those authentic-looking Web sites set up by scammers to trick users into entering personal financial information.

So how do the browsers stack up against one another in a no-holds-barred, anti-phishing slugfest? One third-party test that pitted the browsers against two week's worth of phishing sites concluded that Firefox's phish net may have fewer holes than IE's.

The evidence comes in a report released today by Mozilla which shows the results of testing each browser against the same phishing sites flagged by contributors to Phishtank, an anti-phishing network run by OpenDNS. Mozilla is the author of the report, but they hired software testing firm SmartWare to conduct the testing, and they commissioned iSEC Partners to validate the test methodology and findings.

Firefox blocked 243 phishing sites that IE7 overlooked, while IE7 blocked 117 sites that Firefox did not.

Before I go any further with the numbers, I think it's important to offer a little background on how the phish-filtering technology is set up within both browsers. With IE7, the user is asked upon installation whether he wants to allow the browser to auto-check all Web sites against a Microsoft database. (More about how this technology works in IE7 is online here, and the obvious privacy issues are discussed here.)

Firefox's default setting, in contrast, uses a blacklist of known phishing sites that is stored on the user's computer and updated approximately every 30 minutes. Alternatively, Firefox users can opt to turn auto-detect on, in which case the browser will check Web sites the user visits by checking them against a database maintained by Google. (More about the service is online here.)

Back to the numbers: The testers found that with IE7's auto-check turned off, the browser blocked less than two percent of all phishing sites thrown at it. With the phone-home option turned on, IE blocked 66 percent of the scam sites.

In its default configuration, Firefox 2.0 blocked close to 79 percent of all phishing sites during the test period; with the "Ask Google" option enabled, Mozilla's browser blocked nearly 82 percent of all scam pages.

While I applaud Microsoft and Mozilla for their first efforts, the reality is that -- depending on which browser (and setting) you use -- anywhere from 20 to 40 percent of the phishing scams are going to sneak past undetected. I'm not saying this is an easy problem to solve: It certainly isn't. But I'm left wondering whether a stronger "whitelist" approach that involves identifying legitimate banking sites might prove to be a more effective strategy, or at least a highly complementary one.

As Security Fix noted last week, Mozilla, Microsoft and other browser makers are teaming up with Web site certificate authorities to try to make it more obvious when a user is truly at a verified banking site as opposed to a convincing fake. It may turn out that phishers will come up with a clever way to spoof these "supercerts" as well. But it seems to me that combined with an oft-updated blacklist, the whitelist approach has the greatest potential to bring the number of phishing scams that go undetected by either browser well down into the single digits.

Avivah Litan, an online fraud analyst with Gartner Inc., agreed. "With crooks moving these phishing sites from place to place within minutes, it's really hard to keep a blacklist up-to-date," Litan said "The future of [browser-based anti-phishing technology] is whitelisting, backed up with heuristics" that allow the browser to detect unidentified phishing links as suspicious.

For its part, Microsoft pointed to a report the company commissioned earlier this year that gave Microsoft's anti-phishing measures top marks compared with other browsers and technologies. The report highlights the fact that IE7 didn't raise any alarm bells about legitimate sites, a problem known in the business as a "false positive." It's not hard to see why that factor alone would be a paramount concern for Microsoft: A legitimate company whose site was errantly blocked by IE7 most likely would file a lawsuit against Microsoft in a heartbeat.

The SmartWare study doesn't appear to have addressed the problem of false-positives to any meaningful degree. Still, what I especially like about the Phishtank-based study is that it is premised on open-source information that everyone has the same access to. In contrast, the founders of 3Sharp, the company that authored the Microsoft study, clearly state on their site that their goal in creating 3Sharp was "to use the robustness, flexibility, and sheer native capabilities of the Microsoft communication and collaboration technologies to enhance the business of our customers."

Incidentally, any serious Mozilla-using phish fighters out there who want an easier way to submit "phishy" sites to Phishtank should check out this Firefox add-on.

[Security Fix]

Wi-Fi Exploits Coming to Metasploit

Fri, 27 Oct 2006 11:11:36 GMT

The Metasploit Project plans to add 802.11 (Wi-Fi) exploits to a new version of its point-and-click attack tool, a move that simplifies the way wireless drivers and devices are exploited.

The controversial open-source project, created and maintained by HD Moore, of Austin, Texas, has added a new exploit class that allows modules to send raw 802.11 frames at one of the most vulnerable parts of the operating system.

In recent months, there has been an increase in public awareness around the severity of wireless driver flaws. At the August 2006 Black Hat Briefings in Las Vegas, researchers David Maynor and Jon "Johnny Cache" Ellch showed off a new technique for breaking into computers via Wi-Fi driver vulnerabilities on Windows and Mac systems.

Slashdot | Wi-Fi Exploits Coming to Metasploit

Fri, 27 Oct 2006 11:09:29 GMT

bucksDrop writes "Eweek.com is reporting that the Metasploit Project will add 802.11 (Wi-Fi) exploits to a new version of its point-and-click attack tool. Metasploit 3 will integrate kernel-mode payloads to allow users to use existing user-mode payloads for both kernel and non-kernel exploits. Metasploit is collaborating with Jon 'Johnny Cache' Ellch and implementing it by wrapping the LORCON library."

Platinax Small Business News - Firefox 2 releases privacy storm

Fri, 27 Oct 2006 01:45:19 GMT

The most-awaited Firefox 2.0 was launched by the Mozilla Foundation yesterday - and immediately generated a storm of protests over privacy issues.

Key to privacy concerns is that Mozilla have set up their long-awaited phishing protection feature on Firefox 2.0 - but to use it properly, you have to send Google a record of every single website you visit.

A cookie will record all your behaviour data when using Firefox and provide the information free to Google, who can then use that information for their own commercial purposes.

Although, the feature does require an explicit opt-in, it's an unwelcome trade-off for many Firefox users, who believe that there is no reason to tie-in phishing protection with providing free data to a billion-dollar multinational.

The concerns may be damaging to the Mozilla Foundation - who have long had a close relationship with Google - and who became a "for-profit" business last year.

The provision of free tools and services simply for the purposes of collecting user data has become a habit with Google in recent years, and especially raised privacy concerns - not simply on the data collection, or how it may be used - but also how it may be collected by government agencies.

However, the overall situation is that Google are probably not actually doing anything in terms of data collection and retention than many other major Internet Service Providers are already doing.

Microsoft, Yahoo!, AOL, Amazon, and telecoms companies already store and retain vast amounts of private and often personally identifiable data, via their own service provisions, which are then used for commercial purposes.

The simple truth is that online privacy is already a mess, and that internet users are simply are often not allowed to determine how their personal data may be collected, used, or processed.

[via Privacy.org]

Mozilla Releases Firefox 2.0.

Wed, 25 Oct 2006 21:43:58 GMT

Mozilla Releases Firefox 2.0.

Mozilla this week unveiled Firefox 2.0, the next generation of its Web browser that includes security enhancements and quite a few new features that make Web browsing a bit more fun and a lot more intuitive

[Security Fix]

How Do You Secure 100 Million Laptops?

Fri, 13 Oct 2006 02:39:33 GMT

If the plan is perfectly executed, Nicholas Negroponte's One Laptop Per Child project will deploy 100 million laptops in the first year. In one fell swoop, the nonprofit organization will create the largest computing monoculture in history.

Wary of the security risks associated with a computing monoculture--millions of machines with hardware and software of identical design--OLPC foundation officials are seeking help from the world's best hackers to review the full specifications of the $100 laptop's security model.

"This is an enormous challenge for us," said Ivan KrstiÄ[omega], director of the security and information platform efforts for the OLPC project in Cambridge, Mass. "Security for these machines is hands down the hardest thing I've ever worked on."

Slashdot | Security and the $100 Laptop

Fri, 13 Oct 2006 02:37:35 GMT

gondaba writes "The One Laptop Per Child project is actively recruiting hackers to help crack the security model of the $100 laptop to avoid the obvious risks associated with what will effectively be the largest computing monoculture in history. From the article: 'The key design goal, Krstic explained, is to avoid irreversible damage to the machines. The laptops will force applications to run in a "walled garden" that isolates files from certain sensitive locations like the kernel. "If we discover vulnerabilities, the security model must hold up enough that even a machine that is unpatched won't be easily exploitable. This gives us a bit of diversity to avoid the monoculture trap," he added.'"

Understanding Sql Injection.

Fri, 29 Sep 2006 00:43:48 GMT

Understanding Sql Injection. Hardik Shah discusses SQL injection, how it works, why it works, and how to protect against it. By Hardik Shah. [Infosec Writers Latest Security Papers]

Free anonymous browsing.

Thu, 21 Sep 2006 17:43:01 GMT

Free anonymous browsing.

Surf's up for privacy

A modified version of Mozilla Firefox that lets users browse the web anonymously has been released.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]

Tweaked Firefox Lets You Surf Internet Without a Trace.

Thu, 21 Sep 2006 17:39:19 GMT

Tweaked Firefox Lets You Surf Internet Without a Trace. Torpark browser makes Web surfing more anonymous [PC World: Latest Technology News]

New Firefox Version Fixes 7 Security Holes.

Tue, 19 Sep 2006 04:40:45 GMT

New Firefox Version Fixes 7 Security Holes.

Mozilla this week pushed out a new version of its Firefox Web browser to mend at least seven security holes in the program, including at least four flaws that attackers could use to install software on vulnerable computers.

Firefox version 1.5.0.7 patches several serious security vulnerabilities, including a potential threat to the security of the browser's automatic update functionality, as well as one demonstrated last month that could allow bad guys to fool the browser into accepting perfectly forged digital certificates of the sort typically used to verify the authenticity of a secure Web site or digitally signed e-mail.

If you are using any version of Firefox 1.5, the browser should download and install the update automatically, and alert you that a restart of the browser is needed. If you are using an older version of Firefox, it's time to uninstall the old version (might want to back up that profile first) and upgrade to the latest version.

[Security Fix]

Mozilla Fixes Critical Firefox Flaws.

Sat, 16 Sep 2006 04:26:16 GMT

Mozilla Fixes Critical Firefox Flaws. Updated browser that patches the problems is now available for download. [PC World: Latest Technology News]

German police seize TOR servers.

Thu, 14 Sep 2006 19:02:20 GMT

German police seize TOR servers.

Anonymising service flushed out

Prosecutors in Germany have seized 10 servers which hosted the anonymising service TOR.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]

Slashdot | New Web Browser Leaves No Footprints

Thu, 31 Aug 2006 19:27:59 GMT

eastbayted writes "InfoWorld reports a new web browser designed to protect users privacy is available for download. Called Browzar, it 'automatically deletes Internet caches, histories, cookies and auto-complete forms.' It also boasts a search engine, which the company will use to generate income. The 264KB application is the brainchild of Ajaz Ahmen, known for creating the U.K.'s first ISP Freeserve. The forthcoming version is for Windows only, but Mac and Linux versions will be available eventually."

TrackMeNot Firefox Extension Obfuscates Your Search History.

Wed, 23 Aug 2006 16:30:09 GMT

TrackMeNot Firefox Extension Obfuscates Your Search History.

As concerns about the privacy of one[base ']s search engine history steadily increase, various solutions have been offered to help avoid the wholesale surveillance and aggregation of one[base ']s search queries. While most solutions rely on attempts to cloak one[base ']s IP address, a new solution instead relies on obfuscation: TrackMeNot.

Developed by Daniel Howe and Helen Nissenbaum, TrackMeNot (TMN) is a Firefox extension (download here) that protects against search data profiling by issuing randomized queries to popular search-engines with fake data:

TrackMeNot runs in Firefox as a low-priority background process that periodically issues randomized search-queries to popular search engines, e.g., AOL, Yahoo!, Google, and MSN. It hides users[base '] actual search trails in a cloud of indistinguishable [OE]ghost[base '] queries, making it difficult, if not impossible, to aggregate such data into accurate or identifying user profiles.

The extension[base ']s log reveals some of the [OE]ghost[base '] queries sent to the search engines:

[QUERY] engine=google | query=[base ']followups heartbeat[base '] | 200 | Mon, 21 Aug 2006 19:46:20 GMT
[...]
[QUERY] engine=yahoo | query=[base ']trapping paywares[base '] | 200 | Mon, 21 Aug 2006 19:48:04 GMT

A comment at BoingBoing notes that the size of the dictionary used by TMN is limited, and the two-word structure of the ghost queries (coupled with the fact that no clicked results are ever recorded) might make it easy for the techies at Google to filter the noise TMN is meant to introduce. Good points. In fact, the developers of TMN have been concerned with the limitations of the word list throughout the development of this tool (I know them both; in fact, Helen Nissenbaum is the chair of my dissertation committee). While the current word list allows for over 3 million different combinations, I[base ']ve been told by the developers that [base "]future versions will include a much larger (server-side) database of terms, dynamically queried by TMN during its operation.[per thou] That[base ']s a good step towards making this important tool even more powerful.

(BTW, I was hoping Daniel Howe could demo TMN and present the underlying philosophy behind creating such a tool at the [base "]Identity and Identification in a Networked World[per thou] symposium I[base ']m co-organizing at NYU this fall. Unfortunately, other commitments will prevent Daniel[base ']s attendance, but Helen Nissenbaum will be on hand to demo and discuss the tool in his absence.)

[michaelzimmer.org]

Cleversafe Open Source Community

Tue, 22 Aug 2006 17:15:14 GMT

cleversafe.org is an open source community creating software for dispersed data storage

A Move to Secure Data by Scattering the Pieces - New York Times

Tue, 22 Aug 2006 17:11:27 GMT

So what began as a home improvement project culminated in a system called Cleversafe, with potential applications far beyond Mr. Gladwin's memorabilia. For companies and government agencies trying to secure networked data, it offers a simple way to store digital documents and other files in slices that can be reassembled only by the computers that originally created the files.

The idea of distributed data storage is not new. But Cleversafe is significant because it is an open-source project -- that is, the technology will be freely licensed, enabling others to adopt the design to build commercial products. That approach may contribute to Cleversafe's potential to lower the cost of reliably storing data on the Internet.

"If we distributed data around the world this way, it would be a pretty resilient way to store data," said David Patterson, a computer scientist at the University of California, Berkeley, who is a pioneer in designing distributed data storage techniques.

Mr. Gladwin contends that Cleversafe can store data at a lower cost and make it more secure than current Internet services. The group is counting on a continuing explosion of consumer digital data of all types, including new generations of high-definition still and video cameras that will create demand for secure and private backup capabilities.

Allowing Linux to Authenticate to a Windows 2003 AD Domain.

Mon, 21 Aug 2006 17:49:44 GMT

Allowing Linux to Authenticate to a Windows 2003 AD Domain. This paper, written by Tom Munn, will explore using one of several different ways that you can integrate your LINUX boxes to your windows AD forest. By Tom Munn. [Infosec Writers Latest Security Papers]

Researchers: OpenOffice.org Security 'Insufficient'.

Sun, 13 Aug 2006 20:44:10 GMT

Researchers: OpenOffice.org Security 'Insufficient'. French researchers say it may be more susceptible to viruses than Microsoft Office. [PC World: Latest Technology News]

Slashdot | Major Security Hole Found In Rails

Thu, 10 Aug 2006 18:03:52 GMT

mudimba writes "A major security hole has been found in Ruby on Rails. Upgrading to version 1.1.5 is extremely urgent, and all previous versions except those "on a very recent edge" are affected. Details on the exact nature of the flaw will be coming soon, but the rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be-assailants are armed." Update: 08/10 13:56 GMT by J : Now they're saying only the last six months of releases are affected: 1.1.0 through 1.1.4.

Mozilla VP Talks the State of Firefox.

Tue, 08 Aug 2006 17:39:26 GMT

Mozilla VP Talks the State of Firefox. isah writes "As Firefox downloads pass the 200 million mark, people are talking about how its security features stack up against IE7 and protect against malware. Mozilla VP Mike Schroepfer told NewsForge's Joe 'Zonker' Brockmeier that security will continue to be an issue 'for anything written in native code' but Mozilla intends to meet the challenge by including JavaScript 1.7 with the browser's 2.0 release. Schroepfer also talked about the timeline of future releases and offered just enough information to wet our whistles for 3.0."[Slashdot]

An Open Source Security Triple Play.

Tue, 08 Aug 2006 17:12:10 GMT

An Open Source Security Triple Play. Marcus Maciel writes to tell that Linux.com's Joe Barr recently took a look at OSSEC-HIDS, an open source host intrusion detection system. From the article: "According the OOSEC-HIDS Web site, it's more than a host intrusion detection system (IDS). It's also a security event manager and a security information manager, which makes it the security equivalent of a hat trick in hockey, a triple-play in baseball, or a rare triple-double in basketball. OSSEC-HIDS runs on both Windows and Linux/Unix. You can download the latest version along with the project's PGP public key, so you can verify the download."--- Linux.com and Slashdot are both owned by OSTG.[Slashdot]

Password-Stealing Trojan Disguised as Firefox Extension.

Fri, 28 Jul 2006 16:22:15 GMT

Password-Stealing Trojan Disguised as Firefox Extension.

A spam e-mail making its rounds with a file attachment disguised as an "extension" or add-on for the Mozilla Firefox browser is actually a Trojan horse program, which allows attackers to install programs that intercept Web traffic from a victim's computer and monitor what he or she types, such as passwords and other login information.

According to analysis from McAfee AVERT, the spoofed message is designed to look like it came from the Wal-Mart billing support department. It includes an order number in the body of the e-mail and the same order number as the name of the attachment. If a Windows user clicks on the attachment, it will lead to the installation of a malicious program that steals passwords and monitors the victim's network activity (unless he or she has taken our advice to avoid using their computer under the all-powerful "administrator" account.)

Once installed, this malware is disguised as the Numberlinks 0.9 extension for Firefox, taking its name from a legitimate add-on designed to make it easier for Firefox users browse the Web without a mouse. Firefox extensions normally prompt the user to install them, but this one silently patches the user's browser without giving any notice. The next time the victim restarts the browser, the spying program -- which McAfee has dubbed "FormSpy" -- will start up automatically.

[Security Fix]

Mozilla Issues Security Updates for Firefox.

Fri, 28 Jul 2006 16:12:28 GMT

Mozilla Issues Security Updates for Firefox.

Mozilla has pushed out a new version of Firefox that cleans up a dozen security flaws, more than half of which could be used by malicious Web sites or attackers to hijack the browser or the user's computer.

The new version, 1.5.0.5, also includes some stability updates. If you are using any version of Firefox 1.5, you may have already seen a pop-up notification when you launched the browser that a new version of the browser has been installed. If not, you can check for updates by selecting "Help" and then "Check for Updates." Windows users can download the standalone installer from here, while Mac and Linux users can get the installer here.

If you are still using an older version of Firefox in the 1.0.x family, you will not receive automatic updates, nor will you be able to apply these updates. It's a good idea to ditch the older version altogether by uninstalling it before you upgrade. This shouldn't affect your browser bookmarks, settings, etc., but it might not be a bad idea to locate and back up your profile first.

[Security Fix]

Forrester Research Q2 2006 Web Application Firewall Evaluation.

Wed, 26 Jul 2006 17:38:10 GMT

Forrester Research Q2 2006 Web Application Firewall Evaluation.

Back in March 2006 I was approached by Forrester Research and invited to participate in their Q2 web application firewall evaluation, along with six other WAF vendors. I was delighted with their invitation and gladly accepted. It is not often that an open source product is invited to play with the commercial guys. It turned out the participation required a lot of work on my part. I had to systematically cover and describe the entire feature set of ModSecurity, and that's not something I do often (at least not with that level of detail). It was, however, a very productive exercise because I had to make a step back and look at a bigger picture.

The results were published a couple of weeks ago and I think we did rather well. We were praised for our positive aspects (e.g. everything is configurable) and criticised for our weaknesses (e.g. lack of a management GUI). Unfortunately the entire report is not available online - you would have to buy the report if you want to read it. Revealing excerpts are available for the main report and for ModSecurity.

Two quotes from the ModSecurity scorecard summary are of particular interest:

"...ModSecurity is by far the most extensively deployed Web application firewall, with more than 10,000 customers."

and:

"ModSecurity's stringent implementation standards [~] build nothing unless you approach the highest level of security [~] will push the entire Web application firewall market toward higher-quality products."

[Source: Forrester Wave^TM: Web Application Firewalls, Q2 June 2006", Forrester Research, Inc., June 2006.]

P.S. Forrester are also making available a PowerPoint presentation that gives a quick overview of the reviewed products.

[Web Security Blog]

Trojan Cloaks Itself as Firefox Extension.

Wed, 26 Jul 2006 16:22:52 GMT

Trojan Cloaks Itself as Firefox Extension. Malicious software can steal credit card numbers and passwords from PCs. [PC World: Latest Technology News]

The Fourth of July, 2006 is Privacy Digest's 7th Anniversary

Mon, 03 Jul 2006 17:14:11 GMT

Tomorrow, The Fourth of July 2006, Privacy Digest will have been publishing as this domain for seven years. We were actually around a bit longer as part of another blog. But on July 4, 1999, I decided that the issue was important enough to warrant it's own dedicated domain.

If you would like to help out my Amazon wishlist has a few things I need. More ideas on ways to support us can be found here.

ModSecurity 2: Explicit Normalisation Options.

Wed, 28 Jun 2006 14:44:23 GMT

ModSecurity 2: Explicit Normalisation Options.

One of the things I realy dislike in ModSecurity 1.x is that its anti-evasion features are implicit. A series of transformations is always performed on input data and always in the same order. This is somewhat convenient because it saves you from having to think about the evasion issues. This approach - implicit normalisation - is not foolproof (no surprises there). First, there are occassions where you need some other (sometimes peculiar) transformation to take place before you look at data. Second, the context in which input data is used *is* important. It is not always appropriate to perform a particular transformation - you might even be helping the attackers avoid detection (or prevention).

That's why, when I set to design ModSecurity 2.x, I came up with a flexible solution that allows one to configure normalisation features correctly in every possible sitation. The new capabilities do not come for free: ModSecurity 2.x is a better tool but it is also more difficult to use. Enough about that, let's discuss the improvements.

There are 19 normalisation functions documented in the ModSecurity 2.x reference manual. They are:

lowercase
replaceNulls
removeNulls
compressWhitespace
removeWhitespace
replaceComments
urlDecode
urlEncode
urlDecodeUni
base64Encode
base64Decode
md5
sha1
hexDecode
hexEncode
htmlEntityDecode
escapeSeqDecode
normalisePath
normalisePathWin

The names of most are self-explanatory. (For the others refer to the manual.) By default ModSecurity 2.x will perform lowercase, replaceNulls and compressWhitespace on input data. If you need something else you will have to reconfigure this setting using the new action "t". As before you can use SecDefaultAction to set the defaults for all rules that follow:

SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace

The above is an example of a default configuration. You can also have a per-rule setting, either by changing the normalisation options completely, or by adding or removing from the default configuration. Here's an example where "compressWhitespace" is removed and "replaceComments" added.

SecRule ARGS keyword t:-compressWhitespace,t:replaceComments

To completely replace the configured normalisation functions simly use the special name "none".

SecRule ARGS keyword t:none,t:normalisePathWin

And if the built-in normalisation functions are not enough for you there is good news - ModSecurity 2.x has an API that allows you to add a new normalisation function without having to touch its source code. (There are examples of this in the distribution.)

[Web Security Blog]

Slashdot | Freenode Network Hijacked, Passwords Compromised?

Mon, 26 Jun 2006 13:17:12 GMT

tmandry writes "The world's largest FOSS IRC network, FreeNode, was hijacked (for lack of a better term) by someone who somehow got a hold of the privileges of Robert Levin, AKA lilo, the head honcho of FreeNode and its parent organization, PDPC. To make matters worse, the passwords of many users may have been compromised by someone posing as NickServ, the service that most clients are configured to send a password to upon connecting, while they reconnected to the servers that hadn't been killed. Of course, if someone was able to nab lilo's password, every user password may have been ripe for the taking. The details are still unknown, but these events raise scary questions about the actual security of FreeNode and other organizations like it."

Security Fix Pop Quiz.

Sun, 25 Jun 2006 17:16:09 GMT

Security Fix Pop Quiz.

I thought it might be a good idea to periodically remind Security Fix readers of recent security updates to popular software programs, because we all know how these things can slip through the cracks. The following entries include a link to the Security Fix post on each patch, followed by a link to the downloadable updates and the date each was released.

Windows updates for Windows 2000, Windows Server 2003, Microsoft Exchange, and Macromedia Flash: Microsoft Update Web site. Released May 9.

Mac OS X: Update for OS X 10.4.6, and OS X Server 10.4.6. Released May 11.

Firefox:v. 1.5.0.4. Released Jun. 1.

QuickTime (Windows and Mac versions): version 7.1. Released May 11.

Java: J2SE 5.0 Update 7. Released May 26.

RealNetworks (for RealPlayer, Rhapsody, Helix Player and RealOne Player): Click here to see if you need to update. Issued March 30.

[Security Fix]

Zfone: A New Approach for Securing VoIP Communication.

Wed, 21 Jun 2006 14:30:22 GMT

Zfone: A New Approach for Securing VoIP Communication. This contribution by Samuel Sotillo is a survey on VoIP security with a focus on Phil Zimmermann's new ZRTP protocol and Zfone application. By Samuel Sotillo. [Infosec Writers Latest Security Papers]

Embeddable Web Application Firewalls and Impedance Mismatch.

Mon, 12 Jun 2006 16:05:26 GMT

Embeddable Web Application Firewalls and Impedance Mismatch.

Some of you may remember I wrote about impedance mismatch that occurs between security layers. Ryan Barnett made an interesting post to the mod-security-users mailing list the other day:

Those of you running Snort in addition to ModSecurity undoubtedly saw the Snort URI rule bypass bug announced last week - http://www.demarc.com/support/downloads/patch_20060531.

I run both Snort and ModSecurity in my DMZ segment to identify/prevent HTTP attacks. They are a great compliment to each other as they are different tools - 1 a network-based IDS and 1 an embedded WAF within Apache.

Nothing highlights the differences between the 2 and how they handle HTTP data more than this type of vulnerability announcement. Snort is doing the best that it can to interrogate HTTP transactions however the fact is that it is not a web server so there will be mistakes made as it analyzes data. ModSecurity, on the other hand, is integrate into Apache and therefore does not fall victim to this type of HTTP evasion attack.

When this announcement was released, I quickly ran some tests between Snort and ModSecurity to verify that ModSecurity did in fact identify and block my requests with inserted "\r" return characters. Due to the fact that I use the Snort2Modsec.pl script to translate all of the Snort web attack sigs, I had absolutely zero loss of IDS coverage on my web servers while I upgraded/patched Snort :)

He makes an interesting point. It is obvious that running embedded has both positive and negative aspects. Being able to see exactly how web server parses requests is a positive one.

[Web Security Blog]

LinuxWorld | Users hit by multi-browser threat

Sat, 10 Jun 2006 15:09:29 GMT

Security vendors have warned of a flaw that affects an unusually broad cross-section of browsers -- Internet Explorer, Firefox and the Mozilla suite on Windows, Linux and Mac OS X -- and could be used to hoover up files from vulnerable systems.

The problem is in the way the browsers implement scripting -- JavaScript in Firefox and Active Scripting in IE. Both browsers have a design error in which a script can cancel certain keystroke events when users are entering text.

The bug could be exploited into tricking users into entering text into a field that seems secure, while in fact the text is being made accessible to an attacker. "In both IE and Firefox you can filter the keystrokes entered in a form and 'bounce' the input over to the file input box, and then bounce back to previous text entry, making it appear as if nothing has happened," said Charles McAuley, who originally discovered the flaw, in an advisory published on Monday.

Using this technique, attackers could obtain the directory path of sensitive files, which could then be uploaded to the attacker, according to several advisories.

Get in sync - security exposure ??

Thu, 08 Jun 2006 14:10:10 GMT

Get in sync

Posted by Brian Rakowski, Product Manager

What could be worse than forgetting to bookmark the obscure page you found that maps out the perfect walking tour of Venice? Having bookmarked it on the computer sitting on your desk back at home, 6000 miles away, instead of on the laptop you brought along. Or how about the frustration of being on a new computer and not remembering your passwords because your browser on your old computer automatically filled them in for you?

These sorts of frustrations inspired us to build a Firefox extension that keeps your browser settings for all your computers in sync. Google Browser Sync unifies your bookmarks, history, saved passwords, and persistent cookies across all the computers where you install it. It also remembers which tabs and windows you had open when you last closed any of your browsers and gives you a chance to reopen them. We think you'll enjoy how it handles sync conflicts and "just works," enabling you to bring your browser with you everywhere.

Meanwhile, we've also been improving version 2 of the Google Toolbar for Firefox . We've fixed a bunch of bugs and made it more stable, so we're stripping off the "beta" tag. We'll be updating all Toolbar users to this new version in the next couple of weeks.

- A Googler [Official Google Blog]

Editor: Emphasis added. Sounds handy, but I'm not sure how comfortable I would be storing all my Bookmarks, history and saved passwords on someone else's server. They do seem to have some basic encryption of your data, but we'll have to wait and see how secure this is. But if this enctyption is ever hacked it will be a goldmine of security data.

The evolution of SNMP from a security perspective.

Tue, 06 Jun 2006 14:58:09 GMT

A Comparison of SNMP v1, v2 and v3. Eddie Bibbs and Brandon Matt submit this paper which discusses the evolution of SNMP from a security perspective. By Brandon Matt. [Infosec Writers Latest Security Papers]

Firefox, Thunderbird users urged to update to patch serious flaws.

Sat, 03 Jun 2006 01:38:23 GMT

Mozilla Squashes Bugs. Firefox, Thunderbird users urged to update to patch serious flaws. [PC World: Latest Technology News]

Firefox 2.0 Bakes in Anti-Phish Antidote

Thu, 01 Jun 2006 16:24:02 GMT

Mozilla has reached the latest development milestone for its next-generation Firefox 2.0 "Bon Echo" browser with a little anti-phishing help from Google.

Anti-phishing capability, which Mozilla has branded "Safe Browsing," is one of the marquee features in Firefox 2.0 and one of the reasons a third alpha is necessary. Now baked into Firefox 2.0 alpha 3, Google Safe Browsing is triple-licensed under the Mozilla Public License (MPL) 1.1, the GPL 2.0 (define) and the LGLP (define).

It is also built into the Google Toolbar, which is available for both Firefox and IE.

First StarOffice Virus Detected.

Wed, 31 May 2006 15:52:11 GMT

First StarOffice Virus Detected. Proof-of-concept virus uses macros to attack the office suite. [PC World: Latest Technology News]

IptablesWeb2

Wed, 24 May 2006 15:56:12 GMT

IptablesWeb is a free software (under GPL licence): it allows to inspect iptables logs, to receive e-mails and alerts using a web browser; it's a plugin-based multilanguage and multiuser software written in PHP.

ModSecurity for Apache 2.0.0-beta-3 now available!

Tue, 23 May 2006 19:27:36 GMT

ModSecurity for Apache 2.0.0-beta-3 now available!

ModSecurity 2.x is a big deal. The project grew organically since 2003, with features added on top of the existing architecture. At some point we hit a limit of what is possible with the old code base. It's when I decided the time was ripe to break ModSecurity into pieces and re-assemble it into a brand new code base. ModSecurity 2.x is a result of a year of planning and several months of execution. The new code is nice, tidy, and modular. More importabtly, the new code is no longer tightly intergrated with Apache, which allows it to be ported to other web servers. (Yes, this will be happening later this year.)

[...]

Finally, here is a brief list of improvements:

Five processing phases (where there was only one in 1.9.x). These are: request headers, request body, response headers, response body, and logging. Those of you that wanted to do things at the earliest possible moment can do them now.
Per-rule transformation options (previously normalisation was implicit and hard-coded). Many new transformation functions were added.
Transaction variables. This can be used to store pieces of data, create a transaction anomaly score, etc.
Data persistence (can be configured any way you want although most people will want to use this feature to track IP addresses, application sessions, and appliction users).
Support for anomaly scoring and basic event correlation (counters can be automatically decreased over time; variables can be expired).
Support for web applications and session IDs.
Regex backreferences.
There are now many functions that can be applied to the variables (where previously one could only use regular expressions).
XML support (parsing, validation, XPath).

Overall, you will find ModSecurity now does very little, if anything, implicitly. You will be expected to configure it explicitly to work as you want it to work. I realise this is going to make life more difficult for a casual user, but I also believe the change was necessary to make ModSecurity into a tool that can properly mitigate web application security issues.

You can download ModSecurity 2.x from the Thinking Stone Network (free registration, no spam). The manual is included in the distribution. While you're there, be sure to check ModSecurity Console 1.0.0-beta-1, a nice looking daemon/GUI tool for ModSecurity audit log centralisation, which I will cover in a future post. Both programs are available for download in the Early Access section.

[Web Security Blog]

Voice Encryption May Draw U.S. Scrutiny - New York Times

Mon, 22 May 2006 22:05:33 GMT

Philip R. Zimmermann wants to protect online privacy. Who could object to that?

He has found out once already. Trained as a computer scientist, he developed a program in 1991 called Pretty Good Privacy, or PGP, for scrambling and unscrambling e-mail messages. It won a following among privacy rights advocates and human rights groups working overseas -- and a three-year federal criminal investigation into whether he had violated export restrictions on cryptographic software. The case was dropped in 1996, and Mr. Zimmermann, who lives in Menlo Park, Calif., started PGP Inc. to sell his software commercially.

Now he is again inviting government scrutiny. On Sunday, he released a free Windows software program, Zfone, that encrypts a computer-to-computer voice conversation so both parties can be confident that no one is listening in. It became available earlier this year to Macintosh and Linux users of the system known as voice-over-Internet protocol, or VoIP.

What sets Zfone apart from comparable systems is that it does not require a web of computers to hold the keys, or long numbers, used in most encryption schemes. Instead, it performs the key exchange inside the digital voice channel while the call is being set up, so no third party has the keys.

Zfone's introduction comes as reports continue to emerge about the government's electronic surveillance efforts. A lawsuit by the Electronic Frontier Foundation, a privacy rights group, contends that AT&T has given the National Security Agency real-time access to Internet communications.

Secure Voice over IP: Zfone by Phil Zimmerman

Mon, 22 May 2006 22:05:03 GMT

21 May 2006 - I've just released a new public beta for Zfone, a new product that takes a new approach to make a secure telephone for the Internet. Zfone lets you whisper in someone's ear, even if their ear is a thousand miles away.

Zfone uses a new protocol called ZRTP, which is better than the other approaches to secure VoIP, because it achieves security without reliance on a PKI, key certification, trust models, certificate authorities, or key management complexity that bedevils the email encryption world. It also does not rely on SIP signaling for the key management, and in fact does not rely on any servers at all. It performs its key agreements and key management in a purely peer-to-peer manner over the RTP packet stream. It interoperates with any standard SIP phone, but naturally only encrypts the call if you are calling another ZRTP client. This new protocol has been submitted to the IETF as a proposal for a public standard, to enable interoperability of SIP endpoints from different vendors.

How to get the Zfone Public Beta (Yes, we've got Windows!)

Yes, we finally have a Windows XP version , as well as a new Mac OS X and Linux version. To get your hands on the Zfone public beta software, click here:
Get Started with Zfone Now!

In keeping with the long-standing PGP tradition, the source code is also available to download for peer review.

The Story of PGP.

Mon, 22 May 2006 00:20:23 GMT

The Story of PGP. Hefty crypto has a complicated history full of lawsuits, legislation and international intrigue. This account of PGP's creation and rise to fame is excerpted from the new book by Michael W. Lucas. In Webmonkey. [Wired News: Top Stories]

SELinux from scratch ( IBM developerworks )

Tue, 16 May 2006 23:13:53 GMT

SELinux, the U.S. National Security Agency's implementation of mandatory access control, is the most prominent new security subsystem in Linux(r). It comes installed by default in Fedora and Red Hat Enterprise Linux and is available in easy-to-install packages in other distributions. This article shows you how to convert a non-SELinux system by hand in order to expose details about how SELinux is integrated into a system.

Building a PHP Honeypot.

Mon, 15 May 2006 16:37:11 GMT

Building a PHP Honeypot. This contribution by Jamie Riden and Laurent Oudot describes a design for a low interaction honeypot to emulate flaws in various PHP applications. By Jamie Riden. [Infosec Writers Latest Security Papers]

German government engineers open OpenPGP for Windows.

Sat, 13 May 2006 21:53:53 GMT

German government engineers open OpenPGP for Windows. If you run a mostly Linux-based network with some Windows machines, but want to standardize on open source data encryption tools on all your platforms, now you can. [Network World on Privacy]

Secure DVD Live DVD Collection.

Wed, 10 May 2006 12:40:07 GMT

Secure DVD Live DVD Collection. SecureDVD is a live DVD collection*) featuring the 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) as per Darknet (see article here) on one single DVD. [LinuxSecurity.com]

Diving deeper into the latest Linux vulnerability numbers.

Sat, 06 May 2006 02:18:42 GMT

Diving deeper into the latest Linux vulnerability numbers. A recent report by Russian cyber security outfit Kaspersky Labs says Linux saw the largest gains in malware, viruses and other malicious software targeting the operating system, compared to other non-Windows, Unix-based operating systems. Statistics from the report - titled "2005: *nix Malware Evolution" - show that there were 863 malicious programs targeting Linux in 2005, a jump from 422 in 2004. [Virus and worm news from Network World Fusion]