Archive for 'News' Category

Security Report: Windows vs Linux

An independent assessment of Windows vs. Linux. Microsoft Windows Server 2003 and Red Hat Enterprise Linux AS v.3 were examined to see which platform is more secure.

The results were not unexpected. Even by Microsoft’s subjective and flawed standards, fully 38% of the most recent patches address flaws that Microsoft ranks as Critical. Only 10% of Red Hat’s patches and alerts address flaws of Critical severity. These results are easily demonstrated to be generous to Microsoft and arguably harsh with Red Hat, since the above results are based on Microsoft’s ratings rather than our more stringent application of the security metrics. If we were to apply our own metrics, it would increase the number of Critical flaws in Windows Server 2003 to 50%.

Posted by Niranjan on May 28th, 2007 in News, Tips |

Quick Links for 26 May 2007

Lessons From a Honeynet That Attracted 700,000 Attacks – The Continuous Processes of Vulnerability Management: Create security policies & controls, Track inventory / categorize assets, Scan systems for vulnerabilities, Compare vulnerabilities against inventory, Classify risks, Pre-test patches, Apply patches, Re-scan and confirm fixes.

Apple patches a dozen security holes – Apple released security updates to Mac OS X operating system and other software.

MS update patches patching – Microsoft this week pushed an update to patch their patching system.

OpenOffice virus reaches across platforms – “A virus writer with something to prove has written a proof-of-concept OpenOffice document to demonstrate a way to infect Windows, Linux and Mac OS X systems with a single script.”

Posted by Niranjan on May 26th, 2007 in News, Tips |

Quick Links for 23 May 2007

Google Online Security Blog – Google has gone public with its new security blog. The first post says: “we’ve started this blog where we hope to periodically provide updates on recent trends, interesting findings, and efforts related to online security. Among the issues we’ll tackle is malware, which is the subject of our inaugural post.”

Top 10 vulnerabilities in Web applications in Q1 2007 – “In this study, Cenzic identified 1,561 unique vulnerabilities during the first quarter of 2007. Of the reported vulnerabilities, file inclusion, SQL injection, cross-site scripting and directory traversal were the most prevalent, totaling 63 percent. The majority of vulnerabilities affected Web servers, Web applications and Web browsers, with Cenzic classifying the bulk as easily exploitable.”

Top 15 free SQL Injection Scanners – “Checking for SQL Injection vulnerabilities involves auditing your web applications and the best way to do it is by using automated SQL Injection Scanners. We’ve compiled a list of free SQL Injection Scanners we believe will be of a value to both web application developers and professional security auditors.”

Posted by Niranjan on May 23rd, 2007 in News, Tips |

Quick Links for 18 May 2007

Estonia hit by ‘Moscow cyber war’ [BBC] – Estonian web sites have suffered massive DoS attacks for the last three weeks, and they’re blaming Russia for it.

Symantec pursues $55m copyright damages [Channel Register] – Symantec is seeking $55m in damages against eight US and Canadian firms for selling illegal copies of its software.

British judge asks prosecutor: So what’s a Web site? [msnbc] – “The trouble is I don’t understand the language. I don’t really understand what a Web site is,” he told a London court during the trial of three men charged under anti-terrorism laws.

Global net censorship ‘growing’ [BBC] – The level of state-led censorship of the net is growing around the world, according to a survey.

Posted by Niranjan on May 18th, 2007 in News |

Quick Links for 16 May 2007

Mac Virus and On-Line Security FAQ – “These days it’s hard to avoid the dirty underbelly of the Internet. It’s not as bad as it seems out there if you have some common sense and know the facts. Using a Mac helps too. In this little FAQ, I’ll pass on some tips and get you up to scratch regarding viruses, internet security, firewalls, on-line shopping and more.”

Ubuntu Security Resource – “If you’ve recently switched from Windows to the Linux distribution Ubuntu, you’ve probably experienced a decrease in spyware — and malware in general — on your system. But although Ubuntu is billed as the ultra-secure solution, you should know that even though Ubuntu’s default install has its flaws, like every other operating system.”

Firefox Surfers More Likely Patched Than IE Users – “New statistics released today indicate that people who use Mozilla’s Firefox Web browser are more likely to be cruising the Web with all of the latest security updates installed than those surfing with Microsoft’s Internet Explorer.”

Posted by Niranjan on May 17th, 2007 in News, Tips |

New CISSP Requirements

I received an email from (ISC)2 yesterday about the new, stricter requirements for the CISSP. The new experience requirements for the CISSP certification will be effective 1 October, 2007. Basically, you’ll now need five years of work experience instead of four, and the endorsement must be done by an (ISC)2-certified professional. I can see that (ISC)2 is trying to maintain the high standards of the CISSP. So, it means new CISSPs must find and interact with other CISSPs before they can earn the title. You can find more details about the new requirements in (ISC)2’s press release.

* The minimum professional experience requirement for CISSP certification will be five years of relevant work experience in two or more of the 10 domains of the CISSP CBK, or four years of work experience with an applicable college degree or a credential from the (ISC)2-approved list. The current requirements for the CISSP call for four years of work experience in one or more of the 10 domains of the CISSP CBK, or three years of experience with an applicable college degree or a credential from the (ISC)2-approved list.

* Candidates for any (ISC)2 credential will be required to obtain an endorsement of their candidature exclusively from an (ISC)2-certified professional in good standing. The professional endorsing the candidate can hold any (ISC)2 certification – CISSP, SSCP or CAP. Currently, candidates can be endorsed by an officer from the candidate’s organization if no CISSP endorsement can be obtained. The board believes that only an (ISC)2-credentialed professional bound by its Code of Ethics should provide a candidate endorsement.

Posted by Niranjan on May 17th, 2007 in News, Tips |

Quick Links for 12 May 2007

Posted by Niranjan on May 12th, 2007 in News, Tips |

Quick Links for 27 April 2007

  • Heir ‘hired firm to spy on wife’ – American banking heir Matthew Mellon paid private detectives to hack into the e-mails of his estranged wife prior to their divorce, a court was told.
  • Schneier questions need for security industry – “We shouldn’t have to come and find a company to secure our e-mail. E-mail should already be secure. We shouldn’t have to buy from somebody to secure our network or servers. Our networks and servers should already be secure.”
  • Websense buys Surf Control – Websense is bulking up to take on the big IT security vendors by buying Surf Control, the British censorware developer, for £201m ($400m) cash.
  • Virus Writers Taint Google Ad Links – Virus writers are aiming to get their malicious software installed on computers whose users click onto ad links after searching for legitimate sites such as BBBonline.org, the official Web site of the Better Business Bureau.

Posted by Niranjan on April 27th, 2007 in News |

Top 10 Most Famous Hackers of All Time

IT Security has a nice article about the Top 10 Most Famous Hackers of All Time: 5 black hat crackers and 5 white hat hackers, some famous for wreaking havoc and others for driving technological innovation.

Posted by Niranjan on April 26th, 2007 in News |

Quick Links for 27 March 2007

  • What to Do When Your Security’s Breached – You’ve got a full-blown security incident on your hands. What are you going to do about it?
  • How I’d Hack Your Weak Passwords – If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?
  • Wireless LAN security myths that won’t die – Since it has been two years, I’m going to update the information with more defined categories and better explain why they’re so bad from an ROI (return on investment) and security perspective.

Posted by Niranjan on March 27th, 2007 in News, Tips |