Software companies should be made liable for the security problems that arise in their products, according to security guru Bruce Schneier.
In a presentation at the LinuxWorld OpenSolutions Summit, the BT Counterpane CEO said that this was the only way to help improve IT security, the effects of which were currently taken for granted.
Online criminals today know what they want, and they know where to find it: in your corporate database. Yet, despite a number of highly-publicized data breaches and thefts, many enterprises still have not fully developed a database security strategy.
Experts agree that database information, particularly customer lists and personal user data, is currently the most marketable and attractive target for electronic thieves. But most databases aren't ready for the onslaught of attacks they are beginning to see, the experts warn.
In October 2005, Windows expert Mark Russinovich broke the news about a truly underhanded copy-protection technology that had gone horribly wrong. Certain Sony Music CDs came with a program that silently loaded itself onto your PC when you inserted the disc into a CD-ROM drive. Extended Copy Protection (or XCP, as it was called) stymied attempts to rip the disc by injecting a rootkit into Windows — but had a nasty tendency to destabilize the computer it shoehorned itself into. It also wasn't completely invisible: Russinovich's own RootkitRevealer turned it up in short order. Before long, Sony had a whole omelette's worth of egg on its face, and the word rootkit had entered the vocabulary of millions of PC users.
A few months back I did some intense testing of all the best vulnerability scanners out there… I had a couple of Unix boxes hooked up, as well as some Windows machines, and figured I could add clients to a “once-a-week” scanning contract. So naturally, I wanted to use the scanner that was the best for my purpose.
Source: LinuxDevices.com - Posted by Benjamin D. Thomas
SafeNet is shipping an "integrated IPSec VPN platform" software said to support VPN connections from next-generation mobile devices. The QuickSec 4.1 Server and Client Toolkits help developers incorporate the most current IPSec security standards, such as MobIKE, into carrier-grade security gateways, network routers, mobile VPN devices, and desktop VPN clients, according to the company.
I first touched a BSD box in around 1994, thanks to the donation of a BSD/OS system and SLIP connection from UUNet to my high school. It was love at first sight! Discovering FreeBSD not long after, I've been a regular FreeBSD user since around 1995, although I only became involved in FreeBSD development in 1999, gaining a "commit bit" to help maintain the FreeBSD portions of the Coda distributed file system, a project I had worked on while at Carnegie Mellon University. My undergraduate degree is in Logic and Computation, from CMU's philosophy department, along with a double major in Computer Science, but it became clear that my greatest interest lay in operating systems and security. After working on file system ACLs and mandatory access control for FreeBSD, I started the TrustedBSD Project in 2000, with the goal of bringing more advanced security features to the platform. In 2001, while working at Network Associates Laboratories (NAI Labs, and later McAfee Research), I proposed and became Principal Investigator on a research project as part of DARPA's CHATS research program, which was investigating security and open source. This project included sponsoring and developing UFS2, OpenPAM, the TrustedBSD MAC Framework, NSS support, PAE support, several network stack hardening projects (including syncache and syncookies for FreeBSD), GEOM, and GBDE.
You may not always be able to protect your laptop from a thief, but you can keep the data it contains safe. Two new products -- PGP Corp.'s PGP Whole Disk Encryption 9.5 and SecurStar GmbH's DriveCrypt Plus Pack 3.5 -- promise to protect your data, so that even if your computer falls into the wrong hands, its contents will remain unreadable. Both applications are easy to use and offer an impressive suite of tools, but most users will appreciate the more practical features and lower price tag of PGP's product. Both PGP and DriveCrypt offer on-the-fly, full-disk encryption, which means that they scramble all the data on your hard drive the moment you save it to disk. Both use the AES-256 algorithm, a fast, well-established and trusted mechanism for encrypting data.
OpenSSH 4.5 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.
Source: EnGarde Secure Linux Development Team - Posted by Carney Mimms
Guardian Digital is pleased to announce the release of EnGarde Secure Community 3.0.10 (Version 3.0, Release 10). This release includes our new SELinux Control Console and our new context-sensitive Guardian Digital help system, along with bug fixes and upgrades to major applications including Apache, Postfix, and Snort.
For details, see our new Community News and Upgrade page at:
The Atlanta-based software maker introduced several new add-ons to DevInspect 3.0, which promises to help Web applications designers locate potential flaws in their work using so-called black box testing tools in combination with source code inspection technology.
By identifying and verifying exploitable security defects using the automated black box system, and scouring program source code for more common errors, the company maintains that the product provides customers with a hybrid technique for eliminating potential glitches in Web-based systems.
The product also seeks to facilitate more effective communication related to vulnerability reporting and remediation between IT security specialists and software developers.