LinuxSecurity.com
The central voice for Linux and Open Source security news
Server Security
We have thousands of posts on a wide variety of open source and security topics, conveniently organized for searching or just browsing.



Bruce Schneier on Security and Combat FUD  05 February 2008 
Source: ITnews.com - Posted by Ryan Berens   
After talking at LinuxCONF Australia last week, Bruce Schneier sat down and talked about how to incorporate the right mindset for security, how to counter FUD and much more... The only way to overcome it is through information. You have to counter people's natural reactions, their default ways of thinking. You need to make people stop and think about what they're doing. Sure it is hard but people in those positions do this all the time. In businesses, it's going to be easier. If you get it right, your business is more successful and you get more profits. So there's an incentive to get it right.

Celebrity Advice on Keeping Your Linux Desktop Secure  28 January 2008 
Source: www.linux.com - Posted by Ryan Berens   
What do Linus Torvalds, Ted Ts'o, Fyodor (creator of Nmap) and Andrew Morton have in common? They are all celebrities in the world of Linux, and just like everyone else, they have to worry about security too. But each one has something different to say on their security.

Torvalds: "My firewall rules are also pretty anal. I basically try to not let anything in. Not even SSH; when I'm traveling, I simply cannot log into my normal machines. And I don't..."

Ts'o: "...has been running Linux on his desktop without a firewall for years."

Morton: "I rely upon a little Netgear router not having any bugs in it, and everything behind that router is just out-of-the-box distro code with various security features disabled when they start to irritate me."

Fyodor: "Update your software frequently. Most modern distributions make it easy to install updates (including security patches) for packages installed on your system..."

Read on to see the full story.

OS Tool of the Month: Perform GnuPG Functions Within Vim  16 January 2008 
Source: www.Savvyadmin.com - Posted by Ryan Berens   
Performing GnuPG functions from Vim is actually pretty helpful if you work heavily with both applications on a regular basis. I was recently looking for a simple way to both word wrap and clearsign various text files within Vim, and found just what I was looking for... If you tend to use Vim and GnuPG, he also goes into how to encrypt, decrypt and verify text from directly within Vim. Do you use Vim?

Is Hidden Open Source Code Putting Your Apps at Risk?  16 January 2008 
Source: LinuxInsider - Posted by Bill Keys   
The most overlooked open source security vulnerabilities, according to Palamida researchers, occur in Apache Geronimo, JBoss Application Server, Libtiff, Net-SNMP and ZLIB. "The most popular projects appear in every test. This always surprises companies. There is from three to 10 times the use of open source code [in software enterprise uses] than companies realize," said Theresa Bui-Friday, cofounder of Palamida. I believe that open source code is more secure because more people are identifying and patching any vulnerabilities found in the code. What do you think?

Meet the Hacker Fyodor, Creator of Nmap  08 January 2008 
Source: Search Security - Posted by Bill Keys   
What inspired you to write Nmap, and what were your early expectations?

Nmap was mostly written during the summer of 1997, which I spent in Baltimore working as a teaching assistant at Johns Hopkins University. They set me up in a dorm room with Ethernet connectivity, giving me a new network to explore. At the time, I had a directory full of port scanners, such as Strobe for connect scanning, Reflscan for SYN scanning, and the UDP scanner from SATAN. I hacked them all to add options and features, but still found them frustrating to use. So I decided to write my own dream port scanner which would be faster, and support all the scan types and options I wanted. Most of us have used nmap but few of us know who created this tool. This article interviews Fyodor the creator of Nmap.

Top Linux Security Stories of 2007  03 January 2008 
Source: Searchenterpriselinux.com - Posted by Ryan Berens   
James Turnbull, one of the veterans in Linux and security, chimes in on the biggest stories in Linux security of 2007. It was an eventful year:

Storm bot attacks threatened, but new Linux tools and updates kept storm bots and most other IT security hacks at bay in 2007. That said, new problems -- such as security risks in virtual machines -- cropped up last year. Here's my round-up of the big Linux security events, software releases and controversies that cropped up in 2007.

Dissecting and Digging Application Source Code for Vulnerabilities  28 December 2007 
Source: Help Net Security - Posted by Bill Keys   
Application source code scanning for vulnerability detection is an interesting challenge and relatively complex problem as well. There are several security issues which are difficult to identify using blackbox testing and these issues can be identified by using whitebox source code testing methodology. Application layer security issues may be residing at logical layer and it is very important to have source code audit done to unearth these categories of bugs. Any tools which can help make my code more secure are, I feel, worth looking at. Have you ever used a software application for scanning your source code for vulnerabilities? Do you think they are useful?

4 Ways to Keep LAMP Secure  19 December 2007 
Source: Enterprise Networking Planet - Posted by Ryan Berens   
I dislike raining on anyone's parade, but all wannabe-Web moguls need to invest some serious time and energy into learning their LAMP stacks inside out. Any Internet-exposed server requires extra attention to security, and dynamic Web servers even more so because of their complexity. The risk for collateral damage is high. Bigtime organized crime is behind computer exploits these days, and malware is just a gateway to fraud, extortion, and theft. She goes into much further detail - why should you fling PHP? What add-ons does PHP need? How do you set up Apache in the best way possible, and much more...

The Top 5 Most Overlooked Open Source Vulnerabilities for 2007  13 December 2007 
Source: Palamida.com - Posted by Ryan Berens   
Vulnerabilities and advisories are a standard part of running your system. So for the Open Source realm, which ones deserve the most attention? Well, Palamida, a code testing company, has done just that:

For year-end 2007, we have compiled the Top 5 Most Overlooked Open Source Vulnerabilities encountered during 2007. We came up with this list after reviewing over 300 million lines of code and spending literally thousands of hours of analysis across a wide range of industries - including technology, financial services and government, among others.

So what do we mean by "Most Overlooked"? Well first, we mean that these are known vulnerabilities with a high-severity, Common Vulnerability and Exposure, (CVE) ranking found within open source projects that appear in code audits we perform. Secondly, and perhaps even more importantly, these vulnerabilities were found throughout 2007 in some of the most frequently used open source projects that customers did not realize they had.

NBA for Security  10 December 2007 
Source: ww.NetworldWorld.com - Posted by Ryan Berens   
Network Behavior Analysis (NBA) tools fill the void left by static security products such as firewalls, which simply enforce pre-existing policies, and intrusion-detection/prevention systems (IDS/IPS), which detect and block attacks based on known signatures.
A concise overview of how they can represent the last line of defense for clients' networks. This is because they protect against those attacks which can be considered irregular.

(c)Copyright 2008 Guardian Digital, Inc. All rights reserved.