Linux Security Week: January 3rd 2005

I administer a newly deployed ROCKS compute cluster, and I use the Parallel Virtual Filesystem which comes with the ROCKS linux distribution to provide a parallel IO system. For those who are not familiar, check out my earlier ROCKS article, as well as my earlier article about PVFS. My cluster is slightly older hardware -- dual PIIIs, and each PC has two hard drives. Initially, I thought having two drives was great news, because I could add all of the capacity of the second drive, along with unused capacity of the first drive to grant large amounts of scratch space to the cluster users, some of whom would be more than happy to have it.

How you handle calls and returns is as important as which components you call. Application programs typically make calls to other components, such as the underlying operating system, database systems, reusable libraries, Internet services (like DNS), Web services, and so on. This article explains how to prevent attackers from exploiting those calls to other components by discussing the use of only secure components, passing only valid data, making sure the data will be correctly interpreted, checking return values and exceptions, and protecting data as it flows between applications and components.

Internet security research firm iDefense has announced a series of vulnerabilities and patches for a variety of Unix- and Linux-based products.

news/server-security/unix-linux-security-bugs-patched

The average unpatched Linux system survives for months on the Internet before being hacked, a report recently issued by the Honeypot Project claims.

news/server-security/unpatched-linux-pcs-stay-secure-for-months

A trio of new and unpatched vulnerabilities in Microsoft Windows were made public on security mailing lists over the weekend, nudging some security vendors to alert users that their systems may be open to attack and hijacking. The vulnerabilities, first reported by a Chinese group and then posted to the Bugtraq mailing list, are in Windows' LoadImage API function, its animated cursor files, and in the way it handles help files. All of the bugs are as yet unpatched.

news/vendors-products/new-critical-windows-bug-lack-patches

The average unpatched Linux system survives for months on the Internet before being hacked, a report recently issued by the Honeypot Project claims. The life expectancy of Linux has lengthened dramatically since 2001 and 2002, the project said, from a mere 72 hours two and three years ago to an average of three months today. Honeypot Project is a non-profit that, as its name suggests, connects vulnerable systems to the Internet in the hope of drawing attacks so that they can be studied.

news/security-projects/honeypot-project-finds-unpatched-linux-pcs-stay-secure-online-for-months

Security, Web services and Linux jobs continue to dominate the IT help wanted ads and are projected to remain among the hottest skill and certification areas in 2005, according to research firms that specialize in tracking skills and certifications. Researchers said companies continue to invest in security-related projects while looking to eliminate aging legacy systems, and are exploring less expensive, newer platforms such as Linux.

news/security-projects/linux-security-skills-projected-hot-skills-for-2005

What technologies are going to be most important for you to survive 2005? We pull out our looking glass and tell you what's hot.We Don't Need No Stinking Power Cords! Power over Ethernet (PoE) technology will be deployed big-time, allowing wireless access points, VoIP phones, and many other devices to be used with less hassle and expense, because they can get electricity and Ethernet connectivity from the same cable. Electricians unions across the country walk out in protest.

{mos_sb_discuss:24}

Web services, security and Linux jobs continue to dominate the IT help wanted ads and are projected to remain among the hottest skill and certification areas in 2005, according to research firms that specialize in tracking skills and certifications.Researchers said companies continue to invest in security-related projects while looking to eliminate aging legacy systems, and are exploring less expensive, newer platforms such as Linux.

The source code for the most prevalent worm targeting mobile phones has been made public, security firms announced Wednesday, a dangerous disclosure that may lead to more effective attacks.

news/hackscracks/phone-worm-source-code-out-expect-more-threats-9946

An IPv6-based network linking 25 universities in 20 cities across China began operating on Saturday. The China Education and Research Network Information Center (CERNIC) announced the launch of the network, called CERNET2, which is thought to be the largest single IPv6 network yet created. CERNIC claimed it makes China a world leader in the race to build the next generation of the Internet. China's National Development Reform Commission (NDRC) has set aside 1.4bn yuan (US$169m) to support six next-generation Internet networks, according to People's Daily , China's main daily newspaper. Half of it will be used on projects linked to the university network, with the remaining money given to five telecom operators.

{mos_sb_discuss:6}

Sometimes people don't know when a revolution has happened until afterwards. Then, the historians tell us that 2004 was the year that open source started to become computing's mainstream.

In my last column, I reviewed the top security developments of 2004. Now I'm going to extrapolate on the trends that I see affecting IT security in 2005, both here and abroad.

{mos_sb_discuss:24}

Biometrics authentication technology should be a promising means to confirm a cardholder's authenticity. With a Linux-based radio frequency (RF) personalizer that reads and writes in memory, the administrator can set various parameters of the smart security controller, such as real-time clock, personal identification number (PIN) option, alarm options and reader delays.

news/privacy/biometric-sensors-keep-finger-on-security

Many security workers feel that government regulations aimed at protecting IT networks from threats are working, according to new survey.

news/government/security-workers-praise-sarbanes-oxley

Malware authors on Christmas day left dubious "gift" packages in e-mailboxes across the Internet. Fresh attacks, which took advantage of old Internet Explorer bugs, as well as new versions of the Santy worm fouled the holidays for some Windows users and PHP server admins. A posting on the Full Disclosure mailing list described a new attack that can proceed without user intervention.

news/hackscracks/holiday-attacks-target-ie-browser-php-servers

It took hackers less than a week to produce a working exploit that attacks a new, unpatched vulnerability in Microsoft's Internet Explorer, security firms said Tuesday.

{mos_sb_discuss:27}

news/hackscracks/fast-acting-hackers-put-out-trojan-attacking-ie

It took hackers less than a week to produce a working exploit that attacks a new, unpatched vulnerability in Microsoft's Internet Explorer, security firms said Tuesday. Phel.a, a Trojan horse discovered Monday, attempts to exploit the flaw in Internet Explorer 6.0 dubbed "Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass" that was first made public less than a week before, on December 21.

{mos_sb_discuss:27}
news/hackscracks/fast-acting-hackers-put-out-trojan-attacking-ie

The source code for the most prevalent worm targeting mobile phones has been made public, a dangerous disclosure that may lead to more effective attacks. The source code for the most prevalent worm targeting mobile phones has been made public, security firms announced Wednesday, a dangerous disclosure that may lead to more effective attacks. Cabir, which first appeared in June, uses Bluetooth to infect smart phones running the Symbian operating system.

news/hackscracks/phone-worm-source-code-out-expect-more-threats-9946

Malware used to be easy to detect and avoid. Virus writers would attach a malicious programme to an e-mail and distribute it as widely as possible. If any of the recipients opened the attachment, the virus could delete system and data files, search for confidential information and propagate itself on the local network. In those simple days, viruses were like vampires -- as long as you didn't invite them in, they couldn't do you any harm.

news/hackscracks/enn-year-in-review-2004-virus-wars

I hate spam as much as the next person, but recent decisions by courts in Iowa and Virginia demonstrate how fear of technology (and justifiable annoyance) can force the legal system to impose fines and sentences that are grossly disproportionate to the harm caused by spammers. This is not to defend or justify spammers, whose actions are at best deceptive, almost always annoying, generally illegal and frequently criminal.