Security Projects - Page 39
We have thousands of posts on a wide variety of open source and security topics, conveniently organized for searching or just browsing.
We have thousands of posts on a wide variety of open source and security topics, conveniently organized for searching or just browsing.
Very cool. It would be really nice to see a review of this project, and follow it as it progresses. Is anyone interested in reviewing it and letting us know how you make out?A group of developers has released open-source software that gives administrators a hand in making the Internet's addressing system less vulnerable to hackers.
The Wireshark developers have announced the release of version 1.2.1 of Wireshark, the popular open source, cross-platform network protocol analyser. In addition to over 30 bug fixes, the security update addresses seven vulnerabilities that could crash the application remotely or lead to a buffer overflow. The denial-of-service (DoS) vulnerabilities affect the IPMI, AFS, Infiniband, Bluetooth L2CAP, RADIUS, MIOP and sFlow dissectors. Versions from 0.9.2 up to and including 1.2.0 of Wireshark are affected and all users are advised to update.
This tutorial on hacker attack techniques and tactics will provide insight inside the mind of a hacker and help you to understand a malicious attacker's motives. You will receive advice on how hackers target specific information and what polices and procedures every organization should have in place to protect sensitive data.
Sucuri submitted a great research document they created that details the security of random blogs on the Internet for their attention to security factors.Research to determine if bloggers are taking the security of their sites seriously. We randomly selected 1747 blogs from the blog catalog and scanned them to see how secure they are... The results are interesting... Check it out. It is indeed very interesting. I'd like to hear more from this security team in the future.
This article talks about Ksplice, a program developed by an MIT grad student to perform security updates on a Linux server without having to reboot it:The technology was developed by cofounder Jeff Arnold while he was a graduate student at MIT, and last week, it won the grand prize at the Institute's $100K Entrepreneurship Competition. Waseem Daher, cofounder and chief operating officer, explains that the approach adopted by Ksplice saves it from restructuring instructions in a higher-level programming language on the fly. So far, Ksplice has developed its new update technology for the Linux operating system--which is commonly used to control server machines--although Daher says that the technology could work on other operating systems too.In my experience, it's not necessary to reboot a Linux server unless you're doing a kernel update or some change to a filesystem. Do you see any purpose for this?
Have you thought about the security implications of cloud computing? This article explains the cloud, and talks extensively about what the author proposes be done to address the security issues. The dramatic change in the rate of adoption and the amount of discussion taking place regarding cloud computing demands that this technology, or rather a set of related technologies, continue to evolve utilizing a security-sensitive design.
This is an excellent lesson in the security problems inherent in trusting proprietary software: After two years of attempting to get the computer based source code for the Alcotest 7110 MKIII-C, defense counsel in State v. Chun were successful in obtaining the code, and had it analyzed by Base One Technologies, Inc. Draeger, the manufacturer maintained that the system was perfect, and that revealing the source code would be damaging to its business. They were right about the second part, of course, because it turned out that the code was terrible.
I thought a national discussion about secure programming was important, despite that it's not specifically about open source. Homeland Security's Build Security In, Microsoft's Software Development Lifecycle (SDLC), BSIMM, and now OpenSAMM: Secure application development programs are spreading amid calls for more secure code. The practice of writing applications from the ground up with security in mind remains in its infancy, even with software giant Microsoft leading the charge by sharing its internal Software Development Lifecycle framework in the form of free models and tools for third-party application developers and customers in the spirit of promoting more secure software.
Securosis, Microsoft team up to solicit input for building a metrics model that measures efficiency and costs of security patching. Security consulting firm Securosis is spearheading a new effort to create metrics to quantify the cost and efficiency of an organization's security patching process.
The Nmap team has released an updated version that lets you remotely scan for machines Conficker-infected machines: Thanks to excellent research by Tillmann Werner and Felix Leder of The Honeynet Project and implementation work by Ron Bowes, David Fifield, Brandon Enright, and Fyodor, we've rolled out a new Nmap release which can remotely scan for and detect infected machines. Nmap 4.85BETA7 is now available from the download page, including official binaries for Windows and Mac OS X.
After many, many years of 0.9 status, the OpenSSL team has finally released a beta of version 1.0 of their software: Please download and test them as soon as possible. This new OpenSSL version incorporates 107 documented changes and bugfixes to the toolkit. Click-through to read the rest of the announcement!
James Morris has a good summary of the changes introduced into 2.6.29 up over at his blog, go take a look!
This message came across my INBOX this weekend: The PostgreSQL community is considering including security enhancements in Postgres 8.4, e.g. row-level permissions and SE-Linux security. However, to evaluate the patch and its usefulness, we need security experts who want to use this capability or have used it in other databases. If you use PostgreSQL and are interested in contributing in the discussion, click-through to read more!
James Morris just gave a presentation on sVirt at linux.conf.au this year and just posted his slides: The talk seemed to go reasonably well, and had a larger audience than I expected given that Tridge and Willy were talking at the same time. A video of the talk should appear online soon. If you're unfamiliar with the sVirt project this is a great way to get introduced to it, and if you're following the sVirt project this is still a good read!
Frank Neugebauer submitted the following: NoMachine NX is a solution for secure remote access, desktop virtualization, and hosted desktop deployment using compression, session resilience and resource management. It integrations a powerful audio, printing and resource sharing capabilities and makes it possible to run any graphical application (e.g KDE, Gnome etc.) across the network connection. Click-thru to see the rest of his tip!
Amon Ott says: Rule Set Based Access Control (RSBAC) 1.4.0 has been released for both Linux kernels 2.4.37 and 2.6.27.10. RSBAC 1.4 mainly introduces the new Virtual User Management feature which allows to isolate complete sets of users in so-called "virtual sets". Every user in every set can have individual passwords and access rights. Click-through to see the whole announcement, and to leave your opinions of RSBAC. Do you use it? If so, why?
It is good practice to use a different password for each Web site you need to log in to. Good passwords tend to be long and contain a wide selection of characters. That can make remembering all your passwords difficult. But you can make things easier on yourself by storing passwords for various Web sites in an encrypted file on your computer. I'll take a look at a four programs that give you easy access to your passwords when you need them and protect the password file itself against compromise. Do you use any software to manage your passwords? This article looks at four of the more popular ones and reviews them.
Port Knocking came about in around 2003, but it has various weaknesses. There are plenty of implentations though (some quite advanced). Most of the problems are fixed however by fwknop! fwknop stands for the