Looks like there is a bug in SpamAssassin's check for dates "grossly in the future", which, among other things, treats 2010 as grossly in the future, so legitimate mail from now on picks up extra spam points. The details are here. I've updated the ruleset on UFies.org, but please check your spam boxes if you use SA for your spam checking.
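As an added example (not code from the post, and not SpamAssassin's own code), here is why a year-matching regex is the wrong way to decide that a Date: header is "grossly in the future", next to a check that compares the parsed date with a clock. The shape of the broken rule is reconstructed from memory as an assumption: a regex on the year that matched 20[1-9][0-9], which was a fine "future" test right up until the calendar hit 2010. The sample headers and the fixed clock value are constructed for the demo.

```python
"""Buggy year-regex "future date" check versus a real comparison.

The regex below is an assumption about the shape of the broken rule, not
the actual SpamAssassin source. The headers and CLOCK are constructed.
"""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Reconstructed shape of the broken check (assumption, see lead-in).
FUTURE_YEAR_RE = re.compile(r"20[1-9][0-9]")


def buggy_date_in_future(date_header: str) -> bool:
    """Flags every year 2010-2099 as 'grossly in the future', forever."""
    return FUTURE_YEAR_RE.search(date_header) is not None


def date_in_future(date_header: str, now: datetime,
                   tolerance: timedelta = timedelta(hours=24)) -> bool:
    """True only if the header is more than `tolerance` ahead of `now`.

    Unparseable dates return False here; a spam filter would normally score
    a missing or malformed Date: header with a separate rule.
    """
    try:
        sent = parsedate_to_datetime(date_header)
    except (TypeError, ValueError):
        return False
    if sent.tzinfo is None:          # a "-0000" zone parses as naive; treat as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return sent - now > tolerance


# Constructed headers and clock for the demo.
LEGIT_2010 = "Thu, 07 Jan 2010 09:15:00 -0800"
GROSSLY_FUTURE = "Fri, 07 Jan 2011 09:15:00 -0800"
CLOCK = datetime(2010, 1, 7, 18, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, hdr in (("legit 2010", LEGIT_2010), ("next year", GROSSLY_FUTURE)):
        print(f"{label:11} buggy={buggy_date_in_future(hdr)!s:5} "
              f"fixed={date_in_future(hdr, CLOCK)}")
```

The fixed check takes the clock as a parameter rather than calling datetime.now() so the rule can be unit-tested against a frozen date, which is exactly the test the original rule never had.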
Found out on TWIT this week that Audible.com is having a thanksgiving giveaway of a free audiobook (no credit card required, but an account is needed) and the selection is pretty good, not just crap ones. Hey, free is free!
Given that the new jailbroken-iPhone worm is malicious, it's another reminder to people with jailbroken phones: if you can ssh into the phone as root with the password 'alpine', you really want to change that password, because everyone already knows it. Change it for the 'mobile' account too, which ships with the same default.
Davey Winder says that 80 percent of viruses love Windows 7, and that a Windows 7 machine without AV software on it gobbled up viruses like a fat kid gobbles up candy on Halloween. Now this was a bit of an unfair test, not installing AV software, but still, the "we're making Windows more secure" mantra has been going at MS for a while now; you'd think that this would be better.
As a note, here is the article that RoundTop mentioned.
If you received an email with content similar to the below:
On October 22, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole. For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.

http://updates.ufies.org.secure.digi1adm.org/ssl/id=70140097714-[youremail]@ufies.org-patch[somenumber].exe
Thank you in advance for your attention to this matter and sorry for possible inconveniences.
System Administrator
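As an added example (not part of the original post), here is the check a mail filter or a suspicious reader would run on the link in that mail: pull the hostname out of the URL, work out which domain actually owns it, and notice that "ufies.org" only appears as a subdomain label of digi1adm.org and that the download is an .exe. It goes slightly beyond the mail above by also handling the http://ufies.org@evil.example/ userinfo trick. Assumptions: no public-suffix list is available, so the registrable domain is approximated as the last two labels (fine for .org/.com, wrong for suffixes such as .co.uk), and the two redacted placeholders are filled with obviously fake values.

```python
"""Analyse a phishing link: who really owns the hostname, and is it an executable?

Added example, not from the original post. The sample URL is the one from
the mail with its redacted placeholders filled with fake values.
"""
from urllib.parse import urlsplit

# Constructed input: the URL from the mail with fake placeholder values.
SAMPLE_URL = ("http://updates.ufies.org.secure.digi1adm.org/ssl/"
              "id=70140097714-someone@ufies.org-patch12345.exe")

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def registrable_domain(hostname: str) -> str:
    """Last two DNS labels, e.g. 'digi1adm.org'.

    Assumption: one-label TLDs only; a real filter would consult the
    public suffix list so that 'evil.co.uk' is not reduced to 'co.uk'.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_link(url: str, expected_domain: str) -> dict:
    """Return the findings a filter or a human would want for this link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    real_domain = registrable_domain(host)
    findings = {
        "hostname": host,
        "registrable_domain": real_domain,
        # Checked on the whole netloc so 'ufies.org@evil' is caught too.
        "mentions_expected_domain": expected_domain in parts.netloc.lower(),
        "is_expected_domain": real_domain == expected_domain,
        "path_is_executable": parts.path.lower().endswith(EXECUTABLE_SUFFIXES),
        "scheme": parts.scheme,
    }
    # Name-dropping the real domain without being it is the classic tell;
    # a direct link to an executable is a second, independent one.
    findings["suspicious"] = (
        findings["mentions_expected_domain"] and not findings["is_expected_domain"]
    ) or findings["path_is_executable"]
    return findings


if __name__ == "__main__":
    for key, value in analyse_link(SAMPLE_URL, "ufies.org").items():
        print(f"{key:26} {value}")
```

The "mentions the domain but isn't the domain" test is the one worth keeping: a link that never claims to be you is just a link, but one that dresses up as your hostname and resolves somewhere else is a phish by construction.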
Another Lifehacker note is that AVG 9 Free Now Ready for Download. Though for the first time in years I'm not using AVG and am testing the new Microsoft suite. No word if this AVG release removes some of the annoying "you know you want the non-free version... come on...." popups when using the app.
I haven't seen much confirmation of this, but I'd be a hypocrite if I didn't point to a story where <screaming alarm voice>a major bug in Snow Leopard deletes all user data</screaming alarm voice>. It appears to be centered around the guest account: logging into it, then back into your own account, deletes all your data (if it's true, Steve Jobs deserves a spanking, cause that's bad), but it might also depend on how you got to Snow Leopard, upgrade vs. fresh install or something. Read the article and watch for news about this, and maybe stop using the guest account until this is all worked out. And maybe switch back to a PC for a bit too....
According to Lifehacker, 10,000 Hotmail Passwords were Leaked Online. Time to a) change your password and b) check the site to see if yours is listed there.
Hey, what happened to one-way hashes? Isn't that the way you're supposed to do passwords?
A sneaky inside source in the Microsoft world pointed me to uhm... well, already public information about Microsoft Security Essentials, which will be available to the public tomorrow, free of charge. MSE is Microsoft's integrated anti-malware, anti-virus solution, which I'm sure that McAfee, Symantec and friends are going to be happy with.
The original version was open to only 75,000 users, but if you knew where to look *cough*softpedia*cough* you could still find the download on the Microsoft site. Now they have announced that it is generally available. No fees, no registration, no renewals, no nothing. OMFG, have they done this right? One might argue they should have done it sooner, shouldn't have done it at all, should just fixtheirdamnOSdammit, and the like, but a couple of people I respect greatly in the security space (including Steve Gibson of the Security Now! podcast) have given it a thumbs up, and if you know how paranoid Steve Gibson is, that's quite the endorsement (though the fact that he only recently upgraded from Windows 2000 to XP might take away some credibility :) ).
I've got this installed on my new Windows 7 install instead of AVG for the first time in years, and so far I can say it hasn't gotten in the way, has warned me of a couple of infected keyge... uhmm... files, and hasn't appeared to suck up too many system resources. I'm giving it a cautious "works for me" so far.
Anyway, Microsoft Security Essentials is out, free, and available for download now. Guess the next step is to wait for the reviews to come out and see what the other experts think of it.
Why you need balls of steel to operate a Tor exit node details some of the things that might happen if you run a Tor exit node. Now personally I'm glad that Tor exists and think that it is an essential part of society/internet/etc, even though some of its uses are completely unsavory. Still, after reading this I have to applaud the people who do take on the responsibility.
Saw via slashdot that there's a Windows Vista/7 SMB2.0 Remote B.S.O.D.
"Oops"
Looks like you can send malformed SMB headers at a fully patched Vista/Windows 7 server and "poof", BSOD. I haven't tested this of course, but something to be aware of, I'm sure a patch for this will be coming out RSN.
The saving grace is that SMB2 is probably not going to be a) exposed on a server connected directly to the net or b) allowed into a corporate LAN from the outside, since SMB (TCP port 445) should be blocked at the border. Still a danger though, from anything already on the LAN, or a laptop that wanders onto a hostile network...
Torrent Freak points out that the copy of The Pirate Bay that was posted has been brought to life, and is up and running over at btarena.org. Or at least I think it is. Hard to tell. Anyway, the 21G of torrents are up and going and alive and well out in the wild.
If you're a Digsby user, you may want to reconsider after reading this, where Lifehacker details some of what Digsby has done lately in terms of bundled crapware. Bummer.
Update: Digsby has posted a response.
Really interesting article over on Slashdot, Encryption? What Encryption?, discussing how having an encryption program that you can be forced to give up the keys to (or arrested for refusing to) automatically puts you under suspicion, because if you do have something like TrueCrypt installed then you must have something to hide. The author goes through the pros and cons of a few different approaches, and proposes some interesting ways for plausibly deniable encryption to become a little more mainstream and "normal", and therefore less of a red flag that you have evil anti-government subversive videos hidden on your hard drive.
Tom's Hardware scored an interview with the author of the iPhone SMS hack, where he explains what the issue was and how he exploited it.
Quick note that Mozilla has released Firefox 3.5.2, so if you don't see a "firefox has updated, restart now?" when you get into the office this morning, go to help -> check for updates to get yourself up to date and protected against a couple of security vulnerabilities.
Very interesting story about the raid and takedown of UWWWB by the FBI (I had never heard of them before this) from the point of view of the owner. An excerpt:
Here's what happened: March 12th, 2009, at about 5:AM in the morning, my home alarm system went off. I get up to see what’s going on, on maybe 3 hours of sleep, and my wife points out there are two people with flash lights in my back yard. Now, this may not be unusual for everyone, but I lived in a fairly nice home in Southlake Texas, the United States highest per-capita income city for 2008. A very nice community, virtually no crime, and excellent schools. That is to say, I did not live in a shack in the hood, this is nice suburbs, and not where the FBI usually does raids.
The sysadmin's best friend, nmap, just got a major version update. The Nmap 5.00 Release Notes have all the details.
I Started Something has video demonstration of a Windows 7 UAC code-injection vulnerability. Source code has been released as well.
Hopefully this will be fixed before the final release sometime in September. Hopefully no one will argue that being able to change UAC settings silently is anything other than a bad idea.
Slashdot notes that the venerable IT security tool L0phtCrack has released version 6. 64 bit support, better NTLM password hash handling, and support for rainbow tables are among the improvements.
Saw via Slashdot that Microsoft Update Quietly Installs Firefox Extension. Technically I'm sure it wasn't silent, and that somewhere buried in the small print it said it was going to do this, but still, that's no excuse. AVG does the same thing to show "safe links" in your Google results, and I have the same opinion: don't F-n do it. Or if you do, put it on a separate page of the install wizard, defaulting to no and showing clearly what you're doing. Like Sun does for the Google toolbar (or is it Yahoo now?) when they do a Java update. Well, without the default to no, that is.
So maybe all the Conficker hand-wringing wasn't an overreaction.... it seems, according to the twitters, that register.com's DNS servers are down due to a massive DoS attack.
So if your website is down (like our company's is) or you're wondering why half the internet is dark, this may be the reason :) Some people are reporting it's back, but with sporadic responses from their DNS servers.
We're into the Pirate Bay Trial Day 8 and things are progressing, but not hugely so. Some choice pickings from the entry on torrentfreak:
Kennedy said he qualified as a lawyer since the 70’s but hasn’t practiced recently. He was asked if he understood BitTorrent. Kennedy said he did, but in “very vague terms.” When the defense lawyers asked more detailed questions, about uTorrent for instance, Kennedy said he’d heard of it but had no idea of the details. It was very clear he knew nothing about any remotely technical issues.
If you want to see the real nightmare for the prosecution, check out what happened on day 7:
When asked if he had any network equipment logging exactly what was going on ‘behind the scenes’ of any of his sample downloads, he replied that he didn’t. When asked if he verified in any way during the download process that he had any contact with The Pirate Bay’s tracker, again the answer was negative.
[...]
Then, Nilsson came out to say that he was sure that a majority of the content on The Pirate Bay was copyrighted. However, he had no evidence that supports this claim. The defense lawyers pressed him on this and he had to cave in, “I have no documentation as to the claim that most material is copyrighted. It is just an opinion,” Nilsson said.
Maybe the initial "all of vista's security rendered useless" may have been sensationalist, so says OSNews in their Look at a New Vista Security Bypass.
TrueCrypt - Free Open-Source On-The-Fly Disk Encryption Software for Windows Vista/XP, Mac OS X and Linux just released version 5.0, including an OS/X version, a Linux graphical version, and lots of other goodies. Great work guys!
Here's a Wired article by security guru Bruce Schneier entitled Steal This Wi-Fi
I can count five open wireless networks in coffee shops within a mile of my house, and any potential spammer is far more likely to sit in a warm room with a cup of coffee and a scone than in a cold car outside my house. And yes, if someone did commit a crime using my network the police might visit, but what better defense is there than the fact that I have an open wireless network? If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence.
My thoughts on this are twofold if I were to do this (and he has some good arguments on it): 1 - I'd want a 'no wireless' button so that anyone using my wireless is cut off when I'm playing games... nothing sucks like having a high ping for no reason all of a sudden and 2 - I'd probably want to DMZ the wireless so it is separated from the rest of my internal network. Having open wireless is very nice.... it annoys me if I'm wandering into some random building in downtown and want to check my email from my iPod and all the networks are encrypted and not using 'admin and password'. Of course, out in the boonies where I live I doubt there'd be a whole lot of "walk in" traffic as it were :)
Nice article on ars technica saying how you should use a blocklist or you will be tracked... 100% of the time if you're on P2P networks.
If you don't use a blocklist, you will be tracked. Every one of the researchers' test clients that did not use a blocklist soon connected to an IP address found within those lists. It turns out that 12 to 17 percent of all IP addresses on the network belonged to these blocklisted ranges.
Chris Pirillo pointed out some software from BananaSecurity which uses a webcam to recognize your face, lock your computer when you're not there, and unlock it only when it recognizes your face again. Obviously there are some questions about this: what if I'm wearing a hat, what if it's darker/lighter, how secure is the lock it puts on your computer, and what if I want to use the webcam? Of course, it still interests me greatly, as the laptop work got for me has a built-in webcam...
If you're one of the fine folks who downloaded the Safari public beta be careful, there is a 0 day exploit out already. Don't think this is in the wild, but definitely potentially dangerous due to bad handling of URI protocols. Hmm... page seems to be dead....
Here's a cool little extension for firefox that allows you to Encrypt and sign Gmail messages with FireGPG.
Now this is supercool! Via Slashdot (discussion) comes a Windows firewall squeezed onto a USB key. The "Windows" part of it is a bit of a misnomer though: it's actually a firewall running Linux as the core and a bunch of security applications on top of it, but currently it only works when plugged into a Windows host.
It sounds like the system grabs network traffic as it comes into the windows host, does the happy-happy firewalling stuff, then passes things back to the host. Linux and Mac drivers are planned.
Check the screenshots midway through the article too, very sexy graphs!
Hmm.... firewall on a small host, I wonder where I've heard of those before? :) If anyone remembers the cool project the dot-com I was part of that created the firecard, we did something similar, or at least, kinda similar. At the time we used RJ45 jacks (like Yoggie Systems' previous version) and we were on a PCI card instead of a USB key. OK, maybe not that similar then....
George Ou posts about Wireless LAN security myths that won’t die. A nice breakdown of what'll get you the most bang for the buck.
Slashdot announced that TrueCrypt 4.3 was Released. Fun new features are 32/64 bit Vista support, ability to load it onto mp3 players, and auto-dismount in addition to the fun stuff like hidden volumes, plausible deniability, "traveler mode", and other fun stuff. Check it out at http://www.truecrypt.org/
Lifehacker takes on a comparison of two of the major disk encryption systems available and puts them in a bloodthirsty cage match. OK, maybe not quite.... however, the OS Encryption Showdown: Vista's BitLocker vs. Mac's FileVault is a good primer as to what's available and the up and downsides. Read the article to see who wins!
I'm disappointed that Linux doesn't have an offering here. Actually, I'm disappointed Linux doesn't have a user-friendly offering here. Linux has had disk encryption for a while now, it just hasn't had the friendly frontend that OS/X and Vista have put on it, and instead makes the user resort to typing cryptic commands like dd and cryptsetup and dealing with terms like 'loop-AES' and 'LUKS'.
Speaking of Vista, here's a link to a OS Security Features Chart over on Matasano Chargen's blog. Interesting, though I wonder how targeted this was at Vista. I'd like to see something similar for Linux (ie: grsec, selinux, and friends).
Found this one on LifeHacker.... a nifty portable app for your ipod (works fine on a USB key though) called DemocraKey.
Imagine carrying a portable security suite with you wherever you go. Walk up to any computer, quickly scan it for viruses, and then defeat any internet access blocks to view any website you want anonymously. It’s here, and the DemocraKey 2.0 Lite let’s you have it on your iPod.
Another forgetfoo post is a link to Neomeme on Generating the Perfect Password. How about "ppearsfweocrtd" ?
Definitely an interesting idea, and anything that encourages users to have better passwords and better security makes everyone happier!
Darren pointed me to an article on Lifehacker on setting up Hamachi, which looks like a nice and quick VPN tool. Not exactly the industrial-strength stuff you'd want to connect your satellite offices (for that you'd probably go OpenVPN or FreeS/WAN), but for getting into friends' machines for maintenance, or a quick and dirty connection to surf pr0n from home from work, it sounds like the way to go. Win/Linux/Mac as well, which is nice.
Found a good tutorial on how to Encrypt devices using dm-crypt and LUKS.
If you've been hit by the ugly virus that encrypts all the files on your hard drives and then extorts you for cash, you're lucky. The article states that the virus has been cracked and that the password you need is: "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw".
Fun times :)
I know I rag on Microsoft, and Windows security, but at least there are those out there doing something about it. My ex-boss, ex-coworker and good friend Dana has just released version 1.1 of Firewall Dashboard. New features include:
Update... OK, implemented stricter HELO rules for the site, i.e. you can't use 'helo ufies.org' when connecting to my mailserver unless you're legitimately ufies.org. (In Postfix terms that's a check_helo_access map in smtpd_helo_restrictions, with permit_mynetworks listed ahead of it so my own hosts don't get rejected.) Here's hoping...
For the stable distribution (woody) these problems have been fixed in version 1.2.5-8woody3.
For the unstable distribution (sid) these problems have been fixed in version 1.4.4-pl4-1.
We recommend that you upgrade your gallery package.
I'd assume all y'all have already updated this, but if you're on Debian, make sure you do your apt-get updates early and often!
I've blogged about the problems I've had with this. So subtle hint to all of you guys with MT3 on the UFies.org server, please upgrade :)
I guess the problem is that no matter who does the reporting and comparing they'll have some link to something, or someone will dig up that sometime around 1992 someone in the organization mentioned that "this Microsoft thing is kinda cool" and is therefore biased, or they have a Linux server so they can't possibly report fairly.
It's also about the right tool for the job, as Dana is constantly saying, but there are definitely crossovers between Linux and Windows as far as the tools that are available for both. Anyway, recommended reading of course, and the /. discussion I'm sure will be full of intelligent and calm discussion :)
The IDS system is designed as a kernel module for FreeBSD 5.2. It is inspired by the SpamAssassin program, which detects spam by applying a set of tests to every email message and counting a sum of point score generated by each test. My IDS system applies a set of tests to every running process in the OS and counts its score generated by the tests. Therefore, the purpose of the IDS is not to monitor the network traffic, but rather to monitor the process activity.
Maybe this is the sort of thing that they need to NOT do to increase shareholder value.
Ah, they link to a server that stops serving the images/files after you decide. Stupid and lame, figured so.
These guidelines are, by necessity, broad. Software creation and distribution are complex and the technology is continuously evolving. As a result, some useful applications may not comply entirely with these principles and some deceptive practices may not be addressed here. This document is only a start, and focuses on the areas of Internet software and advertising. These guidelines need to be continually updated to keep pace with ever-changing technology.
s more effectively, than on a Linux system where the web server is running "far removed from the OS." I am no security expert but if you tried to sell your web server to the Linux community on the basis that it "works in kernel space instead of user space!" you would be laughed out of the room, and possibly the state.

It's a good read, both to take stock of your own misconceptions as well as to get some ammo when talking to people who insist that "X is better than Y for Z".
This has always been one of the problems with examining security between Windows and Linux (or any two different OSs)... high profile or low profile, root exploits, local, remote, etc. all come into play, and you rarely see a comparison where all these factors are taken into account.
My way of looking at it is how comfortable would I be putting a box of either type connected directly to the internet without a (separate) firewall? Hint. Not windows :)
I'm convinced that you have to be on some really good drugs to reach these conclusions.
body_checks = regexp:/etc/postfix/body_checks

with the body_checks file being something like what is posted in the link. In theory it should work :)
Anyone know of a good integrated virus checker for postfix like qmail has?
I've added some body_checks to the ufies.org mail system and it's catching stuff already, which is good. If you're losing mail, let me know though :)
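Since body_checks patterns are easy to get subtly wrong (and "if you're losing mail let me know" is the usual way people find out), here is an added example, not code from the post or from Postfix, of a small evaluator that applies a body_checks-style table to message lines so patterns can be tried offline first. It mimics the semantics that matter: one rule per line in /pattern/ ACTION text form, case-insensitive matching by default (the 'i' flag toggles that off, per regexp_table(5)), each body line examined on its own, first matching rule wins, and DUNNO (which I treat the same as OK here) ending the search for that line without a verdict. The caveat it makes visible: body_checks sees the body as text lines, so a binary attachment shows up as base64, and attachment headers such as Content-Disposition name= are matched by mime_header_checks rather than body_checks in Postfix 2.x. The rule table and the three messages are constructed for the demo.

```python
"""Offline evaluator for a Postfix-style body_checks regexp table.

Added example, not from the original post or from Postfix. BODY_CHECKS and
the sample messages are constructed; flags other than 'i' are not supported.
"""
import base64
import re

# Constructed example table. Base64 of the bytes b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
# (the usual start of a Windows PE file) is "TVqQAAMAAAAEAAAA"; see base64_prefix().
BODY_CHECKS = r"""
# The usual pill spam, with the 1-for-i obfuscation
/\bv[i1]agra\b/                     REJECT Spam pattern 1
# Whitelist one legitimate phrase that the HOLD rule below would otherwise catch
/^cheap office chairs/              DUNNO
/cheap .* prices?/                  HOLD Review this one
# What a base64-encoded .exe attachment looks like from body_checks' point of view
/^TVqQAAMAAAAEAAAA/                 REJECT Windows executable (MZ header) in base64
"""

RULE_RE = re.compile(
    r"^/(?P<pat>(?:\\/|[^/])*)/(?P<flags>[a-z]*)\s+(?P<action>[A-Z]+)(?:\s+(?P<text>.*))?$"
)


def base64_prefix(data: bytes) -> str:
    """Base64 of an attachment prefix, i.e. what body_checks actually sees."""
    return base64.b64encode(data).decode("ascii")


def parse_table(text: str):
    """Return [(compiled_regex, ACTION, text)] in table order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        case_sensitive = "i" in m["flags"]      # 'i' toggles the default case folding off
        regex = re.compile(m["pat"].replace(r"\/", "/"),
                           0 if case_sensitive else re.IGNORECASE)
        rules.append((regex, m["action"], m["text"] or ""))
    return rules


def check_line(rules, line: str):
    """First matching rule decides; DUNNO/OK stop the search with no verdict."""
    for regex, action, text in rules:
        if regex.search(line):
            if action in ("DUNNO", "OK"):
                return None
            return action, text
    return None


def check_body(rules, body_lines):
    """Each line is checked independently; the first verdict decides the message."""
    for lineno, line in enumerate(body_lines, 1):
        verdict = check_line(rules, line)
        if verdict is not None:
            return verdict[0], verdict[1], lineno
    return "DUNNO", "", 0


# Constructed sample messages (body lines only; MIME headers are not body lines).
SPAM = ["Hello friend,", "Buy V1AGRA online, cheap cheap prices!!!", "bye"]
LEGIT = ["Hi all,", "Cheap office chairs, great prices at the usual supplier.", "Thanks"]
ATTACHMENT = ["Please find the invoice attached.", "",
              "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"]

if __name__ == "__main__":
    table = parse_table(BODY_CHECKS)
    for name, msg in (("spam", SPAM), ("legit", LEGIT), ("attachment", ATTACHMENT)):
        print(f"{name:10} -> {check_body(table, msg)}")
```

The order of the DUNNO and HOLD rules is the whole point of the LEGIT case: swap them and the office-supplies mail sits in the hold queue. Testing a table this way before copying it into /etc/postfix/body_checks is cheaper than fishing mail back out of the hold queue later.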
Some good procmail magic is also available here.
Sadly, they probably won't, and will go in with all their resources, marketing, bloggers and programmers and probably squeeze some of the security vendors out of the market (ie: ZoneAlarm) as they try to sell us on the "no, you can trust us this time" marketing hype that's no doubt coming.
As Dana noted they have a chance with Longhorn to prove they can create a secure OS. It'll be here in 2006 (or later), so you can see that as either a huge opportunity for security products and/or alternative OSs to jump in, or sad because the people that are being hit by viruses and worms aren't the sort of people that do anything to their OS from the time they buy their new computer (ie: the stereotypical mom, dad, granny and grampa).
What makes this even funnier to me is that not that long ago I read someone comment on a blog somewhere (might have been on scoble) saying that exchange was "invaluable" to them. People run exchange on purpose? Why? Anyway, I resisted responding at the time. Guess this is a good response though :)
The e-card porn Trojan is the latest advancement in an industry known for pushing the envelope.