August 11, 2008
Vista Security Issues not *that* Bad
Maybe the initial "all of Vista's security rendered useless" claim was sensationalist, so says OSNews in their Look at a New Vista Security Bypass.
Security - Posted by Arcterex at 02:03 PM
February 06, 2008
TrueCrypt 5.0 Released
TrueCrypt - Free Open-Source On-The-Fly Disk Encryption Software for Windows Vista/XP, Mac OS X and Linux just released version 5.0, including an OS/X version, a Linux graphical version, and lots of other goodies. Great work guys!
Security - Posted by Arcterex at 08:51 AM
January 10, 2008
Running an Open Wireless Access Point
Here's a Wired article by security guru Bruce Schneier entitled Steal This Wi-Fi
I can count five open wireless networks in coffee shops within a mile of my house, and any potential spammer is far more likely to sit in a warm room with a cup of coffee and a scone than in a cold car outside my house. And yes, if someone did commit a crime using my network the police might visit, but what better defense is there than the fact that I have an open wireless network? If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence.
My thoughts on this are twofold if I were to do this (and he has some good arguments on it): 1 - I'd want a 'no wireless' button so that anyone using my wireless is cut off when I'm playing games... nothing sucks like having a high ping for no reason all of a sudden and 2 - I'd probably want to DMZ the wireless so it is separated from the rest of my internal network. Having open wireless is very nice.... it annoys me if I'm wandering into some random building in downtown and want to check my email from my iPod and all the networks are encrypted and not using 'admin and password'. Of course, out in the boonies where I live I doubt there'd be a whole lot of "walk in" traffic as it were :)
Security - Posted by Arcterex at 02:06 PM
October 11, 2007
P2P-ers: Use a Blocklist
Nice article on Ars Technica saying how you should use a blocklist or you will be tracked... 100% of the time if you're on P2P networks.
If you don't use a blocklist, you will be tracked. Every one of the researchers' test clients that did not use a blocklist soon connected to an IP address found within those lists. It turns out that 12 to 17 percent of all IP addresses on the network belonged to these blocklisted ranges.
I'd never advocate piracy or copyright infringement, but if you are one of those evil pirates, an interesting read which will make you shut down your torrent client until you install a blocklist of some sort. The only ones I really know of are:
Anyone know of different/better ones they want to share?
Security - Posted by Arcterex at 08:11 AM
July 15, 2007
Windows Lock/Unlock Via Webcam
Chris Pirillo pointed out some software from BananaSecurity which uses a webcam to recognize your face, lock your computer when you're not there, and unlock it only when it recognizes your face again. Obviously there are some questions about this, like what if I'm wearing a hat, what if it's darker/lighter, how secure is the lock it puts on your computer, and what if I want to use the webcam? Course, it still interests me greatly as the laptop that work got for me has a built-in webcam on it...
Security, Software - Posted by Arcterex at 10:12 AM
June 12, 2007
Safari on Windows 0 Day Exploit
If you're one of the fine folks who downloaded the Safari public beta be careful, there is a 0 day exploit out already. Don't think this is in the wild, but definitely potentially dangerous due to bad handling of URI protocols. Hmm... page seems to be dead....
Security - Posted by Arcterex at 09:43 AM
June 05, 2007
GMail PGP/GPG Encryption
Here's a cool little extension for Firefox that allows you to Encrypt and sign Gmail messages with FireGPG.
Security - Posted by Arcterex at 09:12 PM
May 29, 2007
Complete Firewall on a USB Key
Now this is supercool! Via slashdot (discussion) comes a Windows firewall squeezes on a USB key. The "windows" part of it is a bit of a misnomer though, it's actually a firewall running Linux as the core and a bunch of security applications on top of it, but currently it only works when plugged into a Windows host.
It sounds like the system grabs network traffic as it comes into the Windows host, does the happy-happy firewalling stuff, then passes things back to the host. Linux and Mac drivers are planned.
Check the screenshots midway through the article too, very sexy graphs!
Hmm.... firewall on a small host, I wonder where I've heard of those before? :) If anyone remembers the cool project the dot-com I was part of that created the firecard, we did something similar, or at least, kinda similar. At the time we used RJ45 jacks (like Yoggie Systems' previous version) and we were on a PCI card instead of a USB key. OK, maybe not that similar then....
Security - Posted by Arcterex at 03:38 PM
April 03, 2007
GPG In GMail
FireGPG is an easy way to use GPG in GMail.
Security - Posted by Arcterex at 08:38 AM
March 26, 2007
Wireless Security Myths
George Ou posts about Wireless LAN security myths that won’t die. A nice breakdown of what'll get you the most bang for the buck.
Security - Posted by Arcterex at 01:23 PM
March 21, 2007
New TrueCrypt Released
Slashdot announced that TrueCrypt 4.3 was released. Fun new features are 32/64 bit Vista support, ability to load it onto mp3 players, and auto-dismount in addition to the fun stuff like hidden volumes, plausible deniability, "traveler mode", and other fun stuff. Check it out at http://www.truecrypt.org/
Security - Posted by Arcterex at 10:16 AM
March 20, 2007
BitLocker vs FileVault OS Disk Encryption
Lifehacker takes on a comparison of two of the major disk encryption systems available and puts them in a bloodthirsty cage match. OK, maybe not quite.... however, the OS Encryption Showdown: Vista's BitLocker vs. Mac's FileVault is a good primer as to what's available and the up and downsides. Read the article to see who wins!
I'm disappointed that Linux doesn't have an offering here. Actually, I'm disappointed Linux doesn't have a user friendly offering here. Linux has had disk encryption for a while now, it just hasn't had the friendly frontend that OS/X and Vista have put on it, and instead makes the user resort to typing in cryptic commands like dd and cryptsetup and dealing with terms like 'loop-AES' and 'LUKS'.
Security - Posted by Arcterex at 10:06 AM
February 13, 2007
OS Security Feature Matrix
Speaking of Vista, here's a link to an OS Security Features Chart over on Matasano Chargen's blog. Interesting, though I wonder how targeted this was at Vista. I'd like to see something similar for Linux (ie: grsec, selinux, and friends).
Security - Posted by Arcterex at 04:42 PM
February 11, 2007
Security / Anarchy Download of the Day: DemocraKey
Found this one on LifeHacker.... a nifty portable app for your iPod (works fine on a USB key though) called DemocraKey.
Imagine carrying a portable security suite with you wherever you go. Walk up to any computer, quickly scan it for viruses, and then defeat any internet access blocks to view any website you want anonymously. It’s here, and the DemocraKey 2.0 Lite let’s you have it on your iPod.
You can use it either to access the freedoms and justices you deserve from inside a repressive state, or surf porn from school, whichever one floats your boat :)
Security, Software - Posted by Arcterex at 03:55 PM
January 25, 2007
The Perfect Password?
Another forgetfoo post is a link to Neomeme on Generating the Perfect Password. How about "ppearsfweocrtd" ?
Definitely an interesting idea, and anything that encourages users to have better passwords and better security makes everyone happier!
Security - Posted by Arcterex at 03:58 PM
January 22, 2007
Quick and Painless VPN Setup
Darren pointed me to an article on Lifehacker on setting up Hamachi, what looks like a nice and quick VPN tool. Not exactly the industry strength stuff you would want to connect your satellite offices (for that you'd probably go openvpn or freeswan), but for getting into friends' machines for maintenance, or a quick and dirty connection to surf pr0n from home from work it sounds like the way to go. Win/Linux/Mac as well which is nice.
Security - Posted by Arcterex at 01:31 PM
December 03, 2006
Encrypted Devices Under Linux HOWTO
Found a good tutorial on how to Encrypt devices using dm-crypt and LUKS.
Linux, Security - Posted by Arcterex at 06:27 PM
June 01, 2006
Hard Drive Encrypting Virus Cracked
If you've been hit by the ugly virus that encrypts all the files on your hard drives and then extorts you for cash, you're lucky. The article states that the virus has been cracked and that the password you need is: "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw".
Fun times :)
Security - Posted by Arcterex at 03:15 PM
Calling all Windows Security Experts... Firewall Dashboard 1.1 Now Available
I know I rag on Microsoft, and Windows security, but at least there are those out there doing something about it. My ex-boss, ex-coworker and good friend Dana has just released version 1.1 of Firewall Dashboard. New features include:
- Import/export of config for deployment to multiple machines
- A new plugin to aid in remote monitoring for managed service providers
- New reports and the usual array of bugfixes and tweaks
For those of you who don't know what Firewall Dashboard is, it's a firewall log report creation tool for Windows firewalls. Probably pictures speak louder than words, so just hit the screenshots.
February 20, 2006
Denyhosts Tutorial
HowtoForge has a nice tutorial on Preventing SSH Dictionary Attacks With DenyHosts. This is the program I installed last week on UFies and it seems to be working just fine. So far I have 37 IPs blocked, and my SSH attempts are down to under 100 from over 20,000 per day :)
Security - Posted by Arcterex at 10:39 AM
October 24, 2005
Test mod_security
Just installed mod_security in anticipation of using it on UFies, please let me know if you see anything weird.
Security - Posted by Arcterex at 06:26 PM
July 28, 2005
Worried About New Windows Activation Checks? Don't Be.
Recently MS has said they are going to start checking for piracy when doing a Windows update. Worried? Don't be, the system was cracked in 24 hours using a simple line of JavaScript. Maybe all that integration of IE is a good thing!
Security - Posted by Arcterex at 10:25 AM
February 08, 2005
Spam Blocking with Postfix
Kasia points to how to block spammers with Postfix HELO controls. Going to see if this'll work on UFies.....
Update ... ok, implemented more strict helo rules for the site... ie: you can't use 'helo ufies.org' when connecting to my mailserver unless you're legitimately ufies.org. Here's hoping...
Security - Posted by Arcterex at 09:26 AM
January 26, 2005
Movable Type Exploit Fixed
A Movable Type Vulnerability has been patched with the latest version. Everyone who has a blog on ufies please make sure you upgrade ASAP (there is also an upgrade in the form of a plugin for ease of update).
Security - Posted by Arcterex at 03:47 PM
January 17, 2005
Debian Updates Gallery For Security Issue
Thanks to Dana for pointing out Debian just today released an update for this Gallery security hole.
For the stable distribution (woody) these problems have been fixed in version 1.2.5-8woody3.
For the unstable distribution (sid) these problems have been fixed in version 1.4.4-pl4-1.
We recommend that you upgrade your gallery package.
I'd assume all y'all have already updated this, but if you're in Debian, make sure you do your apt-get updates early and often!
Security - Posted by Arcterex at 09:12 AM
January 02, 2005
Adaptive Firewalls with Snort and SnortSam
I was browsing around some stuff for setting up Snort on my network and came across a link to SnortSam, which lets you modify your firewall based on Snort IDS rules. I'm thinking this will go a long ways towards setting up a way to kill off some of the comment spammers. IE: set up a rule that will detect if someone tries to hit mt-comments from the same IP more than say, once per second and then block them for an hour (or send a pingflood back to them, with a big "screw you spamming asshole" written on the nose, whichever you prefer :)
Security - Posted by Arcterex at 10:57 AM
December 21, 2004
New MovableType Release Addresses Spam Load Issues
The new Movable Type 3.14 apparently addresses the load issues that have come up from comment spammers attacking the system and driving up the load on the server. I've blogged about the problems I've had with this. So subtle hint to all of you guys with MT3 on the UFies.org server, please upgrade :)
Security - Posted by Arcterex at 12:05 PM
December 06, 2004
Secure Password Creation
Neat tip to one of the Red Hat lists on creating secure passwords using a tool called mnencode.
Security - Posted by Arcterex at 08:21 PM
October 22, 2004
More Linux vs Windows Security
The Reg has a long Windows vs Linux report. Linked from /. (discussion), and it seems to take into account things like damage potential, ease of exploitation, size of deployment, busting some myths, etc. I haven't had a chance to read the entire thing yet, but while the Reg isn't the biggest MS fan in the world, I trust their reporting a bit more than Microsoft's "facts" somehow. But hey, I'm biased as well.
I guess the problem is that no matter who does the reporting and comparing they'll have some link to something, or someone will dig up that sometime around 1992 someone in the organization mentioned that "this microsoft thing is kinda cool" and therefore is biased, or they have a Linux server so they can't possibly report fairly.
It's also the right tool as Dana is constantly saying, but there are definitely crossovers in between Linux and Windows as far as the tools that are available for both. Anyway, recommended reading of course, and the /. discussion I'm sure will be full of intelligent and calm discussion :)
Security - Posted by Arcterex at 11:37 AM
BSD IDS
There is a new Intrusion Detection System for FreeBSD. The thesis is available. From the email to the IDS list:
The IDS system is designed as a kernel module for FreeBSD 5.2. It is inspired by the SpamAssassin program, which detects spam by applying a set of tests to every email message and counting a sum of point score generated by each test. My IDS system applies a set of tests to every running process in the OS and counts its score generated by the tests. Therefore, the purpose of the IDS is not to monitor the network traffic, but rather to monitor the process activity.
Security - Posted by Arcterex at 09:28 AM
October 12, 2004
MS Users Start Your Upgrades!
As seen on slashdot, it looks like a whack of new updates for Windows have been posted to the Microsoft technet update page. Included in the goodness are Shell, NNTP, SMTP, Zip, and a few others. Doesn't look like it's on Windows Update yet, but you can download the hotfixes from the linked page. Not all these affect all versions, and in a couple of cases it looks like you're safe if you are running XP SP2, but not all.
Security - Posted by Arcterex at 04:39 PM
July 13, 2004
Snort, MySQL Acid Guide for Gentoo
Link for self: Complete guide to Snort, MySQL, and Acid on Gentoo from the forums.
Security - Posted by Arcterex at 12:30 PM
July 08, 2004
Microsoft only Half Patches (again)
Shocking as it may seem, apparently the patch released by Microsoft a few days ago to patch a serious hole in Internet Explorer only addressed the immediate problem, and left users open to another closely related security hole. Full story here. Isn't this the same thing that happened with WinNuke back in the day?
Maybe this is the sort of thing that they need to NOT do to increase shareholder value.
Security - Posted by Arcterex at 12:15 PM
June 16, 2004
Retractable Email
Big String is an email service which claims that it lets you recall, erase, and time out email. I'm interested in how they claim to do this (or how they plan to reach into my /home/alan/Mail/inbox spool file and delete chunks of data). Sadly the "Free trial" requires a credit card number. Anyone have any experience with this, or know someone with this service?
Ah, they link to a server that stops serving the images/files after you decide. Stupid and lame, figured so.
Security - Posted by Arcterex at 05:01 PM
June 04, 2004
Gallery Users Time to Upgrade
Gallery users will want to upgrade to the latest version ASAP. Apparently there's a new exploit that's out or almost out that I was alerted to, and people oughta get their systems up to date.
Security - Posted by Arcterex at 03:09 PM
May 30, 2004
Another Comment Spam Killing Solution
While MT-Bayesian isn't perfect, it could have some advantages over mt-blacklist. For those of us who were caught over the weekend by the comment spam zombies and had to (in my case) clean 1200+ comments out, this might be something worth looking at. If you are running mt-blacklist don't forget to upgrade to the latest version and to import the master blacklist file.
Security - Posted by Arcterex at 10:33 AM
May 19, 2004
Google takes a stand on spyware....
Google's software principles basically say "don't screw over the customer". This isn't going to stop spyware bastards from doing their dirty work, but it is nice to see that someone is thinking of trying to start a trend towards making your computing experience safe.
These guidelines are, by necessity, broad. Software creation and distribution are complex and the technology is continuously evolving. As a result, some useful applications may not comply entirely with these principles and some deceptive practices may not be addressed here. This document is only a start, and focuses on the areas of Internet software and advertising. These guidelines need to be continually updated to keep pace with ever-changing technology.
Read it all here. Via Scripting.com.
Security, Software - Posted by Arcterex at 01:20 PM
May 12, 2004
Some OS Myths Debunked
There's a good series of articles over at OSNews.com on Common OS Myths Debunked. Not all Linux friendly and not all Windows friendly. I don't agree with all of the writer's opinions, but so far it seems to be pretty brutally honest. For example, when talking about the "myth" that Windows is bad for the server the author says (after agreeing that the myth isn't a myth at all):
s more effectively, than on a Linux system where the web server is running "far removed from the OS." I am no security expert but if you tried to sell your web server to the Linux community on the basis that it "works in kernel space instead of user space!" you would be laughed out of the room, and possibly the state.
It's a good read, both to take stock of your own misconceptions as well as to get some ammo when talking to people who insist that "X is better than Y for Z".
Security - Posted by Arcterex at 11:24 AM
April 06, 2004
Statement of GNU/Linux Security
Debian, RedHat, Mandrake, SUSE and Mandrake have released a Joint Statement about GNU/Linux Security in response to a report on Linux security. Basically it points to flaws in the original report's methodology (considering every vulnerability as having the same danger), and says that closer investigation of the report's conclusions should be conducted.
This has always been one of the problems with examining security between Windows and Linux (or any different OS)... high profile or low profile, root exploits, local, remote, etc all come into play, and you rarely see a comparison where all these factors are taken into account.
My way of looking at it is how comfortable would I be putting a box of either type connected directly to the internet without a (separate) firewall? Hint. Not Windows :)
Security - Posted by Arcterex at 03:18 PM
March 12, 2004
Blocking Mail Liars
Good thread on the postfix-user email list on How to ban spam pretending to be from my domain. Some good configuration options for the postfix users out there.
Security - Posted by Arcterex at 10:05 AM
February 27, 2004
SCO and Darl - What Drugs are They On?
In an open letter, Darl McBride determines that the GPL and open source software is, among other things, a threat to US security. Evil doubleplus bad people in other countries can obtain "their" intellectual property for free over the internet (even from countries they as good wholesome apple pie eating Americans would never sell to) and use the technology to build a virtual supercomputer in short order. This supercomputer would no doubt be used to create more weapons of mass destruction, without giving SCO their just desserts, and kill puppies.
I'm convinced that you have to be on some really good drugs to reach these conclusions.
Security - Posted by Arcterex at 09:33 AM
February 25, 2004
Log Watching
In the "to do later on when I have time" category comes the Central Loghost Mini-HOWTO with some good info for syslog-ng, swatch, and the like. Also here is the Gentoo security guide which is another good resource.
Security - Posted by Arcterex at 11:48 AM
February 16, 2004
Spyware Oh My
If you ever needed more of a reason not to run IE and Outlook, this is it.
Security - Posted by Arcterex at 07:47 AM
February 08, 2004
Postfix MyDoom Fixes
There is someone's body_checks file available for Postfix users to help squash the MyDoom virus (thanks again Microsoft!). You can put this into your Postfix setup by adding the following line to main.cf:
body_checks = regexp:/etc/postfix/body_checks
with the body_checks file being something like what is posted in the link. In theory it should work :)
Anyone know of a good integrated virus checker for Postfix like qmail has?
I've added some body_checks onto the ufies.org mail system and it's catching stuff already, which is good. If you're losing mail let me know though :)
Some good procmail magic is also available here.
Security - Posted by Arcterex at 02:53 PM
January 28, 2004
Spamassassin Rules of the Day
Lately I've been seeing Spamassassin's accuracy go down and down and down. A message on the gentoo-user list pointed me to the Spamassassin Wiki and in particular the Rules Du Jour page. Basically new rules to help deal with the constantly changing battlefield of fighting spammers that you can download whenever suits you (or via a handy cron entry) and in theory SA's accuracy will go up.
Security - Posted by Arcterex at 08:54 AM
January 20, 2004
Better Spam Fighting?
The CRM114 Discriminator - The Controllable Regex Mutilator - better than Spam Assassin? Anyone using this? Via random($foo).
Security - Posted by Arcterex at 10:59 AM
December 02, 2003
Buy Security From Microsoft
Dana's security blog has a pointer to an article which notes that Readers Wouldn't Buy Security Products From Microsoft. I'm in total agreement. Lots of interesting comments on this one, with many good points. As I noted elsewhere, Microsoft can't write a word processor that isn't vulnerable to attacks and viruses, why should people trust them to write security software. They write user friendly OSs and decent applications, but much as they'd love to sell you otherwise (and I'm sure they will be telling people how wonderful a security company they are as much as they are starting to hype Longhorn), they should stay out of the security market.
Sadly, they probably won't, and will go in with all their resources, marketing, bloggers and programmers and probably squeeze some of the security vendors out of the market (ie: zonealarm) as they try to sell us on the "no, you can trust us this time" marketing hype that's no doubt coming.
As Dana noted they have a chance with Longhorn to prove they can create a secure OS. It'll be here in 2006 (or later), so you can see that as either a huge opportunity for security products and/or alternative OSs to jump in, or sad because the people that are being hit by viruses and worms aren't the sort of people that do anything to their OS from the time they buy their new computer (ie: the stereotypical mom, dad, granny and grampa).
Security - Posted by Arcterex at 09:46 AM
November 27, 2003
Bug In MS Exchange 2003
Anyone running an Exchange server might want to take note of its latest flaw. "[...] a person can gain unauthorized access to another users account."
What makes this even funnier to me is that not that long ago I read someone comment on a blog somewhere (might have been on scoble) saying that Exchange was "invaluable" to them. People run Exchange on purpose? Why? Anyway, I resisted responding at the time. Guess this is a good response though :)
Security - Posted by Arcterex at 04:26 PM
October 31, 2003
3D NMap
Very cool.... Scanmap3D is a Java program that displays nmap information in a 3d format. The screenshots look pretty nifty. Also check out nmap3d which is, I assume, a similar program (though no screenshots so I can't assert its niftiness).
Security - Posted by Arcterex at 11:50 AM
May 21, 2003
Virus Myths
Good article on Windows, IIS and Exchange myths from SecurityFocus. Thanks to Bear (http://members.shaw.ca/barrygray/).
Security - Posted by Arcterex at 12:28 PM
May 12, 2003
Top 75 Security Tools
The top list of 75 Favorite Security Tools. Good stuff.
Security - Posted by Arcterex at 09:59 AM
April 23, 2003
New Outlook Worm
Apparently there is a new Outlook worm going around that is exploiting SARS fears. Standard rules apply, don't open .exe files in your mail.
Ever.
Security - Posted by Arcterex at 10:58 AM
January 17, 2003
Analysis of a Compromised Honeypot
Fascinating article entitled Analysis of a Compromised Honeypot, which gives an interesting look into how script kiddies and crackers think and operate. Via the honeypots mailing list.
Security - Posted by Arcterex at 02:32 PM
December 15, 2002
Mitnick's Missing Chapter
Mitnick's 'Lost Chapter' Found is a Wired story about how Kevin Mitnick's book, The Art of Deception, had its first chapter (detailing his early life and some issues he has with Markoff's famous NYT front page story) pulled at the last minute. Seems that the chapter made it to the internet, and it is quite a good read. I wouldn't mind picking the book up either.
Security - Posted by Arcterex at 11:49 AM
November 19, 2002
IE Exploit
One more reason not to surf with IE.
Security - Posted by Arcterex at 05:17 PM
October 29, 2002
E-Card Trojans
This SecurityFocus story shows one more reason why you should use a browser that is non-ActiveX. There's a nice (and authentic-looking) trojan that poses as an e-card greeting requiring you to install a greeting card plugin that feeds porn ads to you.
The e-card porn Trojan is the latest advancement in an industry known for pushing the envelope.
Security - Posted by Arcterex at 01:50 PM