Ogadei / SecurityShop

Windows XP Contains Random Number Generator Security Bug

November 22, 2007

Microsoft officials confirmed late Tuesday that Windows XP contains a significant random number generator bug.

According to Computerworld:
"The researchers, Benny Pinkas from the University of Haifa and two Hebrew University graduate students, Zvi Gutterman and Leo Dorrendorf, reverse-engineered the algorithm used by Windows 2000's pseudo-random number generator (PRNG), then used that knowledge to pick apart the operating system's encryption. Attackers could exploit a weakness in the PRNG, said Pinkas and his colleagues, to predict encryption keys that would be created in the future as well as reveal the keys that had been generated in the past."

Guide to Identity Theft Prevention

October 17, 2006

YourCreditAdvisor just published an excellent guide to preventing identity theft from happening to you. The guide details which information can be given out freely, which information has medium sensitivity, and which information has high sensitivity. In addition there are many useful tips for preventing your personal information from falling into the wrong hands.

Review of Three Free Anti-Virus Software Packages for Windows

October 16, 2006

Softpedia has published a review of the three most popular free anti-virus software packages for Windows. They include Avira's AntiVir PersonalEdition Classic 7, Grisoft's AVG Free Edition 7, and Avast! Home Edition 4.7. The review features dozens of screenshots depicting all the functions of each software package.

Sony Music CDs Installing Rootkits

November 2, 2005

According to an investigative article at SysInternals.com, Sony music CDs using digital rights management (DRM) features contain a rootkit that installs silently in your Windows operating system when you play the CD on your computer. Rootkits hide themselves from software used to scan for viruses and spyware, and may be programmed to intercept keystrokes and other personal information on a user's PC.

OpenBSD 3.8 Released

November 1, 2005

Open source operating system OpenBSD 3.8 was released today. New features include improved hardware support, new tools for RAID and IPSec management, enhanced wireless capabilities, support for the UDF file system, enhanced ospfd and bgpd routing features, OpenSSH 4.2, and dozens of other security enhancements.

Indian Call Centers Implicated in ID Theft Crime Wave

June 23, 2005

An investigation by the UK newspaper The Sun has revealed that call center workers in India have been regularly selling bank customer account information to criminals engaged in ID theft. Companies engaged in offshore outsourcing of their customer support and IT infrastructure functions are now seeing the true cost of their outsourcing initiatives.

Information on 40 Million Credit Cards Stolen from Payment Processor

June 18, 2005

According to news sources, a hacker infiltrated the computers of CardSystems Solutions Inc., a third-party payment processor, and may have stolen up to 40 million credit card numbers. However, personal information, such as Social Security numbers and birthdays, was not included in the stolen data. The main risk from this incident is unauthorized charges, not identity theft.

New Features in Cisco PIX Firewall 7.0

June 15, 2005

Informit.com has published a concise article detailing the major new features of Cisco's PIX Firewall 7.0. These features include: improved packet inspection engines for stateless protocols; flexible HTTP security policies; improved management of instant messaging, peer-to-peer, and tunneling applications; deep packet inspection for FTP, ESMTP, and 3G mobile traffic; Protocol Independent Multicast (PIM) routing; firewall support for IPv6; transparent firewall mode; multiple context mode; new active-active and active-passive high availability modes; quality of service and priority queuing; use of access lists on inbound, outbound, or bi-directional traffic; modular policy framework; enhanced firewall management features; intrusion detection and protection using a database of attack signatures; new VPN functionality with stateful failover and many of the major features of the Cisco VPN 3000 concentrator; client-less WebVPN using SSL; and much more.

Securing Web Services With Mod_Security On Apache

June 10, 2005

ONLamp.com has published an article explaining how to use the mod_security module in Apache to secure web services at the WSDL and SOAP level, without having to modify the web services code itself. Because attacks against web services can lead to information theft and remote command execution, it is important to get the security right, and this is one way to do that.

Citigroup Loses Personal Information of 3.9 Million Customers

June 7, 2005

Citigroup has said that it lost a computer tape containing the personal information, including Social Security numbers, of 3.9 million customers of its CitiFinancial subsidiary. According to company representatives, the tape went missing as it was transported by UPS to a credit bureau. As in previous incidents involving companies like Bank of America, the data on the tape was not encrypted. You would think that these people would have learned by now.

Using OpenVPN to Secure Your Wireless Network

June 6, 2005

Informit.com has published a very interesting article explaining how to use the free open source OpenVPN package to help secure your wireless network. This is done by implementing a VPN connection between the wireless user and the host network using not just OpenVPN, but also OpenSSL and XCA for certificate management, thus providing high level authentication and strong encryption.

OpenBSD 3.7 Released

May 19, 2005

The OpenBSD project has released version 3.7 of OpenBSD, a free and highly secure open source operating system. New features in this release include support for Zaurus and SGI platforms, enhanced 64-bit CPU support, driver support for new hardware (especially networking and wireless cards), a new OSPFD service, improved TCP performance, kernel based PPPoE, enhanced NTPD and BGPD functionality, improved pf firewall functionality and performance, enhanced IPSEC functionality, support for OpenSSH 4.1 and X.Org 6.8.2, hundreds of bug fixes, and even stronger security. BSD DevCenter has published an interview with some of the OpenBSD 3.7 developers, who explain all the new features and improvements. NewsForge has also published a review of OpenBSD 3.7.

Check Point Releases NGX Unified Security Management Platform

May 16, 2005

Check Point Software Technologies is announcing NGX, a new unified management platform for its network perimeter, intrusion-detection and Web application security devices. The company is also releasing upgraded versions of its VPN-1 firewall and virtual private networking software.

Microsoft Developing Windows OneCare Service

May 15, 2005

Microsoft is getting ready to release a beta of its Windows OneCare service, which combines firewall, anti-spyware, anti-virus, backup and restore, file repair, hard drive cleanup, defragmentation, and PC tune-up features. The consumer service will compete with a number of security and utility vendors like Symantec. It is as yet unclear whether customers will trust Microsoft to perform these tasks, since the company is responsible for many of the security holes in Windows that caused these problems in the first place.

A Look at Security Oriented Live CDs

May 11, 2005

A number of free open source security related Live CDs are available for the security administrator looking to further secure their network. An article over at SecurityFocus looks at some of these. They include Knoppix-STD, Auditor, Helix, INSERT, and Whoppix. Each is oriented toward a different security related task such as security checking, incident response, forensics, system rescue, network analysis, or penetration testing. The really great thing about Live CDs is that you can play around with these tools without having to install anything or modify your systems in any way.

ACLs and Authentication in Mac OS X 10.4 Server

May 11, 2005

An article over at Datamation looks at several new administrative security features in Mac OS X 10.4 Server. The most important of these features are Access Control Lists (ACLs) and Access Control Entries (ACEs). Apple made their implementation of ACLs compatible with Windows ACLs and Active Directory. In addition, ACLs in Mac OS X Server can operate on files as well as system services such as AFP, SMB, Printing, and more. Mac OS X 10.4 Server also supports Kerberos and NTLMv2 two-directional authentication for Windows clients.

Mac OS X 10.4 Tiger Users Concerned About Malicious Widgets

May 10, 2005

It appears that users of Mac OS X 10.4 Tiger are concerned about how easily third-party widgets are distributed and installed in the new operating system. Clicking on a specific link is enough to get one installed. Many are wondering how long before malicious widgets appear, and asking Apple to make it more difficult to install widgets.

Snort IDS Technical Guide

May 6, 2005

SearchSecurity.com has published a technical guide to using the open source Snort intrusion detection system (IDS) software. Topics include an introduction to the software, how to identify ports, how to deal with switches and segments, where to place IDS sensors, how to modify and write custom Snort rules, how to define Snort configuration variables, how to automatically update Snort rules, and more.

VOIP May Be The Next Target For Hackers

May 6, 2005

According to the VOIP Security Alliance and a new government report, Voice over IP telephone services may be the next target for hackers and criminals. The major threat right now is denial of service, which prevents people from using their VOIP phones to make or receive calls. Caller ID spoofing with the aid of VOIP networks is already a vulnerability being used by criminals. Other attacks, such as monitoring of conversations, are also possible since VOIP providers do not encrypt their traffic.

Experts Say That Cell Phone Virus Threat is Overblown

May 5, 2005

According to experts who work with telecom providers, the problem of cell phone viruses is completely overblown. Statistics show that only .0036 percent of customer support requests had anything to do with cell phone viruses. You should probably read this article before handing over your credit card number to Symantec or Trend Micro for their "cell phone virus protection software".