Once thought to be unhackable, the Android phone is anything but, according to researchers presenting at Black Hat 2010.
Adobe Systems and Microsoft are now working together to give security companies a direct line into their bug-fixing efforts.
Sourcefire, best known for its Snort intrusion-prevention technology, Tuesday is unveiling a new open source project called Razorback that’s designed to spot malware and especially zero-day exploits.
“We want others to test it to see if our idea about this new protection framework is as innovative as we think it is,” says Matt Watchinski, senior director on the Sourcefire vulnerability research team.
A new study of 45 U.S. organizations found that cyber crime — including Web attacks, malicious code, and rogue insiders — costs each one of them $3.8 million per year, on average, and results in about one successful attack each week.
Posted by Shawn Powers | Posted in Security | Posted on 22-07-2010
Although my intent is not to start the next GNOME/KDE-level war, it seems there must be a happy medium between total desktop insecurity and total desktop unusability. Linux offers so many ways to secure data that it’s important to realize it’s okay for folks to have different needs and desires. Sure, there are some basic security measures we all should take—things like:



Posted by CmdrTaco | Posted in News, Security | Posted on 21-07-2010
alphadogg writes “Is Snort, the 12-year-old open-source intrusion detection and prevention system, dead?
The Open Information Security Foundation (OISF), a nonprofit group funded by the U.S. Dept. of Homeland Security (DHS) to come up with next-generation open source IDS/IPS, thinks so. But Snort’s creator, Martin Roesch, begs to differ, and in fact, calls the OISF’s first open source IDS/IPS code, Suricata 1.0 released this week, a cheap knock-off of Snort paid for with taxpayer dollars.
The OISF was founded about a year and a half ago with $1 million in funding from a DHS cybersecurity research program, according to Matt Jonkman, president of OISF. He says OISF was founded to form an open source alternative and replacement to Snort, which he says is now considered dead since the research on what is supposed to be the next-generation version of Snort, Snort 3.0, has stalled.”


Read more of this story at Slashdot.



Posted by timothy | Posted in News, Security | Posted on 17-07-2010
An anonymous reader writes “Usually, when installing a new operating system the hope is that it’s as up-to-date as possible. After installation there’s bound to be a few updates required, but no more than a few megabytes. Damn Vulnerable Linux is different; it’s shipped in as vulnerable a state as possible. As the DVL website explains: ‘Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn’t. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn’t built to run on your desktop – it’s a learning tool for security students.’”





Posted by Soulskill | Posted in News, Security | Posted on 16-07-2010
CWmike writes “Researchers Nate Lawson and Taylor Nelson say they’ve discovered a basic security flaw that affects dozens of open-source software libraries — including those used by software that implements the OAuth and OpenID standards — that are used to check passwords and user names when people log into websites such as Twitter and Digg. By trying to log in again and again, cycling through characters and measuring the time it takes for the computer to respond, hackers can ultimately figure out the correct passwords. This may all sound very theoretical, but timing attacks can actually succeed in the real world. Three years ago, one was used to hack Microsoft’s Xbox 360 gaming system, and people who build smart cards have added timing attack protection for years. The researchers plan to discuss their attacks at the Black Hat conference later this month in Las Vegas.”





Posted by timothy | Posted in News, Security | Posted on 15-07-2010
tsu doh nimh writes “Anti-virus researchers have discovered a new strain of malicious software that spreads via USB drives and takes advantage of a previously unknown vulnerability in the way Microsoft Windows handles ‘.lnk’ or shortcut files. Belarus-based VirusBlokAda discovered malware that includes rootkit functionality to hide the malware, and the rootkit drivers appear to be digitally signed by Realtek Semiconductor, a legitimate hi-tech company. In a further wrinkle, independent researcher Frank Boldewin found that the complexity and stealth of this malware may be due to the fact that it is targeting SCADA systems, or those designed for controlling large, complex and distributed control networks, such as those used at power and manufacturing plants. Meanwhile, Microsoft says it’s investigating claims that this malware exploits a new vulnerability in Windows.”





Speaking at the Microsoft Worldwide Partner Conference (WPC), COO Kevin Turner told attendees that Microsoft’s archrival Apple is now No. 1 in software vulnerabilities, with database rival Oracle in the No. 2 spot.
Technology enthusiasts and the ranks of the curious have been trying for years to rescue the term “hacker” from its pejorative meaning. A new conference that will teach kids the wonders of hacking may be one sign that such efforts are paying off.
Maybe you didn’t get the memo: Tomorrow marks the end of patches for Windows XP Service Pack 2 (SP2).
And you’re still running the nearly-six-year-old edition.
Posted by samzenpus | Posted in News, Security | Posted on 08-07-2010
wiggles writes “The federal government is launching an expansive program dubbed ‘Perfect Citizen’ to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants, according to people familiar with the program. The surveillance by the National Security Agency, the government’s chief eavesdropping agency, would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn’t persistently monitor the whole system, these people said. How do we feel about NSA spyware in all of our infrastructure?”





A newly formed gang of rogue security researchers calling itself MSRC (Microsoft-Spurned Researcher Collective) has announced it will publicize any Windows vulnerabilities it finds, rather than reporting them privately to Microsoft for the company to patch.
Posted by kdawson | Posted in News, Security | Posted on 06-07-2010
The Risky Biz blog brings news that Big W, a subsidiary of Woolworths, has Windows-based Fuji photo kiosks in at least some of its stores that don’t run antivirus software, and are therefore spreading infections, such as Trojan-Poison-36, via customers’ USB storage devices. Here is the account of the original reporter. “It’s not just the lack of AV that’s the problem… it appears there’s been zero thought put into the problem of malware spreading via these kiosks. Why not just treat customers’ USB devices as read-only? Why allow the kiosks to write to them at all? It would be interesting to find out which company — Fuji, Big W, or even some other third party — is responsible for the maintenance of the machines. It would also be interesting to find out if there are any liability issues here for Big W in light of its boneheaded lack of security planning.”





Posted by kdawson | Posted in News, Security | Posted on 05-07-2010
Knowzy writes “At least two divisions at HSBC Bank apparently failed card issuing 101 and are mailing out debit cards pre-activated. Because they are debit cards, fraudulent transactions come directly out of a victim’s checking account. A similar report from 2004 suggests this issue is longstanding and widespread. When confronted with the evidence, HSBC would not commit to fixing this issue, preferring instead to offer vague statements like, ‘Through our systems and analytics, we focus on the greatest and most active threats in an effort to avoid negatively impacting customer experience.’”





Posted by Soulskill | Posted in News, Security | Posted on 05-07-2010
An anonymous reader writes “A presentation about ‘The Underground Economy’, by Italian white hat hacker and security expert Raoul Chiesa, was replaced at the last minute during last week’s Hack In The Box conference. The reason behind this cancellation was that Chiesa received legal pressure from ATM vendors over the fact that the originally scheduled presentation covers details of various techniques and exploits of vulnerabilities that cyber criminals use to break into ATMs — flaws that have been known for a long time.”





Posted by Soulskill | Posted in News, Security | Posted on 04-07-2010
Nicola Hahn writes “The inevitable occurred this week as The Economist broached the topic of cyberwar with a couple of articles in its July 3rd issue. The first article concludes that ‘countries should agree on more modest accords, or even just informal “rules of the road” that would raise the political cost of cyber-attacks.’ It also makes vague references to ‘greater co-operation between governments and the private sector.’ When attribution is a lost cause (and it is), international treaties are meaningless because there’s no way to determine if a participant has broken them. The second recommendation is even more alarming because it’s using a loaded phrase that, in the past couple of years, has been wielded by those who advocate Orwellian solutions. The other article is a morass of conflicting messages. It presumes to focus on cyberwar, yet the bulk of the material deals with cybercrime and run-of-the-mill espionage. Then there’s also the standard ploy of hypothetical scenarios: depicting how we might be attacked and what the potential outcome of these attacks could be. The author concludes with the ominous warning that terrorists ‘prefer the gory theatre of suicide-bombings to the anonymity of computer sabotage — for now.’ What’s truly disturbing is that The Economist never goes beyond a superficial analysis of the topic to examine what’s driving all of the fear, uncertainty, and doubt (PDF), a subject dealt with in this Lockdown 2010 white paper.”





Posted by Soulskill | Posted in News, Security | Posted on 03-07-2010
eldavojohn writes “The latest versions of Microsoft Windows have some good security options available — now if only they could get their most popular third-party applications to use them. A report from Secunia takes a look at two such options — DEP and ASLR — and Brian Krebs breaks down who is using them and who is not. A security specialist noted, ‘If both DEP and ASLR are correctly deployed, the ease of exploit development decreases significantly. While most Microsoft applications take full advantage of DEP and ASLR, third-party applications have yet to fully adapt to the requirements of the two mechanisms (PDF). If we also consider the increasing number of vulnerabilities discovered in third-party applications, an attacker’s choice for targeting a popular third-party application rather than a Microsoft product becomes very understandable.’ Among those with neither DEP nor ASLR: Apple Quicktime, Foxit Reader, Google Picasa, Java, OpenOffice.org, RealPlayer, and AOL’s Winamp. While Flash player can’t implement DEP, it does have ASLR. Google Chrome is the only popular third-party application listed with stars across the board.”
It’s worth noting that several apps highlighted in the Secunia research paper have added support for those security options in recent patches, or are in the process of doing so. Examples include Firefox, VLC, and Foxit Reader.




