CyberSecurity Institute – Page 360 – Security News Curated from across the world

Sun touts tougher security in Solaris 10

Posted on September 14, 2004December 30, 2021 by admini

Paul Sangster, senior Solaris security architect for the Santa Clara, Calif.-based company, touted Solaris 10’s security improvements during a roundtable discussion at Sun’s Burlington, Mass., offices Monday, saying, “Security touches everything we do, and in designing Solaris 10 we made the assumption that the Web server is sloppy” and in need of extra layers of protection. I expect IT administrators will greatly appreciate the N1 grid container zone feature and the user rights management privilege feature,” Sangster said. “These features enable (them) to much more tightly protect their services, even in the face of an attacker exploiting a known hole in some third-party software that was deployed but not yet patched.

He said the N1 grid container technology will allow users to create up to 4,000 secure, fault-isolated software partitions, each with its own IP address, memory space, file area, host name and root password.

Solaris 10 has been in development for two and a half years, and has slowly been made available to customers in recent months.

He added that Linux applications can run unmodified on Solaris.

Weinberg added that the capabilities in Trusted Solaris have been folded into Solaris 10. “Trusted Solaris has been used in government but has been separate from the standard Solaris,” he said. “We started this integration with Solaris 8, and Solaris 10 completes the move.”

James Dobson, system architect for Dartmouth College in Hanover, N.H., talked about the success the institution’s psychology department has had in using a version of Solaris 10. Pointing to the operating system’s improved interoperability, Dobson said, “We use multiple applications and platforms and Solaris 10 is working smoothly with all of these.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1005868,00.html

Metrics Matter

Posted on September 10, 2004December 30, 2021 by admini

If you want your security organization to be supported (or at least tolerated) by management, the department must become a communication station. Avoid subjective interpretations or even anecdotal information; instead, focus on metrics that are objective and indisputable.

As an example, to calculate the impact of spam filtering, the team began counting e-mails the filter rejected. Despite a few user complaints, the metrics showed these were isolated incidents and proved that a great majority of legitimate mail was getting through. This correlation of traffic to outbreaks would later help the IT staff react faster to outbreaks, because they could see worm signs before it spread.

Most infrastructure metrics are designed for gearheads, and the data is not useful to business managers.

Start with the message you want to communicate to management, then figure out which metrics would support that point. A mix of good news and bad news is to be expected–any manager knows that an employee who communicates only great news is probably a liar. If your security reports are always full of sunshine, expect management to become suspicious–and with good reason.

For instance, clients who use desktop-management and antivirus software appreciate being able to perform a “check-in”–that is, every workstation on the network “phones home” to the master console, ensuring each is in compliance with policies, such as pattern updates. This type of report is a good indicator that (a) your software investment is functioning; (b) the majority of users haven’t cleverly disabled the agent so they can download porn and install cute screensavers; and (c) you can, if necessary, invoke additional software functionality.

Indeed, any process you monitor will show that you’re on top of things–particularly if the process is new to your organization, such as vulnerability remediation, server- configuration compliance, unsuccessful login monitoring or log-exception monitoring.

When you must express dollar figures, try to associate some measure of probability with them–IT security is equivalent to risk management, after all.

Ultimately, use caution and be conservative when estimating dollar payback or you risk damaging your credibility.

Finally, in security and in business, timing is everything.

http://www.securitypipeline.com/46200070

Microsoft Sets a New Deadline for XP Service Pack 2

Posted on September 8, 2004December 30, 2021 by admini

Microsoft made available to customers in August a couple of different tools to temporarily disable the delivery of SP2 to users machines via its Windows Update/Automatic Update patching services. A number of customers had requested these tools, claiming they were not ready to take delivery of SP2, as they had not tested SP2 adequately to make sure it did not break their applications. Originally, the tools were set to postpone delivery via Windows Update/Automatic Update for 120 days, starting August 16. But on September 7, Microsoft extended this deadline to 240 days (April 12th 2005).

Microsoft has acknowledged that a number of applications, including several of its own, do not work properly with SP2 unless certain settings are changed. And a number of third-party hardware and software vendors still have yet to provide patches and updates to their products that will allow them to work with SP2.

This fall, Microsoft will be reaching out to this user base via its “Protect Your PC” campaign, in an attempt to make sure as many XP users as possible install the SP2 update.

http://www.microsoft-watch.com/article2/0,1995,1643908,00.asp?kc=MWRSS02129TX1K0000535

Over 3,000 malicious codes detected in August: Trend Micro

Posted on September 7, 2004December 30, 2021 by admini

According to the Trend Micro World Wide Tracking Centre, Sasser was the most prevalent virus in August with 325,409 victims and made up nearly 31 percent of infections in the August top 10 virus list.

Mark Sinclair, Trend Australia’s technical services manager, said both viruses were written by the same programmer; an 18-year old German who was responsible for 77 percent of infections by the top ten viruses in August. “According to Trend Micro statistics, the NetSky series has been listed among the top ten viruses since February, accounting for over half of the top ten viruses between April and July.

Most of the new viruses were variations of previous viruses, with eight new variants of the Worm _rbot series, and nine variants of the Worm_sdbot series. Another possible motive is to build a dormant “dark” network that could be used in the future to perform a large-scale attack against one or more targets.

“Mass mailers usually feature executable file attachments and stripping these attachments at the gateway is a simple method of reducing infection,” Sinclair said. “The authors of Bagle continue to wage war on Netsky; proof of concept viruses are appearing for wireless devices and 64 bit operating systems and phishing/keyboard logging Trojans are becoming more prevalent,” he said. “The potential to see new damaging network worms such as Sasser, SQL Slammer and Blaster is always there.

The top five targets of Internet bank fraud in August were US Bank, Citibank, Suntrust Bank, eBay and Paypal.

http://www.zdnet.com.au/news/security/0,2000061744,39158445,00.htm

Apple fixes 15 flaws in Mac OS X

Posted on September 7, 2004December 30, 2021 by admini

Many of the problems are flaws in the operating system’s underlying open-source software, including a critical flaw in the Kerberos authentication system–software that can act as a gatekeeper for computer networks.

The patch is available for Mac OS X 10.3.5 and Mac OS X 10.3.4, and also fixes issues in Mac OS X 10.2, known as “Jaguar.”

“All security enhancements…are also available for Jaguar, if the issue could occur on Jaguar systems,” a security advisory from the company said. The patch fixes software flaws that could enable an attacker to crash or freeze the Apache 2 Web server, run software by utilizing Apple’s Safari Web browser or expose the password store used by the network.

Security information provider Secunia ranked the Kerberos threat as “highly critical,” its second-highest danger rating.

Apple has pointed to open-source software as a source of security for the company’s operating system. While open-source projects tend to release patches as soon as possible, Apple and other companies have moved to more occasional releases of collections of patches.

Apple’s advisory, with details of the update, is available on the company’s Web site.

http://news.com.com/Apple+fixes+15+flaws+in+Mac+OS+X/2100-1002_3-5350010.html?tag=nefd.top

Security: Can you really trust just techies?

Posted on September 6, 2004December 30, 2021 by admini

By passing the buck wholesale to the IT department companies are exposing a number of flaws across their organisation – from the top down – and even a tightening of legislation and increased emphasis on accountability and corporate governance has done little to interest the head-in-the-sand ‘higher ups’ that they should be getting involved and delegating tasks effectively.

According to independent research conducted by Coleman Parkes on behalf of LogicaCMG, 53 per cent of companies entrust the IT department with the sole enforcement of the information security policy. In addition, 71 per cent of companies rely on the IT department to implement information security policies and approaches – despite the fact that much of the planning should relate to HR and legal issues as much as to the technology in place.

Sal Viveros, SME director at security giant McAfee, believes one of the biggest obstacles to effectively managing security issues centrally from the IT department is the perception of other employees. Viveros said as a result those in the IT department are often seen as “the bad guys” and coupled with a perceived lack of seniority within the company this makes it difficult for them to dictate, manage and enforce policy.

While staff may sit up and take notice of a policy handed down by HR or a member of senior management, because the trail of accountability and its direct link to discipline procedures is evident, employees may feel less inclined to treat seriously the requests of the IT department.

In a separate study conducted by MORI, also on behalf of LogicaCMG, 83 per cent of investors said a security breach of any kind would impact that companies’ share price and 56 per cent they would sell their shares in the event of a breach.

The fact companies are seemingly doing little about getting on top of security is made all the more surprising by the fact companies are aware of such risks.

http://software.silicon.com/security/0,39024655,39123732,00.htm