Archive for October, 2009

Firefox hit by multiple drive-by download flaws!!!

Mozilla’s flagship Firefox browser contains at least 11 “critical” vulnerabilities that expose users to drive-by download attacks requiring no user interaction beyond normal browsing.

By Ryan Naraine


US-CERT warns about BlackBerry spyware app
Infected sites rising at alarming rate
New LoroBot locks files and holds for $100 ransom


Microsoft: Human error caused critical SMB2 vulnerability

Microsoft is blaming human error for the critical SMB v2 vulnerability that exposed Windows users to remote code execution attacks, and argues that it is near impossible to catch these types of bugs with existing code review tools and techniques.

According to a post-mortem of the issue by Redmond security guru Michael Howard, the company detected the vulnerable code “very late” in the Windows 7 development process, but argued that there are no static analysis tools or SDL requirements that would spot this type of human error.

“Right now there is no static analysis tool I know of that would point out the developer used the wrong variable, and our analysis tools didn’t spot the potential array bounds problem in part because it’s hard to do so without generating a very large quantity of false positives,” Howard said.

“There is only one current SDL requirement or recommendation that could potentially find this, and that is fuzz testing. In fact we did find it very late in the Windows 7 development process through network fuzzing and that is why post-RC versions of Windows 7 do not have this bug,” he added.

Howard did not explain why the fix was not back-ported to Windows Vista and other vulnerable versions until it was independently discovered and released by external security researchers.

[ SEE: Microsoft security guru: Get fuzzing ]

He said the only other technique that could find this type of vulnerability — an incorrect variable in an array reference — is the process of “very slow and painstaking code review.”

This code was peer-reviewed prior to check-in to Windows Vista, but the bug was missed. Humans are fallible, after all.

Howard said the types of vulnerabilities surfacing in Windows OS code today show that the mandatory SDL has “whittled away most of the ‘low-hanging’ bugs.”

Of course, I might be proven wrong, but looking at all the bugs over the last year in Windows, the only pattern I can spot is there is no pattern! The majority of the bugs I see in Windows are one-off bugs that can’t be found easily through static analysis or education, which leaves only manual code review, and for some bug classes, fuzz testing. But fuzz testing is hardly perfect, because the malformed data might not hit the vulnerable code path or trigger a failure in the code.

He called on software developers to spend more time on defenses against unknown vulnerabilities, as well as trying to prevent or remove vulnerabilities.
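The bug class Howard describes, a correctly range-checked count sitting next to a loop that indexes the array with a different variable, is easiest to see in a small constructed parser. The C below is an added illustration for this post and is not the Windows SMB2 code or any Microsoft code: the message layout, the field names and the MAX_DIALECTS limit are invented for the example. It shows the wrong-variable loop beside the corrected one, and a small deterministic fuzz loop of the kind the post credits with finding the real bug; the loop also shows why fuzzing is a probabilistic check rather than a proof, since most random inputs are rejected by the header check before they reach the loop.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DIALECTS 8   /* constructed limit for the example */

/* Constructed wire format (not a real protocol):
 *   msg[0]    dialect_count  number of 2-byte dialect ids after the name
 *   msg[1]    name_len       length of the client name that follows
 *   msg[2..]  name bytes (name_len of them), then dialect_count * 2 id bytes
 */
struct parsed {
    uint8_t  name[256];                 /* name_len is a uint8_t, so 255 max */
    uint16_t dialects[MAX_DIALECTS];
    size_t   ndialects;
};

/* Header validation shared by both versions: -1 on a short message or a
 * count above the limit, 0 otherwise. Note that count IS range-checked. */
static int check_header(const uint8_t *msg, size_t len, uint8_t *count, uint8_t *name_len)
{
    if (len < 2) return -1;
    *count = msg[0];
    *name_len = msg[1];
    if (*count > MAX_DIALECTS) return -1;
    if (len < 2 + (size_t)*name_len + (size_t)*count * 2) return -1;
    return 0;
}

/* BUGGY version: the loop bound is name_len, not dialect_count. Every
 * variable is checked somewhere, so a static analyser sees no obviously
 * unchecked index; a name longer than MAX_DIALECTS bytes writes past
 * dialects[]. Kept only for contrast; nothing below calls it. */
static int parse_buggy(const uint8_t *msg, size_t len, struct parsed *out)
{
    uint8_t count, name_len;
    if (check_header(msg, len, &count, &name_len) < 0) return -1;
    memcpy(out->name, msg + 2, name_len);
    const uint8_t *ids = msg + 2 + name_len;
    for (size_t i = 0; i < name_len; i++)            /* wrong variable */
        out->dialects[i] = (uint16_t)(ids[2 * i] | (ids[2 * i + 1] << 8));
    out->ndialects = count;
    return (int)count;
}

/* FIXED version: identical except the loop is bounded by the checked count. */
static int parse_fixed(const uint8_t *msg, size_t len, struct parsed *out)
{
    uint8_t count, name_len;
    if (check_header(msg, len, &count, &name_len) < 0) return -1;
    memcpy(out->name, msg + 2, name_len);
    const uint8_t *ids = msg + 2 + name_len;
    for (size_t i = 0; i < count; i++)               /* correct variable */
        out->dialects[i] = (uint16_t)(ids[2 * i] | (ids[2 * i + 1] << 8));
    out->ndialects = count;
    return (int)count;
}

/* Constructed sample: count=2, name="abc", ids 0x0202 and 0x0210 (little-endian). */
static const uint8_t SAMPLE_OK[] = { 2, 3, 'a', 'b', 'c', 0x02, 0x02, 0x10, 0x02 };
/* Constructed sample that would overrun dialects[] in the buggy loop:
 * count=1 but a 9-byte name. The fixed parser handles it correctly. */
static const uint8_t SAMPLE_LONG_NAME[] = { 1, 9, 'l','o','n','g','-','n','a','m','e', 0x11, 0x03 };

/* Returns 1 when the fixed parser handles every sample as intended, else 0. */
static int check_samples(void)
{
    struct parsed p;
    memset(&p, 0, sizeof p);
    if (parse_fixed(SAMPLE_OK, sizeof SAMPLE_OK, &p) != 2) return 0;
    if (p.dialects[0] != 0x0202 || p.dialects[1] != 0x0210) return 0;
    if (parse_fixed(SAMPLE_LONG_NAME, sizeof SAMPLE_LONG_NAME, &p) != 1) return 0;
    if (p.dialects[0] != 0x0311) return 0;
    if (parse_fixed(SAMPLE_OK, sizeof SAMPLE_OK - 1, &p) != -1) return 0;  /* truncated */
    return 1;
}

/* Tiny stand-in for network fuzzing: random lengths and bytes from a fixed
 * seed, so any failure is reproducible. Returns the number of accepted
 * messages, or -1 if the parser ever claimed more dialects than the array
 * holds (the invariant the buggy loop breaks). */
static long fuzz_fixed(unsigned seed, int iterations)
{
    uint8_t msg[600];
    struct parsed p;
    long accepted = 0;
    srand(seed);
    for (int n = 0; n < iterations; n++) {
        size_t len = (size_t)rand() % sizeof msg;
        for (size_t i = 0; i < len; i++) msg[i] = (uint8_t)rand();
        int rc = parse_fixed(msg, len, &p);
        if (rc < 0) continue;
        if (p.ndialects > MAX_DIALECTS || (size_t)rc != p.ndialects) return -1;
        accepted++;
    }
    return accepted;
}

int main(void)
{
    (void)parse_buggy;  /* never called; referenced only to keep the compiler quiet */
    printf("samples ok: %d\n", check_samples());
    printf("fuzz accepted: %ld\n", fuzz_fixed(1u, 20000));
    return 0;
}
```

The point of the two-variable layout is that a checker looking for "index not validated" finds nothing to complain about: both count and name_len are validated, just not against the array the loop writes. Only an input whose name is longer than MAX_DIALECTS bytes exposes the mistake, which is why the post reaches for fuzzing and careful review rather than static analysis.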

See: MS09-050, SMBv2 and the SDL, by Michael Howard.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan’s full profile and disclosure of his industry affiliations.


Blue Waters Project

From the National Center for Supercomputing Applications (NCSA)

Blue Waters is expected to be the most powerful supercomputer in the world for open scientific research when it comes online in 2011. It will be the first system of its kind to sustain one petaflop performance on a range of science and engineering applications. The project also includes intense collaboration with dozens of teams in the development of science and engineering applications, system software, interactions with business and industry, and educational programs. This comprehensive approach will ensure that scientists and engineers across the country will be able to use Blue Waters to its fullest potential.

Scientists will create breakthroughs in nearly all fields of science using Blue Waters. They will predict the behavior of complex biological systems, understand how the cosmos evolved after the Big Bang, design new materials at the atomic level, predict the behavior of hurricanes and tornadoes, and simulate complex engineered systems like the power distribution system and airplanes and automobiles.

Blue Waters is a joint effort of the University of Illinois at Urbana-Champaign, its National Center for Supercomputing Applications, IBM, and the Great Lakes Consortium for Petascale Computation. It is supported by the National Science Foundation and the University of Illinois.

Blue Waters will be based on POWER7 hardware from IBM—makers of more than one-third of the world’s 500 fastest computers and almost all of the 40 most “green” supercomputers. It will be the first of a powerful new system design from IBM. The design includes extensive research and development in new chip technology, interconnect technology, operating systems, compiler, and programming environments.

Substantial investments will be made by the Blue Waters partnership to enhance the scalability and performance of existing science and engineering applications and to develop new applications that take full advantage of the extraordinary capabilities that Blue Waters will provide. The partnership is developing an enhanced version of IBM’s high-performance computing environment to ensure that applications achieve high sustained performance. The enhanced environment will increase the productivity of application developers, system administrators, and researchers by providing an integrated toolset to use Blue Waters and analyze and control its behavior.

The Blue Waters project also includes a far-reaching educational and workforce development program. It will impact students from K-12 through postgraduate education, reaching out to geographical areas and communities that have been historically underrepresented in supercomputing. At the undergraduate level, the program will educate the next generation of graduate students, K-12 teachers, future technical staff, and the informed public. At the graduate and postgraduate levels, the program will educate and train the next generation of researchers.

An expanded industrial partner program is an integral part of the Blue Waters project. Members of the Great Lakes Consortium for Petascale Computation will work with their business and industry partners to introduce them to the world of petascale computing, giving industrial outreach a truly national scale.

To read more, visit NCSA’s website.


Ten Crucial Server attributes

Servers are the workhorses of business IT, but what are their most important features?

A server is a specialised machine — but it is also based on PC technology. So, what defines a server and separates it from the familiar personal-computing technology that lives either on your desk or your lap? And what is missing from the mix?

Generally speaking, a core philosophy behind server design is the notion that the machine must continue to provide a service even if an individual hardware component fails. Servers also deliver files and process information for multiple users simultaneously, so they need to be computing powerhouses.

All this data needs to get to and from users as fast as possible, so expect lots of high-speed network ports. And because they are not machines you sit in front of all day, they need to be remotely manageable.

Finally, there is one other characteristic that servers have all possessed up until now — but that may be starting to change. (More on this later.) Here then are the most important hardware attributes a server must possess if it is to fit the bill — and at the end, we have added some items you should not expect to see.
Server attributes
Crucial attribute 1: Processors
At the heart of the server is the processor — or, more usually, these days, at least a pair of processors. If a server is doing anything more than just file-serving, then computing power is likely to be in demand. So this Dell T710 houses a pair of brand-new Intel Core i7 Xeon processors, using 45nm processor microarchitecture — code-named Nehalem.

Crucial attribute 2: Memory
Without memory, a computer is useless: our test server contains 12GB of PC8500 1066MHz DDR3 memory in the form of six 2GB DIMMs. That is enough to run a modern hypervisor such as VMware’s ESX and up to around eight to 10 virtual machines — which is increasingly what even low-end servers are being asked to handle.

Crucial attribute 3: Storage
Storage is a crucial part of the server, if only because the server needs an operating system from which to boot. While in many cases servers boot from the network, local storage for the operating system and other data that needs to be held locally is typical. In this case, we have eight 10,000rpm SAS drives of 146GB each, configured for RAID 5, which helps protect against the consequences of a drive failure, and provides around 1TB of storage.

Crucial attribute 4: Network
The data I/O channel is often the server’s bottleneck but this machine houses four 1Gbps load-balancing Ethernet ports, helping to speed the flow of data and provide redundancy against hardware failure. Because of the growth of virtualisation technology, I/O is in greater demand because each virtual machine could be serving dozens of users’ requests for information.

Crucial attribute 5: Power
The server draws power via a mains cable, but in a typical configuration it will house a pair of power supply units (PSUs). This means that when a PSU fails — and moving parts such as the PSU fan, along with hard disks, are the server’s most failure-prone components — the machine continues working. This server’s 1100W hot-plug PSU slides out for easy online replacement.

Crucial attribute 6: Cooling
Venting excess heat from high-powered processors is crucial. This server contains four fans but can continue to run on two, should they fail. Like the power supply unit, the fans can be removed while the server is running to provide continuous service. For photographic purposes, we have removed the plastic ducting that helps ensure the cooling air flows over the CPUs and memory.

Crucial attribute 7: Remote management
Servers tend to live in places such as datacentres or, in smaller offices, dedicated locked rooms. They are not easily accessible yet admins need to be able to manage them remotely, at any time.

That is why this server is equipped with a remote-management port and a management application on a flash SD card. The management port allows admins to manage the server using an out-of-band network, which does not affect production network traffic.

Crucial attribute 8: Diagnostics
When you are in the presence of the hardware, it is useful to be able to grab a quick snapshot of the server’s state to help with problem solving. This server’s front bezel includes a one-line LCD that provides system information, such as system health monitoring, alerts and control of basic management configuration. It also allows admins to view a power meter and ambient temperature.

Crucial attribute 9: Power security
The basic IEC mains cable includes a plug that simply pushes into a socket on the back of the machine. But it is not a secure design and it is all too easy to pull the plug out by accident, perhaps when moving the server, or if the cable has been untidily routed. This simple Velcro cable security strip can prevent that happening.

Crucial attribute 10: Noise
The final issue is noise. Servers are still pretty noisy and this machine, though a little quieter than many, still makes more racket than would be acceptable in an office as a result of its multiple fans. But quieter servers are the future: noise results from wasted energy, and energy conservation is high on the agenda of all system and component designers.

Four things you do not need in a server:

1. Graphics
There is no need for expensive, power-sapping graphics cards in a server. The most complex graphics task for a server is a graphical user interface that is rarely used. If it is running Linux, you are more likely to do that remotely using SSH, so why waste CPU and memory on graphics?

2. Audio
Audio is unnecessary on a server because most of the time there is no-one there to listen, and the audio circuitry and its associated software are just additional points of failure.

3. Keyboard and mouse
You do not need human input devices (HID) on a server 99 percent of the time. That is not just because it is not being used interactively, but also because, on those occasions when you do need a keyboard and mouse, you can provide them through a KVM device that transports the HID signals to your desk.

4. Windows licence
In fact, the machine featured in most of these pictures came with a temporary Windows licence, but you do not need one. Instead, download a 64-bit version of Ubuntu server and you will have a server that works without hefty licensing fees. Alternatively, VMware’s ESX hypervisor is downloadable free and provides a tried and trusted platform for virtualisation.

Story URL: http://resources.zdnet.co.uk/articles/imagegallery/0,1000002003,39743452,00.htm


Obama taps OpenID for Government Websites

Yahoo, Google and eight other top technology companies are participating in an effort to bring OpenID single login to US government websites as part of Obama’s Gov 2.0 initiative.

Yahoo, Google and other top technology companies have signed up to an effort to bring OpenID authentication to US government websites.

Ten companies said on Wednesday that they will support president Obama’s initial pilot programmes to make it easier for people to register and use those websites. OpenID is an open identity system that allows people to use a single username and password to log in and authenticate themselves on multiple websites.

The companies — Yahoo, PayPal, Google, Equifax, AOL, VeriSign, Acxiom, Citi, Privo and Wave Systems — said they will act as digital identity providers using OpenID and Information Card technologies.

“By embracing OpenID (and InfoCard), the government is helping to further establish the value of owning one’s own identity, and of having convenient, consistent and privacy-protecting mechanisms in place to enhance and enable participation,” OpenID Foundation community board member Chris Messina wrote in a blog post.

The pilot programmes are being launched by the Center for Information Technology, National Institutes of Health and the US Department of Health and Human Services.

People will be able to use Yahoo, PayPal and Google IDs to sign into federal sites. According to the government, the use of OpenID will allow individuals to be more interactive with websites without revealing personally identifiable information, such as passwords.

Earlier this year, president Obama issued a memorandum launching an effort to make it easier for citizens to work with government websites. The Gov 2.0 initiative will “transform government websites from basic ‘brochureware’ into interactive resources, saving individuals’ time and increasing their direct involvement in governmental decision-making”, the Information Card Foundation said in a statement.


New Microsoft Datacentre

01 Oct 2009 08:47

The software maker has opened what it says might be the world’s largest datacentre on the outskirts of Chicago.

On most days it takes the right access badge and a biometric scan to make it inside the doors of Microsoft’s massive datacentre. But on Wednesday, the company allowed a group of reporters, customers and partners to tour the 700,000 square foot facility.

The datacentre, along with another just-opened facility in Dublin, Ireland, and existing centres in San Antonio and Quincy, Washington, serves as the guts behind Microsoft’s online ambitions, from Bing to Hotmail to Windows Azure.

For all its strategic import, the ground floor of the Chicago plant looks more like a lorry park than a traditional datacentre. In each parking spot, though, Microsoft can drop off a container packed with up to 2,000 servers.

Right now, only about a dozen of the 56 container spots are filled, but Microsoft executives said they expect that to change quickly. The software maker expects eventually to spend up to $500m filling the Chicago site with gear.

The site was originally slated to open months earlier, but Microsoft delayed things due to the economy. Eventually, though, it decided to move forward.

“Investing in these uncertain economic times is always a tough choice,” said Arne Josefsberg, general manager of infrastructure services for Microsoft’s datacentre operations. But, he added, “We take a very long-term approach to the business.”

The datacentre itself is housed in an unmarked warehouse in one of the Chicago area’s many industrial districts. (The software maker did not want the exact location disclosed.)

Microsoft picked the spot because of its convenient location close to cheap and abundant power, as well as the fact it sits atop a major internet connection point that houses major east-west and north-south fibre routes.

“It’s a lot about location, location, location,” Josefsberg said.

Photo: Microsoft datacentre, Chicago. The ground floor of Microsoft’s Chicago datacentre features sealed containers with tightly packed racks of servers, while the second floor houses more traditional server rooms.


Linux File Management

24 Sep 2009 11:03

The trusty file manager deserves more appreciation, especially given the choice of Linux tools, says Jack Wallen.

Most users take their file manager for granted, but perhaps it is time to look at the range of features offered by Linux utilities, says Jack Wallen.

To Linux users, the file manager is as close to their hearts as their text editor. There is a reason for this: with the Linux operating system, and its various desktops, there are many file managers. Each has standard, as well as individual, features.

In fact, there are so many file managers, and so many specific features, it is worth listing 10 of the best choices. See if one of these file managers meets or surpasses your needs.

1. Command line
Although the command line is not just a file manager, you cannot have a listing of Linux file management tools without including it. Without these tools, working on headless servers would be a challenge, unless you are using remote desktop.

As someone who cut his Linux teeth with the command line, not a day goes by when I do not use it for something. The tools you will use for file management in the command line include cd, mkdir, rm, ls, locate, find, cp and mv.

2. Dolphin
Dolphin, the default file manager for KDE, replaced Konqueror with the arrival of KDE 4. It is a full-featured file manager and includes standard features and then some. You will also find network transparency, undo, batch renaming, split views, dockable panels, built-in encryption, zoom drag bar and much more.

Dolphin will never offer the number of features included with Konqueror, which is precisely why the KDE team made the switch. Instead, it focuses on file management alone. Konqueror focuses on everything — file management, browsing, document viewing.

The KDE developers thought it best to simplify the task of file management. This was a good call on their part, especially for the new user. As a file manager, Konqueror was just too much.

3. Gnome Commander
Gnome Commander is the GTK+ version of the venerable Midnight Commander file manager. Gnome Commander is a split-pane file manager that offers all of the features of Midnight Commander with the added convenience of a graphical user interface.

Along with the graphical interface comes the ease of network transparency. With Gnome Commander, you can connect to a remote server with Samba, FTP, Windows Share, WebDAV, Secure WebDAV and SSH. Gnome Commander also offers Root Mode, keyboard shortcuts, batch renaming, built-in search, help documentation, translations, drag and drop, directory synchronisation and a plug-in system.

If you are a fan of Midnight Commander but want something a little less cumbersome than Ncurses, Gnome Commander could fit the bill.

4. Konqueror
In the right hands, Konqueror is the king of file managers. Even though KDE has gone in a different direction by adopting Dolphin, you can still use Konqueror as your primary file manager. Konqueror features all aspects of file management, and uses KIO plug-ins to extend its feature set to include many types of protocols such as ZIP, tar, smb, ed2k, HTTP and FTP.

With Konqueror, you can browse audio and video CDs, then rip them with drag and drop. Konqueror can act as your local file manager or as a remote file manager. It has a universal viewer, which enables you to view nearly any type of file from within one window.

With KDE 4, you will notice Dolphin is the default file manager and Konqueror is the default web browser. This situation does not mean you are locked into them, though. You can use Konqueror as your file manager and use another browser, such as Firefox.

5. Krusader
Krusader is another KDE file manager. It will be right at home on your desktop if you are familiar with Midnight Commander or Gnome Commander. Of course, that does not mean you need to know those file managers.

Krusader is easy to use, as any good file manager should be. It offers a twin-view, graphical interface with an added command-line entry area at the bottom of the window. And it places the focus on the keyboard, so you can work efficiently without having to use your mouse. It also offers remote synchronisation, advanced search, keybindings, a pop-up panel that serves as a third hand, folder history and multiple panel types, including view, disk-usage, tree and preview panel.

6. Midnight Commander
Midnight Commander was the first real file manager for the Linux operating system, and is a clone of the old DOS Norton Commander file manager.

Midnight Commander is an Ncurses application, so it runs within a terminal window. It includes native support for archives, rpm and deb files, the ability to connect to a remote server and an embedded editor with syntax highlighting. It can also issue commands against marked files.

Although Midnight Commander is an outstanding file manager and is about as versatile as they come, it initially seems complicated for what should be simple tasks. But when you need a file manager on a headless server, it is worth the time and effort it takes to learn Midnight Commander.

7. Nautilus
Nautilus is the default file manager for the Gnome desktop. It is one of the most feature-rich of all the graphical file managers. Not only does it include the standard features found in modern file managers and an outstanding, well-designed interface, it also offers the ability to extend its usefulness with Nautilus extensions and scripts.

You can search with your add/remove software utility using the search string ‘nautilus’ to come up with a number of pre-built extensions you can add to Nautilus. Some of the extensions include:

  1. Nautilus Actions: Allows you to add your own menu entries using a simple configuration dialogue
  2. Nautilus SVN: Lets you add subversion functionality to your file manager
  3. Nautilus-CD: Allows you to add CD burning to Nautilus
  4. Nautilus-Dropbox: Adds Dropbox support to Nautilus

Nautilus uses spatial navigation, rather than a navigation bar, so finding your way through the hierarchy is not as simple as you might think. There is no back, forward or home button. Instead, when you double-click on a file or directory from within a Nautilus window, a new window will open. This way, the parent window is always open.

8. PCMan
PCMan is one of the faster and more lightweight of the file managers. However, it differs from the others through one feature: tabbed windows. Like everyone’s favourite browser, you can open up multiple tabs and even move files between them. You can also open a terminal to the current working directory or as the root user.

PCMan offers built-in volume management, file search, drag and drop, fast startup times, bookmarks support, support for non-UTF-8 encoded filenames, standards compliance, and an easy-to-use interface in GTK+ 2.

9. Thunar
Thunar is the default file manager for the Xfce 4 desktop and also ships with E17, the latest version of Enlightenment. It is incredibly lightweight, fast and reliable.

Thunar was created with extensibility in mind using the Thunarx framework. Consequently you can add features such as advanced properties, archives, media tags, batch rename, thumbnails and customisable actions.

You can switch the Location Selector between Pathbar and Toolbar style, and create customised actions that enable you to create new menu entries to serve specific purposes, such as a right-click menu for printing or renaming.

10. Xfe
Xfe is a simple, lightweight file manager similar to MS-Explorer or Commander. Anyone who appreciates making use of older systems or using a desktop with a minimal footprint will enjoy Xfe.

Xfe offers an integrated text editor, integrated text, deb, rpm and image viewer, drag and drop between Xfe and desktop, right mouse pop-up menus, optional trash, bookmarks and up to 18 languages. Xfe requires only the Fox library, so it can run on any Linux or Unix desktop.

Your choice
Of these 10 file managers, you will certainly find one that fits your needs. Or do you favour another file manager? If so, what is it and why did you choose it?

Story URL: http://resources.zdnet.co.uk/articles/comment/0,1000002985,39763719,00.htm


Web Malware

Web malware: Is the internet burning?

26 Aug 2009 09:48

As web malware proliferates, it seems the cybercriminals are always one step ahead, says Mary Landesman.

With malware signatures doubling every year since 2006, the problem of web-based attacks appears out of control, says Mary Landesman.

While discussing the rapid growth of web-delivered malware, an industry colleague commented that the internet is like a city where everyone lives in straw houses and 10 percent of inhabitants are arsonists.

That parallel is uncomfortably close to the truth. According to researchers at PandaLabs, an average of 37,000 new malware samples are discovered and processed each day.

Over half — 52 percent — of that malware will be reconfigured within 24 hours of its release in an effort to evade signature-based scanners.

Those who had their systems infected in the first 24 hours of the malware’s existence will continue to have an active, functioning infection.

New variants
Those who encounter the same source after the initial 24 hours will be exposed to a new variant which may or may not share the same characteristics of the original, and may or may not be detectable via the signatures released the day before — assuming signatures were released that quickly.

What is most disturbing about these numbers is not the challenge they pose for security vendors. The really disturbing aspect is what these numbers tell us about the success of web-delivered malware.

Each year since 2006, the number of malware signatures has doubled, or more than doubled. That timeframe is significant, because its start coincides with the wide adoption of MPack and similar exploit frameworks, and the resulting continued mass compromises of legitimate websites.

Not only are the numbers of pieces of malware increasing, the numbers of distribution points, which are largely compromised websites, also continue to rise.

Sophisticated and insidious
At the same time, the malware itself has become far more sophisticated and insidious in both its payload and its intent. According to ScanSafe Stat research, web-delivered data-theft Trojans have increased 4,955 percent since 2007 and 1,424 percent just over the past year.

Today, data-theft Trojans form the second largest category of web malware detected via the web, outstripped only by blocks on the compromised websites and exploits designed to deliver that malware.

The distribution methods are evolving just as quickly. Today’s cybercriminals have a deep understanding of web technologies and user behaviour. Given their ubiquitous use and operating system and browser independence, third-party plug-ins are now a common target for vulnerability exploit.

Adobe products have borne the brunt of the onslaught. In 2008, vulnerabilities in PDF and Flash were the most common exploits used to deliver malware via the web.

Indeed, the problem of vulnerabilities in Adobe products has risen to such an extreme, it prompted Stephen Northcutt, director of the Sans Technology Institute, to deliver this warning: “I think organisations should avoid Adobe if possible. Adobe security appears to be out of control, and using their products seems to put your organisation at risk.

“Try to minimise your attack surface. Limit the use of Adobe products whenever you can.”

As a further example of attackers’ awareness and the evolution of their attacks, the web is now proving valuable for backdoor management. Most recently, Twitter, Tumblr, Jaiku and similar social messaging platforms were discovered to be used for botnet command and control.

Clearly, whatever the latest and greatest internet fad, chances are the criminals are already there — whether to distribute more malware or to control their existing infections.

Mary Landesman is the senior security researcher for ScanSafe.

Story URL: http://resources.zdnet.co.uk/articles/comment/0,1000002985,39728691,00.htm

