OSVDB Featured in the Open Source Business Resource (OSBR)

Posted by jkouns Sat, 21 Jun 2008 16:24:09 GMT

OSVDB is featured in the June issue of the Open Source Business Resource (OSBR) and is now available at the OSBR website. We were contacted and asked if we would like to include our original OSVDB Aims white paper in the issue. This was really the prompting that we needed to take the time to update the project’s successes since the launch and provide some additional information about the future of OSVDB.

We would like to thank Dru Lavigne and OSBR for their support and encourage you to take a look at the issue. The OSVDB article can be found at: http://www.osbr.ca/ojs/index.php/osbr/article/view/607/568

OSBR’s editorial theme for June is “Security” and here is a listing from the table of contents:

Jake Kouns, president of the Open Security Foundation, introduces the Open Source Vulnerability Database Project. David Maxwell, Open Source Strategist at Coverity, discusses the findings from Coverity’s analysis of over 55 million lines of open source code. Robert Charpentier from Defence Research Establishment Valcartier and Mourad Debbabi, Azzam Mourad and Marc-André Laverdière from Concordia University present a summary of their research into providing security hardening for the C programming language. Frederic Michaud and Frederic Painchaud from Defence Research and Development Canada describe their evaluation of automated tools that search for security bugs. Key messages from Carleton University’s Stoyan Tanev’s recent presentation on technology marketing trends and the Eclipse Foundation’s Ian Skerrett’s presentation on building successful communities. Michael Geist, Canada’s Research Chair of Internet and E-commerce Law, explains why the proposed Bill C-61 does not address the rights of Canadians. Alan Morewood from Bell Canada provides an example of open source meeting a business need.

Next month’s editorial theme is “Accessibility”; contact the OSBR Editor if you are interested in a submission.


Pump and dump

Posted by jkouns Fri, 19 Oct 2007 20:23:42 GMT

There has been a pretty good buzz about MP3 spam in the past couple of days. Some folks at GFI sent us the following and we thought it would be worth sharing.

Spammers are back with a new trick, this time round sending messages with MP3 attachments that contain the latest pump-and-dump stock scams. One sample identified this morning by GFI was a heavily distorted 30-second MP3 file. A synthetic female voice was used to promote a particular stock. This voice is distorted to avoid filtering approaches based on the file signature. Once again, spammers are taking advantage of the fact that the MP3 format is one of the most common in use today, another attempt at social engineering. GFI Software have uploaded a sample on their website, if you want to listen to it, click here. For further details read GFI’s mp3 spam roundup.


OS Security, Old Debate, New Info

Posted by jericho Thu, 29 Mar 2007 18:42:21 GMT

Check out this article/report by OmniNerd, which tested various operating systems for security. They performed a baseline vulnerability scan during installation, after installation and after patches had been applied. Each installation was done to mimic a ‘default install’ as closely as possible by clicking ‘next’ when possible. While one can argue various points of this test, they did a good job defining the operating system, configuration and resulting open ports, along with corresponding vulnerabilities. The only questions that immediately come to mind are whether the Solaris install included Update 3 and why they didn’t have any charts or graphs summarizing the information.

This is hands down one of the most fair and unbiased tests I have seen in a while, based on the information in the article.


Stefan Esser retires from PHP Security

Posted by jericho Thu, 14 Dec 2006 14:56:13 GMT

http://blog.php-security.org/archives/61-Retired-from-securityphp.net.html

Last night I finally retired from the PHP Security Response Team, which was initially my idea a few years ago. The reasons for this are many, but the most important one is that I have realised that any attempt to improve the security of PHP from the inside is futile. The PHP Group will jump into your boat as soon as you try to blame PHP’s security problems on the user, but the moment you criticize the security of PHP itself you become persona non grata. I stopped counting the times I was called an immoral traitor for disclosing security holes in PHP or for developing Suhosin (http://www.suhosin.org/). For the ordinary PHP user this means that I will no longer hide the slow response time to security holes in my advisories. It will also mean that some of my advisories will come without patches available, because the PHP Security Response Team refused to fix them for months. It will also mean that there will be a lot more advisories about security holes in PHP.

Stefan has a history of providing well written and very technical attacks against the PHP language. If he was one of the few (only?) people that cared about security, this doesn’t bode well for PHP.


Social Implications of Keysigning

Posted by jericho Tue, 23 May 2006 05:05:40 GMT

http://attrition.org/security/rant/z/keysigning.html

Social Implications of Keysigning
Raven & Jericho, Tue May 23 01:41:20 EDT 2006

The use of strong public encryption has always been popular among geeks. Perhaps the most commonly used and most beloved encryption for e-mail is Pretty Good Privacy (PGP); started as a free method for protecting emails or other sensitive information, later turned into a cornerstone for a large company. As PGP became more corporate, costly and used patented algorithms, another project, GnuPG, sprung up to continue to offer strong encryption to the masses.

One foundation of reliable encryption is trust. The use of encryption between two or more people relies on you being sure that the message you sent is properly encrypted to and able to be decrypted solely by the intended recipient. When using a friend’s GPG key, you must be sure that the key was created by and belongs solely to your friend. Otherwise, you may send mail that your friend cannot read (if they don’t have the key you encrypted to), or worse, mail that some other party can read (if that party does have the key you encrypted to).
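As an added illustration of the trust requirement described above (example code, not part of the attrition.org rant or the OSVDB post): a keyring lookup by e-mail alone can return more than one key claiming to be your friend, so the recipient key is chosen only when its fingerprint matches the one your friend confirmed out of band. The key bytes and fingerprints here are constructed stand-ins, hashed with SHA-1 to mimic the shape of an OpenPGP v4 fingerprint.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    user_id: str          # e.g. "Alice <alice@example.org>"
    key_material: bytes   # constructed stand-in for a public-key packet

    @property
    def fingerprint(self) -> str:
        # Real OpenPGP v4 fingerprints are SHA-1 over the public-key packet;
        # here the hash runs over constructed bytes, so values are samples only.
        return hashlib.sha1(self.key_material).hexdigest().upper()


def normalize_fingerprint(text: str) -> str:
    """Accept a fingerprint as read aloud or printed: any grouping, any case."""
    return re.sub(r"[^0-9A-F]", "", text.upper())


def keys_for_email(keyring, email):
    """Lookup by e-mail alone: anyone can publish a key carrying this address."""
    return [k for k in keyring if f"<{email}>" in k.user_id]


def recipient_key(keyring, email, verified_fingerprint):
    """Return the single key for `email` whose fingerprint equals the one the
    friend confirmed out of band; refuse when none (or several) match."""
    wanted = normalize_fingerprint(verified_fingerprint)
    if len(wanted) != 40:
        raise ValueError("a v4 fingerprint is 40 hex digits")
    matches = [k for k in keys_for_email(keyring, email) if k.fingerprint == wanted]
    if len(matches) != 1:
        raise LookupError(f"no unique key for {email} with fingerprint {wanted}")
    return matches[0]


# Constructed keyring: the friend's genuine key and a second key that a
# stranger published under the same name and address.
KEYRING = [
    PublicKey("Alice <alice@example.org>", b"constructed-key-alice-genuine"),
    PublicKey("Alice <alice@example.org>", b"constructed-key-published-by-stranger"),
]
```

Encrypting to whichever key `keys_for_email` returns first is the failure the text warns about; `recipient_key` only succeeds once the fingerprint has been compared with the real owner.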

[..]


Pink Hearts

Posted by jericho Tue, 14 Mar 2006 08:38:16 GMT

Maybe I am immature but does anyone else find the Hitachi Incident Response Team logo a bit amusing?

Pink hearts, yellow XSS, orange SQL, blue DoS and green overflows!


Symantec bites the hand that feeds..

Posted by jericho Wed, 07 Dec 2005 01:03:19 GMT

Just over ten years ago (95-09-15) Hobbit wrote a little tool called netcat (aka nc), swiftly dubbed the “TCP/IP Swiss Army knife”. Hobbit was affiliated with the l0pht, which was later purchased by @stake, which was later purchased by Symantec. At some point (circa 1998), Weld Pond ported the netcat utility to Windows. Weld was an original member of the l0pht and later the Director of Research and Development with @stake. Weld’s version was distributed at @stake for some time. Suffice it to say, the l0pht, @stake and its members/employees supported netcat’s use and distribution.

Jump forward to today, and Symantec now classifies netcat on a system as a High Risk Impact. As aj reznor asked, “is that to say that SYM bought a company known then for offering naughty things?” Let us also remember that Symantec owns SecurityFocus which conveniently offers the tool in their tool repository.

Also amusing are Symantec’s “technical details” for this “hacker tool”:

Hacktool.NetCat arrives as a tool commonly carried by malicious components and dropped on the compromised computer for remote exploitation.

When Hacktool.NetCat is executed, it performs the following actions:

1. Transmits data across network connections.

Yes, there is no number two on the list. Hopefully Symantec will have the foresight to classify TCP/IP stacks as “Hacktool.TCPIP” and label it a “High Risk Impact” if found on a system.


National Computer Security Day

Posted by jericho Thu, 01 Dec 2005 05:14:00 GMT

November 30th was National Computer Security Day. It came and went. Did you notice? I previously blogged about National Cyber Security Awareness Month, calling into question the value of awareness months of any kind. Awareness days are no different. As William Knowles said, “might have been national kick a penguin day, I wouldn’t have known any difference.”


Developers 'should be liable' for security holes

Posted by jericho Sun, 16 Oct 2005 09:03:10 GMT

http://news.zdnet.co.uk/software/developer/0,39020387,39228663,00.htm

Developers ‘should be liable’ for security holes
Tom Espiner, ZDNet UK, October 12, 2005, 12:15 BST

Software developers should be held personally accountable for the security of the code they write, said Howard Schmidt, former White House cybersecurity advisor, on Tuesday.

[..]

“In software development, we need to have personal quality assurances from developers that the code they write is secure,” said Schmidt, who cited the example of some developers he recently met who had created a Web application to talk to a back-end database using SSL.

[..]


National Cyber Security Awareness Month

Posted by jericho Wed, 12 Oct 2005 14:14:47 GMT

October has been named “National Cyber Security Awareness Month” by some. From a news article about this:

New York State, the University of North Carolina and the city of Charlotte, N.C., are joining the Department of Homeland Security, the National Cyber Security Alliance and numerous companies from the computer security industry to promote educational initiatives and free software giveaways to encourage the adoption of good cyber security practices in small businesses and citizens’ homes.

While security alliances, states and cities are grabbing their pom-poms, I’ll play the role of cynic. This awareness month means nothing to security companies and software developers that practice good security year round. As the article says, this awareness month is for businesses and end users, which is good in theory. But will it help? You can answer this yourself, actually. Find a friend or neighbor and ask them what other things we are supposed to be ‘aware’ of in the month of October. If your friend can’t remind you that it is National Breast Cancer Awareness Month, Domestic Violence Awareness Month, Down Syndrome Awareness Month, National Disability Employment Awareness Month, Energy Awareness Month, or Lupus Awareness Month, then this awareness month may fail too. Did you know there were more? Check out this great list of “Bizzare, Crazy, Silly, Unknown Holidays & Observances in October”.
