Sunday, August 23. 2009
Pidgin
A new version of Pidgin came out last week. It fixes a potential issue where a remote MSN user could send a message that could execute arbitrary code on a victim's computer. This could be mitigated by only allowing people on your contacts list to contact you. This is wise behavior regardless of such flaws as this. If you allow any random person to contact you, it can be quite annoying.
The world of security has been somewhat unexciting as of late. That's probably a good thing.
Sunday, August 16. 2009
Linux Kernel privilege escalation
The most interesting security story last week was probably a new kernel privilege escalation flaw. If you simply run something like a single user desktop machine, flaws such as this aren't all that serious, as it's unlikely there are any untrusted users on your system.
Things like servers pose a much greater risk where it's likely you have untrusted users able to execute arbitrary code on the machine in question. A flaw such as this would allow such a user to run commands as root. If this is your setup, there is a possible mitigation.
Sunday, July 12. 2009
Argh, it's been way too long, and I've been way too busy
OpenSSH?
I imagine everyone has heard of the OpenSSH scare this week. Most are still keeping an ear to the ground; it looked likely to just vanish, but now it seems it may survive. It would be a serious blow to the security world if they went away, here's hoping.
Sunday, June 14. 2009
Phrack 66
Phrack 66 came out this week. If you're not aware, Phrack is the longest running hacker zine. It's impressive that after more than 20 years, it's still going.
Firefox 3.0.11
Yet another security update for Firefox was released. Be sure to update, it's important.
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.11
Sunday, June 7. 2009
.ORG DNSSEC
This week .ORG became the first TLD to sign their zone with DNSSEC:
http://blog.pir.org/?p=349
This is sort of a big deal, as most everyone agrees DNSSEC will happen in the future, but nobody has really taken any steps to make it happen. It falls in the same bucket as IPv6. It will happen, it will be nice when it does, but it's going very very slowly.
Many organizations will be watching how this goes for .ORG, if it goes well, it's quite likely DNSSEC will see rapid deployment, but if it goes bad, it may slow things even more than they currently are.
Sunday, May 31. 2009
About the only thing I've found worth mentioning from last week is about the fabled United States "Cybersecurity Coordinator", or some other fancy word people keep kicking around.
http://www.schneier.com/blog/archives/2009/05/obamas_cybersec.html
Most everyone should pay attention to this, as whatever the US ends up doing is likely going to affect most other people due to the global nature of the world.
Sunday, May 24. 2009
Things have been rather slow as of late, which is nice, as they were painfully busy previously.
Cloudy Trust?
CIO.com has a nice article that points out some of the probable flaws in cloud computing:
Cloud Security: Danger (and Opportunity) Ahead
In theory, cloud computing is a fine idea that has the potential to lower the cost of a CPU cycle dramatically. The thing nobody is really talking about yet is keeping your data secure. Right now, it would be rather unwise to presume that anything you send to the cloud won't be compromised in some way. Securing a highly multi-user environment such as this is going to pose a huge challenge. Problems nobody has even thought of are going to emerge, and it will take a great deal of cooperation and understanding to solve them. This is one of the places that Open Source style collaboration will prove to be highly useful.
Sunday, April 19. 2009
Malicious Activity grows in 2008
2008 saw a surge in malicious code activity:
http://www.net-security.org/secworld.php?id=7311
This is a disturbing trend, and for the underground, this is easy money. The threat will continue to grow until either the money dries up (unlikely) or the difficulty of exploiting this is greater than the potential gain. Right now it looks like the trend will continue for several years.
Who in the Linux world would be responsible for a worm?
Last week OSNews asked a rather interesting, but easily answered question:
OSNews Asks: Who'd Be Responsible for a Linux Conficker?
The world of Open Source security is mostly a process that happens behind the scenes, but it is quite effective. There is a wiki called OSS-Security that provides a number of links to various groups. In the event of something like a worm, the vast majority of the effort would end up happening on the Vendor Security (vendor-sec) mailing list. This is a group of trusted Open Source distributors that communicate in private in an effort to keep the end users of Open Source software secure. To date this group has been working out quite well, and the members are very used to solving security flaws in a cooperative manner. In the event of a widespread Linux worm, there would be many tired people, and quite a lot of vendor-sec emails.
Sunday, April 5. 2009
April Fools!
Probably the biggest non-story this week was the Conficker Worm not ending the world on April 1. From a security perspective, designing the worm to activate on April 1 was brilliant. The Internet is probably 90% nonsense on any given day, but April 1 pushes that dial to an 11. If you want to do something and not get the word out, do it on April 1. Had the worm actually done something interesting, would anyone believe the story?
April Fools?
The other biggest non April Fools story is probably OpenSSL 1.0.0 Beta 1 being released on April 1. OpenSSL has been at version 0.9 for as long as most people can remember. It's great to see it nearing version 1.0.0.
Sunday, March 29. 2009
Firefox Emergency
On Friday, a new version of Firefox was released. The number of hours that went into this event is amazing to even consider. For most of the week, there were various groups working non-stop to make this happen. Be sure to update your Firefox, it's pretty important.
Sunday, March 1. 2009
Open Source Security
One of the dead horses that various security folks like to beat is claiming that Open Source software is less secure because anyone can look at it and analyse its security weaknesses. So what happens when a system should be closed, but is suddenly broken open?
Marine One Data Breach
It seems that Iran (the country) may have acquired sensitive information about the helicopter the President of the United States uses. When you're an organization with virtually limitless resources, the easy solution here is probably to just get a different helicopter, but suppose something similar happens to a piece of closed source software. Now you're at an elevated level of risk because people haven't been analysing your source code for weaknesses. Any good security system should still hold up even if complete details are made public. By purposely putting the source in public view, Open Source software has a very real advantage over a similar system that relies on obscurity as a feature.
Monday, February 16. 2009
Is Open Source Software Secure?
This week there was a story posted to Slashdot titled How To Argue That Open Source Software Is Secure?. Quoting the post:
... saying that they were warned that they are dangerously insecure because they run open source operating systems or software, because 'anyone can read the code and hack you with ease.'
This issue seems to keep coming up from time to time. This argument is of course silly, and one of those "Prove it ... you can't? So it's true!" arguments. There is no way to prove that a piece of closed source software is more or less secure than a given piece of Open Source software. If you can't see the source, you can't be certain that the vendor did or didn't fix issues. You need to unconditionally trust your vendor. If the source code is wide open for anyone to see, it keeps the vendor honest. You can't sweep issues under a transparent rug. You can try, and maybe hide a few piles of dust, but the really scary piles of dirt will stick out like sore thumbs.
The issue at hand isn't whether application A is more secure than application B, but whether you trust vendor A more than vendor B.
Sunday, February 8. 2009
Wow, I've been lazy this 2009. So here goes my first blog entry of the year.
Encryption Security
With all the recent talk of encrypting hard drives, the cold boot method, and using proper passwords, this xkcd comic reminds us of the weakest link in all cryptography, the person with the password:
http://xkcd.com/538/
Running things as root is a bad idea
While I always knew this, this article still sort of blows my mind:
Windows Security Improved By Denial Of Administrative Rights
To quote the article:
... configuring users to operate without administrative rights mitigates the impact of 92% of "critical" Microsoft vulnerabilities ...
92%, that is mind boggling. It's been sound advice for a long time in the Linux world not to do things as root. I suspect if we expected everyone to be doing everything as root, virtually any minor security flaw would suddenly become a very serious matter. ... 92%! Just WOW.
Thursday, July 31. 2008
Last week wasn't very exciting as far as security issues go. I have nothing of interest to note. Next week should be quite busy though.
Black Hat and DEFCON are going on in Las Vegas. Things are expected to be very busy.
Sunday, July 20. 2008
Security Circus
By far the most entertaining story from last week was Linus giving a few choice quotes.
He does get some things right, but there's still the very real fact that security flaws let people do things they shouldn't be able to do. This adds a certain amount of danger and does require more attention than some other flaws. A nice comparison is automotive recalls. If there are two problems, one is a broken cup holder, the second makes the car explode, which do you think they'll do a recall for?
Principle of least privilege
Steve Grubb has a nice interview up on SearchEnterpriseLinux.com.
It offers some hints into some of the interesting things that have happened and can be expected in the SELinux space.