Cron has existed in Unix and Linux environments for decades, handling backups, cleanup scripts, patching jobs, log rotation, monitoring tasks, and other maintenance work that administrators do not want to run manually. Most Linux servers rely on it c...
This guest editorial by Victor Yodaiken looks at several operating system (OS) certifications that have recently been used as ammunition against Linux by real-time OS vendors targeting the high-security and military markets. It also debunks several emotional and inflammatory arguments impugning Linux security. . . .
Gentoo has fixed a vulnerability in the 2.6 Linux kernel that could be exploited for a remote denial-of-service attack. The company calls this a "high-impact" flaw and recommends users update to newer versions of the kernel. . . .
An FTP server does the heavy lifting of security, organization, and transfer control, while clients usually just take part in saving transferred files to a specified location on your hard drive. If you are really into business and plan on spending money on your FTP server, you'll want to focus on what kind of qualities and characteristics the software provides. . . .
Linux and Unix vendors are releasing fixes for a critical bug in the popular Web server Apache that could allow attackers to crash the system or execute malicious code. The bug affects Apache 1.3.x installations configured to act as proxy servers, which relay requests between a Web browser and the Internet. When a vulnerable server connects to a malicious site, a specially crafted packet can be used to exploit the vulnerability, according to security researcher Georgi Guninski, who has publicly released exploit code. . . .
We've been trying to educate programmers about writing secure code for at least a decade and it flat-out hasn't worked. While I'm the first to agree that beating one's head against the wall shows dedication, I am starting to wonder if we've chosen the wrong wall. What's Plan B? . . .
A newly discovered security hole in Linux, published on an open source website, has raised questions about how Linux security issues should be handled. The vulnerability could allow malicious users to bring down Linux machines with just 24 lines of code, which are available from several open source websites and internet news groups. . . .
A flaw in the Linux kernel allows a 20-line C program to crash most distributions using the 2.4 and 2.6 kernels running on x86 and x86-64 architectures, according to security researchers. The problem means that anyone with an ordinary user account on a Linux machine can crash the entire server, according to Oyvind Saether, who discovered the bug along with Stian Skjelstad. Administrator access isn't required. . . .
"The program works on any normal user account, and root access is not required," Sæther reported. "This exploit has been reported used to take down several 'lame free-shell providers' servers. [Running code you know will damage a system intentionally and hacking in general] is illegal in most parts of the world and strongly discouraged." . . .
A bug lets a simple C program crash the kernel, effectively locking the whole system. It affects both 2.4.2x and 2.6.x kernels on the x86 architecture, and does not require root access. . . .
Red Hat Inc. released a spate of security advisories Wednesday, warning users of three separate buffer overflow flaws in Red Hat Enterprise Linux. The Linux distributor urged users to apply the latest patches available from Red Hat Network. . . .
Administering Linux and Unix-based servers does not need to be the scourge of your work day. With a handy tool called Webmin as part of your arsenal, you can regain complete control of your servers via the Web browser. . . .
Microsoft will not be swayed by the current industry momentum of Linux and open source, with no plans afoot to port the database to either Linux or Unix or make any SQL Server code available through an open source format, he said. . . .
Flaws in two popular source code database applications could allow attackers to access and corrupt open-source software projects, according to a security researcher. One vulnerability affects the Concurrent Versions System (CVS), an application used by many developers to store program code. The other flaw affects a newer, less widely used system known as Subversion, said Stefan Esser, the researcher who discovered the security holes. . . .
A crafty way of knocking out any email server using a few carefully constructed emails has been identified by a team of computer security experts. The trick involves sending forged emails that contain thousands of incorrect addresses in the "copy to" fields that are normally used to send duplicate messages. Researchers at UK-based NGSSoftware sent these emails to the largest email servers on the internet, and found they could force huge quantities of unwanted email to pour into another mail server of their choice. . . .
More from Laura DiDio, who tells us that many IT executives are reconsidering a move to Linux due to "a growing number of security threats and a dearth of experienced Linux administrators". Are there execs out there who consider Windows to be a more secure platform than Linux, or are they frightened by the sheer volume of patches released by the open source distributions? . . .
Red Hat Inc. took the first step this week toward the inclusion of Security Enhanced Linux in its enterprise offerings when it released Fedora Core 2, test2. The latest beta of Fedora, an openly developed and constantly changing version of Linux sponsored by the Raleigh, N.C.-based distributor, includes SE Linux and is based on the 2.6 kernel. Enterprises are unlikely to deploy Fedora for mission-critical systems, but it does serve as a proving ground for Red Hat Enterprise Linux. RHEL 4.0 is on course for an early 2005 release and is likely to include SE Linux, said Fedora technical lead Cristian Gafton. . . .
"In terms of security and man-hours to keep the network up and running, Linux is invaluable," Smith said. "Patches in the Linux world both work and leave the machine fully functional. That has not been my experience in the Windows world, where on many occasions I've had to back out a patch to regain functionality and on at least a few occasions cratered a machine by applying a patch. . . .
During the incident response process we often come across a situation where a compromised system wasn't powered off by a user or administrator. This is a great opportunity to acquire much valuable information, which is irretrievably lost after powering off. I'm referring to things such as: running processes, open TCP/UDP ports, program images which are deleted but still running in main memory, the contents of buffers, queues of connection requests, established connections and modules loaded into part of the virtual memory that is reserved for the Linux kernel. All of this data can help the investigator in offline examination to find forensic evidence. Moreover, when an incident is still relatively new we can recover almost all data used by and activities performed by an intruder. . . .
Sander Striker, a director of the Apache Software Foundation (ASF), told ServerWatch that the release was "regular" and not made in reaction to any security contingencies. However, Apache's change log shows that there are a number of security-related bug fixes and enhancements that deal with previously identified vulnerabilities. . . .
An independent study by British cyber security firm mi2g has found Apple's OS X Server, and the Berkeley Software Distribution (BSD) open source systems on which it is based, to be the most secure online server operating systems in the world, according to a recent report published . . .