We have thousands of posts on a wide variety of open source and security topics, conveniently organized for searching or just browsing.
SSH is a secure replacement for telnet, rlogin, other r* and ftp protocols which handle sensitive information in an unsecure manner. Telnet broadcasts sensitive information such as usernames and passwords unencrpyted whereas SSH encrypts them, so that a malicious user trying . . .
Ah, sendmail. You either love it for being so versatile and ubiquitous, or you hate it for being bloated, complicated and insecure. Or perhaps you're a complete newcomer to the e-mail server game and would like to give sendmail a try . . .
For some time at my workplace we've been running an ad-zapping service on our web proxy. This page documents how it works, how to use it yourself, how to join the mailing list for updates of the pattern file, and the weirdnesses of our local setup (which you need not duplicate yourself).. . .
Amanda is the Advanced Maryland Automatic Network Disk Archiver, developed at the University of Maryland in the 1990s. While it is now maintained at SourceForge and support is provided only through mailing lists and a FAQ-O-MATIC, it is still a highly . . .
Microsoft and Sun Microsystems are wrestling with the latest security hole to emerge: a flaw in their Java virtual machines that could expose user data to hackers. Both Microsoft and Sun issued advisories on this latest vulnerability.. . .
In this article I discuss generalized ways to increase system and network trust. While my examples are somewhat FreeBSD-centric, they can be abstracted to almost any platform. There is a popular misconception floating around the corporate sector. Many individuals tout, UNIX is not as secure as other operating systems.. . .
You can set up your systems so Linux users can gain secure authentication against a Windows NT Domain. That way they won't need a Linux account and a separate NT Domain account. It'll make life easier for you as a network administrator and make your power users happier. . . .
A flaw in the common open-source scripting language PHP could allow attackers to crash or compromise a hefty fraction of the nine million servers running the open-source Web software Apache, as well as other Web servers. A member of the PHP engineering team warned Web developers of the software flaws in an advisory on Wednesday, but security experts believe that while some in the Internet underground have tools to exploit the flaw, few people have the resources.. . .
Web site operators who use server-side scripting software known as PHP are being urged today to upgrade to a new release that does not contain recently discovered - and apparently serious - security holes. Stefan Esser of Germany-based E-matters, a Web development company, reported that a number of memory-allocation bugs were found in PHP code that handles file uploads, also known as multipart/form-data Post requests.. . .
Multiple critical remote vulnerabilities exist in several versions of PHP. We found several flaws in the way PHP handles multipart/form-data POST requests. Each of the flaws could allow an attacker to execute arbitrary code on the victim's system.. . .
In this column, we look at insecure Web Proxy Servers; buffer overflows in ncurses, Squid, hanterm, and ripMime; and problems in gnujsp, the NetBSD kernel, jmcce, the IRIX Unified Name Service Daemon, and Chuid. Some insecurely-configured Web proxy servers can be . . .
For just about as long as the commercial Internet has existed, SPAM email has been the bane of users worldwide. The harder and harder we try to fight the spammers and keep our email addresses out of their hands, the smarter . . .
The software that runs the Internet's addressing system that helps make Web commerce and communication possible led the CERT Coordination Center's list of systems that faced serious intruder problems last year. The Internet Software Consortium's Berkeley Internet Name Domain (BIND) server . . .
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a security vulnerability in LIDS; buffer overflows in CUPS, jgroff, Sun Solstice Enterprise Master Agent, and Ettercap; and problems in Sawmill, Faq-O-Matic, pforum, GNAT, Taylor UUCP, and IRIX O2 Video.. . .
Application security is "in a grim state", according to new research. Almost half of application security vulnerabilities are readily exploitable through entirely preventable defects. The typical ebusiness application is at serious risk of compromise because of security flaws introduced early in . . .
Like most Internet protocols, the Domain Name System (DNS) began its life without many built-in security mechanisms. DNS is, after all, a global, public naming service, so you don't normally care who queries your name server for data in the zones that you are responsible for maintaining.. . .
An independent network security researcher has uncovered a new way to steal the secret browser "cookies" of Web surfers with the help of Internet servers that were never intended to communicate with browser software. The exploit, described by a researcher who uses the handle "Obscure" and posted on the Eye On Security Web (EOS) site, relies on common Internet server software other than Web servers that can "echo" hijacked submissions from HTML forms.. . .
Enter the resurrection of the TOS (trusted operating system), a relic from the early '80s developed for military and government security. Considered by many to be too expensive and complicated to implement and maintain, TOSes failed to catch on when introduced . . .
Several serious theoretical and practical security vulnerabilities, alleged GPL license violations, and more were found in Astaro "secure" Linux. Joerg Luebbert writes, "Some of the vulnerabilities might be local and some might argue about that Astaro Security Linux is a Firewall and no server... but as it uses SSHD it could always be that the "loginuser" account might have been compromised and shell access granted.". . .
With release 3.0 the OpenBSD project replaced Darren Reed's ipf software with the more license friendly pf filtering software. While pf and ipf are very similar in overall design, there are many subtle differences bewteen the two. This paper will focus . . .
Like staying secure? So do we.
Sign up for updates, tips, and alerts!
