With npm v12, dependency preinstall, install, and postinstall scripts will no longer execute automatically during package installation. Script execution will require explicit approval through new controls such as npm approve-scripts, with the change ...
BitLocker uses the AES encryption algorithm in cipher-block chaining (CBC) mode with a 128-bit key, combined with the Elephant diffuser for additional disk-encryption-specific protection that AES-CBC alone does not provide.
If you aren't running Windows 7, or you want to use something other than a Microsoft product (and don't want to spend any money), TrueCrypt from the TrueCrypt Developers Association is pretty hard to beat.
PGP has been around since 2002, but the company's roots go back to 1991, when the code base for Pretty Good Privacy (PGP) was developed. Over the years, PGP has become one of the leaders in encryption technologies. The company offers a wide variety of products that help users encrypt data files, e-mails and many other types of data. For the mobile worker and the individual user, PGP Whole Disk Protection is a very good choice for protecting the data on a hard drive.
Netbook users worried about storing sensitive data on their portables are being offered the world's first whole-disk encryption that will run useably on Intel's Atom processor.
Mozilla on Friday said that it had removed two Firefox add-ons from its Web site because they installed malware. "Two add-ons in the experimental section of addons.mozilla.org were found to be containing malware," Mozilla said on its security blog. "These were not originally detected with the anti-malware scanning tools that we have been using. We have since increased the number of scanning tools, and will be taking additional steps to minimize the risk of further incidents."
After removing Google's Android driver code from the Linux kernel, Novell Fellow and Linux developer Greg Kroah-Hartman has argued that the mobile OS is incompatible with the project's main tree. Kroah-Hartman deleted the Android drivers on December 11 - Android code is no more as of version 2.6.33 of the kernel release - and yesterday, with a post to his personal blog, he explained the move in detail.
The Symbian Foundation will move forward on Thursday with offering up the full Symbian smartphone platform to open source. The Symbian 3 platform, including applications, middleware, and the kernel itself, will be offered under terms of the Eclipse Public License and other open source licenses. "You can download it, you can modify it," said Larry Berkin, head of global alliances for the foundation. Previously, only the kernel had been released as open source.
Thanks to Andreas Fabis for sending this in to us. atsec information security is pleased to announce the successful Common Criteria Certification of Red Hat Enterprise Linux Version 5.3 at EAL 4 (augmented for flaw remediation) with the Controlled Access Protection Profile (CAPP). Under Common Criteria, products are evaluated against strict standards for various features, including security functionality, development environment, security vulnerability handling, documentation of security-related topics, and product testing.
The Apache HTTP Server developers have released version 1.3.42 of the popular web server, noting that this will be the last update for the 1.3 series. The release of 1.3.42 is a bug fix and security release, with one moderate security flaw in mod_proxy fixed by preventing an integer overflow on platforms where an int is narrower than a long.
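The class of bug described above, as an added illustration in C that is not Apache's code: a length field is parsed into a long and then stored in an int, so on a platform where long is wider than int (LP64: 64-bit long, 32-bit int) a value that should be refused silently narrows to something small or negative. The hex chunk-size framing, the STAGE_BUF size, both function names and the sample lines are assumptions chosen for the demonstration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical staging buffer size for one chunk body (assumption). */
#define STAGE_BUF 8192

/* Vulnerable pattern (illustrative, not Apache's code): the hex chunk-size
 * field is parsed into a long and stored in an int without a range check.
 * Where long is wider than int, 0x100000000 survives strtol but narrows
 * to 0, so a size that should be refused looks harmless afterwards. */
int chunk_len_vulnerable(const char *line)
{
    long n = strtol(line, NULL, 16);  /* no errno or range check */
    int len = (int)n;                 /* silent narrowing conversion */
    if (len < 0)
        return -1;
    return len;                       /* caller sizes a copy from this */
}

/* Hardened version: validate the long before narrowing, and bound it by
 * what the caller can actually hold. Returns -1 on any rejection. */
int chunk_len_checked(const char *line, int max_len)
{
    char *end;
    long n;

    errno = 0;
    n = strtol(line, &end, 16);
    if (end == line)
        return -1;                    /* no hex digits at all */
    if (errno == ERANGE)
        return -1;                    /* did not even fit in a long */
    if (n < 0 || n > INT_MAX)
        return -1;                    /* cannot be represented as int */
    if (n > max_len)
        return -1;                    /* larger than the staging buffer */
    return (int)n;
}

int main(void)
{
    /* Constructed chunk-size lines as a proxy would read them. */
    const char *lines[] = { "1ff", "2000", "100000000", "ffffffffffffffffff" };
    size_t i;

    printf("sizeof(int)=%zu sizeof(long)=%zu\n", sizeof(int), sizeof(long));
    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        printf("%-20s vulnerable=%d checked=%d\n", lines[i],
               chunk_len_vulnerable(lines[i]),
               chunk_len_checked(lines[i], STAGE_BUF));
    }
    return 0;
}
```

On an LP64 build the "100000000" line shows the difference: the vulnerable path reports 0 (and would happily proceed), while the checked path rejects it because the value exceeds INT_MAX. On a 32-bit build strtol already saturates with ERANGE, which the checked path also catches; the point is that the check has to happen before the narrowing conversion, not after it.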
The recession continues to be no barrier to acquisitions with the news that PGP Corporation has reached into its pockets to buy German encryption services company TC TrustCenter. As usual, because the companies involved, including TC TrustCenter's US parent ChosenSecurity, are private, the sums involved have not been made public. The 75-person TC TrustCenter will continue as a division of PGP, however, with its own head and retaining its own branding.
VMware has advised of a number of vulnerabilities in several of its products, including ESX, Server, VirtualCenter and vCenter. According to the company, a number of the issues relate to problems in the Java Runtime Environment (JRE) and several of the 47 vulnerabilities can be used by an attacker to compromise a system.
Google is touting three new security features added to the latest version of its Chrome browser, including new protections against reflected cross-site scripting. Google has beefed up the latest version of its Chrome browser with new security protections designed to help developers build secure Websites.
Cisco, NetApp and VMware announced a project to improve the security of virtualization deployments, with a focus on isolating applications that use the same physical network, server and storage resources in multi-tenant systems.
Trusted Computer Solutions (TCS), a leading developer of cross domain and cyber security solutions, today announced that its widely adopted automated Operating System (OS) hardening tool, Security Blanket, now supports Novell SUSE as well as openSUSE and Fedora 11. The product already supports Red Hat Enterprise Linux, Solaris, and Oracle Enterprise Linux. This new version of Security Blanket also provides role-based access control (RBAC) and a Java-based administration console. By providing such broad OS support TCS is expanding its market reach into new U.S. verticals and into Europe.
Mozilla yesterday reported a "huge increase" in downloads of Firefox in Germany after that country's computer security agency urged users of Microsoft's Internet Explorer (IE) to dump the browser and run a rival instead.
An update for MIT's Kerberos 5 implementation fixes a null-pointer dereference vulnerability that allows attackers to remotely crash the Key Distribution Center (KDC). According to an advisory from MIT, sending a specially crafted client request to the KDC is all that is required to exploit the vulnerability.
Version 8.14.4 of Sendmail, the open source mail transfer agent (MTA), includes fixes for several security vulnerabilities, including some integer overflows, memory leaks and the SSL NUL character problem disclosed in mid 2009. The release also corrects a resolution error in which an apparently valid host name lookup returned a NULL pointer; this problem caused crashes on some Linux builds of the software. The update also includes a number of corrections for non-security issues.
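The NUL character problem referred to above is the class of bug in which a certificate subject name containing an embedded NUL byte is compared as a C string, so the comparison stops early and a forged name passes as a legitimate one. The following is an added illustration in C, not Sendmail's code: the struct, both function names and the constructed names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A subject name as it arrives from the certificate: an explicit length
 * plus bytes, because X.509 strings are length-prefixed and may legally
 * contain any byte, including NUL. (Struct is an assumption.) */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Vulnerable: treat the bytes as a C string. strcmp stops at the first NUL,
 * so "www.example.com\0.attacker.test" compares equal to "www.example.com". */
bool host_matches_vulnerable(const struct cert_name *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Hardened: refuse any name with an embedded NUL, require the declared
 * length to equal the expected host's length, then compare every byte. */
bool host_matches_checked(const struct cert_name *cn, const char *host)
{
    size_t hlen;

    if (memchr(cn->data, '\0', cn->len) != NULL)
        return false;                 /* embedded NUL: forged name */
    hlen = strlen(host);
    if (hlen != cn->len)
        return false;                 /* length mismatch, never a match */
    return memcmp(cn->data, host, hlen) == 0;
}

/* Constructed sample names. The forged one is what a CA would issue for
 * the attacker-controlled domain if it only validated the part after the
 * NUL; sizeof() - 1 keeps the embedded NUL inside the declared length. */
static const unsigned char forged_bytes[] = "www.example.com\0.attacker.test";
const struct cert_name forged_name = { forged_bytes, sizeof(forged_bytes) - 1 };

static const unsigned char legit_bytes[] = "www.example.com";
const struct cert_name legit_name = { legit_bytes, sizeof(legit_bytes) - 1 };

int main(void)
{
    const char *host = "www.example.com";

    printf("forged name: vulnerable=%d checked=%d\n",
           host_matches_vulnerable(&forged_name, host),
           host_matches_checked(&forged_name, host));
    printf("legit  name: vulnerable=%d checked=%d\n",
           host_matches_vulnerable(&legit_name, host),
           host_matches_checked(&legit_name, host));
    return 0;
}
```

In real code the length should come from the ASN.1 string object rather than from strlen, and the comparison should be left to the TLS library's own hostname verification (OpenSSL's X509_check_host, for example) rather than reimplemented; the point shown here is only that a length-prefixed name must never be handed to a NUL-terminated string function.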
The Apache SpamAssassin spam filter has been shipping with a rule that defined any year past 2009 as "grossly in the future" and added 3.2 to the email's spam score. The default threshold for spam is 5.0, so the error makes it much more likely that legitimate mail will be falsely marked as spam.
Fact: Everyone who patches is safer. Fact: Not everyone patches. The gap between the two facts is too deep for even security experts to explain, although they try, with theories running from the conspiratorial -- pirates hate to patch, they say, because they're afraid vendors, Microsoft mostly, will spy them out -- to the prosaic ... that people are, by nature, just lazy.