With npm v12, dependency preinstall, install, and postinstall scripts will no longer execute automatically during package installation. Script execution will require explicit approval through new controls such as npm approve-scripts, with the change ...
Starting to get worried about the exposure of those thousands of virtual servers in your data center? The bad news is no one knows for sure what security threats lurk in the virtual world. The good news is, security tools are finally starting to emerge.
Remote-Exploit has announced the release of BackTrack 2.0, a SLAX-based live CD with a comprehensive collection of security and forensics tools: After many months of work, we're finally happy enough with BackTrack to call it v.2.0 Final.
App security vendor Watchfire and anti-malware vendor Panda Software both launched web-based apps this week. Watchfire's new release, Appscan Enterprise 5, checks source code under development for security problems. The latest version includes a new
Software companies should be made liable for the security problems that arise in their products, according to security guru Bruce Schneier. In a presentation at the LinuxWorld OpenSolutions Summit, the BT Counterpane CEO said that this was the only way to help improve IT security, the effects of which were currently taken for granted.
Online criminals today know what they want, and they know where to find it: in your corporate database. Yet, despite a number of highly publicized data breaches and thefts, many enterprises still have not fully developed a database security strategy. Experts agree that database information, particularly customer lists and personal user data, is currently the most marketable and attractive target for electronic thieves. But most databases aren't ready for the onslaught of attacks they are beginning to see, the experts warn.
In October 2005, Windows expert Mark Russinovich broke the news about a truly underhanded copy-protection technology that had gone horribly wrong. Certain Sony Music CDs came with a program that silently loaded itself onto your PC when you inserted the disc into a CD-ROM drive. Extended Copy Protection (or XCP, as it was called) stymied attempts to rip the disc by injecting a rootkit into Windows
SafeNet is shipping "integrated IPSec VPN platform" software that it says supports VPN connections from next-generation mobile devices. The QuickSec 4.1 Server and Client Toolkits help developers incorporate the most current IPSec security standards, such as MobIKE, into carrier-grade security gateways, network routers, mobile VPN devices, and desktop VPN clients, according to the company.
I first touched a BSD box in around 1994, thanks to the donation of a BSD/OS system and SLIP connection from UUNet to my high school. It was love at first sight! Discovering FreeBSD not long after, I've been a regular FreeBSD user since around 1995, although I only became involved in FreeBSD development in 1999, gaining a "commit bit" to help maintain the FreeBSD portions of the Coda distributed file system, a project I had worked on while at Carnegie Mellon University. My undergraduate degree is in Logic and Computation, from CMU's philosophy department, along with a double major in Computer Science, but it became clear that my greatest interest lay in operating systems and security. After working on file system ACLs and mandatory access control for FreeBSD, I started the TrustedBSD Project in 2000, with the goal of bringing more advanced security features to the platform. In 2001, while working at Network Associates Laboratories (NAI Labs, and later McAfee Research), I proposed and became Principal Investigator on a research project as part of DARPA's CHATS research program, which was investigating security and open source. This project included sponsoring and developing UFS2, OpenPAM, the TrustedBSD MAC Framework, NSS support, PAE support, several network stack hardening projects (including syncache and syncookies for FreeBSD), GEOM, and GBDE.
You may not always be able to protect your laptop from a thief, but you can keep the data it contains safe. Two new products -- PGP Corp.'s PGP Whole Disk Encryption 9.5 and SecurStar GmbH's DriveCrypt Plus Pack 3.5 -- promise to protect your data, so that even if your computer falls into the wrong hands, its contents will remain unreadable. Both applications are easy to use and offer an impressive suite of tools, but most users will appreciate the more practical features and lower price tag of PGP's product. Both PGP and DriveCrypt offer on-the-fly, full-disk encryption, which means that they scramble all the data on your hard drive the moment you save it to disk. Both use the AES-256 algorithm, a fast, well-established and trusted mechanism for encrypting data.
OpenSSH 4.5 has just been released. It will be available from the mirrors listed at https://www.openssh.org/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.
Guardian Digital is pleased to announce the release of EnGarde Secure Community 3.0.10 (Version 3.0, Release 10). This release includes our new SELinux Control Console and our new context-sensitive Guardian Digital help system, along with bug fixes and upgrades to major applications including Apache, Postfix, and Snort. For details, see our new Community News and Upgrade page at: /modules/index/releases/3.0.10.cgi
The Atlanta-based software maker introduced several new add-ons to DevInspect 3.0, which promises to help Web applications designers locate potential flaws in their work using so-called black box testing tools in combination with source code inspection technology. By identifying and verifying exploitable security defects using the automated black box system, and scouring program source code for more common errors, the company maintains that the product provides customers with a hybrid technique for eliminating potential glitches in Web-based systems. The product also seeks to facilitate more effective communication related to vulnerability reporting and remediation between IT security specialists and software developers.
The Kanguru Bio Slider II is a USB 2.0 secure flash drive made complete with the most up-to-date biometric fingerprint technology. The drive offers a low maintenance, effortless approach to protecting and storing your data.
Seagate Technology will soon begin shipping its first hard drives with special encryption chips that will make it impossible to read data off the disk -- or even boot up a PC -- without some form of authentication. The world's largest hard drive maker said its new DriveTrust Technology, which is designed to encrypt data stored on the hard drive automatically, will require users to have a key, or password, before being able to access the drive. The new Momentus 5400 FDE.2 (Full Disk Encryption 2), geared to notebook computers, will come in several capacities, including 80 GB, 120 GB, and 160 GB. Seagate said it expects to ship the drives early next year.
Beyond displaying an extensive slate of existing Linux products, vendors at this week's InfoSecurity show pointed to possible future offerings ranging from a Linux client for a CD-ROM encryption system to a Linux-enabled all-in-one device for securing both physical access and video surveillance. In a sign of the growing convergence between information security and physical security, the InfoSecurity conference was combined this year with the East coast edition of the ISC show, another perennial event at New York City's Javits Center. Conference sessions tended to skirt matters specific to OS and interoperability, focusing instead on convergence issues such as organizational restructurings and information sharing, as well as on what general types of tools to deploy against the latest nuances in bots, pharming, and other cyberattacks.
A security flaw in the binary NVidia graphics drivers used by many Linux systems could allow an attacker to compromise, through a malicious Web page, any computer using the company's driver, security firm Rapid7 stated on Monday. The NVidia Binary Graphics Driver for Linux remains vulnerable, Rapid7 said in an advisory. The flaw had already been publicly reported, and may have been known as early as December 2004, which prompted Rapid7 to publish the issue.
I am a web application security specialist and have been referred to as a web application firewall guy. In truth, I have many diverse interests (most of them related to technology) but I tend to deal with only one at a time. We live in exciting times when there is so much to do; wherever you look there is room for improvement. My background is in software development and I have spent significant time architecting software systems. However, over the last couple of years I became focused exclusively on security. Today I am probably best known for my work on ModSecurity, which is an open source web application firewall, and my book, Apache Security, which was published by O'Reilly in 2005.
Breach Security announced the release of the ModSecurity version 2.0 open source Web application firewall. ModSecurity version 2.0 provides greater flexibility, enhanced attack detection, and support for XML and Web Services. At the same time, Breach Security is releasing the ModSecurity Console for monitoring multiple sensors and ModSecurity Core Rules that together provide easy-to-deploy baseline Web application security.
The GNU telephony project reports that GPL-licensed implementations of two key security protocols are available for use in Linux-based VoIP (voice-over-IP) devices and softphones. Additionally, a GPL-licensed softphone based on the new implementations is already available for download, testing, and use. The two new security protocol implementations are SRTP and ZRTP.