Feed aggregator
HP To Acquire Code Security Software Maker Fortify
LinuxSecurity.com: Hewlett-Packard will acquire Fortify Software to gain possession of its ability to perform analysis on source code to detect security risks and exposures.
Adobe out-of-cycle Updates, (Wed, Aug 18th)
UPDATE
Looks like some patches have already been released. More details can be found here ...
The Daily Start-Up: Software Security Heats Up
LinuxSecurity.com: The software security sector continues to show vibrant M&A activity, with big companies like Hewlett-Packard trying to become a one-stop shop for all of their customers' technology needs, VentureWire reports. HP yesterday said it purchased Fortify Software Inc., a venture-backed maker of software-
Skeletons Hidden in the Linux Closet: r00ting your Linux Desktop for Fun and Profit
A couple of months ago, while working on Qubes GUI virtualization, Rafal has come up with an interesting privilege escalation attack on Linux (a user-to-root escalation), that exploits a bug in... well, actually it doesn't exploit any concrete bug, which makes it so much more interesting.
The attack allows an (unprivileged) user process that has access to the X server (so, any GUI application) to unconditionally escalate to root (but again, it doesn't take advantage of any bug in the X server!). In other words: any GUI application (think e.g. a sandboxed PDF viewer), if compromised (e.g. via a malicious PDF document), can bypass all of Linux's fancy security mechanisms, escalate to root, and compromise the whole system. The attack even allows escaping from SELinux's "sandbox -X" jail. To make it worse, the attack has been possible for at least several years, most likely since the introduction of kernel 2.6.
You can find the details of the attack, as well as the discussion of possible solutions, including the one that has eventually been implemented, in Rafal's paper.
One important aspect the attack demonstrates is how difficult it is to bring security to a desktop platform, where one of the biggest challenges is to let applications talk to the GUI layer (e.g. the X server in the case of Linux), which usually involves a very fat GUI protocol (think the X protocol, or the Win32 GUI API) and a very complex GUI server, while at the same time keeping things secure. This was one of the key priorities for us when designing the Qubes OS architecture. (So, we believe Qubes is much more secure than other sandboxing mechanisms, such as BSD jails or SELinux-based sandboxes, because it not only eliminates kernel-level exploits, but also dramatically slims down GUI-level attacks.)
The kernel-level "patch" was implemented last week by Linus Torvalds, and pushed upstream into recent stable kernels. RedHat has also released an advisory for this attack, where they rated its severity as "high".
ps. Congrats to Brad Spengler for some good guessing :)
SELinux sandboxing for Linux app security #LinuxCon
LinuxSecurity.com: SELinux is a great way to limit the access rights/roles on a Linux machine. But how do you limit CPU or memory usage of a given application? Red Hat engineer Dan Walsh has a solution that he calls SELinux Sandbox which he demoed at the LinuxCon conference today.
Hackers Are Security VARs' New Competitors
LinuxSecurity.com: Hackers, malware writers and online criminal elements have operated like businesses for some time. Now, according to research by Kaspersky Lab, these black hat organisations are expanding to include technical support and customer service for their victims. In a way, they're beginning to mimic security solution providers.
Smartphone Smudges Create Security Risk
LinuxSecurity.com: A clever feature of smartphones running Google's Android operating system is the gesture unlocking method, in which users choose a custom security pattern by selecting dots from a three-by-three grid entered via fingertip. But researchers recently showed how ordinary screen smudges that result from inputting the gesture can be used by a hacker to easily deduce the pattern.
New Hacker Technology Exposes Weak Passwords
LinuxSecurity.com: Bank accounts and personal information online are at greater risk than ever thanks to "hopelessly inadequate" passwords and brute force tactics used by hackers.
Dashboard View Improves Security
LinuxSecurity.com: As a high-profile, Washington-based think tank, the Center for American Progress takes strong positions on hot-button topics, such as health care reform, the Middle East and the state of the economy. With John Podesta, former chief of staff to former President Bill Clinton as its president and CEO, CAP remains firmly planted on the left side of the political equation.
Linux Full Disk Encryption
LinuxSecurity.com: Linux Full Disk Encryption (LFDE) is a tool designed to provide Linux with a means to do true full disk encryption (FDE).
Social Engineering: Why Employees Are Your Security
LinuxSecurity.com: In the enterprise data security chain, human beings often prove to be the weakest link. Using social engineering tactics, thieves can frequently gain secret information about a company's systems simply by asking. To prevent this, not only must employees be trained, but systems must be changed to reinforce the policies employees have learned.
Do you like Bing? So do the RogueAV guys!, (Tue, Aug 17th)
In June and July I posted two diaries (http://isc.sans ...
Blind Elephant: A New Web Application Fingerprinting Tool, (Mon, Aug 16th)
During Black Hat USA 2010, Patrick Thomas presented a new web application fingerprinting tool c ...
We have reports of AVG reporting a trojan downloader on our main page and RSS feed: it is due to the code snippet we are showing in one of our diaries, (Mon, Aug 16th)
----
Raul Siles
Founder and Senior Security Analyst with Taddong
www.taddong ...
The Strange Case of Doctor Jekyll and Mr. ED, (Fri, Aug 13th)
About a year ago, I wrote a diary here at the ISC called Putting the ED back in ...
What's a hacker's biggest fear?
LinuxSecurity.com: Hackers. Faceless people who deface government Web sites, who can peek into your computer without you knowing. What are they like? Forbes India asked Akash Mahajan, a Certified Ethical Hacker, for a few insights into the shadowy world.
Black hats winning: Symantec
LinuxSecurity.com: Traditional security technologies are losing the battle against the black hats and malicious code writers, according to digital security specialists Symantec. In a mid-year review of their IT security risks and predictions made early in 2010, Symantec has warned that there are simply too many new cyber threats out there for traditional automated systems to catch.
Advanced plug-in blocking appears in Chrome dev
LinuxSecurity.com: A new method for blocking approved plug-ins from third-party sources appeared in the developer's version of Google's Chrome browser. Available on Friday for Windows, Mac, and Linux, Google Chrome dev 6.0.490.1 includes numerous bug fixes and introduces the Click-to-Play feature for more finely tuned plug-in control.
NTLM authentication: still broken after all these years
LinuxSecurity.com: A 15-year-old vulnerability in technology used to authenticate users on Windows and Unix networks continues to put the organizations that rely on it at risk, a security researcher said on Thursday.
Chrome extension forces secure Google searches
LinuxSecurity.com: Google now offers an extension for Chrome that automates the process of adding the secure Google search site as a search engine to the Chrome 6.x branch. Google SSL Web Search is an extension, still in beta, that works with Chrome 6.0.419.0 and later on Windows and Linux computers.
