New Tool Roots Out SCO Code
With legal terms such as liability, indemnification and lawsuit as prominent themes of the LinuxWorld show here, a small software company has addressed the issue with a solution to find offensive code.
Aduva Inc., Sunnyvale, Calif., has developed a system known as OnStage that contains a feature known as SCO Check that will "conduct a complete inventory of your system and if SCO [The SCO Group] identifies some illegal code, we can do a check to find the code, identify it and then automate the replacement of that code" with Red Hat Linux or an appropriate fix, said Chris Van Tuin, director of customer service for Aduva.
In addition, Aduva also announced SoundCheck, a snippet of the OnStage technology the company is delivering for free. SoundCheck scans Linux servers and identifies potential problems, such as missing dependencies, security issues and unaccepted bug fixes that could cause application failures or security leaks. It is available for download free of charge at www.aduva.com/soundcheck.
http://www.eweek.com/article2/0,3959,1212134,00.asp
Friday, August 08, 2003
Prevent data loss on XP workstations with large hard drives
When hard drives first became standard on PCs, they were commonly only around 10 MB in size. Today, depending on your organization, you might have users with ATA hard drives sizes well in excess of 100 GB, with individual data file sizes that dwarf the hard drives of old. Unfortunately, Windows XP can encounter problems with large hard drives. To avoid losing data on large hard drives on XP workstations, you should obtain and install the latest patch from Microsoft.
What's the problem?
If you have or support systems with ATA hard drive sizes exceeding 137 GB running any version of Windows XP or XP with Service Pack 1—Home, Professional, Media Center Edition, Tablet PC Edition, or 64-bit Edition—you may be at risk from a flaw in the operating system. This flaw may become apparent when the system enters Hibernation/Standby mode or after a memory dump is written out to the disk.
It's important to note that you aren't likely to run into this problem in XP without SP1, because only SP1 has native support for drives exceeding the 137-GB limit. While support can be enabled in pre-SP1 XP installations, this isn't recommended outside a test lab.
Only ATA drives are affected by this flaw. If you're running systems exclusively with SCSI drives, you aren't at risk.
To make use of the space beyond the old 137-GB limit, Windows XP SP1 uses 48-bit logical block addressing (LBA). Unfortunately, the processes that write the memory dump and Hibernation/Standby files do not write their data to the disk using 48-bit LBA. Moreover, when a Windows XP SP1 system with 48-bit LBA enabled enters Hibernation, Windows fails to issue a flush cache command to the IDE system's cache. As a result, any information still in the cache won't be written to the disk.
There are a number of symptoms that you can watch for to determine whether you're suffering from this flaw. If your system restarts rather than waking up from Hibernation, or if you experience data corruption upon entering Hibernation/Standby mode or after a memory dump or stop error, you may be afflicted. Data corruption can manifest itself in a variety of ways including problems starting the system, shutting down the system, running programs, or opening and/or saving files.…
Windows XP Patch: Hard Disk May Become Corrupted When Entering Standby or Hibernation
http://www.microsoft.com/downloads/details.aspx?FamilyID=b997cc5f-4483-4edc-a17e-6f659a033b0d&DisplayLang=en
http://techrepublic.com.com/5102-6255-5055171.html
When hard drives first became standard on PCs, they were commonly only around 10 MB in size. Today, depending on your organization, you might have users with ATA hard drives sizes well in excess of 100 GB, with individual data file sizes that dwarf the hard drives of old. Unfortunately, Windows XP can encounter problems with large hard drives. To avoid losing data on large hard drives on XP workstations, you should obtain and install the latest patch from Microsoft.
What's the problem?
If you have or support systems with ATA hard drive sizes exceeding 137 GB running any version of Windows XP or XP with Service Pack 1—Home, Professional, Media Center Edition, Tablet PC Edition, or 64-bit Edition—you may be at risk from a flaw in the operating system. This flaw may become apparent when the system enters Hibernation/Standby mode or after a memory dump is written out to the disk.
It's important to note that you aren't likely to run into this problem in XP without SP1, because only SP1 has native support for drives exceeding the 137-GB limit. While support can be enabled in pre-SP1 XP installations, this isn't recommended outside a test lab.
Only ATA drives are affected by this flaw. If you're running systems exclusively with SCSI drives, you aren't at risk.
To make use of the space beyond the old 137-GB limit, Windows XP SP1 uses 48-bit logical block addressing (LBA). Unfortunately, the processes that write the memory dump and Hibernation/Standby files do not write their data to the disk using 48-bit LBA. Moreover, when a Windows XP SP1 system with 48-bit LBA enabled enters Hibernation, Windows fails to issue a flush cache command to the IDE system's cache. As a result, any information still in the cache won't be written to the disk.
There are a number of symptoms that you can watch for to determine whether you're suffering from this flaw. If your system restarts rather than waking up from Hibernation, or if you experience data corruption upon entering Hibernation/Standby mode or after a memory dump or stop error, you may be afflicted. Data corruption can manifest itself in a variety of ways including problems starting the system, shutting down the system, running programs, or opening and/or saving files.…
Windows XP Patch: Hard Disk May Become Corrupted When Entering Standby or Hibernation
http://www.microsoft.com/downloads/details.aspx?FamilyID=b997cc5f-4483-4edc-a17e-6f659a033b0d&DisplayLang=en
http://techrepublic.com.com/5102-6255-5055171.html
Thursday, August 07, 2003
Microsoft Windows XP Peer-to-Peer Downloads
The new Windows XP Peer-to-Peer SDK and the related Advanced Networking Pack for Windows XP will help developers create advanced networking applications. The SDK provides documentation and sample code while the Pack adds advanced networking support to the XP client, including enhanced IPv6 support, APIs for Peer-to-Peer name resolution, network graphing, grouping, and identity management. This SDK will help developers to create decentralized applications that harness the collective power of edge of the network PCs.
Microsoft Windows XP Peer-to-Peer Software Development Kit (SDK)
http://www.microsoft.com/downloads/details.aspx?FamilyId=5116A614-A487-4DFF-B384-829CD8CE977D&displaylang=en
The Windows XP Peer-to-Peer SDK provides documentation, sample code and other tools that allow developers to build peer-to-peer applications or services that capitalize on the new Advanced Networking Pack for Windows XP available for users.
Note: In order to run applications built with the Windows XP Peer-to-Peer SDK, the Advanced Networking Pack for Windows XP must be installed.
Date: July 23, 2003
Microsoft Advanced Networking Pack for Windows XP
http://www.microsoft.com/downloads/details.aspx?FamilyId=E88CC382-8CE6-4739-97C0-1A52A6F005E4&displaylang=en
The Advanced Networking Pack for Windows XP is a set of platform technologies designed to run on Windows XP to enable the use and deployment of distributed, peer-to-peer applications based on Internet standards. The update includes a new version of the IPv6 stack, including support for NAT traversal for IPv6 applications. An IPv6 firewall is included to protect the end-user's machine from unsolicited IPv6 traffic, while the peer-to-peer platform makes it simple to write distributed solutions.
Date: July 23, 2003
http://msdn.microsoft.com/library/default.asp?url=/downloads/list/winxppeer.asp
The new Windows XP Peer-to-Peer SDK and the related Advanced Networking Pack for Windows XP will help developers create advanced networking applications. The SDK provides documentation and sample code while the Pack adds advanced networking support to the XP client, including enhanced IPv6 support, APIs for Peer-to-Peer name resolution, network graphing, grouping, and identity management. This SDK will help developers to create decentralized applications that harness the collective power of edge of the network PCs.
Microsoft Windows XP Peer-to-Peer Software Development Kit (SDK)
http://www.microsoft.com/downloads/details.aspx?FamilyId=5116A614-A487-4DFF-B384-829CD8CE977D&displaylang=en
The Windows XP Peer-to-Peer SDK provides documentation, sample code and other tools that allow developers to build peer-to-peer applications or services that capitalize on the new Advanced Networking Pack for Windows XP available for users.
Note: In order to run applications built with the Windows XP Peer-to-Peer SDK, the Advanced Networking Pack for Windows XP must be installed.
Date: July 23, 2003
Microsoft Advanced Networking Pack for Windows XP
http://www.microsoft.com/downloads/details.aspx?FamilyId=E88CC382-8CE6-4739-97C0-1A52A6F005E4&displaylang=en
The Advanced Networking Pack for Windows XP is a set of platform technologies designed to run on Windows XP to enable the use and deployment of distributed, peer-to-peer applications based on Internet standards. The update includes a new version of the IPv6 stack, including support for NAT traversal for IPv6 applications. An IPv6 firewall is included to protect the end-user's machine from unsolicited IPv6 traffic, while the peer-to-peer platform makes it simple to write distributed solutions.
Date: July 23, 2003
http://msdn.microsoft.com/library/default.asp?url=/downloads/list/winxppeer.asp
What's the problem with CGI scripts?
The problem with CGI scripts is that each one presents yet another opportunity for exploitable bugs. CGI scripts should be written with the same care and attention given to Internet servers themselves, because, in fact, they are miniature servers. Unfortunately, for many Web authors, CGI scripts are their first encounter with network programming.
CGI scripts can present security holes in two ways:
They may intentionally or unintentionally leak information about the host system that will help hackers break in.
Scripts that process remote user input, such as the contents of a form or a "searchable index" command, may be vulnerable to attacks in which the remote user tricks them into executing commands.
CGI scripts are potential security holes even though you run your server as "nobody". A subverted CGI script running as "nobody" still has enough privileges to mail out the system password file, examine the network information maps, or launch a log-in session on a high numbered port (it just needs to execute a few commands in Perl to accomplish this). Even if your server runs in a chroot directory, a buggy CGI script can leak sufficient system information to compromise the host.
http://www.w3.org/Security/faq/wwwsf4.html
The problem with CGI scripts is that each one presents yet another opportunity for exploitable bugs. CGI scripts should be written with the same care and attention given to Internet servers themselves, because, in fact, they are miniature servers. Unfortunately, for many Web authors, CGI scripts are their first encounter with network programming.
CGI scripts can present security holes in two ways:
They may intentionally or unintentionally leak information about the host system that will help hackers break in.
Scripts that process remote user input, such as the contents of a form or a "searchable index" command, may be vulnerable to attacks in which the remote user tricks them into executing commands.
CGI scripts are potential security holes even though you run your server as "nobody". A subverted CGI script running as "nobody" still has enough privileges to mail out the system password file, examine the network information maps, or launch a log-in session on a high numbered port (it just needs to execute a few commands in Perl to accomplish this). Even if your server runs in a chroot directory, a buggy CGI script can leak sufficient system information to compromise the host.
http://www.w3.org/Security/faq/wwwsf4.html
Tuesday, August 05, 2003
SCO's Smoking-Gun Tour
Is SCO's smoking gun against IBM a sheet of 8 x 11 paper with pertinent lines of programming highlighted in red and blue?
This code, which was allegedly lifted almost verbatim from Unix to Linux, belongs to a large unnamed hardware vendor that isn't IBM, according to SCO, which was waving it around late in July.
But SCO argues it is evidence that many companies are violating its intellectual property, says Chris Sontag, general manager for SCO's SCOsource unit. SCO acquired not just the source code for Unix System 5 from AT&T years ago—but the contracts that pertain to its use by commercial software and hardware makers.
Sontag is making the rounds with press and analysts, arguing IBM is the "ringleader," something akin to an industrywide porting of Unix to Linux without permission.
His presentation boils down to this: IBM "donated" some of the functionality from its own Unix variant, known as AIX, to Linux version 2.4 and beyond. This helped the open-source software grow to handle nonuniform memory access (NUMA), journal file system and other important features for an operating system asked to be a workhorse of enterprise computers. "How did this happen in that short of time?" asks Sontag. "A third or more of the Linux 2.4 kernel is at issue."
According to Sontag, IBM, along with other vendors, gave Linux a helping hand and violated a "derivatives clause" in the contracts for using Unix System 5. The contracts appear to say the source code can be only used for internal purposes and can't be redistributed elsewhere.
http://www.baselinemag.com/article2/0,3959,1208916,00.asp
Is SCO's smoking gun against IBM a sheet of 8 x 11 paper with pertinent lines of programming highlighted in red and blue?
This code, which was allegedly lifted almost verbatim from Unix to Linux, belongs to a large unnamed hardware vendor that isn't IBM, according to SCO, which was waving it around late in July.
But SCO argues it is evidence that many companies are violating its intellectual property, says Chris Sontag, general manager for SCO's SCOsource unit. SCO acquired not just the source code for Unix System 5 from AT&T years ago—but the contracts that pertain to its use by commercial software and hardware makers.
Sontag is making the rounds with press and analysts, arguing IBM is the "ringleader," something akin to an industrywide porting of Unix to Linux without permission.
His presentation boils down to this: IBM "donated" some of the functionality from its own Unix variant, known as AIX, to Linux version 2.4 and beyond. This helped the open-source software grow to handle nonuniform memory access (NUMA), journal file system and other important features for an operating system asked to be a workhorse of enterprise computers. "How did this happen in that short of time?" asks Sontag. "A third or more of the Linux 2.4 kernel is at issue."
According to Sontag, IBM, along with other vendors, gave Linux a helping hand and violated a "derivatives clause" in the contracts for using Unix System 5. The contracts appear to say the source code can be only used for internal purposes and can't be redistributed elsewhere.
http://www.baselinemag.com/article2/0,3959,1208916,00.asp
Even Antivirus Scanners Make Mistakes
Security fundamentally requires trust. You can't function without trusting some other users and some programs. On the other hand, you can't completely trust everything, and that includes normally trustworthy software, such as Symantec's Norton AntiVirus.
http://security.ziffdavis.com/article2/0,3973,1203522,00.asp
Security fundamentally requires trust. You can't function without trusting some other users and some programs. On the other hand, you can't completely trust everything, and that includes normally trustworthy software, such as Symantec's Norton AntiVirus.
http://security.ziffdavis.com/article2/0,3973,1203522,00.asp
Microsoft Security Bulletin MS03-026 Print
Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
Originally posted: July 16, 2003
Revised: July 21, 2003
Summary
Who should read this bulletin: Users running Microsoft ® Windows ®
Impact of vulnerability: Run code of attacker’s choice
Maximum Severity Rating: Critical
Recommendation: Systems administrators should apply the patch immediately
End User Bulletin: An end user version of this bulletin is available at:
http://www.microsoft.com/security/security_bulletins/ms03-026.asp.
Affected Software:
Microsoft Windows NT® 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server™ 2003
Not Affected Software:
Microsoft Windows Millennium Edition
Microsoft originally released this bulletin and patch on July 16, 2003 to correct a security vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. The patch was and still is effective in eliminating the security vulnerability. However, the “mitigating factors” and “workarounds” discussions in the original security bulletin did not clearly identify all of the ports by which the vulnerability could potentially be exploited. We have updated this bulletin to more clearly enumerate the ports over which RPC services can be invoked, and to ensure that customers who have chosen to implement a workaround before installing the patch have the information that they need to protect their systems. Customers who have already installed the patch are protected from attempts to exploit this vulnerability, and need take no further action.
Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.
There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on RPC enabled ports. This interface handles DCOM object activation requests that are sent by client machines to the server. An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system. The attacker would be able to take any action on the system, including installing programs, viewing changing or deleting data, or creating new accounts with full privileges.
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp
Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
Originally posted: July 16, 2003
Revised: July 21, 2003
Summary
Who should read this bulletin: Users running Microsoft ® Windows ®
Impact of vulnerability: Run code of attacker’s choice
Maximum Severity Rating: Critical
Recommendation: Systems administrators should apply the patch immediately
End User Bulletin: An end user version of this bulletin is available at:
http://www.microsoft.com/security/security_bulletins/ms03-026.asp.
Affected Software:
Microsoft Windows NT® 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server™ 2003
Not Affected Software:
Microsoft Windows Millennium Edition
Microsoft originally released this bulletin and patch on July 16, 2003 to correct a security vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. The patch was and still is effective in eliminating the security vulnerability. However, the “mitigating factors” and “workarounds” discussions in the original security bulletin did not clearly identify all of the ports by which the vulnerability could potentially be exploited. We have updated this bulletin to more clearly enumerate the ports over which RPC services can be invoked, and to ensure that customers who have chosen to implement a workaround before installing the patch have the information that they need to protect their systems. Customers who have already installed the patch are protected from attempts to exploit this vulnerability, and need take no further action.
Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.
There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on RPC enabled ports. This interface handles DCOM object activation requests that are sent by client machines to the server. An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system. The attacker would be able to take any action on the system, including installing programs, viewing changing or deleting data, or creating new accounts with full privileges.
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp
Monday, August 04, 2003
Attack bot strikes Windows flaw
Online vandals are using a program to compromise Windows servers and remotely control them through Internet relay chat (IRC) networks, system administrators said Saturday.
Several programs, including one that exploits a recent vulnerability in computers running Windows, have been cobbled together to create a remote attack tool. The tool takes commands from an attacker through the IRC networks and can scan for and compromise computers vulnerable to the recently discovered flaw in Windows.
Files left behind on a compromised server by the worm were posted to a security mailing list. Computer security company Symantec analyzed the files and determined that what was first thought to be a worm was actually an attack program.
Based on our analysis, the threat does not appear to be a worm," said Oliver Friedrichs, senior manager for Symantec's security response team. "It doesn't go and try to spread." Friedrichs was in Las Vegas attending the Black Hat Briefings and DefCon hacking conferences.
The ability to spread automatically is the hallmark of a computer worm. The collection of programs that Symantec analyzed is a tool that compromises computers and is referred to as an autorooter. It also acts like an IRC bot, listening to specific channels on the chat network and taking commands from attackers via IRC.
The initial post describing what security researchers thought might be a worm appeared at 10 a.m. PDT Saturday on the Full-Disclosure security list.
The tool consists of six files that work together to find vulnerable systems and attack them. Ever since the Windows flaw was announced, security researchers widely expected a worm to be written to exploit it. The IRC bot is one step removed from a worm and less disruptive.
This bot compromises computers using a flaw that Microsoft warned the public about on July 16.
The flaw is in the distributed component object model (DCOM) interface, a part of the OS that allows other computers to request the system to perform an action or service. The object, known as the remote procedure call (RPC) process, facilitates activities such as sharing files and allowing others to use the computer's printer. By sending too much data to the DCOM interface, an attacker can cause the system to grant full access to the computer.
A week ago, hackers from the Chinese X-Focus security group publicly posted a program to several security lists designed to allow an intruder to use the vulnerability to break into Windows computers. The Windows flaw has been characterized by some security experts as the most widespread ever found in Windows. In the past week, security researchers and hackers have been refining the exploit code.
That program is one of the six that make up the tool. The files include rpc.exe, rpctest.exe, tftpd.exe, worm.exe, lolx.exe and dcomx.exe. Although one of the programs sports the name "worm.exe," the resulting set of files is not a worm, because it doesn't spread automatically, Friedrichs said.
http://zdnet.com.com/2100-1105_2-5059263.html
Online vandals are using a program to compromise Windows servers and remotely control them through Internet relay chat (IRC) networks, system administrators said Saturday.
Several programs, including one that exploits a recent vulnerability in computers running Windows, have been cobbled together to create a remote attack tool. The tool takes commands from an attacker through the IRC networks and can scan for and compromise computers vulnerable to the recently discovered flaw in Windows.
Files left behind on a compromised server by the worm were posted to a security mailing list. Computer security company Symantec analyzed the files and determined that what was first thought to be a worm was actually an attack program.
Based on our analysis, the threat does not appear to be a worm," said Oliver Friedrichs, senior manager for Symantec's security response team. "It doesn't go and try to spread." Friedrichs was in Las Vegas attending the Black Hat Briefings and DefCon hacking conferences.
The ability to spread automatically is the hallmark of a computer worm. The collection of programs that Symantec analyzed is a tool that compromises computers and is referred to as an autorooter. It also acts like an IRC bot, listening to specific channels on the chat network and taking commands from attackers via IRC.
The initial post describing what security researchers thought might be a worm appeared at 10 a.m. PDT Saturday on the Full-Disclosure security list.
The tool consists of six files that work together to find vulnerable systems and attack them. Ever since the Windows flaw was announced, security researchers widely expected a worm to be written to exploit it. The IRC bot is one step removed from a worm and less disruptive.
This bot compromises computers using a flaw that Microsoft warned the public about on July 16.
The flaw is in the distributed component object model (DCOM) interface, a part of the OS that allows other computers to request the system to perform an action or service. The object, known as the remote procedure call (RPC) process, facilitates activities such as sharing files and allowing others to use the computer's printer. By sending too much data to the DCOM interface, an attacker can cause the system to grant full access to the computer.
A week ago, hackers from the Chinese X-Focus security group publicly posted a program to several security lists designed to allow an intruder to use the vulnerability to break into Windows computers. The Windows flaw has been characterized by some security experts as the most widespread ever found in Windows. In the past week, security researchers and hackers have been refining the exploit code.
That program is one of the six that make up the tool. The files include rpc.exe, rpctest.exe, tftpd.exe, worm.exe, lolx.exe and dcomx.exe. Although one of the programs sports the name "worm.exe," the resulting set of files is not a worm, because it doesn't spread automatically, Friedrichs said.
http://zdnet.com.com/2100-1105_2-5059263.html
Patch your software--it'll help secure the Net
When a security researcher or vendor first releases information about a software vulnerability, the clock starts ticking. How long will it be until a malicious user takes advantage of it?
According to Gerhard Eschelbeck, CTO of computer security company Qualys, not very long. He says that, for about 80 percent of publicly known vulnerabilities, exploit code (such as a worm or virus) appears within 60 days of their announcement.
THIS INFORMATION was presented by Eschelbeck at last week's Black Hat USA 2003 conference in Las Vegas, as part of his Law of Vulnerability project. The project is the result of about a year's worth of analysis of the company's extensive vulnerability database.
Eschelbeck's findings give validity to what security experts have been saying for years: There's a limited window between the time a vulnerability is announced and when a patch must be applied.
If home users and corporate system administrators don't already know how important it is to apply fixes as soon as they're available, now there's concrete data to prove it. Eschelbeck's research should also help sys admins justify the time and expense of implementing these patches to their bosses--and thus shorten the life of destructive worms and viruses.
After discussing the "60-day rule," Eschelbeck went on to present another key point from the Law of Vulnerability project: Half of all affected systems are patched within 30 days of the vulnerability's announcement--while the other half remain open to attack.
These unpatched systems keep vulnerabilities--and the worms and viruses that take advantage of them--alive on the Internet long after they're released. As an example, Eschelbeck cited the MS Index Server vulnerability that gave rise to Code Red in 2001. Code Red disappeared for a while, but now is back thanks to the recent appearance of unpatched installations of the server software.
JOINING ESCHELBECK at the Black Hat session were several other security experts, including Black Hat Briefings CEO Jeff Moss and BindView's Mark Loveless (aka Simple Nomad). Loveless pointed out that along with public announcements, malicious users find out about unannounced or recently announced vulnerabilities through an online "black market."
This means malicious users may know about even more vulnerabilities than many security experts or the general public, and underscores the need for software developers to hold off on releasing products until they are truly secure.
http://www.zdnet.com/anchordesk/stories/story/0,10738,2914418,00.html
When a security researcher or vendor first releases information about a software vulnerability, the clock starts ticking. How long will it be until a malicious user takes advantage of it?
According to Gerhard Eschelbeck, CTO of computer security company Qualys, not very long. He says that, for about 80 percent of publicly known vulnerabilities, exploit code (such as a worm or virus) appears within 60 days of their announcement.
THIS INFORMATION was presented by Eschelbeck at last week's Black Hat USA 2003 conference in Las Vegas, as part of his Law of Vulnerability project. The project is the result of about a year's worth of analysis of the company's extensive vulnerability database.
Eschelbeck's findings give validity to what security experts have been saying for years: There's a limited window between the time a vulnerability is announced and when a patch must be applied.
If home users and corporate system administrators don't already know how important it is to apply fixes as soon as they're available, now there's concrete data to prove it. Eschelbeck's research should also help sys admins justify the time and expense of implementing these patches to their bosses--and thus shorten the life of destructive worms and viruses.
After discussing the "60-day rule," Eschelbeck went on to present another key point from the Law of Vulnerability project: Half of all affected systems are patched within 30 days of the vulnerability's announcement--while the other half remain open to attack.
These unpatched systems keep vulnerabilities--and the worms and viruses that take advantage of them--alive on the Internet long after they're released. As an example, Eschelbeck cited the MS Index Server vulnerability that gave rise to Code Red in 2001. Code Red disappeared for a while, but now is back thanks to the recent appearance of unpatched installations of the server software.
JOINING ESCHELBECK at the Black Hat session were several other security experts, including Black Hat Briefings CEO Jeff Moss and BindView's Mark Loveless (aka Simple Nomad). Loveless pointed out that along with public announcements, malicious users find out about unannounced or recently announced vulnerabilities through an online "black market."
This means malicious users may know about even more vulnerabilities than many security experts or the general public, and underscores the need for software developers to hold off on releasing products until they are truly secure.
http://www.zdnet.com/anchordesk/stories/story/0,10738,2914418,00.html
Music Downloading, File-sharing and Copyright: A Pew Internet Project Data Memo
More than two-thirds of Americans who swap songs online don't care whether the music is copyrighted, according to a study, despite the record industry's antipiracy crackdown.
The struggle to enforce copyright laws in the digital age continues to be an uphill battle for content owners. Data gathered from Pew Internet & American Life Project surveys fielded during March - May of 2003 show that a striking 67% of Internet users who download music say they do not care about whether the music they have downloaded is copyrighted. A little over a quarter of these music downloaders - 27% - say they do care, and 6% said they don’t have a position or know enough about the issue.
The number of downloaders who say they don’t care about copyright has increased since July-August 2000, when 61% of a smaller number of downloaders said they didn’t care about the copyright status of their music files.
Of those Internet users who share files online (such as music or video) with others, 65% say they do not care whether the files they share are copyrighted or not. Thirty percent say they do care about the copyright status of the files they share, and 5% said they don’t know or don’t have a position.
http://www.pewinternet.org/reports/toc.asp?Report=96
More than two-thirds of Americans who swap songs online don't care whether the music is copyrighted, according to a study, despite the record industry's antipiracy crackdown.
The struggle to enforce copyright laws in the digital age continues to be an uphill battle for content owners. Data gathered from Pew Internet & American Life Project surveys fielded during March - May of 2003 show that a striking 67% of Internet users who download music say they do not care about whether the music they have downloaded is copyrighted. A little over a quarter of these music downloaders - 27% - say they do care, and 6% said they don’t have a position or know enough about the issue.
The number of downloaders who say they don’t care about copyright has increased since July-August 2000, when 61% of a smaller number of downloaders said they didn’t care about the copyright status of their music files.
Of those Internet users who share files online (such as music or video) with others, 65% say they do not care whether the files they share are copyrighted or not. Thirty percent say they do care about the copyright status of the files they share, and 5% said they don’t know or don’t have a position.
http://www.pewinternet.org/reports/toc.asp?Report=96
Subscribe to:
Posts (Atom)
Posts
