Well, I’m getting ready for LinuxWorld/OpenSolutionsWorld next week. Not too much to do; most things I’m responsible for, I’ve taken care of. Looking forward to it. I hope people enjoy the Security Track I’ve put together. Guess I’ll know soon.

In related news, I’ve been asked back to be on the Program Committee for San Francisco as well! I’ll also be doing the Security Track again; hopefully I can make it even better.

Going to be fun!

There are a couple of new security threats out for Microsoft Windows and Internet Explorer. The primary one of concern is this one:

http://www.theregister.co.uk/2006/03/27/another_ie_security_flaw/

Basically, if you click on a malicious website, that website could run any software it wants on your computer and take it over. The reason for this warning is that there is proof of concept code out already, and that means that it is more likely that someone may actually develop a malicious program (virus/trojan) to try and take advantage of this.

Currently, there is not a patch for this. It is possible to disable ActiveX in Internet Explorer, but this will also disable a lot of functionality you may be used to.

The best protection is to not open any web links in emails sent to you, and avoid visiting websites you do not trust.

As of now, Microsoft plans to wait till April 11th before releasing a patch for this. If we are lucky, maybe they will release it earlier.

Oh, this is a good one. If you’re not familiar with RFID tags, they are tiny chips (tiny as in they can be woven into fabric so that they are invisible to careful scrutiny) that can help provide information on an item that is easily scannable by computers from a short distance.

Now, the above statement is almost correct, except that “item” should be read as meaning anything (piece of clothes, box of cereal, your pet, you) and “short distance” should mean as far as someone is willing to build their scanner to read from (think 100+ feet possible).

Well, besides the privacy concerns, now it looks like the companies that use them have to be worried. An RFID tag could contain a virus that can infect their scanning systems and the databases they connect to, and this can be spread to other RFID tags.

Here is the article from The Register

Looks like there is a bug in GPG that would allow someone to inject misc. data into a cryptographically signed or encrypted message without invalidating the signature of the message. Basically, it means that checking the signature status of a GPG email will not guarantee that the message is what the original sender sent.

Seems to affect all versions prior to 1.4.2.2; there are updates available.

More information here.

Well, SELinux has begun the long needed improvement in simplification this week. Tresys Technology (I used to work for them for about a year) has released two new tools to make SELinux Policy writing easier. They are both very early additions (consider them Beta), and they are open source.

SELinux Policy Development IDE (SLIDE)

CDS Framework IDE

The CDS IDE is more for a very targeted audience (If you don’t know what CDS means, it’s probably not a priority for you), but the other tools are a nice first step towards making Policy writing within the reach of mere mortals (and not just Policy gurus). There is still more work needed, but I think the people at Tresys know what is needed and are trying to get there in baby steps.

Well, here’s an interesting one, a cell phone Java based trojan. It’s not a huge threat at the moment (requires a lot of user interaction), but good to know about anyway:

Description of Trojan

This just means that like your normal computer, you should not open files that you don’t know about or trust 100%. It will only affect phones with Java, and only if you let it (i.e., you click on the link and say yes to it sending SMS messages).

What’s more important are the possibilities, this isn’t as much a failure of technology as a failure of user education if this goes anywhere. Get used to this, it’s the future. :-(

In case you missed it, some interesting things came out concerning Mac OS X security issues. Apparently, there is an issue where a web link or email attachment that may look like a file (say a JPEG image) can actually cause software to be run instead without a user knowing it. So, if you click on a link in Safari or an attachment in Apple Mail, instead of seeing an image as you would expect, some form of malicious code could run on your computer with full user rights (admin rights if your user has admin permissions). And there is no warning to the user. Currently there is no patch; more info here:

Unpatched Mac OS X hole poses critical risk

Advisory

Also affects Apple Mail

I should probably post these kinds of things closer to when I actually find out about them as opposed to weeks later. Still got to get used to this blog thing…

UPDATE:

They fixed the security bug, and there is now a patch available from Apple, so no worries, just update :) Article Here

I was attending ShmooCon this weekend and have to say it was one of the best conferences I’ve attended yet! Incredible show, LOTS of great info and great speakers. I learned a lot. A must do for next year. Oh, and if you don’t know, ShmooCon is an east coast hackers convention. Incredible amount of computer security knowledge at that show.

ShmooCon
