Archive for the 'Computer Security' Category

Preventing Security Threats from USB Storage Devices

For those of us working in computer security, one of the biggest threats we face today is the insider: an employee who might casually walk in with a 4 GB USB flash drive, plug it into a computer on the corporate network and walk away with valuable data. I have seen solutions ranging from expensive Intrusion Prevention Systems to disabling access to the USB drive altogether.

In the first scenario, a company might not have enough financial resources for such an expensive IPS solution. The second scenario is impossible to implement in a corporation: think about external USB keyboards, mice or an LCD screen.

Prevent a user from writing to a USB drive

In this scenario, suppose a corporation has migrated from Windows XP to Windows Vista. It does not wish to pay for an expensive solution, but it still wants to prevent users from writing to USB devices.

1. Open Notepad and copy the following

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"EncryptionContextMenu"=dword:00000001

2. Save the file as USBNoWrite_Vista.reg

Operating Systems Security: Year 2007 Vulnerability Report

This paper analyzes the vulnerability disclosures and security updates during the year 2007 for the Windows Vista operating system compared to its predecessor, Windows XP, and to other modern client operating systems: Red Hat, Ubuntu and Apple Mac OS X.

The results of this analysis, based on the Vulnerability Count metric and Days of Risk, suggest that Windows Vista is the most secure operating system when compared to the other leading desktop operating systems for the year 2007, based on its lower vulnerability profile. Windows Vista is also significantly easier to administer, both for corporate IT security teams and for individual users, based on the number of security bulletins and updates issued for it, in addition to the excellent security support provided through the Microsoft TechNet Security Center.

With the vulnerability and risk data available, I also wanted to tackle the topic of browser security. The analysis reveals that Firefox 2.x on the Ubuntu platform was the most secure browser for the year 2007 in terms of the lowest Days of Risk and vulnerability profile. While these results represent only the vulnerability dimension of security risk, they do provide insight into the aspects of security quality that are under the control of the vendors – code security quality and security response. These metrics, however, must be considered in combination with several other important qualitative factors when choosing a platform based upon security maintenance and likelihood of a security breach in your environment.

Beyond patches and vulnerabilities, there are “softer” qualities of security that are difficult to quantify but undeniably impact deployed security. Qualities like security lifecycle support, bulletin descriptiveness, default security features and the like all have a direct impact on deployed role security.

Note: This report is an update to the previously published Windows Vista One Year Vulnerability Report by Jeff Jones, a VP at Microsoft, who concluded that Windows Vista is more secure by analyzing vulnerability data of Windows Vista and other operating systems based on the first year of their operation. However, as Jeff admits, this kind of first-year analysis may be better suited to evaluating the security practices and product development methodologies of a vendor than to measuring the security of an operating system. This paper expands on his findings while following a structure similar to that of Jeff’s report, presenting a deeper level of analysis and comparison of the modern workstation operating systems using the entire 2007 vulnerability and risk data, which would more accurately reflect the “present security state” of these different operating systems.

Also, please note for non-Windows fans: this is a vulnerability report, not a ranking of the most secure operating system. Before you draw any conclusions, I have presented the data used to come to the conclusions in this paper for everyone to access. I tried my best to level the playing field by having similar components for all operating systems assessed in this report.

Most Influential People in Security

Ryan Naraine over at eweek.com has come up with an interesting list of the top 15 most influential people in Computer Security.

1. Tavis Ormandy, Google Security Team
2. Ivan Krstic, One Laptop Per Child
3. Chris Paget, IOActive, Google
4. Bunnie Huang, Bunnie Studios
5. Michal Zalewski, Google
6. Window Snyder, Mozilla
7. The MOAB Hackers
8. Dino Dai Zovi
9. Michael Howard, Microsoft
10. HD Moore, Metasploit
11. Dave Aitel, Immunity
12. Bronwen Matthews, Microsoft
13. John Pescatore, Gartner
14. Rob Thomas and Team Cymru
15. Stefan Esser, Hardened PHP Project

Check out Ryan’s list of the most influential people in Security, in this slideshow at eweek.

Important Computer Security Terms and Terminology

This article lists some Computer Security Terms and Computer Security Terminology. For anyone reading any of the computer security terms below for the first time, I highly recommend that you Google these keywords and learn more about them.

Adware: The difference between Adware and Spyware is very subtle. Both Adware and Spyware are installed on a machine without the user’s permission. Adware’s main purpose is to display targeted ads based on the user behaviour it is tracking.

It is not uncommon for people to confuse “adware” with “spyware” and “malware”, especially since these concepts overlap. For example, if one user installs “adware” on a computer, and consents to a tracking feature, the “adware” becomes “spyware” when another user visits that computer, and interacts with and is tracked by the “adware” without their consent.

Security of Open Source Software

Is Open Source Software Really more Secure?

The constant stream of attacks on Windows vulnerabilities results not solely from security holes in the operating system, but also from the ubiquity of Windows as both a client and server operating system, which makes it a prime target for anyone with malicious intent. While open source zealots declare Linux to be inherently more secure by virtue of its communal development process, Linux has yet to attain the level of success of Windows and thereby remains a lesser target to hackers, making such claims difficult to quantify fairly.

Linux market share is rapidly growing, and some claim that the operating system may become scrutinized more closely for vulnerabilities, creating the possibility of more attacks as it becomes more attractive to hackers. However, this scrutiny certainly has a benign effect, as well. Turnaround times for patches in Linux and other popular Open Source offerings have traditionally been very rapid, which allows proactive organizations and individuals to more quickly reap the benefits of a strong patch management strategy.

The security of open source software has been both idealized and made the subject of targeted disinformation.

Generally, two philosophies exist:

that open source is more secure because it is more rigorously reviewed;
and, that proprietary software is more secure because access to the source code is limited.

While seemingly contradictory, both schools of thought have validity depending on circumstances. Open source philosophy states that open source software cannot rely on obscurity for security — because the source code is transparent, security must be implemented well at the source code level. Also, open collaboration is thought to result in the earlier discovery and correction of security flaws—an aspect of the thesis that “given enough eyeballs, all bugs are shallow.”

Even the most ardent open source believers would say that neither of these two claims actually guarantees the security of all open source code. As Gartner analyst John Pescatore states,

“…just releasing source code on the Internet doesn’t mean that the software is more secure, and it often can result in less-secure software.”

Having enough eyeballs reviewing the code depends on the open source project having a strong community, with many sharp individuals contributing to reviewing the source code. Projects such as OpenSSL, Apache and the Linux kernel itself enjoy such large communities, and consequently have excellent security records. Lesser-known projects for which community enthusiasm is sparse may not deliver the same level of security.

Overall, two factors generally give open source software a greater capability to be security-hardened than proprietary software: broad community involvement and trusted certifications or evaluations, such as Common Criteria.

Conversely, in open source projects for which community enthusiasm has yet to build, proprietary software may be more secure, as well as have a richer feature set. For this reason, it is recommended that one blend open source software with proprietary offerings to adequately meet an organization’s or an individual’s desired security requirements.

For more information check out “The Benefits of Open Source,” a short excerpt from Unix System Security Tools, at:
http://www.albion.com/security/intro-7.html.
