SECURITY FLAWS SLOW TO DISAPPEAR
[from the BLACK HAT Conference]
Security flaws have a half-life, just like radioactive materials, according to new research unveiled at the Black Hat security meetings being held in Las Vegas. Rather than disappear entirely, security vulnerabilities only degrade in danger over time, said Gerhard Eschelbeck, the chief technology officer of Qualys, a vulnerability assessment and management firm, in a presentation at the Black Hat Briefings, a conference of software and security experts currently under way.
Based on analysis of 1.24 million vulnerabilities scanned over an 18-month period, Eschelbeck's research laid out what he called the "Laws of Vulnerabilities", a group of observations about security flaws' behaviour and longevity. Critical vulnerabilities, such as SQL Slammer, Code Red, and the in-the-news Microsoft Windows DCOM Remote Procedure Call vulnerability, have a half-life of 30 days, Eschelbeck said.
"Typically, within the first 30 days, only about 50 percent of the vulnerable systems are patched," said Eschelbeck. "That's a pretty reasonable response when you think about it," he added, but also noted that the data was a bit disappointing. "I'm not surprised by the behaviour [of companies patching slowly]," he said, "but I expected the half-life to be shorter." In a presentation at Black Hat, Eschelbeck urged security firms and software companies to make an effort to drive down that half-life, and set a goal of 15 to 20 days by this time next year.
Another factor which may contribute to the 'half-life' phenomenon is that companies continue to bring online servers running older editions of operating systems or other software, which may be vulnerable because updates haven't been done.
The half-life analogy means that some vulnerabilities never disappear entirely. "In the second 30 days, another 50 percent of the vulnerable systems are patched," he said, "and another 50 percent in the 30 days after that. And so on and so on. It's like stepping half the distance to a door; theoretically, you never reach it."
The impossibility of eradicating a prominent, high-profile vulnerability, he said, is what drives another phenomenon: persistence.
Code Red, which wreaked havoc in 2001, is a good example. Even though it's fallen out of the public, and IT, eye, it's not gone. In fact, it's coming back, albeit in a slight way. "From April of 2002 to June of 2003, the data shows that Code Red vulnerabilities actually increased about five percent."
Vulnerabilities lower on the threat food chain, however, have a half-life double that of more critical flaws, because companies and organisations patch the most serious vulnerabilities first, then leave those they view as less dangerous for later, Eschelbeck said. "The lower the degree [of the vulnerability] the longer the half-life."
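The half-life model behind Eschelbeck's figures can be turned into a small remediation-tracking tool. The following is an added example, not Qualys's code: it fits a half-life to a constructed series of periodic scan counts (the numbers are made up to roughly follow the 30-day figure quoted above), projects how long the installed base stays exposed, and flags the Code Red case where the vulnerable population grows instead of shrinking.

```python
"""Half-life model of vulnerability remediation (added example, not Qualys's code).

With a half-life h, the number of unpatched systems t days after disclosure
is roughly N(t) = N0 * 2**(-t/h). Given a series of periodic scan counts we
can estimate h from the data and project how long exposure persists.
"""
import math

# Constructed scan series: (days since disclosure, hosts still vulnerable).
# Made-up values that follow a ~30-day half-life with a little noise.
CRITICAL_SCANS = [(0, 1000), (15, 720), (30, 495), (45, 360), (60, 250), (90, 128)]


def remaining_fraction(days, half_life):
    """Fraction of the originally vulnerable systems still unpatched after `days`."""
    return 2 ** (-days / half_life)


def estimate_half_life(scans):
    """Least-squares fit of log2(count) against days; the slope is -1/half_life.

    Scans that report zero vulnerable hosts cannot be logged and are dropped.
    Raises ValueError when the population is not shrinking (no half-life).
    """
    pts = [(t, math.log2(n)) for t, n in scans if n > 0]
    if len(pts) < 2:
        raise ValueError("need at least two non-zero scan points")
    count = len(pts)
    mean_t = sum(t for t, _ in pts) / count
    mean_y = sum(y for _, y in pts) / count
    sxx = sum((t - mean_t) ** 2 for t, _ in pts)
    sxy = sum((t - mean_t) * (y - mean_y) for t, y in pts)
    slope = sxy / sxx
    if slope >= 0:
        raise ValueError("vulnerable population is not shrinking; no half-life")
    return -1 / slope


def days_to_remediate(target_fraction_patched, half_life):
    """Days until the given fraction of systems has been patched (e.g. 0.9)."""
    if not 0 < target_fraction_patched < 1:
        raise ValueError("target must be strictly between 0 and 1")
    return -half_life * math.log2(1 - target_fraction_patched)


if __name__ == "__main__":
    h = estimate_half_life(CRITICAL_SCANS)
    print(f"estimated half-life: {h:.1f} days")
    for frac in (0.5, 0.9, 0.99):
        print(f"{frac:.0%} patched after {days_to_remediate(frac, h):.0f} days")
    # Lower-severity flaws: the article says the half-life roughly doubles.
    print(f"lower-severity 90% point: {days_to_remediate(0.9, 2 * h):.0f} days")
```

Running the same fit over your own scanner's per-vulnerability counts gives the metric Eschelbeck proposes driving toward 15 to 20 days.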
Among his other 'laws' are ones that describe the prevalence and exploitation of vulnerabilities. Half of the most common, and threatening, security holes are regularly refreshed annually with new vulnerabilities by attackers. And exploits for the bulk of vulnerabilities--80 percent--are available within 60 days of the flaw becoming known.
In response to the data it's collected and analysed, Qualys debuted a top 10 list of vulnerabilities that's updated daily, and so shows a real-time snapshot of the most prominent, and potentially dangerous, vulnerabilities. Called the Real-Time Top 10 Vulnerabilities (RV10), the list is posted on the Qualys Web site.
A recent list included the Microsoft DCOM RPC vulnerability -- the one that has government officials and security researchers concerned -- as well as four others relating to Microsoft products. Other vulnerabilities on the top 10, which isn't ranked, include one for the Apache Web server and another for the Sendmail email server. "Until our research, there was only anecdotal data on which vulnerabilities were most critical and prevalent," claimed Eschelbeck. "There was nothing to back it up. But this is an opportunity to predict the most prevalent vulnerabilities. With RV10, we're trying to give guidance on those vulnerabilities which are the most likely to be exploited."
The Windows DCOM RPC vulnerability deserves special attention, said Eschelbeck -- repeating what almost every other security expert has said over the past week -- because of the speed with which it climbed the RV10 charts since its 16 July disclosure. "Within two days, it was in the top 10, and within four, it was the top vulnerability," he said.
NEW MOTHERBOARDS COMPARED
If you're looking to build a system around Intel's new 875P chipset, you've come to the right place. These new boards are speedy and feature-packed. But there are real differences between the 8 top motherboards. So we've brought all of our reviews into a single place, to help you get the most out of these high-end, but not high-priced components.
We start off with a look at the chipset and the architecture, and then look at a quick summary of the capabilities and features of each product. In the past few months, we've reviewed eight different 875P motherboards:
*Abit IC7-G
*Aopen AX4C Max
*Asus P4C800 Deluxe
*DFI Lanparty Pro875
*Gigabyte 8KNXP Ultra
*Intel D875PBZ
*MSI 875P Neo-FIS2R
*Soyo P4I875P Dragon 2 Pentium 4 Motherboard
We first present a summary of each board, and then compare all eight on performance using a 3.06GHz CPU. Finally we bring you a combined look at our pros/cons and score, and then end with our recommendations of which ones to purchase.
Reshaping the Desktop PC Landscape.
It must frustrate Intel's competitors that the Santa Clara chip company gets substantial credit for bringing key PC technologies to the desktop. After all, dual-channel DDR support first arrived in the nForce2 chipset for the Athlon XP. Via shipped AGP 8x support for both Athlon XP and Pentium 4 systems long before it was part of Intel's mainstream. But when Intel begins adding key technologies to desktop PCs, the industry -- and potential customers -- sit up and take notice.
It's also interesting that Intel was able to respond to competitive pressures quickly enough to add DDR400 to their product support mix. Late last year, it really appeared that DDR400 would be a niche product, while DDR333 (PC2700) looked to be the mainstream choice. In fact, publicly available product roadmaps showed Intel processors supporting a 667MHz effective frontside bus (166MHz, quad sampled) in their next iteration of core logic. Instead, the company skipped dual channel DDR333 and went straight to DDR400.
It was a smart move. The Pentium 4 processor's hunger for memory bandwidth is well known, and beefing up the frontside bus clock to 200MHz (800MHz effective) boosted performance substantially, particularly in content creation applications and most PC 3D games.
Canterwood and Springdale Architectures.
Today, Intel supports two different core logic lines with dual-channel DDR support: the 875P and the 865P, formerly known as Canterwood and Springdale, respectively. We "previewed Canterwood" back in April and "took a look at Springdale" about a month later. Still, it's worth briefly reprising the architectural details.
The 865PE and 875P chipsets are identical, except for something Intel calls "PAT" -- performance acceleration technology. All PAT does is allow more aggressive memory timings in the 82875P Memory Controller Hub. The 865PE is essentially the same chipset, but lacking support for PAT. However, it should be noted that some motherboard companies have found a way to "enable PAT-like functionality" in the 865PE.
It's likely, though, that Intel will move to completely block this in future 865 releases. Whatever the case, the 875P remains Intel's top-of-the-line chipset for performance desktop PCs. The 875P/865PE also supports several other key technologies:
AGP 8x: These are the first mainstream chipsets from Intel to support AGP 8x. This allows for faster transfers of large amounts of data (such as large geometry models or texture data) to the graphics card, although the card itself must also be AGP 3.0 capable.
Native support for Serial ATA: Intel now supports two SATA channels. The ICH5R variant of the I/O hub also supports RAID 0 and "now RAID 1". Note that most of the 875P motherboards we've reviewed also support at least two more SATA channels via additional added SATA PCI chips.
CSA (communications streaming architecture): This allows a specific version of Intel's Pro/1000 gigabit Ethernet chip to connect directly to the memory controller. This bypasses the need to use Intel's hublink interface between the memory controller and I/O controller, which is still limited to 266MHz. Note that the I/O controller still supports a 10/100 Ethernet interface.
Eight USB 2.0 ports: 8 ports are supported, previously only six were available with ICH4.
Dual-Channel DDR400: As noted above, the 875P and 865PE both support dual-channel DDR400. Both can run in single-channel mode as well. The 865PE will run with older 400MHz frontside bus processors, but the 875P only supports 533MHz and 800MHz FSB Pentium 4 CPUs. Note that dual-channel DDR400 yields a burst throughput of 6.4GB/sec, DDR333 a maximum of 4.2GB/sec and DDR266 a peak transfer speed of 3.2GB/sec (all in dual-channel mode). So now let's take a quick look at the eight 875P boards in this roundup.
WHAT TO BUY.
Perhaps the most cogent comment we can make about these eight motherboards is that they've all demonstrated great stability, and the performance across the board doesn't show much variance, except in the game tests, where the Asus P4C800 seems to rule the roost.
Most of these boards are solid, average performers. Of the boards that scored below a 9, our favorites are probably the Soyo P4I875P Dragon 2 and the DFI Lanparty Pro875. Both offer interesting options that may appeal to certain users.
Abit and MSI Are Best Choices: Our favorites today are the Abit IC7-G and MSI 875P Neo-FIS2R, and both received our coveted ExtremeTech Approved award.
You won't go wrong with either of these boards. The IC7-G is just solid, never hiccupping, and offers a clean, competent layout and I/O cluster. The MSI Neo-FIS2R is relatively speedy, and offers excellent stability as well, but the ATX I/O cluster seems a bit antiquated.
Asus Close Runner-Up: The Asus P4C800 received an ExtremeTech Approved award, and scores just below these two, due to its component limitations. These are somewhat minor, but they give us some cause for concern in an environment that may have high PCI traffic. We're interested in the new P4C800-E, but we haven't had a chance to test it.
In the end, though, you can't go wrong with any of our ExtremeTech Approved boards. Once you figure out your needs and budget, one of the three winners will probably serve you admirably and without complaint.
[Excerpt from article by Loyd Case, Extreme Tech, July 25]
IS INTERNET EXPLORER NOW TOO DANGEROUS TO USE?
By Linux & Open Source Editor Steven J. Vaughan-Nichols
[Opinion: Although Linux & Open Source Editor Steven J. Vaughan-Nichols once used IE on his Windows machines, he now finds Microsoft's browser seriously insecure and endorses open-source ones instead.]
OK, I confess it: I've used Internet Explorer a lot. After being a die-hard Netscape user, I finally got fed up with the sheer bulk of that browser and started using Internet Explorer on my Windows machines.
As time went on and open-source Mozilla matured, I started using Mozilla as my main Linux Web browser and as my secondary Windows browser. This past Friday, though, I started installing Firefox, the browser-only side of Mozilla, on every one of my production Windows machines.
Why? Because Internet Explorer, like Outlook Express, has finally become, to my mind, a permanent security hole that masquerades as a useful application.
Strong words? Have you really thought about this latest exploit? It could hit every Internet Explorer (IE) browser that merely visited any page served by an infected Microsoft IIS (Internet Information Server).
No anti-virus program would stop it, no firewall would slow it down and no shipping IE security patch would even notice it. Visit the page, get the infection. It was that simple.
Oh, but the few thousand people running Release Candidate 2 of Windows XP Service Pack 2 were not vulnerable to the client-side attack. And if you were one of the very few people who had all of the current critical patches installed and were running IE with its security settings at "high," you'd be OK. That leaves, oh, say, 95 percent of all IE users wide open to this attack. I feel so much better now.
And just how bad was this attack? Boys and girls, let me tell you, this was the worst security violation I have ever seen. But don't take my word for it.
Johannes Ullrich, a handler at the Internet Storm Center at The SANS Institute in Bethesda, Md., wrote, "A large number of Web sites, some of them quite popular, were compromised earlier this week to distribute malicious code.
"The attacker uploaded a small file with JavaScript to infected Web sites and altered the Web server configuration to append the script to all files served by the Web server (IIS). The Storm Center and others are still investigating the method used to compromise the servers. Several server administrators reported that they were fully patched."
What sites were spreading the infections? We still don't know. Neither the security companies nor the businesses running the infected sites are talking. Since they're not being any help, I can only suggest that you update your anti-viral software and run it now.
The only other thing I can say is that sites running IIS 5, which hadn't been patched up to April's MS04-011, were the ones targeted by this exploit. But, I'm sorry to say, it's still not clear that even sites that had been patched with MS04-011 were safe. There are reports that even patched IIS servers were infected.
What happened next was that after simply visiting what looked like a perfectly ordinary page, the JavaScript hidden within the page would direct your browser to quietly download and install one of several different programs from a Russian Web site. "These Trojan horse programs include keystroke loggers, proxy servers and other back doors providing full access to the infected system," Ullrich said.
Many of the people talking about the exploit have discussed how your computers might be used by these back-door programs to launch a DDoS (distributed denial of service) attack. Yeah, that's bad news, but that's not the real problem.
In the few days that the sites provided the Trojan horses, hundreds of thousands or millions of users could have had their credit-card, stock-brokerage and bank-account numbers and passwords stolen. Let me repeat myself: Millions of you may have every bit of your browser-driven online financial security information stolen.
Maybe this was just another massive Internet security prank. Maybe all that will happen is a DDoS attack. Well, you can hope that's all there is to it and continue to use IE. But as for me, I'm done with it.
Yes, by Friday, most of the major anti-viral programs could stop this particular attack. But what about the next one?
According to the U.S. CERT (Computer Emergency Response Team), "Microsoft Internet Explorer does not adequately validate the security context of a frame that has been redirected by a Web server. An attacker could exploit this vulnerability to evaluate script in different security domains. By causing script to be evaluated in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE."
There is, at this time, no shipping patch to stop this. Wonderful. If you must run IE, and unfortunately, I do for at least one remote application I use every day, you can disable all active scripting and ActiveX on all IE zones. Between CERT's frequently asked questions about malicious Web scripts redirected by Web sites and Microsoft's Knowledge Base article on how to strengthen the security settings for the Local Machine zone in Internet Explorer, you should be safe from most variations of this kind of attack.
Frankly, though, I think CERT's other suggestion is an even better one: Use a different Web browser. Open-source browsers, such as Mozilla Firefox, are simply more secure than IE. Yes, I know all of the tired, old arguments about how, if open-source programs were as popular as Microsoft's products, they'd be just as vulnerable. You know what? I don't have time today to deal with the fundamentally inane idea that security by obscurity is somehow the best way to secure software.
The bottom line is that for all practical purposes for today, open-source browsers are inherently more secure than Internet Explorer, and I still have half a dozen more workstations to switch over to Firefox. Go ahead, stick with Internet Explorer for everyday use. It's your funeral.
Russian-based KASPERSKY to introduce its VAR program to North America
[EChannelLine, 1 May 2005]
Kaspersky Lab continues to deepen its VAR (value-added reseller; see definition below) channel. The Russian-based security firm, which historically has primarily addressed the commercial market through OEM relationships, has announced its first VAR program for North America (http://www.kaspersky.com/partners). That follows the establishment of its first North American office in February, in Woburn, Massachusetts.
"Until the opening of the US office in February, there has not been any commercial presence in the US to speak of, only a small handful of resellers," said Steve Orenberg, president of Kaspersky Lab, Inc., the company's U.S. operation. The company began strictly as an OEM company when it started up in the 1990s, and while it began selling its own branded product several years ago, these were primarily sold in Russia and eastern Europe. The company has never sold direct.
But in a heavily saturated North American security software market with several large players and many smaller ones, what makes Kaspersky see a significant market opportunity here?
"SMB channel partners, which will be our initial focus, are not getting the support they need to grow their business," Orenberg said. "There is a percentage of the channel out there that is seeking alternatives. What we've seen happen over the last few years is the market leaders have had difficulties at certain times and in certain segments keeping their partners happy and incented. They have been forced to cut margins, and more sales are being taken direct, and you have situations where product is overdistributed."
Orenberg said Kaspersky is building a select channel to try and pre-empt those problems.
"We want a limited number of partners, which is why we are not going to a two tier distribution," he said. "We really want to keep a very tight handle on price integrity with partners that we have, that the product will not be overdistributed. We want to have select partners geographically or vertically and protect them. We want to avoid multiple partners going into the same account and a price war where nobody is happy.
"We're also making a commitment we won't take any renewals direct. If a partner sells that account, they own that account. Their discounts on the renewals will not be cut. They will make the same percentage to keep a customer on their sales as they will to get a new customer."
Part of Kaspersky's task in recruiting select partners and building brand, Orenberg said, is to get a message across that their product really does have an edge on the market.
"The perception is that all the products out there are good and they do what they are supposed to do -- that these products are a commodity. What our strong messaging is, is that the technology of a product to detect viruses is only half the story. That because of the massive amounts of malware being written on a daily basis, the ability to distribute remedies as quickly as possible is extremely important. You need a very fast response to shut that window of vulnerability." That, Orenberg said, is Kaspersky's strength, offering hourly updates.
The program has three levels -- Premier Partner, Certified Partner and Accredited Partner. The primary difference is the level of support they offer. Certified gives level 1 support, and Accredited gives level 1 and 2. The Authorized level is for those who won't have the infrastructure to provide support.
"We're coming up with some very aggressive programs, and pricing will be extremely competitive," Orenberg said. "At the end of the day we feel we can present a situation to a partner where they will affect their bottom line more positively if they are dealing with Kaspersky."
What is VAR?
In the computer and other industries, a VAR (value-added reseller) is a company that takes an existing product, adds its own "value" usually in the form of a specific application for the product (for example, a special computer application), and resells it as a new product or "package."
For example, a VAR might take an operating system such as IBM's OS/390 with Unix services and, adding its own proprietary UNIX application designed for architects, resell the package to architectural firms. Depending on sales and installation requirements, the VAR could choose whether or not to identify OS/390 as part of the package.