Momentary lapse of life

24 November, 2005

Nine principles of security architecture

Filed under: Security — Cope57 @ 19:15

“Security architecture is a new concept to many computer users. Users are aware of security threats such as viruses, worms, spyware, and other malware. They have heard of, and most use, anti-virus programs and firewalls. Many use intrusion detection. Architectural security, though, remains a mystery to most computer users.”

The truth is, anti-virus software, firewalls, and intrusion detection are only the surface of security. They are all reactive measures that attempt to respond to active threats, rather than proactive measures that anticipate threats and try to make them harmless. These applications have a major role to play, but are not enough in themselves.

Behind reactive security measures is the much broader field of architectural security: how to set up a secure system to prevent security breaches, how to minimize breaches if they occur, and how to react to an intrusion and recover from it if it happens.

Architectural security is a subject that fills dozens of books. However, if you ignore the exact configuration techniques, you can break down architectural security into nine basic principles which are widely agreed upon by security architects. They apply whether you are programming, doing systems administration, or using desktop applications, and they apply whether you are managing a single home machine or a large network. They are not exact laws so much as methods of how you should think about security.

If you learn these basic principles, you can not only make more informed choices when installing and configuring software, but also learn more about your operating system. As a side benefit, you’ll also understand the reasoning behind claims that OpenBSD is more secure than GNU/Linux, or that both are more secure than Windows.

Security News Portal, computer networking security hacking and virus news alerts and advisories

Filed under: Microsoft, Security — Cope57 @ 14:39

Windows
New Internet Explorer Vulnerability leaves users at risk
Unfortunately MS says they don’t have a fix for it…
11-22-2005 1:56:23 PM CST — from the folks at Microsoft…

Microsoft is investigating new public reports of vulnerability in Microsoft Internet Explorer on Microsoft Windows 98, on Windows 98 Second Edition, on Windows Millennium Edition, on Windows 2000 Service Pack 4, and on Windows XP Service Pack 2. Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected.
Microsoft has also been made aware of a proof of concept code targeting the reported vulnerability but they are not aware of any customer impact at this time. MS will continue to investigate these public reports. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
This issue was originally publicly reported in May as being a stability issue that caused the browser to close. Since then, new information has been posted that indicates remote code execution could be possible. Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed….continued….


Hmmmm… so the only advice that Microsoft has to offer is to “encourage users to exercise caution when they open links in e-mail.”… Doh! Too bad that back in May 2005 MS didn’t take the Denial of Service potential of this vulnerability more seriously and instead chose to put it on their backburner. Which leaves us to wonder about how many other “things” are sitting on the MS backburner. And I am curious about those months that went by where no patches or only one patch was issued for the month. Why didn’t they get around to fixing the DOS problem during those patchless months? The mind boggles at the questions that this revelation raises…

11 November, 2005

VETERANS DAY:

Filed under: Uncategorized — Cope57 @ 13:49

VETERANS DAY:
To Bring Freedom to the World
11 November 2005

As he left for Europe during World War I, Private Lester Hensler wrote a brief letter to his mother saying, “I am thankful that I can take a place among men who will bring freedom to the world.”
Private Hensler was a simple man, an artillery soldier of humble rank. Yet, when you think about it, his ambition was simply colossal. This ordinary young American actually wanted to change the course of civilization.
What an idea: to alter the direction of the entire world!

Yet this astonishing drive to change the course of human events on a global scale is a hallmark of America’s fighting men and women.
Ask them what they’re doing in the Armed Forces, and they’ll tell you they’re fighting for freedom – your freedom …my freedom … the freedom of the whole world.
They don’t think of this as some kind of noble dream. It’s a practical reality for the men and women of America’s Armed Forces – something they take for granted.
Their hearts are pure as they pursue this grand vision that they adopted as their daily duty. The cynical stain that taints the motives of the world’s political capitals never touches their souls.
Our soldiers, sailors, airmen and Marines stand with the people of America. They stand with the people of the world – especially those whose lives and freedoms are crushed beneath the iron-heeled boots of dictators.

That was true when Private Hensler went to fight in Europe during World War I. And it’s absolutely true today as our troops fight in Iraq and Afghanistan.
Yet there’s a problem in our times – a danger really – in the way our nation deals with the people who are fighting these two wars. It’s what some people would call a mental dis-connect.
In a recent Time Magazine editorial, Joe Klein captured the core of the problem.
During dinner with Mr. Klein, a military officer just back from combat in Iraq said something very striking – something one American journalist felt the people of his country desperately needed to hear. Let me quote that officer:

“I lost five lieutenants in a year. I collected body parts. I don’t know how I’ll ever get over that.
And you just get the feeling that the rest of the country doesn’t understand. They’re not part of this.
It’s peacetime America, and a few of us are at war.”

As we gather here today, on Veterans Day, it’s difficult to hear words like those from a soldier, recently home from the war our nation asked him to fight. But Mr. Klein was right to make his readers stop and hear from a combat veteran.
We might also do well to listen to Joe Klein’s insights about his friend’s comments. He has some sobering ideas about America’s attitude toward the men and women who are fighting our wars:

“We have had a long season of sunshine patriotism in the U.S. since the terrorist attack on September 11, 2001,” wrote Mr. Klein.
“We love our troops without qualification, and rightly so. They have fought with courage and restraint in a horrifying chaos of battle … But there is a growing sense that mere patriotic displays won’t cut it anymore.”

Joe Klein’s language may be a little stronger than the words we’ve used in the DAV and the other veterans’ organizations.
But we’ve been making the same point for a while now. Some Americans are paying a horrible price in Iraq and Afghanistan, but the lives of most of our country’s people are virtually untouched. That’s where the dis-connect comes into play.
Here’s how one young veteran described the dis-connect when he went back to college following a tour of duty in Iraq.
When he goes into a coffee shop on campus, he says he sometimes wants to shake people. He just wants to ask them:

Don’t you realize what’s going on in this world?
This young veteran isn’t talking about the uncomfortable stretch of mental distance that exists when any war veteran returns to civilian society. That distance will always be there.
Nothing can change that.
This young man was talking about something far beyond the normal distancing a veteran feels upon coming home from war.

His insight into American society upon entering the campus coffee shop is very real. The lack of connection between the students and the war is very thorough.
Can you remember a period of war that has asked so little of the American people?
The wars in Iraq and Afghanistan ask almost nothing of the kids in the coffee shop … or of our society as a whole.
Only a small percentage of American families have members in the Armed Forces. For them, the wars are a constant source of worry. For two thousand families, these wars have cost the lives of dearly loved children, parents, brothers and sisters.
But for just about every other American family, it’s been a far different experience. War has been something that happens on television. After the news broadcast, life goes on as it would in a time of peace.
No one planned things to be this way. It just happened.

And the students in the coffee shop are good kids, I’m sure. If they knew our young friend was a veteran, they’d try their best to welcome him with open arms. That would help, believe me. But still, the war would not touch them personally.
And so the dis-connect continues.
Again this year, Americans will celebrate Veterans Day with gigantic retail sales. Our citizens will flock to the malls rather than ceremonies like this or VA hospitals where our wounded warriors wait to be welcomed home.
This is a problem of thoughtlessness, not malice. As Joe Klein pointed out, the American people love their troops – and their veterans.
Opinion research proves this.
If Americans are divided over the war in Iraq, they’re nearly unanimous in support of veterans. A recent poll showed them supporting veterans’ programs at an astonishing 95 percent.

Americans understand Private Hensler, the World War I soldier I mentioned at the beginning of my remarks. They understand the purity in his heart … and the hearts of all the generations of veterans who followed him.
They want the Private Henslers of this world to be treated well when they come home from defending the cause of freedom.
Our political leaders, however, seem to be caught in the disconnect.
While they’re good at what Joe Klein calls “mere patriotic displays,” their words are not backed by action.
In the interest of our nation’s veterans, we must not mince words about this: At one and the same time, our government is conducting two wars abroad and shortchanging veterans’ programs at home. This is hypocrisy.
Our leaders made a promise to veterans of Iraq and Afghanistan, saying they’ll give them only the best. But they placed a two-year limit on that promise.

When their time is up, these veterans go into the general pool of those disabled in the World Wars, Korea, Vietnam, the Persian Gulf, and the numerous armed conflicts we’ve seen over the years.
And it’s not always wonderful when those two years come to an end.
Don’t get me wrong, the medical treatment offered by the Department of Veterans Affairs is second to none. Over a period of decades, however, Congress has not provided enough money to fully fund the VA.
The results of all the corner-cutting are telling now, as the VA confronts the burden of two unexpected wars. The foundations of those corners have been carved away, and they’re crumbling.
So what faces our youngest, most vulnerable veterans? The same problems the rest of us face:

• Health care is rationed with schemes like spacing doctor’s appointments further and further apart.

• Despite what the public is led to believe, the vast bulk of America’s veterans are excluded from VA health care altogether.

• Hospitals are run on bare-bones staffing during endless hiring freezes.

• Though things have improved somewhat, veterans still wait far too long for disability claims to be processed.

The list goes on and on. Believe me, this is not what America wants for the men and women fighting in Iraq and Afghanistan.
This is not what our nation’s people want for any of their beloved veterans.
This Veterans Day, I ask Congress and the White House to face reality:

If you go to war, you have to face the costs of war – ALL OF THE COSTS OF WAR.
Some of those costs – borne by the men and women our nation asked to do the fighting – persist for decades after the guns of war fall silent.

Here are some of those costs:

• Men and women in uniform are wounded as a result of direct enemy action. That’s obvious, but it doesn’t end there.

• Others are injured in the extremely hazardous circumstances of military service, especially as they exist in war zones.

• Few things stress the human mind as severely as war; no compassionate society can turn its back on those who come home with psychological wounds.

• As anyone who has read Homer’s Iliad or yesterday’s news should know, illness has always been a significant factor in war. This is still true today, especially in Iraq and Afghanistan.

• People are widowed and children are orphaned when a service member is killed or a veteran dies due to a service-connected disability.

America has a clear responsibility to the men and women who bear these costs of war.

Our government cannot walk away from these costs when they become inconvenient or someone has other priorities in mind.
If you ask our political leaders about this, they’ll point to slight increases in the dollar-amounts budgeted for the VA and pat themselves on the back.
But small-dollar budget increases have never kept pace in a very long era of double-digit growth in health care costs. In terms of real need, the budget for veterans’ programs has consistently fallen behind year after year.
This is not a recent development. It’s been going on since the end of the Vietnam War.

The dis-connect has to end.

It evades the responsibility of the United States to the men and women our nation asks to defend our freedom and our shores. It fails to match the expectations of the American public. It falls short of our moral vision of ourselves as a people.

The dis-connect has to end.

We veterans like the patriotic displays that Joe Klein talked about. We want to see the President lay a wreath at the Tomb of the Unknowns on patriotic holidays. On Veterans Day, it’s good to hear political leaders recognize what we did for our country.
However, we don’t want these events to descend into mere patriotic displays.
That is why, today, I ask our nation’s leaders to remember that programs are the proof of their patriotic sentiments – programs, not words.
Nothing less than adequate programs will be good enough for the men and women who, in the words of Private Lester Hensler, placed their lives on the line to “take a place among men who will bring freedom to the world.”

Thank you.

9 November, 2005

New worm targets Linux systems | CNET News.com

Filed under: Linux, Security — Cope57 @ 19:12

A new worm that propagates by exploiting security vulnerabilities in Web server software is attacking Linux systems, antivirus companies warned on Monday.

The worm spreads by exploiting Web servers that host susceptible scripts at specific locations, according to antivirus software maker McAfee, which has named the worm “Lupper.”

Lupper blindly attacks Web servers, installing and executing a copy of the worm when a vulnerable server is found, McAfee said in its description of the worm.

A backdoor is installed on infected servers, giving the attacker remote control over the system. The server joins a network of compromised systems, which can be used, for example, in attacks against other computers, according to McAfee.

The worm exploits three vulnerabilities to propagate: the XML-RPC for PHP Remote Code Injection vulnerability; AWStats Rawlog Plugin Logfile Parameter Input Validation vulnerability; and Darryl Burgdorf’s Webhints Remote Command Execution Vulnerability, according to Symantec’s online description of the worm.

The XML-RPC flaw affects blogging, wiki and content management software and was discovered earlier this year. Patches are available for most systems. AWStats is a log analyzer tool; a fix for the flaw has been available since February. Darryl Burgdorf’s Webhints is a hint generation script; no fixes are available for the script, according to Symantec’s DeepSight Alert Services.

McAfee rates Lupper as low risk. Symantec, which calls the worm “Plupii,” rates it medium risk, but notes that the worm has not been widely distributed. The SANS Internet Storm Center, which tracks network threats, reports some worm sightings.

Symantec and McAfee have updated their products to protect against the worm. If a system has been infected, Symantec recommends complete reinstallation of the system because it will be difficult to determine what else the computer has been exposed to, the company said.
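
A log-review sketch for the blind scanning described above, added here as an example (it is not from the CNET article, McAfee or Symantec): it flags clients that request the three named scripts at several different locations and reports which locations actually answered. The script filenames, the threshold, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Default script filenames of the three products named in the article
# (assumption: adjust to the names and paths used on your own servers).
TARGET_SCRIPTS = {"xmlrpc.php": "XML-RPC for PHP",
                  "awstats.pl": "AWStats",
                  "hints.pl": "Webhints"}

# Apache/Nginx "combined" access-log line: client, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"[A-Z]+ (?P<url>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample log (documentation-range addresses, invented paths).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Nov/2005:10:00:01 +0000] "GET /xmlrpc.php HTTP/1.0" 404 209 "-" "-"
203.0.113.7 - - [09/Nov/2005:10:00:01 +0000] "GET /drupal/xmlrpc.php HTTP/1.0" 404 209 "-" "-"
203.0.113.7 - - [09/Nov/2005:10:00:02 +0000] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 209 "-" "-"
203.0.113.7 - - [09/Nov/2005:10:00:02 +0000] "GET /stats/awstats.pl HTTP/1.0" 200 5120 "-" "-"
203.0.113.7 - - [09/Nov/2005:10:00:03 +0000] "GET /cgi-bin/hints.pl HTTP/1.0" 404 209 "-" "-"
198.51.100.20 - - [09/Nov/2005:10:05:00 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 310 "-" "BlogClient"
198.51.100.20 - - [09/Nov/2005:10:05:09 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
this line is malformed and must be skipped
""".splitlines()

def find_probers(lines, min_paths=3):
    """Return {ip: report} for clients that requested the target scripts at
    min_paths or more distinct locations. report["hits"] lists the locations
    that answered with anything other than 404: installs to patch first."""
    seen = defaultdict(lambda: {"paths": set(), "products": set(), "hits": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m["url"].split("?", 1)[0]           # drop the query string
        script = path.rsplit("/", 1)[-1].lower()   # filename component only
        if script not in TARGET_SCRIPTS:
            continue
        rec = seen[m["ip"]]
        rec["paths"].add(path)
        rec["products"].add(TARGET_SCRIPTS[script])
        if m["status"] != "404":
            rec["hits"].add(path)
    # A normal blog client touches one location; a blind scanner tries many.
    return {ip: r for ip, r in seen.items() if len(r["paths"]) >= min_paths}

if __name__ == "__main__":
    for ip, r in find_probers(SAMPLE_LOG).items():
        print(ip, sorted(r["products"]), "answered:", sorted(r["hits"]))
```

A flagged client with an entry in `hits` means the scan reached a script that exists on the server, so that install's patch level is the first thing to check.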
