Ubuntu Karmic ctrl-alt-backspace lives!

For those of you who converse with me on twitter, you know I’m a pretty vocal Linux and Ubuntu proponent.

However, as the distribution moves more toward the mainstream, Canonical and the volunteer devs are forced to make decisions for the good of the whole community rather than the whimsy or convenience of more experienced users. I’ve no beef with this philosophy, as long as it contributes to the broader user experience.

Formerly, one of the cooler keyboard combinations in Linux was the ability to restart the X server (the GUI/Desktop experience that Ubuntu deploys by default), which is far quicker than the full unmounting and rebooting of the system.

With Jaunty and Karmic, this option was removed, ostensibly to prevent end users from accidentally resetting their Desktop from the keyboard.

For us power users, this became sort of a nuisance.

Not to worry, however, for UbuntuGeek.com has you covered with several mechanisms to re-enable this convenient ‘reset’ feature for X.

Howto Enable Ctrl + Alt + BackSpace in Ubuntu Jaunty | Ubuntu Geek.

Worth peeking at your VPN Configs: US-CERT Vulnerability Note VU#261869

This was getting some discussion on teh twitter today, but the list of affected VPN vendors was substantial enough that you might want to peek at your own configs. The hyperbole might not yet be warranted, but it is worth a look under your hood.

The description of the vuln implies that some VPN vendors’ default settings might make attacks more viable. Taken from US-CERT Vulnerability Note VU#261869:

Vulnerability Note VU#261869

Clientless SSL VPN products break web browser domain-based security models

Overview

Clientless SSL VPN products from multiple vendors operate in a way that breaks fundamental browser security mechanisms. An attacker could use these devices to bypass authentication or conduct other web-based attacks.

Later in the bulletin, a mention of the potential exploit method:

By convincing a user to view a specially crafted web page, a remote attacker may be able to obtain VPN session tokens and read or modify content (including cookies, script, or HTML content) from any site accessed through the clientless SSL VPN. This effectively eliminates same origin policy restrictions in all browsers. For example, the attacker may be able to capture keystrokes while a user is interacting with a web page. Because all content runs at the privilege level of the web VPN domain, mechanisms to provide domain-based content restrictions, such as Internet Explorer security zones and the Firefox add-on NoScript, may be bypassed. For additional information about impacts, please see CERT Advisory CA-2000-02.

There’s a broad variety of affected software- and appliance-based VPNs in the CERT list; it’s certainly worth a call to your vendor to be certain you’re using the safest possible configs for your VPN’s environment. Read the full bulletin here.
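To make the advisory’s point concrete, here is an added Python model of what the bulletin describes (this is my illustration, not code from CERT or from any VPN vendor). A clientless SSL VPN fetches remote pages and rewrites their links so the browser loads everything from the appliance’s own hostname; the functions below show two sites that are distinct origins for the browser becoming one origin after rewriting, and then a restricted rewriter that only proxies an explicit allow-list of hosts. The appliance hostname `vpn.example.com`, the `/proxy/<scheme>/<host>/...` path layout and the `TRUSTED_HOSTS` set are all constructed assumptions; real products encode the target differently.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Assumed hostname of the clientless SSL VPN appliance (constructed for this
# example). Everything the appliance rewrites is served from this one origin.
VPN_HOST = "vpn.example.com"

# Constructed allow-list of internal hosts the appliance is permitted to proxy.
TRUSTED_HOSTS = {"intranet.example", "mail.example"}


def browser_origin(url: str) -> Tuple[str, Optional[str], int]:
    """Origin as the browser computes it for same-origin checks: scheme, host, port."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, p.hostname, port)


def same_origin(url_a: str, url_b: str) -> bool:
    return browser_origin(url_a) == browser_origin(url_b)


def rewrite_url(target_url: str) -> str:
    """Model of what a clientless SSL VPN does to links in proxied pages: the real
    scheme and host are folded into a path under the appliance's own origin.
    The exact path layout is an assumption; products differ in the encoding."""
    p = urlsplit(target_url)
    path = p.path or "/"
    query = f"?{p.query}" if p.query else ""
    return f"https://{VPN_HOST}/proxy/{p.scheme}/{p.netloc}{path}{query}"


def rewrite_url_restricted(target_url: str, trusted=TRUSTED_HOSTS) -> Optional[str]:
    """Hardened variant: only rewrite hosts on an explicit allow-list, so arbitrary
    Internet content never ends up sharing the appliance's origin with internal
    applications. Returns None when the host is refused."""
    host = urlsplit(target_url).hostname
    if host is None or host.lower() not in trusted:
        return None
    return rewrite_url(target_url)


def origins_collapse(url_a: str, url_b: str) -> bool:
    """True when two URLs that are different origins for the browser become the
    same origin once both pass through the rewriting proxy. This is the
    'eliminates same origin policy restrictions' effect the advisory describes."""
    return (not same_origin(url_a, url_b)) and same_origin(
        rewrite_url(url_a), rewrite_url(url_b)
    )


if __name__ == "__main__":
    internal = "https://intranet.example/hr/payroll"
    external = "https://untrusted.example/page"
    print("distinct origins before rewriting:", not same_origin(internal, external))
    print("one origin after rewriting:", origins_collapse(internal, external))
    print("restricted rewrite of external host:", rewrite_url_restricted(external))
    print("restricted rewrite of internal host:", rewrite_url_restricted(internal))
```

The check to run against your own appliance is the second half: if any Internet host can be pulled through the rewriter, its script runs in the same origin as your intranet applications. Whether your product offers an allow-list for rewritable hosts, and whether it is switched on by default, is exactly the question to put to the vendor.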

New Malware Re-Writes Online Bank Statements to Cover Fraud

Pretty unnerving trick, if this is efficient. I wonder if this will prompt banks to render balance amounts via Captcha-type technology to circumvent this, even though the flaw is client-side. It will be interesting to watch how prevalent this sort of exploit becomes.

New malware being used by cybercrooks does more than let hackers loot a bank account; it hides evidence of a victim’s dwindling balance by rewriting online bank statements on the fly, according to a new report.

The sophisticated hack uses a Trojan horse program installed on the victim’s machine that alters html coding before it’s displayed in the user’s browser, to either erase evidence of a money transfer transaction entirely from a bank statement, or alter the amount of money transfers and balances.

The ruse buys the crooks time before a victim discovers the fraud, though won’t work if a victim uses an uninfected machine to check his or her bank balance.

The novel technique was employed in August by a gang who targeted customers of leading German banks and stole Euro 300,000 in three weeks, according to Yuval Ben-Itzhak, chief technology officer of computer security firm Finjan.

“The Trojan is hooked into your browser and dynamically modifies the text in the html,” Ben-Itzhak says. “It’s a very sophisticated technique.”

Read on, via Threat Level

ZDNet warns self-hosted WordPress blogs at risk from worm

WordPress is pretty much the easiest turnkey blog/content management software out there, but by the very nature of its exceedingly popular, extensible existence, we haz flawz.

The latest major versions of WP have easy, embedded tools for pushing upgrades, and the directions lead you by the hand.

If your host — other than wordpress.org — hasn’t updated your installation in a while, or if your access is in some way restricted: Write, call, nag. Srsly.

If that gets no results, back up your data and change providers.

WordPress is easy to use, sometimes easy to hack, but equally easy to patch.

Be your own advocate. Here’s why:

A worm is circulating that can post malware and spam to some WordPress blogs using outdated versions of the blogging software, according to a post by Matt Mullenweg, founding developer of WordPress.

The worm can be tough to catch, as Mullenweg explains: “It registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.”

The vulnerability allowing the attack was discovered on August 11, at which point WordPress encouraged users to upgrade to version 2.8.4. However, many people have yet to upgrade, and reports online indicate the worm is making progress by the hour.

The worm does not affect the current version 2.8.4 and the one prior to it, and it only affects people who host their own WordPress blog. Blogs hosted on WordPress.com are unaffected.

More detail via Tech News on ZDNet.
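Mullenweg’s description gives a defender three things to look at on a self-hosted install: the version, the permalink structure (which the worm abused to get code evaluated), and old posts that now carry hidden spam. The Python below is an added audit sketch of mine, not WordPress code and not taken from the ZDNet piece. It parses `$wp_version` out of `wp-includes/version.php`, flags a permalink structure containing anything other than the characters the settings page produces, and pulls links out of `display:none` blocks in post HTML. The sample inputs are constructed, the threshold version 2.8.4 is the one the article says to upgrade to, and the character allow-list and hidden-block regex are my own heuristics.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inputs (not from any real site) standing in for what you
# would pull off a self-hosted install: wp-includes/version.php, the
# permalink_structure option from wp_options, and the HTML of a couple of posts.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '2.8.3';\n"
SAMPLE_PERMALINK_CLEAN = "/%year%/%monthnum%/%postname%/"
SAMPLE_PERMALINK_TAMPERED = "/%postname%/${eval('constructed')}/"  # constructed, not a real IoC
SAMPLE_POSTS = [
    "<p>Regular post body.</p>",
    '<p>Old post.</p><div style="display:none"><a href="http://spam.example/">pills</a></div>',
]

# Version the article tells self-hosters to upgrade to.
FIXED_VERSION = (2, 8, 4)


def parse_wp_version(version_php: str) -> Tuple[int, ...]:
    """Extract the $wp_version assignment from wp-includes/version.php as an int tuple."""
    m = re.search(r"\$wp_version\s*=\s*'([0-9.]+)'", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return tuple(int(part) for part in m.group(1).split("."))


def needs_upgrade(version: Tuple[int, ...], fixed: Tuple[int, ...] = FIXED_VERSION) -> bool:
    """Tuple comparison orders versions numerically: (2, 8, 3) < (2, 8, 4)."""
    return version < fixed


# A legitimate permalink structure is slashes, literal text and %tag% tokens.
# Characters such as $, (, { and quotes are never produced by the settings page.
_PERMALINK_OK = re.compile(r"^[A-Za-z0-9%/_.\-]*$")


def permalink_looks_tampered(structure: str) -> bool:
    return _PERMALINK_OK.match(structure) is None


# Heuristic: a div/span hidden with inline CSS that wraps one or more links.
_HIDDEN_BLOCK = re.compile(
    r"<(div|span)[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>(.*?)</\1>",
    re.I | re.S,
)
_HREF = re.compile(r"""href=["']([^"']+)["']""", re.I)


def find_hidden_links(post_html: str) -> List[str]:
    """Return hrefs that sit inside hidden blocks of a post's HTML."""
    links: List[str] = []
    for m in _HIDDEN_BLOCK.finditer(post_html):
        links.extend(_HREF.findall(m.group(2)))
    return links


def audit(version_php: str, permalink: str, posts: List[str]) -> Dict[str, object]:
    """Combine the three checks into one report."""
    version = parse_wp_version(version_php)
    return {
        "version": ".".join(map(str, version)),
        "needs_upgrade": needs_upgrade(version),
        "permalink_tampered": permalink_looks_tampered(permalink),
        "posts_with_hidden_links": [i for i, p in enumerate(posts) if find_hidden_links(p)],
    }


if __name__ == "__main__":
    print(audit(SAMPLE_VERSION_PHP, SAMPLE_PERMALINK_TAMPERED, SAMPLE_POSTS))
```

On a live site the post HTML would come from `wp_posts.post_content` and the permalink from `wp_options`; the point of the hidden-link check is that the worm’s spam never shows in the rendered page, so only the stored HTML reveals it.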

Intell chief: Source of cyberattacks still unknown

U.S. authorities haven’t figured out who was behind the recent cyberattacks that temporarily knocked some federal Web sites off-line, the country’s top intelligence official said today.

Dennis Blair, the director of national intelligence, said officials haven’t learned who carried out the attacks that hijacked tens of thousands of computers around the world. Affected computers sent out massive amounts of information to overwhelm systems, which shut down government sites in the United States and South Korea.

Blair said the government is working with partners in other nations to compare data to nail down who was behind the attacks that he called a “relatively unsophisticated botnet-type attack.”

After the attacks, initial press reports said South Korean intelligence authorities suspected that North Korea or its supporters were involved. However, security experts have said definitively identifying who is behind the cyberattacks might be difficult, if not impossible.

In March, Blair told reporters that improving authorities’ abilities to attribute cyberattacks was a high priority.

via Federal Computer Week.

“Chrome vs. Bing vs. You and Me”? Um, not really

Uh, I hate to burst the PR bubble here, but any “Google OS” will be mostly re-branded Linux.

While I find this very exciting — I’m already a fully committed Ubuntu and Fedora/CentOS user — this article’s contention is only hyperbole, as of yet. I’ll risk a rare actual blog posting on my assertions.

For large industries that have in the past committed to IIS-based web presences and Content Management/SharePoint sites, there is no fear that any imminent Google OS will make an immediate dent.

I’d re-label this more an incursion than a war. Individuals who might someday be able to choose their OS from the sales floor will still gravitate toward the familiar branding of Microsoft.

Where the landscape will change is with us experimenters out here, the early adopters who threw a Live CD on an old PC just to get more life out of it…and learned that it could, without the bloat. That moment introduces the first seduction of the Linux platform.

The next seduction is after you’ve learned to use cross-platform applications like OpenOffice, perhaps Mozilla Thunderbird, with plugins that cope marginally well with Exchange.

The big argument opposing Linux in the larger market is the lack of a phone-support model. However, Ubuntu addresses this with an optional paid support model, available from the Ubuntu site, or even from Dell.

And for what it’s worth, you have to pay *extra* for true Microsoft support if doing business directly with MS, and you pay a lot.

For individual consumers, the PC vendor’s support (i.e. Dell, HP, etc.) might be free for that first year, but without paying to extend the warranty, after the first year you’re on your own as an end user anyway. Think about it.

However, out in the commercial world, the temptation won’t be there yet; industry is firmly and necessarily wrapped around closed-source, MS-based vendor dependency for the near term.

However, Microsoft’s market share of small-business and home desktops might well diminish, and that might be where those trenches will be dug.

The battle between Microsoft and Google entered a new phase last week with the announcement of Google’s Chrome Operating System — a direct attack on Microsoft Windows.

This isn’t the first salvo in a war that has already seen Google lob its Chrome Web browser against Microsoft’s Internet Explorer, Google pit its Android smart-phone operating system against Microsoft’s Windows Mobile, and Microsoft, in turn, aim its new search technology, Bing, against Google’s very heart — the Google search engine.

This is all heady stuff and good for lots of press, but in the end none of this is likely to make a real difference for either company or, indeed, for consumers. It’s just noise — a form of mutually assured destruction intended to keep each company in check.

Microsoft makes most of its money from two products, Microsoft Windows and Microsoft Office. Nearly everything else it makes loses money, sometimes deliberately. Google makes most of its money from selling Internet ads next to search results. Nearly everything else it does loses money, too.

Neither company really cares because both make so much from their core products that it simply doesn’t matter. But companies, like people, strive and dream and in this case both dream, at least sometimes, of destroying the other. Only they can’t — or won’t — do it in the end, because it is against the interests of either company to do so.

via NYTimes.com.

Microsoft issues record 31 patches for bugs in Windows, IE, Office apps

Microsoft Corp. last week issued 10 security updates that patched a record 31 vulnerabilities — 18 marked “critical” — in Windows, Internet Explorer, Excel, Word and other applications.

The bugs are the largest number that Microsoft has patched in a single month since the company began its regular update program in 2003. The previous record of patches for 28 flaws was set last December.

“This is a very broad bunch,” said Wolfgang Kandek, chief technology officer at security company Qualys Inc.

“You've got work [to do] everywhere — servers and workstations, and even Macs if you have them. It's not getting any better. The number of vulnerabilities [Microsoft discloses] continues to grow,” he added.

Of the 10 bulletins, six patched some part of the Windows operating system, three patched an application or component in the Office suite, and one fixed several flaws in IE.

Eighteen of the 31 bugs carried Microsoft's most serious label in its four-step ranking, while 11 were tagged as “important,” the next-lowest level, and two were judged “moderate.”

Andrew Storms, director of security operations at nCircle Network Security Inc., suggested that users first patch the IE bugs.

“IE's, by far, take the cake,” Storms said. “There are eight [common vulnerabilities and exposures], and there's no doubt that it will be exploited.”

via Microsoft issues record 31 patches for bugs in Windows, IE, Office apps.