This week’s security events include news of Apple patching its Java vulnerabilities, the United States and China topping a cybercrime list compiled by SecureWorks, a new class of browser attacks called “clickjacking” and warning of a new Trojan that could be used to steal banking-related information.

—————————————————————————————————————-

Apple patches Java bugs

Apple has issued a giant patch release that fixes numerous Java vulnerabilities in the Mac OS X operating system, some of which have been around for months. Two of these vulnerabilities specific to Leopard were considered critical, and could allow hackers to run arbitrary code by means of a malicious Java applet. Obviously, the attacker will first have to get a victim to view a Web site containing the applet with a Java-enabled browser.

Full details can be found at the Apple support site. Users can get the update from Apple’s Software Update server, or immediately download it from Apple’s download site.

US and China top cybercrime list

Security provider SecureWorks has released a report showing the United States and China topping a list that ranks countries by the number of attacks launched on other computers via the Internet. The US had 20.6 million attacks attempted from within its own borders, while China was the runner-up with 7.7 million such attempts. Computers in universities, data centers, and companies are infected, apparently unnoticed by administrators.

Excerpt from the report:

“On the other hand, we have found that many of the Chinese hackers will compromise large networks within their own country and use them as bots to attack other organizations,” continued [Don] Jackson. “For example, entire university networks in China will belong to local hacker groups.” (Don Jackson is the Director of Threat Intelligence for SecureWorks.)

Jackson also noted that the findings show, among other things, the ineffectiveness of simply blocking incoming communications from foreign IP addresses to defend against attacks. This is due to hackers hijacking computers outside their borders from which to attack their victims.

New Trojan goes for banking data

A new Trojan horse is gaining popularity with fraudsters. Called Limbo, the malware integrates itself with a Web browser using a technique called HTML injection. By manipulating a page’s layout, it asks for confidential information that the real site never actually requests.

A user could be at a real bank site, for example, and be asked by the Trojan for a password or other confidential data. The only clue? The user is being asked to provide information that has never been asked for before.

You can read more about the Limbo Trojan from this PC World article.

Researchers warn of new clickjacking attack

Security researchers have warned of a new class of browser vulnerabilities dubbed “clickjacking”. Users of every major platform are apparently at risk from this new attack method.

Multiple types of flaws have been identified at this point, though details are sketchy for now as the researchers have deliberately kept a number of details confidential.

Robert Hansen, one of two researchers who discussed this bug at OWASP AppSec 2008 earlier in the week, noted in an interview with Network World that clickjacking is similar to cross-site request forgery, sometimes known as CSRF or “sidejacking.” However, clickjacking is different enough that current generations of anti-CSRF measures are essentially worthless.

How does clickjacking work? Following is an excerpt from Network World:

“Think of any button on any Web site, internal or external, that you can get to appear between the browser walls,” Grossman said in an e-mail on Friday. “Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to.”

It is not necessary for hackers to compromise a legitimate site in order to conduct a clickjacking attack underneath it. As such, the only way that this problem can be fixed in a meaningful way would be by browser vendors. At the moment, the security researchers who found this vulnerability are in contact with all the major vendors of browsers.
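An added example, not part of the original article: the article predates the opt-in response headers that browser vendors later shipped against framing attacks, X-Frame-Options and the Content-Security-Policy frame-ancestors directive, neither of which it mentions. The shell function below (framing_policy is a name chosen here) classifies a response's headers by how they restrict framing; the sample headers are constructed.

```shell
#!/bin/sh
# framing_policy: read raw HTTP response headers on stdin and print how the
# response restricts being framed: deny, sameorigin, allowlist or frameable.
framing_policy() {
    tr -d '\r' | awk -v q="'" '
    BEGIN { none = q "none" q; self = q "self" q }
    {
        # Split "Name: value" at the first colon; compare case-insensitively.
        name = tolower($0); sub(/:.*/, "", name)
        value = tolower($0)
        sub(/^[^:]*:[ \t]*/, "", value); sub(/[ \t]+$/, "", value)
    }
    name == "x-frame-options" { xfo = value }   # last one wins (simplification)
    name == "content-security-policy" {
        n = split(value, dir, ";")
        for (i = 1; i <= n; i++) {
            d = dir[i]; sub(/^[ \t]+/, "", d); sub(/[ \t]+$/, "", d)
            if (d ~ /^frame-ancestors([ \t]|$)/) {
                sub(/^frame-ancestors[ \t]*/, "", d)
                have_fa = 1; fa = d
            }
        }
    }
    END {
        if (have_fa) {
            # frame-ancestors takes precedence over X-Frame-Options.
            # An empty source list matches nothing, the same as none.
            if (fa == "" || fa == none) { print "deny"; exit }
            m = split(fa, src, /[ \t]+/)
            for (i = 1; i <= m; i++)
                if (src[i] == "*") { print "frameable"; exit }
            if (fa == self) print "sameorigin"
            else print "allowlist"
            exit
        }
        if (xfo == "deny") print "deny"
        else if (xfo == "sameorigin") print "sameorigin"
        else print "frameable"   # header absent, or a value browsers ignore
    }'
}

# Constructed sample response headers (not captured from a real site).
printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n' |
    framing_policy
```

A result of frameable on a page that performs a state-changing action on click is the case the Grossman quote describes.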





The apachectl command is an often overlooked program that allows you a great deal of control over Apache processes. Vincent Danen explains the basics of this command, which you can use to debug or test Apache configurations.

—————————————————————————————————————-

The Apache Web server is arguably the best and most powerful Web server software available for any operating system. While many learn to edit the configuration files and configure or enable various modules, the bulk of what most people do with Apache is manage the content that Apache serves, with very little attention paid to what Apache itself can do.

Distributions provide initialization scripts for Apache that take the guesswork out of using it. For instance, service httpd start would start the server and an associated stop command would bring it down. These initscripts, while a convenience, largely mask the power of the command they are calling, namely apachectl.

The apachectl command is a rather overlooked program when it comes to working with Apache; however, it can be used to do some very interesting things. For instance, you can debug or test configurations by starting Apache with an alternative configuration file, leaving the working/production configuration untouched until changes can be tested. This can be accomplished with the -f option and the specification of an alternate configuration file:

# apachectl -f /etc/httpd/conf/httpd-testing.conf

This will start an Apache (httpd) process using the httpd-testing.conf file as the primary configuration file rather than the production httpd.conf.

A companion option here would be the -t option which performs a syntax check on configuration files, validating any changes you make. The command will warn if it detects any problems with the configuration file. Use it in conjunction with the -f option to validate in-progress configuration changes on non-default files: apachectl -t -f /etc/httpd/conf/httpd-testing.conf.
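One way to put the -t and -f options to work before a change reaches production, as an added example rather than code from the original tip: promote_config (a hypothetical helper) replaces the live configuration only when the candidate passes the syntax check. The APACHECTL variable and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Gate a configuration change on `apachectl -t -f`.
# APACHECTL may be overridden if the binary is not on PATH (assumption).
APACHECTL="${APACHECTL:-apachectl}"

# promote_config CANDIDATE LIVE
#   0  candidate passed the syntax check and now replaces LIVE
#      (the previous LIVE is kept as LIVE.bak for rollback)
#   1  syntax check failed; LIVE is untouched
#   2  candidate is missing or unreadable
#   3  could not write the backup copy
promote_config() {
    candidate=$1
    live=$2

    [ -r "$candidate" ] || { echo "cannot read $candidate" >&2; return 2; }

    # -t: syntax check only; -f: check this file instead of the default.
    if ! "$APACHECTL" -t -f "$candidate" >/dev/null 2>&1; then
        echo "syntax check failed; $live left untouched" >&2
        return 1
    fi

    # Keep the working configuration so the change can be rolled back.
    if [ -f "$live" ]; then
        cp -p "$live" "$live.bak" || return 3
    fi

    # Copy next to the target, then rename, so LIVE is never half-written.
    cp -p "$candidate" "$live.new" && mv "$live.new" "$live"
}

# Usage (run as root; paths are illustrative):
#   promote_config /etc/httpd/conf/httpd-testing.conf /etc/httpd/conf/httpd.conf
```

A passing -t run only shows that the file parses, so the running server still needs a restart or reload to pick up the promoted file.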

Another useful set of options are those that allow you to examine configuration content without actually opening and scanning configuration files. The apachectl -M command will list all loaded modules, those compiled-in and those that are shared. apachectl -l will display only those static modules that Apache loads; these would be the modules compiled into the httpd binary.

The apachectl -L option displays all available directives that Apache understands, and which module they are associated with. This is a great way to find out what options come from which module, and what they do. For instance:

# apachectl -L
<Directory (core.c)
     Container for directives affecting resources located in the specified directories
     Allowed in *.conf only outside <Directory>, <Files> or <Location>
...

The apachectl command also allows you to override directives on the command-line by using the -c option. This can be useful to temporarily test a new site or code. For instance, to override the default ServerLimit directive, use:

# apachectl start -c "ServerLimit 1024"

Other useful directives to override include DocumentRoot and Listen, among others.

Reading the apachectl manpage will provide other options and, hopefully, other ideas on how to put this often-overlooked tool to good use.


Vincent Danen is the Security Team Manager for Mandriva and lives in Canada. He has been writing about and developing on Linux for over 10 years.






CA HIPS combines application whitelisting with host-based security firewall, IPS and operating system protections.

I deployed the CA Host-Based Intrusion Prevention System in “verbose” mode so that I could see the local console. It can be deployed silently and with no local user interface. Notice that the firewall, intrusion prevention and operating system protection modules are also installed…


Google entered the mobile phone market this week when T-Mobile rolled out the first handset running the search engine's Android mobile operating system. Oracle also ventured into new territory by announcing that it will sell a hardware product — a database server the company developed with Hewlett-Packard. IBM threatened to leave the standards bodies that determine software interoperability regulations over concerns that the standardization process is unfair. And Microsoft is still searching for a search strategy to compete with Google.


Vincent Danen admires the Mac text-expanding tools like Typinator or TextExpander and has been looking for a similar tool in Linux. The best counterpart he found is a program called Snippits. Here are the basics.

——————————————————————————————————————

Perhaps one of my favorite features or tools with the Mac OS X operating system is the ability to use text-expanding programs such as Typinator or TextExpander. These programs allow you to type a keyword, regardless of the focused application, and have it expand into a custom string, set of text, or image. These text-expanding tools are a constantly-used time saver.

On Linux, there is nothing as comprehensive as Typinator or TextExpander on the Mac. There is one program that comes close, but is not as fluid or elegant as the Mac equivalents.

The program is called Snippits, and it also expands text based on predefined keywords. Snippits is a Ruby program and requires a little bit of effort to install, depending on the Linux distribution in use.

On Debian and Ubuntu it is easier to install because one of the prerequisite packages, xautomation, is readily available. On Mandriva Linux, the package is not available and so must be compiled from source, which is easy enough to accomplish.

With any distribution, at the very least you will need to install aspell and its development files; Ruby and its development files; and also whichever package provides Ruby’s gem support. On a Debian system, this can be accomplished by executing:

# apt-get install ruby ruby1.8-dev rdoc rubygems libruby-extras xautomation xsel aspell libaspell-dev aspell-en build-essential

On Mandriva Linux, because xautomation must be compiled from source, the following is required. Note the commands on a # prompt are executed as root, whereas those with a $ prompt should be executed as a regular user. As a result, the below is somewhat abbreviated; you may elect to use sudo (if you have configured it appropriately) or su to the root user when required.

# urpmi ruby-RubyGems ruby-devel aspell-devel aspell-en x11-devel png-devel
$ curl -O -L http://hoopajoo.net/static/projects/xautomation-1.02.tar.gz
$ tar xvzf xautomation-1.02.tar.gz
$ cd xautomation-1.02
$ ./configure && make
# make install

Once this is done, the Snippits gem must be installed and Ruby configured to use Rubygems by modifying the ~/.bashrc startup file:

$ echo 'export RUBYOPT="rubygems"' >>~/.bashrc && source ~/.bashrc
# gem install raspell
# gem install snippits

This will install the RASpell gem which is required by the Snippits gem, and then compile and install the Snippits gem.

Once this is completed, you can test Snippits. Snippits are stored in the ~/.snippits/ directory; each file is its own snippit. For instance:

$ mkdir ~/.snippits
$ echo "this is a snippit test" >~/.snippits/test
$ snippit test
this is a snippit test
$ ks test
this is a snippit test
$ this is a snippit test

The snippit [name] command outputs the contents of the file named [name]; in this case ~/.snippits/test. Using the ks command, the contents are not only outputted, but are also used as input for the next command.

Snippits allows for a lot of extra modifiers to really manipulate text, such as {enter} to type an enter keystroke or {tab} to enter a tab keystroke. For instance, if a snippit were defined in ~/.snippits/pstest as:

ps aux|grep {cursor}|wc -l

Executing ks pstest would result in the above being printed on the command-line with the cursor being positioned where the {cursor} string is located, exactly where you would want the cursor to be to type what to grep for.

The above has only illustrated Snippits’ use for command-line usage. It is possible to bind the ks command to a global hotkey in KDE or GNOME which would allow for Snippits to be used in any application. The drawback here, compared to the Mac-equivalent programs, is the need for the hotkey to begin with as there doesn’t seem to be a way to make Snippit automatically transform text based on the appearance of the keyword — perhaps in a future version. The application is under active development and definitely looks to have promise.






Multimedia complications are a well-worn complaint with Linux users who have to figure out which hoops to jump through to get decent sound and video playback for all their movies and music. Ubuntu (more accurately, Canonical, Ltd., Ubuntu’s commercial sponsor) has made a couple of deals to offset these problems, particularly for users who download Ubuntu for free, rather than buying the boxed version at BestBuy. The two software vendors are Cyberlink, which provides the DVD player application, and Fluendo, which offers audio codecs for Windows Media formats. Both of these packages will be made available in the Ubuntu store for “one-click” installation, and of course, a price. According to Canonical’s marketing manager, Gerry Carr, in NetworkWorld’s report:

“We’re never going to make you pay for anything that is fundamental to the operating system. You do need this to play DVDs. You do need this to play certain types of audio. We are not diametrically opposed to anyone selling software to add on for Ubuntu users. We will be adding additional software to that store as we can. It’s entirely optional. It’s building that ecosystem.”

While I think Canonical is simply doing what it has to do to smooth over the experience for its users, it is unfortunate that once you buy your DVD or your music — I mean, it’s yours — you then have to turn around and pay again for the privilege of actually being able to watch or listen to it the way you want. That’s really annoying; in fact, it seems downright wrong.

On to other testy subjects, Ubuntu users and developers have been frothing at the mouth over Mozilla’s EULA, included in the newest build of Firefox, version 3.0.1. The latest word, after both Canonical CEO Mark Shuttleworth and Mozilla have been trying to smooth the waters, is that “Mozilla has admitted making a mistake and said it will strip the legalese from the browser’s next update,” according to the article in NetworkWorld.

Now if you really want to skip the Firefox controversy, you can download Codeweaver’s CrossOver “Chromium,” a port of Google Chrome, that does not require Windows XP or Vista to run. Google is still working on its version of the Chrome browser for Mac and Linux platforms. The downloadsquad notes:

Although CrossOver Chromium works, please note that this is not intended to be used as a default browser. CodeWeaver’s website even states that this is just “a proof of concept, for fun, and to showcase what Wine can do.”

I doubt that anyone here would really plan to make Chrome, much less Chromium, their default browser quite yet, but if you’re just looking to play around with it, you can download Chromium here.





I know, I know…you’re wondering why this is in the open source blog. The reason is simple: I have used open source operating systems for a long, long time now. I have championed against Microsoft for over ten years. But when TechRepublic liked the idea of me writing some Vista content for them, I couldn’t say no. Of course this meant me actually using Vista. So I thought it would be interesting for the open source crowd to get my initial reaction to my explorations with Windows Vista. You know, see how (or if) it stands up to Linux. It was a hard pill to swallow for me. It might be equally as hard for you. Let’s find out. Shall we?

Installation
To begin with I didn’t have to do any installation. I wish I would have but I knew how finicky Vista was with hardware, so I wound up having to purchase a new laptop. This was the first strike against Vista. Why? Because I knew, with 100 percent assurance, that I could download the latest, greatest version of Linux and get it up and running (with full-blown 3D desktop and everything the Aero desktop has to offer) on any machine I have. With Vista - it’s a crap shoot. Unless you have hardware with that magical sticker that says that the machine is certified for Vista, you just never know.

And of course this brings up one of the many really nasty points about purchasing a machine with a Windows operating system - you rarely get an install disk. Why is that? I paid the “tax.” I bought the machine with an operating system on it. And we all know that Windows likes to be re-installed every so often. But without that disk - no dice. Fortunately I could create a “back up” disk so I could re-install the OS should it need…but only on that laptop. Oh but wait - this is Microsoft so I can only install the OS on one machine anyway. So much for that gripe.

First boot
Then after I unpacked the laptop it was time for the first boot. There was a small part of me that so badly wanted to toss in my Mandriva 2008 CD and forget the whole Vista experiment. But I behaved and let it boot.

During the boot process I couldn’t believe how much I had to go through to get to the desktop. When I first powered up the laptop I thought I was watching a full installation going on. It took nearly 30 minutes to get to the point where I could start agreeing to every possible EULA I could imagine. And after all of those agreements, I finally reached the initial setup. The final setup was mostly just the standard username/password/timezone information.

Once the setup was complete I was greeted with a screen asking me if I was interested in peeking at the typical “free trials” that always seem to accompany any Windows operating system. I really hate this part of Windows. Why is it they seem to think ANYONE wants any AOL product these days? Why not offer something like Hotmail or any other product owned by Microsoft. These products just take up space, annoy the users, and ultimately wind up being deleted from the system. You never see a Linux operating system with annoying free trials of worthless software.

Getting to work
Finally. The desktop is loaded and I can get to work. The first order of business is to install Firefox, OpenOffice, and The Gimp. I may be using a Windows operating system, but that doesn’t mean I have to use Office, Explorer, and some proprietary graphics application. The installation of these applications brought about the next really annoying issue with Vista. Being a long-time open source software user I am accustomed to having to give the root password in order to install software. But just giving permission to continue to perform an installation does nothing more than annoy the user. What good does it do? I click on the OpenOffice install icon and then I have to give Vista permission to install OpenOffice? Didn’t I just do that by clicking the OpenOffice install icon? Seriously…what is the purpose of this? There is no safety with this system. It’s not like you have to enter an administrator password - you just say “sure Vista, you can go ahead with this installation.” So of course, after too many instances of having to allow the UAC (User Access Controls) to do what I had already told the system to do, I decided to disable this control. It didn’t really take me long to figure this out (doing a search in Explorer for “user” finds the configuration setting) and, once I had it disabled, I was able to do a bit more work with a little less hassle.

With the UAC out of my way, Vista just seemed like yet another Windows operating system. I was limited with my configuration options; I couldn’t control sub-systems the way I can with Linux, and Aero is seriously limited to what it could do. The former two points I expected (Windows is very limiting in user control). The latter point really surprised me though. Microsoft had proclaimed Vista’s Aero to be the next level of user interface. Really? Some half-attempt at transparency and a bit of a reconfiguration of the Start Menu? Seriously? No. I think the next level of user interface is what I am currently working with - Compiz. And besides, Linux has been doing transparency for over five years (remember AfterStep 1.6?)! So where is the innovation? I can understand that the standard Windows user would look at Aero and ooh and ahh because that’s how Microsoft works the public opinion - they steal ideas and make everyone think they were the originators (Can anyone say “Mouse”?).

Now, at this point I started having good feelings about the Vista Media Center. It’s pretty simple to use. But very quickly the lack of options and customizations really hit me. There are a few Linux versions of the media center, and with each version, they can be customized in nearly any way you want. With the Vista Media Center customizations/optimizations are very limited. Typical Microsoft micro-management.


Another issue. I wanted to make sure the laptop always connected to my wireless network by default. I failed to check that option when I first set up the connection on the laptop and had a LOT of trouble figuring out how to make it so (without having to delete the wireless connection and start over). Again, with Linux this is simple.

The verdict
I can’t say I hate Vista. I can say that, in comparison to the open source operating system that I use day in and day out, Vista pales in comparison. Vista can not do nearly the things Ubuntu or Mandriva (or SuSE, or PCLinuxOS, etc.) can do. And, at least from my perspective, the various forms of Linux can do all of these things much easier and much more efficiently.

My point is this: It seems that everyone assumes that the Windows operating system is the most user-friendly available. I think they are wrong. I think that Microsoft has actually managed to “dumb down” the operating system (in Vista at least) to the point where very little makes sense. Very basic tasks should be obvious. They are not. Obvious locations for certain tools are no longer valid. Administration that should be quick and easy is time consuming and confusing (at times).

If you think about it like this: Microsoft has basically created a new distribution of Windows. And migrating from one distribution (XP) to another (Vista) isn’t as easy as it should be. Now migrating from, say, Ubuntu to Mandriva is simple. In either Ubuntu or Mandriva everything makes sense. And, in the case of Ubuntu/Mandriva you’re migrating to an entirely different package management system…and it still makes sense. But migrating from one Windows distro to another becomes a task even administrators don’t want to undertake.

I interviewed a head teacher at a local school that offers classes in various Windows topics (from MS Office to administrator-level SQL to programming) and he said they can’t find anyone to teach and no one who wants to learn Vista. So they are sticking with XP. When I told him I had to pick up a Vista-ready laptop his first question was if I had already installed another operating system over Vista. I said “no;” he winced and apologized.

I’m not so quick to get rid of Vista. I find it challenging and I like a good challenge. But I will say that I find this Windows distribution (Vista) not nearly as user-friendly as most of the modern Linux distributions. Not only are the Linux desktops easier to use they are far more flexible and easier to administer. And yes, as soon as I no longer have a need for Vista, that Sony Vaio will sport Mandriva.





Google co-founder Sergey Brin says the new Chrome Web browser is not the Web operating system many people see it as, but acknowledges it will get more robust through the open-source community under the Chromium project. Microsoft and other search engines and Web services providers must be wary about this evolution in application development. Google may be treading lightly with Chrome now, but the browser, combined with Google’s search and Apps, could end up being a big threat to Microsoft Windows’ market share.
Despite attempts by reporters to goad Google into spiking Microsoft, Google co-founder Sergey Brin denied that Google views its new Chrome browser as an operating system for Web applications.

“I would not call Chrome the operating system of Web apps,” Brin said after a demo of Chrome…


One stone-cold fact about Windows 7 is that we need more stone-cold facts in order to understand the new operating system that is likely to arrive in early 2010.



Microsoft’s financial health, which is wrapped up almost entirely on sales of fat clients running the latest Windows operating system with the latest version of Microsoft Office, is completely at odds with the mesh model.
Last week, Microsoft made two major online services announcements, both focused on initiatives intended to address data accessibility pain points by knitting together the devices you own with Web-based services that Microsoft provides and promises to maintain.

What should be giving users and deve…
