[SecurityRatty] tag: version

How to create a SQL Server linked server to DB2

Thu, 21 Aug 2008 07:57:37 +0000

Many SQL Server environments run DB2 servers, too, and often the two servers must be linked. Here's a step-by-step process that shows how to create a SQL Server linked server using Microsoft's DB2 driver, the OLE DB provider data access tools and the AS400 version of DB2.

Wee-Fi: Houston-Fi, ASCII WPA Passphrases, Green Wi-Fi

Tue, 19 Aug 2008 06:26:25 +0000

Houston flips switch on free downtown Wi-Fi: Dwight Silverman of the Houston Chronicle accidentally discovers the soft launch of the network funded by EarthLink's $5m default fee. (The fee was paid when they missed a milestone, and the firm later walked away.) The downtown area now has a limited pilot project that's free; the real effort in Houston is supposed to be at 10 housing projects and in parks where service would be used to bridge the digital divide and improve the quality of life. How, exactly, is part of what's being tested.

That's ASCII, not hex: An article on wardriving raises security hackles by repeating some slightly overheated statements about Wi-Fi security. The article opens with a 63-character ASCII WPA passphrase, which is later described as "hex." (ASCII passphrases in WPA can be up to 63 "printable" characters - ASCII 32 to 127 - while a hex version of a 256-bit TKIP or AES password is 64 hexadecimal digits long.) The article tries to conflate Wi-Fi attacks that led to the largest set of breaches in retail credit-card systems and wardriving, a hobbyist activity that's never been looked on very favorably by law enforcement. The sense of ennui of wardriving pioneers is pretty clear; when Wi-Fi is everywhere and generally secured, it's far less interesting. The wardriver in the article convinced the reporter that a maximum-length WPA passphrase stored on a USB drive for automatic use was the best way to go. But, really, 20 characters containing letters and punctuation and no words found in a dictionary along with changing your network's SSID (network name) provides all the security you'll ever need for a home or small business. (If you need more, deploy WPA/WPA2 Personal.)

Green Wi-Fi's Senegal efforts hit snags: The folks at Green Wi-Fi are well motivated, and they're running up against all forms of security theater and bureaucracy both here and in Senegal, where they have an active project. The San Francisco Chronicle notes the group's effort to build solar-powered, self-sustaining Internet access via mesh networked nodes. Getting devices out of the country, clearing customs in Senegal, and hooking up their solar system all hit problems they're working through. As with the One Laptop Per Child program, I see a "build it and they will come" mentality in Green Wi-Fi's mission statement: the notion that providing computing power and Internet access will result in good things, rather than an effort to figure out what good things need to be achieved, and whether computers and the Internet will assist.

PCI Compliance: Reaction to the Summary of Changes

Mon, 18 Aug 2008 20:00:00 +0000

On August 18 the PCI Security Standards Council formally announced (http://www.pcisecuritystandards.org/pdfs/08-18-08_2.pdf) forthcoming changes to the Payment Card Industry's Data Security Standard (PCI DSS) as it moves from version 1.1 to version 1.2 in October 2008. The release represents the first major update since September 2006.

What's my take on the summary of changes? Most merchants will be pleased to see that these are relatively minor changes...

Beware of Rogue Anti-Malware

Mon, 18 Aug 2008 06:16:04 +0000

Rogue anti-virus and anti-spyware products are not a new story, but they are a relatively growing threat. One of these threats made some news this week and taught some lessons about just how suspicious you have to be of them. We had heard of XP Antivirus—also known by a plethora of name variants, including Antivirus XP and year variants like Antivirus XP 2008. Click here for a description from Sunbelt Software. Last week, advertisements for this product started appearing on CNET (specifically their Download.com service) through syndicated Google ads. Not to pick on CNET specifically; Google ads are likely to be appearing elsewhere, but we were referred to them on that site. The hallmark of such malware is to start with a free version. This version conducts a fake malware scan that finds lots of malware on the system, and the user is told to pay for the "premium" version in order to remove the malware that doesn't really exist in the first place. Often rogue anti-malware software such as this is not strictly malicious in the sense of spreading itself to other systems or hiding any functions; it is simply a scam. Of course, by buying the product you may also expose personal and credit card details to untrustworthy people. Later last week, GlobalSign, the certificate authority that had issued a code signing certificate for use with Antivirus XP 2008, revoked that certificate after complaints that the software was malicious. They verified that the company existed but couldn't contact them. The investigation is ongoing. The bottom line and moral of the story is that rogue anti-malware vendors are merciless and shameless when it comes to masquerading as legit software. Ads on legit sites don't prove anything, and code-signing certificates don't prove anything. You still need to use common sense and exercise precautions, like running well-known and respected anti-malware, like Sunbelt Software's. They have a lot of special in-house expertise on rogue products like this.

Check Point goes virtual with VPN-1

Sun, 17 Aug 2008 20:00:00 +0000

Check Point is introducing a version of its VPN-1 software that runs on VMware ESX or ESXi to protect virtual machines from one another when they are running on a single piece of hardware.

Links List 8.15.08

Fri, 15 Aug 2008 16:04:33 +0000

Cloud Computing will also cure the common cold! Not really. But amidst all the hype and overly-used marketing speak it’s hard to tell the difference. Researchers from the University of Michigan announced CloudAV, a network service using the “cloud-computing” concept to fight malware. Please stop the insanity! I’m just waiting for someone to put “my” and “cloud computing” together…

Here’s an interesting post on High Earth Orbit about the usage and promotion of open source software for defense contracts. As a developer of open source tools, Andrew Turner of course brings up some “pros” for the government to push open source, but it’s the “cons” that are really interesting. A big “con” – the US government having something called “sovereign immunity” which apparently means something like it can’t be sued unless it consents to be sued. Hunh – the Republic of ScienceLogic-Land? Closing the loop here, a federal appeals court just boosted open-source software licenses by saying that any infringements can now get more severe remedies under copyright law (instead of contract law); here’s the case, Jacobsen v Katzer. But apparently not if it’s the US government?? Who knows more?

Does Linus Torvalds hate everyone except for developers? You have to check out this article on an email exchange he had with Network World this week, talking about how fed up he is with the “security circus”. Over the course of the exchange and some other comments from last month, he manages to blast security folk, OpenBSD (on security) in particular, vendors and PR people (of course). In the midst of the barrage of colorful language, it’s difficult to really get his point – which if you can dig it out, ends up being surprisingly sensible.

Sharon Taylor, Chief Architect of ITIL V3, recently wrote that with the release of the latest version of ITIL, BSM is now an ‘ITIL best practice.’ You say potato… “The distinction between IT and the business has blurred, and the language of IT has been replaced with the language of the business.”

UK Police Seize War on Terror Board Game

Fri, 15 Aug 2008 02:50:02 +0000

They said -- and it's almost to stupid to believe -- that:

the balaclava "could be used to conceal someone's identity or could be used in the course of a criminal act".

Don't they realize that balaclavas are for sale everywhere in the UK? Or that scarves, hoods, handkerchiefs, and dark glasses could also be used to conceal someone's identity?

The game sounds like it could be fun, though:

Each player starts as an empire filled with good intentions and a determination to liberate the world from terrorists and from each other.
Then the reality of world politics kicks and terrorist states emerge.

Andrew said: "The terrorists can win and quite often do and it's global anarchy. It sums up the randomness of geo-politics pretty well."

In their cardboard version of realpolitik George Bush's "Axis of Evil" is reduced to a spinner in the middle of the board, which determines which player is designated a terrorist state.

That person then has to wear a balaclava (included in the box set) with the word "Evil" stitched on to it.

Buy yours here; I first blogged about it in 2006.

Popular BitTorrent Client Quietly Patched An Old Zero-Day Vulnerability

Thu, 14 Aug 2008 13:29:00 +0000

Popular BitTorrent client µTorrent has silently patched a vulnerability that created a means for hackers to load malware onto PCs of file sharing users by persuading them to open a poisoned Torrent file. The vulnerability has been confirmed in version 1.7.7 of µTorrent. Earlier versions may also be vulnerable. News of the bug emerged in a [...]

When turning updates off really doesnt

Thu, 14 Aug 2008 09:31:32 +0000

In any business dealings, if you cant trust the company to do what they say they will do,
You go elsewhere right?
Its your decision. Not in this instance folks.

clipped from windowssecrets.com

You’ll get a new Windows Update, like it or not

This time, Microsoft is being more up-front about its forthcoming
refresh of Windows Update. For example, product manager Michelle Haven described in a
blog post on July 3 some new features that the upgrade will add.

The new version will reportedly reduce the time WU takes to scan for and send out new updates. In addition, if you use the online version of WU, and you click an update for more information, the new version will offer you more links with additional details.

But the Redmond company hasn’t changed the wording of the Control Panel settings that appear to prevent Windows Update from performing silent downloads — but don’t.

In light of these potentially misleading controls, a few tricks on managing Windows Update are just what the doctor ordered.

Should you upgrade to SQL Server 2005 or SQL Server 2008?

Thu, 14 Aug 2008 06:50:07 +0000

Even though SQL Server 2005 was released almost three years ago, many companies haven't upgraded yet. With last week's release of SQL Server 2008, it's time to put some serious thought into an upgrade. SQL Server expert Roman Rehak examines the options: to follow the sequential upgrade path or skip SQL Server 2005 altogether. Considerations include licensing costs, database size, benefits of the new features and confidence – or lack thereof – in the newest version.