thayes's blog

New service: Weekly threat reports

IPS is experimenting with a new service. I'm producing a weekly report of threats and vulnerabilities which may be of particular interest to individuals responsible for IT products and services at Rutgers.

Ubuntu Karmic Koala

Ubuntu 9.10 is out and I re-installed my desktop with it. It is a pretty big improvement and should be wonderful for netbook and laptop use. Unfortunately I had to work through some X issues like so many others are reporting.

Microsoft Security Essentials anti-virus performance

Microsoft's Security Essentials was released this month and has received good reviews in comparison to AVG and Avast (the other options for free AV tools).

SSH brute force attacks

Over the summer Rutgers has had a few instances of unix/linux servers being successfully compromised through their SSH service. I suspect, but do not know for sure, that these hacks were due to weak passwords. Sysadmins should really consider putting some protections in place against these attacks and possibly even try to crack their own users' passwords to check their strength.

CAS for the Apache Web Server

I've been working with our sysadmins to get CAS working on our group's apache web servers. CAS is great because a web server never sees a user's password and so if the server is compromised there is no chance that people's passwords will be logged by the hacker.

More anti-virus products fail...

From The Register:

Twelve of the 35 anti-virus products put through their paces by independent security certification body Virus Bulletin failed to make the grade for one reason or another and therefore failed to achieve the VB100 certification standard.

From 'The H Security': Naming trick opens mail servers

A number of Vietnamese spam sources are currently attracting attention because the spammers have equipped the relevant hosts with DNS pointer records called "localhost". [...] mail servers give preferential treatment to "localhost" and grant the Far-Eastern clients a special privilege, namely the "relaying" of emails to arbitrary recipients even outside the local network, because the servers or administrators have assumed that "localhost" is part of the local network.
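As an added example (not from this post or the article it quotes), the Python below reproduces the relay decision the article describes: the weak policy trusts whatever name the PTR record carries, while the hardened policy decides on the connecting address and accepts a PTR name only when it is forward-confirmed. The DNS tables, the "local" networks and the function names are constructed stand-ins so the code runs offline.

```python
import ipaddress

# Constructed, offline DNS data standing in for real lookups (documentation ranges).
PTR_RECORDS = {
    "203.0.113.7": "localhost",        # remote host whose PTR was set to a trusted name
    "127.0.0.1": "localhost",
    "192.0.2.25": "mail.example.net",
}
A_RECORDS = {
    "localhost": {"127.0.0.1"},
    "mail.example.net": {"192.0.2.25"},
}
# Constructed: the networks this mail server is willing to relay for.
LOCAL_NETS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]


def reverse_lookup(ip):
    """Stand-in for a PTR query on the connecting address."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name):
    """Stand-in for an A query; returns the set of addresses the name maps to."""
    return A_RECORDS.get(name, set())


def relay_allowed_weak(ip):
    """Vulnerable policy: any client whose PTR name is 'localhost' may relay."""
    return reverse_lookup(ip) == "localhost"


def fcrdns_name(ip):
    """Forward-confirmed rDNS: return the PTR name only if it resolves back to ip."""
    name = reverse_lookup(ip)
    if name and ip in forward_lookup(name):
        return name
    return None  # unconfirmed or missing PTR: treat the client as nameless


def relay_allowed_hardened(ip):
    """Hardened policy: the relay decision depends on the address, never on a name."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


if __name__ == "__main__":
    for client in ("203.0.113.7", "127.0.0.1", "192.0.2.25"):
        print(client, fcrdns_name(client),
              relay_allowed_weak(client), relay_allowed_hardened(client))
```

The spammer's host passes the weak check but fails both forward confirmation and the address-based check, while the genuine local hosts relay as before.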

Security posture

This is a graph of significant security alerts over the past 90 days. In the beginning of the graph you can see the level dropping off as the students finished up their finals and took their problems home with them.

IDS Data Access

I've released a new web-based interface to our SNORT alerts database. Sysadmins can use this to check a host and see if it is doing anything suspect. I'm providing this to help staff verify that they have cleaned malware off a host without requiring them to call us up or wait until the next day to see whether their host shows up again in our daily reports.

Anti-virus options

IPS routinely notifies departments about systems of theirs which have become infected with various types of malware and which, as a result, are doing Bad Things to other Rutgers hosts or to other sites on the internet. Occasionally I'm asked if IPS has a recommendation for AV software other than Trend Micro. Here are some suggestions. Full comparisons of top products are available from av-comparatives.org, which is where I go for my information (cross-checked by reviews from cnet and others).
