SecureDeveloper.com - Friday, August 29, 2008
Code is COMBAT !
 Friday, August 29, 2008

ZDNet reports:


Compromised SSH keys lead to rootkit

The U.S. Computer Emergency Readiness Team (CERT) has issued a warning for what it calls “active attacks” against Linux-based computing infrastructures using compromised SSH keys.

The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as “phalanx2” is installed, US-CERT said in a note on its current activity site.

From the advisory:

        • Phalanx2 appears to be a derivative of an older rootkit named “phalanx”. Phalanx2 and the support scripts within the rootkit, are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.

[ Read the article on ZDNet ]

Friday, August 29, 2008 11:59:29 AM (GMT Standard Time, UTC+00:00)


More than a week after a cryptic note hinted at a security breach at Fedora, the open-source group has finally fessed up to two separate server intrusions that compromised the security of Red Hat’s OpenSSH packages.


The confirmation follows eight days of media speculation and conjecture over a brief e-mail that simply mentioned “an issue in the infrastructure systems” and calls into question Red Hat’s ability to promptly — and accurately — disclose security breaches.


[ Read the full article HERE at ZDNet ]

Friday, August 29, 2008 11:54:14 AM (GMT Standard Time, UTC+00:00)
 Thursday, August 28, 2008


Data Structures and Algorithms: Annotated Reference with Examples

This book, written by Granville Barnett and Luca Del Tongo, is part of an effort to give all developers a core understanding of the algorithms that operate on common, and less common, data structures.

Data Structures and Algorithms: Annotated Reference with Examples is completely free!

[ CLICK HERE ]

Thursday, August 28, 2008 2:17:37 PM (GMT Standard Time, UTC+00:00)
 Sunday, August 10, 2008

#8 | Changing Membership Settings in the Default Membership Schema

#9 | Configuring SQL To Work with Membership Schemas

#10 | Understanding ASP.NET Memberships

[ Get them here ]

Sunday, August 10, 2008 6:10:42 PM (GMT Standard Time, UTC+00:00)
 Friday, August 01, 2008


Lots, even MOST, PHP applications are Open Source, but what if you want to distribute your application without distributing your PHP source code?

Check out Nu-Coder from NuSphere.


Nu-Coder converts the source code of PHP Script into compiled PHP bytecodes for both accelerated runtime performance and maximum security.


http://www.nusphere.com/products/nucoder.htm

Friday, August 01, 2008 3:36:26 PM (GMT Standard Time, UTC+00:00)
 Monday, July 21, 2008

Dolores Labs posted recently "Amazon’s S3 Web Service, our #1 cause of failure" [ Click HERE to READ ]


Amazon.com is a great company and an early innovator in the Web Services community. (God knows I send them A LOT of money.)

So this is not an indictment of Amazon as a technology provider. In fact, it is precisely because Amazon is a great company with a solid infrastructure that this outage is significant.

As geeks, we tend to get all jazzed about the latest buzz, and cloud computing is certainly one of the big ones. But I think it's important to remember that, while services in the cloud can be very cost effective, you can't control the cloud.

When you build it and own it, you always have options when you're not getting the service level you need. In the cloud, you're held hostage by third-party service levels... and as we all know, stuff happens.

When you're using a cloud-hosted service, remember to build support for graceful degradation into your application. Your application need not fail completely because you can't fetch images, ads, etc.

Not only is this good design practice, but it mitigates a DoS security threat. If I wanna bring your web application down and you haven't built resilience into your site, all I need to do is successfully attack any one service your application depends on, and your application is down!!
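One way to build that resilience, as an added example that is not part of the original post: each third-party dependency is wrapped so that a timeout or error yields a fallback (placeholder image, empty ad slot) instead of an exception, and after a few consecutive failures the wrapper stops calling the dead service for a cooldown period. The `Dependency` and `render_page` names, the fake image and ad services, and the failure thresholds are all assumptions constructed for the demo.

```python
import time
from typing import Any, Callable

# Added example (not from the original post): keep a page rendering when a
# cloud-hosted dependency (images, ads, S3) is slow or down, so the outage of
# one upstream service does not become a denial of service for the whole site.
class Dependency:
    def __init__(self, name: str, call: Callable[..., str], fallback: Callable[..., str],
                 max_failures: int = 3, cooldown: float = 30.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.name, self.call, self.fallback = name, call, fallback
        self.max_failures, self.cooldown, self.clock = max_failures, cooldown, clock
        self.failures = 0        # consecutive failures seen so far
        self.open_until = 0.0    # while clock() < open_until the circuit is "open"

    def get(self, *args: Any) -> str:
        now = self.clock()
        if now < self.open_until:
            return self.fallback(*args)   # fail fast: do not even contact the dead service
        try:
            # `call` must enforce its own network timeout (e.g. requests.get(url, timeout=2));
            # a hung socket with no timeout would still block the page.
            result = self.call(*args)
        except Exception:                 # any upstream error degrades, never propagates
            self.failures += 1
            if self.failures >= self.max_failures:
                self.open_until = now + self.cooldown   # back off; retry after the cooldown
            return self.fallback(*args)
        self.failures = 0                 # healthy response resets the counter
        return result

def render_page(product_id: int, image_dep: Dependency, ad_dep: Dependency) -> str:
    """Core content is emitted unconditionally; optional pieces come from wrapped dependencies."""
    body = f"<h1>Product {product_id}</h1>"
    return body + image_dep.get(product_id) + ad_dep.get(product_id)

def _dead_ad_service(pid: int) -> str:
    raise TimeoutError("ad service down")   # constructed failure for the demo

def demo() -> str:
    # Constructed stand-ins: the image CDN answers, the ad service times out.
    images = Dependency("images", lambda pid: f'<img src="/cdn/{pid}.jpg">',
                        lambda pid: '<img src="/static/placeholder.png">')
    ads = Dependency("ads", _dead_ad_service, lambda pid: "<!-- ad slot empty -->")
    return render_page(42, images, ads)

if __name__ == "__main__":
    print(demo())
```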

Monday, July 21, 2008 2:31:23 PM (GMT Standard Time, UTC+00:00)
 Friday, July 18, 2008

TweakUAC

Does UAC give you a rash?

It does me!!!

It's not that it isn't a good idea; it is. But I really wish I could train it or override it.

Maybe in a future Windows version. In the meantime, I'm trying Tweak UAC, which provides a "Quiet Mode" for UAC.

[ Click HERE to get Tweak UAC ]

Note: UAC is a security feature. Strictly speaking, "Quiet Mode" reduces your system's security.

Friday, July 18, 2008 3:34:41 PM (GMT Standard Time, UTC+00:00)


Please check out the first videos in my new Web Developer's Security Video Series.

http://www.asp.net/learn/security-videos/

I'm hoping to do 100 videos this year!

PLEASE SEND YOUR REQUESTS!!!

Friday, July 18, 2008 12:34:41 PM (GMT Standard Time, UTC+00:00)
 Tuesday, July 15, 2008


Check out this two-day security brain fest. It happens to be right after Black Hat in Vegas. See you there?

The LifeCycleSecurity conference was started to provide a venue where professionals in the application security industry can learn from each other's experiences. We will be addressing security from the server to the browser.

Application security: We will have topics that address how professionals are creating systems that are resistant to attacks against the web application layer and the systems that support these web applications.

Browser security: With the increase in attacks against browsers, such as malware and other attack vectors, protecting your users is more important than ever. This is increasingly being done with content filtering devices. The LifeCycleSecurity conference will include several tracks that address techniques being used to protect against these browser- and content-based attacks.

http://www.lifecyclesecurity.com/

Tuesday, July 15, 2008 12:51:10 PM (GMT Standard Time, UTC+00:00)
 Wednesday, June 25, 2008


While at TechEd 2008 I got to spend some time in the "Fish Bowl" with Georgeo Pulikkathara.

Georgeo interviewed me on Microsoft's Secure Development Lifecycle (SDL) and my upcoming Developer Security Activities.

Please [ click HERE ] to check out Georgeo's blog post and [ Click HERE ] to have a listen to the show.

Wednesday, June 25, 2008 1:54:57 PM (GMT Standard Time, UTC+00:00)
Copyright © 2010 Joe Stagner. All rights reserved.