Welcome to the ViewPoint Security Blog

Informal ramblings and updates from the team at ViewPoint

Saturday, March 17, 2007

PostgreSQL Information Disclosure and Denial of Service Vulnerabilities

PostgreSQL is prone to information-disclosure and denial-of-service vulnerabilities; fixes are available. An attacker can exploit these vulnerabilities to cause the backend database to crash and reveal sensitive information. This may lead to other attacks. These issues affect versions 8.0, 8.1, and 8.2. The second issue described also affects versions 7.3 and 7.4.

Patches are available - a good reference is the following page on SecurityFocus:
http://www.securityfocus.com/bid/22387/solution

Thursday, March 15, 2007

Logon Warning Banner

I've been asked many times for a logon banner, so here's my favorite:

WARNING!!! This system is solely for the use of authorized users for official purposes. Unauthorized access or use of this computer system may subject violators to criminal, civil, and/or administrative action. You have no expectation of privacy in its use and to ensure that the system is functioning properly, individuals using this computer system are subject to having all of their activities monitored and recorded by system personnel. Use of this system evidences an express consent to such monitoring and agreement that if such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide the results of such monitoring to appropriate officials.
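A banner only does its job if it is actually displayed before the login prompt. As an added example (not from the original post), here is how to install the text above as the OpenSSH pre-login banner; the paths /etc/issue.net and /etc/ssh/sshd_config are the conventional ones and are passed in as parameters, so the functions can be exercised on scratch copies first.

```shell
#!/bin/sh
# Added example, not from the original post: install the banner above as the
# pre-login banner that OpenSSH shows before the password prompt.
# Paths are parameters so the functions can be exercised on scratch copies;
# on a real host you would pass /etc/issue.net and /etc/ssh/sshd_config,
# run "sshd -t" to validate the config, and then reload sshd.
set -eu

# Write the banner text from the post, wrapped for an 80-column terminal.
write_banner() {  # $1 = destination file, e.g. /etc/issue.net
    cat > "$1" <<'EOF'
WARNING!!!
This system is solely for the use of authorized users for official purposes.
Unauthorized access or use of this computer system may subject violators to
criminal, civil, and/or administrative action. You have no expectation of
privacy in its use and to ensure that the system is functioning properly,
individuals using this computer system are subject to having all of their
activities monitored and recorded by system personnel. Use of this system
evidences an express consent to such monitoring and agreement that if such
monitoring reveals evidence of possible abuse or criminal activity, system
personnel may provide the results of such monitoring to appropriate officials.
EOF
    chmod 0644 "$1"   # world-readable; sshd reads it before authentication
}

# Point sshd at the banner. sshd uses the FIRST Banner value it sees, so an
# appended line would lose to an existing one; instead the first Banner line
# (active or commented out) is rewritten and any later Banner lines dropped.
# Safe to run repeatedly. Assumes no Match blocks set their own Banner.
set_sshd_banner() {  # $1 = sshd_config path, $2 = banner path
    awk -v b="$2" '
        /^[ \t]*#?[ \t]*Banner[ \t]/ { if (!done) { print "Banner " b; done = 1 }; next }
        { print }
        END { if (!done) print "Banner " b }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Report the banner path sshd will actually use (first active directive wins).
effective_banner() {  # $1 = sshd_config path
    awk '$1 == "Banner" { print $2; exit }' "$1"
}
```

The same text can be copied into /etc/issue for console logins, which read that file directly via getty.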

802.11n Draft 2.0 gets thumbs up from Working Group

Draft 2.0 of the 802.11n spec has been approved by the 802.11 Working Group, moving the increasingly popular wireless networking technology a step closer to its final form.


Tuesday, March 13, 2007

Two Factor Authentication (Strong Authentication)

Or why does RSA/EMC have a monopoly on this stuff, anyway? Don't get me wrong - SecurID is a good product, with wide support and a large user base. However, it uses proprietary algorithms (we're big fans of open source), and is getting a bit tattered around the edges with age. I recently came across an interesting new approach from WikID Systems - WikID Strong Authentication. An open source commercial app, it is written from the ground up to be "Web 2.0" aware (hate marketing buzzwords) in that it is extensible with PAM, Java, etc. Basically, the technology works like this. A secure token client on your local machine passes your PIN to the WikID server, using the server's public key for encryption. The server then returns a one-time password to your client, which is then used to complete authentication. I've run some quick tests with the client, and it looks promising. Test it for yourself here, or they also offer an evaluation. We'll be doing some real world evaluation, and will follow up with a later post. BTW - ViewPoint is not affiliated with WikID Systems in any way - these are just my observations, and YMMV.

Microsoft's Antivirus Deletes User's Emails

According to postings on Microsoft's OneCare forum, erasures have been caused when the antivirus program finds a virus in an email attachment. Instead of then quarantining that single email, users have reported that entire .pst or .dbx files have been deleted, along with other important emails.


OpenID: Too many providers, not enough consumers

There has been a spate of announcements recently with a number of companies both large and small announcing that their products will 'support' OpenID. Each of these announcements was met with a rousing standing ovation by the bloggers over at Techmeme. First Microsoft (with Hypercard), then AOL, Digg, Wordpress, SmugMug and many more.


First post ;-)

Everybody's gotta have one, right? So I finally got off my ass and started a blog for ViewPoint Security. This will be an informal site where the ViewPoint guys will share observations and experience from the field, as well as our opinions. We'll also try to post relevant security bulletins and articles of interest to the community.

Hopefully it will be of use to our clients, associates, and anybody else who feels like stopping by.