January 10, 2005
Sun Unveils Sizzle, World's Smallest Secure Web Server
Sun has just announced the debut of Sizzle (from SSSL, or Slim SSL), the world's smallest secure web server. Sizzle runs on the Berkeley/Crossbow "motes" -- battery-powered, wireless devices equipped with an 8-bit microprocessor, 128KB of FLASH and a mere 4KB of RAM. Sizzle implements SSL, and uses Elliptic Curve Cryptography (ECC), which has been chosen by the National Security Agency as the next generation public-key cryptographic technology for protecting sensitive U.S. Government information. [Press Release]
Categories: Pervasive Computing | Security
January 05, 2005
Security: Windows vs. Linux
Koetzle, L. (2004). Is Linux More Secure Than Windows? Forrester Research, Cambridge, Mass.
Petreley, N. (2004). Security Report: Windows vs. Linux. The Register. (Published October 22, 2004 and retrieved January 5, 2005.)
Koetzle's paper was published in March 2004 and compares Debian, MandrakeSoft, Microsoft, Red Hat and SuSE. Each platform was evaluated based on data gathered between June 1, 2002 and May 31, 2003, according to four metrics: "all days of risk," quantifying the platform's actual vulnerability to attack; "distribution days of risk," comparing the Linux distributors' responsiveness to a vulnerability; "flaws fixed," measuring the platform maintainers' thoroughness; and the percentage of high-severity vulnerabilities. Among the study's findings: Microsoft demonstrated the lowest average "all days of risk," and Red Hat and Microsoft tied in terms of relative severity and thoroughness.
Petreley's study, published in October 2004, compared Microsoft Windows Server 2003 and Red Hat Enterprise Linux AS v.3, based on the severity of the security vulnerability (determined by the damage potential, the exploitation potential, and the exposure potential), and the number of critically severe vulnerabilities. Petreley found that whereas 10% of Red Hat's patches and alerts addressed critical vulnerabilities, 38% of Microsoft's patches and alerts addressed vulnerabilities ranked by Microsoft as critical. The report also includes a detailed discussion of security and severity metrics.
Categories: Open Source | Security
May 20, 2004
NIST Releases Draft Guidelines for VoIP Security
The National Institute of Standards and Technology (NIST) has released draft guidelines for securing Voice Over IP technology. The suggestions include putting voice and data traffic on logically different networks and denying access to the voice gateway from the data network. NIST is accepting comments on the draft through June 18.
Categories: AudioVideo-over-IP | Security
April 15, 2004
Open Source Vulnerability Database
Reblogged from Marcus Zillman:
OSVDB is an independent and open source database created by and for the security community. The goal of the project is to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. The project will promote greater, more open collaboration between companies and individuals, eliminate redundant works, and reduce expenses inherent with the development and maintenance of in-house vulnerability databases. This will be added to Security Resources 2004 Internet MiniGuide.
Categories: Security
Information Security Governance for Higher Education
The National Cyber Security Partnership has released Information Security Governance: A Call to Action, which urges corporations, nonprofit organizations, and higher education institutions to integrate effective information security governance (ISG) programs into their organizational processes. Contributing to the report was the EDUCAUSE/Internet2 Computer and Network Security Task Force. "Information security is of critical importance for the conduct of both research and education in today's networked environment. A successful security program will require that the boards and executive leaders of our colleges and universities assume appropriate, active roles in information security governance." (Mark Luker, Vice President, EDUCAUSE)
Categories: Security
April 08, 2004
Openness and Security on Campus
A Balancing Act? Openness and Security on Campus, an interview with Jeff Schiller, MIT's network manager and security strategist, appears in the April issue of Syllabus Magazine. "With open source, if there's a problem I can fix it as the consumer. Obviously I have to have the skills to do that, but I do have the ability, the access to do it. With closed source I don't. I'm literally at the mercy of the vendor to fix it."
Categories: Open Source | Security
