[ISN] Linux Security Week - January 2nd 2006

From: InfoSec News (isn@private)
Date: Wed Jan 04 2006 - 03:04:33 PST

|  LinuxSecurity.com                         Weekly Newsletter        |
|  January 2nd, 2006                          Volume 7, Number 1n     |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@private    |
|                   Benjamin D. Thomas      ben@private     |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Adaptive
Firewalls with iptables," "Bandwidth monitoring with iptables,"
"Four Security Resolutions For The New Year," and "DNS Name Prediction
With Google."



This week, advisories were released for phpbb2, ketm, tkdiff,
dhis-tools-dns, Mantis, NDB, rssh, OpenMotif, scponly, msec,
fetchmail, cpio, php-mbstring, and libgphoto. The distributors
include Debian, Gentoo, and Mandriva.



* EnGarde Secure Community 3.0.2 Released
  6th, December, 2005

Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.2 (Version 3.0, Release 2). This release includes
several bug fixes and feature enhancements to the Guardian Digital
WebTool, the SELinux policy, and the LiveCD environment.



Hacks From Pax: SELinux Administration

This week, I'll talk about how an SELinux system differs from a
standard Linux system in terms of administration. Most of what
you already know about Linux system administration will still
apply to an SELinux system, but there are some additions and
changes that are critical to understand when using SELinux.



Hacks From Pax: SELinux And Access Decisions

Hi, and welcome to my second of a series of articles on Security
Enhanced Linux. My previous article detailed the background of
SELinux and explained what makes SELinux such a revolutionary
advance in systems security. This week, we'll be discussing how
SELinux security contexts work and how policy decisions are made
by SELinux.

SELinux systems can differ based on their security policy, so
for the purposes of this article's examples I'll be using an
EnGarde Secure Linux 3.0 system, which by default uses a tightly
configured policy that confines every included application.




| Security News:      | <<-----[ Articles This Week ]----------

* Ethereal 0.10.14 Release Notes
  30th, December, 2005

Ethereal 0.10.14 has been released. Several security-related
vulnerabilities have been fixed. Everyone is encouraged to upgrade.
The following features are new (or have been significantly updated)
since the last release.


* Adaptive Firewalls with iptables
  26th, December, 2005

Up until now, we've looked at stateless and stateful firewalls.
Remember, stateless firewalls only have the features of a given packet
to use as criteria for whether that packet should be passed, blocked,
or logged. With a stateful firewall, in addition to the fields in
that packet, we also have access to the kernel's table of open
connections to use in deciding the fate of this packet.


* Bandwidth monitoring with iptables
  27th, December, 2005

Linux has a number of useful bandwidth monitoring and management
programs. A quick search on Freshmeat.net for bandwidth returns a
number of applications. However, if all you need is a basic overview
of your total bandwidth usage, iptables is all you really need -- and
it's already installed if you're using a Linux distribution based on
the 2.4.x or 2.6.x kernels.

Most of the time we use iptables to set up a firewall on a machine,
but iptables also provides packet and byte counters. Every time an
iptables rule is matched by incoming or outgoing data streams, the
software tracks the number of packets and the amount of data that
passes through the rules.


* Cisco vulnerability posted to Internet
  29th, December, 2005

One day after a security researcher and organizers of the Black Hat
USA conference agreed not to post details of vulnerabilities in Cisco's
router software, the information has been published on the
Internet. On Friday, the Web site Cryptome.org posted what appear to
be slides written to accompany a presentation given by former
Internet Security Systems Inc. (ISS) researcher Michael Lynn, at the
Black Hat conference in Las Vegas.


* An Inexpensive and Versatile IDS
  27th, December, 2005

An intrusion detection system can be an effective technical control
in the modern world of information and network security. One option
that provides for low cost NIDS sensor deployment is the use of the
open source IDS software Snort in combination with a consumer grade
LinkSys cable/DSL router and the open source firmware distribution
OpenWrt. These three items together form a powerful yet inexpensive
unit that delivers IDS, routing, firewall, wireless, and NAT
functionality for use in a light-weight environment, i.e. consumer or
small business deployments.


* D@TA Protection and the Linux Environment
  28th, December, 2005

This is an exciting time for people involved in data protection, and
not in the bad way that things can be exciting. Many more options,
techniques, and practices have become available to IT professionals.
The new technology solves a great many problems.


* Researchers pore over biometrics spoofing data
  29th, December, 2005

Sweaty hands might make you unpopular as a dance partner but they
could someday prevent hackers from getting into your bank account.

Researchers at Clarkson University have found that fingerprint
readers can be spoofed by fingerprint images lifted with Play-Doh or
gelatine or a model of a finger moulded out of dental plaster. The
group even assembled a collection of fingers cut from the hands of


* Linux in a Business - Got Root?
  30th, December, 2005

I work for a government contractor, and have recently convinced them
to purchase a Beowulf cluster, and start moving their numeric
modelers from Sun to Linux. Like most historically UNIX shops, they
don't allow users even low-level SUDO access, to do silly things like
change file permissions or ownerships, in a tracked environment. I am
an ex-*NIX admin myself, so I understand their perspective and wish
to keep control over the environment, but as a user, I'm frustrated
by having to frequently call the help-desk just to get a file
ownership changed or a specific package installed.


* Financial institutions lead march to Linux in Korea
  29th, December, 2005

In the latest in a series of moves aimed at getting Korean government
institutions to move away from their reliance on Windows and Unix and
adopt open source software, two state-owned financial institutions
planned to launch the country's first Linux-based Internet banking
services in December.

The state-owned Korea Post and the National Agricultural Cooperative
Federation (NACF) have both said their systems will be up and running
for Linux users before the end of December as a part of the open
source software fostering projects of the Ministry of Information and


* Four Security Resolutions For The New Year
  26th, December, 2005

I always know what my first New Year's resolution is going to be,
because it's the same every year: lose weight. Chances are, you
have the same one. But by the time the Super Bowl happens, and you
eat seven thousand calories on that one day, you'll have already
given up on that resolution.


* IT security professionals moving up the corporate pecking order
  26th, December, 2005

Ultimate responsibility for information security is moving up
corporate management hierarchies, as board-level directors and CEOs
or CISO/CSOs are increasingly held accountable for safeguarding
IT infrastructures, new research has revealed. The second annual
Global Information Security Workforce Study, conducted by global
analyst firm IDC and sponsored by not-for-profit IT security
educational organisation, the International Information Systems
Security Certification Consortium (ISC)2, expects this accountability
shift to continue as information security becomes more relevant in
risk management and IT governance strategies.


* Browser developers meet, see eye to eye on security
  27th, December, 2005

Developers of four major Web browsers -- Konqueror, Mozilla Firefox,
Opera, and Internet Explorer (IE) -- gathered at an informal meeting
in Toronto on November 17 to review plans and share progress on
security improvements and standards. The intents were making security
information more meaningful to users, and balancing security for
high-traffic sites (such as banks) and smaller organizations and


* Security Is Not Insurance
  27th, December, 2005

What's the hardest part of a chief security officer's job? Evaluating
new technologies? Establishing policies for users to follow?
Actually, it's more political than that, Jim Routh, chief security
officer of Depository Trust & Clearing Corp., said during an Interop
presentation Tuesday. "The hardest part of a CSO's job is influencing
information security and practices that will be implemented
throughout an organization," he said. "It's a delicate process,
particularly when you're asking an IT or business manager to rethink
how they operate. Education is probably the most important strategic
tool for a CSO, without a doubt." And you thought wayward data tapes
throwing themselves off of the back of delivery trucks were going to
be your biggest challenge.


* Rootkits, cybercrime and OneCare
  28th, December, 2005

The year 2005 in net security will likely be remembered as the year
of the Sony rootkit DRM controversy. In other ways the last 12 months
continued the trend of profit becoming a primary driver for the
creation of computer viruses. The last 12 months also witnessed a
number of high-profile cybercrime prosecutions, including the
sentencing of NetSky author Sven Jaschan.


* The Linux Year: A Look Back at 2005
  29th, December, 2005

With the birth of each new year, the accolade of 'year of the
penguin' has been dusted off and pre-emptively awarded time after
time. 2005 was no different, and there's little reason to suppose
that 2006 will underwhelm either.


* What Tech Skills Are Hot For 2006?
  29th, December, 2005

There's continued demand for people with information security skills,
say Symons and others. And even though long-term demand is expected
to remain strong, the growing ranks of people who have obtained IT
security certifications has had a short-term dampening effect on


* Record bad year for tech security
  30th, December, 2005

2005 saw the most computer security breaches ever, subjecting
millions of Americans to potential identity fraud, according to a
report published Thursday.  Over 130 major intrusions exposed more
than 55 million Americans to the growing variety of fraud as personal
data like Social Security and credit card numbers were left
unprotected, according to USA Today.


* All the Rage: It's 2006: Do You Know Where Your Security Policies Are?
  2nd, January, 2006

It's the beginning of a new year--time to review your approach to
security policy. If you think implementing firewalls, IDSs and
antivirus/antispam products is enough, you're sorely mistaken. No
matter the size of your enterprise, you must define a framework of
security policies, standards and procedures for securing valuable
corporate assets. If you don't, you may be leaving your company open
to a variety of vulnerabilities.


* Marriott customer data missing
  29th, December, 2005

A division of the Marriott International hotel empire has notified
more than 200,000 clients of back-up security tapes missing from the
company's Orlando corporate offices.

The breached records contained personal information of about 206,000
associates, timeshare owners and timeshare customers, the company
said this week in a statement.


* Data Security Movement Back-Burnered By Lawmakers
  28th, December, 2005

Despite a year's worth of highly publicized security breaches and a
lot of talk in Congress this summer on ways to protect consumers,
there's been too little done to protect U.S. consumers' data, Gartner
research director Avivah Litan says.


* DNS Name Prediction With Google
  2nd, January, 2006

As discussed in Google Hacking for Penetration Testers from
Syngress publishing[1], there are many different ways to perform
network reconnaissance using Google. Since the publication of that
text, many different ideas and techniques have come to light. This
document addresses one interesting technique, which we'll call DNS
name[2] prediction.  This document assumes you have some knowledge of
basic network recon, and is not intended as a hand-holding approach
to hacking. If you're evil, stop reading this and go work out some
aggression on a sack-o-potatoes or something.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
