+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  January 9th, 2005                          Volume 7, Number 2n     |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@private              |
|                   Benjamin D. Thomas      ben@private               |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Demystifying Security Enhanced Linux," "INFOSEC Assurance Capability Maturity Model," and "The Importance of a Security, Education, Training and Awareness Program."

---

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec

---

LINUX ADVISORY WATCH

This week, advisories were released for tkdiff, scponly, XnView, pineentry, KPdf, libgphoto, printer-filters-utils, nss_ldap, mdkonline, tkcvs, and ethereal. The distributors include Debian, Gentoo, and Mandriva.

http://www.linuxsecurity.com/content/view/121170/150/

---

* EnGarde Secure Community 3.0.3 Released
  6th, December, 2005

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.3 (Version 3.0, Release 3). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool, the SELinux policy, and the LiveCD environment.

http://www.linuxsecurity.com/content/view/121150/65/

---

Hacks From Pax: SELinux Administration

This week, I'll talk about how an SELinux system differs from a standard Linux system in terms of administration.
Most of what you already know about Linux system administration will still apply to an SELinux system, but there are some additions and changes that are critical to understand when using SELinux.

http://www.linuxsecurity.com/content/view/120700/49/

---

Hacks From Pax: SELinux And Access Decisions

Hi, and welcome to my second of a series of articles on Security Enhanced Linux. My previous article detailed the background of SELinux and explained what makes SELinux such a revolutionary advance in systems security. This week, we'll be discussing how SELinux security contexts work and how policy decisions are made by SELinux.

SELinux systems can differ based on their security policy, so for the purposes of this article's examples I'll be using an EnGarde Secure Linux 3.0 system, which by default uses a tightly configured policy that confines every included application.

http://www.linuxsecurity.com/content/view/120622/49/

---

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Review: Advancing Firewall Protection
  9th, January, 2006

With more than one million users, U.K.-based SmoothWall's Firewall may just be the most popular software firewall that has yet to become a household name. Test Center engineers recently took a look at products from SmoothWall to see what all the buzz is about and to see exactly why one million users have chosen the product.

http://www.linuxsecurity.com/content/view/121188

* What are Rootkits?
  3rd, January, 2006

Rootkits are Internet-based threats that have recently been discussed at great length, basically in the light of the fact that a large company distributed a rootkit with some of its products. But, what exactly is a rootkit? Why are rootkits so dangerous? Is it true that they cannot be removed from systems?
We are going to try to give answers to these questions and lay various myths to rest.

http://www.linuxsecurity.com/content/view/121138

* A better VNC with FreeNX for remote desktop control
  9th, January, 2006

VNC is well-known for allowing the remote control of another desktop machine via your own computer. For instance, using VNC you can easily control your home PC from work, and vice versa. The problem with VNC is that it's not overly secure and it can be quite slow, particularly if you have a lot of fancy graphics or backgrounds on the remote computer. Other solutions also exist for remote control of a GUI, such as running X over ssh, proprietary tools like Apple's Remote Desktop, etc., but they all tend to have the same drawbacks; they are either insecure or tend to be slow.

http://www.linuxsecurity.com/content/view/121185

* Registration Open for the Second Security-Enhanced Linux Symposium and Developer Summit
  5th, January, 2006

Registration for the Security-Enhanced Linux (SELinux) Symposium is now open at www.selinux-symposium.org. The event, scheduled for February 27-March 3, 2006 in Baltimore, Maryland, explores the emerging SELinux technology and the power of flexible mandatory access control in Linux.

http://www.linuxsecurity.com/content/view/121164

* Demystifying Security Enhanced Linux
  6th, January, 2006

In this paper I will try to explain the philosophy behind the Security Enhanced Linux (SE Linux). I will however try to explain the concept with an example but to keep the length readable I will restrain myself to go into much of implementation details for e.g. commands and similar stuff.
http://www.linuxsecurity.com/content/view/121180

* Security Hole Claimed for BlackBerrys
  3rd, January, 2006

New research released over the weekend indicated that BlackBerrys -- the ubiquitous handheld devices favored by on-the-go types -- are vulnerable to a security hole that could let attackers break in to the gadgets by convincing users to open a specially crafted image file attached to an e-mail.

http://www.linuxsecurity.com/content/view/121148

* Linux Kernel Multiple Denial of Service and Privilege Escalation Issues
  4th, January, 2006

Multiple vulnerabilities were identified in Linux Kernel, which could be exploited by malicious [local] users to cause a denial of service and potentially obtain elevated privileges.

http://www.linuxsecurity.com/content/view/121159

* Debian developers trim platform support
  5th, January, 2006

Debian Etch, the next major version of the Linux distribution, will only be available on eight architectures, with four getting the boot.

http://www.linuxsecurity.com/content/view/121165

* McAfee Settles Fraud Charges
  5th, January, 2006

Security vendor McAfee agreed on Wednesday to pay a $50-million fine to the U.S. Securities and Exchange Commission to settle charges that it overstated its revenue and earnings by hundreds of millions of dollars, closing an unpleasant chapter in the company's history.

http://www.linuxsecurity.com/content/view/121168

* Apache shot with security holes
  9th, January, 2006

Companies running Apache and a PostgreSQL database are at risk from serious Internet intrusion. Red Hat warned of a flaw late last week in mod_auth_pgsql, an Apache module that allows authentication against information in popular open-source database PostgreSQL.
http://www.linuxsecurity.com/content/view/121187

* Linux Netwosix Creator Discusses 2.0 Vision, Future
  3rd, January, 2006

The recent announcement of the 2.x branch of Linux Netwosix may prompt LinuxWorld readers to ask why there were two releases--1.3 and 2.0-rc1--of this software within a week. So we contacted its creator, 19-year-old Vincenzo Ciaglia of the University of Salerno, Italy to find the answer to this and other questions.

http://www.linuxsecurity.com/content/view/121142

* Network Forensic Traffic Reconstruction with Tcpxtract
  4th, January, 2006

Today I got a chance to try Nick Harbour's Tcpxtract program. I had heard of it several months ago, but I had trouble compiling it on FreeBSD. Just now I tried the regular ./configure, make, make install routine using version 1.0.1 and had no problems.

http://www.linuxsecurity.com/content/view/121155

* All the Rage: It's 2006: Do You Know Where Your Security Policies Are?
  2nd, January, 2006

It's the beginning of a new year--time to review your approach to security policy. If you think implementing firewalls, IDSs and antivirus/antispam products is enough, you're sorely mistaken. No matter the size of your enterprise, you must define a framework of security policies, standards and procedures for securing valuable corporate assets. If you don't, you may be leaving your company open to a variety of vulnerabilities.

http://www.linuxsecurity.com/content/view/121132

* Over 5,000 bugs in 2005
  2nd, January, 2006

The end of an old year and beginning of a new one is always a favorite time to compile lists. One such compendium comes from the US-CERT, the US Computer Emergency Readiness Team, which has come up with a list of 5,198 software bugs that were discovered during 2005, a 38 percent increase from 2004. The bugs ran the gamut from A (Aaron Outpost ASP inline Corporate Calendar Permits Remote SQL Injection on Windows OSes) to Z (the multiplatform Zyxel Prestige 650R-31 Router Remote Denial of Service).
http://www.linuxsecurity.com/content/view/121135

* All the Rage: Happy Rue Year
  3rd, January, 2006

If 2005 seemed a particularly overwhelming year in terms of security problems, you're not imagining things. According to an annual report compiled by U.K.-based security vendor Sophos, there were about 16,000 new worms, viruses and Trojans identified during the year--48 percent more than the 10,724 detected in 2004. Some 1,940 new threats were discovered in November alone--the largest monthly increase Sophos has ever registered.

http://www.linuxsecurity.com/content/view/121139

* CISOs Move Beyond Tech
  3rd, January, 2006

Top security executives will have some of the most fluid job descriptions in the industry this year. There will be a continuing separation of operational security from policy setting and oversight, predicts Paul Stamp, an analyst at Forrester Research.

http://www.linuxsecurity.com/content/view/121140

* Reporter's Notebook: Security
  3rd, January, 2006

Compliance will dominate the security agenda for 2006. The growing number of regulations -- and the consequences of not complying with them -- have elevated security into the boardroom. CIOs will use compliance to justify most of their information security spending this year -- even for technologies IT would have implemented anyway.

http://www.linuxsecurity.com/content/view/121141

* Marriott loses data on 200,000 customers
  3rd, January, 2006

Hotel chain Marriott admitted last Tuesday that backup computer tapes containing data on approximately 206,000 customers were missing from a company office in Florida. The data, which relates to customers of its time-share division, Marriott Vacation Club International, included personal information such as the credit card details, Social Security numbers and, in a few cases, the bank details of customers.

http://www.linuxsecurity.com/content/view/121143

* Linux vs. Windows security
  3rd, January, 2006

Microsoft and Linux both provide support for authentication, access control, audit trail/logging, Controlled Access Protection Profile, and cryptography. However, Linux is superior due to Linux Security Modules, SELinux, and winbind. The user of a Linux system can decide to add additional security mechanisms to a Linux distribution without having to patch the kernel.

http://www.linuxsecurity.com/content/view/121145

* INFOSEC Assurance Capability Maturity Model
  4th, January, 2006

The INFOSEC Assurance - Capability Maturity Model (IA-CMM) (http://www.iatrp.com/IA-CMMv3_1-%20FINAL-NOV04.doc) is based on the System Security Engineering Capability Maturity Model (SSE-CMM) and modified to address the INFOSEC assurance processes. Whereas IATRP methodology training focuses on an individual's ability to conduct an INFOSEC assurance service, the IA-CMM appraisal focuses on a provider organization's capability to support INFOSEC analysts in conducting their mission objectives (i.e. to provide quality INFOSEC Assurance or Evaluation).

http://www.linuxsecurity.com/content/view/121153

* More IT Security Pros Filling Executive Roles
  4th, January, 2006

Information security professionals, already experiencing a surge in demand for their badly needed technical skills, may also get a chance this year to flex their business acumen. IT security professionals are being invited into corporate board rooms around the globe, wielding more influence and finding increased opportunities. The 2005 Global Information Security Workforce Study, sponsored by the International Information Systems Security Certification Consortium, or (ISC)2, found that more than 70 percent of respondents believe they exercised more influence on executives in 2005 than in the previous year. More than 73 percent expect their influence to continue growing.
http://www.linuxsecurity.com/content/view/121154

* Sad State Of Data Security
  4th, January, 2006

How does this keep happening? Companies have been publicly humiliated, slapped with audits, and threatened with prosecution, but sensitive personal data continues to be compromised. The U.S. Department of Justice is the latest to demonstrate its information-security incompetence. The mistake: exposing Social Security numbers on its Web site.

http://www.linuxsecurity.com/content/view/121156

* 2006: Year of the Hacker?
  5th, January, 2006

Computer hackers sought to create havoc on the Web last week by launching two attacks targeting Microsoft Windows users -- one circulating a virus disguised as the company's instant messenger client, the other exploiting a previously unknown flaw in its operating system. The attacks came as computer security experts warned that following a year that saw an unprecedented 150,000 computer viruses emerge, 2006 could be the worst on record for hacker mayhem.

http://www.linuxsecurity.com/content/view/121161

* Massive demand for unauthorised Windows patch
  5th, January, 2006

Ilfak Guilfanov's personal Web site has been taken offline by his hosting provider after hordes of Microsoft users scrambled to download his unofficial patch against the Windows Metafile vulnerability. According to antivirus firm F-Secure, demand for the unauthorised Windows Meta File (WMF) patch developed by Guilfanov was so high his hosting provider temporarily shut his Web site on Wednesday morning.

http://www.linuxsecurity.com/content/view/121162

* The Importance of a Security, Education, Training and Awareness Program
  5th, January, 2006

End-user computing has emerged as a vital component of the overall information resource of the organization. [1] This emergence has made its way not only into the information resource but also in the information security of an organization.
The end-user has access to the most vital information a company has and either has the knowledge in how to circumvent the systems that have been put in place to protect the organization's information, or the lack of knowledge that is needed to protect this information, as well as the well-being of the organization's network itself.

http://www.linuxsecurity.com/content/view/121163

* Why Linux Is More Secure Than Ever
  5th, January, 2006

As Linux becomes more prevalent in today's enterprise systems, it raises questions about the best way to protect the open source technology. David Humphrey, senior technology advisor for Ekaru, a Westbrook, Mass.-based technology services company, discussed some of those issues with Security Pipeline.

http://www.linuxsecurity.com/content/view/121167

* You can't manage what you can't see!
  6th, January, 2006

Security threats have grown more menacing with the appearance of the likes of Sober, Mytob, and Bagle. Along with the newer trends of spyware, phishing and key logging, the implications of ineffective information security have become potentially debilitating to business operations and indeed strategy.

http://www.linuxsecurity.com/content/view/121179

* US-CERT's FUD
  6th, January, 2006

Everywhere you look in the trade press today, you'll find glowing misrepresentations of US-CERT's latest annual summary of vulnerabilities discovered in 2005. If you take the summary findings at face value, you would likely conclude that Windows -- with 812 reported vulnerabilities -- is a much safer operating system than something called "Unix/Linux," which totaled 2,328. The US-CERT summaries have become the fodder for a FUD festival, and many scribes sympathetic to the Microsoft cause go out of their way to make sure the real picture never emerges.

http://www.linuxsecurity.com/content/view/121182

* Experts question Windows win in flaw tally
  6th, January, 2006

Critics have taken aim at a study published by the U.S.
Computer Emergency Readiness Team that said more vulnerabilities were found in Linux/Unix than in Windows last year. The report, Cyber Security Bulletin 2005, was released last week. It claimed that out of 5,198 reported flaws, 812 were found in Microsoft's Windows operating system, 2,328 were found in open-source Unix/Linux systems. The rest were declared to be multiple operating-system vulnerabilities.

http://www.linuxsecurity.com/content/view/121183

* A Step-By-Step Guide to Computer Attacks and Effective Defenses
  9th, January, 2006

Five years after writing one of the original books in the hack attack and countermeasures genre of books, Ed Skoudis has teamed up with Tom Liston to create a revised and updated version. Counter Hack Reloaded brings Counter Hack up to date with new technologies and attack types as well as providing the information you need to protect your computer and network from being targeted by these attacks.

http://www.linuxsecurity.com/content/view/121184

* Three more states add laws on data breaches
  9th, January, 2006

Companies struggling to keep up with a patchwork of state laws related to data privacy and information security have three more to contend with, as new security-breach notification laws went into effect in Illinois, Louisiana and New Jersey on Jan. 1. Like existing statutes in more than 20 other states, the new laws prescribe various actions that companies are required to take in the event of a security breach involving the compromise of personal data about their customers.

http://www.linuxsecurity.com/content/view/121186

* DNS Name Prediction With Google
  2nd, January, 2006

As discussed in "Google Hacking for Penetration Testers" from Syngress publishing[1], there are many different ways to perform network reconnaissance using Google. Since the publication of that text, many different ideas and techniques have come to light. This document addresses one interesting technique, which we'll call DNS name[2] prediction.
This document assumes you have some knowledge of basic network recon, and is not intended as a hand-holding approach to hacking. If you're evil, stop reading this and go work out some aggression on a sack-o-potatoes or something.

http://www.linuxsecurity.com/content/view/121131

* How to sue a British spammer
  6th, January, 2006

Chartered engineer Nigel Roberts became the first person to win a court judgment over a company's breach of the UK's anti-spam law late last year. His success received widespread media coverage -- and now he's encouraging others to do the same. Roberts sued Media Logistics (UK) Ltd, a marketing firm based in Falkirk, Scotland, for sending him unsolicited emails about contract car hire and fax broadcasting businesses.

http://www.linuxsecurity.com/content/view/121178

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
------------------------------------------------------------------------