[ISN] Linux Security Week - January 9th 2005

From: InfoSec News (isn@private)
Date: Mon Jan 09 2006 - 22:34:38 PST

|  LinuxSecurity.com                         Weekly Newsletter        |
|  January 9th, 2005                          Volume 7, Number 2n     |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@private    |
|                   Benjamin D. Thomas      ben@private     |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Demystifying
Security Enhanced Linux," "INFOSEC Assurance Capability Maturity
Model," and "The Importance of a Security, Education, Training and
Awareness Program."






This week, advisories were released for tkdiff, scponly, XnView,
pineentry, KPdf, libgphoto, printer-filters-utils, nss_ldap,
mdkonline, tkcvs, and ethereal.  The distributors include
Debian, Gentoo, and Mandriva.



* EnGarde Secure Community 3.0.3 Released
  6th, December, 2005

Guardian Digital is happy to announce the release of EnGarde
Secure Community 3.0.3 (Version 3.0, Release 3). This release
includes several bug fixes and feature enhancements to the
Guardian Digital WebTool, the SELinux policy, and the LiveCD



Hacks From Pax: SELinux Administration

This week, I'll talk about how an SELinux system differs from a
standard Linux system in terms of administration. Most of what
you already know about Linux system administration will still
apply to an SELinux system, but there are some additions and
changes that are critical to understand when using SELinux.



Hacks From Pax: SELinux And Access Decisions

Hi, and welcome to my second of a series of articles on Security
Enhanced Linux. My previous article detailed the background of
SELinux and explained what makes SELinux such a revolutionary
advance in systems security. This week, we'll be discussing how
SELinux security contexts work and how policy decisions are made
by SELinux.

SELinux systems can differ based on their security policy, so
for the purposes of this article's examples I'll be using an
EnGarde Secure Linux 3.0 system, which by default uses a tightly
configured policy that confines every included application.



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

| Security News:      | <<-----[ Articles This Week ]----------

* Review: Advancing Firewall Protection
  9th, January, 2006

With more than one million users, U.K.-based SmoothWall's Firewall
may just be the most popular software firewall that has yet to become
a household name. Test Center engineers recently took a look at
products from SmoothWall to see what all the buzz is about and to see
exactly why one million users have chosen the product.


* What are Rootkits?
  3rd, January, 2006

Rootkits are Internet-based threats that have recently been discussed
at great length, basically in the light of the fact that a large
company distributed a rootkit with some of its products.

But, what exactly is a rootkit? Why are rootkits so dangerous? Is it
true that they cannot be removed from systems? We are going to try to
give answers to these questions and lay various myths to rest.


* A better VNC with FreeNX for remote desktop control
  9th, January, 2006

VNC is well-known for allowing the remote control of another desktop
machine via your own computer. For instance, using VNC you can easily
control your home PC from work, and vice versa. The problem with VNC
is that it's not overly secure and it can be quite slow, particularly
if you have a lot of fancy graphics or backgrounds on the remote
computer. Other solutions also exist for remote control of a GUI,
such as running X over ssh, proprietary tools like Apple's Remote
Desktop, etc., but they all tend to have the same drawbacks; they are
either insecure or tend to be slow.


* Registration Open for the Second Security-Enhanced Linux Symposium
and Developer Summit
  5th, January, 2006

Registration for the Security-Enhanced Linux (SELinux) Symposium is
now open at www.selinux-symposium.org. The event, scheduled for
February 27-March 3, 2006 in Baltimore, Maryland, explores the
emerging SELinux technology and the power of flexible mandatory
access control in Linux.


* Demystifying Security Enhanced Linux
  6th, January, 2006

In this paper I will try to explain the philosophy behind
Security Enhanced Linux (SE Linux). I will try to explain the
concept with an example, but to keep the length readable I will
refrain from going into much implementation detail, e.g.
commands and similar stuff.


* Security Hole Claimed for BlackBerrys
  3rd, January, 2006

New research released over the weekend indicated that BlackBerrys --
the ubiquitous handheld devices favored by on-the-go types -- are
vulnerable to a security hole that could let attackers break in to
the gadgets by convincing users to open a specially crafted image
file attached to an e-mail.


* Linux Kernel Multiple Denial of Service and Privilege Escalation
  4th, January, 2006

Multiple vulnerabilities were identified in Linux Kernel, which could
be exploited by malicious [local] users to cause a denial of service
and potentially obtain elevated privileges.


* Debian developers trim platform support
  5th, January, 2006

Debian Etch, the next major version of the Linux distribution, will
only be available on eight architectures, with four getting the boot.


* McAfee Settles Fraud Charges
  5th, January, 2006

Security vendor McAfee agreed on Wednesday to pay a $50-million fine
to the U.S. Securities and Exchange Commission to settle charges that
it overstated its revenue and earnings by hundreds of millions of
dollars, closing an unpleasant chapter in the company's history.


* Apache shot with security holes
  9th, January, 2006

Companies running Apache and a PostgreSQL database are at risk from
serious Internet intrusion.

Red Hat warned of a flaw late last week in mod_auth_pgsql, an Apache
module that allows authentication against information in popular
open-source database PostgreSQL.


* Linux Netwosix Creator Discusses 2.0 Vision, Future
  3rd, January, 2006

The recent announcement of the 2.x branch of Linux Netwosix may
prompt LinuxWorld readers to ask why there were two releases--1.3 and
2.0-rc1--of this software within a week.  So we contacted its
creator, 19-year-old Vincenzo Ciaglia of the University of Salerno,
Italy to find the answer to this and other questions.


* Network Forensic Traffic Reconstruction with Tcpxtract
  4th, January, 2006

Today I got a chance to try Nick Harbour's Tcpxtract program. I had
heard of it several months ago, but I had trouble compiling it on
FreeBSD. Just now I tried the regular ./configure, make, make install
routine using version 1.0.1 and had no problems.


* All the Rage: It's 2006: Do You Know Where Your Security Policies
  2nd, January, 2006

It's the beginning of a new year--time to review your approach to
security policy. If you think implementing firewalls, IDSs and
antivirus/antispam products is enough, you're sorely mistaken. No
matter the size of your enterprise, you must define a framework of
security policies, standards and procedures for securing valuable
corporate assets. If you don't, you may be leaving your company open
to a variety of vulnerabilities.


* Over 5,000 bugs in 2005
  2nd, January, 2006

The end of an old year and beginning of a new one is always a
favorite time to compile lists. One such compendium comes from the
US-CERT, the US Computer Emergency Readiness Team, which has come up
with a list of 5,198 software bugs that were discovered during 2005,
a 38 percent increase from 2004. The bugs ran the gamut from A (Aaron
Outpost ASP inline Corporate Calendar Permits Remote SQL Injection on
Windows OSes) to Z (the multiplatform Zyxel Prestige 650R-31 Router
Remote Denial of Service).


* All the Rage: Happy Rue Year
  3rd, January, 2006

If 2005 seemed a particularly overwhelming year in terms of security
problems, you're not imagining things. According to an annual report
compiled by U.K.-based security vendor Sophos, there were about
16,000 new worms, viruses and Trojans identified during the year--48
percent more than the 10,724 detected in 2004. Some 1,940 new threats
were discovered in November alone--the largest monthly increase
Sophos has ever registered.


* CISOs Move Beyond Tech
  3rd, January, 2006

Top security executives will have some of the most fluid job
descriptions in the industry this year. There will be a continuing
separation of operational security from policy setting and oversight,
predicts Paul Stamp, an analyst at Forrester Research.


* Reporter's Notebook: Security
  3rd, January, 2006

Compliance will dominate the security agenda for 2006. The growing
number of regulations -- and the consequences of not complying with
them -- have elevated security into the boardroom. CIOs will use
compliance to justify most of their information security spending
this year -- even for technologies IT would have implemented


* Marriott loses data on 200,000 customers
  3rd, January, 2006

 Hotel chain Marriott admitted last Tuesday that backup computer
tapes containing data on approximately 206,000 customers were missing
from a company office in Florida.

The data, which relates to customers of its time-share division,
Marriott Vacation Club International, included personal information
such as the credit card details, Social Security numbers and, in a
few cases, the bank details of customers.


* Linux vs. Windows security
  3rd, January, 2006

Microsoft and Linux both provide support for authentication, access
control, audit trail/logging, Controlled Access Protection Profile,
and cryptography. However, Linux is superior due to Linux Security
Modules, SELinux, and winbind. The user of a Linux system can decide
to add additional security mechanisms to a Linux distribution without
having to patch the kernel.


* INFOSEC Assurance Capability Maturity Model
  4th, January, 2006

The INFOSEC Assurance - Capability Maturity Model (IA-CMM)
(http://www.iatrp.com/IA-CMMv3_1-%20FINAL-NOV04.doc) is based
on the System Security Engineering Capability Maturity Model
(SSE-CMM) and modified to address the INFOSEC assurance processes.

Whereas IATRP methodology training focuses on an individual's ability
to conduct an INFOSEC assurance service, the IA-CMM appraisal focuses
on a provider organization's capability to support INFOSEC analysts in
conducting their mission objectives (i.e. to provide quality INFOSEC
Assurance or Evaluation).


* More IT Security Pros Filling Executive Roles
  4th, January, 2006

Information security professionals, already experiencing a surge in
demand for their badly needed technical skills, may also get a chance
this year to flex their business acumen.

IT security professionals are being invited into corporate board
rooms around the globe, wielding more influence and finding increased

The 2005 Global Information Security Workforce Study, sponsored by
the International Information Systems Security Certification
Consortium, or (ISC)2, found that more than 70 percent of respondents
believe they exercised more influence on executives in 2005 than in
the previous year. More than 73 percent expect their influence to
continue growing.


* Sad State Of Data Security
  4th, January, 2006

 How does this keep happening? Companies have been publicly
humiliated, slapped with audits, and threatened with prosecution, but
sensitive personal data continues to be compromised. The U.S.
Department of Justice is the latest to demonstrate its
information-security incompetence. The mistake: exposing Social
Security numbers on its Web site.


* 2006: Year of the Hacker?
  5th, January, 2006

Computer hackers sought to create havoc on the Web last week by
launching two attacks targeting Microsoft Windows users -- one
circulating a virus disguised as the company's instant messenger
client, the other exploiting a previously unknown flaw in its
operating system.

The attacks came as computer security experts warned that following a
year that saw an unprecedented 150,000 computer viruses emerge, 2006
could be the worst on record for hacker mayhem.


* Massive demand for unauthorised Windows patch
  5th, January, 2006

Ilfak Guilfanov's personal Web site has been taken offline by his
hosting provider after hordes of Microsoft users scrambled to
download his unofficial patch against the Windows Metafile

According to antivirus firm F-Secure, demand for the unauthorised
Windows Meta File (WMF) patch developed by Guilfanov was so high his
hosting provider temporarily shut his Web site on Wednesday


* The Importance of a Security, Education, Training and Awareness
  5th, January, 2006

End-user computing has emerged as a vital component of the overall
information resource of the organization. [1] This emergence has made
its way not only into the information resource but also in the
information security of an organization. The end-user has access to
the most vital information a company has and either has the knowledge
in how to circumvent the systems that have been put in place to
protect the organization's information, or the lack of knowledge that
is needed to protect this information, as well as the well-being of
the organization's network itself.


* Why Linux Is More Secure Than Ever
  5th, January, 2006

As Linux becomes more prevalent in today's enterprise systems, it
raises questions about the best way to protect the open source
technology. David Humphrey, senior technology advisor for Ekaru, a
Westbrook, Mass.-based technology services company, discussed some of
those issues with Security Pipeline.


* You can't manage what you can't see!
  6th, January, 2006

Security threats have grown more menacing with the appearance of the
likes of Sober, Mytob, and Bagle. Along with the newer trends of
spyware, phishing and key logging the implications of ineffective
information security have become potentially debilitating to business
operations and indeed strategy.


  6th, January, 2006

 Everywhere you look in the trade press today, you'll find glowing
misrepresentations of US-CERT's latest annual summary of
vulnerabilities discovered in 2005. If you take the summary findings
at face value, you would likely conclude that Windows -- with 812
reported vulnerabilities -- is a much safer operating system than
something called "Unix/Linux," which totaled 2,328. The US-CERT
summaries have become the fodder for a FUD festival, and many scribes
sympathetic to the Microsoft cause go out of their way to make sure
the real picture never emerges.


* Experts question Windows win in flaw tally
  6th, January, 2006

Critics have taken aim at a study published by the U.S. Computer
Emergency Readiness Team that said more vulnerabilities were found in
Linux/Unix than in Windows last year.
The report, Cyber Security Bulletin 2005, was released last week. It
claimed that out of 5,198 reported flaws, 812 were found in
Microsoft's Windows operating system, 2,328 were found in open-source
Unix/Linux systems. The rest were declared to be multiple
operating-system vulnerabilities.


* A Step-By-Step Guide to Computer Attacks and Effective Defenses
  9th, January, 2006

Five years after writing one of the original books in the hack attack
and countermeasures genre of books, Ed Skoudis has teamed up with Tom
Liston to create a revised and updated version. Counter Hack Reloaded
brings Counter Hack up to date with new technologies and attack types
as well as providing the information you need to protect your computer
and network from being targeted by these attacks.


* Three more states add laws on data breaches
  9th, January, 2006

 Companies struggling to keep up with a patchwork of state laws
related to data privacy and information security have three more to
contend with, as new security-breach notification laws went into
effect in Illinois, Louisiana and New Jersey on Jan. 1.

Like existing statutes in more than 20 other states, the new laws
prescribe various actions that companies are required to take in the
event of a security breach involving the compromise of personal data
about their customers.


* DNS Name Prediction With Google
  2nd, January, 2006

As discussed in "Google Hacking for Penetration Testers" from
Syngress publishing[1], there are many different ways to perform
network reconnaissance using Google. Since the publication of that
text, many different ideas and techniques have come to light. This
document addresses one interesting technique, which we'll call DNS
name[2] prediction.  This document assumes you have some knowledge of
basic network recon, and is not intended as a hand-holding approach
to hacking. If you're evil, stop reading this and go work out some
aggression on a sack-o-potatoes or something.


* How to sue a British spammer
  6th, January, 2006

Chartered engineer Nigel Roberts became the first person to win a
court judgment over a company's breach of the UK's anti-spam law late
last year. His success received widespread media coverage -- and now
he's encouraging others to do the same.

Roberts sued Media Logistics (UK) Ltd, a marketing firm based in
Falkirk, Scotland, for sending him unsolicited emails about contract
car hire and fax broadcasting businesses.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
