[ISN] Linux Security Week - January 30th 2006

From: InfoSec News (isn@private)
Date: Mon Jan 30 2006 - 22:42:33 PST

|  LinuxSecurity.com                         Weekly Newsletter        |
|  January 30th, 2006                         Volume 7, Number 5n     |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@private    |
|                   Benjamin D. Thomas      ben@private     |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Chrooted SSH
HowTo," "Oracle no longer a 'bastion of security'," and "Defending
against unsafe coding practices with 'libsafe'."



EnGarde Secure Community 3.0.3 Released

Guardian Digital is happy to announce the release of EnGarde
Secure Community 3.0.3 (Version 3.0, Release 3). This release
includes several bug fixes and feature enhancements to the
Guardian Digital WebTool, the SELinux policy, and the LiveCD



Hacks From Pax: SELinux Administration

This week, I'll talk about how an SELinux system differs from a
standard Linux system in terms of administration. Most of what
you already know about Linux system administration will still
apply to an SELinux system, but there are some additions and
changes that are critical to understand when using SELinux.



Hacks From Pax: SELinux And Access Decisions

Hi, and welcome to my second of a series of articles on Security
Enhanced Linux. My previous article detailed the background of
SELinux and explained what makes SELinux such a revolutionary
advance in systems security. This week, we'll be discussing how
SELinux security contexts work and how policy decisions are made
by SELinux.

SELinux systems can differ based on their security policy, so
for the purposes of this article's examples I'll be using an
EnGarde Secure Linux 3.0 system, which by default uses a tightly
configured policy that confines every included application.



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

| Security News:      | <<-----[ Articles This Week ]----------

* OpenSSL receives FIPS certification
  23rd, January, 2006

The Cryptographic Module Validation Program (CMVP), a joint effort of
the US and Canadian governments, approved the validation of the
OpenSSL open source security toolkit for implementation of the Secure
Sockets Layer (SSL) and Transport Layer Security (TLS) protocols on


* The Art of Intrusion
  27th, January, 2006

Book review: I'm not that keen on the word 'hacker' in the modern,
pejorative sense (I remember when it meant a good UNIX programmer)
and I'm generally not that impressed by hackers either - mostly
they're not particularly clever and just got lucky.  So, I came to
this book in a not very positive frame of mind; except I do think
that the famous Kevin Mitnick was unfairly demonised, and I'm not
sure how much actual damage he did in the end. Although unauthorised
intrusion into production systems is always bad, what chance is there
they were tested for resilience during the sorts of things intruders
do, for example.


* The Perfect Linux Firewall Part I -- IPCop
  26th, January, 2006

This document describes how to install the GNU/Linux GPL IPCop
firewall and create a small home office network. In the second
installment we cover creating a DMZ for hosting your own web server
or mail server and the Copfilter proxy for filtering web and email

This is intended to be a quick and dirty overview on creating an IPCop
firewall and comes without warranty of any kind!


* Put Up A Strong Defense
  23rd, January, 2006

Most security breaches by insiders are unintentional. They come from
employees who make ill-advised or uninformed choices regarding
storage of their passwords, the Web sites they visit, and the E-mails
they send. The Computing Technology Industry Association's annual
survey on IT Security and the Workforce trends, to be published in
March, indicates that nearly 80% of corporate security breaches are
caused by computer-user error.


* Opening Keynote Speaker Announced for the Second Security-Enhanced
Linux Symposium
  24th, January, 2006

Steve Walker, president of Steve Walker & Associates and managing
partner of Walker Ventures, will be the opening keynote speaker for
the second annual Security-Enhanced Linux (SELinux) Symposium
scheduled for February 27-March 3, 2006 in Baltimore, Maryland.


* Recon 2005 Conference Videos
  25th, January, 2006

REcon is a computer security conference being held in Montreal. The
conference offers a single track of presentations over the span of
three days. Check the conference page for more details.

A three day training course on reverse engineering will be presented
by Nicolas Brulez. Two sessions are being made available, both before
and after the conference. Check the training page for more details.


* Software dotDefender protects Linux & Solaris web servers
  23rd, January, 2006

Applicure announced today the release of dotDefender 2.0 for Solaris
and Linux Web servers. dotDefender secures websites against a broad
range of HTTP-based attacks, including Session attacks (e.g. Denial
of Service, Session Hijacking), Web application attacks (e.g. SQL
injection, Cross-site scripting, and known attack signatures), as
well as requests originating from known attack sources (e.g. spammer
bots and compromised servers).


* Oracle no longer a 'bastion of security': Gartner
  24th, January, 2006

Analyst group Gartner has warned administrators to be "more
aggressive" when protecting their Oracle applications because they
are not getting enough help from the database giant.

Gartner published an advisory on its Web site just days after
Oracle's latest quarterly patch cycle, which included a total of 103
fixes with 37 related to flaws in the company's database products.
Some of the flaws carry Oracle's most serious rating, which means
they're easy to exploit and an attack can have a wide impact.


* Chrooted SSH HowTo
  25th, January, 2006

This tutorial describes how to install and configure OpenSSH so that
it will allow chrooted sessions for users. With this setup, you can
give your users shell access without having to fear that they can see
your whole system. Your users will be jailed in a specific directory
which they will not be able to break out of.


* Oracle in war of words with security researcher
  26th, January, 2006

A security researcher released details of a critical flaw in Oracle's
application and Web software on Wednesday, criticising the company
for not cooperating with the security community and taking too long
to fix software issues that threaten its customers.

The flaw occurs in the way that a module in Oracle's Apache Web
server distribution handles input and could give external attackers
the ability to take control of a backend Oracle database through the
Web server, said David Litchfield, principal researcher of database
security firm Next-Generation Security Software, during a
presentation at the Black Hat Federal security conference.


* MailArchiva: Open Source Email Archiving Server
  26th, January, 2006

There was much hype around the growth of the email archiving market
last year. For example, the IDC predicted that 2005's email
archiving application revenue reached US $310 million worldwide. Good
news! The open source community has just released MailArchiva, a
competitive email archiving product that integrates directly with
Microsoft Exchange.


* SARA, spawn of SATAN
  26th, January, 2006

If you are an old school Linux or Unix user, you probably remember
the System Administrator's Tool for Scanning Networks (SATAN). In
1995, SATAN brought browser-based network auditing to the world.
Despite its initial splash, SATAN fell to the wayside due to lack of
updates. Thanks to the kind folks at the Advanced Research Corp.,
SATAN is back, in the form of the Security Auditor's Research
Assistant (SARA), a kinder, gentler, easier to use, and more updated
auditing tool.


* Hacker PC networks getting harder to find
  23rd, January, 2006

Hacked computer networks, or botnets, are becoming increasingly
difficult to trace as hackers develop new means to hide them, say
security experts.

Botnets are used to send spam, propagate viruses and carry out denial
of service attacks - something that has again come to light with a
high-profile attack on The Million Dollar Home Page, a novel
advertising website idea by a British college student.


* KDE flaws put Linux, Unix systems at risk
  23rd, January, 2006

A serious vulnerability has been found in the popular KDE
open-source software bundle. The flaw, deemed "critical" by the
research outfit the French Security Incident Response Team, could
allow a remote attacker to gain control over vulnerable systems. KDE
is a desktop software package for Linux and Unix systems and includes
the Konqueror Web browser and other applications.


* IBM Predicts 2006 Security Threat Trends
  23rd, January, 2006

IBM recorded more than 1 billion suspicious computer security events
in 2005, despite a leveling off in the amount of spam e-mail and a
decrease in major Internet worm and virus outbreaks.

Enterprises should expect to see the same level of malicious traffic
in 2006, even as online criminal groups shift to stealth attacks and
cyber-extortion instead of massive, global malicious code attacks,
said David Mackey, director of security intelligence at IBM.


* Security Hot Issue for Open-Source Database Developers
  24th, January, 2006

Open-source database deployments rose dramatically in the last half
of 2005, and as one might expect, as more IT pros get acquainted with
these non-proprietary systems, security is a chief concern.
Open-source database makers like MySQL and PostgreSQL simply must
answer some of the most prevalent security-related questions in order
to win more market share.


* IT security becomes 'top priority' for European financial
  25th, January, 2006

The growing threat from hackers, new regulations, reputation issues
and the growing importance of direct channel self-service banking are
pushing IT security to the very top of the corporate agenda for
Western European financial institutions, new research has revealed.

According to the report from IDC company Financial Insights, banking
and finance firms are increasingly finding that their IT security is
coming under pressure from both external hackers and ever-tightening
corporate regulations.


* Users get to the root of Linux security holes
  25th, January, 2006

IT pro Sid Boyce said he did not believe that, in his own words, "the
wet-finger-in-the-wind analysis" applies to Linux as it does with

Boyce, a retired IBM/Amdahl mainframe tech support specialist, said
the assumption that Linux was just as prone to attacks as Windows
because it ran on a PC is incorrect.

"I'm not saying Linux isn't vulnerable, but to compare it in the same
light as Windows is a gross distortion," Boyce said.


* (IN)SECURE Magazine issue 5 has been released
  25th, January, 2006

A new issue of (IN)SECURE magazine has been released in PDF format.
(IN)SECURE Magazine is a freely available digital security magazine
discussing some of the hottest information security topics.


* IT security "top priority" for European financial institutions
  27th, January, 2006

According to the report from IDC company Financial Insights, banking
and finance firms are increasingly finding that their IT security is
coming under pressure from both external hackers and ever-tightening
corporate regulations.

Angela Vacca, senior research analyst for European IT Opportunity:
Financial Services research, said: "Financial institutions are under
constant pressure because hackers' strategies evolve very rapidly and
regulators constantly require stricter levels of control, which
involve continuous upgrades of IT systems. Therefore, financial
institutions that do not tackle security issues are expected to face
huge tangible and intangible costs."


* Cybercrime Feared 3 Times More Than Physical Crime
  26th, January, 2006

Three times more Americans think they'll be hit by computer crime in
the next year than real-world wrongdoing of the old-fashioned kind, a
survey released Wednesday by IBM said.


* Cyber crime strides in lockstep with security
  26th, January, 2006

Information Security made great strides last year.

Sadly, so did cyber crime.

In the U.S., according to a recent FBI study, almost 90 per
cent of firms experienced computer attacks last year despite the use
of security software.

So what happened in 2005?

In a year when rootkits went mainstream and malware went criminal,
information security improved.


* Sharp Ideas Slurp Audit Exposes Threat Of Portable Storage
Devices For Corporate Data Theft
  27th, January, 2006

The application was designed to raise awareness within the corporate
community about the risks associated with unmanaged portable storage
devices in the workplace.


* Defending against unsafe coding practices with "libsafe"
  27th, January, 2006

In a previous tip about securing Linux applications with compiler
extensions, we described a defense-in-depth layered methodology
("defense in depth") to proactively mitigate the potential for risk
or damage arising from fatally-flawed programming constructs.


* Researchers: Rootkits headed for BIOS
  27th, January, 2006

Insider attacks and industrial espionage could become more stealthy
by hiding malicious code in the core system functions available in a
motherboard's flash memory, researchers said on Wednesday at the
Black Hat Federal conference.


* IT industry prepares for the worst over ID cards
  25th, January, 2006

After years in which suppliers have absorbed most of the blame for
government IT failures, the case for there being equal measures of
ineptitude in the civil service is gaining momentum behind the
concerted campaign against ID Cards.

The latest evidence was submitted as a statement this week by
Intellect, the UK's IT trade association, in a thinly veiled case of
passing the blame.


* Accused phone hacker walks free
  24th, January, 2006

Sahil Gupta, the second man charged over the Telecom voicemail
hacking incident in April, walked free from an Auckland court last

Gupta was charged along with a teenager who cannot be identified for
legal reasons. The teen was charged with unauthorised access of a
computer system and pleaded guilty. Gupta was charged under the same
section of the Crimes Act and faced up to two years in prison.


* Man pleads guilty to felony hacking
  24th, January, 2006

A 20-year-old man pleaded guilty Monday to surreptitiously seizing
control of hundreds of thousands of Internet-connected computers and
renting the zombie network to people who mounted attacks on Web
sites, served up pop-up ads and sent out spam.


* Shmoocon 2006: Dan Geer keynote
  27th, January, 2006

Dan Geer's keynote was one of my favorite talks from the con. He
believes that if people respect you enough to have you deliver a
keynote, respect your audience enough to write it out. Thanks to
that provided the full text and a pdf of the slides from his
talk. My summary won't do it justice, but you can at least know
what you are getting yourself into.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
