+---------------------------------------------------------------------+
|  LinuxSecurity.com                             Weekly Newsletter    |
|  March 20th, 2006                           Volume 7, Number 12n    |
|                                                                     |
|  Editorial Team:  Dave Wreski                       dave@private    |
|                   Benjamin D. Thomas                ben@private     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "An
introduction to Elliptic Curve Cryptography," "The 7 myths about
protecting your web applications," and "Wi-Fi Security's Personal
Problems."

---

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared
toward providing an open source platform that is highly secure by
default as well as easy to administer. EnGarde Secure Linux includes a
select group of open source packages configured to provide maximum
security for tasks such as serving dynamic websites, high availability
mail transport, network intrusion detection, and more. The Community
edition of EnGarde Secure Linux is completely free and open source, and
online security and application updates are also freely available with
GDSN registration.

http://www.engardelinux.org/modules/index/register.cgi

---

EnGarde Secure Community 3.0.5 Released

Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.5 (Version 3.0, Release 5). This release includes several
bug fixes and feature enhancements to the Guardian Digital WebTool and
the SELinux policy, and several new packages available for installation.
http://www.linuxsecurity.com/content/view/121879/65/

---

pgp Key Signing Observations: Overlooked Social and Technical
Considerations
By: Atom Smasher

While there are several sources of technical information on using pgp
in general, and key signing in particular, this article emphasizes
social aspects of key signing that are too often ignored, misleading or
incorrect in the technical literature. There are also technical issues
pointed out where I believe other documentation to be lacking.

It is important to acknowledge and address social aspects in a system
such as pgp, because the weakest link in the system is the human that
is using it. The algorithms, protocols and applications used as part of
a pgp system are relatively difficult to compromise or 'break', but the
human user can often be easily fooled. Since the human is the weak link
in this chain, attention must be paid to actions and decisions of that
human; users must be aware of the pitfalls and know how to avoid them.

http://www.linuxsecurity.com/content/view/121645/49/

---

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf


+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+


* Cryptography in the Database: The Last Line of Defense
  14th, March, 2006

Excerpt: This chapter discusses how cryptography can address the
concerns raised in the previous chapter. After explaining what
cryptography is and providing a general idea of how it works, we dig
into the various types of cryptographic algorithms and see where the
strengths and weaknesses of each lie.
http://www.linuxsecurity.com/content/view/121920


* Philip Zimmermann releases Zfone for Linux
  15th, March, 2006

Phil Zimmermann thinks Zfone is better than the other approaches to
secure VoIP, because it achieves security without reliance on a PKI,
key certification, trust models, certificate authorities, or key
management complexity that bedevils the email encryption world.

http://www.linuxsecurity.com/content/view/121925


* An introduction to Elliptic Curve Cryptography
  17th, March, 2006

Elliptic Curve Cryptography (ECC) has been gaining momentum as a
replacement for RSA public key cryptography, largely based on its
efficiency, but also because the US National Security Agency (NSA)
included it in its Suite B cryptography recommendations while excluding
RSA. Suite B is a set of algorithms that the NSA recommends for use in
protecting both classified and unclassified US government information
and systems. Public key cryptography is the basis for tools like ssh as
well as Secure Sockets Layer (SSL) for encrypting web traffic. For
readers who would like more information, a nice introduction to public
key cryptography and the RSA algorithm can be found on Wikipedia.

http://www.linuxsecurity.com/content/view/121963


* Linux Dictionary
  19th, March, 2006

(SWP) Sun Wah-PearL Linux Training and Development Centre has an
ambitious aim to promote the use of Linux and related Open Source
Software (OSS) and Standards. The vendor independent positioning of SWP
has been very well perceived by the market. Throughout the last couple
of years, SWP has become the top leading OSS training and service
provider in Hong Kong. And in fact we are leading the market direction
in some ways.

http://www.linuxsecurity.com/content/view/121977


* February's Security Streams
  11th, March, 2006

It's about time I summarize all my February's Security Streams; you
can of course go through my January's Security Streams as well, in case
you're interested in what was inspiring me to blog during January.
http://www.linuxsecurity.com/content/view/121888


* SC Magazine CSO of the Year: Thomas Dunbar, Global Chief Security
  Officer, XL Capital
  15th, March, 2006

As the global chief security officer at a leading multinational
insurance company, Thomas Dunbar has a lot of data to protect, a range
of regulations with which to comply and a huge number of employees whose
access to corporate IT assets he must manage. The efforts he undertakes
on a daily basis to achieve these and other mandates are the primary
reasons why the SC Magazine Awards U.S. for 2006 saw him walk away with
the title of CSO of the Year.

http://www.linuxsecurity.com/content/view/121939


* 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery)
  16th, March, 2006

The newest contender on the block of course is BackTrack, which we have
spoken about previously. An innovative merge between WHax and Auditor
(WHax formerly WHoppix). BackTrack is the result of the merging of two
innovative penetration testing live Linux distributions, Whax and
Auditor, combining the best features from both distributions, and
paying special attention to small details; this is probably the best
version of either distribution to ever come out.

http://www.linuxsecurity.com/content/view/121946


* US Government Studies Open Source Quality
  17th, March, 2006

"US Government Studies Open Source Quality" reads the SlashDot thread,
and it certainly sounds interesting. Reading deeper, it links to an
article by the Reg titled "Homeland Security report tracks down rogue
open source code". The author of the article, Gavin Clarke, doesn't
link to the company who performed the study (Coverity) or the report
itself. A quick Google search finds the Coverity home page.

http://www.linuxsecurity.com/content/view/121967


* FrSIRT Puts Exploits up for Sale
  17th, March, 2006

Independent security research outfit FrSIRT.com is putting its database
of security exploits behind the paid curtain.
FrSIRT, previously known as K-Otik, has shut down the public exploits
section of its Web site and announced that all exploits and
proof-of-concept code will be sold through its subscription-based VNS
(Vulnerability Notification Service).

http://www.linuxsecurity.com/content/view/121969


* Social Engineering Reloaded
  15th, March, 2006

The purpose of this article is to go beyond the basics and explore how
social engineering, employed as technology, has evolved over the past
few years. A case study of a typical Fortune 1000 company will be
discussed, putting emphasis on the importance of education about social
engineering for every corporate security program.

http://www.linuxsecurity.com/content/view/121941


* Anti Phishing Toolbars - Can You Trust Them?
  12th, March, 2006

A lot of recent phishing events occurred, and what should be mentioned
is their constant ambitions towards increasing the number of trust
points between end users and the mirror version of the original site.
The use of SSL and the ease of obtaining a valid certificate for a
to-be fraudulent domain is a fairly simple practice. Phishing is so
much more than this, and it even has to do with buying 0day
vulnerabilities to keep itself competitive. How should phishing be
fought? Educating the end user not to trust that he/she's on
Amazon.com, when he just typed it, or enforcing a technological
solution to the problem of digital social engineering and trust
building?

http://www.linuxsecurity.com/content/view/121890


* VM Rootkits: The Next Big Threat
  13th, March, 2006

Lab rats at Microsoft Research and the University of Michigan have
teamed up to create prototypes for virtual machine-based rootkits that
significantly push the envelope for hiding malware and that can
maintain control of a target operating system. The proof-of-concept
rootkit, called SubVirt, exploits known security flaws and drops a VMM
(virtual machine monitor) underneath a Windows or Linux installation.
http://www.linuxsecurity.com/content/view/121906


* Useful Firefox Security Extensions
  18th, March, 2006

Mozilla's Firefox browser claims to provide a safer browsing experience
out of the box, but some of the best security features of Firefox are
only available as extensions. Here's a roundup of some of the more
useful ones I've found.

http://www.linuxsecurity.com/content/view/121975


* Kids Learn About Cyber Security
  13th, March, 2006

A group of students at Rome Catholic School are learning how to become
the future defenders of cyberspace through a pilot program that
officials say is the first of its kind in the country. The program
teaches students about data protection, computer network protocols and
vulnerabilities, security, firewalls and forensics, data hiding, and
infrastructure and wireless security. Most importantly, officials said,
teachers discuss ethical and legal considerations in cyber security.

http://www.linuxsecurity.com/content/view/121907


* Skype Branded Danger To Enterprise IT Security
  16th, March, 2006

Although cost savings and improved communications are luring
enterprises to Skype, the popular voice over IP service may violate
security policies, industry experts have warned. Burton Group
recommended enterprises assess the risks vs. rewards of Skype as the
simplest solution for evaluating its use.

http://www.linuxsecurity.com/content/view/121942


* The Enemy Within The Firewall
  16th, March, 2006

Employees are now regarded as a greater danger to workplace cyber
security than the gangs of hackers and virus writers launching targeted
attacks from outside the firewall. That is the perception of 75 per
cent of Australian information technology managers who took part in an
international IBM security survey.
http://www.linuxsecurity.com/content/view/121958


* How to Create RFID Access for Your Front Door
  17th, March, 2006

There are many uses for RFID such as supply chain management, but
access control is one of the most relevant applications for personal
use. Many people use RFID access cards to get into buildings, use
elevators, or even open the doors to those special penthouse type hotel
suites. Setting up your own front door (or any door for that matter)
with an RFID enabled access mechanism is pretty easy.

http://www.linuxsecurity.com/content/view/121974


* Digital Forensics and Hacking Investigations
  13th, March, 2006

We discuss network forensics and misuse investigations; different types
of devices that may hold suspect data or evidence; introduction to the
7-layer OSI model; network forensics and the role of sniffers and
protocol analysis software; the function of network interface cards and
layer-2 content inspection; overview of how a NIC works; overview of
how a sniffer works; introduction to promiscuous mode; the 4 ways to
capture traffic for network forensics; introduction to spanning and
mirroring switch ports; introduction to buffered and unbuffered network
taps; layer-2 transparent bridging concepts.

http://www.linuxsecurity.com/content/view/121901


* Security Podcasts Roundup
  13th, March, 2006

We at PaulDotCom security weekly listen to many podcasts in an attempt
to assimilate as much information as possible. Each podcast we listen
to has its own strengths, and there are few on this list that I would
dismiss altogether, but I'll let you be the judge. There have been a
few other blog postings related to security podcasts.

http://www.linuxsecurity.com/content/view/121902


* Photoshop Concepts For Law Enforcement
  13th, March, 2006

With its comprehensive suite of powerful digital imaging products,
Adobe software provides the solutions law enforcement agencies need to
conduct enhanced forensic investigations.
With its unmatched set of image management tools, Adobe Photoshop
software is widely used by law enforcement agencies to make digital
photos of suspects and crime scenes clearer for positive identification.

http://www.linuxsecurity.com/content/view/121904


* Married Couple Indicted for Corporate Espionage
  14th, March, 2006

An Israeli couple has been charged with corporate espionage after the
two were discovered engineering and distributing a Trojan horse
application found to be responsible for several cases of data theft.
The Tel Aviv District Attorney filed the 65-page indictment Sunday and
announced that prosecutors had entered into a plea bargain agreement
with the two defendants. The couple, formerly residents of London, were
extradited to Israel. Prosecutors consider Ruth Haephrati, 29, the
ringleader and principal party responsible for the couple's criminal
enterprise. According to the indictment, Haephrati was the one who
sought out new clients to increase business.

http://www.linuxsecurity.com/content/view/121917


* 'Security pro' - an oxymoron?
  14th, March, 2006

The term 'infosec professional' is almost a contradiction in terms,
according to analyst group Gartner, which warns the field of IT
security is still finding its feet. The analyst house said there is
little agreement on what constitutes professionalism. This means hiring
decisions are complicated by a lack of consensus on the skills needed
and, as a result, many security problems will remain unsolved until
specialists pool their knowledge and experience, Gartner said in a
briefing note.

http://www.linuxsecurity.com/content/view/121919


* The 7 myths about protecting your web applications
  15th, March, 2006

Web applications are currently proving to be one of the most powerful
communication and business tools. But they also come with weaknesses
and potential risks that network security devices are simply not
designed to protect against.
http://www.linuxsecurity.com/content/view/121923


* Basketball Social Engineering
  15th, March, 2006

On March 4, University of California Berkeley (Cal) played a basketball
game against the University of Southern California (USC). With Cal in
contention for the PAC-10 title and the NCAA tournament at stake, the
game was a must-win. Enter "Victoria." Victoria was a hoax UCLA co-ed,
created by Cal's Rally Committee. For the previous week, "she" had been
chatting with Gabe Pruitt, USC's starting guard, over AOL Instant
Messenger. It got serious. Pruitt and several of his teammates made
plans to go to Westwood after the game so that they could party with
Victoria and her friends.

http://www.linuxsecurity.com/content/view/121927


* Study Says RFID Tags Are Vulnerable To Viruses
  15th, March, 2006

A group of European computer researchers have demonstrated that it is
possible to insert a software virus into radio frequency identification
tags, part of a microchip-based tracking technology in growing use in
commercial and security applications. In a paper to be presented
Wednesday at an academic computing conference in Pisa, Italy, the
researchers plan to demonstrate how it is possible to infect a tiny
portion of memory in the chip, which can hold as little as 128
characters of information.

http://www.linuxsecurity.com/content/view/121938


* LAMP lights the way in open-source security
  16th, March, 2006

The most popular open-source software is also the most free of bugs,
according to the first results of a U.S. government-sponsored effort to
help make such software as secure as possible. The so-called LAMP stack
of open-source software has a lower bug density--the number of bugs per
thousand lines of code--than a baseline of 32 open-source projects
analyzed, Coverity, a maker of code analysis tools, announced Monday.
http://www.linuxsecurity.com/content/view/121947


* Top 50 malicious code samples reveals secrets
  16th, March, 2006

While past attacks were designed to destroy data, today's attacks are
increasingly designed to silently steal data for profit without doing
noticeable damage that would alert a user to their presence, the
company said. In its previous report, Symantec cautioned that malicious
code for profit was on the rise, and this trend continued during the
second half of 2005.

http://www.linuxsecurity.com/content/view/121948


* BS7799 Ver 3 Security Standard Published
  17th, March, 2006

The new security standard from BSI, BS7799-3, has been published today.
This is titled "Guidelines for Information Security Risk Management",
and supports the more general security management standard, ISO27001,
which was published last year.

http://www.linuxsecurity.com/content/view/121962


* Report: 80 percent of emails out to manipulate
  14th, March, 2006

Four out of five inbound emails are designed to deceive the recipient,
according to a new report studying the scope of abusive online
messages. The Messaging Anti-Abuse Working Group's (MAAWG) Email Metric
Report, which analyzed data from more than 127 million mailboxes during
last year's fourth quarter, found that more than 142 billion emails
either were tagged or blocked before they reached the end user. Another
61.3 billion emails were the victims of dropped connections, the study
showed. Nearly 37 billion emails were unaltered before reaching their
destination.

http://www.linuxsecurity.com/content/view/121918


* Human Rights and Wrongs Online
  14th, March, 2006

A government's position on censorship used to protect its citizenry is
dictated by who they are. The well-popularized censorship of Internet
content in China by Google and other big players, and criticism of this
by the U.S. government, is really just the tip of the iceberg. On
February 15, the United States Congress held hearings on the role of
U.S.
Internet companies like Google, Microsoft, Yahoo and Cisco in
suppressing free expression and therefore encouraging repressive
tactics by countries like China. The hearings explored the role and the
responsibility of these companies for deliberately filtering
communications, assisting in the interception of citizens'
communications, and using technology to restrict access by citizens to
information.

http://www.linuxsecurity.com/content/view/121921


* Search firms surveyed on privacy
  15th, March, 2006

We asked the same seven questions of each company. Their answers are
reproduced below, with the responses sorted by the companies' names in
alphabetical order. What information do you record about searches? Do
you store IP addresses linked to search terms and types of searches
(image vs. Web)? Weinstein: Any time a search is done on the AOL
service or AOL.com, the left rail on the results page offers a list of
the most recent searches conducted by that user.

http://www.linuxsecurity.com/content/view/121928


* Federal Budget For 2007 To Boost Cybersecurity
  11th, March, 2006

Although President Bush's proposed budget for fiscal 2007 (starting
Oct. 1, 2006) increases spending for key cybersecurity programs, it is
not clear how that money would be spent, raising concerns in the
information security industry. One of the biggest security-related
boosts would be a $35 million infusion to the "critical infrastructure
outreach and partnerships" initiative within the Department of Homeland
Security. The goal of that effort is to increase cooperation and
information sharing among DHS, state and local governments and
infrastructure providers. Thirty million dollars of that allocation
would go toward implementing partnership plans for private industry
verticals like information technology, finance and electrical
utilities.
http://www.linuxsecurity.com/content/view/121887


* How To Legislate Against Hackers
  16th, March, 2006

Everyone is in favour of sending hackers to prison for longer, but
technology commentator Bill Thompson wonders if our MPs are competent
to make good cyber-laws. If all goes to plan and the fuss over ID cards
and school governance does not derail the parliamentary timetable, then
we will soon have a new Police and Justice Act.

http://www.linuxsecurity.com/content/view/121952


* NIST sets FISMA Standards For Federal IT Systems
  17th, March, 2006

The National Institute of Standards and Technology has released the
final standard for securing agency computer systems under the Federal
Information Security Management Act. Federal Information Processing
Standard 200 [1] sets minimum security requirements for federal systems
in 17 security areas. It is the third of three publications required
from NIST under FISMA, which requires executive branch agencies to
establish consistent, manageable IT security programs for non-national
security systems. The intent of FISMA is to implement risk-based
processes for selecting and implementing security controls.

http://www.linuxsecurity.com/content/view/121968


* Linux Zero IP ID Vulnerability?
  15th, March, 2006

I've recently stumbled upon an interesting behaviour of some Linux
kernels that may be exploited by a remote attacker to abuse the ID
field of IP packets, effectively bypassing the zero IP ID in DF packets
countermeasure implemented since 2.4.8 (IIRC).

http://www.linuxsecurity.com/content/view/121940


* Trojan Cryzip Extorts Decryption Fee
  18th, March, 2006

A Trojan making the rounds encrypts victims' files and demands a $300
payment to have them decrypted and unlocked, according to a report by
security firm Lurhq Threat Intelligence Group. This so-called
"ransomware" Trojan, dubbed Cryzip, is the second of its type to emerge
in the past 10 months, following the PGPcoder Trojan.
It also is the third such Trojan to appear since 1989.

http://www.linuxsecurity.com/content/view/121976


* Wi-Fi Security's Personal Problems
  13th, March, 2006

With security such an important concern for wireless networks, most
new Wi-Fi gear has long supported Wi-Fi Protected Access 2 (WPA2), the
latest standard for encrypting data sent over the air. As of this
month, all Wi-Fi gear will, as the Wi-Fi Alliance is making WPA2
compatibility a mandatory part of its interoperability tests. But there
are two kinds of WPA2, and most Wi-Fi phones and many other gadgets
support only the lesser version, which was originally designed for home
networks.

http://www.linuxsecurity.com/content/view/121908


* ISO Rejects China's WAPI Wireless Security Protocol
  16th, March, 2006

The International Standards Organization (ISO) last week rejected a
security protocol that was backed by some Chinese representatives as an
amendment to the group's wireless LAN standard. The ISO turned down the
Chinese technology, called the WLAN Authentication and Privacy
Infrastructure (WAPI), in voting to adopt the IEEE 802.11i security
specification that was developed by the Institute of Electrical and
Electronics Engineers Inc., according to a member of the IEEE 802.11
Working Group who asked not to be named because of working group rules.

http://www.linuxsecurity.com/content/view/121953

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@private with "unsubscribe" in
the subject of the message.
------------------------------------------------------------------------

_________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org
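Worked example for the "An introduction to Elliptic Curve Cryptography"
item above. This is added here and is not code from the newsletter or
the linked article. It implements the group law and double-and-add
scalar multiplication on a tiny curve and runs a Diffie-Hellman
exchange on it; the curve y^2 = x^3 + 2x + 2 over GF(17), generator
G = (5, 1) of order 19, and the private keys are constructed for
illustration. Real curves such as P-256 use ~256-bit primes; the
arithmetic is identical, only the numbers are big.

```python
"""Toy elliptic-curve arithmetic and an ECDH exchange over a tiny curve.

Constructed example: y^2 = x^3 + A*x + B over GF(P) with P = 17, A = B = 2,
generator G = (5, 1), which has order 19. Points are (x, y) tuples; the
point at infinity (the group identity) is represented by None.
"""
from typing import Optional, Tuple

P, A, B = 17, 2, 2          # curve parameters (constructed)
G = (5, 1)                  # generator point (constructed)
N = 19                      # order of G on this curve

Point = Optional[Tuple[int, int]]


def on_curve(pt: Point) -> bool:
    """True if pt satisfies the curve equation (None is always on the curve)."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def point_add(p1: Point, p2: Point) -> Point:
    """Group law: chord-and-tangent addition with the identity/inverse cases."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k: int, pt: Point) -> Point:
    """Double-and-add: k*pt. A private key is the scalar k; the public key is k*G."""
    result: Point = None
    addend = pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdh(priv_a: int, priv_b: int) -> Tuple[Point, Point, Point]:
    """Return (pub_a, pub_b, shared). Each side computes its scalar times the
    other's public point; a*(b*G) == b*(a*G) because the group is commutative."""
    pub_a = scalar_mult(priv_a, G)
    pub_b = scalar_mult(priv_b, G)
    shared_a = scalar_mult(priv_a, pub_b)
    shared_b = scalar_mult(priv_b, pub_a)
    assert shared_a == shared_b
    return pub_a, pub_b, shared_a


if __name__ == "__main__":
    for k in range(1, N + 1):
        print(f"{k:2d}G = {scalar_mult(k, G)}")
    print("ECDH:", ecdh(7, 11))      # private keys 7 and 11 are constructed
```

Walking through the multiples of G shows why the curve order matters:
19G returns to the identity, so private keys live in 1..18 and the
security of the exchange rests on recovering k from k*G being hard,
which on a 17-element field is trivial and on a 256-bit field is not.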
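Worked example for the "Wi-Fi Security's Personal Problems" item above,
added here; it is not code from the newsletter or the linked article.
The "lesser" WPA2 is WPA2-Personal (PSK), where every station shares one
Pairwise Master Key derived from the passphrase and SSID with
PBKDF2-HMAC-SHA1 (4096 iterations, 32 bytes), as specified in IEEE
802.11i; the block derives that key and simulates the offline guessing
that a captured 4-way handshake allows. The SSID "HomeNet" and the
wordlist are constructed; the "password"/"IEEE" pair is the 802.11i
test vector.

```python
"""WPA2-Personal: the passphrase is the whole secret.

PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
Because the derivation has no per-user secret, anyone holding one
captured 4-way handshake can test candidate passphrases offline; the
functions below show the derivation and that attack on constructed input.
"""
import hashlib
from typing import Iterable, Optional


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK/PMK exactly as wpa_passphrase and hostapd do."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def offline_guess(target_psk: bytes, ssid: str, wordlist: Iterable[str]) -> Optional[str]:
    """Simulated dictionary attack: return the first candidate whose derived
    PMK matches the target, or None if the wordlist is exhausted."""
    for candidate in wordlist:
        if wpa2_psk(candidate, ssid) == target_psk:
            return candidate
    return None


def valid_wpa_passphrase(passphrase: str) -> bool:
    """802.11i syntax check only: 8 to 63 printable ASCII characters.
    Passing this says nothing about strength; "password" passes too."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


if __name__ == "__main__":
    ssid = "HomeNet"                                  # constructed
    psk = wpa2_psk("password", ssid)                  # weak passphrase, constructed
    wordlist = ["letmein1", "12345678", "password", "correct horse"]   # constructed
    print("PMK:", psk.hex())
    print("recovered:", offline_guess(psk, ssid, wordlist))
```

WPA2-Enterprise avoids this by running 802.1X/EAP so that each station
gets its own PMK from the authentication server; with Personal mode the
only defence is a long, non-dictionary passphrase, and the syntax check
above is not a substitute for that.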
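Worked example for the "Linux Zero IP ID Vulnerability?" item above,
added here; it is not code from the newsletter or the linked post. The
countermeasure the post refers to is that Linux sends packets with the
Don't Fragment bit set using IP ID 0, so the ID field cannot serve as a
predictable counter for tricks such as idle scanning. The block parses
raw IPv4 headers and reports sources whose DF packets carry non-zero,
sequential IDs, which is the condition a defender would want to spot if
the behaviour in the post were being induced. All header bytes are
constructed inline; the helper names are the author's own.

```python
"""Check IPv4 headers for the "zero IP ID on DF packets" behaviour.

Parses raw 20-byte IPv4 headers (no library needed), groups the IP IDs of
Don't-Fragment packets by source, and flags sources whose DF IDs are
non-zero and step up predictably. Sample traffic is constructed below.
"""
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

IP_DF = 0x4000      # Don't Fragment bit inside the 16-bit flags/fragment-offset field


def parse_ipv4(header: bytes) -> Tuple[str, int, bool]:
    """Return (src, ip_id, df) from the fixed part of an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (_vihl, _tos, _tlen, ip_id, flags_frag, _ttl, _proto, _csum,
     src, _dst) = struct.unpack("!BBHHHBBH4s4s", header[:20])
    return ".".join(map(str, src)), ip_id, bool(flags_frag & IP_DF)


def df_ids_by_source(headers: List[bytes]) -> Dict[str, List[int]]:
    """IP IDs of DF packets per source address, in arrival order."""
    ids: Dict[str, List[int]] = defaultdict(list)
    for h in headers:
        src, ip_id, df = parse_ipv4(h)
        if df:
            ids[src].append(ip_id)
    return dict(ids)


def looks_sequential(ids: List[int], max_step: int = 3) -> bool:
    """True if at least three non-zero IDs each advance by 1..max_step (mod 2^16)."""
    if len(ids) < 3 or any(i == 0 for i in ids):
        return False
    steps = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    return all(1 <= s <= max_step for s in steps)


def report(headers: List[bytes]) -> Dict[str, str]:
    """Per-source verdict on DF packets; sources sending no DF packets are omitted."""
    out: Dict[str, str] = {}
    for src, ids in df_ids_by_source(headers).items():
        if looks_sequential(ids):
            out[src] = "DF packets with predictable IP ID (zero-ID countermeasure not in effect)"
        elif any(ids):
            out[src] = "DF packets with non-zero IP ID"
        else:
            out[src] = "ok: DF packets use IP ID 0"
    return out


def make_header(src: str, ip_id: int, df: bool) -> bytes:
    """Build a minimal IPv4 header (TCP, TTL 64, checksum left 0) for test input."""
    flags = IP_DF if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, flags, 64, 6, 0,
                       bytes(int(o) for o in src.split(".")), bytes([10, 0, 0, 1]))


# Constructed traffic: one host following the countermeasure, one with a
# visible counter on DF packets, one sending only non-DF packets.
SAMPLE = (
    [make_header("192.0.2.10", 0, True) for _ in range(3)]
    + [make_header("192.0.2.20", i, True) for i in (4100, 4101, 4102, 4104)]
    + [make_header("192.0.2.30", 777, False)]
)

if __name__ == "__main__":
    for src, verdict in report(SAMPLE).items():
        print(src, "->", verdict)
```

Non-DF packets are deliberately ignored: fragmentable traffic needs a
real ID for reassembly, so a non-zero ID there is normal and only DF
packets are covered by the countermeasure.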
This archive was generated by hypermail 2.1.3 : Tue Mar 21 2006 - 01:40:29 PST