+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  June 5th, 2006                               Volume 7, Number 23n  |
|                                                                     |
|  Editorial Team:  Dave Wreski                 dave@private          |
|                   Benjamin D. Thomas          ben@private           |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Post-Encryption
Security," "Setup a transparent proxy with Squid in three easy steps," and
"Small Security Risk Still Big Selling Point for Linux."

---

Security on your mind?

Protect your home and business networks with the free, community version
of EnGarde Secure Linux. Don't rely only on a firewall to protect your
network, because firewalls can be bypassed. EnGarde Secure Linux is a
security-focused Linux distribution made to protect your users and their
data. The security experts at Guardian Digital fortify every download of
EnGarde Secure Linux with eight essential types of open source packages.
Then we configure those packages to provide maximum security for tasks
such as serving dynamic websites, high availability mail, transport,
network intrusion detection, and more. The result for you is high
security, easy administration, and automatic updates.

The Community edition of EnGarde Secure Linux is completely free and open
source. Updates are also freely available when you register with the
Guardian Digital Secure Network.

http://www.engardelinux.org/modules/index/register.cgi

---

EnGarde Secure Linux v3.0.6 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.6 (Version 3.0, Release 6).
This release includes several bug fixes and feature enhancements to the
Guardian Digital WebTool and the SELinux policy, several updated packages,
and a couple of new packages available for installation.

http://www.linuxsecurity.com/content/view/122648/65/

---

pgp Key Signing Observations: Overlooked Social and Technical
Considerations

By: Atom Smasher

While there are several sources of technical information on using pgp in
general, and key signing in particular, this article emphasizes social
aspects of key signing that are too often ignored, misleading or incorrect
in the technical literature. There are also technical issues pointed out
where I believe other documentation to be lacking.

http://www.linuxsecurity.com/content/view/121645/49/

---

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Password Hashing
  29th, May, 2006

In this article I'm going to cover password hashing, a subject which is
often poorly understood by newer developers. Recently I've been asked to
look at several web applications which all had the same security issue -
user profiles stored in a database with plain text passwords.

http://www.linuxsecurity.com/content/view/122924

* Post-Encryption Security
  3rd, June, 2006

Last month I reviewed Voltage Security's secure email product, a worthy
exercise since email is the most common method of transmitting documents
from one department to another.

http://www.linuxsecurity.com/content/view/122982

* How To Automate Spamcop Submissions
  29th, May, 2006

Spamcop is a service which provides RBLs for mail servers in order to
reject incoming mail from spammers. Their philosophy is to process
possible spam complaints from users. When they receive a certain amount
of complaints during a time-period then they will blacklist the offender.
This system is dependent on spam reporting from users. However, their
submission process is not very user-friendly.

http://www.linuxsecurity.com/content/view/122923

* Disaster Practice
  4th, June, 2006

When the British government wanted to test the resiliency of its
financial institutions, it commissioned "an afternoon from hell". The
buildup started on a Monday morning last November. First, there was a
failure in the clearing systems used to transfer money between banks
after routine systems maintenance. Then, terrorists staged a series of
bomb attacks around Britain, causing hundreds of casualties in London and
considerable damage to major financial centres. Around the same time,
malicious hackers tried their best to break into the banks' systems. All
in all, 'twas a bad day. The disaster recovery simulation was organized
by the Tripartite Authorities, a group comprising the Financial Services
Authority, the UK Treasury Department and the Bank of England.

http://www.linuxsecurity.com/content/view/122979

* MicroWorld to Launch Futuristic Network Firewall
  27th, May, 2006

MicroWorld Technologies launched its futuristic, enterprise class
firewall eConceal. eConceal is a comprehensive network firewall developed
to prevent unauthorized access to a computer or network connected to the
Internet. It enforces a boundary between two or more networks by
implementing default or user-defined Access Control Policies or Rules.
These rules function as filters by analyzing data packets to see if they
fulfill the filter criteria and then allow or block the traffic
accordingly.

http://www.linuxsecurity.com/content/view/122910

* Can single sign-on be simple sign-on?
  29th, May, 2006

Fundamentally, Single Sign On (SSO) is a straightforward idea. You use a
proxy device to authenticate a user, and the proxy then manages all the
login idiosyncrasies of the applications they want to access. Easy to
describe, and straightforward to transcribe onto slideware.
The devil is, of course, in the detail. For example, how do you know how
all of your enterprise applications manage their login? Does the proxy do
this for you or do you have to write a login script for each one
individually? If you deploy the solution and the application decides it
wants a password refresh, is your helpdesk buried by calls from angry
users who can't get into the application and do their work?

http://www.linuxsecurity.com/content/view/122917

* Taking Steps To Protect Customer Data
  29th, May, 2006

With so much attention paid to malicious attacks by hackers, worms and
viruses, it's a common misconception that outside forces pose the
greatest danger to a company's data. The reality, however, is that
internal elements are far more dangerous when it comes to data security
than anything on the outside, including natural disasters.

http://www.linuxsecurity.com/content/view/122922

* Biometrics - The Wave of the Future?
  1st, June, 2006

Will biometrics be a factor in our future? Of course it will, at least to
the extent that it has been in our past history. We as citizens must
decide upon the best methods to use and the best way to utilize this
technology. Biometrics can be defined in several ways such as the study
of measurable biological characteristics. In reference to Information
Security it specifically applies to the automated use of physiological or
behavioral characteristics to determine or verify identity.

http://www.linuxsecurity.com/content/view/122958

* Security Management From One Platform
  28th, May, 2006

Managing network security gets harder every day as the number and types
of threats multiply. Security is also a double-edged sword, and an
incorrectly implemented or mismanaged security policy can prevent network
commerce and stand in the way of the mission of the enterprise.
http://www.linuxsecurity.com/content/view/122911

* Linux: Setup a transparent proxy with Squid in three easy steps
  29th, May, 2006

Yesterday I got a chance to play with Squid and iptables. The job was to
set up Squid proxy as a transparent server. The main benefit of setting
up a transparent proxy is that you do not have to set up individual
browsers to work with proxies.

http://www.linuxsecurity.com/content/view/122925

* Follow the Appiant way to a more secure network.
  29th, May, 2006

Hardly a day goes by that we don't hear new information about some
company getting themselves hacked. Sure they all have firewalls, but HOW
are the hackers getting in? I was hired to perform an application
security audit for a local university. They wanted to make sure that they
didn't become part of the growing statistics.

http://www.linuxsecurity.com/content/view/122926

* Network auditing on a shoestring
  30th, May, 2006

What do you do when the auditors are breathing down your neck, wanting to
see an exhaustive report on the Windows network security of a 2,000-user
network across eight sites? That's easy. Break out a text editor and
start writing some Perl. That's what my colleague Matt Prigge and I did
when we were tasked with locating every share available on a network and
documenting who had access to their files. At first blush, it was a
Herculean effort. When we started coding and the pieces began to fall
into place, however, it became much simpler.

http://www.linuxsecurity.com/content/view/122930

* Execs Express Top Security Concerns
  30th, May, 2006

When it comes to protecting corporate assets there seems to be little
security managers don't worry about. That's the impression of security
executives attending this week's Converge '06 conference - also known as
security vendor Courion's annual customer meeting.
http://www.linuxsecurity.com/content/view/122935

* Security expert recommends 'Net diversity
  31st, May, 2006

What do you see as the top three information security threats that are
most likely to hit U.S.-based multinationals? One of the biggest threats
we have right now is deployment of resources intended either to save on
cost or enhance features without thinking through the consequences. VoIP
and wireless fall in this category. They have failure modes that are very
different than what they are replacing and are not well understood.
Perceived cost advantages are driving these technologies, but that is
overcoming the caution that should be in place. That's a threat not in
the sense of a particular attack, but it is a systemic problem that leads
to weakness in security posture and therefore may lead to attacks.

http://www.linuxsecurity.com/content/view/122942

* Most sites ready for SSL progress
  2nd, June, 2006

Despite the enormous success of SSL for securing web traffic, there has
been little technical change in the way that SSL is used for secure HTTP
in the ten years since SSL version 3 was introduced. Although it has been
around since 1996, most browsers have continued to make connections
compatible with the older SSL version 2 protocol. But now the major
browser developers are aiming to drop SSL v2 completely; export-grade
encryption ciphers are also to be dropped. SSL version 2 was supported by
Netscape 1.0, back in 1994, and it was made obsolete by SSL version 3,
published in 1996. But while SSL version 3 was soon widely supported, and
over 97% of HTTPS sites also support its successor, TLS, most browsers
have continued to make SSL-v2-compatible connections, in order to stay
compatible.

http://www.linuxsecurity.com/content/view/122972

* The Games Hackers Play
  2nd, June, 2006

This clash has nothing to do with the simulated battles on Gindis,
Eternal Duel, Mobstar or any of the more hip gaming sites. No, this one's
for real.
The villains in this combat are criminal hackers and phishing scammers,
and their targets: unsuspecting on-line gamers.

http://www.linuxsecurity.com/content/view/122975

* Log Analysis for Intrusion Detection
  29th, May, 2006

Log analysis is one of the most overlooked aspects of intrusion
detection. Nowadays we see every desktop with an antivirus, companies
with multiple firewalls and even simple end users buying the latest
security related tools. However, who is watching or monitoring all the
information these tools generate? Or even worse, who is watching your web
server, mail server or authentication logs? I'm not talking about pretty
usage statistics of your web logs (like what webalizer does). I'm talking
about the crucial security information that only few of these events have
and nobody notices. A lot of attacks would not have happened (or would
have been stopped much earlier) if administrators cared to monitor their
logs. We are not saying that log analysis is easy or that you should be
manually looking at all your logs on a daily basis. Because of their
complexity and generally high volume, automatic log analysis is
essential.

http://www.linuxsecurity.com/content/view/122919

* Cybersecurity Contests go National
  1st, June, 2006

It has all the makings of a B-movie plot: A corporate network targeted by
hackers and a half dozen high-school students as the company's only
defense. Yet, teams of students from ten different Iowa high schools
faced exactly that scenario during a single night in late May in the High
School Cyber Defense Competition. The contest tasked the teenagers with
building a network in the three weeks leading up to the competition with
only their teachers, and mentoring volunteers from local technology
firms, as their guides.
http://www.linuxsecurity.com/content/view/122961

* Small Security Risk Still Big Selling Point for Linux
  27th, May, 2006

When the Indiana Department of Education rolled out PCs running Linux to
schools last year, it installed open source antivirus software on the
servers connected to the desktop systems to scan incoming e-mail.
However, it didn't bother to put antivirus tools on the PCs themselves.
"I hate to admit this, but I wasn't worried," said Forrest Gaston, a
consultant who is managing the project for the Indianapolis-based agency.
And despite heavy Internet usage by students, Gaston's optimism has been
borne out thus far. Desktop security "hasn't been an issue," he said.

http://www.linuxsecurity.com/content/view/122908

* 13 Ways To Get Your Developers On Board With Software Security
  2nd, June, 2006

It's easy to understand that software security starts with writing secure
code. Keep the flaws out from the beginning and you've bought yourself
several pounds of prevention. Baking security in up front is logical and
makes good technical and business sense; however, getting your developers
on board with security training is not necessarily going to be an easy
task. At first glance, it might seem that selling software security to
developers would require the same approach as getting buy-in from
executive management and the average user. It's not quite that simple.

http://www.linuxsecurity.com/content/view/122976

* Macro virus aims at OpenOffice, StarOffice
  30th, May, 2006

An unknown virus writer has created the first macro virus that targets
computers running the alternative word processors OpenOffice and
StarOffice, antivirus firm Kaspersky Labs said on Tuesday.

http://www.linuxsecurity.com/content/view/122937

* Linux comes to Sun SPARC servers
  31st, May, 2006

Sun is officially giving customers a wider choice on its SPARC servers
with the announcement that it will support Linux on its new multicore
UltraSPARC T1 systems.
http://www.linuxsecurity.com/content/view/122951

* Firefox 2.0 Bakes in Anti-Phish Antidote
  31st, May, 2006

Mozilla has reached the latest development milestone for its
next-generation Firefox 2.0 "Bon Echo" browser with a little
anti-phishing help from Google.

http://www.linuxsecurity.com/content/view/122953

* Red Hat releases testing and integration tools to Linux developers
  1st, June, 2006

Red Hat has released development tools to the open source community,
which are designed to make it easier for enterprises and developers to
quickly test and integrate new applications with Red Hat Linux and other
Linux distributions.

http://www.linuxsecurity.com/content/view/122965

* The Intelligence Cycle for a Vulnerability Intelligence program
  on-the-cheap
  30th, May, 2006

A Vulnerability Intelligence program should be a key component of any
sound network security strategy. It should dovetail with a Vulnerability
Assessment process and a patching/remediation process. While a
Vulnerability Assessment process will tell you what needs to be patched,
Vulnerability Intelligence should tell you what needs to be patched first
and what new patches need to be evaluated.

http://www.linuxsecurity.com/content/view/122929

* The Finnish security vendor said the services are for small to midsize
  ISPs and their private custom
  30th, May, 2006

The Finnish security vendor said the services are for small to midsize
ISPs and their private customers. The services are PC Protection, which
includes virus and spyware detection and a firewall, and PC Protection
Plus, which adds parental and spam control features.

http://www.linuxsecurity.com/content/view/122938

* John the Ripper Pro
  30th, May, 2006

This is to announce three things at once:

1) I have started making and maintaining commercial releases of John the
   Ripper password cracker, known as John the Ripper Pro.
2) A new version of the tiny POP3 server, popa3d 1.0.2, has been released
   adding a couple of minor optimizations specific to x86-64 to the
   included MD5 routines.

3) A new version of the password hashing package (for use in C/C++
   applications and libraries), crypt_blowfish 1.0.2, has been released
   adding a minor optimization specific to x86-64.

http://www.linuxsecurity.com/content/view/122939

* Everybody's a Server
  28th, May, 2006

The IT world has a reputation of being extremely fast-paced. And it is:
an accounting program in the '80s would have been written in COBOL. In
the '90s it would have been written with a RAD (Rapid Application
Developer) environment such as Delphi or Visual Basic. In the... '00s
(noughties?), today, the same application would probably be written as a
web system, possibly using all of the 'Web 2.0' technologies to make it
responsive and highly usable.

http://www.linuxsecurity.com/content/view/122909

* Application Security Hacking Videos
  29th, May, 2006

With college campuses being hacked into on a seemingly daily basis, and
student information being stolen and used for Identity Theft, I thought
you might like to see how the hacks are being done, and how astoundingly
easy they are. I have produced a video of a security audit I performed on
a local college website that shows how easy these exploits are. There is
also a brief training on the homepage that introduces non-experts to SQL
injection concepts in a fashion that makes it easy to understand.

http://www.linuxsecurity.com/content/view/122920

* Oracle exec hits out at 'patch' mentality
  29th, May, 2006

Oracle's security chief says the software industry is so riddled with
buggy product makers that "you wouldn't get on a plane built by software
developers." Chief Security Officer Mary Ann Davidson has hit out at an
industry in which "most software people are not trained to think in
terms of safety, security and reliability."
Instead, they are wedded to a culture of "patch, patch, patch," at a
cost to businesses of $59 billion, she said.

http://www.linuxsecurity.com/content/view/122921

* Malware Challenges in a Cross-Platform World
  30th, May, 2006

With the advent of the inexpensive and powerful personal computer,
networks have evolved and are now implemented exclusively using small
computers connected among themselves and to the Internet. Don't get me
wrong, though -- the mainframe isn't dead yet. In fact, Gartner estimates
that more than 80% of business applications are written in Cobol, one of
the earliest high-level programming languages. But the truth is that,
although still alive and kicking, the mainframe has nevertheless lost
ground in our current environment, which is focused on PCs and
distributed server architectures.

http://www.linuxsecurity.com/content/view/122934

* Users Versus Hackers: Which Are Worse?
  31st, May, 2006

It's 5 p.m. on a Friday, and you're the lead security engineer for the
headquarters site of a major corporation. Just as you're getting ready to
ease out the door for the weekend, the phone rings and there's a frantic
voice on the other end of the line. It's one of the managers from your
financial department, and it seems that someone has accessed the payroll
records of a number of higher-ranking executives within the company and
attempted changes to their salaries and monthly paychecks.

http://www.linuxsecurity.com/content/view/122946

* Perspective: Hyperlink insecurity
  31st, May, 2006

Imagine a world where no Web site or hyperlink can be trusted, and a
simple click on a hyperlink could slam your computer with a malicious
drive-by download. Sound far-fetched? It's not. Today, trusted Web sites
can no longer be trusted. Those of us who collectively click on the
billions of hyperlinks generated each day by search engines, blogs and
e-mail are playing Russian roulette with our computers.
http://www.linuxsecurity.com/content/view/122952

* Chief Hacks Around With Google
  1st, June, 2006

A reader asked me months ago to talk about the threat of 'Google Hacking'
to an organization, and asked if I used 'Google Hacking' in any of my
risk assessments. In short: hell yes. If you're not attempting to do any
type of reconnaissance with Google on your organization or clients,
you're setting yourself up for a very unwelcome surprise down the road.

http://www.linuxsecurity.com/content/view/122957

* Security Spending Shifts
  3rd, June, 2006

Lingering concern about the overall state of the economy has many CIOs
forecasting a slowdown in IT spending in 2007, according to a new survey
from analyst firm Merrill Lynch. But compliance concerns and the looming
threat of organized crime online mean that security spending remains
healthy. The survey of 75 U.S. and 25 European CIOs reveals that users
expect 5.2 percent spending growth in 2006 and 4.8 percent in 2007.
American execs predict only 4.4 percent spending growth over the coming
12 months, compared to their more bullish international counterparts who
expect 6.1 percent growth.

http://www.linuxsecurity.com/content/view/122978

* Hackers Found to Target University Systems
  31st, May, 2006

Increasing numbers of university systems are becoming targets for
hackers. The recent incident involves the Fairfield, Connecticut-based
Sacred Heart University. The university's system containing information
on 135,000 individuals was hacked recently and data consisting of
personal information like names, addresses, and Social Security numbers
was stolen.

http://www.linuxsecurity.com/content/view/122945

* FAQ: The new 'annoy' law explained
  1st, June, 2006

So what does the rewritten law now say? The section as amended reads like
this: "Whoever...utilizes any device or software that can be used to
originate telecommunications or other types of communications that are
transmitted, in whole or in part, by the Internet...
without disclosing his identity and with intent to annoy, abuse,
threaten, or harass any person...who receives the communications...shall
be fined under title 18 or imprisoned not more than two years, or both."

http://www.linuxsecurity.com/content/view/122959

* Euro Security Initiatives Proposed
  1st, June, 2006

The European Commission today issued a report that calls for greater
education on IT security, and the creation of a common framework for
collecting incident data. In its report, the EC states that European
spending on IT security "represents only around 5 to 13 percent of IT
expenditure, which is alarmingly low." The commission calls for a
cross-border effort to educate users about security and to unify
disjointed national efforts to track exploits.

http://www.linuxsecurity.com/content/view/122963

* Study: Companies should do more to protect employees' personal
  information
  2nd, June, 2006

A study on workplace privacy found that less than half of the people
surveyed believe their employers are doing a good job protecting the
privacy of their personal information. The independent study, "Americans'
Perceptions about Workplace Privacy," was conducted by Elk Rapids,
Mich.-based Ponemon Institute LLC, which looks at information and privacy
management practices in business and government. The report, which was
released yesterday, is based on 945 responses from adults across the U.S.
who work for companies with at least 1,000 employees.

http://www.linuxsecurity.com/content/view/122973

* Stolen YMCA Computer Contains Members' Personal Information
  2nd, June, 2006

The Y-M-C-A of Greater Providence is reporting that one of its two
missing laptop computers contains members' information. The non-profit
organization that provides a range of educational, social and
recreational services says it discovered last week that the computers
were missing.
http://www.linuxsecurity.com/content/view/122974

* The growing challenge of identity management
  2nd, June, 2006

Identity management is a security issue which is becoming increasingly
challenging as the perimeter of the network crumbles. This is well
illustrated by the DTI Information Security Breaches Survey of 2006,
which shows that one in five larger businesses had a security breach
associated with weaknesses in their identity management, with the number
of incidents being lower for smaller companies.

http://www.linuxsecurity.com/content/view/122981

* Stronger cybersecurity bill passes House committee
  31st, May, 2006

The U.S. House of Representatives Judiciary Committee today approved a
bill that would significantly strengthen existing federal cybercrime law
and provide law enforcement with increased enforcement tools. The bill
also offers authorities greater enforcement powers and resources.
Included is a section that provides an additional $10 million annually
to the Secret Service, FBI and Department of Justice to investigate and
prosecute cybercrimes. The bill makes failing to report breaches to the
FBI or Secret Service that involve at least 5,000 customers a crime
punishable by up to five years in prison.

http://www.linuxsecurity.com/content/view/122941

* Fed plan for cybersecurity R&D released
  2nd, June, 2006

The government has outlined its first steps for coordinating and
expanding federal research and development efforts aimed at improving
cybersecurity. The new Federal Plan for Cyber Security and Information
Assurance Research and Development, issued in April and now available
online, lays the groundwork for developing an R&D agenda that will help
address critical gaps in current technologies and capabilities.

http://www.linuxsecurity.com/content/view/122980

* Phar out! Phishers are now Pharming
  29th, May, 2006

If the phishers don't get you the pharmers will, police have warned.
People are now getting wary of the scam called phishing - where people
are sent emails claiming to be from their bank asking them to "confirm"
their account details and passwords.

http://www.linuxsecurity.com/content/view/122918

* Hostage Threat to Home PCs
  30th, May, 2006

Family photos and other priceless content stored in your home computer
could one day be held hostage by a new breed of security threat called
"ransomware". Ransomware typically takes the form of a trojan horse that
holds personal computer files "hostage" and then demands a ransom for
their safe return.

http://www.linuxsecurity.com/content/view/122933

* Video: Hacking A College... or Two
  31st, May, 2006

Joel over at appiant.net has posted a great video of how he used SQL
injection to bypass security controls on a college website. While his
methods may seem 1-2-3 to web application security testers, they are a
great example of just how simple this type of attack is, and a reminder
that you MUST perform this same type of testing on EVERY web application
you deploy, period.

http://www.linuxsecurity.com/content/view/122943

* Turkish Hackers go on Defacement Rampage
  31st, May, 2006

Two Sony websites were hacked yesterday by a Turkish hacker (thanks to
Roberto Preatoni of Zone-H.org for the heads up and explanation). The two
site URLs are:

http://sonymusic.it/index.php
http://sonymusicstudios.co.uk/

http://www.linuxsecurity.com/content/view/122944

* Woman Targeted by Web Hackers
  1st, June, 2006

A woman from Greater Manchester has become a victim of an internet scam
in which hackers hijack computer files and blackmail owners to get them
back. Helen Barrow, a 40-year-old nurse from Rochdale, is believed to be
one of the first victims of the con in the UK.
http://www.linuxsecurity.com/content/view/122962

* Swedish police Web site shut down by hacker attack
  2nd, June, 2006

The Web site of Sweden's national police was shut down after a hacker
attack that investigators on Friday said could be a retaliation for a
crackdown on a popular file-sharing site called The Pirate Bay.

http://www.linuxsecurity.com/content/view/122977

* Police will not pursue ransom hackers
  4th, June, 2006

After a Manchester woman was held to ransom by hackers, experts and
senior police officers have voiced concern that such cases are falling
between the cracks. Greater Manchester Police (GMP) will not be pursuing
the criminals who used a Trojan horse program to lock a Manchester
woman's files and demanded a ransom to release them.

http://www.linuxsecurity.com/content/view/122983

* Triangulation homes in on rogue WLan access points
  30th, May, 2006

Although wireless access points use encryption to secure network
traffic, access to the WLan is open to anyone with a valid log-in.
Foundry Networks aims to control this access based on the physical
location of the end-user. The technology uses triangulation between three
access points to determine the location of a WLan user to within five
metres, said the company.

http://www.linuxsecurity.com/content/view/122931

* Wireless Authentication Solutions
  1st, June, 2006

As is the case with any valuable resource, there must be limitations on
who can access and use your wireless medium. In some situations, such as
when offering wireless access to attract customers, these limitations
will be minimal. In others, we want the greatest possible protection
available. Controlling access to computer resources is best illustrated
in the AAA framework: Authentication, Authorization, and Accounting.

http://www.linuxsecurity.com/content/view/122964

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.
                LinuxSecurity.com

     To unsubscribe email newsletter-request@private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com
This archive was generated by hypermail 2.1.3 : Tue Jun 06 2006 - 22:16:10 PDT