+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  June 12th, 2006                           Volume 7, Number 24n     |
|                                                                     |
|  Editorial Team:  Dave Wreski              dave@private             |
|                   Benjamin D. Thomas       ben@private              |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Building a heterogeneous home network for Linux and Mac OS X," "Fundamentals of Storage Media Sanitation," and "Password Cracking and Time-Memory Trade Off."

---

Security on your mind?

Protect your home and business networks with the free, community version of EnGarde Secure Linux. Don't rely only on a firewall to protect your network, because firewalls can be bypassed. EnGarde Secure Linux is a security-focused Linux distribution made to protect your users and their data.

The security experts at Guardian Digital fortify every download of EnGarde Secure Linux with eight essential types of open source packages. Then we configure those packages to provide maximum security for tasks such as serving dynamic websites, high availability mail, transport, network intrusion detection, and more. The result for you is high security, easy administration, and automatic updates.

The Community edition of EnGarde Secure Linux is completely free and open source. Updates are also freely available when you register with the Guardian Digital Secure Network.
http://www.engardelinux.org/modules/index/register.cgi

---

EnGarde Secure Linux v3.0.7 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.7 (Version 3.0, Release 7).
This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and several new packages available for installation.
http://www.linuxsecurity.com/content/view/123016/65/

---

pgp Key Signing Observations: Overlooked Social and Technical Considerations
By: Atom Smasher

While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking.
http://www.linuxsecurity.com/content/view/121645/49/

---

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Cleaning up data breach costs 15x more than encryption
  7th, June, 2006

Protecting customer records is a magnitude less expensive than paying for cleanup after a data breach or massive records loss, a research company said Tuesday. Gartner analyst Avivah Litan said in a research note that data protection is cheaper than a data breach. She recently testified on identity theft at a Senate hearing held after the Department of Veterans Affairs lost 26.5 million vet identities.
http://www.linuxsecurity.com/content/view/123023

* A Comparison of SNMP v1, v2 and v3
  5th, June, 2006

During its development history, the communities of researchers, developers, implementers and users of the DARPA/DoD TCP/IP protocol suite have experimented with a wide range of protocols in a variety of different networking environments. The Internet has grown, especially in the last few years, as a result of the widespread availability of software and hardware supporting this system.
The scaling of the size and scope of the Internet and increased use of its technology in commercial applications has underscored for researchers, developers and vendors the need for a common network management framework within which TCP/IP products can be made to work.
http://www.linuxsecurity.com/content/view/122997

* Disaster Practice
  4th, June, 2006

When the British government wanted to test the resiliency of its financial institutions, it commissioned "an afternoon from hell". The buildup started on a Monday morning last November. First, there was a failure in the clearing systems used to transfer money between banks after routine systems maintenance. Then, terrorists staged a series of bomb attacks around Britain, causing hundreds of casualties in London and considerable damage to major financial centres. Around the same time, malicious hackers tried their best to break into the banks' systems. All in all, 'twas a bad day. The disaster recovery simulation was organized by the Tripartite Authorities, a group comprising the Financial Services Authority, the UK Treasury Department and the Bank of England.
http://www.linuxsecurity.com/content/view/122979

* May's Security Streams
  5th, June, 2006

Here's May's summary of all the security streams during the month. This is perhaps among the few posts in which I can actually say something about the blog, the individual behind it, and its purpose, which is to - question, provoke, and inform on the big picture. After all, "I want to know God's thoughts... all the rest are details", one of my favorite Albert Einstein's quotes. The way we often talk about a false feeling of security, we can easily talk about a false feeling of blogging, and false feeling of existence altogether. It is often assumed that the more you talk, the more you know, which is exactly the opposite, those that talk know nothing, those that don't, they do.
There's nothing wrong with that of referring to yourself, as enriching yourself through past experience helps you preserve your own unique existence, and go further. Awakening the full potential within a living entity is a milestone, while self preservation may limit the very development of a spirit -- or too much techno thrillers recently? :)
http://www.linuxsecurity.com/content/view/122995

* (IN)SECURE Magazine Issue 7 Has Been Released
  9th, June, 2006

(IN)SECURE Magazine is a free digital security magazine in PDF format. In this issue you can read about SSH port forwarding, server monitoring with munin and monit, compliance vs. awareness, and much more. Get your copy today!
http://www.linuxsecurity.com/content/view/123055

* Abandon E-mail!
  5th, June, 2006

Back in 1972, by some accounts, a new form of communication known as e-mail was born. It was a practical implementation of electronic messaging that was first seen on local timeshare computers in the 1960s. I can only imagine how much fun and revolutionary it must have been to use e-mail in those early years, to have been at the bleeding edge of the curve. Almost ten years later, in November 1981, Jonathan Postel published RFC 788 (later deprecated by RFC 821, also by Postel, and RFC 822 by David Crocker), thereby inventing the foundations of the Simple Mail Transport Protocol (SMTP) - a proposal that would revolutionize e-mail again. Since that time, e-mail has become as important an invention to the world as the telegraph and the telephone, and it has long been synonymous with the Internet itself.
http://www.linuxsecurity.com/content/view/122992

* Building a heterogeneous home network for Linux and Mac OS X
  8th, June, 2006

You can find plenty of information online about building heterogeneous networks involving Windows, but relatively little about connecting Macs with Linux PCs in a home or small office network.
Mac OS X's Unix base, however, means there are plenty of good options for networking a Mac with a Linux PC, despite the relative lack of documentation. In this article, I'll discuss how to set up Mac-Linux printer and file sharing using NFS and SSH.
http://www.linuxsecurity.com/content/view/123057

* Security Without Firewalls: Sensible Or Silly?
  6th, June, 2006

For years, infosec experts have called the firewall a critical ingredient to security, whether it's in a large enterprise or on a home PC. But the San Diego Supercomputer Center (SDSC) has defied that logic with what some would consider surprising success. Abe Singer, computer security manager for the SDSC's Security Technologies Group, explained how companies can maintain strong firewall-free security at the 2006 USENIX Annual Technical Conference Thursday. He has also produced a presentation (.pdf) on the subject.
http://www.linuxsecurity.com/content/view/122999

* Standards In Desktop Firewall Policies
  7th, June, 2006

The idea of a common desktop firewall policy in any size organization is a very good thing. It makes responses to external or internal situations such as virus outbreaks or network-oriented propagation of viruses more predictable. In addition to providing a level of protection against port scanning, attacks or software vulnerabilities, it can provide the organization's local security team a baseline or starting point in dealing with such events. The purpose of this article is to discuss the need for a desktop firewall policy within an organization, determine how it should be formed, and provide an example of one along with the security benefits it provides an organization.
http://www.linuxsecurity.com/content/view/123025

* Users hit by multi-browser threat
  8th, June, 2006

Security vendors have warned of a flaw that affects an unusually broad cross-section of browsers -- Internet Explorer, Firefox and the Mozilla suite on Windows, Linux and Mac OS X -- and could be used to hoover up files from vulnerable systems. The problem is in the way the browsers implement scripting -- JavaScript in Firefox and Active Scripting in IE. Both browsers have a design error in which a script can cancel certain keystroke events when users are entering text.
http://www.linuxsecurity.com/content/view/123042

* UTM - Preparing for New Generation of Security Threats
  6th, June, 2006

Securing networks has rapidly taken center stage among most enterprises as the threat from increasingly sophisticated attacks becomes more complex and costly to manage. According to the research group IDC, enterprises worldwide spent an estimated $32.6Bn in 2005 on network security but are still faced with an ever-changing landscape of new security threats. Traditional network defense solutions such as firewalls and intrusion prevention devices must be supplemented by secure content management devices in order to block the full range of sophisticated attacks including viruses, spyware, spam and phishing.
http://www.linuxsecurity.com/content/view/122998

* Social Engineering, The USB Way
  7th, June, 2006

We recently got hired by a credit union to assess the security of its network. The client asked that we really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees. The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans.
Several other clients have raised the same concern, yet few have done much to protect themselves from a rogue USB drive plugging into their network. I wanted to see if we could tempt someone into plugging one into their employer's network.
http://www.linuxsecurity.com/content/view/123031

* Researchers eye machines to analyze malware
  8th, June, 2006

The reverse engineer--better known amongst security researchers by his nom de plume, Halvar Flake--created an automated system for classifying software into groups, a process for which he believes machines are much better suited. Research using the system has underscored the sometimes-arbitrary decisions humans make in classifying malicious programs, he said.
http://www.linuxsecurity.com/content/view/123050

* The top five ways to prevent IP spoofing
  9th, June, 2006

The term "spoofing" is generally regarded as slang, but refers to the act of fooling -- that is, presenting a false truth in a credible way. There are several different types of spoofing that occur, but most relevant to networking is the IP spoof. Most types of spoofing have a common theme: a nefarious user transmits packets with an IP address, indicating that the packets are originating from another trusted machine.
http://www.linuxsecurity.com/content/view/123066

* How To Analyze HijackThis Logs
  5th, June, 2006

HijackThis is a free tool developed by Merijn Bellekom, a student in The Netherlands. Spyware removal software such as Adaware or Spybot S&D do a good job of detecting and removing most spyware programs, but some spyware and browser hijackers are too insidious for even these great anti-spyware utilities. HijackThis is written specifically to detect and remove browser hijacks, or software that takes over your web browser, alters your default home page and search engine and other malicious things.
http://www.linuxsecurity.com/content/view/122989

* How-To: Back-up your blog (Linux)
  7th, June, 2006

Bad things happen.
If you've ever worried that the over-caffeinated tech might spill his latte down your web server, then today's How-To will help you out. Forgetting to back up your blog (or your website) is something that isn't a big deal until you need it -- like backing up anything, really. But your blog's files and databases aren't really so simply accessible as the files on your PC, so today we're showing you how to automatically back up your blog (or website) with some freely available tools that will use a minimum amount of your precious bandwidth.
http://www.linuxsecurity.com/content/view/123019

* EnGarde Secure Community 3.0.7
  6th, June, 2006

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.7 (Version 3.0, Release 7). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and several new packages available for installation.
http://www.linuxsecurity.com/content/view/123016

* Symantec to Port Veritas Storage Software to IBM Linux Platform
  8th, June, 2006

Software security and storage specialist Symantec June 7 announced an agreement with IBM to port its Veritas Cluster Server, Veritas Storage Foundation family and NetBackup recovery technology to IBM's Linux on POWER platform, opening a new door to the open-source enterprise storage market.
http://www.linuxsecurity.com/content/view/123056

* Announcement: RSBAC 1.2.7
  9th, June, 2006

The RSBAC team is happy to announce that RSBAC 1.2.7 has just been released for both kernels 2.4.32 and 2.6.16.
http://www.linuxsecurity.com/content/view/123060

* Non-standard Incident Prediction
  5th, June, 2006

We are all familiar with the use of firewall logs, intrusion detection alerts, antivirus warnings, and watching for "funny" entries in our system logs as ways to indicate that somebody on the Internet is up to no good.
But those traditional detection systems don't do any good against attacks that are not oriented on one of the traditional seven layers of the OSI model.
http://www.linuxsecurity.com/content/view/122988

* The Enterprise Gets Googled
  5th, June, 2006

On February 14, 2006, many Google e-mail users received an unexpected Valentine's Day present. When they logged in to their accounts, there it was: instant messaging, fully integrated with their e-mail system. Gmail users could now chat in the same browser window as their inbox. Just as with e-mail, the system would save a transcript of every chat and, better yet, the text of archived transcripts would be searchable. There was nothing to download, nothing to install.
http://www.linuxsecurity.com/content/view/122990

* Spyware infections spreading, security expert says
  5th, June, 2006

Spyware programs are increasing in number and growing in sophistication to avoid detection, making it harder to guard against infections and more costly to repair their damage, according to a security expert whose company tracks them on a regular basis.
http://www.linuxsecurity.com/content/view/122993

* Open source consortium addresses security
  5th, June, 2006

The Open Web Application Security Project (OWASP) has announced the availability of a process guide that it hopes will help a broad range of developers incorporate security into the software application development lifecycle (SDLC).
http://www.linuxsecurity.com/content/view/122994

* Fundamentals of Storage Media Sanitation
  6th, June, 2006

One of the most fundamental principles of information security is that it's all about the data. Data in transit or at rest is the primary focus of administrative, physical, and technical safeguards. Security professionals are doing better every day when it comes to protecting information in static production environments. But what happens when magnetic, optical, or semiconductor media is repurposed or retired?
In this paper, I define media sanitation and how it fits into an overall security program. Next, I examine how attackers can extract information from electronic media even after it's been overwritten. Finally, I explore ways you can protect your organization from attacks both casual and highly motivated.
http://www.linuxsecurity.com/content/view/123003

* How to win friends and influence people with IT security certifications
  7th, June, 2006

The public and private sectors put IT Security on top of their agenda these days, and, as a result, the IT and Information Security job market is growing. At some point though, the market will saturate as businesses seek to curb their investments, security services become more standardized and IT as a whole moves to a more service-oriented business model. Is your career strategy ready?
http://www.linuxsecurity.com/content/view/123009

* A Continuing Work in Progress: The State of Linux 2006
  7th, June, 2006

To label Linux a purely enthusiast or hobbyist operating system is overly facile; such a stance also categorically denies that Linux has any real industry presence. On the contrary, prominent top-tier manufacturers such as Dell, IBM, Sun Microsystems, and Hewlett-Packard all openly support Linux in select product lines, and many lower-tier manufacturers have adopted this platform to establish cost-effective price points in various highly competitive marketplaces. Government support for Linux also comes in a variety of forms. Most notably, this includes the NSA-sponsored Security Enhanced Linux (SELinux) policy extensions adopted into the mainstream by Red Hat starting with Fedora Core 2 (the current version is Fedora Core 5). SELinux extends basic security functionality to the Linux platform, and makes it easier to create a hardened installation. These are only a few examples of where Linux is actively developed by high-visibility organizations, all of which take this platform very seriously.
http://www.linuxsecurity.com/content/view/123020

* JavaScript security threat to Internet Explorer and Firefox
  7th, June, 2006

A JavaScript security bug has been discovered in both the Internet Explorer and Firefox browsers. The threat covers the Windows, Linux, and Mac operating systems, say internet security software companies.
http://www.linuxsecurity.com/content/view/123022

* Cybercrime Spurs College Courses In Digital Forensics
  7th, June, 2006

One of the hottest new courses on U.S. college campuses is a direct result of cybercrime. Classes in digital forensics - the collection, examination and presentation of digitally stored evidence in criminal and civil investigations - are cropping up as fast as the hackers and viruses that spawn them. About 100 colleges and universities offer undergraduate and graduate courses in digital forensics, with a few offering majors. There are programs at Purdue University, Johns Hopkins University, the University of Tulsa, Carnegie Mellon University and the University of Central Florida. Five years ago, there were only a handful.
http://www.linuxsecurity.com/content/view/123026

* Cyber extortion, A very real threat
  7th, June, 2006

Criminal gangs are increasingly using the internet as a tool to extort money from businesses. Thousands of distributed denial of service attacks (DDoS) are occurring globally every day and it is vital that senior management wakes up to the very real risk of such an assault.
http://www.linuxsecurity.com/content/view/123028

* Password Cracking and Time-Memory Trade Off
  8th, June, 2006

Every time I go on line, I usually am up to no good. My intentions are often never hostile, but I do take part in the shady business of password cracking. Meaning I actively use unorthodox methodology, that I know for a fact the FBI frowns down upon, to obtain hashes. Once obtained I usually spend a few hours cracking these hashes via good old-fashioned bruteforcing.
Now, bruteforcing is the most reliable method of password cracking in existence today.
http://www.linuxsecurity.com/content/view/123041

* The top 9 ways to secure mobile devices
  8th, June, 2006

In the past six months a disturbing trend has emerged involving the theft of laptops containing sensitive personal information -- most recently from the home of a U.S. Department of Veterans Affairs data analyst.
http://www.linuxsecurity.com/content/view/123048

* Digital forensics hits U.S. college campuses
  9th, June, 2006

About 100 colleges and universities offer undergraduate and graduate courses in digital forensics, with a few offering majors. There are programs at Purdue University, Johns Hopkins University, the University of Tulsa, Carnegie Mellon University and the University of Central Florida. Five years ago, there were only a handful.
http://www.linuxsecurity.com/content/view/123062

* British Library to secure its digital treasures
  9th, June, 2006

The British Library is adopting a new data security system that will enable it to safely store web publishing content. The library has selected nCipher to protect the integrity of its National Digital Library. This library will contain everything from digitised versions of centuries-old manuscripts to digital journals and web archives, and is expected to amass up to 300 terabytes of content over the next five years.
http://www.linuxsecurity.com/content/view/123063

* Browsers, Phishing, and User Interface Design
  6th, June, 2006

Occasionally a criminal is so, well, clever that you have to admire him even as you wish that he spends the rest of his life in jail. Take Arnold Rothstein, for instance. One of the kingpins of organized crime in New York City during Prohibition and before, the "Great Brain," as he was termed, was more than likely behind the infamous Black Sox scandal, in which the 1919 World Series was fixed in favor of the Cincinnati Reds.
http://www.linuxsecurity.com/content/view/123005

* Personal Displays Keep Data Private
  7th, June, 2006

The dueling needs for privacy and data sharing played out here at the annual SID (Society of Information Display) International Symposium. Vendors showed new technologies that can keep neighbors on a flight from getting a glimpse of the corporate secrets on a laptop screen and new ways to share video on an iPod or handheld.
http://www.linuxsecurity.com/content/view/123024

* When data walks
  7th, June, 2006

The recent theft of data on 26.5 million veterans sends agencies a chilling message: Lock down your own data security and privacy policies immediately or you might wind up with confidential data walking out your own door. The Veterans Affairs Department probably is not the only agency whose security and privacy policies have gaping holes, government and industry experts agree.
http://www.linuxsecurity.com/content/view/123027

* IRS missing laptop with employee data
  7th, June, 2006

The IRS said that one of its laptops containing data about 291 IRS employees and job applicants went missing in early May when it was lost in transit to an agency event. The information contained on the laptop included fingerprints, names, dates of birth and Social Security numbers for the 291 individuals.
http://www.linuxsecurity.com/content/view/123021

* Ervin: DHS Fails Security Mission
  8th, June, 2006

Clark Ervin was strolling down a Manhattan street in April 2005 when the red light on his BlackBerry indicated he had a message. The former inspector general of the Homeland Security Department looked at the device and saw that the Associated Press had reported the results of the latest IG investigation on airport security. Those results showed no improvement in screeners' abilities to detect deadly weapons, compared with the results of similar investigations done in 2001 and 2003. It was far easier than it should have been even after the [Sept.
11, 2001] attacks for government investigators to sneak these weapons through, said Ervin, who served as the department's first IG for about two years. He recounted the story in his keynote speech today at the 26th Annual Management of Change Conference sponsored by the American Council for Technology and by the Industry Advisory Council, to illustrate an important point.
http://www.linuxsecurity.com/content/view/123051

* House rejects Net neutrality rules
  9th, June, 2006

The U.S. House of Representatives definitively rejected the concept of Net neutrality on Thursday, dealing a bitter blow to Internet companies like Amazon.com, eBay and Google that had engaged in a last-minute lobbying campaign to support it.
http://www.linuxsecurity.com/content/view/123067

* Police will not pursue ransom hackers
  4th, June, 2006

After a Manchester woman was held to ransom by hackers, experts and senior police officers have voiced concern that such cases are falling between the cracks. Greater Manchester Police (GMP) will not be pursuing the criminals who used a Trojan horse program to lock a Manchester woman's files and demanded a ransom to release them.
http://www.linuxsecurity.com/content/view/122983

* A degree in hacking
  6th, June, 2006

The University of Advancing Technology (UAT) in Phoenix, Ariz., is marketing its new Network Security program as a way to get a degree in hacking. The school is drawing the interest of geeks who use Windows, Linux, and Macintosh, according to UAT's IT manager Raymond Todd Blackwood, and even a few who want to go to the dark side of network security. Hackerdegree.com's Web page looks like a non-Windows desktop with a few terminals open, inviting the curious to learn more about fighting "cybercrime," "cybertheft," and even "cyberterrorism."
http://www.linuxsecurity.com/content/view/123004

* Forget your password? Be google!
  8th, June, 2006

For more and more websites you need to register or pay to have full access.
The odd thing is that Google has the complete and full index of the website. So what's going on here? Why must regular users pay or register to have access when the Google search engine bot has full access? The reason is simple; every site wants to use the benefits of the wonderful world of Google, for webmasters free advertising is always welcome. But there is a simple way to be the Google (search)Bot. In this little article I will try to explain it.
http://www.linuxsecurity.com/content/view/123040

* Man charged with selling hacked VOIP services
  8th, June, 2006

A Miami man was charged Wednesday with stealing more than 10 million minutes of VOIP (Voice over Internet Protocol) telephone service and then selling them to unsuspecting customers for as little as US$0.004 per minute.
http://www.linuxsecurity.com/content/view/123052

* PC hidden in 'BlueBag' exposes Bluetooth flaws
  8th, June, 2006

If you happened to fly through Milan's Malpensa Airport last March, your mobile phone may have been scanned by the BlueBag. Billed as a research lab on wheels, BlueBag was created by Milan's Secure Network SRL to study how malicious software might be able to spread among devices that use the Bluetooth wireless standard.
http://www.linuxsecurity.com/content/view/123053

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@private with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------