+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  July 10th, 2006                              Volume 7, Number 28n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@private              |
|                   Benjamin D. Thomas      ben@private               |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Using DNS to
Securely Publish Secure Shell (SSH) Key Fingerprints," "Installing a
firewall on Ubuntu," and "Limiting Vulnerability Exposure Through
Effective Patch Management."

---

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you can
earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec/

---

EnGarde Secure Linux v3.0.7 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.7 (Version 3.0, Release 7). This release includes several
bug fixes and feature enhancements to the Guardian Digital WebTool and
the SELinux policy, several updated packages, and several new packages
available for installation.

http://www.linuxsecurity.com/content/view/123016/65/

---

Review: How To Break Web Software

With a tool so widely used by so many different types of people like
the World Wide Web, it is necessary for everyone to understand as many
aspects as possible about its functionality. From web designers to web
developers to web users, this is a must read. Security is a job for
everyone and How To Break Web Software by Mike Andrews and James A.
Whittaker is written for everyone to understand.

http://www.linuxsecurity.com/content/view/122713/49/

---

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf


+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+


* Malicious Cryptography, part one
  3rd, July, 2006

Cryptology is everywhere these days. Most users make good use of it
even if they do not know they are using cryptographic primitives from
day to day. This two-part article series looks at how cryptography is
a double-edged sword: it is used to make us safer, but it is also being
used for malicious purposes within sophisticated viruses.

http://www.linuxsecurity.com/content/view/123414


* Malicious Cryptography, part two
  4th, July, 2006

In part one of this article series, the concepts behind cryptovirology
were discussed. Two examples of malicious cryptography were used,
involving weaknesses in the SuckIt rootkit and the potential for
someone to design an effective SSH worm. The concept of armored viruses
was also introduced.

http://www.linuxsecurity.com/content/view/123415


* Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
  5th, July, 2006

This document describes a method of verifying Secure Shell (SSH) host
keys using Domain Name System Security (DNSSEC). The document defines a
new DNS resource record that contains a standard SSH key fingerprint.

http://www.linuxsecurity.com/content/view/123451


* The real security solution
  4th, July, 2006

I had yet another computer journalist call me to ask if Vendor X's
security solution was THE security product to solve all our security
problems. I get a call or e-mail like this about once every two weeks.
Usually they've read the vendor's own PR, another newspaper article, or
even my own column touting a particular product. The typical
conversation goes something like this:

http://www.linuxsecurity.com/content/view/123436


* You Can Never Be Too Secure
  6th, July, 2006

When I think about our security strategy, I have to ask myself if we've
done enough. Have we covered all the bases? If we haven't, do we have a
work-around or some other risk-mitigation plan in place? The best
security approach is applied in layers. You can apply the layers from
the inside out or the outside in, but most companies start from the
outside, putting firewalls at every entry point to the network. At my
state agency, though, we work from the inside out.

State systems are sprawling. When I came to work at this agency, the
state-level WAN guys assured me that they had adequately protected the
state network, including my agency. But when you realize how vast the
network is, stretching to every state government office and university
classroom, you wonder how secure it can be without assistance from the
various agencies. And so we have taken responsibility for the agency's
security, working from the inside out.

http://www.linuxsecurity.com/content/view/123452


* Installing a firewall on Ubuntu
  4th, July, 2006

Ubuntu's desktop install provides a bunch of useful software for
desktop users, but it doesn't install a firewall by default. Luckily,
it's really simple to get a firewall up and running on Ubuntu.

Frankly, I'm glad that the default install doesn't set up a firewall.
Most of my computers live behind a firewall at all times anyway, and
I've always been annoyed by installers that demand I deal with firewall
questions when I've already got the situation well in hand. If I want a
firewall on a machine, I can set one up on my own. Since Ubuntu is, in
part, aimed at corporate desktops, a firewall is unnecessary for many
installations.

http://www.linuxsecurity.com/content/view/123438


* Limiting Vulnerability Exposure Through Effective Patch Management
  4th, July, 2006

This paper aims to provide a complete discussion on vulnerability and
patch management. It looks first at the trends relating to
vulnerabilities, exploits, attacks and patches. These trends provide
the drivers of patch and vulnerability management.

http://www.linuxsecurity.com/content/view/123428


* SSH Tricks
  5th, July, 2006

SSH (secure shell) is a program enabling secure access to remote
filesystems. Not everyone is aware of other powerful SSH capabilities,
such as passwordless login, automatic execution of commands on a remote
system or even mounting a remote folder using SSH! In this article
we'll cover these features and much more.

SSH works in a client-server mode. It means that there must be an SSH
daemon running on the server we want to connect to from our
workstation. The SSH server is usually installed by default in modern
Linux distributions. The server is started with a command like
/etc/init.d/ssh start. It uses the communication port 22 by default, so
if we have an active firewall, the port needs to be opened. After
installing and starting the SSH server, we should be able to access it
remotely.

http://www.linuxsecurity.com/content/view/123444


* Defense-in-Depth against SQL Injection
  6th, July, 2006

A few years ago, mentioning the phrase SQL Injection to developers or
asking to adopt a defense-in-depth strategy would probably get you a
blank stare for a reply. These days, more people have heard of SQL
Injection attacks and are aware of the potential danger these attacks
present, but most developers' knowledge of how to prevent SQL Injection
is still inadequate.

http://www.linuxsecurity.com/content/view/123459


* How to Bypass BIOS Passwords
  7th, July, 2006

BIOS passwords can add an extra layer of security for desktop and
laptop computers, and are used to either prevent a user from changing
the BIOS settings or to prevent the PC from booting without a password.
BIOS passwords can also be a liability if a user forgets their
password, or if a malicious user changes the password. Sending the unit
back to the manufacturer to have the BIOS reset can be expensive and is
usually not covered in a typical warranty. However, there are a few
known backdoors and other tricks of the trade that can be used to
bypass or reset the BIOS password on most systems.

http://www.linuxsecurity.com/content/view/123479


* Using ICMP tunneling to steal Internet
  1st, July, 2006

The scenario is you are without Internet connectivity anywhere. You
have found either an open wireless access point or perhaps you're
staying in a hotel which permits rented Internet via services like
Spectrum Interactive [1] (previously known as UKExplorer). You make the
connection, whether it's physically connecting the Ethernet cables, or
instructing your wireless adapter to lock onto the radio signal. You
are prompted with some sort of authorization page when you open a
browser. You don't have access to it, so what do you do?

http://www.linuxsecurity.com/content/view/123404


* Introduction to ipaudit
  3rd, July, 2006

IPAudit is a handy tool that will allow you to analyze all packets
entering and leaving your network. It listens to a network device in
promiscuous mode, just as an IDS sensor would, and provides details on
hosts, ports, and protocols. It can be used to monitor bandwidth,
connection pairs, detect compromises, discover botnets, and see who's
scanning your network. When compared to similar tools, such as Cisco
Systems' NetFlow, it has many advantages (see the SecurityFocus
articles on NetFlow, part 1 and part 2). It is easier to set up than
NetFlow, and if you install it on your existing IDS sensors, there is
no extra hardware to purchase. Since it captures traffic from a span
port, it does not require that you modify the configuration of your
networking equipment, or poke holes in firewalls for NetFlow data.

http://www.linuxsecurity.com/content/view/123412


* HP: Hacking techniques help security
  6th, July, 2006

HP is to launch a penetration-testing service for businesses in
October, but has denied reports that it will unleash worms on its
customers. The company said on Tuesday it would use the same techniques
as hackers to gain access to its customers' machines. However, the
exploit code it will use will be controlled and will not propagate
itself, HP said.

http://www.linuxsecurity.com/content/view/123457


* Spam once again on the rise
  6th, July, 2006

Spam is again on the rise, led by a flood of junk images that spammers
have crafted over the past few months to trick e-mail filters,
according to security vendors. Called "image-based" spam, these junk
images typically do not contain any text, making it harder for filters
that look for known URLs or suspicious words to block them.

http://www.linuxsecurity.com/content/view/123461


* Basic journey of a packet
  7th, July, 2006

The purpose of this introductory article is to take a basic look at the
journey of a packet across the Internet, from packet creation to
switches, routers, NAT, and the packet's traverse across the Internet.
This topic is recommended for those who are new to the networking and
security field and may not have a basic understanding of the underlying
process.

Previous articles by this author have looked at the importance of two
key areas of computer security for new users: programming and
networking. While they are different disciplines, both networking and
programming should largely be viewed as complementary. If it were not
for the early programming of networking protocols there would be no
network. That said, does one have to be a programmer in order to fully
grasp networking concepts and theory at a low level? In many cases, you
do not. However, a reader's natural curiosity will likely lead him
toward programming at some point, in order to further experiment with
various protocols and networking theory.

http://www.linuxsecurity.com/content/view/123467


* Backup, backup and more backup
  3rd, July, 2006

I've noticed recently that more and more of my clients and friends are
having drive failures. Now I don't know if it's the recent heat waves,
global warming, or the fact that most of the drives that are in play
right now were purchased quite some time ago and have just run their
spindles out, but at least once a week for the past two months I've
heard about a full-on drive failure or seen a drive showing the signs
of impending doom.

http://www.linuxsecurity.com/content/view/123410


* Tip of the Trade: Pyramid Linux
  4th, July, 2006

When you need a new network border appliance you owe it to yourself to
give serious consideration to the do-it-yourself option. You'll save a
lot of money and have complete control, which are always good things
when it comes to your network security. There is no shortage of DIY
choices in the Free/Open Source software world; today we'll take a look
at Pyramid Linux on small form-factor hardware.

Pyramid Linux is designed for embedded wireless devices, but it lends
itself quite nicely to ordinary wired networking as well. Based on
Ubuntu Breezy, it weighs in under 64 MB. It installs read-only, making
it perfect for Compact Flash devices because you don't want unnecessary
writes on CF cards.

http://www.linuxsecurity.com/content/view/123437


* The Holdup On DNSSEC
  6th, July, 2006

When you type in a hostname like www.example.com, your computer's
resolver looks in its local cache and uses the information found there,
then it sends the query to a name server that it has defined. That DNS
server is then responsible for resolving the name and sending the
response to your computer. If the DNS server doesn't have the name in
the local cache, then it starts at one of the root servers and works
its way down to a so-called authoritative name server for that host
name.

Pretty straightforward -- and, as a distributed database, the DNS (I
use "the DNS" to mean "the distributed name service" in general, not a
specific DNS server) is pretty effective. But as security wonks, we
care about the veracity of the data, and as DNS is deployed today, we
can't even begin to verify DNS data.

http://www.linuxsecurity.com/content/view/123460


* PC-based Sniffer makes the Rounds of Public Places
  1st, July, 2006

If you happened to fly through Milan's Malpensa Airport last March,
your mobile phone may have been scanned by the BlueBag.

http://www.linuxsecurity.com/content/view/123377


* ATMs Linked to IP Networks Vulnerable to Threats, security firm says
  2nd, July, 2006

A continuing trend by banks to take automated teller machines off
proprietary networks and put them on the banks' own TCP/IP networks is
introducing new vulnerabilities in the ATM transaction environment.

http://www.linuxsecurity.com/content/view/123379


* SCADA industry debates flaw disclosure
  1st, July, 2006

The outing of a simple crash bug has caused public soul-searching in an
industry that has historically been closed-mouthed about its
vulnerabilities.

"The guys who are setting up these systems are not security
professionals. And many of the systems that are running SCADA
applications were not designed to be secure--it's a hacker's
playground." -- Jonathan Pollet, vice president and founder, PlantData
Technologies, a division of Verano

http://www.linuxsecurity.com/content/view/123382


* Computers 'glued' to protect data
  4th, July, 2006

SOME companies are taking drastic action - including supergluing
computer connections - in a bid to stop data theft. A rise in the level
of corporate data theft has spurred some companies to take measures to
stop rogue employees sneaking corporate data out of the workplace on
memory sticks, iPods and mobile phones, The Australian Financial Review
reported.

http://www.linuxsecurity.com/content/view/123434


* Web services increasingly under attack
  4th, July, 2006

As more people turn to Web applications for everyday tasks like e-mail,
friendship and payments, cyber criminals are following them in search
of bank account details and other valuable data, security researchers
said. Users of Yahoo's e-mail service, Google, Orkut social networking
site and eBay's PayPal online payment service were among the targets of
attacks in recent weeks. All three companies have acknowledged and
plugged the security holes.

http://www.linuxsecurity.com/content/view/123435


* Snail mail falters open source campaign
  5th, July, 2006

Linux Australia's battle against proposed copyright laws had the
Attorney General's Department a tad confused yesterday. The open source
group issued an open letter to the Attorney General Philip Ruddock
attacking anti-circumvention laws.

http://www.linuxsecurity.com/content/view/123440


* Sophos: because of malware home users should switch to Macs
  5th, July, 2006

Sophos has published new research into the past six months of cyber
crime. The Sophos Security Threat Management Report Update reveals that
while there has been a vast drop in new viruses and worms, this has
been over-compensated by increases in other types of malware, as cyber
criminals turn their attention to stealing information and money.

http://www.linuxsecurity.com/content/view/123442


* DNSChanger redirects users to fake bank websites
  6th, July, 2006

You want to pay up your credit card account immediately, as you just
remembered that today is the due date. After getting on to your bank's
website by carefully typing in the URL, you put in your account number
and password, go to the credit card payment section and perform the
transaction. Satisfied with completing a task in time, you move onto
other chores, till you find out that the website you visited and
punched in confidential financial information was in fact a fake one!

http://www.linuxsecurity.com/content/view/123455


* It's the Economy, Stupid
  6th, July, 2006

I'm sitting in a conference room at Cambridge University, trying to
simultaneously finish this article for Wired News and pay attention to
the presenter onstage. I'm in this awkward situation because 1) this
article is due tomorrow, and 2) I'm attending the fifth Workshop on the
Economics of Information Security, or WEIS: to my mind, the most
interesting computer security conference of the year.

The idea that economics has anything to do with computer security is
relatively new. Ross Anderson and I seem to have stumbled upon the idea
independently. He, in his brilliant article from 2001, "Why Information
Security Is Hard -- An Economic Perspective" (.pdf), and me in various
essays and presentations from that same period.

http://www.linuxsecurity.com/content/view/123462


* Spammers increase pump-and-dump scams
  7th, July, 2006

Spammers are profiting from share manipulation by coaxing victims into
investing in junk bonds. The spammers purchase cheap shares (which
artificially raises the stock price) and sell them off as victim
investment raises their value further.

http://www.linuxsecurity.com/content/view/123480


* Secure Coding Catches Fire
  7th, July, 2006

If you build security in from the get-go, will the malware still come?
Of course. But proponents of secure software coding say attacks and
exploits won't be as widespread or prevalent if developers build
security into their operating systems, applications, and network device
software from the ground up.

Applications are increasingly becoming the targets of attacks and often
represent the weakest link in the security chain. It gets dicier when
these apps are as prevalent as systems management agent software, for
instance, which Matasano Security's recent research has shown to be a
security nightmare. (See Demons Lurk in Management Software.)

http://www.linuxsecurity.com/content/view/123481


* Criminals Increasingly Blend IT Threats
  7th, July, 2006

Security researchers at software maker MessageLabs contend that malware
writers, hackers and other cyber-criminals are combining multiple forms
of IT threats in an attempt to amplify their efforts.

http://www.linuxsecurity.com/content/view/123486


* Security breaches hit 84% of surveyed companies
  8th, July, 2006

CA has announced a security survey of 642 large North American
organisations which shows that more than 84% experienced a security
incident over the past 12 months, and that the number of breaches
continues to rise.

http://www.linuxsecurity.com/content/view/123488


* Thinking about email security
  2nd, July, 2006

With the National Security Agency (NSA) monitoring our phone calls, now
might be a good time to think seriously about the security of our email
as well. In particular, you might want to think about encrypting your
email, and about whether it's safe in the hands of third-party
providers like Yahoo!, Google, and Microsoft.

http://www.linuxsecurity.com/content/view/123383


* EFF Defends Tech Liberties
  5th, July, 2006

In March 1990, when few people had even heard of the internet, U.S.
Secret Service agents raided the Texas offices of a small board-game
maker, seizing computer equipment and reading customers' e-mail stored
on one machine. A group of online pioneers already worried about how
the nation's laws were being applied to new technologies became even
more fearful and decided to intervene. And thus the Electronic Frontier
Foundation was born -- 16 years ago this Monday -- taking on the Secret
Service as its first case, one the EFF ultimately won when a judge
agreed that the government had no right to read the e-mails or keep the
equipment.

http://www.linuxsecurity.com/content/view/123441


* Identity Thief Finds Easy Money Hard to Resist
  5th, July, 2006

Note: free registration required to access this page

By the time of Shiva Brent Sharma's third arrest for identity theft, at
the age of 20, he had taken in well over $150,000 in cash and
merchandise in his brief career. After a certain point, investigators
stopped counting.

http://www.linuxsecurity.com/content/view/123450


* EU opens public consultation on RFID
  6th, July, 2006

Fears about new Radio Frequency Identification technology (RFID) have
prompted the EU to open a public consultation process. The commission
has been holding discussions with government agencies and the private
sector since March based on general themes of standardising RFID
frequencies and formats across Europe, but now the emphasis has changed
slightly to inform citizens on how the technology can improve quality
of life without encroaching on individual privacy issues. With this in
mind, the commission has initiated an online public consultation on its
'Your Voice in Europe' website.

http://www.linuxsecurity.com/content/view/123456


* Concerns About Fraud Potential Continue to Plague Users of Electronic
  Voting Machines
  4th, July, 2006

Electronic voting machines will be vulnerable to fraud this election
season unless countermeasures are taken, according to a report issued
last week by the New York University School of Law. E-voting devices,
such as touch-screen or optical scan systems, are becoming more
prevalent nationwide, and most of them are vulnerable to external
attack, according to the report compiled by the school's Brennan Center
for Justice.

http://www.linuxsecurity.com/content/view/123418


* Hacker attacks hitting Pentagon: But NSA's methods for safeguarding
  data are growing obsolete
  3rd, July, 2006

(Baltimore Sun, The (KRT) Via Thomson Dialog NewsEdge) Jul.
2--WASHINGTON -- The number of reported attempts to penetrate Pentagon
computer networks rose sharply in the past decade, from fewer than 800
in 1996 to more than 160,000 last year - thousands of them successful.
At the same time, the nation's ability to safeguard sensitive data in
those and other government computer systems is becoming obsolete as
efforts to make improvements have faltered and stalled.

http://www.linuxsecurity.com/content/view/123426


* A Good Start
  3rd, July, 2006

It's a start. On June 23, the Office of Management and Budget announced
that federal agencies have 45 days to put new data-protection measures
in place. The new requirements (technically, they're "recommendations,"
but the OMB appears serious about this anyway) include encryption for
all sensitive data on mobile devices, logging of all extracts from
databases containing sensitive information and verification that the
downloaded sensitive data is deleted after 90 days.

http://www.linuxsecurity.com/content/view/123427


* U.S. gov't mandates laptop security
  6th, July, 2006

The Bush Administration is giving federal civilian agencies just 45
days to comply with new recommendations for laptop encryption and
two-factor authentication.

http://www.linuxsecurity.com/content/view/123464


* Hong Kong drafts first anti-spam law
  7th, July, 2006

Hong Kong is readying its first anti-spam laws, promising fines and
long prison terms for serious offenders. The Chinese territory
currently has no laws specifically outlawing junk email, and recent
surveys looking at the sources of spam have included Hong Kong and
China among the worst in the world.

http://www.linuxsecurity.com/content/view/123487


* VIDEO: Interview with Ex-Hacker Gary McKinnon
  4th, July, 2006

In 2002, Gary McKinnon was arrested by the UK's national high-tech
crime unit, after being accused of hacking into Nasa and the US
military computer networks. He says he spent two years looking for
photographic evidence of alien spacecraft and advanced power
technology. America now wants to put him on trial, and if tried there
he could face 60 years behind bars.

http://www.linuxsecurity.com/content/view/123439


* Cross Site Scripting Vulnerability in Google
  6th, July, 2006

Google is vulnerable to cross site scripting. While surfing around the
personalization section of Google I ran across the RSS feed addition
tool which is vulnerable to XSS. The employees at Google were aware of
XSS as they protected against it as an error condition, however if you
input a valid URL (like my RSS feed) it will return with a JavaScript
function containing the URL.

http://www.linuxsecurity.com/content/view/123463


* Reid agrees British hacker can be deported for US trial
  9th, July, 2006

A Briton accused of hacking into the Pentagon's computers is to be
extradited to the US, the Home Office has confirmed. Gary McKinnon,
from north London, stands accused of what American prosecutors call the
"biggest military hack of all time", and potentially faces a sentence
of 70 years if found guilty.

http://www.linuxsecurity.com/content/view/123489


* Securing wireless, remote and mobile computing
  3rd, July, 2006

The rapid growth of wireless, remote and mobile computing is creating a
significant increase in the risks that organisations face. All the
indications are that this growth will continue, and indeed accelerate.
It is clearly time to review what actions are required to manage access
risks from these forms of computing. Fortunately, there are some quick
fixes that are available.

http://www.linuxsecurity.com/content/view/123385


* Cracking WEP with Ubuntu
  3rd, July, 2006

This post should enable anyone to get Linux up and running and crack a
WEP key. It took me about 2 days and myriad tutorials to finally get
this to work, and now that I have I feel that I should share it with
everyone. I am by no means a Linux expert, but this works regardless.
All you need is an old laptop with a wireless card and a copy of Ubuntu
Linux, currently one of the most popular and easily installed
distributions of Linux. If you haven't already bought a wireless card,
you should select one from this list to save yourself some trouble.

http://www.linuxsecurity.com/content/view/123411


* Wardriving with Ubuntu Linux and Google Earth
  5th, July, 2006

Wardriving is fun. Going around the neighborhood and mapping all the
wireless networks may be nothing more than a geeky hobby but it can
sure teach you a lot. And viewing the results in Google Earth is icing
on the cake. I've used NetStumbler on Windows and this works great but
since my computers at home are now nearly Microsoft-free, I had to
relearn the process on Linux. It breaks down into a few easy steps:

http://www.linuxsecurity.com/content/view/123443


* Wireless security "inadequate" in companies
  5th, July, 2006

The adoption of wireless hotspots within the enterprise is growing
fast, though there are concerns too little is being done to secure
them.

http://www.linuxsecurity.com/content/view/123453


* Raw Wireless Tools Homepage
  7th, July, 2006

This is the main web site of several proof-of-concept tools using IEEE
802.11 raw injection. These tools are provided as-is and thus cannot be
considered as a complete and functional tool set.

http://www.linuxsecurity.com/content/view/123466


* A scanner for wireless interlopers
  7th, July, 2006

Wireless security firm Network Chemistry recently released a
cross-platform, free software security tool called RogueScanner in
conjunction with its wireless network protection package RFprotect.
RogueScanner, licensed under the GPL and the latest of three free
software security modules available from Network Chemistry, allows you
to monitor your network for rogue wireless devices. Release 1.0 comes
in both Windows and Linux versions.

http://www.linuxsecurity.com/content/view/123482


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request@private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com
This archive was generated by hypermail 2.1.3 : Tue Jul 11 2006 - 01:20:10 PDT