+------------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| October 21st, 2007 Volume 8, Number 42 |
| |
| Editorial Team: Dave Wreski <dwreski@private> |
| Benjamin D. Thomas <bthomas@private> |
+------------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, perhaps the most interesting articles include "SELinux sparks
tussle over Linux security model," "How to Get a Grip on Ajax Security,"
and "Stand-Alone Appliances vs. Built Into the Infrastructure."
--
>> Linux+DVD Magazine <<
Our magazine is read by professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software. The majority of our readers is between 15 and 40
years old. They are interested in current news from the Linux world,
upcoming projects etc.
In each issue you can find information concerning typical use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.
http://www.linuxsecurity.com/ads/adclick.php?bannerid=26
--
* EnGarde Secure Linux v3.0.17 Now Available
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.17 (Version 3.0, Release 17). This release includes
many updated packages and bug fixes, some feature enhancements to
Guardian Digital WebTool and the SELinux policy, and a few new
features.
http://www.engardelinux.org/modules/download/
---
Review: How To Break Web Software
With a tool so widely used by so many different types of people like the
World Wide Web, it is necessary for everyone to understand as many aspects
as possible about its functionality. From web designers to web developers
to web users, this is a must read. Security is a job for everyone and How
To Break Web Software by Mike Andrews and James A. Whittaker is written
for everyone to understand.
http://www.linuxsecurity.com/content/view/122713/49/
---
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------+
| Security News: | <<-----[ Articles This Week ]----------
+---------------------+
* SELinux sparks tussle over Linux security model (Oct 19)
--------------------------------------------------------
This issue has been bantered around for almost a month now, and it
seems that when they are addressing the future of the security in the
Kernel, many different issues are still developing. As he states in the
article:
Last night, another developer, Thomas Fricaccia, urged that "a free and
open operating system should preserve as much freedom for the end-user
as possible. ... 'Freedom' includes the power to do bad things to
yourself by, for example, making poor choices in security frameworks.
This possible and permitted end result shouldn't be the concern of
kernel developers."
So how far can this discussion go? Is too much emphasis being placed on
the kernel instead of the applications? Will this continue to be
discussed this feverishly?
http://www.linuxsecurity.com/content/view/130165
* Q&A: Former Fraudster Frank Abagnale Offers IT Security Advice (Oct 19)
-----------------------------------------------------------------------
At Computerworld's Storage Networking World conference here yesterday,
Frank Abagnale gave a keynote presentation on his life as an imposter
and fraudster, a story that was told in the book and subsequent Steven
Spielberg movie, Catch Me If You Can. Prior to his presentation,
Abagnale -- now a lecturer and consultant who works extensively with
the FBI and other clients -- spoke with Computerworld about ethics,
computer crime and security risks faced by IT professionals.
I know I sometimes forget that security goes beyond the scope of what
you can control by typing on a keyboard - it's ultimately the person
herself who could end up being deceived or hacked (in a sense). Read
on for an interview with one of the more highly publicized "security
figures" and see how IT can learn a lesson or two from this guy.
http://www.linuxsecurity.com/content/view/130160
* How to Turn Your Browser Into a Weapon (Oct 18)
-----------------------------------------------
Turn Firefox into a web application swiss army knife by applying the
methods shown in this article. From manipulating what cookies are
being sent to telling the site you're hacking "hey, I'm IE!", it's
interesting to know how the wonderful Firefox extensions (yay Firebug!)
can be used for more than just surfing.
http://www.linuxsecurity.com/content/view/130154
* Spam reaches all-time high of 95% of all email (Oct 18)
-------------------------------------------------------
Global spam levels reached an all-time high of 95% of all emails at its
peak during the quarter.
Since we're always on the forefront (usually getting blasted by them
first) of spamming evolution, this comes to no surprise to us. It
basically comes to a point where you wonder if there are any actual
people writing actual email to each other anymore. Read on for a study
of the most recent evolutions of spam, from pdf attachments, botnets,
to the works.
http://www.linuxsecurity.com/content/view/130148
* Beware of Hackers Targeting Storage Systems (Oct 17)
----------------------------------------------------
Corporate storage systems and networks are an attractive target for
hackers looking to steal sensitive data or launch computer attacks,
Alan Lustiger, security architect at TD Ameritrade, told an audience at
Computerworld's Storage Networking World user conference in Dallas
Monday
Looks like NAS systems are becoming the low-hanging fruit as far as
hackable network storage. The article states that the systems are most
attractive due to its reliance on well-known protocols, and that these
protocols could easily be studied and picked apart. This just sounds
to me like a poor use of security - certain protocols have been around
longer than the cast of Cocoon (ok maybe not THAT long) and yet many
open-source companies maintain and secure them daily. Read on and let
us know how you would defend "well known clear protocols"!
http://www.linuxsecurity.com/content/view/130116
* Security: #1 Reason Users in Asia choose Open Source (Oct 17)
-------------------------------------------------------------
According to a report performed by IDC Research:
organizations perceived open source technology as providing better
security compared to proprietary products...
In reality, it seems that the advantages of open source security are
taking hold, so much in fact, that they are the primary reason for
adoption in Asia and the region. So maybe, when Microsoft and other
firms can't artificially meddle with the system, look what happens -
the people speak and the choice is clear.
Is the reason because proprietary versions are so insecure, that Linux
is secure by comparison? Or is it that Linux, by nature, gets more
attention from a driven community to create platforms that are
inherently better engineered, for more security through development?
http://www.linuxsecurity.com/content/view/130114
* IPFire: Free firewall for your home or SOHO (Oct 17)
----------------------------------------------------
IPFire is a linux based firewall distribution with a lot of extras. The
base for the stable version 1.4.9 was the IPCop that has been hardly
modified. There were added: Asterisk PBX, Samba, MorningReconnect,
LPR-NG and many other things.
I've always been a fan of Shorewall and Firestarter - what have you
used as a good base firewall setup? Any thoughts how this will match
up in an enterprise server environment?
http://www.linuxsecurity.com/content/view/130111
* How to Get a Grip on Ajax Security (Oct 16)
-------------------------------------------
Asynchronous JavaScript + XML (AJAX), the technology of choice today
for building powerful, interactive Web applications, comes at a price.
If developers aren't careful they will pay that price in security.
My friend Luis is heavily into the Unix philosophy - he loves plain
text in his applications. We all love being able to keep things simple
and parse happily away whenever something goes wrong. However,
providing rich interactive Web experiences takes the developer farther
and farther away from simplicity at a cost. Read on for an interesting
article on the complexity of AJAX and how some end users are getting
better and better at exploiting holes in AJAX applications.
http://www.linuxsecurity.com/content/view/130109
* How much longer does AppArmor really have? (Oct 16)
---------------------------------------------------
As of today, Novel has dissolved the AppArmor development team,
centered around main developer, Crispin Cowan.
For a long time, AppArmor has been slow to be adopted due to the nature
of its security structure (it differs from SELinux by its adherence to
using names).
The issue here seems to be that without a funded back-end by Novell,
how much longer does AppArmor really have? Is this a case of survival
of the fittest? Could a name-based structure ever succeed? Certainly,
with backing from Novell now gone, it may be safe to say that the
project may only have another year. While a few distributions still
include that support, will they be willing to include it in one year,
without a large corporate backer?
It seems unlikely, at best, that another large organization is going to
rise to take Novell's place, and without that AppArmor's days may be
numbered.
http://www.linuxsecurity.com/content/view/130106
* Restricting Zone Transfers With IP Addresses in BIND DNS Server (Oct 16)
------------------------------------------------------------------------
One of the simplest ways to defend is limit zone transfers between
nameservers by defining ACL. I see many admin allows BIND to transfer
zones in bulk outside their network or organization. There is no need
to do this. Remember you don.t have to make an attacker.s life easier.
Point well made - your server may be assisting spammers in resolving
DNS requests without your own knowledge. Why help in scoring goals
against your own team? Read on for a quick summary of steps you can
take to ensure your zone transfers are secure! I know that Spamhaus's
DROP list can be utilized to block out whole network blocks of known
DNS attackers - what methods have you taken to secure your DNS
services?
http://www.linuxsecurity.com/content/view/130105
* Computer Forensics: Linux Style! (Oct 15)
-----------------------------------------
Which OS do you think is best for computer forensics? Obviously, being
as we are Linux users, we'd likely recommend admins consider using a
Linux-based approach for such a task. But which applications are
honestly available on this platform? Not only that, are any of them
open source?
This column brings up an interesting point in forensic research - since
there's a bountiful wealth of exploits being developed for Windows, as
well as its magnetism for spyware, why would you trust an OS that is
laden with such vulnerabilities to do your forensic research in the
first place? What open source tools do you recommend for computer
forensics?
http://www.linuxsecurity.com/content/view/130068
* NAC: Stand-Alone Appliances vs. Built Into the Infrastructure (Oct 15)
----------------------------------------------------------------------
The true question becomes, what kind of NAC should you invest in now
that will provide sustaining value to your enterprise for years to
come? In reality, the answer probably has more to do with the
capabilities of the NAC system than its form factor. We'll first talk
about which form makes sense in which deployments and then talk about
the sustainable feature set.
Read on for an interesting article on what to consider when applying
NAC to your network infrastructure. Do you have any tips for helping
someone implement a system that not only solves your NAC problems, but
leaves it extensible enough in the future for any changes?
http://www.linuxsecurity.com/content/view/130066
* Review : EnGarde Secure Linux (Oct 15)
--------------------------------------
Linuxhelp.blogspot.com decides to take EnGarde Secure Linux: Community
Edition for a spin in this thorough distro review. He describes the
installation, displays screen shots from various aspects of the
platform, and goes into some detail regarding managing services,
backing up files, checking logs, setting up firewalls, and more. He
had this to say about WebTool:
In short the web tool is a one stop shop for troubleshooting and
managing your server from a remote location. A very powerful interface
indeed.
http://www.linuxsecurity.com/content/view/130065
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email newsletter-request@private
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
__________________________________________________________________
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com
This archive was generated by hypermail 2.1.3 : Tue Oct 23 2007 - 00:19:39 PDT