[ISN] Linux Security Week - October 21st 2007

From: InfoSec News (alerts@private)
Date: Tue Oct 23 2007 - 00:07:09 PDT


+------------------------------------------------------------------------+
| LinuxSecurity.com                                    Weekly Newsletter |
| October 21st, 2007                                 Volume 8, Number 42 |
|                                                                        |
| Editorial Team:                Dave Wreski <dwreski@private> |
|                         Benjamin D. Thomas <bthomas@private> |
+------------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "SELinux sparks
tussle over Linux security model," "How to Get a Grip on Ajax Security,"
and "Stand-Alone Appliances vs. Built Into the Infrastructure."

--

>> Linux+DVD Magazine <<

Our magazine is read by professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software. The majority of our readers are between 15 and 40
years old. They are interested in current news from the Linux world,
upcoming projects, etc.

In each issue you can find information concerning typical use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

http://www.linuxsecurity.com/ads/adclick.php?bannerid=26

--

* EnGarde Secure Linux v3.0.17 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.17 (Version 3.0, Release 17). This release includes
many updated packages and bug fixes, some feature enhancements to
Guardian Digital WebTool and the SELinux policy, and a few new
features.

http://www.engardelinux.org/modules/download/

---

Review: How To Break Web Software

With a tool as widely used by as many different kinds of people as the
World Wide Web, everyone needs to understand as much as possible about
how it works. From web designers to web developers to web users, this is
a must read. Security is a job for everyone, and How To Break Web
Software by Mike Andrews and James A. Whittaker is written for everyone
to understand.

http://www.linuxsecurity.com/content/view/122713/49/

---

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* SELinux sparks tussle over Linux security model (Oct 19)
  --------------------------------------------------------
  This issue has been bantered around for almost a month now, and it
  seems that as the future of security in the kernel is being addressed,
  many different issues are still developing. As the article reports:

  Last night, another developer, Thomas Fricaccia, urged that "a free and
  open operating system should preserve as much freedom for the end-user
  as possible. ... 'Freedom' includes the power to do bad things to
  yourself by, for example, making poor choices in security frameworks.
  This possible and permitted end result shouldn't be the concern of
  kernel developers."

  So how far can this discussion go? Is too much emphasis being placed on
  the kernel instead of the applications? Will this continue to be
  discussed this feverishly?

  http://www.linuxsecurity.com/content/view/130165

* Q&A: Former Fraudster Frank Abagnale Offers IT Security Advice (Oct 19)
  -----------------------------------------------------------------------
  At Computerworld's Storage Networking World conference here yesterday,
  Frank Abagnale gave a keynote presentation on his life as an imposter
  and fraudster, a story that was told in the book and subsequent Steven
  Spielberg movie, Catch Me If You Can. Prior to his presentation,
  Abagnale -- now a lecturer and consultant who works extensively with
  the FBI and other clients -- spoke with Computerworld about ethics,
  computer crime and security risks faced by IT professionals.

  I know I sometimes forget that security goes beyond the scope of what
  you can control by typing on a keyboard - it's ultimately the person
  herself who could end up being deceived or hacked (in a sense).  Read
  on for an interview with one of the more highly publicized "security
  figures" and see how IT can learn a lesson or two from this guy.

  http://www.linuxsecurity.com/content/view/130160

* How to Turn Your Browser Into a Weapon (Oct 18)
  -----------------------------------------------
  Turn Firefox into a web application Swiss Army knife by applying the
  methods shown in this article.  From manipulating which cookies are
  being sent to telling the site you're hacking "hey, I'm IE!", it's
  interesting to know how the wonderful Firefox extensions (yay Firebug!)
  can be used for more than just surfing.

  http://www.linuxsecurity.com/content/view/130154

* Spam reaches all-time high of 95% of all email (Oct 18)
  -------------------------------------------------------
  Global spam levels reached an all-time high of 95% of all emails at its
  peak during the quarter.

  Since we're always on the forefront (usually getting blasted by them
  first) of spamming evolution, this comes as no surprise to us.  It
  basically comes to a point where you wonder if there are any actual
  people writing actual email to each other anymore.  Read on for a study
  of the most recent evolutions of spam, from PDF attachments to botnets
  to the works.

  http://www.linuxsecurity.com/content/view/130148

* Beware of Hackers Targeting Storage Systems (Oct 17)
  ----------------------------------------------------
  Corporate storage systems and networks are an attractive target for
  hackers looking to steal sensitive data or launch computer attacks,
  Alan Lustiger, security architect at TD Ameritrade, told an audience at
  Computerworld's Storage Networking World user conference in Dallas
  Monday.

  Looks like NAS systems are becoming the low-hanging fruit as far as
  hackable network storage goes.  The article states that the systems
  are most attractive due to their reliance on well-known protocols, and
  that these protocols could easily be studied and picked apart.  This
  just sounds to me like a poor use of security - certain protocols have
  been around longer than the cast of Cocoon (ok maybe not THAT long) and
  yet many open-source companies maintain and secure them daily.  Read on
  and let us know how you would defend "well known clear protocols"!

  http://www.linuxsecurity.com/content/view/130116

* Security: #1 Reason Users in Asia choose Open Source (Oct 17)
  -------------------------------------------------------------
  According to a report performed by IDC Research:

  organizations perceived open source technology as providing better
  security compared to proprietary products...

  In reality, it seems that the advantages of open source security are
  taking hold, so much in fact that they are the primary reason for
  adoption in Asia.  So maybe, when Microsoft and other firms can't
  artificially meddle with the system, look what happens - the people
  speak and the choice is clear.

  Is the reason because proprietary versions are so insecure, that Linux
  is secure by comparison? Or is it that Linux, by nature, gets more
  attention from a driven community to create platforms that are
  inherently better engineered, for more security through development?

  http://www.linuxsecurity.com/content/view/130114

* IPFire: Free firewall for your home or SOHO (Oct 17)
  ----------------------------------------------------
  IPFire is a Linux-based firewall distribution with a lot of extras. The
  base for the stable version 1.4.9 was IPCop, which has been hardly
  modified. Added were: Asterisk PBX, Samba, MorningReconnect, LPR-NG and
  many other things.

  I've always been a fan of Shorewall and Firestarter - what have you
  used as a good base firewall setup?  Any thoughts how this will match
  up in an enterprise server environment?

  http://www.linuxsecurity.com/content/view/130111

* How to Get a Grip on Ajax Security (Oct 16)
  -------------------------------------------
  Asynchronous JavaScript + XML (AJAX), the technology of choice today
  for building powerful, interactive Web applications, comes at a price.
  If developers aren't careful they will pay that price in security.

  My friend Luis is heavily into the Unix philosophy - he loves plain
  text in his applications.  We all love being able to keep things simple
  and parse happily away whenever something goes wrong.  However,
  providing rich interactive Web experiences takes the developer farther
  and farther away from simplicity at a cost.  Read on for an interesting
  article on the complexity of AJAX and how some end users are getting
  better and better at exploiting holes in AJAX applications.

  http://www.linuxsecurity.com/content/view/130109

* How much longer does AppArmor really have? (Oct 16)
  ---------------------------------------------------
  As of today, Novell has dissolved the AppArmor development team,
  centered around main developer, Crispin Cowan.

  For a long time, AppArmor has been slow to be adopted due to the nature
  of its security structure (it differs from SELinux by its adherence to
  using names).

  The issue here seems to be that without funding from Novell, how much
  longer does AppArmor really have?  Is this a case of survival of the
  fittest? Could a name-based structure ever succeed? Certainly, with
  backing from Novell now gone, it may be safe to say that the project
  may only have another year.  While a few distributions still include
  that support, will they be willing to include it in one year, without a
  large corporate backer?

  It seems unlikely, at best, that another large organization is going to
  rise to take Novell's place, and without that AppArmor's days may be
  numbered.

  http://www.linuxsecurity.com/content/view/130106

* Restricting Zone Transfers With IP Addresses in BIND DNS Server (Oct 16)
  ------------------------------------------------------------------------
  One of the simplest ways to defend is to limit zone transfers between
  nameservers by defining an ACL. I see many admins allow BIND to
  transfer zones in bulk outside their network or organization. There is
  no need to do this. Remember you don't have to make an attacker's life
  easier.

  Point well made - your server may be assisting spammers in resolving
  DNS requests without your own knowledge.  Why help in scoring goals
  against your own team?  Read on for a quick summary of steps you can
  take to ensure your zone transfers are secure!  I know that Spamhaus's
  DROP list can be utilized to block out whole network blocks of known
  DNS attackers - what methods have you taken to secure your DNS
  services?

  http://www.linuxsecurity.com/content/view/130105
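  An added example of the ACL-based restriction the article describes (it
  is not the article's own configuration): a BIND 9 named.conf fragment
  in which the zone name and the secondary's addresses are placeholders.

```conf
// Added illustration, not taken from the linked article.
// Zone name and addresses below are placeholders.

// Weak setting: with no allow-transfer at all, BIND 9 releases of this
// era fell back to their default and answered AXFR/IXFR requests from
// any client, handing the whole zone to anyone who asked.
//
// zone "example.com" {
//     type master;
//     file "example.com.zone";
// };

// Hardened setting: name the hosts that may pull the zone, deny
// transfers everywhere by default, then grant them only per zone.
acl "secondaries" {
    192.0.2.53;      // placeholder: IPv4 secondary nameserver
    2001:db8::53;    // placeholder: IPv6 secondary nameserver
};

options {
    allow-transfer { none; };   // global default: no transfers at all
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query    { any; };          // normal lookups stay open
    allow-transfer { secondaries; };  // only the ACL above may AXFR/IXFR
};
```

  After `rndc reload`, an AXFR request from a host outside the ACL is
  refused, and BIND records a "zone transfer 'example.com/AXFR/IN' denied"
  message for that client in its security log category, which is the
  entry to watch for when verifying the change.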

* Computer Forensics: Linux Style! (Oct 15)
  -----------------------------------------
  Which OS do you think is best for computer forensics? Obviously, being
  as we are Linux users, we'd likely recommend admins consider using a
  Linux-based approach for such a task. But which applications are
  honestly available on this platform? Not only that, are any of them
  open source?

  This column brings up an interesting point in forensic research - since
  there's a bountiful wealth of exploits being developed for Windows, as
  well as its magnetism for spyware, why would you trust an OS that is
  laden with such vulnerabilities to do your forensic research in the
  first place?  What open source tools do you recommend for computer
  forensics?

  http://www.linuxsecurity.com/content/view/130068

* NAC: Stand-Alone Appliances vs. Built Into the Infrastructure (Oct 15)
  ----------------------------------------------------------------------
  The true question becomes, what kind of NAC should you invest in now
  that will provide sustaining value to your enterprise for years to
  come? In reality, the answer probably has more to do with the
  capabilities of the NAC system than its form factor. We'll first talk
  about which form makes sense in which deployments and then talk about
  the sustainable feature set.

  Read on for an interesting article on what to consider when applying
  NAC to your network infrastructure.  Do you have any tips for helping
  someone implement a system that not only solves your NAC problems, but
  leaves it extensible enough in the future for any changes?

  http://www.linuxsecurity.com/content/view/130066

* Review : EnGarde Secure Linux (Oct 15)
  --------------------------------------
  Linuxhelp.blogspot.com decides to take EnGarde Secure Linux: Community
  Edition for a spin in this thorough distro review.  He describes the
  installation, displays screen shots from various aspects of the
  platform, and goes into some detail regarding managing services,
  backing up files, checking logs, setting up firewalls, and more.  He
  had this to say about WebTool:

  In short, the web tool is a one stop shop for troubleshooting and
  managing your server from a remote location. A very powerful interface
  indeed.

  http://www.linuxsecurity.com/content/view/130065

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request@private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


__________________________________________________________________      
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com



This archive was generated by hypermail 2.1.3 : Tue Oct 23 2007 - 00:19:39 PDT