+------------------------------------------------------------------------+
|  LinuxSecurity.com                                  Weekly Newsletter  |
|  October 21st, 2007                               Volume 8, Number 42  |
|                                                                        |
|  Editorial Team:  Dave Wreski <dwreski@private>                        |
|                   Benjamin D. Thomas <bthomas@private>                 |
+------------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "SELinux sparks
tussle over Linux security model," "How to Get a Grip on Ajax Security,"
and "Stand-Alone Appliances vs. Built Into the Infrastructure."

--

* EnGarde Secure Linux v3.0.17 Now Available

  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.17 (Version 3.0, Release 17). This release includes many
  updated packages and bug fixes, some feature enhancements to Guardian
  Digital WebTool and the SELinux policy, and a few new features.

  http://www.engardelinux.org/modules/download/

---

Review: How To Break Web Software

  With a tool so widely used by so many different types of people like
  the World Wide Web, it is necessary for everyone to understand as many
  aspects as possible about its functionality. From web designers to web
  developers to web users, this is a must read. Security is a job for
  everyone and How To Break Web Software by Mike Andrews and James A.
  Whittaker is written for everyone to understand.

  http://www.linuxsecurity.com/content/view/122713/49/

---

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
|   Security News:    | <<-----[ Articles This Week ]----------
+---------------------+

* SELinux sparks tussle over Linux security model (Oct 19)
  --------------------------------------------------------
  This issue has been bantered around for almost a month now, and it
  seems that when they are addressing the future of the security in the
  Kernel, many different issues are still developing. As he states in
  the article:

  Last night, another developer, Thomas Fricaccia, urged that "a free
  and open operating system should preserve as much freedom for the
  end-user as possible. ... 'Freedom' includes the power to do bad
  things to yourself by, for example, making poor choices in security
  frameworks. This possible and permitted end result shouldn't be the
  concern of kernel developers."

  So how far can this discussion go? Is too much emphasis being placed
  on the kernel instead of the applications? Will this continue to be
  discussed this feverishly?

  http://www.linuxsecurity.com/content/view/130165

* Q&A: Former Fraudster Frank Abagnale Offers IT Security Advice (Oct 19)
  -----------------------------------------------------------------------
  At Computerworld's Storage Networking World conference here yesterday,
  Frank Abagnale gave a keynote presentation on his life as an imposter
  and fraudster, a story that was told in the book and subsequent Steven
  Spielberg movie, Catch Me If You Can. Prior to his presentation,
  Abagnale -- now a lecturer and consultant who works extensively with
  the FBI and other clients -- spoke with Computerworld about ethics,
  computer crime and security risks faced by IT professionals.

  I know I sometimes forget that security goes beyond the scope of what
  you can control by typing on a keyboard - it's ultimately the person
  herself who could end up being deceived or hacked (in a sense). Read
  on for an interview with one of the more highly publicized "security
  figures" and see how IT can learn a lesson or two from this guy.

  http://www.linuxsecurity.com/content/view/130160

* How to Turn Your Browser Into a Weapon (Oct 18)
  -----------------------------------------------
  Turn Firefox into a web application swiss army knife by applying the
  methods shown in this article. From manipulating what cookies are
  being sent to telling the site you're hacking "hey, I'm IE!", it's
  interesting to know how the wonderful Firefox extensions (yay
  Firebug!) can be used for more than just surfing.

  http://www.linuxsecurity.com/content/view/130154

* Spam reaches all-time high of 95% of all email (Oct 18)
  -------------------------------------------------------
  Global spam levels reached an all-time high of 95% of all emails at
  its peak during the quarter.

  Since we're always on the forefront (usually getting blasted by them
  first) of spamming evolution, this comes as no surprise to us. It
  basically comes to a point where you wonder if there are any actual
  people writing actual email to each other anymore. Read on for a study
  of the most recent evolutions of spam, from PDF attachments, botnets,
  to the works.

  http://www.linuxsecurity.com/content/view/130148

* Beware of Hackers Targeting Storage Systems (Oct 17)
  ----------------------------------------------------
  Corporate storage systems and networks are an attractive target for
  hackers looking to steal sensitive data or launch computer attacks,
  Alan Lustiger, security architect at TD Ameritrade, told an audience
  at Computerworld's Storage Networking World user conference in Dallas
  Monday.

  Looks like NAS systems are becoming the low-hanging fruit as far as
  hackable network storage. The article states that the systems are most
  attractive due to their reliance on well-known protocols, and that
  these protocols could easily be studied and picked apart. This just
  sounds to me like a poor use of security - certain protocols have been
  around longer than the cast of Cocoon (ok maybe not THAT long) and yet
  many open-source companies maintain and secure them daily. Read on and
  let us know how you would defend "well known clear protocols"!

  http://www.linuxsecurity.com/content/view/130116

* Security: #1 Reason Users in Asia choose Open Source (Oct 17)
  -------------------------------------------------------------
  According to a report performed by IDC Research: organizations
  perceived open source technology as providing better security compared
  to proprietary products...

  In reality, it seems that the advantages of open source security are
  taking hold, so much in fact, that they are the primary reason for
  adoption in Asia and the region. So maybe, when Microsoft and other
  firms can't artificially meddle with the system, look what happens -
  the people speak and the choice is clear. Is the reason because
  proprietary versions are so insecure, that Linux is secure by
  comparison? Or is it that Linux, by nature, gets more attention from a
  driven community to create platforms that are inherently better
  engineered, for more security through development?

  http://www.linuxsecurity.com/content/view/130114

* IPFire: Free firewall for your home or SOHO (Oct 17)
  ----------------------------------------------------
  IPFire is a linux based firewall distribution with a lot of extras.
  The base for the stable version 1.4.9 was the IPCop that has been
  hardly modified. There were added: Asterisk PBX, Samba,
  MorningReconnect, LPR-NG and many other things.

  I've always been a fan of Shorewall and Firestarter - what have you
  used as a good base firewall setup? Any thoughts how this will match
  up in an enterprise server environment?

  http://www.linuxsecurity.com/content/view/130111

* How to Get a Grip on Ajax Security (Oct 16)
  -------------------------------------------
  Asynchronous JavaScript + XML (AJAX), the technology of choice today
  for building powerful, interactive Web applications, comes at a price.
  If developers aren't careful they will pay that price in security.

  My friend Luis is heavily into the Unix philosophy - he loves plain
  text in his applications. We all love being able to keep things simple
  and parse happily away whenever something goes wrong. However,
  providing rich interactive Web experiences takes the developer farther
  and farther away from simplicity at a cost. Read on for an interesting
  article on the complexity of AJAX and how some end users are getting
  better and better at exploiting holes in AJAX applications.

  http://www.linuxsecurity.com/content/view/130109

* How much longer does AppArmor really have? (Oct 16)
  ---------------------------------------------------
  As of today, Novell has dissolved the AppArmor development team,
  centered around main developer, Crispin Cowan. For a long time,
  AppArmor has been slow to be adopted due to the nature of its security
  structure (it differs from SELinux by its adherence to using names).
  The issue here seems to be that without a funded back-end by Novell,
  how much longer does AppArmor really have? Is this a case of survival
  of the fittest? Could a name-based structure ever succeed?

  Certainly, with backing from Novell now gone, it may be safe to say
  that the project may only have another year. While a few distributions
  still include that support, will they be willing to include it in one
  year, without a large corporate backer? It seems unlikely, at best,
  that another large organization is going to rise to take Novell's
  place, and without that AppArmor's days may be numbered.

  http://www.linuxsecurity.com/content/view/130106

* Restricting Zone Transfers With IP Addresses in BIND DNS Server (Oct 16)
  ------------------------------------------------------------------------
  One of the simplest ways to defend is to limit zone transfers between
  nameservers by defining an ACL. I see many admins allow BIND to
  transfer zones in bulk outside their network or organization. There is
  no need to do this. Remember you don't have to make an attacker's life
  easier.

  Point well made - your server may be assisting spammers in resolving
  DNS requests without your own knowledge. Why help in scoring goals
  against your own team? Read on for a quick summary of steps you can
  take to ensure your zone transfers are secure! I know that Spamhaus's
  DROP list can be utilized to block out whole network blocks of known
  DNS attackers - what methods have you taken to secure your DNS
  services?

  http://www.linuxsecurity.com/content/view/130105

* Computer Forensics: Linux Style! (Oct 15)
  -----------------------------------------
  Which OS do you think is best for computer forensics? Obviously, being
  as we are Linux users, we'd likely recommend admins consider using a
  Linux-based approach for such a task. But which applications are
  honestly available on this platform? Not only that, are any of them
  open source?

  This column brings up an interesting point in forensic research -
  since there's a bountiful wealth of exploits being developed for
  Windows, as well as its magnetism for spyware, why would you trust an
  OS that is laden with such vulnerabilities to do your forensic
  research in the first place? What open source tools do you recommend
  for computer forensics?

  http://www.linuxsecurity.com/content/view/130068

* NAC: Stand-Alone Appliances vs. Built Into the Infrastructure (Oct 15)
  ----------------------------------------------------------------------
  The true question becomes, what kind of NAC should you invest in now
  that will provide sustaining value to your enterprise for years to
  come? In reality, the answer probably has more to do with the
  capabilities of the NAC system than its form factor. We'll first talk
  about which form makes sense in which deployments and then talk about
  the sustainable feature set.

  Read on for an interesting article on what to consider when applying
  NAC to your network infrastructure. Do you have any tips for helping
  someone implement a system that not only solves your NAC problems, but
  leaves it extensible enough in the future for any changes?

  http://www.linuxsecurity.com/content/view/130066

* Review : EnGarde Secure Linux (Oct 15)
  --------------------------------------
  Linuxhelp.blogspot.com decides to take EnGarde Secure Linux: Community
  Edition for a spin in this thorough distro review. He describes the
  installation, displays screen shots from various aspects of the
  platform, and goes into some detail regarding managing services,
  backing up files, checking logs, setting up firewalls, and more. He
  had this to say about WebTool:

  In short the web tool is a one stop shop for troubleshooting and
  managing your server from a remote location. A very powerful interface
  indeed.

  http://www.linuxsecurity.com/content/view/130065

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
------------------------------------------------------------------------