+---------------------------------------------------------------------+
| LinuxSecurity.com                                 Weekly Newsletter |
| April 4th, 2006                                Volume 7, Number 14n |
|                                                                     |
| Editorial Team: Dave Wreski                  dave linuxsecurity.com |
|                 Benjamin D. Thomas            ben linuxsecurity.com |
+---------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, perhaps the most interesting articles include "Steganography
FAQ," "IPCop-OpenVPN HOWTO," "International Body Adopts Network
Security Standard," and "The Top 10 Information Security Myths."
---
EnGarde Secure Linux: Why not give it a try?
EnGarde Secure Linux is a Linux server distribution that is geared
toward providing an open source platform that is highly secure by
default as well as easy to administer. EnGarde Secure Linux includes a
select group of open source packages configured to provide maximum
security for tasks such as serving dynamic websites, high availability
mail transport, network intrusion detection, and more. The Community
edition of EnGarde Secure Linux is completely free and open source,
and online security and application updates are also freely
available with GDSN registration.
http://www.engardelinux.org/modules/index/register.cgi
---
EnGarde Secure Community 3.0.5 Released
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.5 (Version 3.0, Release 5). This release includes
several bug fixes and feature enhancements to the Guardian Digital
WebTool and the SELinux policy, and several new packages available
for installation.
http://www.linuxsecurity.com/content/view/121879/65/
---
pgp Key Signing Observations: Overlooked Social and Technical
Considerations
By: Atom Smasher
While there are several sources of technical information on using
pgp in general, and key signing in particular, this article
emphasizes social aspects of key signing that are too often ignored,
misleading or incorrect in the technical literature. There are also
technical issues pointed out where I believe other documentation
to be lacking. It is important to acknowledge and address social
aspects in a system such as pgp, because the weakest link in the
system is the human that is using it. The algorithms, protocols
and applications used as part of a pgp system are relatively
difficult to compromise or 'break', but the human user can often
be easily fooled. Since the human is the weak link in this chain,
attention must be paid to actions and decisions of that human;
users must be aware of the pitfalls and know how to avoid them.
http://www.linuxsecurity.com/content/view/121645/49/
---
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+
* (IN)SECURE Issue 6 has been released
30th, March, 2006
The latest edition of this free PDF digital security magazine is
packed with content that caters to all levels of knowledge. Get your
copy today!
http://www.linuxsecurity.com/content/view/122162
* Steganography FAQ
29th, March, 2006
Steganography is a subject which is rarely touched upon by most IT
Security Enthusiasts. Most people don't see Steganography as a
potential threat, some people don't even know what Steganography is.
With this FAQ I hope to answer any questions anyone may want to ask
about Steganography, and to educate people so they can understand
what exactly Steganography is. Is Steganography a potential threat?
Well, you're about to find out.
http://www.linuxsecurity.com/content/view/122140
* IPCop-OpenVPN HOWTO
30th, March, 2006
I'm a huge fan of IPCop. It's a great firewall distro that makes
administration a snap using a slick web interface. My goal was to use
IPCop and an easy-to-use VPN client to allow access to my LAN while
away from home. I ended up going with the ZERINA OpenVPN addon for
IPCop and the OpenVPN GUI for Windows. If you've ever wanted full,
secure, encrypted access to your LAN from any remote location, here
is your guide.
http://www.linuxsecurity.com/content/view/122168
* Defeating the Hacker
31st, March, 2006
Way back in the early 1980s, Robert Schifreen shot to notoriety as
one of the hackers who broke into Prince Philip's mailbox on the
Prestel service. It was this case that, after the Law Lords ruled
that the forgery laws did not cover typing a user name and password
into a computer screen, instigated the drafting and passage of the
Computer Misuse Act in 1984. Schifreen has spent the intervening
years being a respectable computer journalist, and his specialty --
as you might expect -- is security. Defeating the Hacker: A
Non-Technical Guide to IT Security is the result of years of writing,
research and speaking at conferences on security topics.
http://www.linuxsecurity.com/content/view/122178
* International Body Adopts Network Security Standard
25th, March, 2006
The International Organization for Standardization (ISO) approved
last month a comprehensive model that identifies critical
requirements to ensure end-to-end network security. Specifically,
the global standards group formally adopted ISO/IEC 18028-2, which
defines a standard security architecture and provides a systematic
approach to support the planning, design and implementation of
information technology networks.
http://www.linuxsecurity.com/content/view/122087
* Look Toward The Future
27th, March, 2006
Just like their larger brethren, small to medium-sized enterprises
that wish to garner a competitive advantage must develop an effective
IT plan. Increasingly, IT departments are becoming the hub of the
company, and more and more companies expect their IT managers to
accomplish a variety of tasks with limited resources. In fact, having
an established plan goes far to empower smaller firms so they'll be
able to play with the "big boys" in their industry arenas.
http://www.linuxsecurity.com/content/view/122123
* Learning An Advanced Skillset
28th, March, 2006
It was almost two years ago now that I wrote the SecurityFocus
article on TCP/IP skills required for security analysts. That article
offered advice on how one can seek employment in the security field
through education, training, and a strong focus on TCP/IP. The idea
came about from all of the questions this author has been asked on
the subject. There is often a lot of uncertainty as to what one
should study to further one's career in the network security world.
Much as I mentioned previously, it can be a daunting task. What was
laid out as core skills required for a fully competent security
analyst are in reality, but a baseline. From that foundation of
skills learnt, and honed over time can you begin to think about
acquiring more advanced skills.
http://www.linuxsecurity.com/content/view/122133
* Visualization in the Security and New Media World
31st, March, 2006
Information visualization seems to be a growing trend in today's
knowledge driven, and information-overloaded society. The following
represents a URL tree graph of the Security Mind Streams blog --
looks resourceful! Want to freely graph your site/blog? Take
advantage of Texone's tree, just make sure you don't forget to press
the ESC key at a certain point.
http://www.linuxsecurity.com/content/view/122180
* Are Cyber Criminals Or Bureaucrats The Industry's Top Performer?
28th, March, 2006
Last week, I came across a great article at Forbes.com, "Fighting
Hackers, Viruses, Bureaucracy", an excerpt:
"Cyber security largely ends up in the backseat," says Kurtz, who
prior to lobbying did stints in the State Department, the National
Security Council and as an adviser to President George W. Bush on
matters relating to computer security. "Our job is to shine a bright
light on it, to help people understand it."
http://www.linuxsecurity.com/content/view/122136
* Open Source Security Testing Methodology
30th, March, 2006
Truth is made of numbers. Following this golden rule, Federico
Biancuzzi interviewed Pete Herzog, founder of ISECOM and creator of
the OSSTMM, to talk about the upcoming revision 3.0 of the Open
Source Security Testing Methodology Manual. He discusses why we need
a testing methodology, why use open source, the value of
certifications, and plans for a new vulnerability scanner developed
with a different approach than Nessus.
http://www.linuxsecurity.com/content/view/122165
* Lundquist's Guide To Not Getting Fired for Losing Your Laptop
2nd, April, 2006
How often do we have to read about someone losing a laptop with a
bunch of client data? I've included some links to recent stories:
Stolen Fidelity Laptop Exposes HP Workers and Lost Fidelity Laptop
Stirs Fear of ID Theft. Stop and think for a second. You are a
high-powered road warrior jetting around the world making lots of
complex but incredibly lucrative financial deals. You lose your
laptop with all that important information. You have to call your
boss back at the home office. Your next job involves asking customers
if they want the large or the super-jumbo Slurpee.
http://www.linuxsecurity.com/content/view/122184
* Roll Your Own Firewall
27th, March, 2006
Over the years I have learned how to roll my own firewall script and
call it from /etc directory. Of course, my firewall is only INPUT
based, instead of INPUT and OUTPUT based, but I find that building an
INPUT/OUTPUT based firewall is tremendously difficult and not really
all that necessary if you use good download practices on your Linux
server or PC and/or if you're already behind a NAT router (such as a
home-based DSL or cable router or wireless router) or other firewall.
http://www.linuxsecurity.com/content/view/122120
* Domain Registrar Joker Hit by DDoS
27th, March, 2006
Domain registrar Joker.com says its nameservers are under attack,
causing outages for customers. More than 550,000 domains are
registered with Joker, which is based in Germany. Any of those
domains that use Joker's DNS servers are likely to be affected.
"Joker.com currently experiences massive distributed denial of
service attacks against nameservers," the registrar says in an
advisory on its home page. "This affects DNS resolution of Joker.com
itself, and also domains which make use of Joker.com nameservers. We
are very sorry for this issue, but we are working hard for a
permanent solution."
http://www.linuxsecurity.com/content/view/122108
* Detecting Botnets Using a Low Interaction Honeypot
26th, March, 2006
This paper describes a simple honeypot using PHP and emulating
several vulnerabilities in Mambo and Awstats. We show the mechanism
used to 'compromise' the server and to download further malware. This
honeypot is 'fail-safe' in that when left unattended, the default
action is to do nothing -- though if the operator is present,
exploitation attempts can be investigated. IP addresses and other
details have been obfuscated in this version.
http://www.linuxsecurity.com/content/view/122088
* The e-Crime Congress 2006. March 30 & 31 2006
27th, March, 2006
The e-Crime Congress 2006 will seek to challenge conventional
attitudes on e-Crime and examine how business, government and law
enforcement can continue to work together in order to tackle a threat
that undermines public confidence in the Internet as a viable and
secure commercial medium for the future.
http://www.linuxsecurity.com/content/view/122112
* The Pathogenesis of Dark Traffic Attacks
29th, March, 2006
As well as straightforward spam, dark traffic comprises directory
harvest attacks, email Denial of Service attacks, malformed SMTP
packets, invalid recipient addresses, and other requests and
communications unrelated to the delivery of valid email messages.
http://www.linuxsecurity.com/content/view/122139
* Amanda 2.5 - A major new release of the Open Source Backup Software
27th, March, 2006
Amanda is the world's most popular open source backup and recovery
software. Amanda allows system administrators to set up a single
server to back up multiple hosts to a tape- or disk-based storage
system over the network. It uses native dump and/or GNU tar
facilities and can back up a large number of workstations or servers
running various versions of Linux, Unix, Mac OS-X or Microsoft
Windows operating systems. On March 23rd, 2006, the Amanda team
released a major version (2.5) of the software. Overall the focus of
the release is on security of the backup process & backed up data,
scalability of the backup process and ease of installation &
configuration of Amanda.
http://www.linuxsecurity.com/content/view/122111
* Users of SELinux Now Have A Choice On Security
27th, March, 2006
The release of a new open-source security package has sparked debate
over how many Mandatory Access Control applications Linux really
needs, and if more than one would just dilute volunteer efforts.
Novell Inc. of Provo, Utah, recently released the source code for its
recently acquired Linux security application, AppArmor. It also set
up a project site in hopes of attracting outside developers to
further refine the program.
http://www.linuxsecurity.com/content/view/122125
* Linux Supporters Fiddle While OpenSSH Burns
30th, March, 2006
Once again, the OpenBSD project is asking for donations to keep its
operations in motion. It doesn't ask for much -- U.S. $100,000 (small
potatoes in the operating system development industry) -- yet it
provides so much to the software world. Even if you don't use
OpenBSD, you're likely to be benefiting from it unknowingly. If
you're using Solaris, SCO UnixWare, OS X, SUSE Linux, or Red Hat
Enterprise Linux, chances are you're using the OpenBSD-developed
OpenSSH for secure shell access to remote machines. If so many are
using this software, why are so few paying for it? Official responses
(and non-responses) from Sun Microsystems, IBM, Novell, and Red Hat
are below, but if you're one of the freeloaders who hasn't
contributed to OpenBSD or OpenSSH, what's your excuse?
http://www.linuxsecurity.com/content/view/122166
* Computer Forensics Tool Testing (CFTT) Project
27th, March, 2006
There is a critical need in the law enforcement community to ensure
the reliability of computer forensic tools. A capability is required
to ensure that forensic software tools consistently produce accurate
and objective test results. The goal of the Computer Forensic Tool
Testing (CFTT) project at the National Institute of Standards and
Technology (NIST) is to establish a methodology for testing computer
forensic software tools by development of general tool
specifications, test procedures, test criteria, test sets, and test
hardware.
http://www.linuxsecurity.com/content/view/122109
* Version 0.7 of the OSSEC HIDS is now available
29th, March, 2006
OSSEC HIDS is an open source host-based intrusion
detection system. It performs log analysis, integrity
checking, rootkit detection, time-based alerting and
active response.
This is one of the most improved versions so far. It
now includes support for squid, pure-ftpd, postfix and
AIX ipsec logs (in addition to a lot of improvements
to the previous rules).
http://www.linuxsecurity.com/content/view/122138
* Secure Coding
27th, March, 2006
The primary cause of commonly exploited software vulnerabilities is
software defects that could have been avoided. Through our analysis
of thousands of vulnerability reports, the CERT/CC has observed that
most of them stemmed from a relatively small number of root causes.
If we can identify the root causes of vulnerabilities and develop
secure coding practices for illustration, software producers may be
able to take practical steps to prevent introduction of
vulnerabilities into deployed software systems.
http://www.linuxsecurity.com/content/view/122110
* Exegesis of Virtual Hosts Hacking
28th, March, 2006
There is a lot that we can say about finding virtual hosts from a
given IP address. Sometimes this task is straightforward, other times
a bit of thinking is required. However, in general it is not a
mission impossible.
During the last few years, domain name databases have emerged like
mushrooms after a rainy day. This has certainly increased the
awareness among security professionals about the possibility of using
virtual hosts as backdoors when testing the security of a given
organization. In reality, a good attacker will try to break into your
organization by knocking on the not-so-obvious doors.
http://www.linuxsecurity.com/content/view/122128
* Ensure data doesn't leave with your staff
28th, March, 2006
With average employee turnover in the UK stable at about 15%, the
security implications of staff departures should not be overlooked.
While most departing employees are honourable, there is,
unfortunately, a sizeable minority who will copy databases, customer
requirements, tender documents or, in some cases, copy and remove
proprietary code.
http://www.linuxsecurity.com/content/view/122130
* Secure Your Applications From The Start
28th, March, 2006
Information security in financial services is one of the highest
priorities for C-level executives. CEOs don't want the bad press and
liabilities associated with a security breach, and CIOs know that
their phones will be the first to ring if data is compromised. Adding
to the urgency of the issue, the number of reported security
vulnerabilities and the cost per incident continue to rise, according
to the 2005 Computer Security Institute/FBI Computer Crime and
Security Survey. But most IT shops don't properly test applications
for security flaws during the development life cycle, resulting in
apps riddled with vulnerabilities. Too often, security and
application development are viewed as separate disciplines. Part of
the problem is that security teams often are called in to add
security to software post-development, rather than working alongside
developers during the development process.
http://www.linuxsecurity.com/content/view/122135
* Knoppix Hacks: Scanning For Viruses
28th, March, 2006
Ridding a network of Windows computers of a virus or worm can seem
impossible. Viruses may cause computers to reboot and infect new
machines while you are in the process of removing them. Through the
use of the live-software installer, Knoppix provides a solution to
this catch-22.
http://www.linuxsecurity.com/content/view/122137
* Looking For Love In All The Wrong Places
29th, March, 2006
Despite all the dire warnings about legal liabilities and security
risks, a new study indicates one in five workers uses his or her
company's Web access for personal use. Among the industries reporting
the highest abuse is the male-dominated manufacturing field, where
nearly 13% of users try accessing forbidden pornography, dating and
gambling sites. Its workforce also tended to chat longest with
friends while at work.
http://www.linuxsecurity.com/content/view/122160
* Security isn't always perfect, but it doesn't necessarily have to be
30th, March, 2006
A big part of being a security professional, or for that matter an
informed citizen, is examining a proposed security control and
identifying weaknesses or ways it could potentially be bypassed. But
there's a logic error frequently committed here, and that's
assuming that because a control has some weakness, that it's
useless. This is due to a poor understanding of what the goal of the
exercise is and a poor understanding of what security is really
about.
http://www.linuxsecurity.com/content/view/122163
* The Top 10 Information Security Myths
30th, March, 2006
When it comes to information security, there's a lot of popular
wisdom available, but much of it is unfounded and won't necessarily
improve your organization's security. Only by cutting through the
hype to separate reality from myth can IT professionals help take
their enterprises to the next level. Here are 10 network security
myths that bear further examination.
http://www.linuxsecurity.com/content/view/122164
* E-mail Security: Detecting Spam (II)
30th, March, 2006
As spam filters get more advanced, less spam is allowed to enter into
user's inbox so the business model of spammers gets hurt. Instead
of thinking that people don't really like to receive spam and they
would prefer less intrusive ways to get publicity, they try to
work around these filters in, sometimes, really clever ways. So, spam
filters have to be continually modified and adapted to not fall into
these new tricks.
http://www.linuxsecurity.com/content/view/122167
* Why Phishing Attacks Work
30th, March, 2006
When asked if a phishing site was legit or a spoof, 23% of users use
only the content of the website to make the decision! The majority of
users ignore the address and SSL indicators in the browser. Some
users think that favicons and lock icons in HTML are more important
indicators. The paper hints that the proposed IE7 security indicators
and multi-colored address bar will also suffer a similar fate. This
study is brought to you by the people who developed the security
skins Firefox extension.
http://www.linuxsecurity.com/content/view/122169
* RSA Looks To Drown Phishers In Data Flood
1st, April, 2006
A novel tactic to defeat phishers is being employed by Cyota staff:
flooding phishing sites with fake bank details to make the real
information harder to find. RSA's Cyota division is helping fight
phishing attacks by giving the online fraudsters what they want --
lots of user names, passwords, online banking credentials and credit
card numbers.
http://www.linuxsecurity.com/content/view/122183
* CYBEREYE: Security: Lots Of Lessons, Nothing Learned
28th, March, 2006
The issues of personal data security and identity theft broke into
the national consciousness a year ago, when Choice-Point reported
that thieves had established accounts with the data broker to obtain
sensitive information on 145,000 people. Outrage was immediate, but
the problem has persisted. Despite congressional hearings, a plethora
of federal bills and the passage of laws in at least 22 states, data
on more than 53 million people was stolen, lost or exposed in 121
more incidents over the next year, according to the Privacy Rights
Clearinghouse. By far the largest exposure was at payment processor
CardSystems Solutions Inc., which effectively was put out of business
after data on 40 million people was hacked.
http://www.linuxsecurity.com/content/view/122134
* GAO: Security Accreditation Program a Tough Sell
31st, March, 2006
The federal government's program for testing and accrediting the
security of commercial technology has not been proven a success,
according to a report by the Government Accountability Office. The
National Information Assurance Partnership (NIAP), which is sponsored
by the National Security Agency and the National Institute of
Standards and Technology, was created to make it easier for agencies
to find products that meet basic industry standards for security.
http://www.linuxsecurity.com/content/view/122181
* Consumer Data Security Bill Passes Out of House Committee
31st, March, 2006
A House committee this week unanimously approved a data security law
that would establish federal standards for protecting personal
information and would supersede state laws. The Data Accountability
and Trust Act, (HR 4127), is one of a spate of bills introduced last
year in the wake of publicity about the theft or loss of data that
could lead to identity theft. The incidents came to light as a result
of state laws requiring consumer notification of security breaches
and spurred a consumer demand for tighter regulation.
http://www.linuxsecurity.com/content/view/122182
* Industrial espionage worm authors jailed
28th, March, 2006
A married couple accused of using computer worms to conduct
industrial espionage has received jail terms of four and two years
after pleading guilty in an Israeli court.
http://www.linuxsecurity.com/content/view/122129
* Registrar Joker.com Suffers Attack
28th, March, 2006
Domain-name registrar Joker.com acknowledged this weekend that
distributed denial-of-service attacks had caused numerous problems
for customers that use its domain-name service (DNS) servers to
advertise the Internet addresses of their domains.
http://www.linuxsecurity.com/content/view/122132
* Two DNS Servers Hit By denial-of-service Attacks
29th, March, 2006
In the second attack of its kind in the past few days, Domain Name
System (DNS) servers at Network Solutions Inc. were hit by a
denial-of-service attack this afternoon, resulting in a brief
performance degradation for customers, according to the company. The
attacks, which started at around 2:20 p.m. EST, were targeted at the
company's WorldNIC name servers and resulted in a service
degradation for about 25 minutes before the server was restored to
normal, a spokeswoman for the company said.
http://www.linuxsecurity.com/content/view/122142
* Hackers Serve Rootkits with Bagles
31st, March, 2006
Malicious hackers have fitted rootkit features into the newest
mutants of the Bagle worm, adding a stealthy new danger to an already
virulent threat. According to virus hunters at F-Secure, of Helsinki,
Finland, the latest Bagle.GE variant loads a kernel-mode driver to
hide the processes and registry keys of itself and other
Bagle-related malware from security scanners.
http://www.linuxsecurity.com/content/view/122179
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.
LinuxSecurity.com
To unsubscribe email newsletter-request linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------