LinuxSecurity.com
Linux Security Week: March 14th 2005
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, perhaps the most interesting articles include "Digital encryption standard flawed," "An Illustrated Guide to Cryptographic Hashes," and "Will SELinux Become More Widely Adopted?"


Internet Productivity Suite: Open Source Security - Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design. Click to find out more!

LINUX ADVISORY WATCH - This week, advisories were released for clamav, kernel, squid, kppp, helixplayer, tzdata, libtool, firefox, ipsec-tools, dmraid, gaim, libexif, gimp, yum, grip, libXpm, xv, ImageMagick, Hashcash, mlterm, dcopidlng, curl, gftp, cyrus-imapd, unixODBC, and mc. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE.

LinuxSecurity.com Feature Extras:

Getting to Know Linux Security: File Permissions - Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple.
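As an added illustration of what that tutorial covers (this code is not part of the tutorial or of LinuxSecurity.com), the block below converts the symbolic mode string printed by `ls -l` into the octal value `chmod` takes, turns an octal mode back into the symbolic form, flags the modes a reviewer would question (world-writable, setuid, setgid), and applies a mode to a real file with `os.chmod`. The temporary file it creates is the only input; nothing else is assumed.

```python
"""Reading and setting Unix file permissions (added example)."""
import os
import stat
import tempfile

# Permission bits in the order they appear in a symbolic mode string.
PERM_BITS = [
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,   # owner  rwx
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,   # group  rwx
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,   # other  rwx
]


def symbolic_to_mode(sym: str) -> int:
    """'rwxr-x---' (or '-rwxr-x---' straight from ls -l) -> 0o750.

    Handles s/S (setuid, setgid) and t/T (sticky) in the execute columns;
    a lowercase letter means the execute bit is also set.
    """
    if len(sym) == 10:          # drop the file-type column from ls -l
        sym = sym[1:]
    if len(sym) != 9:
        raise ValueError(f"bad mode string: {sym!r}")
    mode = 0
    for i, ch in enumerate(sym):
        if ch in "rwx":
            mode |= PERM_BITS[i]
        elif ch in "sS" and i == 2:
            mode |= stat.S_ISUID | (stat.S_IXUSR if ch == "s" else 0)
        elif ch in "sS" and i == 5:
            mode |= stat.S_ISGID | (stat.S_IXGRP if ch == "s" else 0)
        elif ch in "tT" and i == 8:
            mode |= stat.S_ISVTX | (stat.S_IXOTH if ch == "t" else 0)
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i} of {sym!r}")
    return mode


def mode_to_symbolic(mode: int) -> str:
    """0o4755 -> 'rwsr-xr-x' (inverse of symbolic_to_mode)."""
    out = ["rwx"[i % 3] if mode & bit else "-" for i, bit in enumerate(PERM_BITS)]
    if mode & stat.S_ISUID:
        out[2] = "s" if out[2] == "x" else "S"
    if mode & stat.S_ISGID:
        out[5] = "s" if out[5] == "x" else "S"
    if mode & stat.S_ISVTX:
        out[8] = "t" if out[8] == "x" else "T"
    return "".join(out)


def review_mode(mode: int) -> list:
    """Return the findings a security review would raise for this mode."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_ISUID:
        findings.append("setuid")
    if mode & stat.S_ISGID and mode & stat.S_IXGRP:
        findings.append("setgid")
    return findings


def lock_down(path: str, mode: int = 0o600) -> int:
    """Apply `mode` with chmod and return the mode the kernel now reports."""
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> int:
    """Create a scratch file, restrict it to the owner, and return its mode."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    try:
        return lock_down(path, 0o600)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for s in ("-rwxr-x---", "rw-rw-rw-", "rwsr-xr-x", "rwxrwxrwt"):
        m = symbolic_to_mode(s)
        print(f"{s:>10} = {m:05o}  {mode_to_symbolic(m)}  {review_mode(m)}")
    print(f"scratch file locked to {demo():04o}")
```

The same octal value is what you pass on the command line (`chmod 750 script.sh`); `review_mode` is the check to run over anything that holds credentials, since a world-readable or group-writable mode undoes whatever the owner intended.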

The Tao of Network Security Monitoring: Beyond Intrusion Detection - The Tao of Network Security Monitoring is one of the most comprehensive and up-to-date sources available on the subject. It gives an excellent introduction to information security and the importance of network security monitoring, offers hands-on examples of almost 30 open source network security tools, and includes information relevant to security managers through case studies, best practices, and recommendations on how to establish training programs for network security staff.

Encrypting Shell Scripts - Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).

 

Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital's multi-faceted security applications. More than just an email firewall, on-demand and scheduled scanning detects and disinfects viruses found on the network. Click to find out more!

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.


  Researchers: Digital encryption standard flawed
  9th, March, 2005

In a three-page research note, three Chinese scientists -- Xiaoyun Wang and Hongbo Yu of Shandong University and Yiqun Lisa Yin, a visiting researcher at Princeton University -- stated they have found a way to significantly reduce the time required to break an algorithm, known as the Secure Hash Algorithm, or SHA-1, widely used for digitally fingerprinting data files. Other cryptographers who have seen the document said that the results seemed to be genuine.

http://www.linuxsecurity.com/content/view/118359
 
  Crypto suite supports Linux-based devices
  7th, March, 2005

Cryptography specialist Certicom has launched a security software suite aimed at helping device makers create secure, Web-based user interfaces based on elliptic curve cryptography. The Certicom Security Architecture (CSA) for Embedded supports Linux, and includes SSL, IPSec, PKI, DRM, and Embedded Trust Services.

http://www.linuxsecurity.com/content/view/118524
 
  IBM releases Linux 2005 Software Evaluation Kit
  10th, March, 2005

This is the easiest way to get all of the fresh releases of IBM middleware for Linux. Take a look at what you get...

http://www.linuxsecurity.com/content/view/118549
 
  An Illustrated Guide to Cryptographic Hashes
  13th, March, 2005

With the recent news of weaknesses in some common security algorithms (MD4, MD5, SHA-0), many are wondering exactly what these things are: They form the underpinning of much of our electronic infrastructure, and in this Guide we'll try to give an overview of what they are and how to understand them in the context of the recent developments. But note: though we're fairly strong on security issues, we are not crypto experts. We've done our best to assemble (digest?) the best available information into this Guide, but we welcome being pointed to the errors of our ways.

http://www.linuxsecurity.com/content/view/118560
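The SHA-1 result above and the hash guide both turn on the same point: a collision is cheaper to find than a preimage because of the birthday bound, so an n-bit hash gives only about n/2 bits of collision resistance, and the 2005 attack claims to push SHA-1 below even that 2^80 generic figure. The block below, an added example not taken from either article, makes the birthday bound concrete by running the generic search against SHA-1 truncated to 32 bits, where a collision appears after roughly 2^16 hashes. It uses only `hashlib` and constructed counter-derived messages.

```python
"""Birthday-bound collision search on a truncated SHA-1 (added example)."""
import hashlib
import math


def truncated_sha1(data: bytes, bits: int) -> int:
    """Return the leading `bits` bits of SHA-1(data) as an integer."""
    full = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return full >> (160 - bits)


def expected_attempts(bits: int) -> float:
    """Birthday estimate: hashes needed for a ~50% chance of one collision,
    sqrt(pi/2 * 2**bits), i.e. on the order of 2**(bits/2)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int, limit: int = 1 << 24):
    """Generic (attack-agnostic) birthday search.

    Hash distinct messages "msg-0", "msg-1", ... and stop at the first pair
    whose `bits`-bit prefixes agree. Returns (msg_a, msg_b, attempts), or
    None if `limit` hashes were computed without a collision.
    """
    seen = {}  # truncated hash -> message that produced it
    for i in range(limit):
        msg = f"msg-{i}".encode()
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


def security_margin_reduction(generic_log2: int = 80, attack_log2: int = 69) -> int:
    """How many times cheaper the published attack is than the generic bound
    (2**80 for SHA-1's 160-bit output versus the claimed 2**69)."""
    return 2 ** (generic_log2 - attack_log2)


if __name__ == "__main__":
    bits = 32
    a, b, n = find_collision(bits)
    print(f"{bits}-bit prefix collision after {n} hashes "
          f"(birthday estimate ~{expected_attempts(bits):.0f})")
    print(a.decode(), hashlib.sha1(a).hexdigest())
    print(b.decode(), hashlib.sha1(b).hexdigest())
    print(f"full SHA-1: generic 2^80, reported attack 2^69, "
          f"{security_margin_reduction()}x cheaper")
```

The point of the demo is that nothing clever was needed to halve the effective bit strength; the 2005 work is a further, algorithm-specific shortcut on top of that. The generic figure for full SHA-1 (2^80 hashes) is still far beyond this script, but a roughly 2000-fold reduction is what moves a hash from "safe for the foreseeable future" to "start migrating".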

 
  E-mail firewalls: A vital defense layer
  8th, March, 2005

The exponential rise in spam and e-mail-borne viruses has pushed must-have network security layers beyond traditional firewalls and intrusion-detection appliances. E-mail firewalls have emerged as a complementary appliance for detecting and protecting against threats in the inbound e-mail stream.

http://www.linuxsecurity.com/content/view/118530
 
  Review: Astaro Security Linux 5.1
  9th, March, 2005

One of the more popular uses for Linux is as a router/firewall to secure a local area network (LAN) against intruders and share an Internet connection. Several specialized distributions have sprung up to simplify this task. These range from small, diskette-based distros like the Linux Router Project and FREESCO to larger systems requiring a hard disk installation. Among the latter is Astaro Corp.'s Astaro Security Linux (ASL) 5.1, which I recently reviewed as part of ongoing research into content filtering products. ASL is an RPM-based distribution that allows an administrator to easily turn an x86 PC or server into a router/firewall appliance.

http://www.linuxsecurity.com/content/view/118539
 
  Informix: the good news and the bad news
  9th, March, 2005

There is both good news and bad news for Informix users. The good news is that Informix Dynamic Server (IDS) 10, which represents a major new release of the database, is now available. The bad news is that future versions of SAP (with NetWeaver) will no longer be available on the Informix platform, with this support to be phased out starting with the next SAP release.

http://www.linuxsecurity.com/content/view/118540
 
  DNS-Based Phishing Attacks on The Rise
  8th, March, 2005

Phishing fraudsters are using a pair of DNS exploits to help give them the illusion of credible domains, the latest ploy to dupe people into handing over their sensitive information. According to research firm Netcraft, phishers have begun to use wildcard DNS records to help trick unsuspecting users into giving up information about their identity.

http://www.linuxsecurity.com/content/view/118532
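A wildcard record such as `*.example.com` makes every label under the zone resolve, so a phisher who controls one cheap domain can mint hostnames like `www.bank.com.example.com` without adding a record per victim brand. The block below is an added example, not Netcraft's or the newsletter's code: it shows how to detect a wildcard zone (two never-registered random labels both resolve, to the same address) and how to pick out the part of a hostname the browser actually connected to. The resolver is injected so the check runs offline against a constructed zone; the `fake_resolve` function, the `FAKE_ZONE` table and its RFC 5737 addresses are all assumptions for the example, and a live check would pass a real lookup (for instance from dnspython) in its place.

```python
"""Wildcard-DNS detection and brand-embedding hostnames (added example)."""
import secrets
from typing import Callable, Optional

# Constructed zone data for the example only (192.0.2.0/24 is reserved for
# documentation). "*.example.com" is the wildcard the article describes.
FAKE_ZONE = {
    "www.example.com": "192.0.2.1",
    "*.example.com": "192.0.2.10",
    "www.example.net": "192.0.2.2",      # this zone has no wildcard
}


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in A-record lookup with the wildcard matching a real server does:
    an exact record wins, otherwise the closest enclosing '*' label matches."""
    name = name.lower().rstrip(".")
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        cand = "*." + ".".join(labels[i:])
        if cand in FAKE_ZONE:
            return FAKE_ZONE[cand]
    return None


def has_wildcard(domain: str, resolve: Callable[[str], Optional[str]],
                 probes: int = 2) -> bool:
    """True if random, never-registered labels under `domain` all resolve to
    one address: the signature of a wildcard record."""
    answers = set()
    for _ in range(probes):
        label = "probe-" + secrets.token_hex(8)   # will not exist as a real host
        addr = resolve(f"{label}.{domain}")
        if addr is None:
            return False
        answers.add(addr)
    return len(answers) == 1


def registrable_part(hostname: str) -> str:
    """Rightmost two labels: what the user is really talking to.
    Caveat: multi-label public suffixes (co.uk, com.au) need the Public
    Suffix List; this simplification is adequate for .com/.net style names."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def embeds_brand(hostname: str, brand_domain: str) -> bool:
    """Flag hosts that carry a brand's domain as labels inside another domain,
    e.g. www.bank.com.example.com impersonating bank.com."""
    h = hostname.lower().rstrip(".").split(".")
    b = brand_domain.lower().rstrip(".").split(".")
    for i in range(len(h) - len(b) + 1):
        if h[i:i + len(b)] == b:
            return registrable_part(hostname) != ".".join(b[-2:])
    return False


if __name__ == "__main__":
    for zone in ("example.com", "example.net"):
        print(f"{zone}: wildcard={has_wildcard(zone, fake_resolve)}")
    lure = "www.bank.com.example.com"
    print(f"{lure} -> {fake_resolve(lure)}, really {registrable_part(lure)}, "
          f"embeds bank.com: {embeds_brand(lure, 'bank.com')}")
```

Two probes are enough to distinguish a wildcard from a single leftover record; the check says nothing about whether the wildcard is malicious, since many legitimate hosting providers use them, which is why the registrable-part test matters more for a phishing filter than the wildcard test itself.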
 
  HITBSecConf2004: Conference Videos Released
  7th, March, 2005

We are proud to announce the immediate availability of the Hack In The Box Security Conference 2004 videos [Pack-1 and Pack-2]. Held at The Westin Kuala Lumpur in Malaysia from October 4th till the 7th, HITBSecConf2004 saw some of the biggest names in the network security industry down to present their latest research and findings. HITBSecConf2004 was also the first time we had two keynote speakers namely Theo de Raadt, creator and project leader for OpenBSD and OpenSSH and John T. Draper infamously known as Captain Crunch. Other speakers who presented include the grugq, Shreeraj Shah, Fyodor Yarochkin, Emmanuel Gadaix, Adam Gowdiak, Jose Nazario, Meder Kydyraliev and several others.

http://www.linuxsecurity.com/content/view/118513
 
  Hosting Your Own Web Server: Things to Consider
  10th, March, 2005

If you host your own web server, you should be technically inclined and have basic knowledge of operating systems, understand technical terms, know how to set up a server environment (DNS, IIS, Apache, etc.), have basic knowledge of scripting languages and databases (PHP, Perl, MySQL, etc.), be familiar with current technologies, and have a basic understanding of hardware and server components.

http://www.linuxsecurity.com/content/view/118546
 
  OpenSSH 4.0 released
  9th, March, 2005

OpenSSH 4.0 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or posters.

http://www.linuxsecurity.com/content/view/118541
 
  Novell's Linux desktop migration enters phase two
  10th, March, 2005

The Waltham, Massachusetts-based software vendor's Linux desktop migration began in 2004 and overachieved on its phase-one goals, the company's chief information officer, Debra Anderson told ComputerWire. The fact that Novell had just acquired Linux specialists Ximian and SUSE Linux and was making the transition to become a Linux vendor obviously helped, but Anderson is still stepping up the pace to ensure that Linux becomes the company's default desktop operating system.

http://www.linuxsecurity.com/content/view/118545
 
  Alternative browser spyware infects IE
  13th, March, 2005

Some useful citizen has created an installer that will nail IE with spyware, even if a surfer is using Firefox (or another alternative browser) or has blocked access to the malicious site in IE beforehand. The technique allows a raft of spyware to be served up to Windows users in spite of any security measures that might be in place. Christopher Boyd, a security researcher at Vitalsecurity.org, said the malware installer was capable of working on a range of browsers with native Java support. "The spyware installer is a Java applet powered by the Sun Java Runtime Environment, which allows them to whack most browsers out there, including Firefox, Mozilla, Netscape and others."

http://www.linuxsecurity.com/content/view/118566
 
  More-Secure Linux Still Needs To Win Users
  7th, March, 2005

The National Security Agency built a version of Linux with more security tools that its technologists believe could help make the country's computing infrastructure less vulnerable. They've won over the Linux developer community with the changes. But success depends on its adoption by U.S. companies and government agencies, something that remains very much in doubt.

http://www.linuxsecurity.com/content/view/118511
 
  Will SELinux Become More Widely Adopted?
  7th, March, 2005

"The National Security Agency built a version of Linux with more security tools that its technologists believe could help make the country's computing infrastructure less vulnerable. They've won over the Linux developer community with the changes. But success depends on its adoption by U.S. companies and government agencies, something that remains very much in doubt." (ed: not to mention adoption by Joe User, who is depending on his vendor to make this thing workable)

http://www.linuxsecurity.com/content/view/118525
 
  Nuclear cyber security debate hots up
  8th, March, 2005

Two companies that make digital systems for nuclear power plants have come out against a government proposal that would attach cyber security standards to plant safety systems. The 15-page proposal, introduced last December by the US Nuclear Regulatory Commission (NRC), would rewrite the commission's "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants." The current version, written in 1996, is three pages long and makes no mention of security.

http://www.linuxsecurity.com/content/view/118529
 
  Sensible IT Security for Small Businesses
  8th, March, 2005

This is a frequent question asked by owners of small businesses concerned about growing security threats infesting the Internet. But rather than relying on a single solution to address security challenges, small organizations instead should adopt a strategy of "defense in depth" -- using multiple mechanisms and levels for security.

http://www.linuxsecurity.com/content/view/118531
 
  Exploit Out For CA Bugs, Eval Users Also At Risk
  10th, March, 2005

Users of Computer Associates' products are now at an even greater risk, a security firm said Wednesday, because exploit code has appeared that takes advantage of vulnerabilities disclosed last week. Even more important, said Firas Raouf, the chief operating officer of eEye Digital Security, is that ex-users of CA products -- including those who only evaluated the company's security titles, but then later uninstalled them -- are vulnerable to attack.

http://www.linuxsecurity.com/content/view/118547
 
  Application protection
  11th, March, 2005

Teros Gateway, developed by Teros, digs deep. In contrast to a Layer 3 or 4 firewall that may only identify problems in the primitive transport layers of the IP stack, Teros Gateway will dissect outgoing and incoming packets to examine compliance with security policies. Although a firewall may detect anomalies such as a port scan or other reconnaissance attempts, the Teros Gateway learns your critical applications' normal behavior. Based on that information, it can block any deviant behavior.

http://www.linuxsecurity.com/content/view/118551
 
  Combating "Cardholder Not Present" Fraud
  13th, March, 2005

Of the security issues facing banks everywhere, prevention of card fraud has always been a high priority, and is set to grow even further in importance. The level of card fraud has risen significantly over recent years, caused in the main, by the explosion in the number and usage of payment cards and the associated high level of organised card crime activity. For example, over the past decade, fraud losses on UK-issued plastic cards have risen from £96.8m to a staggering £402.4m a year. And these figures do not take into account the "soft" costs related to card fraud, such as tarnish to reputation and potential legal costs.

http://www.linuxsecurity.com/content/view/118559
 
  Infection Vectors
  13th, March, 2005

The other day I was browsing through the top virus threats for February and March 2005, looking at the assorted nastiness, when a funny thought occurred to me: is it possible to pick a favorite virus (or virus family)? I think it is. We can look at their innovations and evolution with a source of envy, even if we universally despise them all. All viruses are malicious, nasty little programs written by misguided people. In my book, they are all manifestations of bad intentions by programmers who are well on the road to becoming evil. However... The best viruses are the ones that infect without any human error or intervention at all. And most interesting to me are the ones that innovate with new infection vectors.

http://www.linuxsecurity.com/content/view/118561
 
  High Profile, Low Security
  13th, March, 2005

I'll tell you a secret. If you're looking for a security consultant during the day and he's not in the office, you might find him in a neighborhood coffee shop consuming large doses of caffeine, and using a laptop with wireless net access. It's nice to people watch, catch up on the news, review technical articles and yes, even work, while enjoying that magic elixir (coffee) thanks to the wonders of WiFi. I find it a great way to take a break. You can imagine my disappointment early last week when I swung by one of my favorite haunts, grabbed a latte, opened up a terminal and watched my SSH attempt fail. Shoot -- their Internet connection must be down.

http://www.linuxsecurity.com/content/view/118562

 
  Reliability and availability: What's the difference?
  13th, March, 2005

How do you design a computing system to provide continuous service and to ensure that any failures interrupting service do not result in customer safety issues or loss of customers due to dissatisfaction? Historically, system architects have taken two approaches to answer this question: building highly reliable, fail-safe systems with low probability of failure, or building mostly reliable systems with quick automated recovery. The RAS (Reliability, Availability, Serviceability) concept for system design integrates concepts of design for reliability and for availability along with methods to quickly service systems that can't be recovered automatically.

http://www.linuxsecurity.com/content/view/118564
 
  'Highly critical' security bugs listed for Linux products
  13th, March, 2005

Information about several vulnerabilities in Linux and Linux-based applications that are deemed to be "highly critical" was recently posted on the security Web site Secunia.com. Debian was cited as a system with operating system vulnerabilities that could be exploited. Meanwhile, users running RealNetworks' open-source Helix player, the open-source phpWebSite manager utility, as well as users with a network backup product from Arkeia, were warned of software flaws that could leave systems potentially open to attack.

http://www.linuxsecurity.com/content/view/118565
 
  The National Security Agency Declassified
  13th, March, 2005

Highlights from the GWU National Security Archive's collection of declassified NSA documents (Electronic Briefing Book No. 24), posted on the Web by the National Security Archive: Internet wiretapping mixes "protected" and targeted messages; the Information Age requires rethinking 4th Amendment limits and policies, the National Security Agency told the Bush administration; the "Transition 2001" report was released through FOIA.

http://www.linuxsecurity.com/content/view/118563
 
  Hacked data boosts identity theft to critical issue
  11th, March, 2005

The computer breach at consumer data broker Seisint raised identity theft in the United States to crisis proportions Thursday, a day after the second major data broker disclosed that its database containing a plethora of private information on virtually every American was compromised. LexisNexis' Seisint division and rival ChoicePoint, each with large computer centers in Boca Raton, sell consumers' addresses, Social Security numbers, driver license numbers and other personal information stored in electronic databases. These firms operate free from government regulation. That's almost certain to change as Congress is asking why this sensitive consumer information is not secured from computer hackers who are intent on stealing people's identities.

http://www.linuxsecurity.com/content/view/118552
 
  Online Banking Industry Very Vulnerable to Cross-Site Scripting Frauds
  13th, March, 2005

Phishing Attacks reported by members of the Netcraft Toolbar community show that many large banks are neglecting to take sufficient care with the development and testing of their online banking facilities. Well known banks have created an infestation of application bugs and vulnerabilities across the Internet, allowing fraudsters to insert their data collection forms into bona fide banking sites, creating convincing frauds that are undetectable to most customers. Indeed, a personal finance journalist writing for The Motley Fool was brave enough to publicly admit to having fallen for a fraud running on Suntrust's site and having her current account cleaned out. It's a reasonable premise that if a Motley Fool journalist can fall for a fraud, anyone can.

http://www.linuxsecurity.com/content/view/118567
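The fraud described above is reflected cross-site scripting: a bank page echoes a URL parameter into its HTML without encoding it, so a link in a phishing mail makes the bank's own site render the attacker's form. The block below is an added example, not code from Netcraft or from any bank. The tiny page builder, the `msg` parameter name, the `example.com` / `example.net` hosts and the harvesting form are all constructed for the demonstration; it shows the vulnerable render beside the fixed one and checks whether the injected form survives as live markup.

```python
"""Reflected XSS in a login notice page: vulnerable vs. encoded (added example)."""
import html
from urllib.parse import parse_qs, quote, urlparse

# Constructed attacker payload: a credential-harvesting form that posts to a
# host the attacker controls (example.net is a reserved documentation domain).
PAYLOAD = ('<form action="https://login.example.net/collect" method="post">'
           'Session expired, please sign in again: <input name="user">'
           '<input name="pass" type="password"><input type="submit"></form>')

# The link a phishing mail would carry: the bank's real hostname, with the
# payload URL-encoded into the reflected parameter.
PHISHING_LINK = "https://onlinebanking.example.com/notice?msg=" + quote(PAYLOAD)


def msg_from_url(url: str) -> str:
    """What the bank's server sees after decoding the query string."""
    return parse_qs(urlparse(url).query).get("msg", [""])[0]


def render_vulnerable(msg: str) -> str:
    """The bug: the parameter is interpolated verbatim into HTML body text."""
    return f"<html><body><h1>Online Banking</h1><p>{msg}</p></body></html>"


def render_fixed(msg: str) -> str:
    """Same page with output encoding for the HTML-body context. html.escape
    turns < > & and quotes into entities, so the browser shows the text but
    never parses it as markup."""
    safe = html.escape(msg, quote=True)
    return f"<html><body><h1>Online Banking</h1><p>{safe}</p></body></html>"


def contains_live_markup(page: str, payload: str) -> bool:
    """True if the payload appears unencoded, i.e. the browser would render the
    attacker's form as part of the bank's page."""
    return payload in page


if __name__ == "__main__":
    m = msg_from_url(PHISHING_LINK)
    print("vulnerable page renders attacker form:",
          contains_live_markup(render_vulnerable(m), PAYLOAD))
    print("fixed page renders attacker form:     ",
          contains_live_markup(render_fixed(m), PAYLOAD))
    print(render_fixed(m)[:120] + "...")
```

Encoding is context-specific: `html.escape` is right for text between tags, but a value placed inside a JavaScript string, a URL, or an attribute without quotes needs that context's encoding instead, and a Content-Security-Policy header that bans inline script is the backstop for the cases a developer misses.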
 
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.