Internet
Productivity Suite: Open Source Security - Trust Internet Productivity Suite's
open source architecture to give you the best security and productivity applications
available. Collaborating with thousands of developers, Guardian Digital security
engineers implement the most technologically advanced ideas and methods into their
design. Click
to find out more!
LINUX ADVISORY
WATCH - This week, advisories were released for clamav, kernel, squid, kppp,
helixplayer, tzdata, libtool, firefox, ipsec-tools, dmraid, gaim, libexif, gimp,
yum, grip, libXpm, xv, ImageMagick, Hashcash, mlterm, dcoidlng, curl, gftp,
cyrus-imapd, unixODBC, and mc. The distributors include Conectiva, Debian, Fedora,
Gentoo, Mandrake, Red Hat, and SuSE.
LinuxSecurity.com
Feature Extras:
Getting
to Know Linux Security: File Permissions - Welcome to the first
tutorial in the 'Getting to Know Linux Security' series. The topic explored
is Linux file permissions. It offers an easy to follow explanation of how
to read permissions, and how to set them using chmod. This guide is intended
for users new to Linux security, therefore very simple.
The
Tao of Network Security Monitoring: Beyond Intrusion Detection
- The Tao of Network Security Monitoring is one of the most comprehensive
and up-to-date sources available on the subject. It gives an excellent introduction
to information security and the importance of network security monitoring,
offers hands-on examples of almost 30 open source network security tools,
and includes information relevant to security managers through case studies,
best practices, and recommendations on how to establish training programs
for network security staff.
Encrypting
Shell Scripts - Do you have scripts that contain sensitive information
like passwords and you pretty much depend on file permissions to keep it secure?
If so, then that type of security is good provided you keep your system secure
and some user doesn't have a "ps -ef" loop running in an attempt to capture
that sensitive info (though some applications mask passwords in "ps" output).
Bulletproof
Virus Protection - Protect your network from costly security
breaches with Guardian Digital’s multi-faceted security applications.
More then just an email firewall, on demand and scheduled scanning detects
and disinfects viruses found on the network. Click
to find out more!
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline.
Researchers: Digital encryption standard flawed
9th, March, 2005
In a three-page research note, three Chinese scientists -- Xiaoyun
Wang and Hongbo Yu of Shandong University and Yiqun Lisa Yin, a visiting
researcher at Princeton University -- stated they have found a way to
significantly reduce the time required to break a algorithm, known as
the Secure Hashing Algorithm, or SHA-1, widely used for digital fingerprinting
data files. Other cryptographers who have seen the document said that
the results seemed to be genuine.
Cryptography specialist Certicom has launched a security software
suite aimed at helping device makers create secure, Web-based user interfaces
based on elliptic curve cryptography. The Certicom Security Architecture
(CSA) for Embedded supports Linux, and includes SSL, IPSec, PKI, DRM,
and Embedded Trust Services.
With the recent news of weaknesses in some common security algorithms
(MD4, MD5, SHA-0), many are wondering exactly what these things are:
They form the underpinning of much of our electronic infrastructure,
and in this Guide we'll try to give an overview of what they are and
how to understand them in the context of the recent developments.But
note: though we're fairly strong on security issues, we are not crypto
experts. We've done our best to assemble (digest?) the best available
information into this Guide, but we welcome being pointed to the errors
of our ways.
The exponential rise in spam and e-mail-borne viruses has pushed
must-have network security layers beyond traditional firewalls and intrusion-detection
appliances. E-mail firewalls have emerged as a complementary appliance
for detecting and protecting against threats in the inbound e-mail stream.
One of the more popular uses for Linux is as a router/firewall
to secure a local area network (LAN) against intruders and share an Internet
connection. Several specialized distributions have sprung up to simplify
this task. These range from small, diskette-based distros like the Linux
Router Project and FREESCO to larger systems requiring a hard disk installation.
Among the latter is Astaro Corp.'s Astaro Security Linux (ASL) 5.1, which
I recently reviewed as part of ongoing research into content filtering
products. ASL is an RPM-based distribution that allows an administrator
to easily turn an x86 PC or server into a router/firewall appliance.
There is both good news and bad news for Informix users. The
good news is that Informix Dynamic Server (IDS) 10, which represents a
major new release of the database, is now available. The bad news is that
future versions of SAP (with NetWeaver) will no longer be available on
the Informix platform, with this support to be phased out starting with
the next SAP release.
Phishing fraudsters are using a pair of DNS exploits to help
give them the illusion of credible domains, the latest ploy to dupe people
into handing over their sensitive information. According to research firm
Netcraft, phishers have begun to use wildcard DNS records to help trick
unsuspecting users into giving up information about their identity.
We are proud to announce the immediate availability of the Hack
In The Box Security Conference 2004 videos [Pack-1
and Pack-2].
Held at The Westin Kuala Lumpur in Malaysia from October 4th till the
7th, HITBSecConf2004 saw some of the biggest names in the network security
industry down to present their latest research and findings. HITBSecConf2004
was also the first time we had two keynote speakers namely Theo de Raadt,
creator and project leader for OpenBSD and OpenSSH and John T. Draper
infamously known as Captain Crunch. Other speakers who presented include
the grugq, Shreeraj Shah, Fyodor Yarochkin, Emmanuel Gadaix, Adam Gowdiak,
Jose Nazario, Meder Kydyraliev and several others.
When being your own web host you should be technically inclined
and have basic knowledge of operating systems, understand technical terms,
understand how to setup a server environment (such as: DNS, IIS, Apache,
etc.) have basic knowledge of scripting languages and databases (PHP,
Perl, MySQL, etc.), be familiar with current technologies, and have a
basic understanding of hardware and server components.
OpenSSH 4.0 has just been released. It will be available from
the mirrors listed at http://www.openssh.com/
shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and
2.0 implementation and includes sftp client and server support. We would
like to thank the OpenSSH community for their continued support to the
project, especially those who contributed source and bought T-shirts or
posters.
The Waltham, Massachusetts-based software vendor's Linux desktop
migration began in 2004 and overachieved on its phase-one goals, the company's
chief information officer, Debra Anderson told ComputerWire. The fact
that Novell had just acquired Linux specialists Ximian and SUSE Linux
and was making the transition to become a Linux vendor obviously helped,
but Anderson is still stepping up the pace to ensure that Linux becomes
the company's default desktop operating system.
Some useful citizen has created an installer that will nail IE with spyware, even if a surfer is using Firefox (or another alternative browser) or has blocked access to the malicious site in IE beforehand. The technique allows a raft of spyware to be served up to Windows users in spite of any security measures that might be in place. Christopher Boyd, a security researchers at Vitalsecurity.org, said the malware installer was capable of working on a range of browsers with native Java support. "The spyware installer is a Java applet powered by the Sun Java Runtime Environment, which allows them to whack most browsers out there, including Firefox, Mozilla, Netscape and others.
The National Security Agency built a version of Linux with more
security tools that its technologists believe could help make the country's
computing infrastructure less vulnerable. They've won over the Linux developer
community with the changes. But success depends on its adoption by U.S.
companies and government agencies, something that remains very much in
doubt.
"The National Security Agency built a version of Linux with
more security tools that its technologists believe could help make the
country's computing infrastructure less vulnerable. They've won over the
Linux developer community with the changes. But success depends on its
adoption by U.S. companies and government agencies, something that remains
very much in doubt. (ed: not to mention adoption by Joe User, who is depending
on his vendor to make this thing workable)
Two companies that make digital systems for nuclear power plants
have come out against a government proposal that would attach cyber security
standards to plant safety systems. The 15-page proposal, introduced last
December by the US Nuclear Regulatory Commission (NRC), would rewrite
the commission's "Criteria for Use of Computers in Safety Systems of Nuclear
Power Plants." The current version, written in 1996, is three pages long
and makes no mention of security.
This is a frequent question asked by owners of small businesses
concerned about growing security threats infesting the Internet. But rather
than relying on a single solution to address security challenges, small
organizations instead should adopt a strategy of "defense in depth" --
using multiple mechanisms and levels for security.
Users of Computer Associates' products are now at an even greater
risk, a security firm said Wednesday, because exploit code has appeared
that takes advantage of vulnerabilities disclosed last week. Even more
important, said Firas Raouf, the chief operating officer of eEye Digital
Security, is that ex-users of CA products -- including those who only
evaluated the company's security titles, but then later uninstalled them
-- are vulnerable to attack.
Teros Gateway, developed by Teros, digs deep. In contrast to
a Layer 3 or 4 firewall that may only identify problems in the primitive
transport layers of the IP stack, Teros Gateway will dissect outgoing
and incoming packets to examine compliance with security policies. Although
a firewall may detect anomalies such as a port scan or other reconnaissance
attempts, the Teros Gateway learns your critical applications' normal
behavior. Based on that information, it can block any deviant behavior.
Of the security issues facing banks everywhere, prevention of
card fraud has always been a high priority, and is set to grow even further
in importance. The level of card fraud has risen significantly over recent
years, caused in the main, by the explosion in the number and usage of
payment cards and the associated high level of organised card crime activity.
For example, over the past decade, fraud losses on UK-issued plastic cards
have risen from £96.8m to a staggering £402.4m a year. And these figures
do not take into account the "soft" costs related to card fraud,
such as tarnish to reputation and potential legal costs.
The other day I was browsing through the top virus threats for February and March 2005, looking at the assorted nastiness, when a funny thought occurred to me: is it possible to pick a favorite virus (or virus family)? I think it is. We can look at their innovations and evolution with a source of envy, even if we universally despise them all. All viruses are malicious, nasty little programs written by misguided people. In my book, they are all manifestations of bad intentions by programmers who are well on the road to becoming evil. However... The best viruses are the ones that infect without any human error or intervention at all. And most interesting to me are the ones that innovate with new infection vectors.
I'll tell you a secret. If you're looking for a security consultant
during the day and he's not in the office, you might find him in a neighborhood
coffee shop consuming large doses of caffeine, and using a laptop with
wireless net access. It's nice to people watch, catch up on the news,
review technical articles and yes, even work, while enjoying that magic
elixir (coffee) thanks to the wonders of WiFi. I find it a great way
to take a break. You can imagine my disappointment early last week when
I swung by one of my favorite haunts, grabbed a latte, opened up a terminal
and watched my SSH attempt fail. Shoot -- their Internet connection
must be down.
Reliability and availability: What's the difference?
13th, March, 2005
How do you design a computing system to provide continuous service and to ensure that any failures interrupting service do not result in customer safety issues or loss of customers due to dissatisfaction? Historically, system architects have taken two approaches to answer this question: building highly reliable, fail-safe systems with low probability of failure, or building mostly reliable systems with quick automated recovery. The RAS (Reliability, Availability, Serviceability) concept for system design integrates concepts of design for reliability and for availability along with methods to quickly service systems that can't be recovered automatically.
'Highly critical' security bugs listed for Linux products
13th, March, 2005
Information about several vulnerabilities in Linux and Linux-based applications that are deemed to be "highly critical" were recently posted on the security Web site Secunia.com. Debian was cited as a system with operating system vulnerabilities that could be exploited. Meanwhile, users running RealNetworks' open-source Helix browser, the open-source phpWebSite manager utility, as well as users with a network backup product from Arkeia, were warned of software flaws that could leave systems potentially open to attack.
Internet wiretapping mixes "protected" and targeted messages, Info Age requires rethinking 4th Amendment limits and policies, National Security Agency told Bush administration "Transition 2001" report released through FOIA, Highlights collection of declassified NSA documents Posted on Web by National Security Archive, GWU National Security Archive Electronic Briefing Book No. 24
Hacked data boots identity theft to critical issue
11th, March, 2005
The computer breach at consumer data broker Seisint raised identity
theft in the United States to crisis proportions Thursday, a day after
the second major data broker disclosed that its database containing a
plethora of private information on virtually every American was compromised.
LexisNexis' Seisint division and rival ChoicePoint, each with large computer
centers in Boca Raton, sell consumers' addresses, Social Security numbers,
driver license numbers and other personal information stored in electronic
databases. These firms operate free from government regulation. That's
almost certain to change as Congress is asking why this sensitive consumer
information is not secured from computer hackers who are intent on stealing
people's identities.
Online Banking Industry Very Vulnerable to Cross-Site Scripting Frauds
13th, March, 2005
Phishing Attacks reported by members of the Netcraft Toolbar community show that many large banks are neglecting to take sufficient care with the development and testing of their online banking facilities. Well known banks have created an infestation of application bugs and vulnerabilities across the Internet, allowing fraudsters to insert their data collection forms into bona fide banking sites, creating convincing frauds that are undetectable to most customers. Indeed, a personal finance journalist writing for The Motley Fool was brave enough to publicly admit to having fallen for a fraud running on Suntrust's site and having her current account cleaned out. It's a reasonable premise that if a Motley Fool journalist can fall for a fraud, anyone can.
