This week, perhaps the most interesting articles include "An Illustrated Guide to Cryptographic Hashes," "," and "How to justify information security spending."



LINUX ADVISORY WATCH - This week, advisories were released for gaim, kdenetwork, squirrelmail, luxman, hwbrowser, at, bind, openoffice, ipsec-tools, sylpheed, koffice, qt, ImageMagick, ethereal, udev, libXpm, Ethereal, rmtree, curl, cyrus-sasl, gnupg, openslp, tetex, postfix, and squid. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE.

LinuxSecurity.com Feature Extras:

Getting to Know Linux Security: File Permissions - Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple.

The Tao of Network Security Monitoring: Beyond Intrusion Detection - The Tao of Network Security Monitoring is one of the most comprehensive and up-to-date sources available on the subject. It gives an excellent introduction to information security and the importance of network security monitoring, offers hands-on examples of almost 30 open source network security tools, and includes information relevant to security managers through case studies, best practices, and recommendations on how to establish training programs for network security staff.

Encrypting Shell Scripts - Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).


Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe, send an e-mail to the list address with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


Fighters Against Child Porn Face Spyware Battle, Too
14th, March, 2005

Every person or organization that spends time surfing the Web faces the risk of spyware and viruses. For those who spend time investigating sites that specialize in child pornography and other illicit material, the risk is even greater. That's why software to protect their machines is crucial. The National Center for Missing and Exploited Children on Wednesday began migrating its systems to Active Directory. That deployment had been on hold because of the large quantities of spyware, pop-ups, and other malicious software the center's workers ran into as they investigated potentially illicit Web sites, according to Steve Gelfound, director of IT at the center.

An Illustrated Guide to Cryptographic Hashes
13th, March, 2005

With the recent news of weaknesses in some common security algorithms (MD4, MD5, SHA-0), many are wondering exactly what these things are: They form the underpinning of much of our electronic infrastructure, and in this Guide we'll try to give an overview of what they are and how to understand them in the context of the recent developments. But note: though we're fairly strong on security issues, we are not crypto experts. We've done our best to assemble (digest?) the best available information into this Guide, but we welcome being pointed to the errors of our ways.

Mastering the Five Domains of Information Security Management
15th, March, 2005

Certified Information Security Manager (CISM) is a certification developed by the Information Systems Audit and Control Association (ISACA). This certification is a confirmation for experienced information security managers that they know how to manage an information security system. The CISM Prep Guide absorbs the key concepts for each of the five presented domains. The book should prepare the candidate for the CISM exam with text, practice tests, and techniques described by two bestselling authors. By reading this book, a candidate will get some knowledge about five domains of Information Security Management.

EDS: Linux is insecure, unscalable
16th, March, 2005

Large enterprises should not use Linux because it is not secure enough, has scalability problems and could fork into many different flavours, according to the Agility Alliance, which includes IT heavyweights EDS, Fuji Xerox, Cisco, Microsoft, Sun, Dell and EMC.

EDS regroups to attack Linux, IBM
17th, March, 2005

Not content with throwing rocks at the house of Big Blue, EDS is also turning up its nose at Linux, saying Open Source is still too risky to be invited into the fold. According to Rasmussen, Linux has some way to go when it comes to integrating security between high end server and applications platforms. "People are not content with code that is run on an open environment. It's when you knit [platforms and applications together], all these holes appear," Rasmussen said.

EDS' secret love for Linux laid bare
18th, March, 2005

Only a day after flaming open source as insecure, unscalable and unfit for Australian consumption in its Agility Alliance, services vendor EDS has revealed it really does have a soft spot for the penguin deep in its heart. Contrary to the stern warnings on open source delivered by EDS global vice president for Agility Alliance Rob Rasmussen, a case study posted on EDS' Web site states the "Linux environment provides a level of security and stability unavailable elsewhere."

Two floppy-based firewalls
14th, March, 2005

When you look in your closet, do you see a pile of obsolete hardware that you just cannot bring yourself to throw out, despite the pleas of your family? If you want to share your home Internet connection and save a little money at the same time, dust off that old hardware and set up a Linux-based firewall. All you need is a 486 or better processor, two network adapters (only one if you're on dial-up), a switch or hub, diskette drive, and 12MB of RAM. In this article, we'll take a look at floppyfw and Coyote Linux, two free, open source projects that have shrunk Linux down to diskette size to implement a firewall.

Companies lining up to root out rootkits
17th, March, 2005

Stealthy, remote system access programs called "rootkits" could fuel the next big wave of malicious code, and are already beginning to influence the design of new Internet worms and viruses, according to security experts. Now security software companies are sitting up and taking notice, releasing software that can spot and remove rootkits from infected systems.

Web Sites Running On Windows NT At Risk
14th, March, 2005

Hundreds of thousands of Web sites running Windows NT 4 remain -- and will remain -- at risk from attack via a vulnerability patched for other operating systems a month ago, a U.S.-based security firm and a British-based Web monitoring vendor said Thursday. The bug in a key Windows protocol, Server Message Block (SMB), was patched for Windows XP, Windows Server 2003, and Windows 2000 in February, but because NT 4 had reached the end of its support lifecycle December 31, 2004, no public fix was issued by Microsoft. Microsoft does provide security patches for NT 4.0 customers who pay for custom support, a service available through the end of 2006.

Alternative browser spyware infects IE
13th, March, 2005

Some useful citizen has created an installer that will nail IE with spyware, even if a surfer is using Firefox (or another alternative browser) or has blocked access to the malicious site in IE beforehand. The technique allows a raft of spyware to be served up to Windows users in spite of any security measures that might be in place. Christopher Boyd, a security researcher at Vitalsecurity.org, said the malware installer was capable of working on a range of browsers with native Java support. "The spyware installer is a Java applet powered by the Sun Java Runtime Environment, which allows them to whack most browsers out there, including Firefox, Mozilla, Netscape and others.

Teros security gateway prevents attacks on applications
14th, March, 2005

Teros Secure Application Gateway is an application-layer firewall that examines standard Web server traffic for security violations, such as hacker attacks or unauthorized data leaks, and stops them.

SSH Partners With Novell to Promote Secure SUSE LINUX
15th, March, 2005

SSH Communications Security Corp. (HEX: SSH1V), a world-leading provider of enterprise security solutions and end-to-end communications security, and the original developer of the Secure Shell protocol, has joined Novell's Technology Partner Program and today announced that SSH Tectia supports Novell's SUSE LINUX Enterprise Server 9 running on all IBM eServer platforms.

Comodo zeros in on next generation of Linux usability
16th, March, 2005

Comodo, a leading provider of critical infrastructure solutions, has identified lack of usability as the critical hurdle standing between Linux and total back office server domination.

Are You Leaving Your Security in the Hands of your Web Browser
18th, March, 2005

The Tunneler is a graphical interface compatible with multiple platforms (Win, OSX, Linux) which creates an encrypted channel or "tunnel" between your computer and the Metropipe proxy servers throughout the world. Once installed, your web browsing and all internet activities that you send through it are encrypted between your machine and Metropipe, leaving your machine anonymous. This protects you from the many prying eyes out there. The 'Tunneler' is controlled by its own application, a simple program that gives you the freedom to turn it On and Off as you please, and automatically configures your web browsers (Internet Explorer and Mozilla Firefox) proxies.

Are You Safer With Firefox?
15th, March, 2005

Is Firefox a more secure web browser than Microsoft's Internet Explorer? The answer may be yes, but the issues are more complicated than most people realize. In fact, Firefox has its share of security problems, and has probably been saved from real-world attack so far only by its single-digit market share,

Combating "Cardholder Not Present" Fraud
13th, March, 2005

Of the security issues facing banks everywhere, prevention of card fraud has always been a high priority, and is set to grow even further in importance. The level of card fraud has risen significantly over recent years, caused in the main, by the explosion in the number and usage of payment cards and the associated high level of organised card crime activity. For example, over the past decade, fraud losses on UK-issued plastic cards have risen from £96.8m to a staggering £402.4m a year. And these figures do not take into account the 'soft' costs related to card fraud, such as tarnish to reputation and potential legal costs.

Infection Vectors
13th, March, 2005

The other day I was browsing through the top virus threats for February and March 2005, looking at the assorted nastiness, when a funny thought occurred to me: is it possible to pick a favorite virus (or virus family)? I think it is. We can look at their innovations and evolution with a source of envy, even if we universally despise them all. All viruses are malicious, nasty little programs written by misguided people. In my book, they are all manifestations of bad intentions by programmers who are well on the road to becoming evil. However... The best viruses are the ones that infect without any human error or intervention at all. And most interesting to me are the ones that innovate with new infection vectors.

High Profile, Low Security
13th, March, 2005

I'll tell you a secret. If you're looking for a security consultant during the day and he's not in the office, you might find him in a neighborhood coffee shop consuming large doses of caffeine, and using a laptop with wireless net access. It's nice to people watch, catch up on the news, review technical articles and yes, even work, while enjoying that magic elixir (coffee) thanks to the wonders of WiFi. I find it a great way to take a break. You can imagine my disappointment early last week when I swung by one of my favorite haunts, grabbed a latte, opened up a terminal and watched my SSH attempt fail. Shoot -- their Internet connection must be down.

Reliability and availability: What's the difference?
13th, March, 2005

How do you design a computing system to provide continuous service and to ensure that any failures interrupting service do not result in customer safety issues or loss of customers due to dissatisfaction? Historically, system architects have taken two approaches to answer this question: building highly reliable, fail-safe systems with low probability of failure, or building mostly reliable systems with quick automated recovery. The RAS (Reliability, Availability, Serviceability) concept for system design integrates concepts of design for reliability and for availability along with methods to quickly service systems that can't be recovered automatically.

'Highly critical' security bugs listed for Linux products
13th, March, 2005

Information about several vulnerabilities in Linux and Linux-based applications that are deemed to be "highly critical" was recently posted on the security Web site Secunia.com. Debian was cited as a system with operating system vulnerabilities that could be exploited. Meanwhile, users running RealNetworks' open-source Helix browser, the open-source phpWebSite manager utility, as well as users with a network backup product from Arkeia, were warned of software flaws that could leave systems potentially open to attack.

Securing your Environment, Part One
14th, March, 2005

Surprisingly, securing a site's production environment is a task that many ignore until it's too late. But the task need not be so onerous. Several LAMP tools can help shore up security. This month and next, let's look at two LAMP-based tools that can help protect your environment: Big Fish Firewall for deploying and configuring netfilter-based firewalls, and SNORT for intrusion detection. Once you realize how simple these tools are to deploy, you'll want to get started immediately rather than after your first security incident.

Focus on Security: Part I
14th, March, 2005

There's nothing more important than your data. In today's world technology is the driving factor in almost every facet of business life, bar none. More and more, businesses across the globe are becoming what we refer to as "connected", in that they are connecting entire departments of computer equipment together for faster communication and those machines are inevitably tied to the Internet. What many system administrators don't understand is that at this point, their data becomes public domain. What "connected" admins sometimes fail to realize is the age-old basic rule of network computing: our data relies wholly on network security, and a computer network is only as strong as its weakest point.

IT pros lulled into false sense of security
16th, March, 2005

Newly published research has warned that IT managers are not as secure as they think they are. According to a poll by research firm Dynamic Markets, over 90 per cent of IT managers believe that they have good security protection, but 15 per cent of companies surveyed did not have any IT security systems in place beyond antivirus software and a firewall. Over a quarter indicated that they had found software that breached security policies on their networks.

Aligning security to your business
17th, March, 2005

With every year comes inevitable change. Hence, it makes sense to give your network security programme a formal evaluation to ensure that it meets your company's changing goals and needs. Let's take a look at proven techniques that will help you perform effective security evaluations and create plans that will align your company's security with your requirements for this year.

The battle for privacy online
17th, March, 2005

The second you send an e-mail from your PC, your personal privacy probably has been compromised. E-mail messages hop from your computer over a number of networks to their final destination, but like a postcard from a vacationer in Mexico, the content can be perused by anyone, at anytime, before it is delivered, experts told UPI's The Web. "E-mail is completely open," said Jeff Multz, vice president of sales at SecureWorks Inc., a computer security services firm in Atlanta. "People think it is secure when it is sent.

How to justify information security spending
18th, March, 2005

At a recent seminar on information security management, I heard that FUD (fear, uncertainty and doubt) is dead, that ROI is dead and that the insurance model is dead. Information security needs to give business value. This sounds like a terrific idea, but the lecturer was unable to provide a concrete example similar to purchasing justifications that companies use like: "Yes, we will buy this machine because it makes twice as many diamond rings per hour and we'll be able to corner the Valentine's Day market in North America."

The National Security Agency Declassified
13th, March, 2005

Internet wiretapping mixes "protected" and targeted messages, Info Age requires rethinking 4th Amendment limits and policies, National Security Agency told Bush administration "Transition 2001" report released through FOIA, Highlights collection of declassified NSA documents Posted on Web by National Security Archive, GWU National Security Archive Electronic Briefing Book No. 24

Online Banking Industry Very Vulnerable to Cross-Site Scripting Frauds
13th, March, 2005

Phishing Attacks reported by members of the Netcraft Toolbar community show that many large banks are neglecting to take sufficient care with the development and testing of their online banking facilities. Well known banks have created an infestation of application bugs and vulnerabilities across the Internet, allowing fraudsters to insert their data collection forms into bona fide banking sites, creating convincing frauds that are undetectable to most customers. Indeed, a personal finance journalist writing for The Motley Fool was brave enough to publicly admit to having fallen for a fraud running on Suntrust's site and having her current account cleaned out. It's a reasonable premise that if a Motley Fool journalist can fall for a fraud, anyone can.

Deceptive Duo Hacker Changes Plea
14th, March, 2005

Robert Lyttle, one of two hackers behind the Deceptive Duo team responsible for a number of network breaches in 2002, including a U.S. Navy database, has decided to plead guilty to the charges filed by the U.S. Attorneys' Office last year, according to documents filed in the case. The plea agreement between federal prosecutors and Lyttle in the case U.S. v. Robert Lyttle will be entered in U.S. District Court, Northern District of California, Oakland Division, Friday afternoon as part of a change of plea hearing. Kyle Waldinger, the assistant U.S. attorney listed on the agreement, was not available for comment at press time.

Pharming Out-Scams Phishing
14th, March, 2005

First came phishing scams, in which con artists hooked unwary internet users one by one into compromising their personal data. Now the latest cyberswindle, pharming, threatens to reel in entire schools of victims. Pharmers simply redirect as many users as possible from the legitimate commercial websites they'd intended to visit and lead them to malicious ones. The bogus sites, to which victims are redirected without their knowledge or consent, will likely look the same as a genuine site. But when users enter their login name and password, the information is captured by criminals.

Wi-Fi Hotspot Security
16th, March, 2005

You've set up your Boingo account, you're hanging out at the Home Turf sports bar in LAX and you figure you'll do a little business or check your e-mail while sipping a Chardonnay. Well, that's the point of all this; being able to take care of a few things while in a relaxing atmosphere. Don't, however, get so relaxed that you ignore security and give all your confidential information to some unscrupulous hacker. Yeah, you see the guy. He's over in the corner wearing that fake nose and glasses with the ridiculous Bozo the Clown cap. Yep, drinking a Blatz.