Internet Productivity Suite: Open Source Security - Trust Internet Productivity
Suite's open source architecture to give you the best security and productivity
applications available. Collaborating with thousands of developers, Guardian Digital
security engineers implement the most technologically advanced ideas and methods
into their design.
LINUX ADVISORY WATCH
This week, advisories were released for ppxp, gaim, clamav, razor, trac,
zlib, bzip2, cvs, spamassassin, sudo, ht, fuse, netpbm, kernel,
cryptsetup, selinux-policy, kdevelop, kde, php, gjdoc, javacc, lucene,
grep, php-xmlrpc, phpBB, realplayer, tikiwiki, and cacti. The
distributors include Fedora, Gentoo, and Red Hat.
LinuxSecurity.com
Feature Extras:
Pull The Plug Revisited: An Interview Five Years Later -
Five years after our original interview with Brian Gemberling, founder of
PullthePlug.org, we catch up with Daniel Alvarez and the rest of the
site's administrative management. Its structured management and focus on
the community will ensure many years of continued success. You're asking,
what is pull the plug? Read more to find out...
Linux File & Directory Permissions Mistakes - One common mistake Linux administrators
make is having file and directory permissions that are far too liberal and
allow access beyond that which is needed for proper system operations. A full
explanation of Unix file permissions is beyond the scope of this article,
so I'll assume you are familiar with the usage of such tools as chmod, chown,
and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.
Introduction: Buffer Overflow Vulnerabilities - Buffer overflows are a leading type
of security vulnerability. This paper explains what a buffer overflow is,
how it can be exploited, and what countermeasures can be taken to prevent
the use of buffer overflow vulnerabilities.
Bulletproof Virus Protection - Protect your network from costly security
breaches with Guardian Digital’s multi-faceted security applications.
More than just an email firewall, on-demand and scheduled scanning detects
and disinfects viruses found on the network.
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe, send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headlines.
The Death Of A Firewall
8th, July, 2005
Three years ago, I proposed to our technology architects that we eliminate
our network firewalls. Today, we're close to achieving that goal. Back
then, I thought that network-based firewalls were losing their
effectiveness, enabling a mind-set that was flawed. Today, I'm certain.
Linux distributor is falling behind rivals in releasing security updates, due
to server configuration problems and manpower shortages.
Debian is facing difficulties getting timely security updates to users
of its Linux distribution due to lack of manpower and software
problems.
Whenever I've touched on the sensitive topic of Linux vs. Windows or Apache vs.
Microsoft IIS security, I expected the usual flame treatment and nasty
name calling to fly. It's usually taken as gospel in many IT circles to
assume that Windows Security is an oxymoron; anyone who dares to
suggest using Microsoft IIS 6.0 for a public web server faces serious
ridicule. To see if there was any truth to this presumption that
Windows Server is fundamentally insecure, I looked up these hacking
statistics from www.zone-h.org for 2003 to 2004. Not only did it not
show that Windows was hacked more often, but just the opposite. The
Linux servers were actually getting hacked and defaced far more often
than the Windows server and Apache was also being hacked and defaced
more than Microsoft IIS.
Pretend you're a hacker. You just found a system that is no match for your
'leet skillz' and gained root access. Now what? Sooner or later, the
system administrator is going to notice his box is 'owned' and you'll
be kicked out after the system is patched. That's why you install a
rootkit.
Effective Network Management for Security and Compliance
8th, July, 2005
The facts are astounding: Over 80% of enterprises have reported downtime
due to a network security incident; over 50% of all network security
break-ins occur from manual device configuration; and some companies
can face up to $1M per day in fines if their network infrastructures do
not comply with compliance legislation.
All versions of Apache previous to 2.1.6 are vulnerable to an HTTP request
smuggling attack which can allow malicious piggybacking of false HTTP
requests hidden within valid content. This method of HTTP Request
Smuggling was first discussed by Watchfire some time ago. The issue has
been addressed by an update to version 2.1.6.
A security flaw in the popular document-sharing software, Adobe Reader,
could be exploited to seize control of a computer system, according to
the software's maker.
Adobe Systems Inc. issued a warning on its Web site Tuesday saying
that the flaw affects only Adobe Reader versions 5.0.9 and 5.0.10,
which were written for the Unix computer operating system.
Popular Linux distributor Debian has moved quickly to address concerns it was falling behind on security.
The organisation's security team has issued a host of announcements and
informed the community it has resolved problems with the infrastructure
governing security updates.
Scanit is holding an ethical hacking course from September 4-8 2005 at
Knowledge Village in Dubai in a bid to encourage regional network
professionals to use the black arts of hacking to make their companies
safer.
The course is intended for network and system engineers that want to
learn how to assess the security of their IT infrastructure and IT
consultants who want to learn to perform in-depth security assessments.
Not too long ago my wife and I decided to try out a Chinese restaurant in
our area we had never visited before. I was looking at the menu and my
wife gasped, then laughed a bit. I looked up and she pointed out a rat
crawling right under the restaurant's buffet table.
I got the waitress's attention and pointed out the rat to her. The
waitress, a large Asian woman with a heavy oriental accent replied, "Oh
ya' his name is Tock." She giggled a bit then walked off.
It's a topic of fierce debate among high-tech cognoscenti: What's more
secure -- "open source" code such as Linux and Apache, or proprietary
"closed source" operating systems and applications, Microsoft's in
particular?
The regularity with which Microsoft has taken to announcing
vulnerabilities and consequent software fixes has left few cheering
about its security. In contrast, high expectations endure for open
source, with proponents arguing that it's inherently more secure
because a much larger set of developers can read the code, vet it and
correct problems.
Consumers aren't the only ones who pay when hackers steal credit-card numbers and
other customer data. Retailers, which often hold customer information
in their IT systems, can be liable for security breaches.
Reverse engineering patches making disclosure a moot choice?
5th, July, 2005
When Microsoft released limited information on a critical vulnerability in
Internet Explorer last month, reverse engineer Halvar Flake decided to
dig deeper.
Using his company's tool for analyzing the differences in the
patched and unpatched versions of a program, Flake pinpointed the
portable networked graphics (PNG) vulnerability that Microsoft fixed
with its latest update, locating the specific changes in less than 20
minutes.
If there's one thing the security industry is really good at, it's
pointing fingers. We all like to say that "security starts with you",
so that everyone can share a piece of the mud pie. While we're pointing
fingers, let's look at a few groups and individuals and see how they
can share the blame for their own insecurity - and prevent the spread
of viruses, Trojans and worms.
Software security is quite often a subjective measure, mainly because there is
the risk of a security vulnerability being created with every line of
programming code. Each vulnerability has a degree of severity which may
or may not be important to the end user. The result is an infinite
number of interpretations of security, especially in a complex
application such as an operating system like Windows or Linux.
In the past, lone hackers defaced Web sites or launched global worm attacks, mainly to gain notoriety among their peers.
Today, they use their skills for profit. They hunt for security
flaws and find ways to exploit them, hijack computers and rent those
out for use as spam relays, or participate in targeted attacks that
steal sensitive information from individuals or spy on businesses.
Spyware threats are becoming more sophisticated; hackers are finding ways to
lodge key logging, backdoor programs and trojans onto more desktops.
However, anti-spyware tools have not kept up with this increased
complexity.
A serious security flaw has been identified in Zlib, a widely used data
compression library. Fixes have begun to appear, but a large number of
programs could be affected.
Zlib is a data compression library that is used by many third-party
programs and is distributed with many operating systems, including many
Linux and BSD distributions.
The IT world may be an insecure place, but don't blame Linux. In fact, very
few IT pros participating in InformationWeek Research's Linux and
open-source survey say Linux has introduced security problems into
their IT environments.
Only 6% of 225 user sites report security issues from Linux
deployments on their servers, while 6% of 165 Linux PC users attribute
a security problem to the open-source operating system. The results
indicate a slight decrease in complaints about Linux security from a
year ago, when 11% of IT pros encountered security issues with Linux
servers and 7% had problems with Linux PCs.
Microsoft has claimed that open source database products and servers such as
Linux have had a "significantly greater number and severity of
vulnerabilities compared with Windows Server 2003 and SQL Server 2000".
Hacking magazine Phrack is closing after 20 years of publishing after its
editorial team decided to call it a day. The final date for submissions
for the special hardback last issue of the mag was Sunday 10 July.
Issue 63 will be released at the Defcon and WhatTheHack2005 hacker
conventions later this month.
Nine out of 10 Internet users say they have changed their online habits to
avoid spyware and other Internet-based threats, according to a study
released on Wednesday.
Our esteemed leaders in the U.S. Congress are vowing to enact new laws
targeting data thieves, backup-tape burglars and other information-age
miscreants.
The recent arrest of a Florida man on charges of unauthorized use of a
wireless network could set legal ground rules for open Wi-Fi access.
A man sitting in a Chevy Blazer in a residential neighborhood
reportedly was poking around nearby wireless networks in violation of
computer crime laws, according to local police.
The basic facts are that Benjamin Smith III used someone else's WiFi
network. The facts aren't in dispute; Smith parked his vehicle outside
the home of Richard Dinon, logged onto the network, and did some
surfing.
"Surprise! Stealing is illegal!" bellowed Larry Seltzer in his ZD security blog.