Master of Science in Information
Security - Earn your Master of Science in Information Security online
from Norwich University. Designated a "Center of Excellence", the program offers
a solid education in the management of information assurance, and the unique case
study method melds theory into practice. Using today's e-Learning technology,
you can earn this esteemed degree, without disrupting your career or home life.
LINUX ADVISORY
WATCH - This week, advisories were released for courier, libpman-ldap,
simple proxy, backup-manager, kismet, php, phpldapadmin, maildrop, pstotext,
sqwebmail, polygen, audit, freeradius, openmotif, freeradius, openmotif, php,
ntp, openoffice, lesstif, libsoup, evolution, kernel, selinux- policy-targed,
policycoreutils, xen, dbus, evince, poppler, phpWiki, phpGroupWare, phpWebSite,
pam_ldap, and mplayer. The distributors include Debian, Fedora, Gentoo, and
Red Hat.
LinuxSecurity.com
Feature Extras:
Linux File
& Directory Permissions Mistakes - One common mistake Linux administrators
make is having file and directory permissions that are far too liberal and
allow access beyond that which is needed for proper system operations. A full
explanation of unix file permissions is beyond the scope of this article,
so I'll assume you are familiar with the usage of such tools as chmod, chown,
and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.
Introduction:
Buffer Overflow Vulnerabilities - Buffer overflows are a leading type
of security vulnerability. This paper explains what a buffer overflow is,
how it can be exploited, and what countermeasures can be taken to prevent
the use of buffer overflow vulnerabilities.
Getting
to Know Linux Security: File Permissions - Welcome to the first
tutorial in the 'Getting to Know Linux Security' series. The topic explored
is Linux file permissions. It offers an easy to follow explanation of how
to read permissions, and how to set them using chmod. This guide is intended
for users new to Linux security, therefore very simple.
Bulletproof
Virus Protection - Protect your network from costly security
breaches with Guardian Digital’s multi-faceted security applications.
More then just an email firewall, on demand and scheduled scanning detects
and disinfects viruses found on the network. Click
to find out more!
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline.
Do You Code Sign?
1st, September, 2005
"I am a regular reader of Bruce Schneier's Blog, Articles, and
Books, and I really like what he writes. However I recently read his book
titled 'Secret and Lies' and I think he has done some in-justice to the
security provided by the 'Code Signing'. On page 163 of his books, he
(Bruce Schneier) basically states that: 'Code signing, as it is currently
done, sucks'. Even though I think that Code Signing has its flaws, it
does provide a fairly good mechanism for increasing security in an organization."
Local police have arrested two people in Turkey and Morocco
under suspicion of involvement in the Zotob, Rbot and Mytob computer Windows
2000 worms, according to Microsoft.
Earlier this month, a series of worms--the first of which was
named Zotob--took down a significant number of Windows 2000 PCs around
the world. Microsoft issued a patch and said there was no threat to Windows
XP systems unless the attacker had valid log-on credentials. About two
weeks later, Microsoft discovered that wasn't the case, and said the same
vulnerability that Zotob used to victimize Windows 2000 systems also existed
on some Windows XP systems.
IPv6 is the replacement for IPv4, the protocol used to send and receive network traffic. The main benefit of the new version is that it offers an almost unlimited number of IP addresses. This is important as the number of internet users and connected devices, each requiring a unique IP
address, is set to increase rapidly over the next few years.
Although operating systems such as Unix and Linux already support IPv6, there is expected to be a huge increase in usage with the release of Windows Vista, the next version of the Microsoft operating system, next year.
The Internet can be a dangerous place, full of viruses, worms
and hackers bent on doing harm to your network. "Security first" has become
a kind of mantra for IT professionals and CIOs, while regulations like
Sarbanes-Oxley have made network protection as much a question of legal
responsibility as good business sense.
Fuelled by increasing fears of virus and hack attacks, global
network security appliance and software sales continue to climb steadily,
rising four per cent to $1bn between the first and second quarters of
this year, according to newly published figures.
The first fix prevents "GatewayPorts" from being "incorrectly
activated for dynamic ('-D') port forwardings when no listen address was
explicitly specified," according to the changelog. The update also prevents
GSSAPI credentials being "delegated to users who log in with methods other
than GSSAPI authentication (e.g. public key) when the client requests
it." The update also includes a host of bug fixes, improvements and added
features according to the announcement.
This must be a first: Linux image manipulation programme the
GIMP has been fingered as a possible tool in uncovering people's PIN numbers
as sent through the post. It's not all open source gloom, though, Photoshop
can also be used to, in certain circumstances, enhance illicitly-obtained
printed PIN numbers.
The next stable update of the Linux kernel will bring advances
in file system event monitoring, the Xtensa architecture, and a set of
system calls that allows users to load another kernel from the currently
executing Linux kernel. While the 2.6.13 –rc (release candidates) are
currently being tested, the stable version is expected to be released
in the next few weeks, kernel developers told eWEEK.
IT managers nationwide should take a cue from Hurricane Katrina's
destructive power and develop disaster-recovery plans to safeguard their
computer systems against catastrophe, security experts advise.
Sainsbury's vets suppliers over IT continuity plans
30th, August, 2005
Sainsbury's has begun a drive to ensure its key suppliers have
business continuity plans in place to deal with disruptions such as the
loss of IT systems or key sites becoming inaccessible.
CISSP vs. CCISP creating confusion for certification holders
30th, August, 2005
Some holders of the security industry's much vaunted Certified
Information Systems Security Professional [CISSP] certification are worried
their hard-earned credential will lose its cache with the introduction
of another, similar sounding designation awarded to those guarding critical
infrastructure networks. That certification, awarded by the Critical Infrastructure
Institute, is known informally as the CCISP.
Phishing involves the receipt of an e-mail message that appears
to come from a legitimate enterprise. Pharming attacks compromise at the
DNS server level, re-directing you to a hacker's site when you type in
a company's Web address.
The third stable major Linux Kernel update of the year, v. 2.6.13
was released this week. The new kernel includes a long list of updates,
a few enhancements and even an odd regression. Among the new enhancements
to the Linux kernel is "Kexec," which allows for a fast reboot without
the need to go through a bootloader.
Red Hat is accusing Microsoft of getting its facts wrong in
its latest attack on Linux security. In an update on security at Microsoft’s
recent worldwide partner conference, the company’s security head Mike
Nash took aim at Linux and singled out Red Hat.
Once seen as flaky, cheap and the work of amateur developers,
open source has emerged blinking into the daylight. So who's using open
source? Why are they using it? And are the benefits worth the risks? The
answers are surprising -- and dispel some of the myths surrounding open
source.
Suspected Zotob Hacker Also Wrote Mytob Worm, Security Firm Says
30th, August, 2005
One of the two men arrested last week on charges of creating
and mailing the Zotob bot worm also authored some, but not all, of the
many Mytob worms in circulation, a security firm said Monday. Finnish
anti-virus vendor F-Secure identified Farid Essebar, 18, who was arrested
by Moroccan authorities, as the author of some Mytobs. "We know that [Essebar]
had also authored several of the Mytob variants since February this year,"
F-Secure's Mikko Hypponen wrote on the company's blog. "However, he's
not behind all of them."
Creating Security Policies That Work for Your Company
1st, September, 2005
This week, our discussion on security and compliance continues
with Julian Waits, president and CEO of Brabeion Software, which provides
enterprise-class software for creating, managing and deploying IT security
policies, with support for a wide range of technologies from leading vendors,
including Microsoft, Cisco, Oracle and Red Hat Linux.
We live in an era where mobile devices are being used by all
levels of society. Today, it is fairly common to see a CEO or a school
kid carrying a PDA or mobile phone. According to a survey by Infocomm
Authority of Singapore (IDA), the penetration rate of mobile phones in
Singapore has grown to 91 percent in 2004. Sophisticated PDA phones and
other mobile devices such as the Blackberry are actually miniaturised
PCs and they have become ubiquitous.
