This week, perhaps the most interesting articles include "Steps for preserving the integrity of log data," "," and "Is Linux really more secure than Windows."




LINUX ADVISORY WATCH - This week, advisories were released for phpgroupware, egroupware, fetchmail, gnump3d, common-lisp-controller, xmail, unzip, netpbm, mantis, fetchmail-ssl, sylpheed, ipmenu, horde3, zope, Smb4k, mtab, phpSysInfo, eix, php, drakxtools, binutils, and fuse. The distributors include Debian, Gentoo, and Mandriva.

LinuxSecurity.com Feature Extras:

Hacks From Pax: SELinux Administration - This week, I'll talk about how an SELinux system differs from a standard Linux system in terms of administration. Most of what you already know about Linux system administration will still apply to an SELinux system, but there are some additions and changes that are critical to understand when using SELinux.

Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of Unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Introduction: Buffer Overflow Vulnerabilities - Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe, send an e-mail with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


O3 Magazine
24th, November, 2005

O3 magazine is a free magazine distributed electronically in PDF format. O3 is published on a monthly basis. The focus of O3 is on the use of Free and Open Source (FOSS) software in Enterprise Data Networking environments. Some articles in O3 will introduce open source solutions, while some are designed to demonstrate how to integrate open source solutions with leading Enterprise Data Networking hardware from a wide variety of vendors.

DHCP, shared feeds and lots of service management
23rd, November, 2005

DHCP is now a key potential point of failure for many organisations, said Nominum as it introduced version 2 of its high-availability Dynamic Configuration Server (DCS), which it claimed can provide over 2,400 DHCP leases per second, 59 times more than a widely used open source equivalent. DHCP, or Dynamic Host Configuration Protocol, is the scheme that automatically assigns IP addresses within a network.

news/network-security/dchp-shared-feeds-and-lots-of-service-management

Security: Freedom to enter but no right to roam
24th, November, 2005

When you add the responsibility for information and security in an organisation that ranges across Europe, life becomes even more complex. You also need to accommodate differences in mindset about legislative severity, and differences in national character. Within countries, many of the challenges remain the same for CIOs, wherever they are based. They must try to operate a security model that has changed from a "fortress" - where everything was kept out - to an "airport" style security. Now everyone is rushing around in different directions aiming for different destinations, and their credentials to "fly" or interact with the company need to be checked.

news/network-security/security-freedom-to-enter-but-no-right-to-roam

Making your security fit
24th, November, 2005

There is no doubt that network security keeps IT directors awake at night. And it doesn't look like restful slumber is getting any closer. When the British Computer Society surveyed IT directors in May, it found security was the main concern for 61% of respondents.

news/network-security/making-your-security-fit

Steps for preserving the integrity of log data
22nd, November, 2005

In the past few years, companies have spent billions of dollars to update their IT infrastructures to meet requirements from various European and US government regulations. One of the more noticeable and most important recommendations of these regulations is record-keeping. For example, Sarbanes-Oxley recommends that all companies "maintain financial records for seven years." In order to ensure the accuracy of corporate financial and business information, this recommendation also pertains to records that are used to "audit unauthorised access, misuse and fraud." Other regulations such as HIPAA also recommend keeping records for up to six years.

news/server-security/steps-for-preserving-the-integrity-of-log-data

Secure remote file management with sshfs
22nd, November, 2005

It's a dangerous Internet out there, kids. If you are going to work on remotely connected machines, do it safely. Simple file transfers and interactive sessions have scp and ssh respectively; in fact there is hardly a commercial Web hosting provider left that doesn't support them. For more complicated scenarios we have VPN tools. But what if you need to work with files on a remote server, but find scp tedious in repetition and FreeS/WAN too cumbersome? You might find just what you're looking for in sshfs -- a tool for mounting a remote filesystem transparently and securely as if it were just another directory on your local machine.

news/server-security/secure-remote-file-management-with-sshfs

Hey Linux Users: No Software Is Impenetrable
25th, November, 2005

The bug that besets a Windows network today is very likely to infect a Linux or Unix network connected to it. Similarly, companies that fail to secure their Linux networks may find rogue code spreading and infecting interconnected Windows networks. Security is one of the foremost and fundamental components of the network infrastructure and one that will negatively or positively impact the daily operations of any business. No software code or hardware device, be it proprietary or open source, is immune to hacks.

news/server-security/hey-linux-users-no-software-is-impenetrable

Applying Security to Web Servers
25th, November, 2005

Web servers are among the most obvious targets for black hats. Whether used for basic e-commerce or more advanced Web services, they give attackers an always-on interface to an IT system and often a shortcut to the parts that handle financial transactions. Even better for the attacker, they increasingly run custom applications developed in-house. These are more likely than the basic Web server software to contain security vulnerabilities, as they haven't been subjected to the rigorous quality control procedures of the open-source community or a commercial vendor.

news/server-security/applying-security-to-web-servers

Novell Attacks Microsoft Linux Study
21st, November, 2005

Microsoft went on the offensive earlier this week, announcing a study in which Windows Server trounced Novell's SUSE Enterprise Linux in both reliability and ease of use over a period of one year. Novell says the report simply "aims to confuse the market." In a company blog posting, Novell PR manager Kevan Barney notes that Microsoft funded the Security Innovation study, and says, "Independent studies regularly credit Linux in general, and SUSE Linux in particular, as secure, reliable, supported platforms."

news/vendors-products/novell-attacks-microsoft-linux-study

Test drive: EnGarde Secure Linux
23rd, November, 2005

EnGarde Secure Linux is a server-based distribution developed with security in mind. It comes with a minimal set of services so that the server is not unnecessarily exposed, and no superfluous software -- including no X Window-based window manager. Even compilers, such as GCC, are not included. Yet EnGarde enables you to run any sort of Web presence, from a simple mail server to a complete e-commerce site.

news/vendors-products/test-drive-engarde-secure-linux

Study: Security still top IT spending priority
22nd, November, 2005

A recent survey of 100 US IT executives predicts that IT spending will decrease slightly in 2006 as more businesses worry about global economic conditions, but security software and enterprise IT upgrades remain top concerns, according to Goldman, Sachs & Co. Macroeconomic factors such as high oil prices and a devastating hurricane season in the U.S. have caused 40 percent of the executives surveyed by Goldman to consider reducing their 2006 IT budgets, according to survey results released Friday. Most executives, 52 percent, believe their IT spending will be unchanged in 2006 as compared to 2005.

Nine principles of security architecture
22nd, November, 2005

Security architecture is a new concept to many computer users. Users are aware of security threats such as viruses, worms, spyware, and other malware. They have heard of, and most use, anti-virus programs and firewalls. Many use intrusion detection. Architectural security, though, remains a mystery to most computer users.

The SANS Top 20 Internet Security Vulnerabilities
23rd, November, 2005

We have made a best effort to make this list meaningful for most organizations. Hence, the Top-20 2005 is a consensus list of vulnerabilities that require immediate remediation. It is the result of a process that brought together dozens of leading security experts. They come from the most security-conscious government agencies in the UK, US, and Singapore; the leading security software vendors and consulting firms; the top university-based security programs; many other user organizations; and the SANS Institute. A list of participants may be found at the end of this document.

news/security-projects/the-sans-top-20-internet-security-vulnerabilities

Overcoming those first hurdles when selling a security solution
24th, November, 2005

The reality is that in the last 14 years the number of global cases that identify corporate board members as being personally responsible for the loss of customer information, customer confidence and so forth has grown considerably. South Africa is no exception: since the promulgation of the ECT Act, companies have become increasingly vulnerable and face, like their international counterparts, possible legal action if proper security processes are neglected.

Is Linux really more secure than Windows?
25th, November, 2005

My colleague Larry Seltzer thinks we may be on the verge of an age of Linux worms that might rival the endless trouble Windows users encounter. Nah. First, none of the trio of vulnerabilities in the luppi worm actually have a thing to do with Linux. Yes, these worms target Linux systems, but the holes they use to target aren't Linux holes at all. They're Web service script holes. Saying that this is a Linux problem is like saying that the gaping Macromedia Flash hole is an XP problem.

news/server-security/is-linux-really-more-secure-than-windows

UK spammer jailed for six years
21st, November, 2005

Peter Francis-Macrae, 23, of St Neots, Cambridgeshire, was jailed at Peterborough Crown Court this week after being found guilty of fraudulent trading, threatening to destroy or damage property, making threats to kill, and blackmail. In a six-week trial, the court heard how Francis-Macrae had tricked thousands of businesses into sending him money to register a dot-eu domain name on their behalf.

news/hackscracks/uk-spammer-jailed-for-six-years

Browser developers team up to thwart hackers
24th, November, 2005

Security developers representing four of the major browser firms have met up to discuss how to combat security threats. Techies working on Internet Explorer, Mozilla/FireFox and Opera teamed up with the folks from Konqueror to discuss how to combat security risks posed by phishing, aging encryption ciphers and inconsistent SSL Certificate practices. A surprising amount of consensus emerged through the informal meeting, hosted by Konqueror's George Staikos in Toronto last week.

news/hackscracks/browser-developers-team-up-to-thwart-hackers

"Wi-Fi Phishing" or "Evil Twin" Attack at Hotspots: How to Secure Your Mobile Workforce
21st, November, 2005

Using public hotspots is convenient; however, you may want to think twice before accessing confidential information via hotspots. Recent headlines raise concern about wireless security issues around hotspots. In particular, the "Evil Twin" attack has received much attention, even though it is based on a tool that is relatively straightforward and has been around for several years.