This week, perhaps the most interesting articles include "," "The Five Security 'Musts' You Can't Ignore," and "."




LINUX ADVISORY WATCH - This week, advisories were released for gdk-pixbuf, horde2, helix-player, Inkscape, horde2, Perl, Webmin, eagle-usb, spamassassin, mailman, xpdf, libc-client, and imap. The distributors include Debian, Gentoo, Mandriva, and Red Hat.

LinuxSecurity.com Feature Extras:

Hacks From Pax: SELinux Administration - This week, I'll talk about how an SELinux system differs from a standard Linux system in terms of administration. Most of what you already know about Linux system administration will still apply to an SELinux system, but there are some additions and changes that are critical to understand when using SELinux.

Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Introduction: Buffer Overflow Vulnerabilities - Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe, send an e-mail with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


Deciphering laptop encryption
6th, December, 2005

During the past two weeks, I started up a disk encryption project, one of the technology initiatives under my company's intellectual asset protection program. Our goal with the disk encryption effort is to prevent the loss of intellectual property stemming from the theft of a laptop. On several occasions, executives' laptops have gone missing or been stolen. One of those missing laptops contained intellectual property and sensitive data, including information on a pending acquisition, product strategy and road maps. Luckily, it was recovered.

Encryption is not enough for DRM
9th, December, 2005

Now let’s be clear right from the start that if you want to have any kind of control over the content of an electronic document you have first of all got to use encryption. But encryption is only the start of implementing a DRM service. Poorly packaged encryption, badly thought out licensing, integration that exposes weaknesses in the packaging of the method for displaying the document, are all ways in which even the most powerful encryption system can be made useless. And, of course, there is the very important question about what is actually encrypted, and what, if anything, is not.

A very long chat with Debian's Branden Robinson
4th, December, 2005

What's your personal point of view about Security? I think it's important. To elaborate, security is important for pretty much the same reason software freedom is important. I believe the user needs to have control over his or her computing environment. A corporate colossus that won't let you modify the operation of your machine, and a malicious hacker who has turned your computer into a "zombie" for sending spam mail, are both examples of activity that disempower the person who should have authority over their property.

Cross-Site Scripting 101
7th, December, 2005

Cross-Site Scripting, or XSS for short, is a method used to compromise user access of a third party website in one manner or another. The actual result of the attack - ranging from session theft (you don't log out, and the evildoer returns to the site using your credentials) to elaborate automated account hijacking - is unimportant for the purposes of this discussion. What's important is the understanding that any small vulnerability (in either browser or web service) can easily be escalated into a full-scale, automated, "change your password and empty your paypal account" attack with the right time and devotion from the attacker.

The Five Security 'Musts' You Can't Ignore
5th, December, 2005

First, you have to learn what sort of protection against intruders exists on your network, both at the site of your ISP and at your own site. Then learn what sort of connections you have to the outside world. Of course, this will include your DSL or cable connection, but it may also include dial-up access available to individual computers. Even if it’s just your home office, knowing that someone can dial out to the Internet over a phone line bypassing your firewall is important when you’re fighting against worms, viruses and intruders.

CLI Magic: More on SSH
6th, December, 2005

We've covered SSH before in CLI Magic, but this week let's look at some additional SSH features that new users might not be aware of. For the purpose of this article, we'll be looking specifically at OpenSSH, but many of these features apply to other SSH variants as well. SSH is the best way to establish a secure connection to a remote networked machine. Whether you want to transfer files, encrypt traffic, or just log in to a remote machine, SSH is the way to go.

Speakers Confirmed for the Second Security-Enhanced Linux Symposium
8th, December, 2005

The Security-Enhanced Linux (SELinux) Symposium announces papers and speakers for its second annual symposium. Experts from business, government, and academia will share and discuss the latest SELinux research and development results, application experience, and product plans. The event explores the emerging SELinux technology and the power of flexible mandatory access control in Linux. Registration for the SELinux Symposium, scheduled for February 27-March 3, 2006 in Baltimore, Maryland, will open soon at www.selinux-symposium.org.

Database Security Explained
6th, December, 2005

Exposing a database directly to the public might earn you a call from the Society for the Prevention of Cruelty to Databases. A public database server is normally an internal server, accessed only by other servers and clients behind the firewall. In this article, we'll look at examples of the most common database users: web servers and database administrators. We'll also show how to insert multiple layers of protection between the sensitive database server and the harsh weather of the public Internet. The MySQL server listens for connections on a socket: a Unix socket for connections on the same machine or a TCP socket for other machines. Its IANA-registered TCP port number is 3306, and I'll use this value in examples, but other port numbers can be used if needed.

Spam spits out Linux in high volume attack
9th, December, 2005

Struggling to cope with increasing volumes of spam, Deakin University was forced to redeploy its Linux e-mail servers and implement an alternative system for e-mail security. Craig Warren, Deakin's operational service provision manager, said the Linux servers running antivirus and spam filtering software were effective for about three years, but "the spammers were steadily beating us".

Novell to Provide Security, Systems Management and Linux to United Kingdom's National Health Service
5th, December, 2005

Novell has announced a 21.8 million pounds Sterling ($39 million) contract with the United Kingdom's leading Department of Health agency for a comprehensive set of security, management and infrastructure solutions that will improve delivery of health services to UK citizens. The three year agreement with the National Health Service (NHS) Connecting for Health program lets NHS leverage Novell® solutions across the entire NHS infrastructure, comprising upwards of 600,000 workstations, and will result in substantial cost savings for the NHS. As a strategic partner, Novell will help the NHS deliver its National Programme for IT, improving patient care and services and transforming the way the NHS works.

EnGarde Secure Community 3.0.2 Released
6th, December, 2005

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.2 (Version 3.0, Release 2). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool, the SELinux policy, and the LiveCD environment.

Small businesses using more open source
5th, December, 2005

When Gary Mauldin, CEO of La-Z-Boy Furniture Galleries, died from complications from an accident on Sept. 19, 2002, Kevin Mauldin inherited his brother's job -- as well as an outdated computer network. "I'm a retailer, not a techie," Kevin Mauldin said. The younger sibling was adept at both retail and technology, increasing his company's sales by 35 percent in 2001 and virtually building the Denver-based furniture retailer's Unix-based operating system from the ground up.

Effective Interaction with Your Board of Directors
5th, December, 2005

The board of directors' agenda has changed radically in the past two years thanks to Sarbanes-Oxley and a host of other privacy and security regulations. Board meetings that used to focus on forward-looking strategy now concentrate on regulatory-related operational details. The shift has been uncomfortable for most board members, particularly as concern for their own personal liability has mounted. Today, board members have skin in the game. So much so that Harvard Business Review ran a case study in 2003 in which several experts advised readers not to join public boards. Their conclusion: It's just not worth the risk.

Security's Shaky State
5th, December, 2005

Resourceful I.T. security professionals are getting the job done, but their efforts have been hampered by undersized staffs and underfunded budgets that limit choices ranging from what products they buy to the vendors they work with. The third annual Strategic Deployment Survey conducted by Secure Enterprise, an InformationWeek sister publication, polled more than 1,500 IT-security pros about their companies' security and their tactics for dealing with challenges. Follow-up interviews provided even more details on the state of IT security.

Document Security 101
6th, December, 2005

Few things in the world of digital documents are as pesky and revealing as "metadata" -- the information automatically embedded in documents by popular software such as Microsoft Word or Adobe Acrobat. When the government or a business forgets to purge metadata from documents before releasing them to the public, the results can range from embarrassing to dangerous.

My sysadmin toolbox: second helping
6th, December, 2005

When I wrote last month's my sysadmin toolbox column, I knew that Linux.com readers would probably have a few suggestions. I was surprised, however, by the sheer number of responses we got from readers with suggestions for other tools. With all those good suggestions, it seemed like a good idea to compile a list of the most popular reader-suggested tools and utilities to cover some of the programs that didn't make the first column.

Is a New Vulnerability the Tip of the Perl Iceberg?
6th, December, 2005

Last week a serious vulnerability was revealed to relatively little attention from the press, or even from security circles. I think it's a real nasty one, especially in as much as it will go widely unpatched. The program at issue is the ubiquitous Perl programming language.

Roundtable: Is the Cyberterror Threat Credible?
7th, December, 2005

Normally, we keep all WatchGuard Wire articles short. This article is different. It proved so popular with LiveSecurity Service subscribers last month, we decided to share it with Wire readers, too. Over our years in security, we've noticed that the top security thinkers treat security not as their job, but as their lifestyle. The best researchers seem to think about IT security constantly. We've also noticed that they express their most provocative opinions and intriguing insights not when pitching a product by day, but when swapping stories over a beer at night.

Insiders: Who's the leak?
7th, December, 2005

More than six out of 10 executives believe company insiders - and their use of email - are at least a moderate security risk to their companies. Of executives polled by a joint survey by Vericept and Enterprise Management Associates, 74 percent say personal email poses a moderate to very high risk for possible security breaches, while 41 percent saw it as a high to very high risk.

Source-Code Assessment Tools Kill Bugs Dead
7th, December, 2005

Infosec practitioners worth their Red Bull know that perfect security is an ideal worth striving for but extremely difficult to achieve. No application of any size and complexity can be perfect in its first implementation; bugs will be present, and some will affect security.

For Security's Sake, There's No Shame in Sharing
8th, December, 2005

Sharing information and bringing departments together is a recurring theme at this year's Infosecurity Conference & Exhibition. Wednesday, industry luminaries explained that security officers are more likely to succeed when they sacrifice a little control in order to build trust with other department heads. Share information with them and they'll be more likely to share with you, experts said. Then, by committee, the department heads can craft effective security policies and help top executives understand the need for certain technological investments.

Responding to the Inevitable Data Breach
8th, December, 2005

"Experience makes it apparent that attempts to prevent data loss will ultimately fail," wrote Drew Robb in the September 19, 2005 issue of Computerworld magazine. The issue is not whether a business will experience a data breach triggering statutory disclosure obligations and subjecting it to public shame. Rather, the issue is how that business will respond when the inevitable happens. A statutorily-mandated breach disclosure will, for most companies, create a near-term public relations crisis. Fortunately for those who were not among the first to disclose data breaches under SB-1386, the experiences of those who were have created a template for how to respond. There are several key points to remember.

Users try to balance security, IT needs
9th, December, 2005

As networks and digital data come under increasing attack and government regulations hold corporations to stricter standards when it comes to information security, IT managers are looking for ways to balance the need for security with the demand for IT flexibility. That was an underlying theme at this week's Computer Security Applications Conference, which brought together security experts from academia, government and industry to share the latest research and practices in information security. Topics covered everything from secure access technologies to vulnerability assessment to managing a secure IT environment.

Sober code cracked
9th, December, 2005

The latest variant of the Sober worm caused havoc in November by duping users into executing it by masking itself as e-mails from the FBI and CIA. Antivirus companies were aware that the worm somehow knew how to update itself via the Web. The worm's author programmed this functionality to control infected machines and, if required, change their behavior.

New York breach notification law goes into effect
8th, December, 2005

New York has joined the growing list of U.S. states requiring that companies notify their customers whenever private information has been compromised. On Wednesday, the state's Information Security Breach and Notification Act went into effect, according to a spokeswoman for the state's attorney general, Eliot Spitzer. The law, which is similar to California's SB-1386 notification law, requires businesses and state agencies to inform New York residents "whose unencrypted personal information may have been acquired by an unauthorized person," according to the text of the legislation.

FBI: We're not worried about terrorist cyberattack
8th, December, 2005

Terrorist groups lack the capability to launch a damaging Internet-based attack on the United States, and foreign governments are probably behind many online spying attempts, FBI officials said on Wednesday. Al-Qaida and similar groups do not have the ability to disable power plants, airports and other "critical infrastructure" through the Internet, said FBI Assistant Director Louis Reigel, who heads the enforcement agency's Cyber Division.

Forensic Analysis of Malcode - Step by Step
8th, December, 2005

As many of you venture into a pervasive computing environment, it will not be long before you will be faced with a situation where forensics will be needed. This is an upcoming area and, in my opinion, will be the hottest area of security. If you're one to chase the big bucks and you want to stay in the technology track, then this is the route for you. Otherwise, go off and write documentation for all of the new regulations. That too is hot and returning hefty salaries.