Linux Security Week: January 30th 2005
Source: Contributors - Posted by Benjamin D. Thomas   
This week, perhaps the most interesting articles include "Chrooted SSH HowTo," "Oracle no longer a 'bastion of security'," and "Defending against unsafe coding practices with 'libsafe'."

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

Feature Extras:

Hacks From Pax: SELinux Administration - This week, I'll talk about how an SELinux system differs from a standard Linux system in terms of administration. Most of what you already know about Linux system administration will still apply to an SELinux system, but there are some additions and changes that are critical to understand when using SELinux.

Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on

Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital’s multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network. Click to find out more!

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to with "subscribe" as the subject.

Thank you for reading the weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

  OpenSSL receives FIPS certification
  23rd, January, 2006

The Cryptographic Module Validation Program (CMVP), a joint effort of the US and Canadian governments, approved the validation of the OpenSSL open source security toolkit for implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols on Friday.
  The Art of Intrusion
  27th, January, 2006

Book review: I'm not that keen on the word “hacker” in the modern, pejorative sense (I remember when it meant a good UNIX programmer) and I'm generally not that impressed by hackers either - mostly they're not particularly clever and just got lucky. So, I came to this book in a not very positive frame of mind; except I do think that the famous Kevin Mitnick was unfairly demonised, and I'm not sure how much actual damage he did in the end. Although unauthorised intrusion into production systems is always bad, what chance is there they were tested for resilience during the sorts of things intruders do, for example.
  The Perfect Linux Firewall Part I -- IPCop
  26th, January, 2006

This document describes how to install the GNU/Linux GPL IPCop firewall and create a small home office network. In the second installment we cover creating a DMZ for hosting your own web server or mail server and the Copfilter proxy for filtering web and email traffic. This is intended to be a quick and dirty overview on creating an IPCop firewall and comes without warranty of any kind!
  Put Up A Strong Defense
  23rd, January, 2006

Most security breaches by insiders are unintentional. They come from employees who make ill-advised or uninformed choices regarding storage of their passwords, the Web sites they visit, and the E-mails they send. The Computing Technology Industry Association's annual survey on IT Security and the Workforce trends, to be published in March, indicates that nearly 80% of corporate security breaches are caused by computer-user error.
  Opening Keynote Speaker Announced for the Second Security-Enhanced Linux Symposium
  24th, January, 2006

Steve Walker, president of Steve Walker & Associates and managing partner of Walker Ventures, will be the opening keynote speaker for the second annual Security-Enhanced Linux (SELinux) Symposium scheduled for February 27-March 3, 2006 in Baltimore, Maryland.
  Recon 2005 Conference Videos
  25th, January, 2006

REcon is a computer security conference being held in Montreal. The conference offers a single track of presentations over the span of three days. Check the conference page for more details. A three day training course on reverse engineering will be presented by Nicolas Brulez. Two sessions are being made available, both before and after the conference. Check the training page for more details.
  Software dotDefender protects Linux & Solaris web servers
  23rd, January, 2006

Applicure announced today the release of dotDefender 2.0 for Solaris and Linux Web servers. dotDefender secures websites against a broad range of HTTP-based attacks, including Session attacks (e.g. Denial of Service, Session Hijacking), Web application attacks (e.g. SQL injection, Cross-site scripting, and known attack signatures), as well as requests originating from known attack sources (e.g. spammer bots and compromised servers).
  Oracle no longer a 'bastion of security': Gartner
  24th, January, 2006

Analyst group Gartner has warned administrators to be "more aggressive" when protecting their Oracle applications because they are not getting enough help from the database giant. Gartner published an advisory on its Web site just days after Oracle's latest quarterly patch cycle, which included a total of 103 fixes with 37 related to flaws in the company's database products. Some of the flaws carry Oracle's most serious rating, which means they're easy to exploit and an attack can have a wide impact.
  Chrooted SSH HowTo
  25th, January, 2006

This tutorial describes how to install and configure OpenSSH so that it will allow chrooted sessions for users. With this setup, you can give your users shell access without having to fear that they can see your whole system. Your users will be jailed in a specific directory which they will not be able to break out of.
  Oracle in war of words with security researcher
  26th, January, 2006

A security researcher released details of a critical flaw in Oracle's application and Web software on Wednesday, criticising the company for not cooperating with the security community and taking too long to fix software issues that threaten its customers. The flaw occurs in the way that a module in Oracle's Apache Web server distribution handles input and could give external attackers the ability to take control of a backend Oracle database through the Web server, said David Litchfield, principal researcher of database security firm Next-Generation Security Software, during a presentation at the Black Hat Federal security conference.
  MailArchiva: Open Source Email Archiving Server
  26th, January, 2006

There was much hype around the growth of the email archiving market last year. For example, the IDC predicted that 2005’s email archiving application revenue reached US $310 million worldwide. Good news! The open source community has just released MailArchiva, a competitive email archiving product that integrates directly with Microsoft Exchange.
  SARA, spawn of SATAN
  26th, January, 2006

If you are an old school Linux or Unix user, you probably remember the System Administrator's Tool for Scanning Networks (SATAN). In 1995, SATAN brought browser-based network auditing to the world. Despite its initial splash, SATAN fell to the wayside due to lack of updates. Thanks to the kind folks at the Advanced Research Corp., SATAN is back, in the form of the Security Auditor's Research Assistant (SARA), a kinder, gentler, easier to use, and more updated auditing tool.
  Hacker PC networks getting harder to find
  23rd, January, 2006

Hacked computer networks, or botnets, are becoming increasingly difficult to trace as hackers develop new means to hide them, say security experts. Botnets are used to send spam, propagate viruses and carry out denial of service attacks - something that has again come to light with a high-profile attack on The Million Dollar Home Page, a novel advertising website idea by a British college student.
  KDE flaws put Linux, Unix systems at risk
  23rd, January, 2006

A serious vulnerability has been found in the popular KDE open-source software bundle. The flaw, deemed "critical" by the research outfit the French Security Incident Response Team, could allow a remote attacker to gain control over vulnerable systems. KDE is a desktop software package for Linux and Unix systems and includes the Konqueror Web browser and other applications.
  IBM Predicts 2006 Security Threat Trends
  23rd, January, 2006

IBM recorded more than 1 billion suspicious computer security events in 2005, despite a leveling off in the amount of spam e-mail and a decrease in major Internet worm and virus outbreaks. Enterprises should expect to see the same level of malicious traffic in 2006, even as online criminal groups shift to stealth attacks and cyber-extortion instead of massive, global malicious code attacks, said David Mackey, director of security intelligence at IBM.
  Security Hot Issue for Open-Source Database Developers
  24th, January, 2006

Open-source database deployments rose dramatically in the last half of 2005, and as one might expect, as more IT pros get acquainted with these non-proprietary systems, security is a chief concern. Open-source database makers like MySQL and PostgreSQL simply must answer some of the most prevalent security-related questions in order to win more market share.
  IT security becomes 'top priority' for European financial institutions
  25th, January, 2006

The growing threat from hackers, new regulations, reputation issues and the growing importance of direct channel self-service banking are pushing IT security to the very top of the corporate agenda for Western European financial institutions, new research has revealed. According to the report from IDC company Financial Insights, banking and finance firms are increasingly finding that their IT security is coming under pressure from both external hackers and ever-tightening corporate regulations.
  Users get to the root of Linux security holes
  25th, January, 2006

IT pro Sid Boyce said he did not believe that, in his own words, "the wet-finger-in-the-wind analysis" applies to Linux as it does with Windows. Boyce, a retired IBM/Amdahl mainframe tech support specialist, said the assumption that Linux was just as prone to attacks as Windows because it ran on a PC is incorrect. "I'm not saying Linux isn't vulnerable, but to compare it in the same light as Windows is a gross distortion," Boyce said.
  (IN)SECURE Magazine issue 5 has been released
  25th, January, 2006

A new issue of (IN)SECURE magazine has been released in PDF format. (IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics.
  IT security "top priority" for European financial institutions
  27th, January, 2006

According to the report from IDC company Financial Insights, banking and finance firms are increasingly finding that their IT security is coming under pressure from both external hackers and ever-tightening corporate regulations. Angela Vacca, senior research analyst for European IT Opportunity: Financial Services research, said: "Financial institutions are under constant pressure because hackers' strategies evolve very rapidly and regulators constantly require stricter levels of control, which involve continuous upgrades of IT systems. Therefore, financial institutions that do not tackle security issues are expected to face huge tangible and intangible costs."
  Cybercrime Feared 3 Times More Than Physical Crime
  26th, January, 2006

Three times more Americans think they'll be hit by computer crime in the next year than real-world wrongdoing of the old-fashioned kind, a survey released Wednesday by IBM said.
  Cyber crime strides in lockstep with security
  26th, January, 2006

Information Security made great strides last year. Sadly, so did cyber crime. In the U.S. – according to a recent FBI study – almost 90 per cent of firms experienced computer attacks last year despite the use of security software.

So what happened in 2005? In a year when rootkits went mainstream and malware went criminal, information security improved.
  Sharp Ideas’ Slurp Audit Exposes Threat Of Portable Storage Devices For Corporate Data Theft
  27th, January, 2006

The application was designed to raise awareness within the corporate community about the risks associated with unmanaged portable storage devices in the workplace. “Many of today’s businesses haven’t grasped the severity of risks associated with unmanaged portable storage devices on a corporate network,” said Abe Usher, Founder of Sharp Ideas, LLC. “Slurp Audit was created to show how easy it is to steal large amounts of data from corporate PCs using mobile devices like iPods, and it reinforces the fact that organizations desiring comprehensive security must have strategies in place that address the endpoint.”
  Defending against unsafe coding practices with "libsafe"
  27th, January, 2006

In a previous tip about securing Linux applications with compiler extensions, we described a defense-in-depth layered methodology ("defense in depth") to proactively mitigate the potential for risk or damage arising from fatally-flawed programming constructs.
  Researchers: Rootkits headed for BIOS
  27th, January, 2006

Insider attacks and industrial espionage could become more stealthy by hiding malicious code in the core system functions available in a motherboard's flash memory, researchers said on Wednesday at the Black Hat Federal conference.
  IT industry prepares for the worst over ID cards
  25th, January, 2006

After years in which suppliers have absorbed most of the blame for government IT failures, the case for there being equal measures of ineptitude in the civil service is gaining momentum behind the concerted campaign against ID Cards. The latest evidence was submitted as a statement this week by Intellect, the UK's IT trade association, in a thinly veiled case of passing the blame.
  Accused phone hacker walks free
  24th, January, 2006

Sahil Gupta, the second man charged over the Telecom voicemail hacking incident in April, walked free from an Auckland court last week. Gupta was charged along with a teenager who cannot be identified for legal reasons. The teen was charged with unauthorised access of a computer system and pleaded guilty. Gupta was charged under the same section of the Crimes Act and faced up to two years in prison.
  Man pleads guilty to felony hacking
  24th, January, 2006

A 20-year-old man pleaded guilty Monday to surreptitiously seizing control of hundreds of thousands of Internet-connected computers and renting the zombie network to people who mounted attacks on Web sites, served up pop-up ads and sent out spam.
  Shmoocon 2006: Dan Geer keynote
  27th, January, 2006

Dan Geer’s keynote was one of my favorite talks from the con. He believes that “if people respect you enough to have you deliver a keynote, respect your audience enough to write it out”. Thanks to that he’s provided the full text and a pdf of the slides from his talk. My summary won’t do it justice, but you can at least know what you are getting yourself into.
