Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Advisory Watch: March 27th, 2015
Linux Security Week: March 23rd, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

Linux Security Week: February 6th 2006 Print E-mail
User Rating:      How can I rate this item?
Source: Contributors - Posted by Benjamin D. Thomas   
Linux Security Week This week, perhaps the most interesting articles include "SSH Password Guessing: Linux Compromise and Forensics," "Trusted Computing comes under attack," and "Wi-Fi Trickery or How to Secure, Break and Have Fun with Wi-Fi."

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. Feature Extras:

Hacks From Pax: SELinux Administration - This week, I'll talk about how an SELinux system differs from a standard Linux system in terms of administration. Most of what you already know about Linux system administration will still apply to an SELinux system, but there are some additions and changes that are critical to understand when using SELinux.

Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on

Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital’s multi-faceted security applications. More then just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network. Click to find out more!

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to with "subscribe" as the subject.

Thank you for reading the weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.

  NIST updates cryptography guidelines for U.S. Federal Agencies
  31st, January, 2006

In a bid to help U.S. federal agencies protect sensitive, but unclassified information, the National Institute of Standards and Technology (NIST) has updated guidelines for selecting and implementing cryptographic methods.

Originally published in 1999, Guideline for Implementing Cryptography in the Federal Government (NIST Special Publication 800-21-1) is intended primarily for federal employees who design computer systems and procure, install and operate security products to meet specific needs.
  Covert Crawling: A Wolf Among Lambs
  30th, January, 2006

Web application IDS evasion techniques and countermeasures is a mature area of study. LibWhisker-based apps and Snort have been in a tug-of-war for years. However, the initial reconnaissance of a website or web app has been largely neglected. Its either done by hand (which is tedious) or with a traditional crawler like wget (which is very noisy). An automated crawl appears as an enormous spike in hit count and byte transfer that is well outside the bell-curve for normal users.
  The open-source programmer who means business
  2nd, February, 2006

Alan Cox is so well-regarded in the open-source software community that he can pull in a crowd of eager techies to discuss theoretical software stability on a Sunday afternoon, as he did at last year's FOSDEM conference in Brussels.
  Kevin Mitnick Interview on Art Bell
  30th, January, 2006

Computer security expert Kevin Mitnick touched on a variety of computer- and security-related topics, including OS vulnerabilities and defenses, hacking, and government communication monitoring. Mitnick said all computer operating systems have flaws that can be exploited. If you're connected to the Internet, he explained, you should assume you can be attacked and ask yourself, "What can I do to limit the damage?" Mitnick suggested computer users operate behind a firewall.
  OSS is an easier hack: Mitnick
  31st, January, 2006

In an exclusive interview on Friday, infamous hacker Kevin Mitnick told Tectonic that, given the choice between finding security vulnerabilities in closed and open source, he'd prefer to attack an open source environment.

"Open source would be easier [to hack]," admits ex-hacker turned security consultant Mitnick. "It's less work." Mitnick says that open source software is easier to analyse for security holes, since you can see the code. Proprietary software, on the other hand, requires either reverse engineering, getting your hands on illicit copies of the source code, or using a technique called "fuzzing".
  Cross Site Cooking
  31st, January, 2006

There are three fairly interesting flaws in how HTTP cookies were designed and later implemented in various browsers; these shortcomings make it possible (and alarmingly easy) for malicious sites to plant spoofed cookies that will be relayed by unsuspecting visitors to legitimate, third-party servers.
  Dial 'D' for DoS; VoIP's hidden security threat
  31st, January, 2006

Communication technology experts have released a report highlighting inherent security issues with VoIP applications such as Skype and Vonage that could give online criminals an opportunity to operate undetected.
  CERT Stats Under Fire
  30th, January, 2006

Linux supporters have roundly criticized a recent report from the United States Computer Emergency Readiness Team (CERT), which reported that during 2005, Linux and Unix combined had 2,328 vulnerabilities, compared with 812 vulnerabilities for Microsoft Windows. Linux practitioners say the counts are skewed because they count the same vulnerability each time it appeared last year in any given Linux distribution. By doing this, they say, one bug could actually show up in the list dozens of times, depending on the number of Linux variants it appeared in. The CERT stats also appear to include problems with scripting languages such as PHP or even applications that are not part of the core Linux operating system but instead are used with it.
  Computer security today
  2nd, February, 2006

Infosecurity Europe 2006 is just around the corner. Taking place at the Olympia in London 25-27 April 2006, it is the most important gathering of security professionals in Europe. At the press conference in London earlier this week, we were introduced to last year’s statistics as well as information about the 2006 conference with many presentations.
  CFP: New Security Paradigms Workshop
  3rd, February, 2006

NSPW is a unique workshop that is devoted to the critical examination of new paradigms in security. Each year, since 1995, we examine proposals for new principles upon which information security can be rebuilt from the ground up. We conduct extensive, highly interactive discussions of these proposals, from which we hope both the audience and the authors emerge with a better understanding of the strengths and weaknesses of what has been discussed.
  Louisville Geek Dinner
  5th, February, 2006

The purpose of this site is to organize a social networking event for geeks in Louisville and surrounding areas. The geek dinner concept came from listening to London Geek Dinner podcasts. London Geek Dinners have attracted crowds over 175. Hopefully we can pull strong numbers in Louisville.

Who is invited, and what does it mean to be a geek? Wikipedia defines geek as the following, "a person who is fascinated, perhaps obsessively, by obscure or very specific areas of knowledge and imagination." The simple fact is that we love technology. We need a social event where everyone speaks our language for a change. All geeks are invited. Please encourage your geek friends to Signup. The best way to ensure that you will have a good time is to invite other geeks that you know.
  SSH Password Guessing: Linux Compromise and Forensics
  31st, January, 2006

This document describes the compromise of a Debian Linux server on an internal network. We look at how the incident first came to light, the response procedures and an analysis of the actions of the attacker. This leads us to some recommendations on how to secure systems against this kind of exploitation in future. None of this is particularly new or surprising, but hopefully will serve as a welcome reminder, or as useful material when trying to justify particular security policies.
  Trusted Computing comes under attack
  1st, February, 2006

Technologies touted as providing a more secure computing experience are actually more likely to reinforce monopolies and lock customers in, security and free software experts have warned.The "Trusted Computing" technologies promoted by major IT companies such as Microsoft and IBM could have negative consequences for customers and rival software makers, according to security experts.
  Got Rootkits? Time to 'Fess Up
  2nd, February, 2006

Enterprise software vendors beware. If you have included rootkit-like technology in your products, now is the time to step forward, publicly own up to it, and get rid of it right away. Otherwise some enterprising hacker is going to do it for you.
  Bringing UNIX/Linux Networks into Compliance with the Sarbanes-Oxley Act of 2002
  3rd, February, 2006

his document addresses how an organization can use identity and access management solutions (IAM) such as Symark's PowerBroker and PowerPassword-UME for UNIX and Linux operating systems to meet Sarbanes-Oxley (SOX) requirements for effectiveness of internal controls for financial reporting requirements. Symark PowerBroker and PowerPassword-UME safely delegate administrative privileges (including root) and provide secure logins and strong password and user management policies, keystroke logging and indelible audit trails. This document demonstrates how Symark PowerPassword-UME and PowerBroker work in tandem to protect the integrity of data across heterogeneous UNIX/Linux systems to help bring your IT systems into compliance especially with the SOX section 404 requirements for internal IT controls.
  Nmap 4.00 Released
  31st, January, 2006

Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 4.00 from .
  ChoicePoint fined $15m over data security breach
  30th, January, 2006

Data broker ChoicePoint was yesterday fined $15m over a data security breach that led to at least 800 cases of identity theft. ChoicePoint agreed to pay $10m in civil penalties (a record fine) and $5m to compensate consumers as part of a settlement with US consumer watchdog the Federal Trade Commission (FTC). It also agreed to maintain a revamped security program, featuring regular third-party security audits until 2026, and promised to ensure it provides consumer reports only to legitimate businesses for lawful purposes.
  Security professionals back tougher laws for hackers
  30th, January, 2006

The IT security industry has almost unanimously given its backing to government plans to update the Computer Misuse Act (CMA) and introduce more severe custodial sentences for cyber criminals. And many are urging the government to now 'go the distance' and ensure the bill is passed and the new laws come into effect as soon as possible - and are policed effectively.
  Ten Threats You Probably Didn't Make Plans For
  30th, January, 2006

As an IT Manager or perhaps a more specialised IT Security Officer, you have your security policy in place, your physical security, network security and application security measures are all installed and functioning. Systems are patched up to date and for that split second it would seem that security is no longer an issue. Unfortunately, a second is probably as good as it gets, as there is bound to be another threat waiting around the corner. In today’s fast paced electronic world, whilst it is not possible to maintain a totally secure environment, 98 percent secure is far better than 97 percent secure. Every bit counts, but when it comes to applying security there are many practices that are overlooked simply because we choose to ignore that certain threats exist or worse still, as this is the more likely to be the case, simply don’t even realise that some threats exist.
  UK To Strengthen Cybercrime Laws
  1st, February, 2006

One of the biggest problems with cybercrime in the UK remains the law. Back in 1990, the government passed the Computer Misuse Act. Unfortunately, the government has failed to keep up with changes in cybercrime and in so doing leaves many individuals and businesses with no real legal protection to fend off many attacks. Parliament has been perusing a Police and Justice Bill, which would add too and toughen up the existing laws. The bill would make it illegal to make unauthorized modifications to computers with a penalty of ten years in prison.
  Instant messaging targeted for malicious worm attack
  1st, February, 2006

Businesses have been warned to prepare themselves for an onslaught of malicious worm attacks through corporate instant messaging systems. The number of new attacks released on to instant messaging, rose 17 fold in 2005 and could double again by next year, predicts research based on an analysis of 600 companies.
  SOX Compliance Is Worth the Effort
  1st, February, 2006

SOX compliance has helped to make ethics training more common within the corporate environment. According to a 2005 survey by the Ethics Resource Center, 69 percent of employees reported that ethics training in their organizations was up, as compared to 14 percent who said so in the same survey conducted in 2003.
  Feature: The Top 10 Infosec Myths
  2nd, February, 2006

Merriam-Webster defines a myth as a popular belief or tradition that has grown up around something or someone but is often unverifiable. When it comes to information security, there's a lot of popular wisdom available, but much of it is unfounded and won't necessarily improve your organization's security.

Why do such beliefs persist? The answer is that we don't challenge new and existing ideas enough. We must test and evaluate the validity of new security concepts, so the good ones can become standards. Only by cutting through the hype to separate reality from myth can IT professionals help take their enterprises to the next level. Here are 10 network security myths that bear further examination.
  Make Backups Of Pr0n, Go To Prison!
  2nd, February, 2006

If you've ever had the displeasure of investigating the possible downloading of child pornography by a user (or users), then I'm sure you can relate to how painful it is to recover any digital artifacts from the suspects' hard drives, portable media, etc. Some investigators say they become 'numb' to the images over time. I, for one, come close to being violently ill and wretching up my morning coffee during such artifact recoveries.
  British businesses not taking cybercrime seriously
  3rd, February, 2006

The Confederation of British Industry (CBI) has warned that small and medium-sized businesses are leaving themselves open to electronic attack through lack of planning, putting themselves and the rest of the supply chain in danger. Medium-sized firms came out particularly badly in the CBI's survey: while 60 percent of them engage with partners and clients online, more than half of these firms don't plan to put any security measures in place, the CBI said.
  Convergence and the rise of botnets
  3rd, February, 2006

At the recent Infosecurity Press Conference in London, Mark Sunner, CTO of MessageLabs, presented the results of the MessageLabs Intelligence Annual Report that provides us with an insight on how cyber criminals worked during the past year.
  ISPs ordered to hand over file-sharer details
  1st, February, 2006

The High Court has ordered 10 ISPs to hand over the customer details of 150 individuals accused of illegally sharing and downloading desktop software on the web. The illegal file-sharers were identified after a 12-month covert investigation by the Federation Against Software Theft (Fast), called Operation Tracker.
  Unauthorized Sale of Phone Records on the Rise
  2nd, February, 2006

Reports of the unauthorized sale of personal telephone records may be sending chills up the spines of callers across the county, but the practice does not occur underground or on the black market. It occurs right out in the open, and according to regulators it's a growing problem. Numerous data broker Web sites advertise personal phone records for sale, including the numbers called, the length of calls, and sometimes the location of cell phones.
  FAQ: The new 'annoy' law explained
  3rd, February, 2006

Q: So what does the rewritten law now say? The section as amended reads like this: "Whoever...utilizes any device or software that can be used to originate telecommunications or other types of communications that are transmitted, in whole or in part, by the Internet... without disclosing his identity and with intent to annoy, abuse, threaten, or harass any person...who receives the communications...shall be fined under title 18 or imprisoned not more than two years, or both."
  Cellcos and senate vs social engineering
  2nd, February, 2006

New legislation proposed by Senator Chuck Schumer (D, NY) and backed by heavyweights from both major parties, seeks to criminalize both the practitioners and the dupes of "social engineering". That's just a fancy way of smooth-talking someone out of some information they shouldn't normally impart, but it has been the most effective technique for fraudsters, hackers and private eyes over the years.
  Members of secretive group indicted in piracy plot
  3rd, February, 2006

A group of cyber-pirates stole copyrighted software, games and movies in what law enforcement authorities on Wednesday termed a "massive" theft for their own pleasure, not profit. The indictments were announced by U.S. Attorney Patrick Fitzgerald in Chicago against 19 members of the underground piracy group known as "RISCISO," led by Sean O'Toole, 26, of Perth, Australia. Another member of the group implicated in the FBI's investigation, dubbed "Operation Jolly Roger," was Linda Waldron, 57, of Barbados. Extradition will be sought for both.
  DHS wants to improve software security
  3rd, February, 2006

The Homeland Security Department wants public comment on two draft documents that are part of a federal program to improve software security, according to today's Federal Register.
  Millionaire on hacking charge
  31st, January, 2006

Matthew Mellon, heir to a £6.6 billion banking and oil fortune, will appear in court next month in connection with an investigation into an alleged phone-tapping and computer hacking gang. The former husband of Tamara Mellon, who runs the Jimmy Choo shoe empire, will appear alongside 17 other defendants accused of involvement in the operation, which allegedly provided clients with confidential information about wealthy people and businesses.
  Botnet Herders Hide Behind VoIP
  1st, February, 2006

Internet telephone applications like Skype and Vonage could become hacker hideouts, technologists and academics funded by MIT and Cambridge University say. Internet telephone applications like Skype and Vonage could become hacker hideouts, a group of technologists and academics funded by MIT and Cambridge University said Thursday. According to the Communications Research Network (CRN), voice-over-Internet (VoIP) software could give perfect cover for launching denial-of-service (DoS) attacks.
  Was the WMF vulnerability purchased for $4000?!
  2nd, February, 2006

Going through Kaspersky's latest summary of Malware - Evolution, October - December 2005, I came across a research finding that would definitely go under the news radar, as always, and while The Hackers seem to be more elite than the folks that actually found the vulnerability I think the issue itself deserves more attention related to the future development of a market for 0day vulnerabilities.
  Boston Globe in clueless security breach
  3rd, February, 2006

Two Massachusetts papers - the Boston Globe and the Worcester Telegram & Gazette - have apologised after exposing the credit card details of up to 240,000 subscribers. Most of those affected were Globe readers. Information security breaches by major US corporations are becoming an almost weekly event but the breach involving the two papers, both part of the The New England Media Group owned by The New York Times, was especially boneheaded.
  Shmoocon 2006: Wi-Fi Trickery or How to Secure, Break and Have Fun with Wi-Fi
  1st, February, 2006

Franck Veysset and Laurent Butti, both from France Telecom R&D, presented several proof-of-concept tools at Shmoocon that use 802.11 raw injection. The first is Raw Fake AP. The original Fake AP is a script that generates thousands of fake access points. It is easy to spot because of tell-tale signs like the BSSID showing the AP has only been up for a couple milliseconds. Raw Fake AP tries to generate legitimate access points by modifying BSSIDs and sending beacon frames at coherent time intervals.

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

< Prev   Next >


Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.