Linux Security Week: February 20th 2006
Source: Contributors - Posted by Benjamin D. Thomas   
This week, perhaps the most interesting articles include "Responding to Security Incidents on a Large Academic Network," "When Insider Threats Meet Sarbanes-Oxley," and "Linux/Unix Players Beef Up Security."

Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

Feature Extras:

EnGarde Secure Community 3.0.4 Released - Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

pgp Key Signing Observations: Overlooked Social and Technical Considerations - While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.

Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital’s multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to with "subscribe" as the subject.

Thank you for reading the weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.

  Essential PHP Security
  14th, February, 2006

Given the remarkable popularity of PHP for developing dynamic Web sites, as well as the ever-increasing need for security on those same sites, one would think that there would be great demand for — and comparable supply of — books that explain how to create secure sites using PHP. However, such is not the case, and even the most extensive general purpose PHP books may only devote a single chapter to this critical topic, if that much. Essential PHP Security, written by PHP expert Chris Shiflett, aims to fill the gap.
  AJAX Security
  14th, February, 2006

Web developers cannot have failed to notice the excitement surrounding "AJAX" or Asynchronous JavaScript And XML. The ability to create intelligent web sites such as Google Suggest or compelling web-based applications such as Gmail is thanks in no small part to this technology. There is, however, a darker side - and accompanying the growth in AJAX applications we have noticed an equally significant growth in security flaws, with the potential to turn AJAX-enabled sites into a time bomb.
  Secure software is up to businesses
  16th, February, 2006

Most businesses aren't doing enough to build and buy securely written software, according to a panel of corporate security executives, academics and professional software developers speaking at the RSA Security Conference 2006 yesterday. The problem stems in part from failure to ask about how securely commercial software is written and failure to train in-house software developers how to write applications that leave few vulnerabilities, said the panel, drawn together by the Secure Software Forum, a group founded last year to promote applications that resist attacks.
  Responding to Security Incidents on a Large Academic Network:
  15th, February, 2006

This paper describes a series of security incidents on a large academic network, and the gradual evolution of measures to deal with emerging threats. I describe various techniques used and give an honest evaluation of them as implemented on a real network with tens of thousands of active users. Thanks to the relatively open nature of academic computing environments, the reader may notice that significant emphasis is given to detection and response capabilities; obviously, preventative measures are preferable when this is possible. I hope this information will be valuable when system administrators and IT security managers are evaluating preventative measures to deploy, and when they are responding to ongoing incidents.
  Security in the Cloud
  16th, February, 2006

One of the basic philosophies of security is defense in depth: overlapping systems designed to provide security even if one of them fails. An example is a firewall coupled with an intrusion-detection system (IDS). Defense in depth provides security, because there's no single point of failure and no assumed single vector for attacks. It is for this reason that a choice between implementing network security in the middle of the network -- in the cloud -- or at the endpoints is a false dichotomy. No single security system is a panacea, and it's far better to do both.
  Security experts look to the future
  15th, February, 2006

A panel discussion involving a group of experts held during DEMO ‘06 in Phoenix last week concluded that the state of security today is not where it should be. But the panelists also had suggestions on how to improve it. During the conference, which is owned by Network World, former IBMer and consultant John Patrick called together a panel of industry and academic figures to try to answer the question, “Will the good guys be able to stay ahead of the bad guys?” But first Patrick asked the panel to assess the current state of security, and the responses showed that the good guys aren’t necessarily ahead of the bad guys to begin with.
  Recent Haxdoor Distribution Breaks SSL via Pharming
  15th, February, 2006

Secure Science Corporation released an advisory reporting that the latest Pharming techniques used within malware have broken SSL. Chapter 5 of Phishing Exposed, a book by Lance James, who happens to work for Secure Science, demonstrated this technique as an upcoming threat that phishers will take advantage of. The report on how this SSL Pharming attack occurs can be found on the advisories page at Secure Science.
  Trusted Computing Standard Coming To The SAN--And The Sneakernet
  17th, February, 2006

Trusted Computing chips are already built into most new business PCs. At this week’s RSA Security show, the Trusted Computing Group unveiled a draft specification that will add a simplified version of the chip to storage devices, too. Intended mainly for hard disks and USB flash drives, it can be used for both portable and networked storage. Seagate Technology last year launched a laptop drive that automatically encrypted all data at wire speed. At the show, the company announced that this was based on the draft specification, which allows encryption keys to be transferred between drives and the Trusted Platform Module (TPM) chips in PCs.
  Start-up seeks to spin a safer web
  14th, February, 2006

A group of graduates from the Massachusetts Institute of Technology (MIT) aim to change that by crawling the web with hundreds, and soon thousands, of virtual computers that detect which websites attempt to download software to a visitor's computer and whether giving out an e-mail address during registration can lead to an avalanche of spam.
  Is It the End of the Security World as We Know It?
  17th, February, 2006

The folks running the annual RSA Conference here this week will tell you that the show is bigger than ever and security is at the top of every CIO's list of concerns. And while all of that may well be true, if heavyweights such as Sun Microsystems, Cisco Systems and Microsoft have their way, enterprises soon will have little use for the wares that most of the security vendors here are hawking.
  Openwall GNU/*/Linux (Owl) 2.0 release
  16th, February, 2006

For those few who don't know yet, Openwall GNU/*/Linux (or Owl) is a security-enhanced operating system with Linux and GNU software as its core, intended as a server platform. After many Owl-current snapshots, Owl 2.0 release is finally out.
  Securing Secondary Storage for SOX
  13th, February, 2006

Although the purpose of the Sarbanes-Oxley Act was to ensure corporate financial accountability and eliminate the risk of any future Enron-type debacle, it has had a major impact on IT departments. Sarbanes-Oxley requires companies to store and protect all relevant financial records for seven years, and those records may include unstructured and semi-structured data such as e-mail in addition to spreadsheets, contracts, audit reports, and the like.
  Security Geek Advised New Harrison Ford Movie
  13th, February, 2006

Self-professed "geek" Lawrence Levine was in hog heaven for the three weeks he worked on the set of the Harrison Ford thriller "Firewall," which opens Friday. "I mean, how often does a security geek get to hang out with Harrison Ford? He's Han Solo and Indiana Jones!" said Levine, co-founder and current chairman of SecurePipe, an Illinois-based managed security services firm that specializes in working with financial organizations.
  Coping with A Major Security Breach? What’s your Contingency Plan?
  13th, February, 2006

Legal pressures, not to mention your moral obligation to assist unwitting victims, mean that you should never delay when disclosing IT security incidents. What actions should be taken? This article shows what you will face in the case of a stolen laptop with confidential information.
  Linux 'easier to manage' than Windows
  14th, February, 2006

Linux administrators are able to effectively manage more servers than Windows administrators, according to a study published on Monday. The employees of over 200 companies that run Linux were interviewed for the Get the Truth on Linux Management study, which was sponsored by pro-Linux organisation the Open Source Development Labs (OSDL) and Linux management software vendor Levanta.
  When Insider Threats Meet Sarbanes-Oxley
  14th, February, 2006

Many security practitioners divide security into three distinct but related areas: external threats, internal threats and compliance. While it is fashionable to say that security doesn’t equal compliance, and compliance doesn’t equal security, one must acknowledge that there is a tremendous amount of overlap between the two. This is certainly the case when considering Sarbanes-Oxley compliance and insider threats. Insider threat and Sarbanes-Oxley share many of the same dire consequences: loss of intellectual property, compromised data, damaged or destroyed assets and severed communications, to name a few. Failure to protect sensitive data and meet regulatory requirements can destroy customer trust, spur government fines, damage stock prices and invite lawsuits.
  Worms turn on Google to hunt for victims
  15th, February, 2006

Malware authors are increasingly creating digital pests that use Google to find their next victim. Using the search tool for automated vulnerability detection is the latest trend in a technique known as 'Google hacking'. George Kurtz, senior vice president for risk management at security firm McAfee, told about the phenomenon after a presentation at the RSA Conference in San Jose.
  IT Security Awareness on the Rise
  16th, February, 2006

Information security is now a considerably more prominent issue to private companies than it was just two years ago, according to a survey released by the Business Software Alliance this week. According to the poll of 410 information technology decision makers in North America and Europe, 81 percent now believe that the possibility of losing business because of downtime is a financial risk, up from 67 percent in 2004.
  Linux, Unix Players Beef Up Security
  16th, February, 2006

As expected, archrivals Sun, Red Hat and Novell unveiled major security improvements for their respective Unix and Linux platforms this week. At the RSA Conference in San Jose, Calif., Sun revealed plans to release Solaris Trusted Extensions into beta testing in April and simultaneously enter evaluation for Common Criteria Certification at EAL 4+ certification, against Labeled Security Protection Profile (LSPP). LSPP is one of three levels of advanced security options that are part of EAL 4+, deemed essential for financial, healthcare and government customers that need to protect multiple levels of classified data on a single system.
  'Pentagon hacker' wants to see Bush's John Hancock
  17th, February, 2006

Alleged Pentagon Hacker Gary McKinnon was told in court today that the US Embassy would write a letter to help him avoid the full wrath of presidential anti-terror laws, if he were extradited for prosecution. McKinnon (aka Solo) was facing extradition proceedings in Bow Street Magistrates Court this morning so that he could be tried in US courts for allegedly hacking into 97 US military and NASA computers, disabling the Washington computer network, and leaving a message that read: "US foreign policy is akin to government sponsored terrorism these days... I am SOLO. I will continue to disrupt at the highest levels".
  Privacy and Anonymity
  16th, February, 2006

Privacy and anonymity on the internet are as important as they are difficult to achieve. Here are some of the current issues we face, along with a few suggestions on how to be more anonymous. Online privacy issues are in the news every week now. This is good for us, because when it's newsworthy and notable it means people still care about the privacy of their personal information in some fundamental and important way. Privacy on the internet (or rather, a lack thereof) has been with us for ages, but as technology converges we are all forced to make some important new choices about what we are willing to disclose. Let's start with a few examples.
  Things you don't want Google to find
  16th, February, 2006

"Hacking Google" isn't exactly new. That is, using the search engine to look for confidential information. But as McAfee's senior vice president for Risk Management George Kurtz demonstrated today at RSA conference, that didn't prevent users and organisations from posting those goodies online for anyone to find.
  America 'must consider banning rootkits'
  17th, February, 2006

Perhaps the best way to deal with rootkits is to outlaw them. At least when it comes to such mishaps as the Sony BMG Music Entertainment fiasco, that's what an official from the Department of Homeland Security suggested Thursday. "The recent Sony experience shows us that we need to be thinking about how we ensure that consumers are not surprised by what their software programs do," Jonathan Frenkel, director of law-enforcement policy at the US Department of Homeland Security said in a speech in San Jose at the 2006 RSA Conference.
  Locking down America's Net defenses
  17th, February, 2006

We'll soon find out, says Andy Purdy, acting director of the National Cyber Security Division of the Department of Homeland Security. Last week, Purdy oversaw the first large-scale mock cyberattack, aimed at gauging the nation's readiness to handle computer-based threats to critical infrastructure. The weeklong exercise, dubbed "Cyber Storm," came three years after the Bush administration signed off on the National Strategy to Secure Cyberspace. Results of the exercise will be made public this summer.
  'Cyber Storm' tests US defences
  13th, February, 2006

Vital US infrastructure including power grids and banking systems have been put under simulated attack in a week-long security exercise called Cyber Storm. The war game drew in 115 agencies from the FBI and CIA to the Red Cross, the Department of Homeland Security said. IT companies and state and foreign governments also played a role in responding to the mock attacks.
  3 accused of inducing ill effects on computers at local hospital
  13th, February, 2006

One day last year, things started going haywire at Northwest Hospital and Medical Center. Key cards would no longer open the operating-room doors; computers in the intensive-care unit shut down; doctors' pagers wouldn't work. This might have been just another computer-virus attack, a common and malicious scheme that sometimes is done for little more than bragging rights. But federal officials say it was something far more insidious.
  Breached! A Security Manager's Nightmare
  14th, February, 2006

It finally happened. We had a security breach that could have severe ramifications for a state agency. I was packing up to leave on a Friday when the webmaster came into my office and shut the door behind him. It was unusual for him to be in the office so late, and he looked particularly nervous. So I took off my coat, set down my briefcase and sat down. He refused the chair I offered him. "OK, what's going on?" I asked.
  Millionaire Hacker Story Not True
  14th, February, 2006

In our news story published on 2 February 2006 entitled "Millionaire charged over hacking affair" we reported that Matthew Mellon, the well-known member of the Mellon family and successful businessman, had been arrested and charged in connection with allegations of phone tapping and illegal access to NHS systems and private medical records for the purpose of blackmailing famous individuals over controversial medical records.
  Extradition hearing begins over Nasa hacker
  15th, February, 2006

Gary McKinnon began the next stage in his fight against extradition to the US to face charges of hacking US Army, Navy, Air Force and NASA computers on Tuesday. The British hacker is facing extradition to the US on charges of hacking and causing damage to US defence sites. If found guilty he could face over $1m in fines and 60 years in jail.
  Poor wireless security 'a liability' warns lawyer
  15th, February, 2006

Companies leave themselves open to legal threats if they fail to secure employees' laptops against wireless hackers in public hotspots, according to a London law firm. The warning for businesses followed an examination of the law by international law firm Charles Russell LLP. While there has been no reported litigation, the legal firm said it would only be a matter of time before poor security practices by U.K. companies would land them in legal tussles.
