Linux Security Week: February 27th 2006
Source: Contributors - Posted by Benjamin D. Thomas   
This week, perhaps the most interesting articles include "Penetration Tester's Open Source Toolkit," "Network Filtering by Operating System," and "Recover Passwords Using the Power of Multiple Computers."

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.

Feature Extras:

EnGarde Secure Community 3.0.4 Released - Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

pgp Key Signing Observations: Overlooked Social and Technical Considerations - While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.

Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital’s multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network. Click to find out more!

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to with "subscribe" as the subject.

Thank you for reading the weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.

  US boffins tune up optical quantum cryptography
  21st, February, 2006

A team of Los Alamos National Laboratory scientists, in collaboration with researchers from the National Institute of Standards and Technology in Boulder, Colo., and Albion College, in Albion, Mich., have achieved quantum key distribution (QKD) at telecommunications industry wavelengths in a 50-kilometer (31 mile) optical fiber. According to the researchers, the work could accelerate the development of QKD for secure communications in optical fibers at distances far beyond current technological limits.
  Perimeter Defense Is Not Enough
  20th, February, 2006

Up until now, the primary basis for almost all security strategies has been the moat and castle model, whereby a strong perimeter is established that divides the network into a trusted interior and untrusted exterior. It’s a model that has served well in the past, but due to the emergence of two new market trends, it now represents a significant liability.
  Security Podcasts
  23rd, February, 2006

Do you want to listen to four and a half hours of security podcasts? Well, you don’t have to because I did. Here are the highlights from podcasts released this last week.

How Local Area Networks Work, Part 1 37:09 If you don't know the difference between DHCP and static IP, then this is the podcast for you! Next week promises to be a little more interesting when they get into the problems with ARP.
  John the Ripper 1.7, by Solar Designer
  23rd, February, 2006

Federico Biancuzzi interviews Solar Designer, creator of the popular John the Ripper password cracker. Solar Designer discusses what's new in version 1.7, the advantages of popular cryptographic hashes, the relative speed at which many passwords can now be cracked, and how one can choose strong passphrases (forget passwords) that are harder to break.
  Review: Penetration Tester’s Open Source Toolkit
  24th, February, 2006

The Penetration Tester’s Open Source Toolkit is a new offering from Syngress that primarily focuses on using the Auditor live CD. The 200605-02-ipw2100 version comes included with the book; if you have an IPW2200 wireless interface in your laptop, though, the 802.11x tools won’t work as it doesn’t include the proper driver.

The book walks through using a number of Open Source or free tools for overall reconnaissance, enumeration, and scanning (most of which everyone’s seen before), but then it delves into database, web application, and wireless testing as well as network devices. There’s a chapter on “Writing Open Source Security Tools”, but it’s a little misleading as it’s a quick guide to writing security tools without any real discussion of open source development or what it means other than an appendix that briefly includes and talks about the GPL and why it’s good.
  Dismantle Piece
  22nd, February, 2006

Since my first reading of last month's cautionary CSO Undercover column, 'To Convergence (and Back),' I've been brooding about its meaning. In case you missed it, our anonymous author recounted what happened when a change in company leadership resulted in the blunt-force dismantling of his carefully architected, risk-based security program. Reasonable people can disagree over whether converged security governance is in all cases the right approach, but what happened in our columnist's company went well beyond a difference of opinion over organizational strategy.
  Strict Liability For Data Breaches?
  21st, February, 2006

A recent case involving a stolen laptop containing 550,000 people's full credit information sheds new light on what "reasonable" protections a company must make to secure its customer data - and what customers need to prove in order to sue for damages.
  Curing Malware Infections
  21st, February, 2006

When panic-stricken customers or users call for help with systems that have gone kablooey, the culprit is probably a malware infection. Common complaints from malware infections include dying audio, blinking video, even a system that mysteriously turns itself on and off. The reasons for infection can vary, too. Maybe the customers simply lowered their security settings...or failed to update the security software you already installed...or just had a spate of bad luck.
  Network Filtering by Operating System
  20th, February, 2006

You manage a heterogeneous network and want to provide different Quality of Service agreements and network restrictions based on the client operating system. With pf and altq, you can now limit the amount of bandwidth available to users of different operating systems, or force outbound web traffic through a transparent filtering proxy. This article describes how to install pf, altq, and Squid on your FreeBSD router and web proxy to achieve these goals.
  Domain Name Service as an IDS
  23rd, February, 2006

How DNS can be used for detecting and monitoring badware in a network.
  Preventing SSH Dictionary Attacks With DenyHosts
  20th, February, 2006

DenyHosts is a tool that observes login attempts to SSH, and if it finds failed login attempts again and again from the same IP address, DenyHosts blocks further login attempts from that IP address by putting it into /etc/hosts.deny. DenyHosts can be run by cron or as a daemon.
  Linux worm targets PHP flaw
  21st, February, 2006

Internet ne'er do wells have created a Linux worm which uses a recently discovered vulnerability in XML-RPC for PHP, a popular open source component used in many applications, to attack vulnerable systems. The Mare-D worm also tries to take advantage of a security flaw in Mambo to spread. If successful, the worm installs an IRC-controlled backdoor on compromised systems.
  The Truth About Rootkits
  21st, February, 2006

Rootkits are dangerous - perhaps the most dangerous piece of software in an attacker's arsenal. But competent policies and a sound architecture offer more protection than you might think.
  Security experts see vulnerabilities in embedded databases
  22nd, February, 2006

With Oracle Corp.’s purchase last week of open-source embedded software maker SleepyCat Software Inc., at least one security analyst believes that Oracle -- which has come under fire for security vulnerabilities in its core database -- could be adding more potential problems. SleepyCat’s BerkeleyDB database has been deployed more than 200 million times, according to London-based research firm Ovum Ltd. Those deployments range from network routers and cell phones to business applications and popular Web sites.
  AIDE 0.11 Released
  20th, February, 2006

This is probably the most overdue release in the history of open source software. It has been more than 2 years since the previous release. The most notable changes since version 0.10 are bug fixes, updated automake/autoconf scripts, use snprintf by Mark Martinec if not in C library, support for more (legacy) Unix systems and cygwin, open files with O_NOATIME on supported Linux systems, and added I/ANF/ARF directives.
  Red Hat Strengthens Security
  20th, February, 2006

Not content to rest on its laurels, Linux leader Red Hat is advancing its security arsenal with a number of enhancements and certifications. Red Hat Certificate System (RHCS) will be updated this year with support for smartcards and automated log-ins on Red Hat, as well as other platforms including Windows servers, desktop and Internet Explorer. RHCS, which evolved from technologies acquired from Netscape in 2004, triggers the deployment and maintenance of user identities via a Public Key Infrastructure (PKI).
  Security Wars: Novell SELinux Killer Rattles Red Hat
  24th, February, 2006

Novell Inc. of Provo, Utah, has released the source code for its recently acquired open-source Linux security application, AppArmor, and has also set up a project site in hopes of attracting outside developers to further refine the program. The release of the software has sparked debate in the open-source community, however.
  Triple Threat To Mac OS X Largely Academic
  24th, February, 2006

At first blush, the past two weeks have not been good for the image of Apple's Mac OS X: Public descriptions of two worms and a trivial exploit for a serious software issue in the operating system appeared on the Internet.
  Malware Honeypot Projects Merge
  24th, February, 2006

Looking to streamline the collection of malware samples, two of the biggest honeypot projects, mwcollect and nepenthes, have merged operations.
  Recover Passwords Using the Power of Multiple Computers
  20th, February, 2006

Elcomsoft Distributed Password Recovery offers administrators a comprehensive solution for recovering passwords to MS-Office documents when employees forget their passwords, or when they deliberately add passwords to documents in an effort to sabotage their companies.
  Got Rootkits? Time to 'Fess Up
  20th, February, 2006

Enterprise software vendors beware. If you have included rootkit-like technology in your products, now is the time to step forward, publicly own up to it, and get rid of it right away. Otherwise some enterprising hacker is going to do it for you. Cases in point are the programmer Mark Russinovich and the research team at software vendor F-Secure. They are prowling the hidden paths of commercial products in search of rootkits. Both were involved in breaking the story on the Sony rootkit, and both have added Symantec’s Norton SystemWorks to the roster of products with rootkit-like technology built in by the vendor.
  Demystifying Layer 2 Attacks
  21st, February, 2006

The obvious question to ask is why the heck do I care for Layer 2? The obvious answer to this is - no matter how secure you make your TCP/IP fortress, if a hacker can punch in at any of the layers he has the keys of the kingdom. Moreover, most firewalls are not capable of detecting these kinds of attacks. Also, to successfully conduct most of these attacks we have to be on the same segment as the victim. So far VLANs were created as a means of secure LAN talks, but as we will see in the paper, with careful techniques these can also be subverted. Think of the scenario: if the attacker can puncture the stack at Layer 2, he can now control all the above traffic.
  Two-thirds of UK businesses fail to patch
  21st, February, 2006

Nearly two-thirds of UK small businesses are failing to install patches as soon as they are released by vendors, according to a new study. The survey of 449 IT managers by secure email service company Inty, found that 59 percent of UK SMEs do not deploy new application software patches as soon as they are released by vendors. The main reason was the time required to test patches and roll them out to affected computers.
  Managing the Impact of Academic Research on Industry/Government: Conflict or Partnership?
  21st, February, 2006

In the world of Information Security, there is great potential for conflict between the research aims of academics on the one hand, and the interests of industry and government on the other. As just one example, consider the implications of publishing an academic research paper describing a cryptographic flaw in the Data Encryption Standard (DES). Even today, with DES in its original form gradually being phased out in most applications, this would be headline news in the academic community.
  Tracking Data over Bit Torrent
  22nd, February, 2006

Bit Torrent has a reputation of being difficult to find out who is downloading movies, games, documentation, and other information. This is not necessarily true in all cases; any Peer-to-Peer system at some point relies on IPv4 and TCP/IP to make its connections. Because of that, the sender and the receiver can be well known to anyone who is using a program or programs that have robust logging, and other programs that help geolocate where those IP addresses are physically located.
  New Bots Spearhead 2005 Malware Offensive
  22nd, February, 2006

There was a “significant increase” in the number of new malware specimens detected during 2005, with research published today reporting a year on year surge of over 240 percent.
  Official CISSP Study Guide Riddled with Plagiarism
  23rd, February, 2006

The official study guide for the CISSP Exam, created by (ISC)² appears to plagiarise several other works. The plagiarism was first noted by Dr Michael Workman, from the College of Information at Florida State University. In page 406 from the guide it states, "One of the main problems with simple substitution ciphers is that they are so vulnerable to frequency analysis..." It now appears this material was taken directly from the paper, "The Vigenere Cipher"
  Time To Send A Consistent Message On Security
  23rd, February, 2006

One of the great things about the Internet is anonymity. Assuming that you block cookies, you can go wherever you want to go and blend in with the crowd. When it comes to security, however, this user and device transparency creates a slew of problems.
  Interviewing Hackers
  24th, February, 2006

Many articles address the question of how to interview people when trying to fill a technical post. Perhaps the most important part of such an interview is the technical assessment. Here's a technique that we believe can improve the accuracy of technical assessment. The next time you have a candidate for a technical interview, try to gauge his self-study ability by assigning a problem that he never has solved before. If the candidate has never worked on a similar problem, so much the better. Place all available documentation within reach. Give the candidate a computer. Then watch what happens. If the candidate makes good progress towards a solution, tilt your mental scale toward hire.
  Legendary Hacker Mitnick Turns Legit
  24th, February, 2006

As he kneeled down and fumbled around in one of his two computer bags in search of extra business cards, Kevin Mitnick looked like your typical scatter-minded computer geek. Once found, however, his silver-coated card, designed to appear like a miniature kit of lock-breaking tools, embossed with the name of his company - Mitnick Security Consulting - told a different story: that of a formerly notorious computer hacker turned expert on preventing cyber-crime.
  Biometric Science Not Up To Fighting Terrorists
  24th, February, 2006

The science of biometric security “is filled with promise” but still has a long way to go before it can effectively counter the threats of terrorism and identity theft, according to an eminent U.S. scientist.
  Better fingerprint biometrics
  24th, February, 2006

University of Buffalo researchers say they have put their fingers on a way to improve security of wireless handheld devices and Web sites. The findings could also help eliminate the need to remember a dizzying array of passwords and aid forensics specialists, according to Venu Govindaraju, a University of Buffalo professor of computer science and engineering, and director of the school's Center for Unified Biometrics and Sensors (CUBS).
  Private Identities Become A Corporate Focus
  21st, February, 2006

The CEO of Sun Microsystems,--infamous for his pronouncement, "You have zero privacy anyway--Get over it."--took a conciliatory tone on the stage here, allowing that privacy might be something for which consumers should fight. He warned companies that, unless they protect consumer privacy, they could lose out on significant online growth.
  Stronger Laws Needed to Protect Privacy
  23rd, February, 2006

A new report by CDT details a widening gap between the technology that collects sensitive personal data and the laws designed to protect that data against government misuse. The National Security Agency's domestic spying program, the Justice Department's efforts to obtain millions of Internet search records, the government's use of cell phones to track suspects, and other developments highlight the law's failure to keep pace with technological advances, according to "Digital Search & Seizure: Updating Privacy Protections to Keep Pace with Technology." Stronger laws are needed to ensure that Americans retain their constitutional privacy protections, the report finds.
  Low - High Assurance SSL Certificates
  23rd, February, 2006

While we start to see a shift in the market of SSL certificates, with the costs getting lower and lower, especially for low assurance certificates, there are some providers which try to tell you otherwise.
  Secure Or Not, RFID Tag Adoption Is In The Cards
  20th, February, 2006

  GSA Details How HSPD-12 Interoperability Labs Will Work
  22nd, February, 2006

The General Services Administration outlined the final step vendors must take to get products and services on an approved list for Homeland Security Presidential Directive-12.
  Federated Identity 'Can Transform e-Government'
  22nd, February, 2006

Leading public sector IT bosses have told they would welcome moves by the UK government to adopt federated identity in order to provide the public with faster, more efficient access to online services. But one expert believes the government has been too preoccupied with the controversial ID cards project to consider such a solution.
  Coffee shop WiFi for dummies
  20th, February, 2006

My friend Philip is an expert at community activism and is a cracker-jack financial advisor as well. One thing he is not, however - and he would be the first to admit this - is a knowledgeable computer user. Oh sure, he can send emails and cruise the Web, and use Word and Excel, but he doesn't really grok his computer. And one thing he especially doesn't know much about is security. He knows there are bad guys out there, and he knows that he should try to practice safe computing, but he just doesn't know how.
  Mobile Security: Another Hole To Plug
  21st, February, 2006

As companies grant more network and application access via handheld devices such as smart phones, securing the devices is moving up the priority list. That explains why McAfee last week started selling a $30 security platform for mobile devices that identifies and removes viruses, worms, and other malicious applications.
  Utah Man Charged with Bringing down Wireless Internet Services
  22nd, February, 2006

A man skilled in the operation of commercial wireless Internet networks faces federal charges today alleging he intentionally brought down wireless Internet services in the region of Vernal, Utah. U.S. Department of Justice Assistant Attorney General Alice Fisher, Acting United States Attorney Stephen J. Sorenson, and Timothy Fuhrman, Special Agent in Charge of the Federal Bureau of Investigation in Salt Lake City, announced today that Ryan Fisher, age 23, of Vernal, Utah, has been charged in a one-count criminal indictment with intentionally damaging a protected computer. The indictment was returned late Wednesday afternoon.
  Is Your Cell Phone Due For An Antivirus Shot?
  24th, February, 2006

Programs that fight viruses have become a necessary evil on Windows PCs. Now the antivirus industry is turning its attention to mobile phones--but it's running into reluctance from cell service providers, who aren't so sure that the handset is the best place to handle security.
