Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Security Week: March 23rd, 2015
Linux Advisory Watch: March 20th, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

Linux Security Week: March 6th 2006 Print E-mail
User Rating:      How can I rate this item?
Source: Contributors - Posted by Benjamin D. Thomas   
Linux Security Week This week, perhaps the most interesting articles include "Public Sector Security Conference Will Stress Importance Of Usability," "How to setup penetration testing exercises," and "IT departments taking over physical security."

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing a open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration. Feature Extras:

EnGarde Secure Community 3.0.4 Released - Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

pgp Key Signing Observations: Overlooked Social and Technical Considerations - While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.

Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital’s multi-faceted security applications. More then just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network. Click to find out more!

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to with "subscribe" as the subject.

Thank you for reading the weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.

  New Gmail Vulnerability leads to Remote Javascript Execution
  1st, March, 2006

A recently discovered vulnerability in Google Gmail allows automatic javascript execution when using the preview function. While Google filters javascript sent among Gmail accounts, e-mail from outside accounts such as Yahoo! are not filtered.
  Public Sector Security Conference Will Stress Importance Of Usability
  1st, March, 2006

Increasingly computer security is focusing on the human component within a system. About five years ago, security research and practice accepted that most users do not comply with security policies, which is what makes attacks on computer systems possible. People are the weakest link in the security chain and, as reformed hacker Kevin Mitnick points out, social engineering attacks succeed because hackers now make the effort to acquire knowledge of these human factors, whereas the designers of security systems do not.
  How to setup penetration testing exercises.
  2nd, March, 2006

Based on the many responses we got regarding the 'Packetslinger' diary, here a few notes on how to setup a penetration/cracking exercise. As a remark: Laws change from area to area. Whatever you do, check your local laws and regulations. Corporate policies, university ethics guidelines and ISP contracts may have to be consulted. Any attack, even as simple as a portscan, should only be performed with written permission. Even in a lab environment, it may be a good exercise to go through the motions of obtaining written permission from the instructor. It is not always easy to identify the person who has to provide permission. But in general, this should be the 'network owner'. Remember that part of a corporate network may be owned by an ISP, and not the company (or university).
  Spreading Security Awareness For OS X
  28th, February, 2006

I am 25 years old and a current resident of Columbus, Ohio. I have been publicly active in the computer security scene since around 1998. Most of my research was published through Secure Network Operations, where I served as the Head of Research and Development. Since SNOSoft has dissolved, I have been focusing my time on a project called Digital Munition.
  BP Oils The Wheels Of Heated Security Debate
  29th, February, 2006

BP has provoked heated debate in the UK technology industry with plans to move thousands of laptops off its LAN claiming it will make the business more secure. BP said hiding behind a firewall simply creates a false sense of security and so 18,000 of its 85,000 laptops now connect straight to the internet, even when they are in an office.
  Professor Criticized For Online-Attack Test
  1st, March, 2006

A final practical test for a computer-security class has network administrators up in arms. According to handlers at the SANS Institute, a professor at a university (both have been promised anonymity) has assigned his students homework requiring them to perform attack reconnaissance on an Internet server.
  Cyberthieves Silently Copy Your Passwords as You Type
  27th, February, 2006

Most people who use e-mail now know enough to be on guard against "phishing" messages that pretend to be from a bank or business but are actually attempts to steal passwords and other personal information.
  Do We Really Need To Have IPv6 When Nat Conserves Address Space And Aids Security?
  28th, February, 2006

Internet: Love it or hate it, Network Address Translation will not be going away soon. It is a common belief that IP addresses are running out. Every device on a network needs to be uniquely identified by its IP address, and the problem is that there are simply not enough IPv4 addresses.
  Hunt Intensifies for Botnet Command & Controls
  2nd, March, 2006

Operating under the theory that if you kill the head, the body will follow, a group of high-profile security researchers is ramping up efforts to find and disable the command-and-control infrastructure that powers millions of zombie drone machines, or bots, hijacked by malicious hackers.
  Businesses Back New Professional Body to Raise IT Security Standards
  27th, February, 2006

A new professional body for information security professionals launched today (Monday 27 February) will help raise the standards of IT security across the UK, leading employers have said. The Institute for Information Security Professionals has won backing from major UK firms, which plan to use it as a benchmark for hiring IT security staff.
  Rootkit Hunting vs. Compromise Detection
  1st, March, 2006

The presentation I gave in Washington, D.C., at Black Hat Federal Conference in January 2006. It's about new generation of stealth malware, so called Stealth by Design (SbD) malware, which doesn't use any of the classic rootkit technology tricks, but still offers full stealth! The presentation also focuses on limitations of the current anti-rootkit technology and why it’s not useful in fighting this new kind of SbD malware. Consequently, alternative method for compromise detection is advocated in this presentation, Explicit Compromise Detection (ECD), as well as the challenges which Independent Software Vendors encounter when trying to implement ECD for Windows systems.
  Apache .htaccess tweaking tutorial
  28th, February, 2006

In this tutorial we are going to improve our website by tweaking out the .htaccess file. Why I wrote this article? Because on the net I have found many articles about this little beast, but every one of them dealt with a specific issue and not look at the overall usage of these files, or they are just too big when you need to do a thing in little time. So I’m trying to collect all the useful bits of data in a monolithic but slim tutorial, which will be updated as I collect more information. But first, let’s see what .htaccess file is.
  Common Insecurity
  1st, March, 2006

What do people who renew their driver's licenses, buy hard liquor or donate to a home for elderly and disabled veterans have in common? In New Hampshire, people who did any of those things within the past six months may have had their credit card numbers stolen because of computer security issues (see N.H. state server eyed in possible credit card data breach ).
  Oracle patches 11i Security Flaws
  1st, March, 2006

Oracle has issued an upgrade to its E-Business Suite 11i diagnostics module containing a number of the security fixes, according to applications security firm Integrigy. In releasing the upgrade, Oracle made an usual move by alerting its users about the security patches, according to Integrigy's advisory. Historically, the software maker has released product upgrades but not disclosed whether they included security fixes, Integrigy noted.
  How secure is open source?
  27th, February, 2006

Received wisdom would have it that transparency makes systems more secure by allowing anyone to view the underlying software code, identify bugs and make peer-reviewed changes. Computer security and cryptography expert Bruce Schneier certainly adheres to that theory. He's been saying engineers should "demand open source code for anything related to security" since 1999. But not all security experts agree.
  Google Hacking: Ten Simple Security Searches That Work
  27th, February, 2006

Google has become the de facto standard in the search arena. It's easy, quick and powerful. For those same reasons that the general user has gravitated to Google, so have the hackers. And as we all know, if the hackers use, the security professionals need to utilize it as well. And it doesn't hurt to have Johnny Long (with help from Ed Skoudis) showing you the ropes. Enjoy this highly informative book. We did!
  How to bypass your BIOS Password
  28th, February, 2006

Basic BIOS password crack - works 9.9 times out of ten. This is a password hack but it clears the BIOS such that the next time you start the PC, the CMOS does not ask for any password. Now if you are able to bring the DOS prompt up, then you will be able to change the BIOS setting to the default.
  Ernst & Young fails to disclose high-profile data loss
  28th, February, 2006

Ernst and Young should go ahead and pony up for its own suite of transparency services. The accounting firm failed to disclose a high profile loss of customer data until being confronted by The Register.

Ernst and Young has lost a laptop containing data such as the social security numbers of its customers. One of the people affected by the data loss appears to be Sun Microsystems CEO Scott McNealy, who was notified that his social security number and personal information have been compromised. While pushing all out transparency for its customers, Ernst and Young failed to cop to the security breach until contacted by us.
  Ernst & Young loses four more laptops
  1st, March, 2006

Ernst and Young appears set on establishing a laptop loss record in February. The accounting giant has lost four more systems, according to a report in the Miami Herald. A group of Ernst and Young auditors toddled off for lunch on 9 February, leaving their laptops in an office building conference room. According to security footage, two men entered the conference room a couple of minutes after the Ernst and Young staffers left and walked off with four Dell laptops valued at close to $8,000, the paper reported.
  Who's Reading Your Cell's Text Messages?
  1st, March, 2006

Next, Bubrouski's phone started receiving SMS sports scores and news from ESPN, the sports cable network, which had struck up a partnership with Verizon.
  IT departments taking over physical security
  2nd, March, 2006

As firms move towards converged voice-data IP networks, IT departments will increasingly become responsible for the physical security of buildings via deployment of systems such as biometric access controls, IP-CCTV and card readers, new research has predicted. A third of the IT directors surveyed in a new study by research firm Vanson Bourne Limited said that, as a result of being able to control physical security systems over IP, the area of "security over IP" will become their responsibility. In the manufacturing sector, 57 percent expected their departments to become responsible for physical security, and in the retail, distribution and transport sector it was 32 percent. In other commercial sectors, it rose to 36 percent, while it fell to only 6 percent in the financial services sector.
  eDiscovery Challenges
  3rd, March, 2006

During the past two decades, the shift from paper to electronic filing of business documents introduced a new challenge: meeting the requirements of litigation discovery. Not only are organizations keeping more information; the vast amounts of email messages and other types of documents are typically not organized in a way that facilitates quick, cost effective extraction from personal and enterprise storage.

If you’re responsible for the security of your company’s information, your role extends to protecting documents required by discovery requests. Are you prepared to assure your executive management, or to testify, that you’ve done everything reasonable and appropriate to meet the court’s expectations?
  Manage Your Own Identity Online
  27th, February, 2006

Computer users' identity information is managed online today by several different data collection agencies. But imagine the freedom people would feel changing their address with one keystroke? Microsoft is working on such technology with its InfoCard identity metasystem. Now IBM, Novell and startup Parity Communications are joining the Eclipse open software foundation and Harvard Law School's Berkman Center for Internet & Society to tackle the challenge.

The three companies and are contributing code to the "Higgins Project," designed to give people more control over their online identity information.
  Feds: Google's privacy concerns Unfounded
  27th, February, 2006

The U.S. Justice Department has denied requesting anything from Google that could threaten the privacy of the search engine's users, as the company recently contended. And by trying to block the government's efforts to review a week's worth of search terms, Google is holding up efforts to protect children from pornography, according to a brief filed Friday by the Justice Department.
  IBM-led Group Backs New Identity Manager Tool
  28th, February, 2006

IBM and Novell Monday announced their support for an open source project aiming to give users more control over how information such as passwords and financial details are shared across multiple Web sites.
  Search Engines Are At the Center Of Privacy Debate
  1st, March, 2006

At the center of the square off over the access to private personal data online -- a much publicized debate that extends from Beijing to Washington -- stands an uncertain arbiter: the search engine. The companies that operate the most popular search engines -- Google, Yahoo and Microsoft -- are making decisions about how the information they collect about user behavior should be protected, in some cases from the eyes of governments that want to take a closer look but lack a clear legal right to do so.
  Got Data? Beware Privacy Pitfalls, Big Brother
  2nd, March, 2006

With controversy swirling around ID theft and electronic surveillance by the government, what should corporations do to protect customer data? Jim Dempsey, policy director at The Center for Democracy & Technology (CDT), spells out controversial advice such as "gather less data" and seemingly dire warnings such as "if you gather the data, the government will come calling." Whether you view CDT as an advocate or an adversary, its voice is being heard on Capitol Hill, so it's important to be aware of its stance on important corporate data policies and related issues.
  Communicating with Confidence
  3rd, March, 2006

Along with the benefits of networked systems – easy information sharing and the ability to work wherever and whenever – comes responsibility. Professionals in all industries have the responsibility to protect their customers’ (and their own) confidentiality. When professionals access their office networks and exchange information with other organisations, confidentiality is paramount, though not always easy to achieve.
  Confab To Examine Security Of Utility, Other Control Systems
  28th, February, 2006

Professionals concerned with securing the systems that run water and electric utilities, dams, railways and other critical infrastructures are gathering this week in Florida to understand better the challenges facing them and learn how to defend their systems.
  State Launches e-Passports, Rejects Security Concerns
  28th, February, 2006

The State Department started pilot production of electronic passports earlier this month and plans to roll out e-passports for the general public this summer, officials said. The senior official in charge of the project also said that technical issues raised recently about e-passport security would not prevent the general distribution of the documents.
  IRS Needs To Tighten Security Settings: TIGTA
  28th, February, 2006

The IRS has not consistently maintained the security settings it established and deployed under a common operating environment (COE), resulting in a high risk of exploitation for some of its computers, according to the Treasury Department’s inspector general for tax administration.
  OMB Delivers Positive IT Security Report
  2nd, March, 2006

The Office of Management and Budget today presented its report on managing information security systems to Congress. The report showed steady progress in closing security gaps in federal agencies.
  Computer Ills Hinder NSA
  3rd, March, 2006

Two technology programs at the heart of the National Security Agency's drive to combat 21st-century threats are stumbling badly, hampering the agency's ability to fight terrorism and other emerging threats, current and former government officials say. One is Cryptologic Mission Management, a computer software program with an estimated cost of $300 million that was designed to help the NSA track the implementation of new projects but is so flawed that the agency is trying to pull the plug. The other, code-named Groundbreaker, is a multibillion-dollar computer systems upgrade that frequently gets its wires crossed.

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

< Prev   Next >


Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Tech Companies, Privacy Advocates Call for NSA Reform
Google warns of unauthorized TLS certificates trusted by almost all OSes
How Kevin Mitnick hacked the audience at CeBIT 2015
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.