Linux Security Week: March 13th 2006
Source: Contributors - Posted by Benjamin D. Thomas   
This week, perhaps the most interesting articles include "10 of the Best for Security," "Tips to Secure Linux Workstation," and "How IT security pay stacks up around the globe."

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.

Feature Extras:

EnGarde Secure Community 3.0.5 Released - Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.5 (Version 3.0, Release 5). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

pgp Key Signing Observations: Overlooked Social and Technical Considerations - While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.

Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital's multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network. Click to find out more!

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to with "subscribe" as the subject.

Thank you for reading the weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.

  Distributed Computing Cracks Enigma Code
  6th, March, 2006

More than 60 years after the end of World War II, a distributed computing project has managed to crack a previously uncracked message that was encrypted using the Enigma machine. The M4 Project began in early January, as an attempt to break three original Enigma messages that were intercepted in 1942 and are thought never to have been broken by the Allied forces.
  Thinking Out Loud: In The Age Of Cybercrime
  8th, March, 2006

A few weeks ago, I attended a meeting of university presidents and representatives of the CIA and FBI convened to discuss campus issues related to national security. The goal of the meeting was to establish a dialogue between the federal government and our major universities concerning topics such as immigration policies, export of sensitive technology, the protection of intellectual property and so forth. This was the second meeting of our group that I was able to attend, and I found the discussion to be both positive and hopeful. We are trying to find the proper balance between important national security concerns and our ability to attract the best and brightest talent from around the world, share information internationally and maintain on our campuses an open environment for information exchange.
  10 of the Best for Security
  9th, March, 2006

It must have taken vast amounts of self-discipline to avoid radiating smugness: When American Water was infected by the Sasser worm last year its exposure was limited to just 19 hosts out of a potential 10,000, thanks to early detection and active intervention. During the same period, a sister company suffered 4000 infected machines - virtually its entire infrastructure. "The remediation alone, much less the business interruption quantification, was in excess of a half a million [US] dollars value to us," says American Water director, security, Bruce Larson.
  February's Security Streams
  11th, March, 2006

It's about time I summarize all my February's Security Streams, you can of course go through my January's Security Streams as well, in case you're interested in what was inspiring me to blog during January.
  The Value Of Vulnerabilities
  8th, March, 2006

There is value in finding vulnerabilities. Yet many people believe that a vulnerability doesn't exist until it is disclosed to the public. We know that vulnerabilities need to be disclosed, but what role do vendors have to make these issues public?
  Virus Names Likely A Lost Cause
  10th, March, 2006

In early February, antivirus firms warned customers about a computer virus programmed to delete files on the third of each month, but almost every company called the program by a different name. A month later, the companies still use a hodge-podge of monikers for the program: Blackmal, Nyxem, MyWife, KamaSutra, Blackworm, Tearec and Worm_Grew all describe the same mass-mailing computer virus. The slew of names underscore that--while antivirus companies have been able to agree on the name for some threats, such as the recent Mac OS X worms--at other times, the companies instead go their own way and race to get public acceptance of their name for a particular threat.
  Where's My 0day, Please
  10th, March, 2006

A site I was recently monitoring disappeared these days, so I feel it's about time I blog on this case. I have been talking about the emerging market for software vulnerabilities for quite some time, and it's quite a success to come across that the concept has been happening right there in front of us. Check out the screenshots.
  Avoiding The Spam Trap
  6th, March, 2006

It was a typical first-thing activity. I'd turned my computer on, run the spam filter, and was checking through it for e-mails that shouldn't be there. As sometimes happens, there were a couple, and a couple of clicks later, McAfee SpamKiller sent them on their way to my e-mail. This is a habit that I've formed over the years because I've learned that despite the technology, false positives do exist and sometimes the e-mail that's on the kill list is important.
  Tips to Secure Linux Workstation
  8th, March, 2006

While waiting for ADSL to be enabled in my area, which (I've been told) will happen soon, I did some tinkering with my Gentoo Linux workstation to make it more protected against remote attacks, and I thought of compiling a list of security measures against the dangers of full-time Internet connection. Obviously the list is not complete, but it has tips that can surely help.
  Cyber Criminals Attempt To Dodge Phishing Site Shutdowns
  8th, March, 2006

Online fraudsters have developed a new phishing technique in response to increasingly aggressive moves to identify and shut-down traditional phishing sites. Dubbed "smart redirection attacks," the new threat is designed to ensure that potential phishing victims always link to a live website.
  Security The Priority For Mobile Workforce
  8th, March, 2006

Putting in place an organisation-wide mobility strategy will rise up the IT department agenda in 2006 and this, I am afraid, will cause pain. In many large enterprises, about 20% of the workforce has a company-provided mobile device ... That figure will rise during the next few years. According to research firm Forrester, CIOs in Europe and the US rate mobile workforce issues as a top five priority and CIOs worldwide expect mobile workforce issues to increase in importance.
  Securely deleting files with shred
  9th, March, 2006

Deleting a file with the rm command merely adds a file's data blocks back to the system's free list. A file can be restored easily if its "freed" blocks have not been used again. shred repeatedly overwrites a file's space on the hard disk with random data, so even if a data recovery tool finds your file, it will be unreadable. By default, shred does not delete a file, but you can use the -u or --remove switch to delete it.

You can use shred on a file or entire partitions or disks, but you cannot use shred on the partition from which you are running it. In other words, if you have Ubuntu 5.10 installed on /dev/hda1, you cannot boot into it and run the command shred /dev/hda1. Instead, try using Knoppix or another live CD with shred if you wish to work on an entire partition.
  Firefox To Get Phishing Shield
  9th, March, 2006

An upcoming version of Firefox will include protection against phishing scams, using technology that might come from Google. The phishing shield is a key new security feature planned for Firefox 2, slated for release in the third quarter of this year, Mozilla's Mike Shaver said in an interview Tuesday.
  19 Ways to Build Physical Security into a Data Centre
  9th, March, 2006

Protecting data is not just a job for technologists. It also takes physical security and business continuity experts. At information-intensive companies, data centres don't just hold the crown jewels; they are the crown jewels. Protecting them is a job for whiz-bang technologists, of course. But just as important, it's a job for those with expertise in physical security and business continuity. That's because all the encryption and live backups in the world are a waste of money if someone can walk right into the data centre with a pocket knife, a camera phone and bad intentions.
  Anti Phishing Toolbars - Can You Trust Them?
  12th, March, 2006

A lot of recent phishing events occurred, and what should be mentioned is their constant ambitions towards increasing the number of trust points between end users and the mirror version of the original site. The use of SSL and the ease of obtaining a valid certificate for to-be fraudulent domain is a fairly simple practice. Phishing is so much more than this, and it even has to do with buying 0day vulnerabilities to keep itself competitive. How should phishing be fought? Educating the end user not to trust that he/she's on, when he just typed it, or enforcing a technological solution to the problem of digital social engineering and trust building?
  Hey Neighbor, Stop Piggybacking on My Wireless
  9th, March, 2006

For a while, the wireless Internet connection Christine and Randy Brodeur installed last year seemed perfect. They were able to sit in their sunny Los Angeles backyard working on their laptop computers. But they soon began noticing that their high-speed Internet access had become as slow as rush-hour traffic on the 405 freeway.
  Sniffin Packets
  10th, March, 2006

There are very few open source tools I’ve yet to see that are more useful than Ettercap. What is Ettercap, you may ask? I’ll tell you. Ettercap is an Ethernet/LAN Sniffer. It allows you to sniff packets on a LAN network, but that’s not the kicker. Ettercap can sniff packets on a switched network.

There are two major devices used to connect computers together. A Hub, and a Switch. A hub is a dumb device. It takes the data it receives in one port and simply sends it out all the other ports on the unit, regardless of the destination. Thus, sniffing traffic on a hub is relatively easy- all you have to do is “listen”, and any traffic that goes through the hub is automatically repeated out every port, including the one you happen to be sniffing on.
  LAMP Lights The Way In Open-Source Security
  8th, March, 2006

The most popular open-source software is also the most free of bugs, according to the first results of a U.S. government-sponsored effort to help make such software as secure as possible. The so-called LAMP stack of open-source software has a lower bug density--the number of bugs per thousand lines of code--than a baseline of 32 open-source projects analyzed, Coverity, a maker of code analysis tools, announced Monday.
  Web Application Security Testing Tools
  9th, March, 2006

Web application security is interesting to test, in particular because, unlike most network and operating system testing, most web applications are custom-built. Even when they’re not custom-built, there’s enough diversity out there that simply looking for known problems isn’t good enough. You need to review the application itself.
  Risky Web Sites Account for 5 % of Traffic
  6th, March, 2006

SiteAdvisor was founded by a group of MIT engineers who realized there was a gaping hole in existing Web security products. While traditional security companies had gotten relatively good at addressing technical threats like viruses, they were failing to prevent a new breed of "social engineering" tricks -- scams that trick users into downloading malicious software or signing up at Web sites that send unwanted e-mail or steal personal information.
  Symantec discontinues L0phtcrack
  7th, March, 2006

Four months after announcing that it would no longer ship LC5 (better known as L0phtcrack) to non-US locations, Symantec has officially dropped the entire L0phtcrack product line. L0phtcrack was first produced by L0pht, who merged with @stake in 2000, and was then acquired by Symantec in 2004. When asked why L0phtcrack was being discontinued Symantec replied, "The LC product line no longer fits into Symantec's future product strategy. As a result, Symantec will not be applying any future development resources to this product line and will discontinue all sales."
  Mac OS X Hacked Under 30 Minutes
  6th, March, 2006

Gaining root access to a Mac is "easy pickings," according to an individual who won an OS X hacking challenge last month by gaining root control of a machine using an unpublished security vulnerability. On February 22, a Sweden-based Mac enthusiast set his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.
  EnGarde Secure Linux v3.0.5 Now Available
  10th, March, 2006

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.5 (Version 3.0, Release 5). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and a couple of new packages available for installation.
  Oracle On Track Of Secure Search
  10th, March, 2006

ORACLE, the world's third-biggest software maker, has begun selling software that allows users to search only personal data on their work computers such as email, word documents and calendar appointments. Chief executive Larry Ellison says the California company's new search program "is one of the biggest products in years," and may help draw users away from Google, which also offers software for searching content on computers and operates the world's most-used internet search site.
  Researchers Pioneer Digital Fingerprint Forensics To Nab Cyber Thieves
  10th, March, 2006

Researchers have demonstrated a new forensics technology designed to help catch cyber thieves and digital pirates. The digital fingerprinting technology, which was developed by academics at the University of Maryland's A. James Clark School of Engineering, is designed to help protect digital assets and identify national security leak sources.
  Execs want more IT security improvements
  6th, March, 2006

Information technology security ranked as the area where business executives most desire technological innovation, according to a survey released this week by the Business Software Alliance. In a poll conducted by Forrester Research, the company queried key IT decision makers, nearly a third of whom said their business' survival depends on technological innovation. An additional 46 percent of these leaders said their businesses rely heavily on technological innovation. Out of 11 categories, information security ranked as the top category among areas where these businesses most need innovation.
  How IT security pay stacks up around the globe
  7th, March, 2006

U.S. security professionals tend to be paid more than their foreign counterparts, according to the results of two recent studies from the International Information Systems Security Certification Consortium (ISC2) and the SANS Institute.

On behalf of ISC2, IDC polled 4,305 IT security professionals from the Americas, the Asia-Pacific region, Europe and elsewhere about their salary range, new skills their employers were requiring, and other concerns. The "2005 Global Information Security Workforce Study," published by ISC2 last December, found that more than a quarter of information security professionals in the Asia-Pacific region earned less than $30,000 last year.
  Tougher hacking laws get support
  8th, March, 2006

Both the Tories and Lib Dems have backed government measures to increase penalties for UK computer hackers. Anyone hacking a computer could be punished with 10 years' imprisonment under new laws. The move follows campaigning from Labour MP Tom Harris, whose ideas are now being adopted in the Police and Justice Bill. There will be a clearer outlawing of offences like denial-of-service attacks in which systems are debilitated.
  Experts welcome UK security training body
  9th, March, 2006

Industry experts have welcomed the recent launch of the UK-based Institute of Information Security Professionals (IISP) which aims to improve the training, certification and supply of staff in this field. Analyst firm Gartner said that, if the initiative is successful, it may spur other countries to set up similar institutes. The UK's initiative to form a professional development organisation was taken by information security leaders from business, government and academia.

The body will address two principal concerns: demand for information security expertise increasingly exceeding supply; and managers lacking a way to provide assurance about a job candidate's abilities.
  ISPs must take lead in fighting spam
  9th, March, 2006

ISPs need to take the lead in the fight to curtail the nuisance caused by spam, according to a report by a UN agency this week.
  Internet "Cloaking" Emerges As New Web Security Threat
  9th, March, 2006

Terrorist organizations and other national enemies have launched bogus Web sites that mask their covert information or provide misleading information to users they identify as federal employees or agents, according to Lance Cottrell, founder and chief scientist at Anonymizer of San Diego.
  Sarbanes Oxley in Europe: The EU Data Protection Directive vs. Sarbanes Oxley
  10th, March, 2006

The Sarbanes-Oxley Act of 2002, adopted as a reaction to corporate scandals, has a significant impact on European companies. The reason is simple: Hundreds of European-headquartered companies are dually listed on two stock exchanges, one in Europe and the other in the United States. 470 non-US companies are listed on the New York Stock Exchange, with a combined market capitalization of $3.8 trillion, 30 per cent of the total value of capitalization of companies quoted on the exchange.
  Combating identity theft
  7th, March, 2006

Identity theft is the major security concern facing organisations today. Indeed, for the banking industry, it is the number one security priority for 2006. In a recent survey of security budget holders and influencers of UK banks, 73% of respondents cited identity management as the top transaction security concern.
  Google outspooks the spooks with Total Information Awareness plan
  8th, March, 2006

Google wants to mirror and index every byte of your hard drive, relegating your PC to a "cache", notes on a company PowerPoint presentation reveal. The file accompanied part of Google's analyst day last week. Google has since withdrawn the file, telling the BBC that the information was not intended for publication.
  FBI Cyber Action Teams: Traveling the World to Catch Cyber Criminals
  10th, March, 2006

The Turkish and Moroccan hackers must have thought they had come up with a brilliant moneymaking scheme: release a computer worm into cyber space, then sit back and watch it steal credit card numbers and other financial information from thousands of infected computers around the globe.
  Federal Budget For 2007 To Boost Cybersecurity
  11th, March, 2006

Although President Bush's proposed budget for fiscal 2007 (starting Oct. 1, 2006) increases spending for key cybersecurity programs, it is not clear how that money would be spent, raising concerns in the information security industry. One of the biggest security-related boosts would be a $35 million infusion to the "critical infrastructure outreach and partnerships" initiative within the Department of Homeland Security. The goal of that effort is to increase cooperation and information sharing among DHS, state and local governments and infrastructure providers. Thirty million dollars of that allocation would go toward implementing partnership plans for private industry verticals like information technology, finance and electrical utilities.
  Cyber criminals stepping up targeted attacks
  7th, March, 2006

Cyber criminals are stepping up smaller, more targeted attacks as they seek to avoid detection and reap bigger profits by stealing personal and financial information, according to a report issued Monday. Symantec's Internet Security Threat report said during the second half of 2005 attackers continued to move away from broad attacks seeking to breach firewalls and routers and are now taking aim at the desktop and Web applications.
  Schneier: 'Blame firms not staff for security breaches'
  6th, March, 2006

Security guru Bruce Schneier has hit out at the trend of blaming staff for security breaches, suggesting it's companies which must always face the strongest criticism. Schneier was responding specifically to an exclusive story on last week which reported a social experiment in the City of London which saw free CDs handed out to commuters to ascertain whether they would blindly access them on their work machines, despite knowing nothing of the source or the contents of the CDs.
  Antivirus Groups Fight Over Crossover Sharing
  6th, March, 2006

A virus that spreads from PCs to mobile devices has become the focus of a power play between the antivirus industry and the relatively young Mobile Antivirus Research Association, which obtained the only sample of the program.
