Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Advisory Watch: March 27th, 2015
Linux Security Week: March 23rd, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

Linux Security Week: March 20th 2006 Print E-mail
User Rating:      How can I rate this item?
Source: Contributors - Posted by Benjamin D. Thomas   
Linux Security Week This week, perhaps the most interesting articles include "An introduction to Elliptic Curve Cryptography," "The 7 myths about protecting your web applications," and "Wi-Fi Security's Personal Problems."

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing a open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration. Feature Extras:

EnGarde Secure Community 3.0.5 Released - Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.5 (Version 3.0, Release 5). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

pgp Key Signing Observations: Overlooked Social and Technical Considerations - While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.

Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital’s multi-faceted security applications. More then just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network. Click to find out more!

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to with "subscribe" as the subject.

Thank you for reading the weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.

  Cryptography in the Database: The Last Line of Defense
  14th, March, 2006

Excerpt: This chapter discusses how cryptography can address the concerns raised in the previous chapter. After explaining what cryptography is and providing a general idea of how it works, we dig into the various types of cryptographic algorithms and see where the strengths and weaknesses of each lie.
  Philip Zimmermann releases Zfone for Linux
  15th, March, 2006

Phil Zimmermann thinks Zfone is better than the other approaches to secure VoIP, because it achieves security without reliance on a PKI, key certification, trust models, certificate authorities, or key management complexity that bedevils the email encryption world.
  An introduction to Elliptic Curve Cryptography
  17th, March, 2006

Elliptic Curve Cryptography (ECC) has been gaining momentum as a replacement for RSA public key cryptography largely based on its efficiency, but also because the US National Security Agency (NSA) included it, while excluding RSA, from its Suite B cryptography recommendations. Suite B is a set of algorithms that the NSA recommends for use in protecting both classified and unclassified US government information and systems. Public key cryptography is the basis for tools like ssh as well as Secure Sockets Layer (SSL) for encrypting web traffic. For readers who would like more information, a nice introduction to public key cryptography and the RSA algorithm can be found on Wikipedia.
  Linux Dictionary
  19th, March, 2006

(SWP) Sun Wah-PearL Linux Training and Development Centre has an ambitious aim to promote the use of Linux and related Open Source Software (OSS) and Standards. The vendor independent positioning of SWP has been very well perceived by the market. Throughout the last couple of years, SWP becomes the top leading OSS training and service provider in Hong Kong. And in fact we are leading the market direction in some ways.
  Febuary's Security Streams
  11th, March, 2006

It's about time I summarize all my February's Security Streams, you can of course go through my January's Security Streams as well, in case you're interested in what was inspiring me to blog during January.
  SC Magazine CSO of the Year: Thomas Dunbar, Global Chief Security Officer, XL Capital
  15th, March, 2006

As the global chief security officer at a leading multinational insurance company, Thomas Dunbar has a lot of data to protect, a range of regulations with which to comply and a huge number of employees whose access to corporate IT assets he must manage. The efforts he undertakes on a daily basis to achieve these and other mandates are the primary reasons why the SC Magazine Awards U.S. for 2006 saw him walk away with the title of CSO of the Year.
  10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery)
  16th, March, 2006

The newest contender on the block of course is BackTrack, which we have spoken about previously. An innovative merge between WHax and Auditor (WHax formely WHoppix). BackTrack is the result of the merging of two Innovative Penetration Testing live Linux distributions Whax and Auditor, combining the best features from both distributions, and paying special attention to small details, this is probably the best version of either distributions to ever come out.
  US Government Studies Open Source Quality
  17th, March, 2006

"US Government Studies Open Source Quality" reads the SlashDot thread, and it certainly sounds interesting. Reading deeper, it links to an article by the Reg titled "Homeland Security report tracks down rogue open source code". The author of the article, Gavin Clarke, doesnt link to the company who performed the study (Coverity) or the report itself. A quick Google search finds the Coverity home page. On the right hand side, under Library, there is a link titled "NEW >> Open Source Quality Report".
  FrSIRT Puts Exploits up for Sale
  17th, March, 2006

Independent security research outfit is putting its database of security exploits behind the paid curtain. FrSIRT, previously known as K-Otik, has shut down the public exploits section of its Web site and announced that all exploits and proof-of-concept code will be sold through its subscription-based VNS (Vulnerability Notification Service).
  Social Engineering Reloaded
  15th, March, 2006

The purpose of this article is to go beyond the basics and explore how social engineering, employed as technology, has evolved over the past few years. A case study of a typical Fortune 1000 company will be discussed, putting emphasis on the importance of education about social engineering for every corporate security program.
  Anti Phishing Toolbars - Can You Trust Them?
  12th, March, 2006

A lot of recent phishing events occured, and what should be mentioned is their constant ambitions towards increasing the number of trust points between end users and the mirror version of the original site. The use of SSL and the ease of obtaining a valid certificate for to-be fraudelent domain is a faily simple practice. Phishing is so much more than this, and it even has to do with buying 0day vulnerabilities to keep itself competitive. How should phishing be fought? Educating the end user not to trust that he/she's on, when he just typed it, or enforcing a technological solution to the problem of digital social engineering and trust building?
  VM Rootkits: The Next Big Threat
  13th, March, 2006

Lab rats at Microsoft Research and the University of Michigan have teamed up to create prototypes for virtual machine-based rootkits that significantly push the envelope for hiding malware and that can maintain control of a target operating system. The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation.
  Useful Firefox Security Extensions
  18th, March, 2006

Mozilla’s Firefox browser claims to provide a safer browsing experience out of the box, but some of the best security features of Firefox are only available as extensions. Here’s a roundup of some of the more useful ones I’ve found.
  Kids Learn About Cyber Security
  13th, March, 2006

A group of students at Rome Catholic School are learning how to become the future defenders of cyberspace through a pilot program that officials say is the first of its kind in the country. The program teaches students about data protection, computer network protocols and vulnerabilities, security, firewalls and forensics, data hiding, and infrastructure and wireless security. Most importantly, officials said, teachers discuss ethical and legal considerations in cyber security.
  Skype Branded Danger To Enterprise IT Security
  16th, March, 2006

Although cost savings and improved communications are luring enterprises to Skype, the popular voice over IP service may violate security policies, industry experts have warned. Burton Group recommended enterprises assess the risks vs. rewards of Skype as the simplest solution for evaluating its use.
  The Enemy Within The Firewall
  16th, March, 2006

Employees are now regarded as a greater danger to workplace cyber security than the gangs of hackers and virus writers launching targeted attacks from outside the firewall. That is the perception of 75 per cent of Australian information technology managers who took part in an international IBM security survey.
  How to Create RFID Access for Your Front Door
  17th, March, 2006

There are many uses for RFID such as supply chain management, but access control is one of the most relevant applications for personal use. Many people use RFID access cards to get into buildings, use elevators, or even open the doors to those special penthouse type hotel suites. Setting up your own front door (or any door for that matter) with an RFID enabled access mechanism is pretty easy.
  Digital Forensics and Hacking Investigations
  13th, March, 2006

We discuss network forensics and misuse investigations; different types of devices that may hold suspect data or evidence; introduction to the 7-layer OSI model; network forensics and the role of sniffers and protocol analysis software; the function of network interface cards and layer-2 content inspection; overview of how a NIC works; overview of how a sniffer works; introduction to promiscuous mode; the 4 ways to capture traffic for network forensics; introduction to spanning and mirroring switch ports; introduction to buffered and unbuffered network taps; layer-2 transparent bridging concepts.
  Security Podcasts Roundup
  13th, March, 2006

We at PaulDotCom security weekly listen to many podcasts in an attempt to assimilate as much information as possible. Each podcast we listen to has its own strengths, and there are few on this list that I would dismiss altogether, but I'll let you be the judge. There have been a few other blog postings related to security podcasts.
  Photoshop Concepts For Law Enforcement
  13th, March, 2006

With its comprehensive suite of powerful digital imaging products, Adobe software provides the solutions law enforcement agencies need to conduct enhanced forensic investigations. With its unmatched set of image management tools, Adobe Photoshop software is widely used by law enforcement agencies to make digital phtots of suspects and crime scenes clearer for positive identification.
  Married Couple Indicted for Corporate Espionage
  14th, March, 2006

An Israeli couple has been charged with corporate espionage after the two were discovered engineering and distributing a Trojan horse application found to be responsible for several cases of data theft. The Tel Aviv District Attorney filed the 65-page indictment Sunday and announced that prosecutors had entered into a plea bargain agreement with the two defendants. The couple, formerly residents of London, were extradited to Israel.

Prosecutors consider Ruth Haephrati, 29, the ringleader and principal party responsible for the couple's criminal enterprise. According to the indictment, Haephrati was the one who sought out new clients to increase business.
  'Security pro' - an oxymoron?
  14th, March, 2006

The term 'infosec professional' is almost a contradiction in terms, according to analyst group Gartner, which warns the field of IT security is still finding its feet. The analyst house said there is little agreement on what constitutes professionalism. This means hiring decisions are complicated by a lack of consensus on the skills needed and, as a result, many security problems will remain unsolved until specialists pool their knowledge and experience, Gartner said in a briefing note.
  The 7 myths about protecting your web applications
  15th, March, 2006

Web applications are currently proving to be one of the most powerful communication and business tool. But they also come with weaknesses and potential risks that network security devices are simply not designed to protect.
  Basketball Social Engineering
  15th, March, 2006

On March 4, University of California Berkeley (Cal) played a basketball game against the University of Southern California (USC). With Cal in contention for the PAC-10 title and the NCAA tournament at stake, the game was a must-win. Enter "Victoria." Victoria was a hoax UCLA co-ed, created by Cal's Rally Committee. For the previous week, "she" had been chatting with Gabe Pruitt, USC's starting guard, over AOL Instant Messenger. It got serious. Pruitt and several of his teammates made plans to go to Westwood after the game so that they could party with Victoria and her friends.
  Study Says RFID Tags Are Vulnerable To Viruses
  15th, March, 2006

A group of European computer researchers have demonstrated that it is possible to insert a software virus into radio frequency identification tags, part of a microchip-based tracking technology in growing use in commercial and security applications. In a paper to be presented Wednesday at an academic computing conference in Pisa, Italy, the researchers plan to demonstrate how it is possible to infect a tiny portion of memory in the chip, which can hold as little as 128 characters of information.
  LAMP lights the way in open-source security
  16th, March, 2006

The most popular open-source software is also the most free of bugs, according to the first results of a U.S. government-sponsored effort to help make such software as secure as possible. The so-called LAMP stack of open-source software has a lower bug density--the number of bugs per thousand lines of code--than a baseline of 32 open-source projects analyzed, Coverity, a maker of code analysis tools, announced Monday.
  Top 50 malicious code samples reveals secrets
  16th, March, 2006

While past attacks were designed to destroy data, today's attacks are increasingly designed to silently steal data for profit without doing noticeable damage that would alert a user to its presence, the company said. In its previous report, Symantec cautioned that malicious code for profit was on the rise, and this trend continued during the second half of 2005.
  BS7799 Ver 3 Security Standard Published
  17th, March, 2006

The new security standard from BSI, BS7799 3, has been published today. This is titled "Guidelines for Information Security Risk Management", and supports the more general security management standard, ISO27001, which was published last year.
  Report: 80 percent of emails out to manipulate
  14th, March, 2006

Four out of five inbound emails are designed to deceive the recipient, according to a new report studying the scope of abusive online messages. The Messaging Anti-Abuse Working Group's (MAAWG) Email Metric Report, which analyzed data from more than 127 million mailboxes during last year's fourth quarter, found that more than 142 billion emails either were tagged or blocked before they reached the end user. Another 61.3 billion emails were the victims of dropped connections, the study showed. Nearly 37 billion emails were unaltered before reaching their destination.
  Human Rights and Wrongs Online
  14th, March, 2006

A government's position on censorship used to protect its citizenry is dictated by who they are. The well-popularized censorship of Internet content in China by Google and other big players, and criticism of this by the U.S. government, is really just the tip of the iceburg. On Febrary 15, the United States Congress held hearings on the role of U.S. Internet companies like Google, Microsoft, Yahoo and Cisco in suppressing free expression and therefore encouraging repressive tactics by countries like China. The hearings explored the role and the responsibility of these companies for deliberately filtering communications, assisting in the interception of citizen's communications, and using technology to restrict access by citizens to information.
  Search firms surveyed on privacy
  15th, March, 2006

We asked the same seven questions of each company. Their answers are reproduced below, with the responses sorted by the companies' names in alphabetical order. What information do you record about searches? Do you store IP addresses linked to search terms and types of searches (image vs. Web)? Weinstein: Any time a search is done on the AOL service or, the left rail on the results page offers a list of the most recent searches conducted by that user.
  Federal Budget For 2007 To Boost Cybersecurity
  11th, March, 2006

Although President Bush's proposed budget for fiscal 2007 (starting Oct. 1, 2006) increases spending for key cybersecurity programs, it is not clear how that money would be spent, raising concerns in the information security industry. One of the biggest security-related boosts would be a $35 million infusion to the "critical infrastructure outreach and partnerships" initiative within the Department of Homeland Security. The goal of that effort is to increase cooperation and information sharing among DHS, state and local governments and infrastructure providers. Thirty million dollars of that allocation would go toward implementing partnership plans for private industry verticals like information technology, finance and electrical utilities.
  How To Legislate Against Hackers
  16th, March, 2006

Everyone is in favour of sending hackers to prison for longer, but technology commentator Bill Thompson wonders if our MPs are competent to make good cyber-laws. If all goes to plan and the fuss over ID cards and school governance does not derail the parliamentary timetable, then we will soon have a new Police and Justice Act.
  NIST sets FISMA Standards For Federal IT Systems
  17th, March, 2006

The National Institute of Standards and Technology has released the final standard for securing agency computer systems under the Federal Information Security Management Act. Federal Information Processing Standard 200 [1] sets minimum security requirements for federal systems in 17 security areas. It is the third of three publications required from NIST under FISMA, which requires executive branch agencies to establish consistent, manageable IT security programs for non-national security systems. The intent of FISMA is to implement risk-based processes for selecting and implementing security controls.
  Linux Zero IP ID Vulnerability?
  15th, March, 2006

I've recently stumbled upon an interesting behaviour of some Linux kernels that may be exploited by a remote attacker to abuse the ID field of IP packets, effectively bypassing the zero IP ID in DF packets countermeasure implemented since 2.4.8 (IIRC).
  Trojan Cryzip Extorts Decryption Fee
  18th, March, 2006

A Trojan making the rounds encrypts victims' files and demands a $300 payment to have them decrypted and unlocked, according to a report by security firm Lurhq Threat Intelligence Group. This so-called "ransomware" Trojan, dubbed Cryzip, is the second of its type to emerge in the past 10 months, following the PGPcoder Trojan. It also is the third such Trojan to appear since 1989.
  Wi-Fi Security's Personal Problems
  13th, March, 2006

With security such an important concern for wireless networks, most new Wi-Fi gear has long supported Wi-Fi Protected Access 2 (WPA2), the latest standard for encrypting data sent over the air. As of this month, all Wi-Fi gear will, as the Wi-Fi Alliance is making WPA2 compatibility a mandatory part of its interoperability tests. But there are two kinds of WPA2, and most Wi-Fi phones and many other gadgets support only the lesser version, which was originally designed for home networks.
  ISO Rejects China's WAPI Wireless Security Protocol
  16th, March, 2006

The International Standards Organization (ISO) last week rejected a security protocol that was backed by some Chinese representatives as an amendment to the group's wireless LAN standard. The ISO turned down the Chinese technology, called the WLAN Authentication and Privacy Infrastructure (WAPI), in voting to adopt the IEEE 802.11i security specification that was developed by the Institute of Electrical and Electronics Engineers Inc., according to a member of the IEEE 802.11 Working Group who asked not to be named because of working group rules.

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

< Prev   Next >


Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
FBI Quietly Removes Recommendation To Encrypt Your Phone
And the prize for LEAST SECURE BROWSER goes to ... Chrome!
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.