Linux Security Week: March 20th 2006

Excerpt: This chapter discusses how cryptography can address the concerns raised in the previous chapter. After explaining what cryptography is and providing a general idea of how it works, we dig into the various types of cryptographic algorithms and see where the strengths and weaknesses of each lie.

news/cryptography/cryptography-in-the-database-the-last-line-of-defense

Phil Zimmermann thinks Zfone is better than the other approaches to secure VoIP, because it achieves security without reliance on a PKI, key certification, trust models, certificate authorities, or key management complexity that bedevils the email encryption world.

news/cryptography/philip-zimmermann-releases-zfone-for-linux

Elliptic Curve Cryptography (ECC) has been gaining momentum as a replacement for RSA public key cryptography largely based on its efficiency, but also because the US National Security Agency (NSA) included it, while excluding RSA, from its Suite B cryptography recommendations. Suite B is a set of algorithms that the NSA recommends for use in protecting both classified and unclassified US government information and systems. Public key cryptography is the basis for tools like ssh as well as Secure Sockets Layer (SSL) for encrypting web traffic. For readers who would like more information, a nice introduction to public key cryptography and the RSA algorithm can be found on Wikipedia.

news/cryptography/an-introduction-to-elliptic-curve-cryptography

(SWP) Sun Wah-PearL Linux Training and Development Centre has an ambitious aim to promote the use of Linux and related Open Source Software (OSS) and Standards. The vendor independent positioning of SWP has been very well perceived by the market. Throughout the last couple of years, SWP becomes the top leading OSS training and service provider in Hong Kong. And in fact we are leading the market direction in some ways.

It's about time I summarize all my February's Security Streams, you can of course go through my January's Security Streams as well, in case you're interested in what was inspiring me to blog during January.

As the global chief security officer at a leading multinational insurance company, Thomas Dunbar has a lot of data to protect, a range of regulations with which to comply and a huge number of employees whose access to corporate IT assets he must manage. The efforts he undertakes on a daily basis to achieve these and other mandates are the primary reasons why the SC Magazine Awards U.S. for 2006 saw him walk away with the title of CSO of the Year.

The newest contender on the block of course is BackTrack, which we have spoken about previously. An innovative merge between WHax and Auditor (WHax formely WHoppix). BackTrack is the result of the merging of two Innovative Penetration Testing live Linux distributions Whax and Auditor, combining the best features from both distributions, and paying special attention to small details, this is probably the best version of either distributions to ever come out.

"US Government Studies Open Source Quality" reads the SlashDot thread, and it certainly sounds interesting. Reading deeper, it links to an article by the Reg titled "Homeland Security report tracks down rogue open source code". The author of the article, Gavin Clarke, doesnt link to the company who performed the study (Coverity) or the report itself. A quick Google search finds the Coverity home page. On the right hand side, under Library, there is a link titled "NEW >> Open Source Quality Report".

Independent security research outfit FrSIRT.com is putting its database of security exploits behind the paid curtain. FrSIRT, previously known as K-Otik, has shut down the public exploits section of its Web site and announced that all exploits and proof-of-concept code will be sold through its subscription-based VNS (Vulnerability Notification Service).

The purpose of this article is to go beyond the basics and explore how social engineering, employed as technology, has evolved over the past few years. A case study of a typical Fortune 1000 company will be discussed, putting emphasis on the importance of education about social engineering for every corporate security program.

A lot of recent phishing events occured, and what should be mentioned is their constant ambitions towards increasing the number of trust points between end users and the mirror version of the original site. The use of SSL and the ease of obtaining a valid certificate for to-be fraudelent domain is a faily simple practice. Phishing is so much more than this, and it even has to do with buying 0day vulnerabilities to keep itself competitive. How should phishing be fought? Educating the end user not to trust that he/she's on Amazon.com, when he just typed it, or enforcing a technological solution to the problem of digital social engineering and trust building?

Lab rats at Microsoft Research and the University of Michigan have teamed up to create prototypes for virtual machine-based rootkits that significantly push the envelope for hiding malware and that can maintain control of a target operating system. The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation.

Mozilla’s Firefox browser claims to provide a safer browsing experience out of the box, but some of the best security features of Firefox are only available as extensions. Here’s a roundup of some of the more useful ones I’ve found.

A group of students at Rome Catholic School are learning how to become the future defenders of cyberspace through a pilot program that officials say is the first of its kind in the country. The program teaches students about data protection, computer network protocols and vulnerabilities, security, firewalls and forensics, data hiding, and infrastructure and wireless security. Most importantly, officials said, teachers discuss ethical and legal considerations in cyber security.

news/network-security/kids-learn-about-cyber-security

Although cost savings and improved communications are luring enterprises to Skype, the popular voice over IP service may violate security policies, industry experts have warned. Burton Group recommended enterprises assess the risks vs. rewards of Skype as the simplest solution for evaluating its use.

news/network-security/skype-branded-danger-to-enterprise-it-security

Employees are now regarded as a greater danger to workplace cyber security than the gangs of hackers and virus writers launching targeted attacks from outside the firewall. That is the perception of 75 per cent of Australian information technology managers who took part in an international IBM security survey.

news/network-security/the-enemy-within-the-firewall

There are many uses for RFID such as supply chain management, but access control is one of the most relevant applications for personal use. Many people use RFID access cards to get into buildings, use elevators, or even open the doors to those special penthouse type hotel suites. Setting up your own front door (or any door for that matter) with an RFID enabled access mechanism is pretty easy.

news/security-projects/how-to-create-rfid-access-for-your-front-door

We discuss network forensics and misuse investigations; different types of devices that may hold suspect data or evidence; introduction to the 7-layer OSI model; network forensics and the role of sniffers and protocol analysis software; the function of network interface cards and layer-2 content inspection; overview of how a NIC works; overview of how a sniffer works; introduction to promiscuous mode; the 4 ways to capture traffic for network forensics; introduction to spanning and mirroring switch ports; introduction to buffered and unbuffered network taps; layer-2 transparent bridging concepts.

We at PaulDotCom security weekly listen to many podcasts in an attempt to assimilate as much information as possible. Each podcast we listen to has its own strengths, and there are few on this list that I would dismiss altogether, but I'll let you be the judge. There have been a few other blog postings related to security podcasts.

With its comprehensive suite of powerful digital imaging products, Adobe software provides the solutions law enforcement agencies need to conduct enhanced forensic investigations. With its unmatched set of image management tools, Adobe Photoshop software is widely used by law enforcement agencies to make digital phtots of suspects and crime scenes clearer for positive identification.

An Israeli couple has been charged with corporate espionage after the two were discovered engineering and distributing a Trojan horse application found to be responsible for several cases of data theft. The Tel Aviv District Attorney filed the 65-page indictment Sunday and announced that prosecutors had entered into a plea bargain agreement with the two defendants. The couple, formerly residents of London, were extradited to Israel.

Prosecutors consider Ruth Haephrati, 29, the ringleader and principal party responsible for the couple's criminal enterprise. According to the indictment, Haephrati was the one who sought out new clients to increase business.

The term 'infosec professional' is almost a contradiction in terms, according to analyst group Gartner, which warns the field of IT security is still finding its feet. The analyst house said there is little agreement on what constitutes professionalism. This means hiring decisions are complicated by a lack of consensus on the skills needed and, as a result, many security problems will remain unsolved until specialists pool their knowledge and experience, Gartner said in a briefing note.

Web applications are currently proving to be one of the most powerful communication and business tool. But they also come with weaknesses and potential risks that network security devices are simply not designed to protect.

On March 4, University of California Berkeley (Cal) played a basketball game against the University of Southern California (USC). With Cal in contention for the PAC-10 title and the NCAA tournament at stake, the game was a must-win. Enter "Victoria." Victoria was a hoax UCLA co-ed, created by Cal's Rally Committee. For the previous week, "she" had been chatting with Gabe Pruitt, USC's starting guard, over AOL Instant Messenger. It got serious. Pruitt and several of his teammates made plans to go to Westwood after the game so that they could party with Victoria and her friends.

A group of European computer researchers have demonstrated that it is possible to insert a software virus into radio frequency identification tags, part of a microchip-based tracking technology in growing use in commercial and security applications. In a paper to be presented Wednesday at an academic computing conference in Pisa, Italy, the researchers plan to demonstrate how it is possible to infect a tiny portion of memory in the chip, which can hold as little as 128 characters of information.

The most popular open-source software is also the most free of bugs, according to the first results of a U.S. government-sponsored effort to help make such software as secure as possible. The so-called LAMP stack of open-source software has a lower bug density--the number of bugs per thousand lines of code--than a baseline of 32 open-source projects analyzed, Coverity, a maker of code analysis tools, announced Monday.

news/server-security/lamp-lights-the-way-in-open-source-security

While past attacks were designed to destroy data, today's attacks are increasingly designed to silently steal data for profit without doing noticeable damage that would alert a user to its presence, the company said. In its previous report, Symantec cautioned that malicious code for profit was on the rise, and this trend continued during the second half of 2005.

The new security standard from BSI, BS7799 3, has been published today. This is titled "Guidelines for Information Security Risk Management", and supports the more general security management standard, ISO27001, which was published last year.

Four out of five inbound emails are designed to deceive the recipient, according to a new report studying the scope of abusive online messages. The Messaging Anti-Abuse Working Group's (MAAWG) Email Metric Report, which analyzed data from more than 127 million mailboxes during last year's fourth quarter, found that more than 142 billion emails either were tagged or blocked before they reached the end user. Another 61.3 billion emails were the victims of dropped connections, the study showed. Nearly 37 billion emails were unaltered before reaching their destination.

news/privacy/report-80-percent-of-emails-out-to-manipulate

A government's position on censorship used to protect its citizenry is dictated by who they are. The well-popularized censorship of Internet content in China by Google and other big players, and criticism of this by the U.S. government, is really just the tip of the iceburg. On Febrary 15, the United States Congress held hearings on the role of U.S. Internet companies like Google, Microsoft, Yahoo and Cisco in suppressing free expression and therefore encouraging repressive tactics by countries like China. The hearings explored the role and the responsibility of these companies for deliberately filtering communications, assisting in the interception of citizen's communications, and using technology to restrict access by citizens to information.

news/privacy/human-rights-and-wrongs-online

We asked the same seven questions of each company. Their answers are reproduced below, with the responses sorted by the companies' names in alphabetical order. What information do you record about searches? Do you store IP addresses linked to search terms and types of searches (image vs. Web)? Weinstein: Any time a search is done on the AOL service or AOL.com, the left rail on the results page offers a list of the most recent searches conducted by that user.

news/privacy/search-firms-surveyed-on-privacy

Although President Bush's proposed budget for fiscal 2007 (starting Oct. 1, 2006) increases spending for key cybersecurity programs, it is not clear how that money would be spent, raising concerns in the information security industry. One of the biggest security-related boosts would be a $35 million infusion to the "critical infrastructure outreach and partnerships" initiative within the Department of Homeland Security. The goal of that effort is to increase cooperation and information sharing among DHS, state and local governments and infrastructure providers. Thirty million dollars of that allocation would go toward implementing partnership plans for private industry verticals like information technology, finance and electrical utilities.

news/government/federal-budget-for-2007-to-boost-cybersecurity

Everyone is in favour of sending hackers to prison for longer, but technology commentator Bill Thompson wonders if our MPs are competent to make good cyber-laws. If all goes to plan and the fuss over ID cards and school governance does not derail the parliamentary timetable, then we will soon have a new Police and Justice Act.

news/government/how-to-legislate-against-hackers

The National Institute of Standards and Technology has released the final standard for securing agency computer systems under the Federal Information Security Management Act. Federal Information Processing Standard 200 [1] sets minimum security requirements for federal systems in 17 security areas. It is the third of three publications required from NIST under FISMA, which requires executive branch agencies to establish consistent, manageable IT security programs for non-national security systems. The intent of FISMA is to implement risk-based processes for selecting and implementing security controls.

news/government/nist-sets-fisma-standards-for-federal-it-systems

I've recently stumbled upon an interesting behaviour of some Linux kernels that may be exploited by a remote attacker to abuse the ID field of IP packets, effectively bypassing the zero IP ID in DF packets countermeasure implemented since 2.4.8 (IIRC).

news/hackscracks/linux-zero-ip-id-vulnerability

A Trojan making the rounds encrypts victims' files and demands a $300 payment to have them decrypted and unlocked, according to a report by security firm Lurhq Threat Intelligence Group. This so-called "ransomware" Trojan, dubbed Cryzip, is the second of its type to emerge in the past 10 months, following the PGPcoder Trojan. It also is the third such Trojan to appear since 1989.

news/hackscracks/trojan-cryzip-extorts-decryption-fee

With security such an important concern for wireless networks, most new Wi-Fi gear has long supported Wi-Fi Protected Access 2 (WPA2), the latest standard for encrypting data sent over the air. As of this month, all Wi-Fi gear will, as the Wi-Fi Alliance is making WPA2 compatibility a mandatory part of its interoperability tests. But there are two kinds of WPA2, and most Wi-Fi phones and many other gadgets support only the lesser version, which was originally designed for home networks.

The International Standards Organization (ISO) last week rejected a security protocol that was backed by some Chinese representatives as an amendment to the group's wireless LAN standard. The ISO turned down the Chinese technology, called the WLAN Authentication and Privacy Infrastructure (WAPI), in voting to adopt the IEEE 802.11i security specification that was developed by the Institute of Electrical and Electronics Engineers Inc., according to a member of the IEEE 802.11 Working Group who asked not to be named because of working group rules.