This week, perhaps the most interesting articles include "How to encrypt email with PGP or GPG," "How to backup your linux system using bash, tar and netcat," and "Securing Your MySQL Installation."


EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.



LinuxSecurity.com Feature Extras:

EnGarde Secure Community 3.0.5 Released - Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.5 (Version 3.0, Release 5). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

pgp Key Signing Observations: Overlooked Social and Technical Considerations - While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.

Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital’s multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe, send an e-mail to the list address with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


Troubleshooting crashed system, stranded 35,000
7th, April, 2006

BART officials promised Thursday to thoroughly investigate why technicians risked working on computers that control trains while the transit system was running, work that crashed BART's main computer, stalled 50 to 60 trains, and stranded 35,000 passengers for more than an hour at the peak of the Wednesday evening commute. "The bottom line is we shouldn't have worked on it (during service hours)," BART spokesman Linton Johnson said. "We shouldn't have been working on it while trains were running."

A Pretty Good Way to Foil the NSA
4th, April, 2006

How easy is it for the average internet user to make a phone call secure enough to frustrate the NSA's extrajudicial surveillance program? Wired News took Phil Zimmermann's newest encryption software, Zfone, for a test drive and found it's actually quite easy, even if the program is still in beta. Zimmermann, the man who released the PGP e-mail encryption program to the world in 1991 -- only to face an abortive criminal prosecution from the government -- has been trying for 10 years to give the world easy-to-use software to cloak internet phone calls.

Password Recovery Speeds
5th, April, 2006

This document shows the approximate amount of time required for a computer or a cluster of computers to guess various passwords. The figures shown are approximate and are the maximum time required to guess each password using a simple brute force "key-search" attack; it may (and probably will) be possible to guess correctly without trying all the combinations shown, using other methods of attack or by having a "lucky guess".

How to encrypt email with PGP or GPG
7th, April, 2006

One of the best ways to protect the privacy of email communications is to use PGP (pretty good privacy) and the Open Source GPG. Unfortunately, even hardcore geeks sometimes find PGP difficult to set up, configure, use, and troubleshoot. Recognizing this problem, No Starch Press has published a simple guide to using PGP and GPG. In "PGP & GPG: Email for the Practical Paranoid" (No Starch Press, April 2006), author Michael Lucas offers an easy-to-read, informal tutorial for communicating securely with PGP.

How To Break Web Software
3rd, April, 2006

It's as certain as death and taxes: hackers will mercilessly attack your Web sites, applications, and services. If you're vulnerable, you’d better discover these attacks yourself, before the black hats do. Now, there's a definitive, hands-on guide to security-testing any Web-based software: How to Break Web Software. Companion CD contains full source code for one testing tool you can modify and extend, free Web security testing tools, and complete code from a flawed Web site designed to give you hands-on practice in identifying security holes. This chapter contains a series of attacks dealing with the concept of state, or the ability to remember information as a user travels from page to page within a site.

Lundquist's Guide To Not Getting Fired for Losing Your Laptop
2nd, April, 2006

How often do we have to read about someone losing a laptop with a bunch of client data? I've included some links to recent stories: Stolen Fidelity Laptop Exposes HP Workers and Lost Fidelity Laptop Stirs Fear of ID Theft. Stop and think for a second. You are a high-powered road warrior jetting around the world making lots of complex but incredibly lucrative financial deals. You lose your laptop with all that important information. You have to call your boss back at the home office. Your next job involves asking customers if they want the large or the super-jumbo Slurpee.

Removing A User From A Linux System
6th, April, 2006

Employee turnover in most organizations runs high. So unless you run a small shop with a stable user base, you need to learn how to clean up after an employee leaves. Too many so-called system administrators do not understand the stakes involved when they manage users. Disgruntled former employees can often cause significant trouble for a company by gaining access to the network.

Passive Visual Fingerprinting of Network Attack Tools
3rd, April, 2006

This paper examines the dramatic visual fingerprints left by a wide variety of popular network attack tools in order to better understand the specific methodologies used by attackers as well as the identifiable characteristics of the tools themselves. The techniques used are entirely passive in nature and virtually undetectable by the attackers. While much work has been done on active and passive operating systems detection, little has been done on fingerprinting the specific tools used by attackers. This research explores the application of several visualization techniques and their usefulness toward identification of attack tools, without the typical automated intrusion detection system’s signatures and statistical anomalies. These visualizations were tested using a wide range of popular network security tools and the results show that in many cases, the specific tool can be identified and provides intuition that many classes of zero-day attacks can be rapidly detected and analyzed using similar techniques.

Network Disruption and Denial of Service
4th, April, 2006

Organisations today invest millions of dollars and thousands of man-hours in building out their IP based infrastructure. However, the question one is often left with is: "Is Denial of Service or Network Disruption something that my enterprise should be concerned with?" Help Net Security has an article that contains a brief self-test that should help you to consider the reality of the threat and how seriously it ought to be pursued.

Honeypots - How to seek them out
6th, April, 2006

Honeypots are used to study the methods and attacks of hackers. The idea is to place one or more special servers in a network. An attacker who cannot differentiate between genuine servers/services and honeypots will, sooner or later, make use of the services offered by a honeypot in his search for a security hole. All his activities on the honeypot are logged.

How to backup your linux system using bash, tar and netcat
4th, April, 2006

I recently ran into the problem of not having enough hard drive space on my Slackware Linux laptop, but was lucky enough to have a much bigger drive sitting around from before and wanted a way to perform a hassle-free, seamless upgrade. I had this idea and it worked pretty well, so I thought I would share it, since I think it's pretty cool and only requires the use of two tools that should be included with all distributions. Sometimes you won't find netcat (known as nc, or ncat as it is sometimes named), and if bash incorporated my server redirections patch that I posted before you wouldn't need it at all, but for now it's required to listen for the incoming connections over the net.

Securing Your MySQL Installation
5th, April, 2006

A MySQL installation should be made as secure as possible to protect databases and other information maintained by the MySQL server from unauthorized access. This article describes potential problem areas about which you should be concerned as a MySQL administrator, and provides guidelines for dealing with them. The issues covered here fall into the following broad categories, which include both local and remote exploits.

Securing a Web Site
6th, April, 2006

Web servers are frequently attacked more than any other host on an organization’s network. In this paper, I will review the current challenges businesses face when hosting a public web site. I will address the various risks that are associated with web servers as well as the most effective methods of mitigating those risks through the design, implementation, and administration of public web sites.

Set up a secure IMAP/POP3 server with Dovecot
7th, April, 2006

Internet Message Access Protocol (IMAP) servers such as Courier-IMAP and Cyrus IMAP may work well, but they’re complicated to install and configure. I'll show you how to set up your mail server quickly and securely using Dovecot, an open source IMAP and Post Office Protocol version 3 (POP3) server for Unix-like operating systems.

What does it mean to build secure Linux?
7th, April, 2006

As the Linux operating system makes ever-deeper inroads into government data centers, agencies need to feel comfortable that the open-source computing infrastructures they're rolling out are indeed secure. In general, firewalls protect enterprise networks from intruders. But enterprises also require other types of protection in case a hacker gets past the firewall. Traditional Unix vendors have always provided added security at the operating-system level, including so-called "trusted" versions designed to provide data centers and security operations with machine-level security. These trusted versions defend against unauthorized access to data and applications.

The man behind OSSTMM
4th, April, 2006

Pete Herzog, founder of ISECOM and creator of the Open Source Security Testing Methodology Manual (OSSTMM) talks with Federico Biancuzzi about the upcoming revision 3.0 of the OSSTMM. I'm Pete Herzog, managing director of ISECOM. I live in a small town in Catalonia just outside of Barcelona. It's also where I work part of the year. The other part of the year I work in the US. ISECOM is a non-profit, registered both here and in New York State, USA, with the aggressive mission to "make security make sense".

How To Break Web Software
4th, April, 2006

It’s as certain as death and taxes: hackers will mercilessly attack your Web sites, applications, and services. If you’re vulnerable, you’d better discover these attacks yourself, before the black hats do. Now, there’s a definitive, hands-on guide to security-testing any Web-based software: How to Break Web Software. Companion CD contains full source code for one testing tool you can modify and extend, free Web security testing tools, and complete code from a flawed Web site designed to give you hands-on practice in identifying security holes. This chapter contains a series of attacks dealing with the concept of state, or the ability to remember information as a user travels from page to page within a site.

What I Learned at Hacker Camp
4th, April, 2006

For a full day, I would immerse myself in the tricks of the computer hacking trade, getting hands-on training in how scam artists construct the code that wreaks havoc on the world's computers. The key distinction: This is "ethical" hacker boot camp, put on by a company called TechTrain, which hosts about 24 of these intensive training sessions each year.

My drill instructor (read: teacher) is Andrew Whitaker, TechTrain's director of enterprise security, who's had stints protecting online banks, and teaching other financial institutions what's wrong with their security systems, over the last ten years. Before class, he gives me the rundown of what we'll learn: how to use viruses, how to compromise wireless networks and how to evade firewalls.

Leader: Why we need data loss disclosure laws
4th, April, 2006

It goes without saying that most people, in business at least, only admit a mistake for one reason – because they realise they're going to get caught anyway. Nowhere is this more clear than with the issue of disclosing data loss. In California all companies are required by law to inform their customers when data has been breached or lost. Now the whole of the US is looking to introduce such a law and we can only hope the UK and the rest of Europe follow in step.

The Six Dumbest Ideas in Computer Security
5th, April, 2006

There's lots of innovation going on in security - we're inundated with a steady stream of new stuff and it all sounds like it works just great. Every couple of months I'm invited to a new computer security conference, or I'm asked to write a foreword for a new computer security book. And, thanks to the fact that it's a topic of public concern and a "safe issue" for politicians, we can expect a flood of computer security-related legislation from lawmakers. So: computer security is definitely still a "hot topic." But why are we spending all this time and money and still having problems?

Social engineering trumps flaws?
5th, April, 2006

A relatively unknown worm has spread moderately successfully without exploiting any flaws in the Windows operating system, according to data collected by Microsoft's software for removing malicious code. The virus--known as Alcra or Alcan--spreads through popular peer-to-peer file-sharing systems by offering itself up using the names of popular files on program cracking sites. The social engineering has been quite successful: During February, about 250,000 machines had been infected by the program, according to data collected by Microsoft's Malicious Software Removal Tool.

More accurate on the eye
5th, April, 2006

The Home Office identity cards team has reported progress in improving verification by iris scans, but problems with other biometrics apparently persist. In response to questions from Government Computing News, the Home Office has claimed that the technology for iris scanning has improved. It has not, however, made any claims for fingerprints and facial recognition.

Hacking Video - Education Or Marketing Tool?
6th, April, 2006

I sat in my office for about thirty minutes trying to decide if I was going to write this article. I finally came to the conclusion that I would since this information is already freely available on the Internet, and in fact, was posted as part of a government article.

Learning an advanced skillset
6th, April, 2006

It was almost two years ago now that I wrote the SecurityFocus article on TCP/IP skills required for security analysts. That article offered advice on how one can seek employment in the security field through education, training, and a strong focus on TCP/IP. The idea came about from all of the questions this author has been asked on the subject.

An Old Schooler Take On OS Security
7th, April, 2006

Here is something you don't hear often: ten years after I started my career as a UNIX System Administrator, I still enjoy the work. I do think of it as a career, and a potentially rewarding one -- not a stepping-stone to something greater, as many seem to think. There are layers and layers to this work, and it would take a lifetime to learn all that there is to know about the subject. During these years I have developed an understanding of systems that has become like second nature; I have a mental catalog of best practices that came from basic curiosity, experimentation, study, constant usage, and access to the opinions and research of some of the best minds in the field.

RSA Looks To Drown Phishers In Data Flood
1st, April, 2006

A novel tactic to defeat phishers is being employed by Cyota staff: flooding phishing sites with fake bank details to make the real information harder to find. RSA's Cyota division is helping fight phishing attacks by giving the online fraudsters what they want