EnGarde Secure Linux is a Linux server distribution that is geared toward providing
an open source platform that is highly secure by default as well as easy to administer.
EnGarde Secure Linux includes a select group of open source packages configured
to provide maximum security for tasks such as serving dynamic websites, high
availability mail transport, network intrusion detection, and more. The Community
edition of EnGarde Secure Linux is completely free and open source, and online
security and application updates are also freely available with GDSN registration.
EnGarde Secure Community 3.0.5 Released - Guardian Digital is happy to announce
the release of EnGarde Secure Community 3.0.5 (Version 3.0, Release 5). This
release includes several bug fixes and feature enhancements to the Guardian
Digital WebTool and the SELinux policy, and several new packages available
for installation.
pgp Key Signing Observations: Overlooked Social and Technical Considerations
- While there are several sources of technical information on using pgp in
general, and key signing in particular, this article emphasizes social aspects
of key signing that are too often ignored, misleading or incorrect in the
technical literature. There are also technical issues pointed out where I
believe other documentation to be lacking. It is important to acknowledge
and address social aspects in a system such as pgp, because the weakest link
in the system is the human that is using it. The algorithms, protocols and
applications used as part of a pgp system are relatively difficult to compromise
or 'break', but the human user can often be easily fooled. Since the human
is the weak link in this chain, attention must be paid to actions and decisions
of that human; users must be aware of the pitfalls and know how to avoid them.
Bulletproof Virus Protection - Protect your network from costly security
breaches with Guardian Digital's multi-faceted security applications.
More than just an email firewall, on-demand and scheduled scanning detects
and disinfects viruses found on the network.
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headlines.
PKI Doesn't Have To Be Perfect To Be
Worthwhile
26th, April, 2006
Nobody ever said implementing a public-key infrastructure would be easy, but a pair of experts at the 2006 International Conference on Network Security said last week that using PKI is often harder than it needs to be. “We haven’t been as successful as I wish we had been,” said Bill Burr of the National Institute of Standards and Technology. “But I think we’ve been more successful than we get credit for.”
In my opinion they did some things well and some things badly. BAD: teaching people to type their password into a website is not a good idea. It violates most corporations' security policies. GOOD: it's a Java applet that appears to run locally, so your password is never sent over the internet. This could change at any time, so I would not recommend you type your password into it.
In the practice of security we have accumulated a number of “rules of thumb” that many people accept without careful consideration. Some of these get included in policies, and thus may get propagated to environments they were not meant to address. It is also the case that as technology changes, the (usually unstated) assumptions behind these bits of conventional wisdom also change. The result is a stale policy that may no longer be effective, or may even be dangerous.
Policies requiring regular password changes (e.g., monthly) are an example of exactly this form of infosec folk wisdom.
Looking to deploy a security information management solution? Before sending out an RFP or RFI, experts say you should consider the following: Begin with the end in mind. Ask yourself what you want to achieve with a SIM system, regardless of how you get there. Pay special attention to the workflow between your security and operations teams, and the reporting requirements of federal regulators such as the Homeland Security Department’s US-CERT. Business process, not network architecture, is what really drives a SIM system.
Many companies are using standards and frameworks to deal with certain aspects of information security. These models can help protect systems and data, but each plays a very different role in an overall security plan. Some of the most popular ones, including the Control Objectives for Information and Related Technology (Cobit), ISO 27001, the IT Infrastructure Library (ITIL) and Statement on Auditing Standards (SAS) No. 70, offer guidelines for improving some elements of security. But experts say these models are more like pieces of a puzzle than comprehensive security standards.
The Critical First Steps in a Successful Incident Response Program
26th, April, 2006
The beginning of an incident can be as subtle as a user calling the help desk to report a “sluggishness” on his or her computer that cannot be explained, or as chaotic as every alarm and pager in the Information Technology department sounding at once. Whether it is noticed by a user or by a detection system, the steps that lead to a successful investigation, containment and resolution of an incident remain the same. The incidents themselves may be as varied as missing files or a network coming to a crawling stop, whether caused by a deliberate outside influence or by a mistake made on the inside of the network. It is an all too common scenario that either has faced or will face every Information Technology (IT) department: incidents will happen, but it is the steps that are taken before an incident occurs that determine whether a successful and quick resolution takes place or a slow and costly battle.
The National Cyber Security Alliance (NCSA) today unveiled the latest initiative in its on-going campaign to educate small businesses about cyber-security issues. Ron Teixeira, executive director of the NCSA, warned that as small businesses continue to rapidly adopt networking, wireless and internet technologies, the lack of security controls within these organizations is becoming more apparent. According to Symantec's 2005 Small Business Information Security Readiness Report, 56 percent of small businesses have experienced at least one security incident in the past year, yet only 30 percent have increased spending on information security solutions.
ITL BULLETIN FOR APRIL 2006: PROTECTING SENSITIVE INFORMATION TRANSMITTED IN PUBLIC NETWORKS
28th, April, 2006
The protection of sensitive information that is transmitted across
interconnected networks is critical to the overall security of an
organization's information and information systems. The Information
Technology Laboratory (ITL) at the National Institute of Standards and
Technology (NIST) recently issued guidance to assist organizations in
strengthening their network security and in lessening the risks
associated with the transmission of sensitive information across
networks. The publication offers practical guidance on implementing
security services based on Internet Protocol Security (IPsec).
Last Thursday, the U.S. Attorney's Office in the Central District of California leveled a single charge of computer intrusion against San Diego-based information-technology professional Eric McCarty, alleging that he used a Web exploit to illegally access an online application system for prospective students of the University of Southern California last June. The security issue--which could have allowed an attacker to manipulate a database of some 275,000 USC student and applicant records--was reported to SecurityFocus last June. An article was published after the university was notified of the issue and fixed the vulnerable Web application.
E-crime Experts Warn Of ‘Enemy Within’
27th, April, 2006
A new survey revealed today that almost half of global e-crime experts believe the biggest threat to organizations’ data comes from “the enemy within," rather than external hackers. Only 11 percent of the IT security professionals from 20 countries who were polled at the recent E-Crime Congress in London argued that external threats, such as hackers and organized cyber-crime, pose a bigger issue. Despite the consensus that employees posed the highest security risk, only ten percent of respondents thought that employees were responsible for a web-security breach. The majority, 74 percent, felt the board of directors was ultimately accountable, while 21 percent felt the responsibility lay within the IT department.
Social Engineering: The Biggest Risk to Internet Security
28th, April, 2006
The unfortunate bottom line of network security problems is that hacking happens because it is allowed to happen. Most cases of fraud could have been prevented if people had just adhered to sensible protocols and properly implemented available security solutions. It cannot be stressed enough that the big problem with IT security is people - you, me, and the vast majority of people in the world who interface with IT systems. It is far easier to get vital information from a person than it is to extract it from a well organized and protected computer system. That seems like a fantastic statement, but it is absolutely true.
Security breaches from computer viruses, spyware, hacker attacks and equipment theft are costing British business billions of pounds a year, according to a survey released Tuesday.
The estimated loss of $18 billion (10 billion pounds) is 50 percent higher than the level calculated two years ago, according to the survey that consultancy PricewaterhouseCoopers conducted for the U.K. Department of Trade and Industry.
The rise comes despite the fact that companies are increasing their spending on information security controls to an average 4 percent or 5 percent of their IT budget, compared with 3 percent in 2004.
So what’s all the fuss? Just install the security patches and you’re safe, right? Unfortunately, no. As IT professionals will attest, it can be extremely difficult to test and apply the necessary patches to every vulnerable computer within an enterprise before exploits become public. Compounding the matter, some patches can actually interfere with, or “break” existing software applications, adding to the time it takes to determine which patches can be applied and which need to be tested within a given organization’s network.
A Survey of DNS Security: Most Vulnerable and Valuable Assets
27th, April, 2006
We collected 593160 unique webserver names from the Yahoo! and DMOZ.org web directories. Since the names were extracted from web directories instead of being generated automatically, they have been filtered through a preliminary level of human scrutiny. Though it is clear that the level of scrutiny is not extremely high (i.e. there are some spam hostnames in the survey), we believe that these names are representative of the sites people actually care about.
We then queried the legacy DNS for these names and recorded the chain of nameservers that are involved in their resolution. We thus obtained a snapshot of the dependencies in the DNS system. A total of 166771 nameservers were discovered in this process. The survey was performed on July 22, 2004.
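The dependency snapshot described above comes from following, for each surveyed name, every nameserver involved in its resolution, including the servers needed to resolve the nameservers' own hostnames. The following is an added example, not code from the survey: it walks a small constructed delegation table embedded in the script instead of querying the live DNS, and every zone and server name in it is invented for illustration.

```python
"""Transitive nameserver dependencies of a hostname.

Added example, not code from the survey above: it reproduces the
survey's "chain of nameservers involved in resolution" step over a
constructed, embedded delegation table instead of live DNS queries.
Every zone and server name below is invented for illustration.
"""
from collections import deque

# Constructed delegation data: zone -> nameservers listed for it.
DELEGATIONS = {
    ".": {"a.root.test.", "b.root.test."},
    "test.": {"ns.test."},
    "com.": {"a.gtld.test.", "b.gtld.test."},
    "net.": {"a.gtld.test."},
    "bank.com.": {"ns1.bank.com.", "ns.dnshost.net."},
    "dnshost.net.": {"ns.dnshost.net."},
    "shop.net.": {"ns1.shop.net."},
}

# Root servers are known from a hints file, so their own names never
# need resolving: they terminate the recursion.
ROOT_SERVERS = DELEGATIONS["."]


def zones_on_path(name, delegations=DELEGATIONS):
    """Zones a resolver walks through, root first, to reach `name`."""
    labels = name.rstrip(".").split(".")
    zones = ["."]
    for i in range(len(labels) - 1, -1, -1):
        zone = ".".join(labels[i:]) + "."
        if zone in delegations:
            zones.append(zone)
    return zones


def transitive_nameservers(name, delegations=DELEGATIONS, hints=ROOT_SERVERS):
    """Every nameserver `name` depends on, including those needed to
    resolve the nameservers' own hostnames (breadth-first, cycle-safe)."""
    found = set(hints)
    seen = set()
    queue = deque([name])
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        for zone in zones_on_path(current, delegations):
            for ns in delegations[zone]:
                found.add(ns)
                if ns not in hints:
                    queue.append(ns)
    return found


def dependency_counts(names, delegations=DELEGATIONS, hints=ROOT_SERVERS):
    """How many surveyed names depend on each nameserver: the servers with
    the highest counts are the survey's 'most valuable' assets."""
    counts = {}
    for name in names:
        for ns in transitive_nameservers(name, delegations, hints):
            counts[ns] = counts.get(ns, 0) + 1
    return counts


if __name__ == "__main__":
    survey = ["www.bank.com.", "www.shop.net."]
    ranked = sorted(dependency_counts(survey).items(), key=lambda kv: -kv[1])
    for ns, n in ranked:
        print(f"{n:3d}  {ns}")
```

Note how `www.bank.com.` ends up depending on `ns.test.`, a server no part of its own delegation names: it is reached only because the `.com` servers' hostnames live under `test.`. That transitive reach is exactly what makes a compromise of one obscure nameserver affect far more sites than its zone file suggests.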
Ideal Intrusion Defense Combines Processes And People
25th, April, 2006
A global IT service provider with 39,000 employees and thousands of computing devices is sure to be a tempting target for digital desperados. But which attack scenarios are most likely to keep the security chief up at night? Dave Bixler, CISO for Siemens Business Services Inc., a subsidiary of Munich-based Siemens AG, lists three:
# Spyware;
# Stolen or misplaced laptops with passwords that can be unlocked within minutes using any number of online tools; and
# Employees who load sensitive files onto USB keys and then lose them.
Michael Osborne has been getting a lot of vendor calls lately pitching a new breed of products, typically called electronic data discovery (EDD) tools. These tools promise to investigate historical data to uncover security breaches, compliance failures and plain old errors in transactions across various enterprise systems, from network administration to accounting. Driven by compliance requirements such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act, these tools focus on user activities, such as who accessed a database or updated a customer account.
Open Source Intrusion Detection and Prevention: Tools for Today's Corporate Market
27th, April, 2006
There are literally hundreds of reported network attacks each day. Our systems are being compromised by persons trying to intrude, stop, obtain or destroy our precious data. The ability to detect intruders and monitor the network systems that you operate is not just an option. The Sarbanes-Oxley Act is a warning to our publicly traded companies that we are not going to be allowed to sit idle as corporate leaders or IT professionals while there might be huge gaps in our network defenses. Network tools for monitoring intrusion and tools to prevent intrusion can be cost prohibitive to a company that has not budgeted for their implementation or has little exposure to their use. This paper discusses two open source tools, Snort and Bro, that are no cost or low cost and that you can obtain and train to use. These tools are designed to monitor traffic, analyze protocols, capture packets, map networks, port scan and prevent intrusion. Whether the attack is from outside your LAN or from inside, do you have the tools and training to meet the demands of securing your network data?
Network admin Doug Porter has conducted enough budget presentations to know that upper management types tune out when it comes to slides about spyware scanners, content filters and the growing sophistication of online criminals. His chances of getting badly needed intrusion defense resources always improve, however, when he talks to the top brass about inconveniences, like the spam clogging their e-mail queues.
Online bank customers may want to pay a little more attention to their browsers the next time they log in. Johannes Ullrich, chief research officer of the prestigious SANS institute said that many of the most popular banking sites may be needlessly placing their customers at risk. At issue are the user login areas that can be found on banking sites such as Chase.com and Americanexpress.com, which ask users to submit their user ID and password information. Although these forms may be encrypted, they do not use authentication technology to prove they are genuine, according to Ullrich.
Apache has overtaken Microsoft as the leading developer of secure web servers. Apache now runs on 44.0% of secure web sites, compared to 43.8% for Microsoft. As the original developers of the SSL protocol, Netscape started out with a lead in the SSL server market. But they were soon overtaken by Microsoft's Internet Information Server, which within a few years held a steady 40-50% of the SSL server market.
This article looks at five common Web application attacks, primarily for PHP applications, and then presents a case study of a vulnerable Website that was found through Google and easily exploited. Each of the attacks we'll cover are part of a wide field of study, and readers are advised to follow the references listed in each section for further reading. It is important for Web developers and administrators to have a thorough knowledge of these attacks. It should also be noted that that Web applications can be subjected to many more attacks than just those listed here.
A startup funded by the U.S. government's Defense Advanced Research Projects Agency is ready to emerge from stealth mode with hardware and software-based technologies to fight the rapid spread of malicious rootkits. Komoku, of College Park, Md., plans to ship in the summer a beta of Gamma, a new rootkit detection tool that builds on a prototype used by several sensitive U.S. government departments to find operating system abnormalities that may be linked to malicious rootkit activity. Rootkits modify the flow of the kernel to hide the presence of an attack or compromise on a machine. This gives a hacker remote user access to a compromised system while avoiding detection by anti-virus scanners.
The Cell Broadband Engine Processor Security Architecture
27th, April, 2006
As computers and consumer electronics devices become more connected, platform security becomes increasingly important for everyone from consumers to businesses. For consumers, privacy of data such as credit card numbers and social security numbers have always been of concern, but now new technologies such as voice-over-IP and personal video blogs bring new privacy concerns. And for entertainment content owners, piracy is a major concern as they move toward a virtual form of TV and movie content delivery (see Resources).
PHP HoP is an open source project for:
* Application-based low-level interaction honeypot
* Dealing with web threats
PHP HoP has already been used to:
* Fool different kinds of web attackers (audit tools, manual hax0rs...)
* Create real statistics about the top 10 commands used by an intruder
* Steal malware (PHP, C, Perl) that attackers wanted to upload
* Identify evil behaviours and learn about current web threats
http://www.linuxsecurity.com/content/view/122554
Digital forensics - efficient data acquisition devices
24th, April, 2006
Digital forensics has always been a hot market segment, and the need for a reliable network-based forensics model, given the Internet's main insecurities such as source address spoofing and the lack of commonly accepted security event reporting practices, is constantly growing as well. Information acquisition, analysis and interpretation in the most reliable and efficient way is often the desired outcome -- and of course figuring out what has been happening at a given historical moment in time, or in real time if applicable.
The anti virus industry's panacea - a virus recovery button
24th, April, 2006
Just when I thought I'd seen everything when it comes to malware, I was wrong: a PC vendor is desperately trying to position itself as one offering a feeling of security, with the idea of stripping its product and lowering the customer price. The other day I came across a fancy ad featuring Lenovo's ThinkVantage Virus Recovery Button, promoting its usefulness even when there's no AV solution in place.
A host of software companies, security firms and Internet service providers met in Chicago on Wednesday to urge corporations and bulk message senders to adopt e-mail authentication technologies. The technologies, known as Sender ID and DomainKeys, aim to allow e-mail recipients to positively identify the sender of an e-mail message and hold the promise of giving service providers the tools they need to effectively end spam and phishing attacks.
Wall streeters say Duco Cement is the preferred glue for permanently shutting down a USB, serial or any other laptop port that needs to be shut down. I spoke with Ben Campbell, vice president for sales at Safend, about some of the more brute-force methods used to shut off port access, following an investigative article that appeared in the Los Angeles Times, in which Campbell provided the Duco endorsement.
The article(s) then went on to look at the prevention of unauthorised access to data. However, any casual reading of fraud reports in the news media will quickly reveal that a significant proportion of fraud (not to mention sabotage by disgruntled employees) is committed by authorised rather than unauthorised personnel. And if someone is authorised to read, write or update data, then how do you prevent, or at least detect (at the earliest possible stage) any unauthorised activity?
Compliance ... zero-day vulnerabilities ... the business case for security ... policy, policy and more policy! You can't turn around without bumping into one of these topics. They're important issues, but they're not the best drivers for security-related deployments.
Let's face it: There are few business cases for security other than avoidance--specifically risk, attack and litigation avoidance. You need processes and products that solve the problems you face every day. Security budgets aren't growing by leaps and bounds. In fact, many organizations' compliance dollars are going for audits, re-engineering projects and consultants.
Every networked device has to have its operating system kept up to date with security patches - Windows 95 is not allowed unless you buy a separate firewall device and stick it in front of [Windows 95]. There are microscopes controlled by old operating systems - [the owners] have to put a firewall in front of them. We have software that people can use for free - they don't have to buy their own firewall or anti-virus software.
Having a policy only goes so far. McAfee's Foundstone scanner allows us to scan the network continuously for vulnerabilities. [If something is found] we tell [the device owners] to fix it or we turn off their access. Departments can log in and scan their own nets.
Is your boss or even some coworker secretly reading your email? Are the federal agencies snooping on your email messages? Following are two simple techniques that can help you confirm your suspicion: they detect snoopers and can track the address of the computer that is watching your email.
Remember that for steps 3 & 4, you can create a free account on geocities.com and create a dummy HTML file that contains the Statcounter or Google Analytics tracking script.
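The article relies on a third-party counter to see who loads a page linked from the message. The same idea can be run from a web server you control, which also records the fetch in an ordinary access log. The following is an added example, not part of the article: it mints a per-message beacon URL and reads the server's access log to report which addresses fetched it. The registry, addresses and log lines are constructed for the example.

```python
"""Who fetched the beacon in my message?

Added example, not part of the article: the server-side half of the
technique above. Each outgoing message gets its own unguessable image
URL; the web server's access log then shows every address that loaded
it. A fetch from an address other than the intended reader's is a lead
worth chasing. The registry, addresses and log lines are constructed
for the example; a real deployment would persist the registry.
"""
import re
import secrets
from collections import defaultdict

# Common Log Format, as written by Apache and most other servers.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
BEACON_PATH = re.compile(r"^/b/(?P<token>[A-Za-z0-9_-]+)\.gif$")


def register_beacon(registry, token, message_id, expected_ip):
    registry[token] = {"message_id": message_id, "expected_ip": expected_ip}


def new_beacon_url(registry, base_url, message_id, expected_ip):
    """Mint a per-message token and return the <img src> URL to embed."""
    token = secrets.token_urlsafe(16)  # 128 bits: not guessable, not enumerable
    register_beacon(registry, token, message_id, expected_ip)
    return f"{base_url}/b/{token}.gif"


def beacon_fetches(log_lines, registry):
    """Map token -> [(ip, time)] for successful fetches of registered beacons."""
    fetches = defaultdict(list)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or m["status"] != "200":
            continue
        p = BEACON_PATH.match(m["path"])
        if p and p["token"] in registry:
            fetches[p["token"]].append((m["ip"], m["time"]))
    return fetches


def unexpected_readers(log_lines, registry):
    """Fetches from an address other than the intended recipient's."""
    findings = []
    for token, hits in beacon_fetches(log_lines, registry).items():
        meta = registry[token]
        for ip, when in hits:
            if ip != meta["expected_ip"]:
                findings.append({"message_id": meta["message_id"], "ip": ip, "time": when})
    return findings


# Constructed registry and log excerpt (RFC 5737 documentation addresses).
REGISTRY = {}
register_beacon(REGISTRY, "msg42-tok", "msg-42", "203.0.113.7")
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Apr/2006:09:12:01 +0000] "GET /b/msg42-tok.gif HTTP/1.1" 200 43',
    '198.51.100.23 - - [27/Apr/2006:09:15:44 +0000] "GET /b/msg42-tok.gif HTTP/1.1" 200 43',
    '198.51.100.23 - - [27/Apr/2006:09:15:45 +0000] "GET /b/unknown.gif HTTP/1.1" 404 0',
    '203.0.113.7 - - [27/Apr/2006:09:16:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for f in unexpected_readers(SAMPLE_LOG, REGISTRY):
        print(f"{f['message_id']}: fetched by {f['ip']} at {f['time']}")
```

Treat the result as a lead, not proof: the address in the log is whatever fetched the image, which may be a mail gateway's content scanner, a webmail proxy or the reader's own client, and a client that blocks remote images leaves no trace at all.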
Using Virtual Machines to Provide a Secure Teaching Lab Environment
30th, April, 2006
Alarms at the university’s IT security center light up – pagers go off, phone calls are made, network traffic is captured and analyzed. Penetration scans are being run on a number of critical infrastructure servers, and evidence shows that it is originating from on-campus. Patterns are tracked to a classroom where Professor Packetslinger is running his Computer Security class, and students are working on an assignment to evaluate system security. This event, while providing several interesting examples of the ethics of computer security, illustrates one of the major problems with teaching computer security: methods learned in the classroom can easily overstep boundaries and harm real production systems.
In Between The Lines Of Personal And Sensitive Information
26th, April, 2006
In a previous post, "Give it back!", I mentioned the ongoing re-classification of declassified information and featured some publicly known sources for information on government secrecy. Today I came across a news item relating to the topic in another way, "States Removing Personal Data from Official Web Sites"; more from the article: "At least six states use redaction software, which digitally erases information. It can be tailored to excise nine-digit entries such as SSNs. Chips Shore, circuit court clerk for Florida's Manatee County, removed SSNs and bank account numbers from 3 million public records on the Web site. Another 2.5 million court records were redacted before going online."
Phishing attacks are increasingly using offline components to appear more trustworthy, according to security firms. This week, security firm Cloudmark warned that two customers had been targeted with phishing attacks that used real phone numbers to collect personal information from the victims. The e-mail message alerts users to a fictitious security incident and asks them to call their bank at a certain phone number to verify their account number and PIN code. The fraudsters appear to have cloned the real banks automated telephone system to make the attack appear more real.
A new study on "US and European Corporate Privacy Practices" was released two days ago, and as I constantly monitor the topic, knowing the EU's stricter information-sharing and privacy-violation laws compared to the U.S., I thought you might find this useful. To sum up the findings: "European companies are much more likely to have privacy practices that restrict or limit the sharing of customer or employees' sensitive personal information and are also more likely to provide employees with choice or consent on how information is used or shared," said David Bender, head of White & Case's Global Privacy practice. Still at the "sharing sensitive information is bad" promotional stage, I feel the research reasonably points out the lack of a systematic technical approach; bureaucracy can also be an issue, but with so many CERTs in Europe there's potential for lots of developments, I think. Established in 2004, ENISA is the current body overseeing and guiding the Community towards data protection practices -- slowly, but steadily gaining ground.
A new law in Georgia on private investigators now extends to computer forensics and computer incident response, meaning that forensics experts who testify in court without a PI license may be committing a felony. In the U.S. television show "Medium," Patricia Arquette's character uses her "special psychic skills" to help solve crimes. If a new law passed by the Georgia legislature but not yet signed by the Governor goes into effect, not only could Miss Arquette's character face legal troubles, but thousands of computer security consultants would face the very real threat of jail time - simply for plying their trade.
The Bush administration has drafted a federal plan to improve cybersecurity research and development. Yesterday, the National Science and Technology Council, a Cabinet-level body that coordinates governmentwide science and technology policies, issued a preprint release of the “Federal Plan for Cyber Security and Information Assurance Research and Development.”
Security deperimeterisation is at the heart of plans that underpin the Cabinet Office's high-profile transformational government programme, delegates at the Infosecurity Conference will be told today.
Increasing demands for public sector bodies to exchange information and share IT services will mean that traditional approaches to security will no longer be appropriate, the Cabinet Office's security adviser will say.
Steve Marsh, director of the Central Sponsor for Information Assurance, said that a new security architecture would play a key role in the transformational government plan.
The number of stealth techniques found in malicious software surged 600 percent in the past three years, according to data published last week by McAfee. And the pace of change is accelerating, driven by developer interest and online forums, say experts.
Rootkit.com has more than 42,000 members and active forums that are pushing the evolution of rootkits, according to Jamie Butler, CTO of security firm Komoku, who helped create rootkit.com.
The last day of Infosec brought nostalgia for the old days of hacking. Robert Schifreen, the ex-hacker and author famous for breaking into Prince Philip's Prestel account twenty-odd years ago, recalled a more innocent age during his stint chairing a hackers' panel.
"You didn't have flat rate hacking before the internet. It was all dial-up and hacking attacks tending to occur after 6pm when cheap rate began. At that time, admins were back watching Neighbours or the Magic Roundabout."
Potential Security Vulnerabilities of a Wireless Network in a Military Healthcare Facility
28th, April, 2006
The adaptation of wireless technology into the healthcare practitioner’s daily activities is changing the face of patient care every day. Doctors can now review any pertinent patient data from digital x-rays as they are taken, lab results as they are coded into the system and live patient vital statistic monitoring from their mobile PDA's and Tablet PC's at the point of care. Wireless technology adaptation has other benefits such as lowering long term cost of infrastructure maintenance and upgrades, and allowing for rapid changes to the network infrastructure versus wired technology.
Will Cell Phones be Responsible for the Next Internet Worm?
30th, April, 2006
If you have been following the news lately, chances are you are aware of the latest round of cellular phone viruses. Redbrowser, Brador, and Cabir are a few examples of new viruses and worms that compromise so-called "smart phones" (phones running a handheld operating system such as Palm OS, Symbian, or Microsoft’s Windows Mobile 5) in much the same way as e-mail worms have worked, in an increasingly destructive and costly fashion, over the past decade. The smart cell phones at the center of this growing problem are just one member of a larger family of mobile computing devices that share the same vulnerability potential. Palm Pilots, Pocket PCs, and RIM devices all share the same wireless data capabilities and provide a significant amount of computing power to boot. You might think, "So what? It’s just a cell phone, right?" Well, that cell phone might just be responsible for the next major Internet worm.