This week, perhaps the most interesting articles include "," "," and "."


EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.



LinuxSecurity.com Feature Extras:

EnGarde Secure Linux v3.0.6 Now Available - Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.6 (Version 3.0, Release 6). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and a couple of new packages available for installation.

pgp Key Signing Observations: Overlooked Social and Technical Considerations - While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.

Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital’s multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network. Click to find out more!

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe, send an e-mail to the list address with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


Feds Want Hacker's Genetic Code
13th, May, 2006

Hacker Adrian Lamo is in trouble again, this time for failing to give the federal government his DNA. On Tuesday, federal probation officer Michael Sipe filed a notice of violation in a Northern California court accusing Lamo of refusing to submit a blood sample, in violation of Sipe's instructions and a 2-year-old federal law. "He reported to the probation office as instructed; however, he refused to provide a blood sample for DNA testing, in violation of the general condition of supervision requiring compliance with federal law," the filing reads.

Malicious Cryptography
9th, May, 2006

Cryptology is everywhere these days. Most users make good use of it even if they do not know they are using cryptographic primitives from day to day. This two-part article series looks at how cryptography is a double-edged sword: it is used to make us safer, but it is also being used for malicious purposes within sophisticated viruses. Part one introduces the concepts behind cryptovirology and offers examples of malicious potential with the SuckIt rootkit and a possible SSH worm. It then introduces armored viruses that use shape shifting (polymorphism and metamorphism) to avoid detection.

IT Managers: PGP is Easy
10th, May, 2006

PGP, or Pretty Good Privacy, is a security program that allows users to encrypt and decrypt e-mail, as well as incorporating the added protection of digital signatures for user verification. OpenPGP builds upon PGP with enhanced PGP standards, military-grade security and an increased number of encryption algorithms. Michael W. Lucas, author of PGP & GPG: E-mail for the Practical Paranoid recommends that IT managers take advantage of easy-to-use OpenPGP to add an extra layer of internal security that can prevent tampering from within an organization. The most difficult part is not installation or using OpenPGP but educating users.

How To Scan Your Linux-Distro for Root Kits
10th, May, 2006

So... What in the hell is a root kit ??? A root kit is a collection of programs that intruders often install after they have compromised the root account of a system. These programs will help the intruders clean up their tracks, as well as provide access back into the system. Root kits will sometimes leave processes running so that the intruder can come back easily and without the system administrator's knowledge!

A FOSS Primer for International Policy-makers
12th, May, 2006

When investigating free and open source software (FOSS) development and implementation in developing countries, you're likely to run into Ken Wong and Phet Sayo's FOSS primer, published by the International Open Source Network. What makes this primer so special, and so widely known? To find out, we interviewed the authors.

NewsForge: There are a number of FOSS primers available on the Internet. What motivated you to write yours, and what makes it different from the others?

Ethical Hacking: Teaching Students to Hack
11th, May, 2006

One of the fastest growing areas in network security, and certainly an area that generates much discussion, is that of ethical hacking. The purpose of this study is to examine the literature regarding how private sectors and educational institutions are addressing the growing demand for ethical hacking instruction. The study will also examine the opportunity for community colleges in providing this type of instruction. The discussion will conclude with a proposed model of ethical hacking instruction that will be used to teach a course in the summer semester of 2006 through the continuing education department at Caldwell Community College and Technical Institute within the North Carolina Community College System.

A Profound Compelling Viewpoint Of Linux and Security
12th, May, 2006

I have been discussing Linux's security at a more profound level, and I would like any security expert's input on the discussion. I have never had a discussion like this before, as it deals more with reference monitors, SELinux's implementation, LIDS, and other features, rather than practical security like IDSs, firewalls, etc. If you would like to take a look, please click on the following link - and feel free to post something if you have a comment. I would greatly appreciate any positive contributions to this discussion, as it has really got me thinking! In fact, most of it is beyond my level of expertise.

Firewall Migration
9th, May, 2006

When birds migrate, they expend a huge amount of energy winging their way from one place to another, depending on sheer endurance to complete the journey safely. And so, it seems, it goes with security managers faced with swapping out their gateway firewalls. Firewall migration for mid- to large-sized enterprises in particular appears to be a lengthy project indeed when organizations migrate from one vendor's firewall to another, since by all accounts firewall product design differs substantially. Our story this week looks at the topic.

How To Test Your Linux-Distro Firewall
11th, May, 2006

Recently, I wrote an article about "How to scan your Linux-Distro for Root Kits". Now that the machine is... clean! I think a good thing TO-DO is to test my Firewall (AGAIN!). The good news is that we can use the free tool FTester. The bad news is that FTester needs to be configured right... So... Let's get to work!

Everyone Wants to 'Own' Your PC
7th, May, 2006

When technology serves its owners, it is liberating. When it is designed to serve others, over the owner's objection, it is oppressive. There's a battle raging on your computer right now -- one that pits you against worms and viruses, Trojans, spyware, automatic update features and digital rights management technologies. It's the battle to determine who owns your computer. You own your computer, of course. You bought it. You paid for it. But how much control do you really have over what happens on your machine? Technically you might have bought the hardware and software, but you have less control over what it's doing behind the scenes.

Software development: Building security in
10th, May, 2006

When it comes to software security, the general perception is that including technologies such as firewalls, intrusion prevention systems, and malware protection throughout the software development life cycle is all that's needed to keep information secure in the end product. However, these technologies are mostly reactive in nature and don't prevent the vulnerabilities in the first place. Also, at the development level, there's a lot of talk about testing for buffer overruns, validating user input, using the principle of least privilege, and so on. These are certainly solid practices, but there's still a considerable gap when it comes to getting to the root of software flaws – the development process itself.

The Quest For Ring 0
11th, May, 2006

A feature called System Management Mode included in modern x86 CPUs opens the way to the land of kernel space and the quest for ring zero. We start with a relevant quote from JRR Tolkien's Lord of the Rings trilogy: "One Ring to rule them all, One Ring to find them, One Ring to bring them all and in the darkness bind them." I am a security engineer and researcher for the scientific division of the French National Security Agency, namely the Central Directorate for Information Systems Security in Paris. I am also a 2nd-year PhD student in Paris XI University. My research work is mostly focused on the security aspects of interactions between hardware components and software.

OSSEC HIDS v0.8 Available
12th, May, 2006

OSSEC HIDS is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Solaris and Windows. This is the first version offering native support for Windows (XP/2000/2003). It includes as well a new set of log analysis rules for sendmail, web logs (Apache and IIS), IDSs and Windows authentication events.

Dramatic Rise in Adware, Malicious Trojans and Spyware
12th, May, 2006

Spyware staged a significant counterattack during the first quarter of 2006, according to the latest State of Spyware report issued today by Webroot Software. A dramatic rise in the prevalence of adware combined with a significant increase in the most malicious types of Trojans and system monitors resulted in the highest consumer infection rates since the first quarter of 2005. According to the report, the first quarter of 2006 saw a 15 percentage point jump in the share of consumer PCs infected with spyware: from 72 percent in Q4 2005 to 87 percent in Q1 2006. The average instances of spyware on infected machines increased 18 percent over the previous quarter to an average of 29.5 instances of spyware per infected PC, up from 24.9 instances in Q4 2005.

Why Phishers Don't Fear SSL Toolbars
14th, May, 2006

Do anti-phishing toolbars in web browsers stop phishing attacks? No. Can they reduce them, even for savvy users? Yes. Are they all equally effective? No. MIT researchers found that users are highly likely to ignore anti-phishing toolbars... especially those designed to verify SSL certificates. The researchers installed browser toolbars without training the subjects in their proper use. Then subjects were asked to do various tasks requiring a username and password, like adding to a Wish List. The subjects incorrectly divulged usernames and passwords to the phishing sites 52% of the time. After users were dragged through a tutorial, successful Neutral Info toolbar spoofs dropped to 28% while spoofs of those using System Decision toolbars plummeted to 15%. SSL-verification users were fooled 35% of the time.

Webroot Uncovers Thousands of Stolen Identities
10th, May, 2006

Spyware researchers at Webroot Software have uncovered a stash of tens of thousands of stolen identities from 125 countries that they believe were collected by a new variant of a Trojan horse program the company is calling Trojan-Phisher-Rebery. The FBI is investigating the stolen information, which was discovered on a password-protected FTP (File Transfer Protocol) server in the U.S. and is believed to be connected to a Trojan horse that is installed from the Web site teens7(dot)com. The information, organized by country, includes names, phone numbers, social security numbers, and user log-ins and passwords for tens of thousands of Web sites, according to information provided to InfoWorld by Webroot.

Deja vu for Wells Fargo: Bank loses computer with confidential data
9th, May, 2006

For the fourth time in the past 30 months, Wells Fargo & Co. has begun notifying customers about the potential compromise of confidential information following the theft of a company computer containing data on mortgage customers and prospective clients. The San Francisco-based bank on Friday posted a statement on its Web site saying that a computer belonging to its mortgage group had been reported as missing while being transported between Wells Fargo facilities by a global express shipping company.

Credit Unions Attacked by Hackers More Than Banks
10th, May, 2006

In a recent study spanning from February 2005 to March 2006, SecureWorks saw 67% more Internet attacks attempted against its credit union clients than its banking clients. SecureWorks' credit union clients range from large ($500 million to billions in assets) to smaller organizations (under $500 million in assets). On average, SecureWorks blocks 767 attacks per day per credit union client. SecureWorks CTO Jon Ramsey theorizes that their credit union clients are experiencing more Internet attacks than their banking clients because hackers assume that credit unions' networks are less protected than banks' networks.

Sendmail and secure design
11th, May, 2006

As far as software goes, Sendmail is ancient, dating all the way back to 1981. Sendmail 8 itself is well over 10 years old. To put it nicely, its security track record is less than stellar. However, the last big show stoppers in Sendmail were found about three years ago – Zalewski's prescan() bugs reported in September and March of 2003, and crackaddr(), also in March of 2003. The crackaddr() bug was also discovered by Mark Dowd.

Secure DVD Live DVD Collection
9th, May, 2006

SecureDVD is a live DVD collection featuring the 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) as per Darknet on one single DVD.

Study Can Unlock Door To IT Security Riches
7th, May, 2006

Recognised certifications are vital to get your foot on the IT security ladder, and it can be well worth the effort as demand for specialists pushes up salaries. People trying to get into the booming world of IT security need to spend their time studying for some qualifications – and get a paper shredder, if those who recruit ... security specialists are to be believed. “If you do not have qualifications, you are not coming in,”