LinuxSecurity.com
Linux Security Week: May 15th 2006
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas   
This week, perhaps the most interesting articles include "How To Scan Your Linux-Distro for Root Kits," "How Companies Can Manage Strong Authentication Intelligently," and "Cryptanalysis of Bluetooth Encryption."


EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.

http://www.engardelinux.org/modules/index/register.cgi


LinuxSecurity.com Feature Extras:

EnGarde Secure Linux v3.0.6 Now Available - Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.6 (Version 3.0, Release 6). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and a couple of new packages available for installation.

pgp Key Signing Observations: Overlooked Social and Technical Considerations - While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.

Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital’s multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network. Click to find out more!

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


  Feds Want Hacker's Genetic Code
  13th, May, 2006

Hacker Adrian Lamo is in trouble again, this time for failing to give the federal government his DNA. On Tuesday, federal probation officer Michael Sipe filed a notice of violation in a Northern California court accusing Lamo of refusing to submit a blood sample, in violation of Sipe's instructions and a 2-year-old federal law. "He reported to the probation office as instructed; however, he refused to provide a blood sample for DNA testing, in violation of the general condition of supervision requiring compliance with federal law," the filing reads.

http://www.linuxsecurity.com/content/view/122760
 
  Malicious Cryptography
  9th, May, 2006

Cryptology is everywhere these days. Most users make good use of it even if they do not know they are using cryptographic primitives from day to day. This two-part article series looks at how cryptography is a double-edged sword: it is used to make us safer, but it is also being used for malicious purposes within sophisticated viruses. Part one introduces the concepts behind cryptovirology and offers examples of malicious potential with the SuckIt rootkit and a possible SSH worm. It then introduces armored viruses that use shape shifting (polymorphism and metamorphism) to avoid detection.

http://www.linuxsecurity.com/content/view/122716
 
  IT Managers: PGP is Easy
  10th, May, 2006

PGP, or Pretty Good Privacy, is a security program that allows users to encrypt and decrypt e-mail, as well as incorporating the added protection of digital signatures for user verification. OpenPGP builds upon PGP with enhanced PGP standards, military-grade security and an increased number of encryption algorithms. Michael W. Lucas, author of PGP & GPG: E-mail for the Practical Paranoid, recommends that IT managers take advantage of easy-to-use OpenPGP to add an extra layer of internal security that can prevent tampering from within an organization. The most difficult part is not installation or using OpenPGP but educating users.

http://www.linuxsecurity.com/content/view/122737
 
  How To Scan Your Linux-Distro for Root Kits
  10th, May, 2006

So... What in the hell is a root kit ??? A root kit is a collection of programs that intruders often install after they have compromised the root account of a system. These programs will help the intruders clean up their tracks, as well as provide access back into the system. Root kits will sometimes leave processes running so that the intruder can come back easily and without the system administrator's knowledge!

http://www.linuxsecurity.com/content/view/122739
 
  A FOSS Primer for International Policy-makers
  12th, May, 2006

When investigating free and open source software (FOSS) development and implementation in developing countries, you're likely to run into Ken Wong and Phet Sayo's FOSS primer, published by the International Open Source Network. What makes this primer so special, and so widely known? To find out, we interviewed the authors.

NewsForge: There are a number of FOSS primers available on the Internet. What motivated you to write yours, and what makes it different from the others?

http://www.linuxsecurity.com/content/view/122762
 
  Ethical Hacking: Teaching Students to Hack
  11th, May, 2006

One of the fastest growing areas in network security, and certainly an area that generates much discussion, is that of ethical hacking. The purpose of this study is to examine the literature regarding how private sectors and educational institutions are addressing the growing demand for ethical hacking instruction. The study will also examine the opportunity for community colleges in providing this type of instruction. The discussion will conclude with a proposed model of ethical hacking instruction that will be used to teach a course in the summer semester of 2006 through the continuing education department at Caldwell Community College and Technical Institute within the North Carolina Community College System.

http://www.linuxsecurity.com/content/view/122748
 
  A Profound Compelling Viewpoint Of Linux and Security
  12th, May, 2006

I have been discussing Linux's security at a more profound level, and I would like any security expert's input on the discussion. I have never had a discussion like this before, as it deals more with reference monitors, SELinux's implementation, LIDS, and other features, rather than practical security like IDSs, firewalls, etc. If you would like to take a look, please click on the following link - and feel free to post something if you have a comment. I would greatly appreciate any positive contributions to this discussion, as it has really got me thinking! In fact, most of it is beyond my level of expertise.

http://www.linuxsecurity.com/content/view/122759
 
  Firewall Migration
  9th, May, 2006

When birds migrate, they expend a huge amount of energy winging their way from one place to another, depending on sheer endurance to complete the journey safely. And so, it seems, it goes with security managers faced with swapping out their gateway firewalls. Firewall migration for mid- to large-sized enterprises in particular appears to be a lengthy project indeed when organizations migrate from one vendor's firewall to another since, by all accounts, firewall product design differs substantially. Our story this week looks at the topic.

http://www.linuxsecurity.com/content/view/122720
 
  How To Test Your Linux-Distro Firewall
  11th, May, 2006

Recently, I wrote an article about "How to scan your Linux-Distro for Root Kits". Now that the machine is... clean! I think a good thing TO-DO is to test my Firewall (AGAIN!). The good news is that we can use the free tool FTester. The bad news is that FTester needs to be configured right... So... Let's get to work!

http://www.linuxsecurity.com/content/view/122747
 
  Everyone Wants to 'Own' Your PC
  7th, May, 2006

When technology serves its owners, it is liberating. When it is designed to serve others, over the owner's objection, it is oppressive. There's a battle raging on your computer right now -- one that pits you against worms and viruses, Trojans, spyware, automatic update features and digital rights management technologies. It's the battle to determine who owns your computer. You own your computer, of course. You bought it. You paid for it. But how much control do you really have over what happens on your machine? Technically you might have bought the hardware and software, but you have less control over what it's doing behind the scenes.

http://www.linuxsecurity.com/content/view/122697
 
  Software development: Building security in
  10th, May, 2006

When it comes to software security, the general perception is that including technologies such as firewalls, intrusion prevention systems, and malware protection throughout the software development life cycle is all that's needed to keep information secure in the end product. However, these technologies are mostly reactive in nature and don't prevent the vulnerabilities in the first place. Also, at the development level, there's a lot of talk about testing for buffer overruns, validating user input, using the principle of least privilege, and so on. These are certainly solid practices, but there's still a considerable gap when it comes to getting to the root of software flaws – the development process itself.

http://www.linuxsecurity.com/content/view/122733
 
  The Quest For Ring 0
  11th, May, 2006

A feature called System Management Mode included in modern x86 CPUs opens the way to the land of kernel space and the quest for ring zero. We start with a relevant quote from JRR Tolkien's Lord of the Rings trilogy: "One Ring to rule them all, One Ring to find them, One Ring to bring them all and in the darkness bind them." I am a security engineer and researcher for the scientific division of the French National Security Agency, namely the Central Directorate for Information Systems Security in Paris. I am also a 2nd-year PhD student in Paris XI University. My research work is mostly focused on the security aspects of interactions between hardware components and software.

http://www.linuxsecurity.com/content/view/122752
 
  OSSEC HIDS v0.8 Available
  12th, May, 2006

OSSEC HIDS is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Solaris and Windows. This is the first version offering native support for Windows (XP/2000/2003). It includes as well a new set of log analysis rules for sendmail, web logs (Apache and IIS), IDSs and Windows authentication events.

http://www.linuxsecurity.com/content/view/122753
 
  Dramatic Rise in Adware, Malicious Trojans and Spyware
  12th, May, 2006

Spyware staged a significant counterattack during the first quarter of 2006, according to the latest State of Spyware report issued today by Webroot Software. A dramatic rise in the prevalence of adware combined with a significant increase in the most malicious types of Trojans and system monitors resulted in the highest consumer infection rates since the first quarter of 2005. According to the report, the first quarter of 2006 saw a 15 percentage point jump in the share of consumer PCs infected with spyware: from 72 percent in Q4 2005 to 87 percent in Q1 2006. The average instances of spyware on infected machines increased 18 percent over the previous quarter to an average of 29.5 instances of spyware per infected PC, up from 24.9 instances in Q4 2005.

http://www.linuxsecurity.com/content/view/122756
 
  Why Phishers Don't Fear SSL Toolbars
  14th, May, 2006

Do anti-phishing toolbars in web browsers stop phishing attacks? No. Can they reduce them, even for savvy users? Yes. Are they all equally effective? No. MIT researchers found that users are highly likely to ignore anti-phishing toolbars... especially those designed to verify SSL certificates. The researchers installed browser toolbars without training the subjects in their proper use. Then subjects were asked to do various tasks requiring a username and password, like adding to a Wish List. The subjects incorrectly divulged usernames and passwords to the phishing sites 52% of the time. After users were dragged through a tutorial, successful Neutral Info toolbar spoofs dropped to 28% while spoofs of those using System Decision toolbars plummeted to 15%. SSL-verification users were fooled 35% of the time.

http://www.linuxsecurity.com/content/view/122761
 
  Webroot Uncovers Thousands of Stolen Identities
  10th, May, 2006

Spyware researchers at Webroot Software have uncovered a stash of tens of thousands of stolen identities from 125 countries that they believe were collected by a new variant of a Trojan horse program the company is calling Trojan-Phisher-Rebery. The FBI is investigating the stolen information, which was discovered on a password-protected FTP (File Transfer Protocol) server in the U.S. and is believed to be connected to a Trojan horse that is installed from the Web site teens7(dot)com. The information, organized by country, includes names, phone numbers, social security numbers, and user log-ins and passwords for tens of thousands of Web sites, according to information provided to InfoWorld by Webroot.

http://www.linuxsecurity.com/content/view/122734
 
  Deja vu for Wells Fargo: Bank loses computer with confidential data
  9th, May, 2006

For the fourth time in the past 30 months, Wells Fargo & Co. has begun notifying customers about the potential compromise of confidential information following the theft of a company computer containing data on mortgage customers and prospective clients. The San Francisco-based bank on Friday posted a statement on its Web site saying that a computer belonging to its mortgage group had been reported as missing while being transported between Wells Fargo facilities by a global express shipping company.

http://www.linuxsecurity.com/content/view/122722
 
  Credit Unions Attacked by Hackers More Than Banks
  10th, May, 2006

In a recent study spanning from February 2005 to March 2006, SecureWorks saw 67% more Internet attacks attempted against its credit union clients than its banking clients. SecureWorks' credit union clients range from large ($500 million to billions in assets) to smaller organizations (under $500 million in assets). On average, SecureWorks blocks 767 attacks per day per credit union client. SecureWorks CTO Jon Ramsey theorizes that their credit union clients are experiencing more Internet attacks than their banking clients because hackers assume that credit unions' networks are less protected than banks.

http://www.linuxsecurity.com/content/view/122736
 
  Sendmail and secure design
  11th, May, 2006

As far as software goes, Sendmail is ancient, dating all the way back to 1981. Sendmail 8 itself is well over 10 years old. To put it nicely, its security track record is less than stellar. However, the last big show stoppers in Sendmail were found about three years ago – Zalewski's prescan() bugs reported in September and March of 2003, and crackaddr(), also in March of 2003. The crackaddr() bug was also discovered by Mark Dowd.

http://www.linuxsecurity.com/content/view/122745
 
  Secure DVD Live DVD Collection
  9th, May, 2006

SecureDVD is a live DVD collection featuring the 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) as per Darknet on one single DVD.

http://www.linuxsecurity.com/content/view/122724
 
  Study Can Unlock Door To IT Security Riches
  7th, May, 2006

Recognised certifications are vital to get your foot on the IT security ladder, and it can be well worth the effort as demand for specialists pushes up salaries. People trying to get into the booming world of IT security need to spend their time studying for some qualifications – and get a paper shredder, if those who recruit ... security specialists are to be believed. “If you do not have qualifications, you are not coming in,” said Lewis Honour, security practice manager at systems company Logicalis Network Solutions. Honour describes himself as someone who “eats, sleeps, lives and breathes security”.

http://www.linuxsecurity.com/content/view/122698
 
  High Assurance and FLOSS
  8th, May, 2006

A new paper discusses the relationship between high assurance software (for security or safety) and free-libre / open source software (FLOSS). High assurance software must NEVER fail. Many tools for developing high assurance software are FLOSS, it turns out.

http://www.linuxsecurity.com/content/view/122703
 
  Study can unlock door to IT security riches
  8th, May, 2006

Recognised certifications are vital to get your foot on the IT security ladder, and it can be well worth the effort as demand for specialists pushes up salaries. People trying to get into the booming world of IT security need to spend their time studying for some qualifications – and get a paper shredder, if those who recruit security specialists are to be believed.

"If you do not have qualifications, you are not coming in," said Lewis Honour, security practice manager at systems company Logicalis Network Solutions. Honour describes himself as someone who "eats, sleeps, lives and breathes security".

http://www.linuxsecurity.com/content/view/122705
 
  Computer Security - The Next 50 Years
  8th, May, 2006

Security and validation are critical issues in computing, and the next fifty years will be harder than the last. There are a number of proven programming techniques and design approaches which are already helping to harden our modern systems, but each of these must be carefully balanced with usability in order to be effective. In this talk, Alan Cox, fellow at Red Hat Linux, explores the future of what may be the biggest threat facing software engineers, the unverified user.

http://www.linuxsecurity.com/content/view/122707
 
  How Companies Can Manage Strong Authentication Intelligently
  10th, May, 2006

According to the latest figures from the Department of Trade & Industry, eight out of ten UK firms offer their employees the option of working from home for at least part of their working day. As the UK heads towards a more mobile workforce, this number bodes well for the economy’s ability to integrate a more diverse range of people whose personal circumstances mean they may otherwise be left out. Moreover, the penetration of key technologies in the UK means working from home is now more feasible than ever before. Over 27 million people have access to the Internet in the UK while, according to BT, there are 9.8 million broadband subscribers.

http://www.linuxsecurity.com/content/view/122727
 
  SuprNova.org: The Story of a Legend
  8th, May, 2006

Despite the domain being on sale for over a week, there has been no news or discussion on the apparent end to the once all-powerful BitTorrent site, Suprnova.org. Nobody even noticed, and if they did, they decided the news was not worthy of reporting to the world. It was not always this way; once upon a time SuprNova was as much part of BitTorrent as the client itself, serving up torrents to 420,000 unique visitors a day. Without question, the site revolutionised the dynamics of internet traffic.

http://www.linuxsecurity.com/content/view/122711
 
  Stand-alone RFID Deadbolt
  9th, May, 2006

The first project in my book RFID Toys shows how to build an RFID enabled front door access control system. That project uses a PC to do the processing and included enhanced features such as timed access control, which only allowed access for certain tags during certain times. Readers can download source code from www.rfidtoys.net and modify it to add other features like email access alerts.

http://www.linuxsecurity.com/content/view/122725
 
  Endpoint Security Systems
  9th, May, 2006

The crumbling of network boundaries and the rapid growth in mobile computing has brought with it some serious questions of security and of control. In many cases, existing security programmes just cannot cope with the way mobile computing has developed. It presents a whole new set of security issues.

http://www.linuxsecurity.com/content/view/122729
 
  Spot a Bug, Go to Jail
  11th, May, 2006

A new federal prosecution again raises the issue of whether computer security experts must fear prison time for investigating and reporting vulnerabilities. On April 28, 2006, Eric McCarty was arraigned in U.S. District Court in Los Angeles. McCarty is a professional computer security consultant who noticed that there was a problem with the way the University of Southern California had constructed its web page for online applications. A database programming error allowed outsiders to obtain applicants' personal information, including Social Security numbers.

http://www.linuxsecurity.com/content/view/122743
 
  The way to security and compliance
  11th, May, 2006

Identity management lies at the heart of creating a secure environment for employees and customers to access companies' systems. Analyst the Burton Group has already identified the area as one of the key security trends for 2007. It says companies are turning to role-based access control and fine-grained authorisation to enforce data and application restrictions and comply with a variety of regulations. Identity management is not a product as such but a combination of different technologies. The building blocks are authentication, authorisation, provisioning, user management, audit and federation. Because deploying identity management requires organisations to map their business processes into a system, it also often requires extensive consultancy.

http://www.linuxsecurity.com/content/view/122746
 
  Universities Given Security Guidelines For Foreign Students
  11th, May, 2006

The Departments of Defence and Foreign Affairs want academics to report foreign students enrolled in particular subjects. The Government also wants to broaden export controls, forcing lecturers to apply for licences if they're going to share their knowledge abroad. Sabra Lane reports. It's not so much a crackdown on students recruiting for extremist causes, rather an attempt to detect spies in our midst and stop them from getting their hands on research at conferences.

http://www.linuxsecurity.com/content/view/122751
 
  Social Engineering: No more Mr Nice Guy?
  12th, May, 2006

Gone is the sharp-suited, debonair, silver-tongued fraudster who'd charm his way to a personal fortune. In his place: countless thousands hunched over computers, stealing bank details and exploiting technological weakness - without witnesses, and often for hire. "There's none of what we used to call conmen these days," says Frank Abagnale. "There's no need for that any more."

http://www.linuxsecurity.com/content/view/122755
 
  Defeat Spam With SpamBayes
  6th, May, 2006

Spam email is the plague of the 21st century; SpamBayes is its cure. This client-side application analyzes all incoming email messages and automatically sorts out those that are unwanted. SpamBayes digests the contents of email messages and counts how often certain words -- e.g. Viagra -- occur in spam (bad) or ham (good) messages. Based on these word patterns, it calculates an overall score that rates a message as spam, ham, or unknown. You can manually classify unknown mail as spam or ham and SpamBayes will learn accordingly.

http://www.linuxsecurity.com/content/view/122696
 
  Researcher: Digital Signatures Can Lie To Linux, OSX and Windows Users
  8th, May, 2006

Digital signatures were designed to allow secure, confidential communication between two parties. As Wikipedia describes it: "A user may digitally sign messages using his private key, and another user can check that signature (using the public key contained in that user's certificate issued by a certificate authority). This enables two (or more) communicating parties to establish confidentiality, message integrity and user authentication without having to exchange any secret information in advance."

http://www.linuxsecurity.com/content/view/122708
 
  Study: Most Malware Made To Make Money
  8th, May, 2006

Malicious software coded by cyber criminals for financial gain accounted for some 70 percent of all malware detected during the first quarter of 2006, according to a report released today. According to a new study from anti-virus developer Panda Software, the new malware dynamic saw financial profit become malicious software creators' top priority. Of all malware detected by the company's free online scanner, about 40 percent was spyware. Some 17 percent of the total was made up by trojans, including banker trojans that steal confidential data related to bank services and "droppers" or "downloaders" that download malicious applications onto systems.

http://www.linuxsecurity.com/content/view/122712
 
  "Botmaster" Gets Nearly Five Years In Prison
  9th, May, 2006

LOS ANGELES (Reuters) - A 20-year-old who prosecutors say hijacked computers to damage computer networks and send waves of spam across the Internet was sentenced on Monday to nearly five years in prison. Jeanson James Ancheta, a well-known member of the "Botmaster Underground" who pleaded guilty in January to federal charges of conspiracy, fraud and damaging U.S. government computers, was given the longest sentence for spreading computer viruses, federal prosecutors said.

http://www.linuxsecurity.com/content/view/122721
 
  China campuses' Internet hall monitors
  10th, May, 2006

To her fellow students, Hu Yingying appears to be a typical undergraduate, plain of dress, quick with a smile and perhaps possessed of a little extra spring in her step, but otherwise decidedly ordinary. And for Hu, in her second year at Shanghai Normal University, coming across as ordinary is just fine, given the parallel life she leads. For several hours each week she repairs to a little-known on-campus office crammed with computers, where she logs on, unsuspected by other students, to help police her university's Internet forums.

http://www.linuxsecurity.com/content/view/122732
 
  New Security Glitch Found in Diebold System
  10th, May, 2006

Elections officials in several states are scrambling to understand and limit the risk from a "dangerous" security hole found in Diebold Election Systems Inc.'s ATM-like touch-screen voting machines. The hole is considered more worrisome than most security problems discovered on modern voting machines, such as weak encryption, easily pickable locks and use of the same, weak password nationwide.

http://www.linuxsecurity.com/content/view/122735
 
  More Protections Urged for Medical Records
  11th, May, 2006

WASHINGTON D.C. -- The push for a national network of electronic medical records poses significant privacy risks at the same time that it promises to save lives, said members of a panel here at the Computer, Freedom and Privacy Conference on Wednesday.

http://www.linuxsecurity.com/content/view/122749
 
  Campfire Stories of SCADA Insecurity
  11th, May, 2006

As government and industry start taking the cybersecurity of industrial control systems more seriously, shocking and funny stories are emerging.

http://www.linuxsecurity.com/content/view/122750
 
  Congress May Slap Restrictions On SSN Use
  12th, May, 2006

Democratic and Republican politicians on Thursday both promised to enact new federal laws by the end of the year that would restrict some commercial uses of Social Security numbers, which are often implicated in identity fraud cases. "Whether Social Security numbers should be sold by Internet data brokers to anyone willing to pay, indistinguishable from sports scores or stock quotes... to me, that's a no-brainer," Texas Republican Joe Barton, chairman of the U.S. House of Representatives Energy and Commerce Committee, said at a hearing. Such a practice should not be allowed, he said, "period, end of debate."

http://www.linuxsecurity.com/content/view/122758
 
  How to get a job with a pen-testing team.
  8th, May, 2006

It's cold and gloomy outdoors. I'm feeling pretty faded (errr, jaded) right about now. I'm sure all you corporate hangers-on have seen the Big-whatever companies come in with their pen-testing or audit teams. Some of them call themselves pen-testing, some Tiger, some white-hat hacker, whatever. They should just state that they are inept p0sers. But, that gets me thinking (on just such a day) what it would take to get hired at one of these Big-whatever companies.

http://www.linuxsecurity.com/content/view/122706
 
  Ethics, Hacking, and Religion
  9th, May, 2006

If you ask any stranger on the street what they think about hackers, you will probably get a surly look followed by a negative comment. The reason for this is simple – over 80% of computer users have been affected by a "hacking" incident. Whether it is a stolen credit card or virus attacks, the media has labeled the people behind such activity with the term "hacker." I am not going to bore you with the semantics of hacker, cracker, whitehat, and blackhat, because you can look those terms up all over the internet. The point is that not all hackers are bad. In fact, most hackers stay on the legitimate side of the law and use their talents to create new technologies that you benefit from. For example, Steve Wozniak and Steve Jobs, the founders of Apple, are often labeled as hackers.

http://www.linuxsecurity.com/content/view/122718
 
  Residential Wi-Fi Sharing Made Easy
  8th, May, 2006

Researchers have developed technology designed to enable neighbors to pool their Wi-Fi Internet access to deliver better performance and exploit bandwidth that would otherwise sit idle. Haiyun Luo, an assistant professor of computer science at the University of Illinois at Urbana-Champaign, says that the technology he created with graduate student Nathanael Thompson would encourage people to share their bandwidth without having to worry about security or privacy issues.

http://www.linuxsecurity.com/content/view/122710
 
  Cryptanalysis of Bluetooth Encryption
  9th, May, 2006

Encryption is the most important part in computer security mechanisms and protocols: he who can bypass cryptographic protection gains total control over the security. Password management, secure network transmission protocols, wireless protocols (WEP, WPA, Bluetooth, GSM), integrity checking (e.g. in antivirus software), data protection, and login authentication are well-known examples whose security heavily relies on cryptographic mechanisms. One illustrative example, among many others, is the Bluetooth protocol used for wireless communications between mobile devices: laptops, PDAs, cell phones, printers, cars... This protocol embeds cryptographic multi-level security.

http://www.linuxsecurity.com/content/view/122726
 
