EnGarde Secure Linux is a Linux server distribution that is geared toward providing
an open source platform that is highly secure by default as well as easy to administer.
EnGarde Secure Linux includes a select group of open source packages configured
to provide maximum security for tasks such as serving dynamic websites, high
availability mail transport, network intrusion detection, and more. The Community
edition of EnGarde Secure Linux is completely free and open source, and online
security and application updates are also freely available with GDSN registration.
EnGarde Secure Linux v3.0.6 Now Available - Guardian Digital is happy to
announce the release of EnGarde Secure Community 3.0.6 (Version 3.0, Release
6). This release includes several bug fixes and feature enhancements to the
Guardian Digital WebTool and the SELinux policy, several updated packages,
and a couple of new packages available for installation.
pgp Key Signing Observations: Overlooked Social and Technical Considerations
- While there are several sources of technical information on using pgp in
general, and key signing in particular, this article emphasizes social aspects
of key signing that are too often ignored, misleading or incorrect in the
technical literature. There are also technical issues pointed out where I
believe other documentation to be lacking. It is important to acknowledge
and address social aspects in a system such as pgp, because the weakest link
in the system is the human that is using it. The algorithms, protocols and
applications used as part of a pgp system are relatively difficult to compromise
or 'break', but the human user can often be easily fooled. Since the human
is the weak link in this chain, attention must be paid to actions and decisions
of that human; users must be aware of the pitfalls and know how to avoid them.
Bulletproof Virus Protection - Protect your network from costly security
breaches with Guardian Digital’s multi-faceted security applications.
More than just an email firewall, on demand and scheduled scanning detects
and disinfects viruses found on the network. Click to find out more!
Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.
Feds Want Hacker's Genetic Code
13th, May, 2006
Hacker Adrian Lamo is in trouble again, this time for failing to give the federal government his DNA. On Tuesday, federal probation officer Michael Sipe filed a notice of violation in a Northern California court accusing Lamo of refusing to submit a blood sample, in violation of Sipe's instructions and a 2-year-old federal law. "He reported to the probation office as instructed; however, he refused to provide a blood sample for DNA testing, in violation of the general condition of supervision requiring compliance with federal law," the filing reads.
I was at CardTech/SecurTech 2006 recently and had a meeting with Cryptography Research, a company focused on securing smartcards. I spoke to Kit Rodgers, VP, and Ken Warren, Manager, about smartcard tamper resistance with differential power analysis countermeasures. Listen to the interview with Cryptography Research: http://www.linuxsecurity.com/content/view/122765
Malicious cryptography, Part Two
17th, May, 2006
This two-part article series looks at how cryptography is a double-edged sword: it is used to make us safer, but it is also being used for malicious purposes within sophisticated viruses. Part two continues the discussion of armored viruses and then looks at a Bradley worm - a worm that uses cryptography in such a way that it cannot be analyzed. Then it is shown how Skype can be used for malicious purposes, with a crypto-virus that is very difficult to detect.
Total Computer Security Could Result from Unbreakable Optical Code
17th, May, 2006
Researchers at Mitsubishi Electric, NEC and the University of Tokyo claim to have made a breakthrough in a new technique for very secure data communications. The parties have implemented a technique known as quantum cryptography, which encodes the data optically, and have for the first time transmitted information between systems using this technique.
SELinux is a mandatory access control (MAC) system available in Linux kernels as of version 2.6. Of the Linux Security Modules available, it is the most comprehensive and well tested, and is founded on 20 years of MAC research. SELinux combines a type-enforcement server with either multi-level security or an optional multi-category policy, and a notion of role-based access control. See the Resources section later in this article for links to more information about these topics.
Most people who have used SELinux have done so by using an SELinux-ready distribution such as Fedora, Red Hat Enterprise Linux (RHEL), Debian, or hardened Gentoo. These enable SELinux in the kernel, offer a customizable security policy, and patch a great number of user-land libraries and utilities to make them SELinux aware.
(Editorial comment: EnGarde Secure Linux is an SELinux-ready distribution)
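To make the two ideas in the SELinux summary concrete, here is an added example (not code from the SELinux project or from the article) that models type enforcement with a default-deny allow-rule table, role-to-type authorisation, and a multi-category (MCS) dominance check. The types, rules and contexts are constructed; a real policy is compiled and evaluated inside the kernel's security server, and category ranges such as `c0.c5` are not handled here.

```python
"""Toy model of SELinux type enforcement with multi-category (MCS) checks.

Added example, not code from the SELinux project or from the article
summarised above. The types, allow rules and contexts below are constructed
for illustration; a real policy is compiled and evaluated inside the kernel.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Simplified security context: user:role:type:level.

    Only the category set of the level is modelled (e.g. "s0:c0,c5" keeps
    {"c0", "c5"}); category ranges such as c0.c5 are not handled.
    """
    user: str
    role: str
    type_: str
    categories: frozenset

    @classmethod
    def parse(cls, text):
        parts = text.split(":", 3)
        if len(parts) < 3:
            raise ValueError(f"bad context: {text!r}")
        cats = frozenset()
        if len(parts) == 4 and ":" in parts[3]:
            cats = frozenset(parts[3].split(":", 1)[1].split(","))
        return cls(parts[0], parts[1], parts[2], cats)


# Constructed allow rules: (source type, target type, class) -> permissions.
ALLOW = {
    ("httpd_t", "httpd_sys_content_t", "file"): {"read", "getattr", "open"},
    ("httpd_t", "httpd_sys_rw_content_t", "file"): {"read", "write", "getattr", "open"},
    ("sshd_t", "shadow_t", "file"): {"read", "getattr", "open"},
}

# Constructed role authorisations: which domain types a role may run in.
ROLE_TYPES = {
    "system_r": {"httpd_t", "sshd_t"},
    "user_r": {"user_t"},
}


def check_access(subject, obj, obj_class, perm):
    """Return (allowed, reason). Everything not explicitly allowed is denied."""
    if subject.type_ not in ROLE_TYPES.get(subject.role, set()):
        return False, f"role {subject.role} is not authorised for type {subject.type_}"
    perms = ALLOW.get((subject.type_, obj.type_, obj_class), set())
    if perm not in perms:
        return False, f"no allow rule: {subject.type_} {obj.type_}:{obj_class} {{ {perm} }}"
    # MCS: the subject's category set must dominate (contain) the object's.
    if not obj.categories <= subject.categories:
        missing = ",".join(sorted(obj.categories - subject.categories))
        return False, f"MCS: subject lacks categories {missing}"
    return True, "allowed"


def main():
    httpd = Context.parse("system_u:system_r:httpd_t:s0:c0,c5")
    page = Context.parse("system_u:object_r:httpd_sys_content_t:s0:c0")
    tenant = Context.parse("system_u:object_r:httpd_sys_content_t:s0:c1")
    shell = Context.parse("user_u:user_r:user_t:s0")
    shadow = Context.parse("system_u:object_r:shadow_t:s0")
    for subj, obj, cls, perm in [
        (httpd, page, "file", "read"),      # allowed
        (httpd, page, "file", "write"),     # no rule
        (httpd, tenant, "file", "read"),    # category c1 not held
        (shell, shadow, "file", "read"),    # no rule for user_t
    ]:
        ok, why = check_access(subj, obj, cls, perm)
        print(f"{subj.type_} -> {obj.type_} {perm}: {'ALLOW' if ok else 'DENY'} ({why})")


if __name__ == "__main__":
    main()
```

The third case is the one worth noticing: the allow rule exists, yet access is still denied because the web server holds categories c0 and c5 but the file is labelled c1. That is how a single httpd_t domain can be kept from reading another tenant's content without writing a new type for each tenant.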
It's a dangerous world. Every day, thousands of attacks that threaten to corrupt key systems, steal customer data, and otherwise abuse information-technology assets assault U.S. businesses.
The SANS Institute, which provides computer security education and training, estimates that the average Internet network address experiences an attack every 24 minutes. In most cases, it's an unscrupulous hacker trying to infect corporate computers with viruses, worms and Trojans, commonly dubbed "malware."
Imagine how useful it would be to have an online knowledge base that can easily be updated created by key people within your organization. That's the promise of a wiki -- a Web application that "allows users to easily add, remove, or otherwise edit all content, very quickly and easily," as Wikipedia, perhaps the best-known wiki, puts it. Why not bring the benefits of a wiki to your organization?
If you're sold on the concept, the first thing you need to do is to pick the software that you're going to use for your wiki. If you want to hunt around to find out what's out there, a good place to start is Wikipedia's wiki software wiki. If you say, "I'll use whatever Wikipedia is using," that'll be MediaWiki.
Welcome to the first Help Net Security Podcast. We are going to be focusing on the enterprise and informing you on new products and technologies. While at the Infosecurity show in London we met up with Shirley O'Sullivan, the Security Leader EMEA at Nortel. In this podcast you can listen to her discuss their approach to security.
Techno Imperialism and the Effect of Cyberterrorism
18th, May, 2006
It's been a while since I've last blogged about Cyberterrorism, and while many did mention the topic in between the recent DRDoS attacks, Cyberterrorism is so much more than simply shutting down the Internet, namely the ability to communicate, research, recruit and use propaganda to achieve goals based on ideological beliefs, or the convergence of Terrorism and the Internet. Can we argue that cyberterrorism is the direct effect of techno imperialism, or let's use a more friendly word such as IT-dependent society and information infrastructure?
It's foolish to care if CISSP skills are being taught in colleges. Why? It's a moot point. But it does bring to light another, more serious issue, that of who really is an information security professional, and who may simply be masquerading as one.
While some may worry that future employers of young potential CISSPs will be fooled by the lack of experience that these recent graduates will carry to their jobs, I say companies should know better. [Editor's note: Regardless of coursework or exam passage, prospective CISSPs are unable to obtain the certification without four years experience in the field, or three years with a college degree or equivalent life experience.] Unless a firm is making its first security hire, then it should easily be able to identify those who have what it takes to make it in the field versus those attempting to fool potential employers with mere "knowledge certifications."
Do anti-phishing toolbars in web browsers stop phishing attacks? No. Can they reduce them, even for savvy users? Yes. Are they all equally effective? No. MIT researchers found that users are highly likely to ignore anti-phishing toolbars... especially those designed to verify SSL certificates. The researchers installed browser toolbars without training the subjects in their proper use. Then subjects were asked to do various tasks requiring a username and password, like adding to a Wish List. The subjects incorrectly divulged usernames and passwords to the phishing sites 52% of the time. After users were dragged through a tutorial, successful Neutral Info toolbar spoofs dropped to 28% while spoofs of those using System Decision toolbars plummeted to 15%. SSL-verification users were fooled 35% of the time.
Can We Make Operating Systems Reliable and Secure?
16th, May, 2006
When was the last time your TV set crashed or implored you to download some emergency software update from the Web? After all, unless it is an ancient set, it is just a computer with a CPU, a big monitor, some analog electronics for decoding radio signals, a couple of peculiar I/O devices - a remote control, a built-in VCR or DVD drive - and a boatload of software in ROM.
A "highly critical" flaw in RealVNC's virtual network computing software could allow malicious hackers to access a remote system without a password, according to a published advisory. RealVNC, the Cambridge, U.K.-based company that invented the open-source software, has acknowledged the flaw and posted patches for all affected versions.
The perennial problem of password management is still proving a major headache for end users and the problems are only getting more complex - especially as companies start to weigh up the pros and cons of updating systems to work with newer forms of authentication. Phil Young, head of IT operations, Amtrak Express Parcels, told silicon.com password management remains a "nightmare" issue for many businesses. And he said it's "a very big issue and becoming bigger by the year", branding human-error activities such as writing down passwords as "a recipe for disaster".
Password Hell (Part 2): Companies Must Get It Right...Now
16th, May, 2006
Failure to properly instil a culture of effective password management in a company could land its directors in jail, while wading through alternatives to "fatally flawed" passwords is a process mired in "fear, uncertainty and doubt" according to experts on all sides of the debate. The only given is that the need to get it right is now more pressing than ever, according to one top lawyer. David Naylor, partner at law firm Field Fisher Waterhouse, said companies need to ensure they have strict policies in place regarding password management and said best practice would be to incorporate these as requirements in the company's contractual arrangements with employees and third-parties with access to the company systems.
Network administrators face many threats from both inside and outside the walls of their infrastructure. This paper discusses the risks that everyone faces along with ways to mitigate the exposure and resulting damage from such an attack. It will also focus on new devices being produced to provide increased security. Despite losing router market share to Juniper, Cisco remains the largest provider of routers, which form the backbone for the majority of companies today [10]. The large role Cisco routers play in the infrastructure of the internet, and the nature of the protocols these routers use, make them a large target for hackers wanting to exploit these vulnerabilities.
The equipment that technician Mark Klein learned was installed in the National Security Agency's "secret room" inside AT&T's San Francisco switching office isn't some sinister Big Brother box designed solely to help governments eavesdrop on citizens' internet communications. Rather, it's a powerful commercial network-analysis product with all sorts of valuable uses for network operators. It just happens to be capable of doing things that make it one of the best internet spy tools around.
Protocol abuse targets vulnerabilities in many types of devices and applications, from firewalls, VoIP controllers and VPN gateways to intrusion-prevention systems and other perimeter defense. Despite the considerable investments made in security infrastructure, many vulnerabilities remain undetected. To alleviate protocol abuse, a new class of product - the security analyzer - can help IT departments assess the security of IP-based products, service or applications. A security analyzer utilizes a rigorous process, complete with an audit trail and remediation scripts, to find and fix vulnerabilities before deploying systems and software into production networks.
Passwords are fatally flawed, it's true, but for now they are the best option for many companies. But almost everybody could be managing them more effectively.
In all likelihood passwords will remain a problem until the very day they are replaced by technologies such as biometrics, which is the direction the industry appears to be heading. However, until that day comes, below are some tips for fostering a culture of secure and more effective password management.
"From an attacker's viewpoint, a Web application is an interesting target for several reasons. First, the quality of the source code as related to security is often rather poor, as numerous bug reports show... Another factor is the applications' complex setup." [Holz06]
Recent years have seen a substantial rise in the number of attacks directed against web applications, such as SQL injection, cross-site scripting attacks (XSS) and other input validation problems such as remote file includes in some PHP applications, command injection in the XML-RPC library and in the awstats[Aws06] package. Partly this is because a great deal of application level code has been written, and some of it without much regard to security issues.
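As an added example (not code from the paper cited above), two of the bug classes it names, SQL injection and cross-site scripting, shown as the vulnerable routine beside its hardened form. It uses an in-memory SQLite database; the user table, password-hash placeholders and inputs are constructed for illustration.

```python
"""Injection-prone code beside its hardened form for two attack classes the
paper names: SQL injection and cross-site scripting.

Added example, not code from the paper quoted above. Uses an in-memory
SQLite database with constructed rows; the user table and inputs are made up.
"""
import html
import sqlite3


def setup_db():
    """Constructed sample data: two users with placeholder password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash_a"), ("bob", "hash_b")],
    )
    return conn


def login_vulnerable(conn, username, password_hash):
    """Query text assembled from untrusted input: the injection bug."""
    sql = (
        "SELECT username FROM users WHERE username = '"
        + username + "' AND password_hash = '" + password_hash + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password_hash):
    """Parameterised query: values travel separately from the SQL text."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()
    return row[0] if row else None


def render_comment_vulnerable(text):
    """Reflects user text straight into HTML: the XSS bug."""
    return "<p>" + text + "</p>"


def render_comment_safe(text):
    """Output-encodes the text so browsers treat it as data, not markup."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def main():
    conn = setup_db()
    # A username that closes the string literal and comments out the rest
    # of the WHERE clause, so the password check never runs.
    crafted = "alice' --"
    print("vulnerable:", login_vulnerable(conn, crafted, "wrong"))   # alice
    print("safe:      ", login_safe(conn, crafted, "wrong"))         # None
    print("safe, real:", login_safe(conn, "alice", "hash_a"))        # alice
    print(render_comment_vulnerable("<script>alert(1)</script>"))
    print(render_comment_safe("<script>alert(1)</script>"))


if __name__ == "__main__":
    main()
```

The point in both pairs is the same: the fix is not filtering the input but keeping data and code on separate channels, parameters for SQL and output encoding for HTML.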
Learning lessons from incidents is a very important part of incident handling. Yet with targeted attacks it is very hard as you need to have a case before you can learn. So learning from others is even more important in this case.
Michael reported on an unnamed organization being hit by a limited, targeted attack.
Detection is mostly the very hard part in these attacks. This case seems to have been detected by a very alert user detecting a domainname in an email that wasn't completely right.
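The "domain name that wasn't completely right" can be checked by software as well as by an alert user. The following is an added example, not code from the diary entry above: it pulls the sender domain out of From: headers and classifies it against a trusted list as an exact or subdomain match, a confusable-character lookalike, a trusted name embedded in a longer domain, a near-miss spelling, or unrelated. The trusted list, the confusable table and the sample headers are all constructed.

```python
"""Flag From: addresses whose domain merely resembles a trusted one.

Added example, not code from the SANS ISC diary summarised above. The
trusted domain list, the confusable-character table and the sample headers
are all constructed for illustration.
"""
import re

TRUSTED = ["example.com", "mail.example.com"]  # constructed

# Character sequences commonly swapped to imitate a domain (constructed, partial).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]


def normalize(domain):
    """Lower-case and collapse look-alike sequences to their plain form."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Edit distance; small values mean a near-miss spelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return one of: trusted, lookalike, embedded, near-miss, unrelated."""
    d = domain.lower()
    for t in TRUSTED:
        if d == t or d.endswith("." + t):
            return "trusted"
    for t in TRUSTED:
        if normalize(d) == normalize(t):
            return "lookalike"          # e.g. examp1e.com, exarnple.com
    for t in TRUSTED:
        if ("." + t + ".") in ("." + d + "."):
            return "embedded"           # e.g. example.com.evil.test
    for t in TRUSTED:
        if levenshtein(normalize(d), normalize(t)) <= 2:
            return "near-miss"          # e.g. exampel.com
    return "unrelated"


def sender_domain(header):
    """Extract the domain from a From: header line, or None."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header)
    return m.group(1).rstrip(".") if m else None


def scan_headers(lines):
    """Return (domain, verdict) for each From: line that carries an address."""
    results = []
    for line in lines:
        if not line.lower().startswith("from:"):
            continue
        dom = sender_domain(line)
        if dom:
            results.append((dom, classify(dom)))
    return results


# Constructed sample headers, as they might appear in a mail log or mbox.
SAMPLE_HEADERS = [
    "From: Alice <alice@example.com>",
    "From: IT Support <helpdesk@examp1e.com>",
    "From: HR <hr@exarnple.com>",
    "From: Billing <billing@example.com.evil.test>",
    "From: Friend <x@exampel.com>",
    "From: Newsletter <news@unrelated.test>",
]

if __name__ == "__main__":
    for dom, verdict in scan_headers(SAMPLE_HEADERS):
        flag = "" if verdict == "trusted" else "  <-- review"
        print(f"{dom:28} {verdict}{flag}")
```

Only the "trusted" verdict passes silently; everything else is queued for a human to look at, which matches how this incident was actually caught. The edit-distance threshold of 2 is a starting point and will need tuning against real mail volume, since very short trusted domains produce more near-miss hits.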
Portland, Oregon is the unlikely capital of a global software revolution. The revolution is called Open Source. And its leader? Linus Torvalds, the reclusive founder of Linux.
Linux is the free software code developed by a global community of programmers. It's also the world's fastest growing operating system and number two behind Microsoft.
Trusted operating systems have been used for some time to lock down the most sensitive of information in the most sensitive of organizations. But with security concerns rising and changing by the hour, it's now a matter of trust for any organization looking to tighten its computing ship. Several vendors, including Red Hat, Sun Microsystems and Novell, are responding by adding and/or improving trusted elements in their operating system offerings.
Panda Software has launched a new beta version of Panda DesktopSecure for Linux. The Panda Software solution for protecting workstations in Linux environments includes notable improvements, for example, in the generation of reports on the detection of malicious code. Similarly, it is now compatible with more kernels in the Linux distributions supported by DesktopSecure for Linux.
A digital photo-sharing service run by Eastman Kodak Co. settled charges it sent e-mails to 2 million recipients and failed to give them a way to opt out of future messages, the Federal Trade Commission said Thursday.
Kodak Imaging Network, previously known as Ofoto Inc., agreed to pay a $26,331 penalty for violating a U.S. law aimed at curbing spam.
Ask Google anything--what's happening to GE's stock price, how to get to 881 Seventh Ave. in New York, where Mission Impossible 3 is showing, whatever happened to Brian W. after he moved away in the ninth grade--and you'll get an answer. That's the power of this $6 billion search engine sensation, which is so good at what it does that the company name became a verb.
That kind of power keeps Google on the front page of the news--and sometimes under unfavorable scrutiny, as demonstrated by Google's recent clashes with the U.S. Department of Justice and also with critics displeased by the search giant's stance on Chinese government censorship.
Security Feature in Microsoft's New Windows Could Drive Users Nuts
16th, May, 2006
An annoying surprise awaits 2 million consumers expected to enthusiastically step forward in the next few weeks to help Microsoft test its new Windows Vista PC operating system.
Volunteers will test Vista Beta 2, a near-final version of the much-hyped upgrade of Windows. The testing is the last step leading up to Vista's broad consumer release, scheduled for January.
Chase Phillips used to spend up to 100 hours a week writing code for the Firefox browser. Bruce Momjian, a former teacher, manages the E-mail list for contributors to the PostgreSQL database. Brian McCallister spends evenings and weekends working on projects for the Apache Software Foundation. Swedish engineer Peter Lundblad labors over Subversion, a change management system for distributed development, at night "when the children are sleeping and my wife watches TV."
This spirit of volunteerism is alive and well in the world of open source software. Thousands of people donate their time and expertise to the benefit of all. But not everyone is giving as much as they're getting. Large companies, those with the greatest wherewithal to help, are surprisingly minor players in the roll-up-your-sleeves work of open source development.
Blue Security Calls It Quits After Attack By Renegade Spammer
18th, May, 2006
Anti-spam firm Blue Security is to scrap its spam-fighting effort after deciding its escalating conflict with a renegade spammer was placing the internet as a whole in jeopardy. Blue Security established a ‘Do Not Intrude Registry’ (akin to the Do Not Call Registry for telemarketing) with around 450,000 members. Participants downloaded a small tool, called Blue Frog, which systematically floods the websites of spammers with opt-out messages. Depending on your point of view, this initiative can either be viewed as community action or vigilantism.
VeriSign has announced plans to acquire GeoTrust, its largest SSL certificate rival, for approximately $125m in cash. The deal, announced on Wednesday, is expected to close in the second half of this year, subject to regulatory approval.
This new paper, which is about to appear later this month (May, 2006) at the IEEE Security and Privacy conference, describes holes in Linux's random number generator, as well as giving a clear description of the Linux /dev/random. The Linux random number generator is part of the kernel of all Linux distributions and is based on generating randomness from the entropy of operating system events. The output of this generator is used for almost every security protocol, including TLS/SSL key generation, choosing TCP sequence numbers, and file system and email encryption.
Although the generator is part of an open source project, its source code (about 2500 lines of code) is poorly documented, and patched with hundreds of code patches.
Is the CISSP going the way of the Dodo? Or at least going down the same path of devaluation that has haunted the MCSE for some time? I don't think so, but Sean Walberg seems to think so. The ISC2 is working on a program that will allow colleges to teach the 10 domains that are covered by the CISSP exam. The students will be allowed to take the CISSP exam and if they pass they will become Associate CISSPs with 5 years to accumulate the experience necessary to be full-fledged CISSPs. I think Sean is 100% wrong on this subject and that these courses will actually strengthen the CISSP certification.
GE security exec shares tips for reducing security risks
16th, May, 2006
When it comes to putting data and identity thieves in their place, Peter Costa says there's no room for being Mr. Nice Guy. "Have a public hanging… they have to know you'll go after them," says Costa, who heads up enterprise security at GE Consumer Finance - Americas. Companies need to be "fanatical about prosecution," he says.
A government-backed IT security network that brings together specialists from business, universities and government aims to identify and plug the gaps in information security technology and practice.
The Cyber Security Knowledge Transfer Network, launched last week, will fund research programmes into priority areas of security. Its director, Sadie Creese, said, "The network is going to identify solutions and strategies; new ways of solving problems. We are going to be roadmapping, horizon scanning, investigating threats."
In February of this year, a student from the University of Utrecht in the Netherlands reported a flaw in the UPnP protocol to Linksys. In January he had told Microsoft about the bug, and Broadcom was informed in March 2006. Microsoft’s response to him was that the bug only exists if a router was configured incorrectly. Broadcom didn’t respond to him until he wrote his Proof of Concept paper in April. Recently he was informed that Linksys made a new firmware available for some of their devices, but not all of them, that corrects this problem.
Valuing Security and Prioritizing Your Expenditures
19th, May, 2006
I often blog on various market trends related to information security and try to provide in-depth coverage of emerging or current trends -- in between active comments. In previous posts "FBI's 2005 Computer Crime Survey - what's to consider?", "Spotting valuable investments in the information security market", "Why we cannot measure the real cost of cybercrime?", "Personal Data Security Breaches - 2000/2005" and "To report, or not to report?" I emphasized the following key points with respect to data security breaches and security investments:
- on the majority of occasions companies are taking an outdated approach towards security, one that is still living in the perimeter-based security solutions world
- companies and data brokers/aggregators are often reluctant to report security breaches even when they have the legal obligation to, due to the fact that either the breach still hasn't been detected, or there is a lack of awareness of what is a breach worth reporting
Security experts fear that the UK government is on track to outlaw the supply of network security tools, and even scripting languages such as Perl. IT and security professionals who make network monitoring tools publicly available or disclose details of unpatched vulnerabilities could be convicted under a proposed UK law, experts have warned.
HIDDEN FOLDERS, "DELETED" FILES AND INTERNET CACHES HIDE CLUES CRIMINALS NEVER KNEW THEY LEFT BEHIND
15th, May, 2006
The night Cindy M.* disappeared, she ate dinner with her parents and older brother in the family’s two-story suburban Pittsburgh home, then went to her room and promised to come back for apple-walnut pie. The pretty 13-year-old with dark blond hair and blue-green eyes never returned. When her parents checked her room, they found neither a note nor a sign of forced entry. It was New Year’s Day, 2002, and their daughter was simply gone. Pittsburgh police spent almost two days interviewing Cindy’s friends and family, while neighbors scoured nearby fields and gullies, but everyone came up empty.
A Home Office department is fingerprinting under-fives, and may include babies, in a biometrics ID scheme. The trial ends the department’s technological taboo on enrolling very young children in identity checks.
Details of the scheme emerged after the Home Office released an internal report under the Freedom of Information Act, which contained a section on fingerprinting under-fives.
The UK could be one of the first countries to fingerprint under-fives – and possibly the first. When Malaysian police last year proposed fingerprinting of babies there were strong protests from civil liberties groups in the country.
The number of companies reporting a spyware infestation has increased by almost half in the past 12 months, according to a new survey. In addition, 17 percent of companies with more than 100 employees have spyware such as a keylogger on their networks, said the authors of the annual Websense Web@Work survey, published on Tuesday. "This is almost 50 percent growth in the instances of keyloggers that organizations are reporting back," said Joel Camissar, a manager for Internet security specialist Websense.
The most common retort against privacy advocates -- by those in favor of ID checks, cameras, databases, data mining and other wholesale surveillance measures -- is this line: "If you aren't doing anything wrong, what do you have to hide?"
Some clever answers: "If I'm not doing anything wrong, then you have no cause to watch me." "Because the government gets to define what's wrong, and they keep changing the definition." "Because you might do something wrong with my information." My problem with quips like these -- as right as they are -- is that they accept the premise that privacy is about hiding a wrong. It's not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.
Imagine being the head of a major telecommunications company in the United States. You and your lawyers have developed a carefully worded privacy policy to conform with the law. In it you tell your customers that you do not share information about your customers' use of your services except for particular business purposes, and to ensure that the calls get through. You also tell your customers that you, of course, give information in response to lawful subpoenas or lawful mandates of law enforcement agencies. And that's about it.
Open Source stacks shake up government security certifications
17th, May, 2006
Open-source stacks are poised to shake up the world of government security certifications, such as the National Institute of Standards and Technology's Federal Information Processing Standard 140-2 and the National Information Assurance Partnership's Common Criteria ratings.
Agencies that must buy software to meet these standards are finding that an open-source, modular approach can provide new choices on the marketplace.
Businesses and individuals may soon have to release their encryption keys to the police or face imprisonment, when Part 3 of the RIP Act comes into effect. The UK Government is preparing to give the police the authority to force organisations and individuals to disclose encryption keys, a move which has outraged some security and civil rights experts.
The Commerce Department has awarded a task order to the International Information Systems Security Certification Consortium, or (ISC)2, to provide an expanded information security education program for the department’s information security employees.
The State Department, reacting to security concerns after its purchase of computers from a Chinese company, will not use the equipment for classified information, an aide to Virginia Republican Rep. Frank Wolf said on Thursday.
As a white-hat hacker for a big audit firm I spent days and nights in our “lab” launching scans and scripted attacks against client networks. Other than the possession of a “get-out-of-jail-free card”, a signed agreement from the customer, our methodologies were the same as any hacker’s. Eventually I developed the following slide to better describe the anatomy of a hack.
"Black hat hackers" are the enemy of the computer network field, breaking into computer systems of different companies and groups and wreaking havoc.
Two groups of area high school students -- one each from City High and West High -- are working to become "white hat hackers," preventing such attacks through network security.
The two schools will be among 12 high schools from across Iowa who will compete Friday and Saturday in the Iowa High School Cyber Defense Competition at Iowa State University in Ames. In the contest, the teams will spend 15 hours running a computer security network for a fictional dot-com company and ensuring no unauthorized users, from ISU computer science students and a "supercomputer" designed to look for holes in the protection, enter the system, said Dominic Audia, City High's Cisco Network Academy instructor and a West High biology teacher who is overseeing the Iowa City high school teams.
PandaLabs has detected a network of computers infected with the bot Clickbot.A, which is being used to defraud ‘pay per click’ systems, registering clicks automatically and providing lucrative returns for the creators. According to the data collected so far, the scam is exploiting a global network comprising more than 34,000 zombie computers (those infected by the bot).
The Biggest Hacking Incident In The Web-hosting History
19th, May, 2006
Yesterday the Turkish cracker going by the handle "Iskorpitx" successfully hacked 21,549 websites in one shot (plus 17,000 as of our last update) and defaced (on a secondary page) all of them with a message showing the Turkish flag (with Atatürk's face on it) and reporting: HACKED BY iSKORPiTX (TURKISH HACKER) ..."
Dimitry Ivanovich Golubov doesn't look like an arch criminal. A baby-faced 22-year-old Ukrainian, he is described by his lawyer as an unassuming part-time student at Mechnikov University in Odessa.
WiFi startup Airmagnet wants you all to know that it offers more than just wireless security. Yep, the company also does scintillating stuff like network performance analysis and 802.11 VOIP testing, and has overhauled its Website and marketing message to reflect this.