The computer scientist credited with inventing the World Wide Web on Tuesday strongly condemned moves by U.S. broadband providers to control their subscribers’ content, saying it threatens the Internet’s greatest strength: openness.

http://www.linuxsecurity.com/content/view/122857

Defeated antispam vendor Blue Security may be no more, but that's not the case for its technology and its spam-fighting hubris. A new independent group called Okopipi intends to pick up where Blue Security left off by creating an open source, peer-to-peer software program that automatically sends "unsubscribe" messages to spammers and/or reports them to the proper authorities.

http://www.linuxsecurity.com/content/view/122890

A lawsuit filed Wednesday accuses the Motion Picture Association of America of hiring a hacker to steal information from a company that the MPAA has accused of helping copyright violators.

http://www.linuxsecurity.com/content/view/122906

Studying cryptanalysis is difficult because there is no standard textbook, and no way of knowing which cryptanalytic problems are suitable for different levels of students. This paper attempts to organize the existing literature of block-cipher cryptanalysis in a way that students can use to learn cryptanalytic techniques and ways to break new algorithms.

http://www.linuxsecurity.com/content/view/122866

The use of strong public encryption has always been popular among geeks. Perhaps the most commonly used and most beloved encryption for e-mail is Pretty Good Privacy (PGP); started as a free method for protecting emails or other sensitive information, later turned into a cornerstone for a large company. As PGP became more corporate, costly and used patented algorithms, another project, GnuPG, sprung up to continue to offer strong encryption to the masses.

http://www.linuxsecurity.com/content/view/122868

There are various types and methods of data encryption. Some of the most popular forms of data encryption include single file encryption, folder encryption, volume encryption, whole disk encryption, and of course email encryption. The Windows XP operating system has the ability to perform file and folder encryption.

http://www.linuxsecurity.com/content/view/122884

The University of Washington Computer Science department has made CSEP 590 cryptography lectures available in PDF, PPT, video, and audio format. Those interested in learning more about cryptography from an academic perspective will surely find this interesting.

http://www.linuxsecurity.com/content/view/122885

In this article I'm going to cover password hashing, a subject which is often poorly understood by newer developers. Recently I've been asked to look at several web applications which all had the same security issue - user profiles stored in a database with plain text passwords

http://www.linuxsecurity.com/content/view/122924

Imagine how useful it would be to have an online knowledge base that can easily be updated created by key people within your organization. That's the promise of a wiki -- a Web application that "allows users to easily add, remove, or otherwise edit all content, very quickly and easily," as Wikipedia, perhaps the best-known wiki, puts it. Why not bring the benefits of a wiki to your organization? If you're sold on the concept, the first thing you need to do is to pick the software that you're going to use for your wiki. If you want hunt around to find out what's out there, a good place to start is Wikipedia's wiki software wiki. If you say, "I'll use whatever Wikipedia is using," that'll be MediaWiki.

http://www.linuxsecurity.com/content/view/122819

In late 2004 Z4CK - meaning Zaurus-ACK, a novel about a hacker who creates the ultimate hacking tool was released in PDF and paperback formats. The novel was well received by the Linux, PDA and Security communities. In Z4CK Duncan Steele creates the ultimate hacking tool, which goverment agencies and criminals alike are desperate to obtain, so much so that the main character finds himself framed by the government for a murder he did not commit. Unlike films such as 'The Net' and 'Swordfish' real world hacking techniques are used.

http://www.linuxsecurity.com/content/view/122886

Spamcop is a service which provides RBLs for mailservers in order to reject incoming mail from spammers. Their philosophy is to process possible spam complaints from users. When they receive a certain amount of complaints during a time-period then they will blacklist the offender. This system is dependant on spam reporting from users. However, their submission process is not very user-friendly.

http://www.linuxsecurity.com/content/view/122923

Scandoo.com is the first secure search service available free to anyone on the web. Currently in initial beta testing, Scandoo.com provides an early warning system to help users search the web safely and securely and avoid the risk of clicking on unknown web sites. The simple, intuitive service guides web users through searches, allowing them to detect and avoid malware, including spyware, adware and viruses, as well as harmful, offensive or illegal content, such as pornography, gambling, hatred and phishing sites.

http://www.linuxsecurity.com/content/view/122854

IptablesWeb is a free software (under GPL licence): it allows to inspect iptables logs, to receive e-mails and alerts using a web browser; it's a plugin-based multilanguage and multiuser software written in PHP.

http://www.linuxsecurity.com/content/view/122865

Would you like to have a Linux-based router capable of doing tasks such as stateful firewall inspection, virtual private networking, and traffic shaping, in addition to packet routing? Tired of having to do administration from the command line but want to be able to administer your box from a Windows-based client PC? MikroTik's RouterOS may what you need. You can boot RouterOS via diskette, CD, or over the network via PXE or Etherboot-enabled network interface card. You can find a full list of RouterOS technical specifications at the homepage.

http://www.linuxsecurity.com/content/view/122852

MicroWorld Technologies launched its futuristic, enterprise class firewall eConceal. eConceal is a comprehensive network firewall developed to prevent unauthorized access to a computer or network connected to the Internet. It enforces a boundary between two or more networks by implementing default or user-defined Access Control Policies or Rules. These rules function as filters by analyzing data packets to see if they fulfill the filter criteria and then allow or block the traffic accordingly.

http://www.linuxsecurity.com/content/view/122910

Fundamentally, Single Sign On (SSO) is a straightforward idea. You use a proxy device to authenticate a user, and the proxy then manages all the login idiosyncrasies of the applications they want to access.

Easy to describe, and straightforward to transcribe onto slideware. The devil is, of course, in the detail. For example, how do you know how all of your enterprise applications manage their login? Does the proxy do this for you or do you have to write a login script for each one individually? If you deploy the solution and the application decides it wants a password refresh, is your helpdesk buried by calls from angry users who can't get into the application and do their work?

http://www.linuxsecurity.com/content/view/122917

With so much attention paid to malicious attacks by hackers, worms and viruses, it's a common misconception that outside forces pose the greatest danger to a company's data. The reality, however, is that internal elements are far more dangerous when it comes to data security than anything on the outside, including natural disasters.

http://www.linuxsecurity.com/content/view/122922

As hackers and cyber-thieves become increasingly sophisticated, I often wonder why some organizations still think it's a good idea to bypass expert help and develop their own (vulnerable) systems.

http://www.linuxsecurity.com/content/view/122873

This technical note describes a detection/prevention technique that works in many cases both with HTTP Response Splitting and with HTTP Request Smuggling. This technique makes use of implicit information found in the TCP stream, namely the segmentation into packets and the TCP PSH bit.

In HTTP Response Splitting, the proposed technique needs to be applied at the proxy server, the one closest to the web server, and to the response stream. In HTTP Request Smuggling, this technique needs to be applied at the entity closest to the attacked proxy server/device (i.e. implemented in another proxy server, or the web server itself), and to the request stream (note, however, that this second server may be off the premises of the organization wherein the web server is, see also "Can HTTP Request Smuggling be blocked by Web Application Firewalls?".

http://www.linuxsecurity.com/content/view/122900

Managing network security gets harder every day as the number and types of threats multiply. Security is also a double-edged sword, and an incorrectly implemented or mismanaged security policy can prevent network commerce and stand in the way of the mission of the enterprise.

http://www.linuxsecurity.com/content/view/122911

Yesterday I got chance to play with Squid and iptables. The job was to setup Squid proxy as a transparent server. Main benefit of setting transparent proxy is you do not have to setup up individual browsers to work with proxies.

http://www.linuxsecurity.com/content/view/122925

Hardly a day goes by that we don't hear new information about some company getting themselves hacked. Sure they all have firewalls, but HOW are the hackers getting in? I was hired to perform an application security audit for a local university. They wanted to make sure that they didn't become part of the growing statistics.

http://www.linuxsecurity.com/content/view/122926

A new documet, titled "Log analysis for Intrusion Detection", is available. It shows how some threats can be detected by correlating specific patterns on web logs, proxy logs and authentication logs..

"Log analysis is one of the most overlooked aspects of intrusion detection. Nowadays we see every desktop with an anti-virus, companies with multiple firewalls and even simple end-users buying the latest security related tools. However, who is watching or monitoring all the information these tools generate? Or even worse, who is watching your web server, mail server or authentication logs?"

http://www.linuxsecurity.com/content/view/122853

Log analysis is one of the most overlooked aspects of intrusion detection. Nowadays we see every desktop with an antivirus, companies with multiple firewalls and even simple endusers buying the latest security related tools.

However, who is watching or monitoring all the information these tools generate? Or even worse, who is watching your web server, mail server or authentication logs? I'm not talking about pretty usage statistics of your web logs (like what webalizer does). I'm talking about the crucial security information that only few of these events have and nobody notices. A lot of attacks would not have happened (or would have been stopped much earlier) if administrators cared to monitor their logs.

We are not saying that log analysis is easy or that you should be manually looking at all your logs on a daily basis. Because of their complexity and generally high volume, automatic log analysis is essential.

http://www.linuxsecurity.com/content/view/122919

Blue Security may have been forced to close because of denial of service attacks from spammers, but the internet community is determined to carry on its work.

http://www.linuxsecurity.com/content/view/122872

SSL is a wonderful protocol, but it is frequently used badly. This note is intended to point out some of the more common errors made by applications using SSL. This checklist should be useful for application developers, system administrators, and the occasional penetration tester. This note assumes you have at least a casual knowledge of SSL, but is not a paper about cryptography. If you know enough to write an SSL library, you will know every single one of the mistakes I mention below, plus a few more. Still, I hope that those of you who are writing SSL toolkits will consider why these mistakes are made. Perhaps it will help you design your toolkits so that novices use them correctly.

http://www.linuxsecurity.com/content/view/122840

When the Indiana Department of Education rolled out PCs running Linux to schools last year, it installed open source Latest News about open source antivirus software on the servers connected to the desktop systems to scan incoming e-mail. However, it didn't bother to put antivirus tools on the PCs themselves. "I hate to admit this, but I wasn't worried," said Forrest Gaston, a consultant who is managing the project for the Indianapolis-based agency. And despite heavy Internet usage by students, Gaston's optimism has been borne out thus far. Desktop security "hasn't been an issue," he said.

http://www.linuxsecurity.com/content/view/122908

Skype is advising users to upgrade to a more recent version of its voice-over-IP software to fix a security bug reported late last week by a security researcher in New Zealand. The bug affects several versions of the Skype client for Windows and could allow an attacker to download a file from an affected PC without permission. Skype rated the vulnerability "medium risk."

http://www.linuxsecurity.com/content/view/122850

iamjoltman writes "I've been looking to replace the McAfee anti-virus on my parent's XP machine. So, I've been looking at the three free anti-virus choices, AVG Free Edition, avast! Home Edition and AntiVir Personal Edition. I know there are other options, but I believe any others are only on-demand scanners, and that's not an option. So, what does the Slashdot crowd think is the best of these choices? Keep in mind, I'm only looking in anti-virus, I'll go elsewhere for firewall or malware protection."

http://www.linuxsecurity.com/content/view/122859

Mozilla, maker of the open source Firefox web browser and Thunderbird email client, says a reliance on proprietary technologies is still an obstacle for IT directors looking to deploy open source in the enterprise. Mozilla Corporation CEO Mitchell Baker readily admitted to silicon.com that the enterprise is "not our sweet spot" but said the organisation offers an enterprise customisation kit created by an IBM developer and said it's interested in working with partners to address the needs of corporate IT.

http://www.linuxsecurity.com/content/view/122876

Mary Ann Davidson, chief security officer for database giant Oracle, remembers the first time she heard her company's marketing scheme that advertised its database products as "unbreakable." "I think my response was 'What idiot dreamed this up?," Davidson said Thursday at the W3C conference in Edinburgh, Scotland.

http://www.linuxsecurity.com/content/view/122889

ArcSight this week announced it would acquire NAC vendor Enira Technologies to augment ArcSight's security information management software with Enira's automated network response technology.

http://www.linuxsecurity.com/content/view/122894

John the Ripper 1.7.2 (a "development" version) adds bitslice DES assembly code for x86-64 making use of the 64-bit mode extended SSE2 with 16 XMM registers. You can download it at the usual location: http://www.openwall.com/john/.

http://www.linuxsecurity.com/content/view/122844

Businesses have blindly joined in the reactive post-and-patch game of AV updates and application vulnerability patching, without fully understanding that it will inevitably lead them to a never-ending spiral of security updates. This would seem not to be the most effective way of keeping your endpoints free from infiltration, and yet the industry as a whole has stumbled onward, quite happily playing this reactive game for some time.

http://www.linuxsecurity.com/content/view/122839

Only about half of the vulnerabilities (technical vulnerabilities) in web applications can be scanned for. The other half (logical vulnerabilities) must be tested for by an experienced expert. WhiteHat Security founder and CTO, Jeremiah Grossman, explains differences between the two issues and the fundamentals reasons why technology alone cannot solve the problem.

http://www.linuxsecurity.com/content/view/122867

The Information Security Breaches Survey 2006 highlights the fact that most businesses are a long way from having a security aware culture. Although three quarters of UK businesses rate IT Security as a high priority, with protecting customer information becoming increasingly important, worryingly just 1 firm in 8 has IT security qualified staff to put procedures in place. Businesses that rely on online interaction with their customers are advised to get a handle on Identity Management to counteract the growing threat of identity theft and fraudulent attacks.

http://www.linuxsecurity.com/content/view/122858

When it comes to software security, the general perception is that including technologies such as firewalls, intrusion prevention systems, and malware protection throughout the software development life cycle is all that’s needed to keep information secure in the end product. However, these technologies are mostly reactive in nature and don’t prevent the vulnerabilities in the first place. Also, at the development level, there’s a lot of talk about testing for buffer overruns, validating user input, using the principle of least privilege, and so on. These are certainly solid practices, but there’s still a considerable gap when it comes to getting to the root of software flaws – the development process itself.

http://www.linuxsecurity.com/content/view/122860

StopBadware.org, the organization dedicated to highlighting software that consumers might prefer to avoid, Wednesday added another round of software programs to its "Badware Watch List." The latest inductees into this hall of software shame include four programs: FunCade, a gaming application that comes bundled with BullsEye and NaviSearch; Team Taylor Made's "Jessica Simpson Screensaver"; a scanner called "UnSpyPC; and WinFixer 2005 and 2006. Each was cited by StopBadware.org for specific reasons that relate to deceptive installation, causing harm to other computers, modifying other software or transmitting user data, interfering with computer use or being difficult to uninstall completely.

http://www.linuxsecurity.com/content/view/122892

Has it really come to this? Researchers are now so wary of reporting security vulnerabilities that some infosec experts in academia are advising their student charges to walk away from problems. Pascal Meunier, author of the Cassandra system, and a researcher at the Centre for Education and Research in Information and Assurance (CERIAS) at Purdue University, reckons it has become too risky to report security flaws in websites to their administrators. His opinion was formed after reporting a vulnerability in custom software on a production website discovered by one of his students.

http://www.linuxsecurity.com/content/view/122895

Mary Ann Davidson, chief security officer for database giant Oracle, remembers the first time she heard her company's marketing scheme that advertised its database products as "unbreakable." "I think my response was 'What idiot dreamed this up?," Davidson said Thursday at the W3C conference in Edinburgh, Scotland.

If civil engineers built bridges in the same fashion in which software developers write code, people would face the "blue bridge of death" every morning going to work, Davidson said. Software developers, she noted, tend to laugh nervously when they hear the analogy -- an insider reference to what programmers call the blank, "blue screen of death" on a PC display when Windows fails.

http://www.linuxsecurity.com/content/view/122899

The IT world has a reputation of being extremely fast-paced. And it is: an accounting program in the ’80s would have been written in COBOL. In the ’90s it would have been written with a RAD (Rapid Application Developer) environment such as Delphi or Visual Basic. In the... ’00s (noughties?), today, the same application would probably be written as a web system, possibly using all of the “Web 2.0� technologies to make it responsive and highly usable.

http://www.linuxsecurity.com/content/view/122909

With college campuses being hacked into on a seemingly daily basis, and student information being stolen and used for Identity Theft; I thought you might like to see how the hacks are being done, and how astoundingly easy they are. I have produced a video of a security audit I performed on a local college website that shows how easy these exploits are. There is also a brief training on the homepage that introduces non-experts to SQL injection concepts in a fashion that makes it easy to understand.

http://www.linuxsecurity.com/content/view/122920

Oracle's security chief says the software industry is so riddled with buggy product makers that "you wouldn't get on a plane built by software developers." Chief Security Officer Mary Ann Davidson has hit out at an industry in which "most software people are not trained to think in terms of safety, security and reliability." Instead, they are wedded to a culture of "patch, patch, patch," at a cost to businesses of $59 billion, she said.

http://www.linuxsecurity.com/content/view/122921

Philip R. Zimmermann wants to protect online privacy. Who could object to that? He has found out once already. Trained as a computer scientist, he developed a program in 1991 called Pretty Good Privacy, or PGP, for scrambling and unscrambling e-mail messages. It won a following among privacy rights advocates and human rights groups working overseas � and a three-year federal criminal investigation into whether he had violated export restrictions on cryptographic software. The case was dropped in 1996, and Mr. Zimmermann, who lives in Menlo Park, Calif., started PGP Inc. to sell his software commercially.

http://www.linuxsecurity.com/content/view/122842

BellSouth is demanding that USA Today retract a story claiming it and two other carriers were under contract to the National Security Agency to surrender call records for a domestic anti-terrorism surveillance program. BellSouth claims the story's assertion that it was under contract to provide massive call record data to the NSA is untrue.

http://www.linuxsecurity.com/content/view/122847

The Veterans Affairs Department announced today that a computer containing personal, identifying data for as many as 26 million American veterans has been stolen from a VA employee's home. A VA employee took files home as part of department work. Subsequently, someone broke into the employee’s home and stole the computer containing the files. Officials said the employee was not authorized to take the files home.

http://www.linuxsecurity.com/content/view/122848

Mark Diamond, consultant with Contoural Inc., said a survey of clients showed 29% found email archiving for the long term less risky, in terms of compliance, than attempting to reduce data, while 21% thought deleting data on a regular basis was less risky. Forty-two percent answered that they are not sure. A convincing case for long-term retention, however, was found when Diamond offered insight into the inner workings of a lawyers mind in a presentation to Chicago's storage networking user group Wednesday morning.

http://www.linuxsecurity.com/content/view/122877

The U.S. public wants stronger federal data security legislation as its confidence wanes in current laws intended to protect them on the Internet, according to a new survey the Cybersecurity Industry Alliance released today. The April survey of 1,150 adults found that only 18 percent – less than one in five – believe that existing laws are sufficient to protect them on the Internet.

http://www.linuxsecurity.com/content/view/122888

This month USA Today reported that the National Security Agency has been compiling and searching a massive database of Americans' telephone call records and data mining it for suspicious patterns. NPR reported that this activity was part of the same eavesdropping program The New York Times revealed in April.

http://www.linuxsecurity.com/content/view/122891

Internet crime often starts with phishing, the practice of duping a user into revealing bank account or log-in credentials via a fraudulent Web site. Phishers send out reams of e-mail bait that say users' account information has expired or needs updating. The e-mail includes links to a site that may look very similar to their bank Web site, but isn't. Once those credentials are obtained, criminals use the information in a variety of creative and costly scams.

http://www.linuxsecurity.com/content/view/122902

The State Department, reacting to security concerns after its purchase of computers from a Chinese company, will not use the equipment for classified information, an aide to Virginia Republican Rep. Frank Wolf said on Thursday.

http://www.linuxsecurity.com/content/view/122826

The Office of Management and Budget has directed agencies’ senior privacy officials to review and correct any policies and processes to ensure that they protect against misuse of or unauthorized access to personally identifiable information.

http://www.linuxsecurity.com/content/view/122856

The intelligence community is turning to Defense services and agencies, as well as representatives from industry and academia, to help them overhaul their outdated and ineffective certification and accreditation processes. This month, personnel will begin receiving invitations to participate in one of two teams�a green team and a gold team�that will ultimately make suggestions on how to improve certification and accreditation processes across the intelligence community.

http://www.linuxsecurity.com/content/view/122904

An unprecedented string of electronic intrusions has prompted Ohio University to place at least one technician on paid administrative leave and begin a sweeping reorganization of the university's computer services department. Bill Sams, Ohio University's chief information officer, said he initiated the reorganization on Friday. The Athens, Ohio-based university is reacting to recent discoveries that data thieves compromised at least three campus computer servers.

http://www.linuxsecurity.com/content/view/122841

An 18-year-old student is accused of hacking into the Wayne-Westland school district's computer network -- crashing 5,000 computers in 29 buildings and forcing thousands of dollars in repairs, police said. Wayne-Westland school officials confirmed "dozens" of computer system crashes between March 6 and May 8, but they don't believe the hacker obtained any personal or sensitive information, police Sgt. David Heater said.

http://www.linuxsecurity.com/content/view/122843

Use Microsoft Word in safe mode to protect against targeted zero-day attacks. That's the advice from Microsoft's security response team to counter known attacks against a serious code execution vulnerability in the widely used word processing program.

http://www.linuxsecurity.com/content/view/122871

A former employee with the American Red Cross’ St. Louis chapter – who had access to the Social Security numbers of 1 million people – has been indicted by a federal grand jury.

http://www.linuxsecurity.com/content/view/122887

RFID chips are everywhere - companies and labs use them as access keys, Prius owners use them to start their cars, and retail giants like Wal-Mart have deployed them as inventory tracking devices. Drug manufacturers like Pfizer rely on chips to track pharmaceuticals. The tags are also about to get a lot more personal: Next-gen US passports and credit cards will contain RFIDs, and the medical industry is exploring the use of implantable chips to manage patients. According to the RFID market analysis firm IDTechEx, the push for digital inventory tracking and personal ID systems will expand the current annual market for RFIDs from $2.7 billion to as much as $26 billion by 2016.

http://www.linuxsecurity.com/content/view/122893

A flaw has been found in Symantec's latest antivirus software that allows hackers to exploit a PC without the user having to open anything. The problem was first discovered by eEye Digital Security, which reported it as a 'high level' threat.

http://www.linuxsecurity.com/content/view/122901

If the phishers don't get you the pharmers will, police have warned. People are now getting wary of the scam called phishing - where people are sent emails claiming to be from their bank asking them to "confirm" their account details and passwords.

http://www.linuxsecurity.com/content/view/122918

Privacy advocates and activists for digital inclusion were set to raise alarms about San Francisco’s proposed wireless broadband service at a hearing Friday afternoon before a city oversight body.

http://www.linuxsecurity.com/content/view/122849

Wireless metro-mesh technology promises a new era in anytime, anywhere public access Internet for the masses. So-called mesh technology -- in case you've been living under a rock for the last year -- allows 802.11 wireless access points to pass data amongst themselves over the air, removing the need for multiple wired connections back to the Internet. Proponents of the technology, which has been taken up in cities such as Philadelphia and San Francisco over the past year, say that it will enable low-cost metropolitan WiFi access as well other services such as VOIP.

http://www.linuxsecurity.com/content/view/122875