LinuxSecurity.com
Linux Security Week: June 5th 2006
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas   
This week, perhaps the most interesting articles include "Post-Encryption Security," "Setup a transparent proxy with Squid in three easy steps," and "Small Security Risk Still Big Selling Point for Linux."


Security on your mind?

Protect your home and business networks with the free, community version of EnGarde Secure Linux. Don't rely only on a firewall to protect your network, because firewalls can be bypassed. EnGarde Secure Linux is a security-focused Linux distribution made to protect your users and their data.

The security experts at Guardian Digital fortify every download of EnGarde Secure Linux with eight essential types of open source packages. Then we configure those packages to provide maximum security for tasks such as serving dynamic websites, high availability mail, transport, network intrusion detection, and more. The result for you is high security, easy administration, and automatic updates.

The Community edition of EnGarde Secure Linux is completely free and open source. Updates are also freely available when you register with the Guardian Digital Secure Network.

http://www.engardelinux.org/modules/index/register.cgi


LinuxSecurity.com Feature Extras:

EnGarde Secure Linux v3.0.6 Now Available - Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.6 (Version 3.0, Release 6). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and a couple of new packages available for installation.

pgp Key Signing Observations: Overlooked Social and Technical Considerations - While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.

Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital’s multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


  Password Hashing
  29th, May, 2006

In this article I'm going to cover password hashing, a subject which is often poorly understood by newer developers. Recently I've been asked to look at several web applications which all had the same security issue - user profiles stored in a database with plain text passwords.

http://www.linuxsecurity.com/content/view/122924
 
  Post-Encryption Security
  3rd, June, 2006

Last month I reviewed Voltage Security's secure email product, a worthy exercise since email is the most common method of transmitting documents from one department to another.

http://www.linuxsecurity.com/content/view/122982
 
  How To Automate Spamcop Submissions
  29th, May, 2006

Spamcop is a service which provides RBLs for mailservers in order to reject incoming mail from spammers. Their philosophy is to process possible spam complaints from users. When they receive a certain amount of complaints during a time-period then they will blacklist the offender. This system is dependent on spam reporting from users. However, their submission process is not very user-friendly.

http://www.linuxsecurity.com/content/view/122923
 
  Disaster Practice
  4th, June, 2006

When the British government wanted to test the resiliency of its financial institutions, it commissioned "an afternoon from hell". The buildup started on a Monday morning last November. First, there was a failure in the clearing systems used to transfer money between banks after routine systems maintenance. Then, terrorists staged a series of bomb attacks around Britain, causing hundreds of casualties in London and considerable damage to major financial centres. Around the same time, malicious hackers tried their best to break into the banks' systems. All in all, 'twas a bad day. The disaster recovery simulation was organized by the Tripartite Authorities, a group comprising the Financial Services Authority, the UK Treasury Department and the Bank of England.

http://www.linuxsecurity.com/content/view/122979
 
  MicroWorld to Launch Futuristic Network Firewall
  27th, May, 2006

MicroWorld Technologies launched its futuristic, enterprise class firewall eConceal. eConceal is a comprehensive network firewall developed to prevent unauthorized access to a computer or network connected to the Internet. It enforces a boundary between two or more networks by implementing default or user-defined Access Control Policies or Rules. These rules function as filters by analyzing data packets to see if they fulfill the filter criteria and then allow or block the traffic accordingly.

http://www.linuxsecurity.com/content/view/122910
 
  Can single sign-on be simple sign-on?
  29th, May, 2006

Fundamentally, Single Sign On (SSO) is a straightforward idea. You use a proxy device to authenticate a user, and the proxy then manages all the login idiosyncrasies of the applications they want to access.

Easy to describe, and straightforward to transcribe onto slideware. The devil is, of course, in the detail. For example, how do you know how all of your enterprise applications manage their login? Does the proxy do this for you or do you have to write a login script for each one individually? If you deploy the solution and the application decides it wants a password refresh, is your helpdesk buried by calls from angry users who can't get into the application and do their work?

http://www.linuxsecurity.com/content/view/122917
 
  Taking Steps To Protect Customer Data
  29th, May, 2006

With so much attention paid to malicious attacks by hackers, worms and viruses, it's a common misconception that outside forces pose the greatest danger to a company's data. The reality, however, is that internal elements are far more dangerous when it comes to data security than anything on the outside, including natural disasters.

http://www.linuxsecurity.com/content/view/122922
 
  Biometrics - The Wave of the Future?
  1st, June, 2006

Will biometrics be a factor in our future? Of course it will, at least to the extent that it has been in our past history. We as citizens must decide upon the best methods to use and the best way to utilize this technology. Biometrics can be defined in several ways such as the study of measurable biological characteristics. In reference to Information Security it specifically applies to the automated use of physiological or behavioral characteristics to determine or verify identity.

http://www.linuxsecurity.com/content/view/122958
 
  Security Management From One Platform
  28th, May, 2006

Managing network security gets harder every day as the number and types of threats multiply. Security is also a double-edged sword, and an incorrectly implemented or mismanaged security policy can prevent network commerce and stand in the way of the mission of the enterprise.

http://www.linuxsecurity.com/content/view/122911
 
  Linux: Setup a transparent proxy with Squid in three easy steps
  29th, May, 2006

Yesterday I got a chance to play with Squid and iptables. The job was to set up a Squid proxy as a transparent server. The main benefit of setting up a transparent proxy is that you do not have to set up individual browsers to work with proxies.

http://www.linuxsecurity.com/content/view/122925
 
  Follow the Appiant way to a more secure network…
  29th, May, 2006

Hardly a day goes by that we don't hear new information about some company getting themselves hacked. Sure they all have firewalls, but HOW are the hackers getting in? I was hired to perform an application security audit for a local university. They wanted to make sure that they didn't become part of the growing statistics.

http://www.linuxsecurity.com/content/view/122926
 
  Network auditing on a shoestring
  30th, May, 2006

What do you do when the auditors are breathing down your neck, wanting to see an exhaustive report on the Windows network security of a 2,000-user network across eight sites? That's easy. Break out a text editor and start writing some Perl. That's what my colleague Matt Prigge and I did when we were tasked with locating every share available on a network and documenting who had access to their files. At first blush, it was a Herculean effort. When we started coding and the pieces began to fall into place, however, it became much simpler.

http://www.linuxsecurity.com/content/view/122930
 
  Execs Express Top Security Concerns
  30th, May, 2006

When it comes to protecting corporate assets there seems to be little security managers don't worry about. That's the impression of security executives attending this week's Converge '06 conference - also known as security vendor Courion's annual customer meeting.

http://www.linuxsecurity.com/content/view/122935
 
  Security expert recommends 'Net diversity
  31st, May, 2006

What do you see as the top three information security threats that are most likely to hit U.S.-based multinationals?

One of the biggest threats we have right now is deployment of resources intended either to save on cost or enhance features without thinking through the consequences. VoIP and wireless fall in this category. They have failure modes that are very different than what they are replacing and are not well understood. Perceived cost advantages are driving these technologies, but that is overcoming the caution that should be in place. That's a threat not in the sense of a particular attack, but it is a systemic problem that leads to weakness in security posture and therefore may lead to attacks.

http://www.linuxsecurity.com/content/view/122942
 
  Most sites ready for SSL progress
  2nd, June, 2006

Despite the enormous success of SSL for securing web traffic, there has been little technical change in the way that SSL is used for secure HTTP in the ten years since SSL version 3 was introduced. Although it has been around since 1996, most browsers have continued to make connections compatible with the older SSL version 2 protocol. But now the major browser developers are aiming to drop SSL v2 completely; export-grade encryption ciphers are also to be dropped.

SSL version 2 was supported by Netscape 1.0, back in 1994, and it was made obsolete by SSL version 3, published in 1996. But while SSL version 3 was soon widely supported (and over 97% of HTTPS sites also support its successor, TLS), most browsers have continued to make SSL-v2-compatible connections, in order to stay compatible.

http://www.linuxsecurity.com/content/view/122972
 
  The Games Hackers Play
  2nd, June, 2006

This clash has nothing to do with the simulated battles on Gindis, Eternal Duel, Mobstar or any of the more hip gaming sites. No, this one's for real. The villains in this combat are criminal hackers and phishing scammers, and their targets: unsuspecting on-line gamers. And while the battlefield may be cyber space, there's nothing virtual about the damage wrought by these scams. The "loot" is lucrative game points that hackers steal and then sell at a profit.

http://www.linuxsecurity.com/content/view/122975
 
  Log Analysis for Intrusion Detection
  29th, May, 2006

Log analysis is one of the most overlooked aspects of intrusion detection. Nowadays we see every desktop with an antivirus, companies with multiple firewalls and even simple endusers buying the latest security related tools.

However, who is watching or monitoring all the information these tools generate? Or even worse, who is watching your web server, mail server or authentication logs? I'm not talking about pretty usage statistics of your web logs (like what webalizer does). I'm talking about the crucial security information that only few of these events have and nobody notices. A lot of attacks would not have happened (or would have been stopped much earlier) if administrators cared to monitor their logs.

We are not saying that log analysis is easy or that you should be manually looking at all your logs on a daily basis. Because of their complexity and generally high volume, automatic log analysis is essential.

http://www.linuxsecurity.com/content/view/122919
 
  Cybersecurity Contests go National
  1st, June, 2006

It has all the makings of a B-movie plot: A corporate network targeted by hackers and a half dozen high-school students as the company's only defense. Yet, teams of students from ten different Iowa high schools faced exactly that scenario during a single night in late May in the High School Cyber Defense Competition. The contest tasked the teenagers with building a network in the three weeks leading up to the competition with only their teachers, and mentoring volunteers from local technology firms, as their guides.

http://www.linuxsecurity.com/content/view/122961
 
  Small Security Risk Still Big Selling Point for Linux
  27th, May, 2006

When the Indiana Department of Education rolled out PCs running Linux to schools last year, it installed open source antivirus software on the servers connected to the desktop systems to scan incoming e-mail. However, it didn't bother to put antivirus tools on the PCs themselves. "I hate to admit this, but I wasn't worried," said Forrest Gaston, a consultant who is managing the project for the Indianapolis-based agency. And despite heavy Internet usage by students, Gaston's optimism has been borne out thus far. Desktop security "hasn't been an issue," he said.

http://www.linuxsecurity.com/content/view/122908
 
  13 Ways To Get Your Developers On Board With Software Security
  2nd, June, 2006

It's easy to understand that software security starts with writing secure code. Keep the flaws out from the beginning and you've bought yourself several pounds of prevention. Baking security in up front is logical and makes good technical and business sense; however, getting your developers on board with security training is not necessarily going to be an easy task. At first glance, it might seem that selling software security to developers would require the same approach as getting buy-in from executive management and the average user. It's not quite that simple.

http://www.linuxsecurity.com/content/view/122976
 
  Macro virus aims at OpenOffice, StarOffice
  30th, May, 2006

An unknown virus writer has created the first macro virus that targets computers running the alternative word processors OpenOffice and StarOffice, antivirus firm Kaspersky Labs said on Tuesday.

http://www.linuxsecurity.com/content/view/122937
 
  Linux comes to Sun SPARC servers
  31st, May, 2006

Sun is officially giving customers a wider choice on its SPARC servers with the announcement that it will support Linux on its new multicore UltraSPARC T1 systems.

http://www.linuxsecurity.com/content/view/122951
 
  Firefox 2.0 Bakes in Anti-Phish Antidote
  31st, May, 2006

Mozilla has reached the latest development milestone for its next-generation Firefox 2.0 "Bon Echo" browser with a little anti-phishing help from Google.

http://www.linuxsecurity.com/content/view/122953
 
  Red Hat releases testing and integration tools to Linux developers
  1st, June, 2006

Red Hat has released development tools to the open source community, which are designed to make it easier for enterprises and developers to quickly test and integrate new applications with Red Hat Linux and other Linux distributions.

http://www.linuxsecurity.com/content/view/122965
 
  The Intelligence Cycle for a Vulnerability Intelligence program on-the-cheap
  30th, May, 2006

A Vulnerability Intelligence program should be a key component of any sound network security strategy. It should dovetail with a Vulnerability Assessment process and a patching/remediation process. While a Vulnerability Assessment process will tell you what needs to be patched, Vulnerability Intelligence should tell you what needs to be patched first and what new patches need to be evaluated.

http://www.linuxsecurity.com/content/view/122929
 
  The Finnish security vendor said the services are for small to midsize ISPs and their private custom
  30th, May, 2006

The Finnish security vendor said the services are for small to midsize ISPs and their private customers. The services are PC Protection, which includes virus and spyware detection and a firewall, and PC Protection Plus, which adds parental and spam control features.

http://www.linuxsecurity.com/content/view/122938
 
  John the Ripper Pro
  30th, May, 2006

This is to announce three things at once: 1) I have started making and maintaining commercial releases of John the Ripper password cracker, known as John the Ripper Pro. 2) A new version of the tiny POP3 server, popa3d 1.0.2, has been released adding a couple of minor optimizations specific to x86-64 to the included MD5 routines. 3) A new version of the password hashing package (for use in C/C++ applications and libraries), crypt_blowfish 1.0.2, has been released adding a minor optimization specific to x86-64.

http://www.linuxsecurity.com/content/view/122939
 
  Everybody's a Server
  28th, May, 2006

The IT world has a reputation of being extremely fast-paced. And it is: an accounting program in the ’80s would have been written in COBOL. In the ’90s it would have been written with a RAD (Rapid Application Developer) environment such as Delphi or Visual Basic. In the... ’00s (noughties?), today, the same application would probably be written as a web system, possibly using all of the “Web 2.0” technologies to make it responsive and highly usable.

http://www.linuxsecurity.com/content/view/122909
 
  Application Security Hacking Videos
  29th, May, 2006

With college campuses being hacked into on a seemingly daily basis, and student information being stolen and used for identity theft, I thought you might like to see how the hacks are being done, and how astoundingly easy they are. I have produced a video of a security audit I performed on a local college website that shows how easy these exploits are. There is also a brief training on the homepage that introduces non-experts to SQL injection concepts in a fashion that makes it easy to understand.

http://www.linuxsecurity.com/content/view/122920
 
  Oracle exec hits out at 'patch' mentality
  29th, May, 2006

Oracle's security chief says the software industry is so riddled with buggy product makers that "you wouldn't get on a plane built by software developers." Chief Security Officer Mary Ann Davidson has hit out at an industry in which "most software people are not trained to think in terms of safety, security and reliability." Instead, they are wedded to a culture of "patch, patch, patch," at a cost to businesses of $59 billion, she said.

http://www.linuxsecurity.com/content/view/122921
 
  Malware Challenges in a Cross-Platform World
  30th, May, 2006

With the advent of the inexpensive and powerful personal computer, networks have evolved and are now implemented exclusively using small computers connected among themselves and to the Internet. Don't get me wrong, though -- the mainframe isn't dead yet. In fact, Gartner estimates that more than 80% of business applications are written in Cobol, one of the earliest high-level programming languages. But the truth is that, although still alive and kicking, the mainframe has nevertheless lost ground in our current environment, which is focused on PCs and distributed server architectures.

http://www.linuxsecurity.com/content/view/122934
 
  Users Versus Hackers: Which Are Worse?
  31st, May, 2006

It’s 5 p.m. on a Friday, and you’re the lead security engineer for the headquarters site of a major corporation. Just as you’re getting ready to ease out the door for the weekend, the phone rings and there’s a frantic voice on the other end of the line. It’s one of the managers from your financial department, and it seems that someone has accessed the payroll records of a number of higher-ranking executives within the company and attempted changes to their salaries and monthly paychecks.

http://www.linuxsecurity.com/content/view/122946
 
  Perspective: Hyperlink insecurity
  31st, May, 2006

Imagine a world where no Web site or hyperlink can be trusted, and a simple click on a hyperlink could slam your computer with a malicious driveby download. Sound far-fetched? It's not. Today, trusted Web sites can no longer be trusted. Those of us who collectively click on the billions of hyperlinks generated each day by search engines, blogs and e-mail are playing Russian roulette with our computers.

http://www.linuxsecurity.com/content/view/122952
 
  Chief Hacks Around With Google
  1st, June, 2006

A reader asked me months ago to talk about the threat of 'Google Hacking' to an organization, and asked if I used 'Google Hacking' in any of my risk assessments. In short: hell yes. If you're not attempting to do any type of reconnaissance with Google on your organization or clients, you're setting yourself up for a very unwelcome surprise down the road.

http://www.linuxsecurity.com/content/view/122957
 
  Security Spending Shifts
  3rd, June, 2006

Lingering concern about the overall state of the economy has many CIOs forecasting a slowdown in IT spending in 2007, according to a new survey from analyst firm Merrill Lynch. But compliance concerns and the looming threat of organized crime online mean that security spending remains healthy. The survey of 75 U.S. and 25 European CIOs reveals that users expect 5.2 percent spending growth in 2006 and 4.8 percent in 2007. American execs predict only 4.4 percent spending growth over the coming 12 months, compared to their more bullish international counterparts who expect 6.1 percent growth.

http://www.linuxsecurity.com/content/view/122978
 
  Hackers Found to Target University Systems
  31st, May, 2006

Increasing numbers of university systems are becoming targets for hackers. The recent incident involves the Fairfield, Connecticut-based Sacred Heart University. The university's system containing information on 135,000 individuals was hacked recently and data consisting of personal information like names, addresses, and Social Security numbers were stolen.

http://www.linuxsecurity.com/content/view/122945
 
  FAQ: The new 'annoy' law explained
  1st, June, 2006

So what does the rewritten law now say? The section as amended reads like this: "Whoever...utilizes any device or software that can be used to originate telecommunications or other types of communications that are transmitted, in whole or in part, by the Internet... without disclosing his identity and with intent to annoy, abuse, threaten, or harass any person...who receives the communications...shall be fined under title 18 or imprisoned not more than two years, or both."

http://www.linuxsecurity.com/content/view/122959
 
  Euro Security Initiatives Proposed
  1st, June, 2006

The European Commission today issued a report that calls for greater education on IT security, and the creation of a common framework for collecting incident data. In its report, the EC states that European spending on IT security "represents only around 5 to 13 percent of IT expenditure, which is alarmingly low." The commission calls for a cross-border effort to educate users about security and to unify disjointed national efforts to track exploits.

http://www.linuxsecurity.com/content/view/122963
 
  Study: Companies should do more to protect employees' personal information
  2nd, June, 2006

A study on workplace privacy found that less than half of the people surveyed believe their employers are doing a good job protecting the privacy of their personal information.

The independent study, "Americans' Perceptions about Workplace Privacy," was conducted by Elk Rapids, Mich.-based Ponemon Institute LLC, which looks at information and privacy management practices in business and government. The report, which was released yesterday, is based on 945 responses from adults across the U.S. who work for companies with at least 1,000 employees.

http://www.linuxsecurity.com/content/view/122973
 
  Stolen YMCA Computer Contains Members' Personal Information
  2nd, June, 2006

The Y-M-C-A of Greater Providence is reporting that one of its two missing laptop computers contains members' information. The non-profit organization that provides a range of educational, social and recreational services says it discovered last week that the computers were missing.

http://www.linuxsecurity.com/content/view/122974
 
  The growing challenge of identity management
  2nd, June, 2006

Identity management is a security issue which is becoming increasingly challenging as the perimeter of the network crumbles. This is well illustrated by the DTI Information Security Breaches Survey of 2006, which shows that one in five larger businesses had a security breach associated with weaknesses in their identity management, with the number of incidents being less for smaller companies.

http://www.linuxsecurity.com/content/view/122981
 
  Stronger cybersecurity bill passes House committee
  31st, May, 2006

The U.S. House of Representatives Judiciary Committee today approved a bill that would significantly strengthen existing federal cybercrime law and provide law enforcement with increased enforcement tools.

The bill also offers authorities greater enforcement powers and resources. Included is a section that provides an additional $10 million annually to the Secret Service, FBI and Department of Justice to investigate and prosecute cybercrimes. The bill makes failing to report breaches to the FBI or Secret Service that involve at least 5,000 customers a crime punishable by up to five years in prison.

http://www.linuxsecurity.com/content/view/122941
 
  Fed plan for cybersecurity R&D released
  2nd, June, 2006

The government has outlined its first steps for coordinating and expanding federal research and development efforts aimed at improving cybersecurity. The new Federal Plan for Cyber Security and Information Assurance Research and Development, issued in April and now available online, lays the groundwork for developing an R&D agenda that will help address critical gaps in current technologies and capabilities.

http://www.linuxsecurity.com/content/view/122980
 
  Phar out! Phishers are now Pharming
  29th, May, 2006

If the phishers don't get you the pharmers will, police have warned. People are now getting wary of the scam called phishing - where people are sent emails claiming to be from their bank asking them to "confirm" their account details and passwords.

http://www.linuxsecurity.com/content/view/122918
 
  Hostage Threat to Home PCs
  30th, May, 2006

Family photos and other priceless content stored in your home computer could one day be held hostage by a new breed of security threat called "ransomware". Ransomware typically takes the form of a trojan horse that holds personal computer files "hostage" and then demands a ransom for their safe return.

http://www.linuxsecurity.com/content/view/122933
 
  Video: Hacking A College... or Two
  31st, May, 2006

Joel over at appiant.net has posted a great video of how he used SQL injection to bypass security controls on a college website. While his methods may seem 1-2-3 to web application security testers, they are a great example of just how simple this type of attack is, and a reminder that you MUST perform this same type of testing on EVERY web application you deploy, period.

http://www.linuxsecurity.com/content/view/122943
 
  Turkish Hackers go on Defacement Rampage
  31st, May, 2006

Two Sony websites were hacked yesterday by a Turkish hacker (thanks to Roberto Preatoni of Zone-H.org for heads up and explanation). The two site URLs are: http://sonymusic.it/index.php and http://sonymusicstudios.co.uk/

http://www.linuxsecurity.com/content/view/122944
 
  Woman Targeted by Web Hackers
  1st, June, 2006

A woman from Greater Manchester has become a victim of an internet scam in which hackers hijack computer files and blackmail owners to get them back. Helen Barrow, a 40-year-old nurse from Rochdale, is believed to be one of the first victims of the con in the UK. Criminals encrypt files with complex passwords, leaving a ransom note telling victims not to contact police.

http://www.linuxsecurity.com/content/view/122962
 
  Swedish police Web site shut down by hacker attack
  2nd, June, 2006

The Web site of Sweden's national police was shut down after a hacker attack that investigators on Friday said could be a retaliation for a crackdown on a popular file-sharing site called The Pirate Bay.

http://www.linuxsecurity.com/content/view/122977
 
  Police will not pursue ransom hackers
  4th, June, 2006

After a Manchester woman was held to ransom by hackers, experts and senior police officers have voiced concern that such cases are falling between the cracks. Greater Manchester Police (GMP) will not be pursuing the criminals who used a Trojan horse program to lock a Manchester woman's files and demanded a ransom to release them.

http://www.linuxsecurity.com/content/view/122983
 
  Triangulation homes in on rogue WLan access points
  30th, May, 2006

Although wireless access points use encryption to secure network traffic, access to the WLan is open to anyone with a valid log-in. Foundry Networks aims to control this access based on the physical location of the end-user. The technology uses triangulation between three access points to determine the location of a WLan user to within five metres, said the company.

http://www.linuxsecurity.com/content/view/122931
 
  Wireless Authentication Solutions
  1st, June, 2006

As is the case with any valuable resource, there must be limitations on who can access and use your wireless medium. In some situations, such as when offering wireless access to attract customers, these limitations will be minimal. In others, we want the greatest possible protection available. Controlling access to computer resources is best illustrated in the AAA framework: Authentication, Authorization, and Accounting.

http://www.linuxsecurity.com/content/view/122964
 
