Protect your home and business networks with the free, community version of
EnGarde Secure Linux. Don't rely only on a firewall to protect your network,
because firewalls can be bypassed. EnGarde Secure Linux is a security-focused
Linux distribution made to protect your users and their data.
The security experts at Guardian Digital fortify every download of EnGarde
Secure Linux with eight essential types of open source packages. Then we configure
those packages to provide maximum security for tasks such as serving dynamic
websites, high availability mail, transport, network intrusion detection, and
more. The result for you is high security, easy administration, and automatic
updates.
The Community edition of EnGarde Secure Linux is completely free and open source.
Updates are also freely available when you register with the Guardian Digital
Secure Network.
EnGarde Secure Linux v3.0.7 Now Available - Guardian Digital is happy to announce
the release of EnGarde Secure Community 3.0.7 (Version 3.0, Release 7). This
release includes several bug fixes and feature enhancements to the Guardian
Digital WebTool and the SELinux policy, several updated packages, and several
new packages available for installation.
pgp Key Signing Observations: Overlooked Social and Technical Considerations
- While there are several sources of technical information on using pgp in
general, and key signing in particular, this article emphasizes social aspects
of key signing that are too often ignored, misleading or incorrect in the
technical literature. There are also technical issues pointed out where I
believe other documentation to be lacking. It is important to acknowledge
and address social aspects in a system such as pgp, because the weakest link
in the system is the human that is using it. The algorithms, protocols and
applications used as part of a pgp system are relatively difficult to compromise
or 'break', but the human user can often be easily fooled. Since the human
is the weak link in this chain, attention must be paid to actions and decisions
of that human; users must be aware of the pitfalls and know how to avoid them.
Bulletproof Virus Protection - Protect your network from costly security
breaches with Guardian Digital’s multi-faceted security applications.
More than just an email firewall, on demand and scheduled scanning detects
and disinfects viruses found on the network.
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headlines.
Cleaning up data breach costs 15x more than encryption
7th, June, 2006
Protecting customer records is a magnitude less expensive than paying for cleanup after a data breach or massive records loss, a research company said Tuesday. Gartner analyst Avivah Litan said in a research note that data protection is cheaper than a data breach. She recently testified on identity theft at a Senate hearing held after the Department of Veterans Affairs lost 26.5 million vet identities.
During its development history, the communities of researchers, developers, implementers and users of the DARPA/DoD TCP/IP protocol suite have experimented with a wide range of protocols in a variety of different networking environments. The Internet has grown, especially in the last few years, as a result of the widespread availability of software and hardware supporting this system. The scaling of the size and scope of the Internet and increased use of its technology in commercial applications has underscored for researchers, developers and vendors the need for a common network management framework within which TCP/IP products can be made to work.
When the British government wanted to test the resiliency of its financial institutions, it commissioned "an afternoon from hell". The buildup started on a Monday morning last November. First, there was a failure in the clearing systems used to transfer money between banks after routine systems maintenance. Then, terrorists staged a series of bomb attacks around Britain, causing hundreds of casualties in London and considerable damage to major financial centres. Around the same time, malicious hackers tried their best to break into the banks' systems. All in all, 'twas a bad day. The disaster recovery simulation was organized by the Tripartite Authorities, a group comprising the Financial Services Authority, the UK Treasury Department and the Bank of England.
Here's May's summary of all the security streams during the month. This is perhaps among the few posts in which I can actually say something about the blog, the individual behind it, and its purpose, which is to - question, provoke, and inform on the big picture. After all, "I want to know God's thoughts... all the rest are details", one of my favorite Albert Einstein's quotes. The way we often talk about a false feeling of security, we can easily talk about a false feeling of blogging, and false feeling of existence altogether. It is often assumed that the more you talk, the more you know, which is exactly the opposite, those that talk know nothing, those that don't, they do. There's nothing wrong with that of referring to yourself, as enriching yourself through past experience helps you preserve your own unique existence, and go further. Awakening the full potential within a living entity is a milestone, while self preservation may limit the very development of a spirit -- or too much techno thrillers recently? :)
(IN)SECURE Magazine is a free digital security magazine in PDF format. In this issue you can read about SSH port forwarding, server monitoring with munin and monit, compliance vs. awareness, and much more. Get your copy today!
http://www.linuxsecurity.com/content/view/123055
Abandon E-mail!
5th, June, 2006
Back in 1972, by some accounts, a new form of communication known as e-mail was born. It was a practical implementation of electronic messaging that was first seen on local timeshare computers in the 1960s. I can only imagine how much fun and revolutionary it must have been to use e-mail in those early years, to have been at the bleeding edge of the curve. Almost ten years later, in November 1981, Jonathan Postel published RFC 788 (later deprecated by RFC 821, also by Postel, and RFC 822 by David Crocker), thereby inventing the foundations of the Simple Mail Transport Protocol (SMTP) - a proposal that would revolutionize e-mail again. Since that time, e-mail has become as important an invention to the world as the telegraph and the telephone, and it has long been synonymous with the Internet itself.
Building a heterogeneous home network for Linux and Mac OS X
8th, June, 2006
You can find plenty of information online about building heterogeneous networks involving Windows, but relatively little about connecting Macs with Linux PCs in a home or small office network. Mac OS X's Unix base, however, means there are plenty of good options for networking a Mac with a Linux PC, despite the relative lack of documentation. In this article, I'll discuss how to set up Mac-Linux printer and file sharing using NFS and SSH.
For years, infosec experts have called the firewall a critical ingredient to security, whether it's in a large enterprise or on a home PC. But the San Diego Supercomputer Center (SDSC) has defied that logic with what some would consider surprising success. Abe Singer, computer security manager for the SDSC's Security Technologies Group, explained how companies can maintain strong firewall-free security at the 2006 USENIX Annual Technical Conference Thursday. He has also produced a presentation (.pdf) on the subject.
The idea of a common desktop firewall policy in any size organization is a very good thing. It makes responses to external or internal situations such as virus outbreaks or network-oriented propagation of viruses more predictable. In addition to providing a level of protection against port scanning, attacks or software vulnerabilities, it can provide the organization's local security team a baseline or starting point in dealing with such events. The purpose of this article is to discuss the need for a desktop firewall policy within an organization, determine how it should be formed, and provide an example of one along with the security benefits it provides an organization.
Security vendors have warned of a flaw that affects an unusually broad cross-section of browsers -- Internet Explorer, Firefox and the Mozilla suite on Windows, Linux and Mac OS X -- and could be used to hoover up files from vulnerable systems.
The problem is in the way the browsers implement scripting -- JavaScript in Firefox and Active Scripting in IE. Both browsers have a design error in which a script can cancel certain keystroke events when users are entering text.
UTM - Preparing for New Generation of Security Threats
6th, June, 2006
Securing networks has rapidly taken center stage among most enterprises as the threat from increasingly sophisticated attacks becomes more complex and costly to manage. According to the research group IDC, enterprises worldwide spent an estimated $32.6Bn in 2005 on network security but are still faced with an ever-changing landscape of new security threats. Traditional network defense solutions such as firewalls and intrusion prevention devices must be supplemented by secure content management devices in order to block the full range of sophisticated attacks including viruses, spyware, spam and phishing.
We recently got hired by a credit union to assess the security of its network. The client asked that we really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees. The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans. Several other clients have raised the same concern, yet few have done much to protect themselves from a rogue USB drive plugging into their network. I wanted to see if we could tempt someone into plugging one into their employer's network.
The reverse engineer -- better known amongst security researchers by his nom de plume, Halvar Flake -- created an automated system for classifying software into groups, a process for which he believes machines are much better suited. Research using the system has underscored the sometimes-arbitrary decisions humans make in classifying malicious programs, he said.
The term "spoofing" is generally regarded as slang, but refers to the act of fooling -- that is, presenting a false truth in a credible way. There are several different types of spoofing that occur, but most relevant to networking is the IP spoof. Most types of spoofing have a common theme: a nefarious user transmits packets with an IP address, indicating that the packets are originating from another trusted machine.
HijackThis is a free tool developed by Merijn Bellekom, a student in The Netherlands. Spyware removal software such as Adaware or Spybot S&D do a good job of detecting and removing most spyware programs, but some spyware and browser hijackers are too insidious for even these great anti-spyware utilities.
HijackThis is written specifically to detect and remove browser hijacks, or software that takes over your web browser, alters your default home page and search engine, and does other malicious things.
Bad things happen. If you've ever worried that the over-caffeinated tech might spill his latte down your web server, then today's How-To will help you out. Forgetting to back up your blog (or your website) is something that isn't a big deal until you need it -- like backing up anything, really. But your blog's files and databases aren't really so simply accessible as the files on your PC, so today we're showing you how to automatically back up your blog (or website) with some freely available tools that will use a minimum amount of your precious bandwidth.
Symantec to Port Veritas Storage Software to IBM Linux Platform
8th, June, 2006
Software security and storage specialist Symantec June 7 announced an agreement with IBM to port its Veritas Cluster Server, Veritas Storage Foundation family and NetBackup recovery technology to IBM's Linux on POWER platform, opening a new door to the open-source enterprise storage market.
We are all familiar with the use of firewall logs, intrusion detection alerts, antivirus warnings, and watching for "funny" entries in our system logs as ways to indicate that somebody on the Internet is up to no good. But those traditional detection systems don't do any good against attacks that are not oriented on one of the traditional seven layers of the OSI model.
On February 14, 2006, many Google e-mail users received an unexpected Valentine's Day present. When they logged in to their accounts, there it was: instant messaging, fully integrated with their e-mail system. Gmail users could now chat in the same browser window as their inbox. Just as with e-mail, the system would save a transcript of every chat and, better yet, the text of archived transcripts would be searchable. There was nothing to download, nothing to install.
Spyware programs are increasing in number and growing in sophistication to avoid detection, making it harder to guard against infections and more costly to repair their damage, according to a security expert whose company tracks them on a regular basis.
The Open Web Application Security Project (OWASP) has announced the availability of a process guide that it hopes will help a broad range of developers incorporate security into the software application development lifecycle (SDLC).
One of the most fundamental principles of information security is that it’s all about the data. Data in transit or at rest is the primary focus of administrative, physical, and technical safeguards. Security professionals are doing better every day when it comes to protecting information in static production environments. But what happens when magnetic, optical, or semiconductor media is repurposed or retired? In this paper, I define media sanitation and how it fits into an overall security program. Next, I examine how attackers can extract information from electronic media -- even after it’s been overwritten. Finally, I explore ways you can protect your organization from attacks -- both casual and highly motivated.
How to win friends and influence people with IT security certifications
7th, June, 2006
The public and private sectors put IT Security on top of their agenda these days, and, as a result, the IT and Information Security job market is growing. At some point though, the market will saturate as businesses seek to curb their investments, security services become more standardized and IT as a whole moves to a more service-oriented business model. Is your career strategy ready?
A Continuing Work in Progress: The State of Linux 2006
7th, June, 2006
To label Linux a purely enthusiast or hobbyist operating system is overly facile; such a stance also categorically denies that Linux has any real industry presence. On the contrary, prominent top-tier manufacturers such as Dell, IBM, Sun Microsystems, and Hewlett-Packard all openly support Linux in select product lines, and many lower-tier manufacturers have adopted this platform to establish cost-effective price points in various highly competitive marketplaces. Government support for Linux also comes in a variety of forms. Most notably, this includes the NSA-sponsored Security Enhanced Linux (SELinux) policy extensions adopted into the mainstream by Red Hat starting with Fedora Core 2 (the current version is Fedora Core 5). SELinux extends basic security functionality to the Linux platform, and makes it easier to create a hardened installation. These are only a few examples of where Linux is actively developed by high-visibility organizations, all of which take this platform very seriously.
JavaScript security threat to Internet Explorer and Firefox
7th, June, 2006
A JavaScript security bug has been discovered in both the Internet Explorer and Firefox browsers. The threat covers the Windows, Linux, and Mac operating systems, say internet security software companies.
Cybercrime Spurs College Courses In Digital Forensics
7th, June, 2006
One of the hottest new courses on U.S. college campuses is a direct result of cybercrime. Classes in digital forensics - the collection, examination and presentation of digitally stored evidence in criminal and civil investigations - are cropping up as fast as the hackers and viruses that spawn them. About 100 colleges and universities offer undergraduate and graduate courses in digital forensics, with a few offering majors. There are programs at Purdue University, Johns Hopkins University, the University of Tulsa, Carnegie Mellon University and the University of Central Florida. Five years ago, there were only a handful.
Criminal gangs are increasingly using the internet as a tool to extort money from businesses. Thousands of distributed denial of service attacks (DDoS) are occurring globally every day and it is vital that senior management wakes up to the very real risk of such an assault.
Every time I go on line, I usually am up to no good. My intentions are often never hostile, but I do take part in the shady business of password cracking. Meaning I actively use unorthodox methodology, that I know for a fact the FBI frowns down upon, to obtain hashes. Once obtained I usually spend a few hours cracking these hashes via good old-fashioned bruteforcing. Now, bruteforcing is the most reliable method of password cracking in existence today.
In the past six months a disturbing trend has emerged involving the theft of laptops containing sensitive personal information -- most recently from the home of a U.S. Department of Veterans Affairs data analyst.
The British Library is adopting a new data security system that will enable it to safely store web publishing content.
The library has selected nCipher to protect the integrity of its National Digital Library.
This library will contain everything from digitised versions of centuries-old manuscripts to digital journals and web archives, and is expected to amass up to 300 terabytes of content over the next five years.
nCipher’s DSE200 document sealing engine has been deployed to time-stamp and digitally sign every item stored in the library.
This will ensure that electronic documents and other materials are authentic and that they have not been modified from the original.
Occasionally a criminal is so, well, clever that you have to admire him even as you wish that he spends the rest of his life in jail. Take Arnold Rothstein, for instance. One of the kingpins of organized crime in New York City during Prohibition and before, the "Great Brain," as he was termed, was more than likely behind the infamous Black Sox scandal, in which the 1919 World Series was fixed in favor of the Cincinnati Reds. He is also widely credited with inventing the floating crap game immortalized in Guys and Dolls. Like some character out of a Damon Runyon story, Rothstein's "office" was outside of Lindy's Restaurant, at Broadway and 49th Street, and he associated with gangsters whose names still trip off the tongue three-quarters of a century later: Meyer Lansky, Legs Diamond, Lucky Luciano, Dutch Schultz. When it comes to colorful, clever criminals, Rothstein is at the top of the heap. And then, on the other end of the scale, today we have the phishers. Scumbags of the Web, phishers vomit out emails to as many millions of people as they can possibly reach, hoping that a tiny few will respond to their fraudulent request to update their account information at PayPal, eBay, or CitiBank (or just about any other bank you can imagine). This is an enormous problem, and it's not getting any better. I recently read a fascinating study that shows just why that's the case.
The dueling needs for privacy and data sharing played out here at the annual SID (Society of Information Display) International Symposium. Vendors showed new technologies that can keep neighbors on a flight from getting a glimpse of the corporate secrets on a laptop screen and new ways to share video on an iPod or handheld.
The recent theft of data on 26.5 million veterans sends agencies a chilling message: Lock down your own data security and privacy policies immediately or you might wind up with confidential data walking out your own door. The Veterans Affairs Department probably is not the only agency whose security and privacy policies have gaping holes, government and industry experts agree.
The IRS said that one of its laptops containing data about 291 IRS employees and job applicants went missing in early May when it was lost in transit to an agency event. The information contained on the laptop included fingerprints, names, dates of birth and Social Security numbers for the 291 individuals.
Clark Ervin was strolling down a Manhattan street in April 2005 when the red light on his BlackBerry indicated he had a message. The former inspector general of the Homeland Security Department looked at the device and saw that the Associated Press had reported the results of the latest IG investigation on airport security. Those results showed no improvement in screeners’ abilities to detect deadly weapons, compared with the results of similar investigations done in 2001 and 2003. “It was far easier than it should have been even after the [Sept. 11, 2001] attacks for government investigators to sneak these weapons through,” said Ervin, who served as the department’s first IG for about two years. He recounted the story in his keynote speech today at the 26th Annual Management of Change Conference sponsored by the American Council for Technology and by the Industry Advisory Council, to illustrate an important point.
The U.S. House of Representatives definitively rejected the concept of Net neutrality on Thursday, dealing a bitter blow to Internet companies like Amazon.com, eBay and Google that had engaged in a last-minute lobbying campaign to support it.
After a Manchester woman was held to ransom by hackers, experts and senior police officers have voiced concern that such cases are falling between the cracks. Greater Manchester Police (GMP) will not be pursuing the criminals who used a Trojan horse program to lock a Manchester woman's files and demanded a ransom to release them.
The University of Advancing Technology (UAT) in Phoenix, Ariz., is marketing its new Network Security program as a way to get a degree in hacking. The school is drawing the interest of geeks who use Windows, Linux, and Macintosh, according to UAT's IT manager Raymond Todd Blackwood, and even a few who want to go to the dark side of network security. Hackerdegree.com's Web page looks like a non-Windows desktop with a few terminals open, inviting the curious to learn more about fighting "cybercrime," "cybertheft," and even "cyberterrorism."
For more and more websites you need to register or pay to have full access. The odd thing is that Google has the complete and full index of the website. So what's going on here? Why must regular users pay or register to have access when the Google search engine bot has full access? The reason is simple; every site wants to use the benefits of the wonderful world of Google, for webmasters free advertising is always welcome. But there is a simple way to be the Google (search)Bot. In this little article I will try to explain it.
A Miami man was charged Wednesday with stealing more than 10 million minutes of VOIP (Voice over Internet Protocol) telephone service and then selling them to unsuspecting customers for as little as US$0.004 per minute.
If you happened to fly through Milan's Malpensa Airport last March, your mobile phone may have been scanned by the BlueBag. Billed as a research lab on wheels, BlueBag was created by Milan's Secure Network SRL to study how malicious software might be able to spread among devices that use the Bluetooth wireless standard.