Protect your home and business networks with the free, community version of
EnGarde Secure Linux. Don't rely only on a firewall to protect your network,
because firewalls can be bypassed. EnGarde Secure Linux is a security-focused
Linux distribution made to protect your users and their data.
The security experts at Guardian Digital fortify every download of EnGarde
Secure Linux with eight essential types of open source packages. Then we configure
those packages to provide maximum security for tasks such as serving dynamic
websites, high availability mail, transport, network intrusion detection, and
more. The result for you is high security, easy administration, and automatic
updates.
The Community edition of EnGarde Secure Linux is completely free and open source.
Updates are also freely available when you register with the Guardian Digital
Secure Network.
EnGarde Secure Linux v3.0.7 Now Available - Guardian Digital is happy to announce
the release of EnGarde Secure Community 3.0.7 (Version 3.0, Release 7). This
release includes several bug fixes and feature enhancements to the Guardian
Digital WebTool and the SELinux policy, several updated packages, and several
new packages available for installation.
pgp Key Signing Observations: Overlooked Social and Technical Considerations
- While there are several sources of technical information on using pgp in
general, and key signing in particular, this article emphasizes social aspects
of key signing that are too often ignored, misleading or incorrect in the
technical literature. There are also technical issues pointed out where I
believe other documentation to be lacking. It is important to acknowledge
and address social aspects in a system such as pgp, because the weakest link
in the system is the human that is using it. The algorithms, protocols and
applications used as part of a pgp system are relatively difficult to compromise
or 'break', but the human user can often be easily fooled. Since the human
is the weak link in this chain, attention must be paid to actions and decisions
of that human; users must be aware of the pitfalls and know how to avoid them.
Bulletproof Virus Protection - Protect your network from costly security
breaches with Guardian Digital’s multi-faceted security applications.
More than just an email firewall, on demand and scheduled scanning detects
and disinfects viruses found on the network.
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline.
Motorola and others launch mobile Linux group
15th, June, 2006
A group of top mobile phone makers and operators are launching a foundation to create an open Linux-based software platform for mobile devices, they said on Thursday. The companies, including Motorola, Vodafone Group, NTT DoCoMo, Samsung Electronics, NEC, and Panasonic Mobile Communications, plan to focus on the development and marketing of an API (application programming interface) specification, architecture, and source reference.
Seagate Technology is about to release an HDD with hardware-based encryption. These Full Disc Encryption (FDE) drives use the 3DES algorithm in EDE (encrypt-decrypt-encrypt) mode using 3 different 64 bit keys. The effective key-length is 192 bit. Before the operating system boots, the user will be prompted to enter a password that will unlock the drive. You can always use 2-factor authentication instead of a static password. Seagate's FDE drives can use biometric, RSA token, or smartcards. This was demoed at CeBIT using TiDoCoMi from Secude.
ext2hide is a proof-of-concept program that seeks to magically hide confidential data and files where nobody will look for them. It accomplishes its magic by making use of otherwise abandoned space in the superblocks in ext2/ext3 filesystems. Even though Jason McManus, the author of the code, has been testing and using ext2hide on his own machines without catastrophic results, I urge you to use the utmost caution both in testing and using it. If you don't grok superblocks and filesystems, you probably should not experiment with ext2hide, at least until it's out of beta testing.
An international dispute over a wireless computing standard took a bitter turn this past week with the Chinese delegation walking out of a global meeting to discuss the technology.
Secure your email communication with free software
13th, June, 2006
In this article, you'll learn how to install, set up, and use the Mozilla Thunderbird email client for secure, encrypted email using GnuPG and the Enigmail Mozilla Thunderbird extension. The examples in this article are based on Ubuntu 5.10, but any GNU/Linux-based operating system can be used. You’ll also get to tackle the basics of using GnuPG with Enigmail, just enough to get you started, as GnuPG is a very powerful suite that can extend to other applications. If you'd like to learn more about cryptography using GnuPG, the man pages are a good place to start. Don’t worry though, GnuPG is very well documented and you'll be presented with some links online at the end of this article to get you started.
This tutorial shows how to install and use suPHP with PHP4 and PHP5. suPHP is a tool for executing PHP scripts with the permissions of their owners instead of the Apache user. With the help of suPHP you can also have PHP4 and PHP5 installed at the same time which I will describe at the end of this article. suPHP integrates into Apache2 as a module. At the time of this writing it does work with Apache2 prior to version 2.2. Version 2.2 is not supported yet.
Information Security Handbook: A Guide for Managers
15th, June, 2006
This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program.
The purpose of this publication is to inform members of the information security management team [agency heads, chief information officers (CIO), senior agency information security officers (SAISO), and security managers] about various aspects of information security that they will be expected to implement and oversee in their respective organizations. This handbook summarizes and augments a number of existing National Institute of Standards and Technology (NIST) standard and guidance documents and provides additional information on related topics.
Draft Special Publication 800-100: Information Security Handbook: A Guide for Managers
16th, June, 2006
This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program. The purpose of this publication is to inform members of the information security management team [agency heads, chief information officers (CIO), senior agency information security officers (SAISO), and security managers] about various aspects of information security that they will be expected to implement and oversee in their respective organizations. This handbook summarizes and augments a number of existing National Institute of Standards and Technology (NIST) standard and guidance documents and provides additional information on related topics. NIST requests public comments on the draft until August 07, 2006; comments may be sent to handbk-100@nist.gov .
http://www.linuxsecurity.com/content/view/123181
Interview with Kenny Paterson, Professor of Information Security
13th, June, 2006
The Information Security Group at Royal Holloway is one of the world's largest academic research groups in information security, with about 15 permanent academic staff, 50 PhD students and a thriving masters programme. They carry out research in many areas of the subject, including network security. That is one of Kenny Paterson's areas of specialism, and he teaches their masters course on the topic, and carries out research in the area.
It is our hope that an online message board will make it easier for the
community to not only obtain support and guidance for EnGarde, but also
to share experiences and suggestions for improvement.
Every now and then, someone comes up with a fun title. 'Linux Annoyances for Geeks' is definitely a fun - and accurate - title for this book. While some people have been fiddling with Linux since it first came out, the majority of Linux users haven't been.
Ten years ago, there wasn't much of a World Wide Web to exploit, but there were still hackers--or, more accurately, crackers.
Without the current glut of naive Web users to exploit, would-be cyberthieves and vandals had to be somewhat more creative, and one of the most creative and infamous was Kevin Mitnick.
Arrested by the FBI in 1995 and convicted of breaking into the systems of Fujitsu Siemens, Nokia and Sun Microsystems, Mitnick served five years in prison--eight months of it in solitary confinement.
Our concerns about data privacy have evolved beyond the theoretical. AT&T's sale of Internet traffic to the NSA, the Veteran's Administration's loss of 26.5 Million identities, and the hacking theft of 1500 identities along with clearance codes from the Department of Energy's Nuclear Security Administration all scream that mundane practices don't even come close to averting privacy risks today.
PHP and the OWASP Top Ten Security Vulnerabilities
15th, June, 2006
Most importantly, turn off register_globals. This configuration setting defaults to off in PHP 4.2.0 and later. Access values from URLs, forms, and cookies through the superglobal arrays $_GET, $_POST, and $_COOKIE.
Before you use values from the superglobal arrays, validate them to make sure they don't contain unexpected input. If you know what type of value you are expecting, make sure what you've got conforms to an expected format. For example, if you're expecting a US ZIP Code, make sure your value is either five digits or five digits, a hyphen, and four more digits (ZIP+4).
Interview with Kenny Paterson, Professor of Information Security at Royal Holloway, University of Lo
14th, June, 2006
The Information Security Group at Royal Holloway is one of the world's largest academic research groups in information security, with about 15 permanent academic staff, 50 PhD students and a thriving masters programme. They carry out research in many areas of the subject, including network security. That is one of Kenny Paterson's areas of specialism, and he teaches their masters course on the topic, and carries out research in the area.
It's become a familiar pattern in online security. A groundbreaking way to communicate emerges, spreads like wildfire, and then hackers find a way to use it to their advantage. Security companies react, but not before the problem has succeeded in wreaking havoc. It happened with e-mail and is happening now with instant messaging and mobile devices.
Survey on inadequate storage of administrative passwords
15th, June, 2006
Cyber-Ark revealed the results of their annual survey which illuminates the industry-wide struggle to safely and easily share and manage administrative passwords. The survey shows that the majority of IT professionals mismanage the storage of passwords by keeping them in inaccessible or unsecured locations.
10 ways to protect yourself with 'pragmatic network security'
16th, June, 2006
In the increasingly federated, network-based IT environment, perimeter security is important but not sufficient by itself to protect a company's secrets, warns Mike Rothman, president and principal analyst of Security Incite and former Meta Group Inc. security analyst.
In today’s world we are constantly reminded of the day-to-day dangers that exist in our society. According to statistics, people are becoming the victims of identity theft at an alarming rate; it is estimated that 246,570 people had their identities stolen in 2004 alone. Businesses are taking every precaution imaginable to protect the privacy of their consumers. We live in an electronic age: things like paying bills, shopping, ordering clothing, and banking are done online. Yes, it is a very convenient way to do business! It is also very dangerous!
Spyware and Trojan threats are rising dramatically, now accounting for the majority of the online attacks, a new report reveals. Webroot's latest report shows that during the first quarter of 2006 the number of spyware infections jumped to 87 per cent from 72 per cent in the same period in 2005; a rise of 15 percent.
The bad blood between Cisco Systems Inc. and organizers of the Black Hat conference appears to be a thing of the past. One year after suing the hacker conference for allowing security researcher Michael Lynn to disclose a security vulnerability, Cisco is returning to Black Hat -- this time as one of the show's top sponsors. Black Hat USA will be July 29 to Aug. 3 in Las Vegas.
Securtex International is shipping a line of Linux-powered DVRs (digital video recorders) for security and surveillance applications. The Network Advanced Video Surveillance - Embedded (NAVS-E) DVRs support 4, 8, or 16 cameras, and offer simultaneous remote recording/playback/monitoring through Windows client and management software. In addition to its "NAVS-E" products based on embedded Linux, Securtex offers a line of Windows-based "NAVS" products capable of integrating with cash registers, as shown in the photo at right.
During last month's JavaOne Conference in San Francisco, Fortify Software convened a panel to discuss the role of application developers in software security and the need for appropriate development technology, without which genuine security is impossible to achieve.
Protecting Sensitive Data: Researchers Develop Fail-Safe Techniques for Erasing Magnetic Storage
14th, June, 2006
After a U.S. intelligence-gathering aircraft was involved in a mid-air collision off the coast of China four years ago, the crew was unable to erase sensitive information from magnetic data storage systems before making an emergency landing in Chinese territory. That event underscored the need for simple techniques to provide fail-safe destruction of sensitive data aboard such aircraft. Working with defense contractor L-3 Communications Corp., scientists at the Georgia Tech Research Institute (GTRI) have developed a series of prototype systems that use special high-strength permanent magnets to quickly erase a wide variety of storage media.
The practices of public surveillance, which include the monitoring of individuals in public through a variety of media (e.g., video, data, online), are among the least understood and controversial challenges to privacy in an age of information technologies. The fragmentary nature of privacy policy in the United States reflects not only the oppositional pulls of diverse vested interests, but also the ambivalence of unsettled intuitions on mundane phenomena such as shopper cards, closed-circuit television, and biometrics. This Article, which extends earlier work on the problem of privacy in public, explains why some of the prominent theoretical approaches to privacy, which were developed over time to meet traditional privacy challenges, yield unsatisfactory conclusions in the case of public surveillance.
Do smartphones pose a danger to corporate security and well-being? To believe some recent analysts and commentators, smartphones carry an unseen threat of chaos, disruption, and financial loss into any company naive enough to tolerate their employees using them. Allegedly, smartphones can be the vehicle for viruses and other malware to penetrate corporate defences.
Investigating why people misuse computers and how to stop them
13th, June, 2006
Why individuals commit computer misuse and the way in which they relate to the virtual world is to be raised by Stefan Fafinski, a Fellow of the British Computer Society, when he gives the Joseph Lister Lecture at the British Association for the Advancement of Science Festival of Science this year.
As governments around the world grapple with IT security, the US National Association of State Chief Information Officers (NASCIO) has released a brief on making the business case for sustainable IT security funding.
Adoption of instant messaging (IM) as a mainstream business communications platform is moving at breakneck speed. IDC estimates that one billion IM messages are being sent daily by business users and consumers, and according to the Gartner Group, IM usage will surpass email usage by 2006.
It's well known that digital photos, like PDF files and Word docs, can contain meta data that leak information the publisher didn't intend to reveal. Less acknowledged is that some cameras also embed a small thumbnail image of the original photo that can survive subsequent tinkering and cropping -- allowing a before-and-after comparison. Hacker Tonu Samuel has put together a nifty demonstration of this on his Estonia-based website. He's written a web crawler that's scouring the internet for images with hidden thumbnails, and displaying both the final image and the uncensored thumbnail to a waiting world.
Since September 11 2001 security has been in the forefront of American concerns. Granted, the general population is most concerned with personal physical security, which basically translates to physical security at the work place. We all hear of the horrible stories of disgruntled employees who bring a gun to work to kill fellow coworkers. That is not to mention the dangerous world we live in this day and time with terrorism. I think biometrics will be the biggest security tool used in the 21st century to protect the physical attributes of a company or its assets. I have decided to write my paper on this intriguing subject and how it relates to security of information networks.
While many headlines spell doom and gloom when it comes to computer-related misdeeds, the average losses at businesses due to cybercrime continue to drop, according to a new survey. For the fourth straight year, the financial losses incurred by businesses due to incidents such as computer break-ins have fallen, according to the 2006 annual survey by the Computer Security Institute and the FBI. Robert Richardson, editorial director at the CSI, discussed the survey's findings in a presentation at the CSI NetSec conference here Wednesday.
Security Implications of Applying the Communications Assistance to Law Enforcement Act to VoIP
16th, June, 2006
For many people, VoIP looks like a nimble way of using a computer to make phone calls. Download the software, pick an identifier and then whenever there is an internet connection, you can make a phone call. From this perspective, it makes perfect sense that anything that can be done with the telephone system -- such as E911 and the graceful accommodation of wiretapping -- should be able to be done readily with VoIP as well.
A Russian and Chinese-led bloc of Asian states said Thursday it plans to set up an expert group to boost computer security and help guard against threats to their regimes from the Internet.
Can you imagine getting your identity stolen because of information left behind on a hard drive? It doesn't take that much to completely wipe a hard drive. There are several Linux Live CDs that have the tools to perform a military-grade wipe of your hard drive. They overwrite the whole thing in random 1's and 0's enough times that it would require an electron microscope to recover any of the data.
Industry analysts estimate that spam currently accounts for close to 80 percent of email messages sent and causes close to £5 billion in economic losses annually. The problem with spam is very similar to that of pollution: spammers profit from their activity at the expense of the rest of the population, just like polluters of the environment profit while annoying or endangering others.
This document is intended to provide a comprehensive introduction to the behavior of email headers. It is primarily intended to help victims of unsolicited email ("email spam") attempting to determine the real source of the (generally forged) email that plagues them; it should also help in attempts to understand any other forged email. It may also be beneficial to readers interested in a general-purpose introduction to mail transfer on the Internet.
Although the document intentionally avoids "how-to-forge" discussions, some of the information contained in it might be turned to that purpose by a sufficiently determined mind. The author explicitly does not endorse malicious or deceptive falsification of email, of course, and any use for such purposes of the information contained in this document is contrary to its purpose.
More of your information than you think might be online
14th, June, 2006
If you are worried about a thief stealing your identity, it's not your wallet that needs guarding - it's your state and local governments. That's the alarm Betty "BJ" Ostergren, the self-proclaimed Virginia Watchdog, has been sounding for the past four years from her rural Virginia home.
When you use the Internet, a certain record of your activities is invariably created and - at least for a short time - retained by your Internet Service Provider. For example, when you establish an account with your ISP - whether it is AOL, Comcast, Verizon, Time-Warner, or any of thousands of ISPs you generally provide the ISP with your name, address, telephone number, and if it is a paid service, some form of payment - credit card, bank account, etc. The ISP will typically retain this account information, and will also keep records that associate this account information with any accounts that you create. Thus, while you think you are so clever creating the online persona "cyber-stud" the ISP knows that you are really a twenty nine year old permanent undergraduate engineering student living at home in your mother's basement.
Hackers armed with little more than a laptop computer could conjure up phantom planes on the screens of Australia's air traffic controllers using new radar technology, Dick Smith has warned.
The prominent businessman and aviator claims to have found another security flaw in the new software being introduced in the air traffic control system.
He has challenged Transport Minister Warren Truss to allow him to set up a demonstration of the problem at a test of the technology in Queensland to show how hackers could exploit the automatic dependent surveillance broadcasting (ASD-B) system to create false readings on an air traffic controller's screen.
http://www.linuxsecurity.com/content/view/123080
Hackers: A Terrible Resource to Waste
13th, June, 2006
I'm not apologizing for hackers who break the law, get caught and get punished. But I do wonder why some obviously smart young men disdain the idea of college, and even quit high school, and apply their skills to computer crime. Teachers and corporate technology managers should connect with these kids before they connect to computers to commit crimes.
U3 is a platform for developing applications that install to and execute from USB flash drives. It provides these applications a means to execute, read, write and clean up after themselves once the drive is removed. I haven't actually used any U3 apps yet, but having bought a "U3 Smart" drive at OfficeMax (the SanDisk Cruzer Micro 512M), I became interested in the unique way these U3 drives present themselves as two separate disks, so that the U3 software is write-protected and can auto-run on Windows machines. This page documents my attempts at changing the U3 drive to modify the write-protected partition and control the autorun feature.
More Information On The Hackers Reselling VoIP Service
16th, June, 2006
The two hackers who were reselling VoIP service have been all over the news this week. Details have been scarce, but after looking at VoIPSA, I saw that someone had posted the link to the US DoJ site where the criminal complaints can be found. Both PDFs have interesting details, such as the email addresses and handles used by both individuals. One thing I was interested in finding out, was the name of the company Pena had set up. Apparently, Pena used "Fortes Telecom, Inc." and "Miami Tech & Consulting, Inc." for his operations.
The Institute of Electrical and Electronics Engineers' 802.11i wireless security standard, released almost two years ago, is a whopping 174 pages long (not counting acknowledgements, etc.).
Security Analysis of Wireless Modulation Techniques
12th, June, 2006
The world of computer networking has forever been impacted by the infiltration of wireless technologies. From simple home networks utilizing a single wireless router or access point to an extravagant wide area network composed of thousands of servers and associated supporting hardware and software, wireless technologies exist in almost every facet imaginable. Some are simple exploitations of wireless technology, such as a wireless mouse, while others, like the wireless router, use the latest techniques wireless has to offer.