Protect your home and business networks with the free, community version of
EnGarde Secure Linux. Don't rely only on a firewall to protect your network,
because firewalls can be bypassed. EnGarde Secure Linux is a security-focused
Linux distribution made to protect your users and their data.
The security experts at Guardian Digital fortify every download of EnGarde
Secure Linux with eight essential types of open source packages. Then we configure
those packages to provide maximum security for tasks such as serving dynamic
websites, high-availability mail transport, network intrusion detection, and
more. The result for you is high security, easy administration, and automatic
updates.
The Community edition of EnGarde Secure Linux is completely free and open source.
Updates are also freely available when you register with the Guardian Digital
Secure Network.
EnGarde Secure Linux v3.0.7 Now Available - Guardian Digital is happy to announce
the release of EnGarde Secure Community 3.0.7 (Version 3.0, Release 7). This
release includes several bug fixes and feature enhancements to the Guardian
Digital WebTool and the SELinux policy, several updated packages, and several
new packages available for installation.
pgp Key Signing Observations: Overlooked Social and Technical Considerations
- While there are several sources of technical information on using pgp in
general, and key signing in particular, this article emphasizes social aspects
of key signing that are too often ignored, misleading or incorrect in the
technical literature. There are also technical issues pointed out where I
believe other documentation to be lacking. It is important to acknowledge
and address social aspects in a system such as pgp, because the weakest link
in the system is the human that is using it. The algorithms, protocols and
applications used as part of a pgp system are relatively difficult to compromise
or 'break', but the human user can often be easily fooled. Since the human
is the weak link in this chain, attention must be paid to actions and decisions
of that human; users must be aware of the pitfalls and know how to avoid them.
Bulletproof Virus Protection - Protect your network from costly security
breaches with Guardian Digital’s multi-faceted security applications.
More than just an email firewall, on-demand and scheduled scanning detects
and disinfects viruses found on the network.
Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline.
Equifax Says Laptop with Employee Data Was Stolen
20th, June, 2006
Equifax Inc., one of the three major U.S. credit reporting bureaus, on Tuesday said a laptop computer containing employee names and Social Security numbers was stolen from a worker traveling on a British commuter train.
Naked Payments I - New ISO standard for payments security - the Emperor's new clothes?
23rd, June, 2006
ISO 21188:2006, 'Public Key Infrastructure for financial services - practices and policy framework', offers a set of guidelines to assist risk managers, business managers and analysts, technical designers and implementers and operational management and auditors in the financial services industry.
Federico Biancuzzi interviews Rachna Dhamija, co-author of the paper "Why Phishing Works" and creator of Dynamic Security Skins. They discuss the human factor, how easy it is to recreate a credible browser window made with images, some new anti-phishing features included in the upcoming version of some popular browsers, and the power of letting a user personalize his interface: I'm a Postdoctoral Fellow at the Center for Research on Computation and Society at Harvard University. I teach a computer science course on Privacy and Security Usability, which tackles one of the most challenging problems in computer security: the human factor. Before that I was a Ph.D. student at U.C. Berkeley, and before that I worked on electronic commerce privacy and security at CyberCash.
In this episode of the Silver Bullet Security Podcast, Gary chats with Dan Geer, Chief Scientist at Verdasys. Dan has a Ph.D. in biostatistics from Harvard. He and Gary discuss the need to understand both technology and business in order to be a good security practitioner, Dan’s paper Cyber Insecurity, his work on Project Athena, and livestock.
In issue 81 of Linux format, on the newsstands now, we have an interview with kernel coding guru Greg Kroah-Hartman. Famous for his work on drivers and the Linux USB subsystem, Greg now works for Novell doing what he loves -- hacking the kernel.
Playing nice just doesn't get corporations to encrypt data, keep personal information off laptops and keep tabs on who has access to what data. Enterprises that don't protect customers' personal information should be hit in their wallets. Maybe then, lax corporate security practices will improve. How these penalties get levied will be subject to debate, but it's becoming apparent that something dramatic needs to happen, and money talks.
Ajax technologies have been very visible on the web over the past year, due to their interactive nature. Google Suggest and Google Maps [ref 1] are some of the notable early adopters of Ajax. Companies are now thinking of how they too can leverage it, web developers are trying to learn it, security professionals are thinking of how to secure it, and penetration testers are thinking of how to hack it. Any technology that can improve the throughput of servers, produce more fluid page transitions, and make web application even richer for the end user is bound to find a place in the industry.
Reports of data theft often conjure up images of malicious hackers breaking into remote databases to filch Social Security numbers, credit card records and other personal information. But a lot of the time, the scenario is much simpler: a careless worker at a company or agency with weak security policies falls prey to a low-tech street thug who runs off with a laptop loaded with private data. In the biggest case, the Department of Veterans Affairs recently lost data on 26.5 million veterans and military personnel stored on a laptop and external drive stolen from the suburban Washington home of a VA employee.
What do you do when the auditors are breathing down your neck, wanting to see an exhaustive report on the Windows network security of a 2000-user network across eight sites? That's easy. Break out a text editor and start writing some Perl. That's what my colleague Matt Prigge and I did when we were tasked with locating every share available on a network and documenting who had access to their files. At first blush, it was a Herculean effort. When we started coding and the pieces began to fall into place, however, it became much simpler.
Security is more than just passwords on your desktop. Every agency knows physical security is just as important. However, within a department there is normally not much to protect documents from users already in the building. And that can cause trouble.
When monitoring the availability of services between networked clients and servers, it is important to ensure a correct and timely response between those devices, for example to meet service level agreements (SLAs). This is often referred to as end-to-end service management and encompasses the need to monitor applications, servers and interconnecting networks.
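The paragraph above makes one point worth showing in code: an end-to-end check only passes when the response is both correct and within the SLA budget, and a fast wrong answer or a slow right one is a failure, not a success. The following is an added illustration written for this page, not code from any product or vendor mentioned here; the probes it runs are constructed stand-ins for real client requests, and the SLA numbers are made up.

```python
import time
from dataclasses import dataclass


@dataclass
class ProbeResult:
    service: str
    status: str       # one of "ok", "slow", "wrong", "down"
    latency_ms: float


def check_service(name, probe, expected, sla_ms, clock=time.perf_counter):
    """Run one end-to-end probe from the client side.

    `probe` performs the request and returns the reply; `expected` is the
    reply a healthy service gives. The result is "ok" only when the reply
    is correct AND arrived within `sla_ms`; a correct-but-late reply is
    "slow", an in-time wrong reply is "wrong", and an exception is "down".
    """
    start = clock()
    try:
        reply = probe()
    except Exception:
        return ProbeResult(name, "down", (clock() - start) * 1000)
    latency = (clock() - start) * 1000
    if reply != expected:
        return ProbeResult(name, "wrong", latency)
    if latency > sla_ms:
        return ProbeResult(name, "slow", latency)
    return ProbeResult(name, "ok", latency)


def sla_compliance(results, target_pct):
    """Percentage of probes in a window that were fully OK, and whether that
    meets the agreed availability target (e.g. 99.0 for a 99% SLA)."""
    if not results:
        return 0.0, False
    ok = sum(1 for r in results if r.status == "ok")
    pct = 100.0 * ok / len(results)
    return pct, pct >= target_pct


def demo():
    """Constructed probes (not real services) covering each outcome."""
    def fast_ok():
        return "HTTP/1.1 200 OK"

    def wrong_answer():
        return "HTTP/1.1 500 Internal Server Error"

    def slow_ok():
        time.sleep(0.2)           # correct, but far over a 100 ms budget
        return "HTTP/1.1 200 OK"

    def unreachable():
        raise ConnectionError("constructed: connection refused")

    results = [check_service("web", p, "HTTP/1.1 200 OK", sla_ms=100)
               for p in (fast_ok, fast_ok, wrong_answer, slow_ok, unreachable)]
    return results, sla_compliance(results, target_pct=99.0)


if __name__ == "__main__":
    results, (pct, meets) = demo()
    for r in results:
        print(f"{r.service}: {r.status:5s} {r.latency_ms:8.1f} ms")
    print(f"SLA compliance: {pct:.1f}% (meets target: {meets})")
```

The `clock` parameter exists so the latency source can be swapped for a fake in tests; in production the probe should be the same request path a real client uses (DNS lookup, TCP connect, TLS handshake, application request), otherwise the check measures the server but not the network the SLA covers.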
Zfone: A New Approach for Securing VoIP Communication
20th, June, 2006
This paper reviews some security challenges currently faced by VoIP systems as well as their potential solutions. Particularly, it focuses on Zfone, a vendor-neutral security solution developed by PGP’s creator, Phil Zimmermann. Zfone is based on the Z Real-time Transport Protocol (ZRTP), which is an extension of the Real-time Transport Protocol (RTP). ZRTP offers a very simple and robust approach to providing protection against the most common types of VoIP threats. Basically, the protocol offers a mechanism to guarantee high entropy in a Diffie-Hellman key exchange by using a session key that is computed by hashing several secrets, including a short authentication string that is read aloud by callers. The common shared secret is calculated and used only for one session at a time. However, the protocol allows for a part of the shared secret to be cached for future sessions. The mechanism provides protection against man-in-the-middle, call hijack, spoofing, and other common types of attacks. Also, this paper explores the fact that VoIP security is a very complicated issue and that the technology is far from being inherently insecure, as many people usually claim.
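The key-agreement idea summarised above (an ephemeral Diffie-Hellman exchange, a session key hashed from the DH result plus any secret cached from an earlier call, and a short authentication string the callers compare by voice) is easier to see with both sides' computations side by side. The block below is an added illustration written for this page; it is not the paper's or Zfone's code and does not implement the ZRTP wire format. The group parameters are a constructed toy (a 127-bit prime and generator 3) chosen for readability only, and the hashing and the 4-character base32 SAS are simplified models of what the real protocol does.

```python
import base64
import hashlib
import secrets

# Constructed toy Diffie-Hellman group: a 127-bit Mersenne prime with
# generator 3. Readable, but far too small for real use.
P = 2**127 - 1
G = 3
NBYTES = 16  # enough to hold any value below P


def dh_keypair():
    """Return (private exponent, public value G^x mod P)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(priv, own_pub, peer_pub, initiator, cached=b""):
    """Hash the DH result with both public values (initiator first, so both
    sides hash the same bytes) and any secret cached from an earlier call.
    This models, not reproduces, ZRTP's key derivation."""
    shared = pow(peer_pub, priv, P)
    pub_i, pub_r = (own_pub, peer_pub) if initiator else (peer_pub, own_pub)
    h = hashlib.sha256()
    for part in (shared.to_bytes(NBYTES, "big"), pub_i.to_bytes(NBYTES, "big"),
                 pub_r.to_bytes(NBYTES, "big"), cached):
        h.update(len(part).to_bytes(2, "big") + part)  # length-prefixed fields
    return h.digest()


def sas(key):
    """Short authentication string: 20 bits of a hash of the session key,
    shown as four base32 characters for the callers to read aloud."""
    return base64.b32encode(hashlib.sha256(key).digest()[:5]).decode()[:4]


def call(mitm=False, cached_a=b"", cached_b=b""):
    """One key agreement between Alice (initiator) and Bob (responder).

    Returns (alice_key, bob_key, attacker_keys). Without an attacker the two
    keys agree. With mitm=True an attacker substitutes her own public value
    in each direction and holds a separate DH secret with each party;
    attacker_keys is the pair of keys she derives toward Alice and Bob.
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    if not mitm:
        a_key = session_key(a_priv, a_pub, b_pub, True, cached_a)
        b_key = session_key(b_priv, b_pub, a_pub, False, cached_b)
        return a_key, b_key, None
    m_priv, m_pub = dh_keypair()
    a_key = session_key(a_priv, a_pub, m_pub, True, cached_a)
    b_key = session_key(b_priv, b_pub, m_pub, False, cached_b)
    # The attacker was not part of any earlier honest call, so she has no
    # cached secret to mix in and must derive with an empty cache.
    m_key_a = session_key(m_priv, m_pub, a_pub, False)   # her key toward Alice
    m_key_b = session_key(m_priv, m_pub, b_pub, True)    # her key toward Bob
    return a_key, b_key, (m_key_a, m_key_b)


def sas_matches(alice_key, bob_key):
    """What the callers check by voice: the SAS each phone displays agrees."""
    return sas(alice_key) == sas(bob_key)


if __name__ == "__main__":
    a, b, _ = call()
    print("honest call    :", sas(a), sas(b), "match" if sas_matches(a, b) else "MISMATCH")
    a, b, _ = call(mitm=True)
    print("man-in-the-middle:", sas(a), sas(b), "match" if sas_matches(a, b) else "MISMATCH")
```

Two things the code makes concrete. First, against an attacker the two phones derive different keys, so the strings they display disagree with probability about 1 - 2^-20 and the callers hear the mismatch; without that voice check the attacker's two keys are exactly the ones Alice and Bob hold, so plain Diffie-Hellman alone would not have protected the call. Second, once a first honest call has cached key material on both phones, a later attacker cannot reproduce either side's key even if nobody reads the SAS that time, which is the continuity property the summary refers to.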
Network security will be one of the next areas for virtualisation, reckons Scott Lucas, the director of product marketing at Extreme Networks. The aim, he says, is to move away from applying security at specific places in the network, and instead make it available throughout.
After the tremendously successful 2000 and 2003 security tools surveys, Insecure.Org is delighted to release this 2006 survey. I (Fyodor) asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed me to expand the list to 100 tools, and even subdivide them into categories. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also will be pointing newbies to this site whenever they write me saying “I don't know where to start”.
10 things you should do to protect your network against wireless devices
21st, June, 2006
There's no shortage of information explaining how to create a secure wireless network. But what about securing your network FROM wireless devices? This list of pointers from Dr. Thomas Shinder will help you reduce the risk.
A reader alerted us today about yet another web server compromise, affecting a large number of domains. In this particular case, the server was hosted with iPowerWeb, a provider of low cost web space on shared servers.
Space on a shared server is fine for personal use. But you should think twice before using it for commercial, in particular business-critical, use. Your web site's security will depend on a few hundred other users on the same system doing the right thing. A bad PHP script on one virtual server could lead to a compromise of all web sites hosted on the same system.
This Linux Security HOWTO is intended for a technical audience, Linux system administrators, and security people in corporations and organizations that have to use commercial Linux distributions for their production environment. If you are a Linux expert you may not find much new here, but you will have a difficult time finding documentation on various things like restricting su access to system and shared accounts, which is covered in this article; see Restricting su Access to System and Shared Accounts.
If your laptop is stolen, with your confidential data, several companies will help you get it back -- or else disable it. In May, the U.S. Department of Veterans Affairs learned the hard way that laptop computers are easy targets for theft: burglars struck the home of a department analyst who'd taken his laptop home without authorization, and made off with social-security numbers, birth dates, and other personal information for more than 26 million veterans and spouses, as well as 2 million active military, National Guard, and Reserves personnel.
Depending on how you feel about Microsoft, its new Windows Live OneCare security service either amounts to a welcome helping hand or a particularly sleazy protection racket.
If you place yourself in the latter group -- if you think nothing justifies paying Microsoft to fix its own mistakes -- you might as well stop reading now. (But then you should rethink using Microsoft software at all if you trust the company that little; Linux isn't that hard, and a Mac isn't that expensive.)
The concept of a firewall still brings to mind the picture of an impenetrable brick wall, the unsurpassable magic protector of all that is good. The bold statements made by today's security vendors only emphasize this, with claims of complete and automatic security, with a wall able to block all perils dead in their tracks using logic that perhaps didn't exist two years ago. But what if in reality the wall of the firewall is made of straw?
Fooling the firewall: LSP Trojan over port 80. Let's look at one case where a personal firewall's functionality can be circumvented. By inserting a malicious LSP (Layered Service Provider) into the protocol stack, a malicious application could effectively become a part of the protocol stack itself, able to borrow valid connections made by valid processes and ride on top of them, altering outgoing or incoming data at will. What better way for an attacker to send commands to his Trojan, and receive its output, than simply opening a valid and legitimate connection to, say, a valid public HTTP server running on the target machine?
13 Ways to Get Your Developers on Board with Software Security
21st, June, 2006
It’s easy to understand that software security starts with writing secure code. Keep the flaws out from the beginning and you’ve bought yourself several pounds of prevention. Baking security in up front is logical and makes good technical and business sense; however, getting your developers on board with security training is not necessarily going to be an easy task. At first glance, it might seem that selling software security to developers would require the same approach as getting buy-in from executive management and the average user. It’s not quite that simple.
UBS Trial: Parts of Attack Code Found At Defendant's Home
21st, June, 2006
Efforts by the defense in the UBS PaineWebber computer sabotage trial to foist blame elsewhere took a hit Friday, after testimony from a U.S. Secret Service agent revealed that parts of the code used to bring down the UBS network four years ago were found on two of the defendant's home computers, as well as in a hardcopy printout lying on top of his bedroom dresser. The Secret Service testimony ended what had been a week of contentious arguments on a strong note for the prosecution. Secret Service agents executed a warrant and searched the Bogota, N.J. home of Roger Duronio, on March 21, 2002 -- 17 days after the financial giant was hit by what prosecutors are calling a logic bomb. The segment of code found in his home was part of the 50 to 70 lines of malicious code that was used to take down about 2,000 servers, including UBS' main host server in its Weehawkin, N.J. data center, along with branch servers in about 370 offices around the country in the March 4, 2002 incident.
Duronio, 63, is facing four federal criminal charges, including computer sabotage, securities fraud and mail fraud. The government contends he crippled the company's network in a vengeful plot aimed at making money by buying stock options that would pay off if the company's stock dropped, something he allegedly tried to make happen by shutting down UBS' ability to do business for anywhere between a day and several weeks, depending on the location.
Governments and businesses must do more to improve IT security if the European Union (EU) is to achieve its goal of becoming the world’s leading knowledge economy by 2010.
The advent of enterprise-wide controls and enormous potential economies of scale have produced an IT environment in which fewer systems and people control larger and higher-value information assets. Risk mitigation should be standard practice in any enterprise. Simply accepting ever higher aggregations of risk is imprudent without evaluating the options. Strategies must address availability, integrity, confidentiality and use-control, but along with the benefits there are associated trade-offs.
Organizations considering the use of Asynchronous JavaScript and XML (AJAX) technologies to create more dynamic Web sites need to ensure they are not inadvertently opening doors into otherwise secure applications, analysts warned. While AJAX by itself doesn't create new security risks, it has a tendency to amplify the seriousness of several well-understood threats, including SQL injections, cross-site scripting and denial-of-service attacks, they said.
...the reality is that it is the simple things that are the biggest problem. Most times, internal network compromise is the result of one or more of the following: the installation of a web support application that has little to no security features to begin with; the installation of support software that has a well-known default password for the admin account, which the person installing the software never bothers to change; improperly configured communications devices such as routers and switches; important, and sometimes critical, documents left on web servers, containing information that only internal or technical people should have access to; poor password and authentication policy, with users using weak passwords to access accounts, especially on remote access devices that are present on the Internet; test servers that have been forgotten about and are still present on the Internet; and poor network border architecture, for instance installing a firewall and forgetting that there are other networks that need to be protected or should be placed behind the firewall.
Police and government officials in the U.S. have been bypassing the need for subpoenas and warrants by gathering personal information made available through private data brokers. The data brokers, which advertise heavily on the Internet, have at times admitted to using deception and illegal practices themselves, according to a new report by the Associated Press. Law enforcement agencies including the FBI, the Department of Homeland Security, the U.S. Justice Department, the U.S. Marshal's Service, and local police in various states have been using data brokers to obtain detailed personal phone records, credit histories, and other information on their suspects. The records are often obtained much faster and more easily than using the standard subpoena and warrant process - often taking hours rather than days or weeks. While the data brokers normally charge customers for the information, it is believed that law enforcement agencies are rarely charged for this service.
How to Build a Low-Cost, Extended-Range RFID Skimmer
21st, June, 2006
Radio-Frequency Identifier (RFID) technology, using the ISO-14443 standard, is becoming increasingly popular, with applications like credit-cards, national-ID cards, E-passports, and physical access control. The security of such applications is clearly critical. A key feature of RFID-based systems is their very short range: typical systems are designed to operate at a range of 5-10cm. Despite this very short nominal range, Kfir and Wool predicted that a rogue device can communicate with an ISO-14443 RFID tag from a distance of 40-50cm, based on modeling and simulations. Moreover, they claimed that such a device can be made portable, with low power requirements, and can be built very cheaply. Such a device can be used as a stand-alone RFID skimmer, to surreptitiously read the contents of simple RFID tags. The same device can be used as the "leech" part of a relay-attack system, by which an attacker can make purchases using a victim's RFID-enhanced credit card, despite any cryptographic protocols that may be used.
AT&T has issued an updated privacy policy that takes effect Friday. The changes are significant because they appear to give the telecom giant more latitude when it comes to sharing customers' personal data with government officials.
Skype plans to address the concerns of some IT managers by improving its identity authentication process. Part of Skype's "wish list" for further expansion into the business market is to enhance username authentication for business customers, the voice over Internet Protocol company said Wednesday. "There's a lot of leverage space in the identity segment," Kurt Sauer, chief security officer for Skype, told ZDNet UK.
EFF and Government Face Off Over 'State Secrets' in San Francisco Courtroom
23rd, June, 2006
On Friday, June 23, at 9:30 a.m., a federal judge in San Francisco will hear oral arguments on the U.S. government's motion to dismiss the Electronic Frontier Foundation's (EFF's) class-action lawsuit against AT&T. EFF's suit accuses the telecom giant of collaborating with the National Security Agency (NSA) in illegal spying on millions of ordinary Americans. The government contends that even if the NSA program is illegal, the lawsuit should not go forward because it might expose state secrets.
Brian Nguyen has a GPS tracker on his cell phone in case he needs help, but he always turns it off. "If I want the government to know where I am, I'll let them know," he says.
The U.S. Federal Trade Commission is notifying 110 people that two laptop computers containing their personal data were stolen from a locked vehicle.
The information includes individuals' names, addresses, Social Security numbers, birth dates and "in some cases, financial account numbers," the regulatory agency said yesterday. The laptops are password-protected, and the FTC said it had no reason to think the data on the laptops, rather than the laptops themselves, was the target of theft.
A Scottish university has become the first in the UK to offer a degree course in what it describes as "ethical hacking". The University of Abertay, based in Dundee, will offer the 3-year course from this September with the aim of turning out "white hat" experts to help companies protect themselves from computer security risks.
The course will be thoroughly vetted, with the background of each applicant being studied by The UK Home Office to stop the possibility of criminals signing up.
In a dimly lit room on the outskirts of this bustling city, 11 budding hackers are working intently on breaking into the files of a large corporation, having already hacked into the company's main computer server.
Google Inc.'s Web site hosting service is apparently being used by hackers to try to steal money using a malicious program, a security company said. Security vendor Websense Inc. warned on Friday that a Trojan horse is being hosted on a site with the same IP address as the main Google Pages Web site, at http://googlepages.com.
Do you have a wireless network? Do you have a cordless phone? Do you own a microwave? Most likely your answer to these questions is yes, which means you probably have interference. The issue at hand is not whether you have interference, but whether its effects are felt. Although most wireless boxes are able to push through the lower amounts of interference, some people, such as those living in apartments or otherwise deluged with many wireless signals may have problems. It is with this dilemma in mind that the people at MetaGeek created the Wi-Spy spectrum analyzer.
Oliver Tsai sees it every quarter. Fresh-faced medical students, new to Sunnybrook and Women's College Health Sciences Centre and armed with the latest Wi-Fi-enabled laptops, see no reason why they shouldn't be able to hop right onto Sunnybrook's wireless network with those shiny new laptops they just bought.
The same scenario plays out with doctors and office managers and anyone else whose new gadget automatically sniffs the airwaves and picks up signals from Tsai's wireless LAN, or WLAN. "They can see what's available, but because of the security, they can't access the network until the device is properly configured," says Tsai, the director of IT at the academic health sciences center in Toronto. It's a look-but-don't-touch situation that can frustrate users—but, Tsai says, it's a necessary, if temporary, frustration.
Security researchers have found a way to seize control of a laptop computer by manipulating buggy code in the system's wireless device driver. The hack will be demonstrated at the upcoming Black Hat USA 2006 conference during a presentation by David Maynor, a research engineer with Internet Security Systems Inc. and Jon Ellch, a student at the U.S. Naval postgraduate school in Monterey, California.
Device driver hacking is technically challenging, but the field has become more appealing in recent years, thanks in part to new software tools that make it easier for less technically savvy hackers, known as script kiddies, to attack wireless cards, Maynor said in an interview.