Earn an NSA-recognized IA Masters Online - The NSA has designated Norwich University a
Center of Academic Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched consulting
experience. Using interactive e-Learning technology, you can earn this esteemed
degree without disrupting your career or home life.
Protect your home and business networks with the free, community version of
EnGarde Secure Linux. Don't rely only on a firewall to protect your network,
because firewalls can be bypassed. EnGarde Secure Linux is a security-focused
Linux distribution made to protect your users and their data.
EnGarde Secure Linux v3.0.7 Now Available - Guardian Digital is happy to announce
the release of EnGarde Secure Community 3.0.7 (Version 3.0, Release 7). This
release includes several bug fixes and feature enhancements to the Guardian
Digital WebTool and the SELinux policy, several updated packages, and several
new packages available for installation.
pgp Key Signing Observations: Overlooked Social and Technical Considerations
- While there are several sources of technical information on using pgp in
general, and key signing in particular, this article emphasizes social aspects
of key signing that are too often ignored, misleading or incorrect in the
technical literature. There are also technical issues pointed out where I
believe other documentation to be lacking. It is important to acknowledge
and address social aspects in a system such as pgp, because the weakest link
in the system is the human that is using it. The algorithms, protocols and
applications used as part of a pgp system are relatively difficult to compromise
or 'break', but the human user can often be easily fooled. Since the human
is the weak link in this chain, attention must be paid to actions and decisions
of that human; users must be aware of the pitfalls and know how to avoid them.
Bulletproof Virus Protection - Protect your network from costly security
breaches with Guardian Digital's multi-faceted security applications.
More than just an email firewall, on-demand and scheduled scanning detects
and disinfects viruses found on the network.
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headlines.
Naked Payments I - New ISO standard for payments security - the Emperor's new clothes?
24th, June, 2006
ISO 21188:2006, 'Public Key Infrastructure for financial services - practices and policy framework', offers a set of guidelines to assist risk managers, business managers and analysts, technical designers and implementers and operational management and auditors in the financial services industry.
Innocent Code: A Security Wake-up Call for Web Programmers
26th, June, 2006
Finally, an entertaining programmer's book on security! Innocent Code will show you how common programming errors make a web site open to attacks, even with both firewalls and encryption in place. You, the programmer, play a major role when it comes to the security of a web site. With lots of real-life examples, this book will show you why.
When Mark Russinovich last October revealed how Sony BMG Music Entertainment was secretly using a rootkit aimed at copyright protection for its CDs, the public took Sony to task - and to court - and Russinovich gained some unexpected fame. The Sony case has been settled, but experts say the rootkit threat is growing. Network World Senior Editor Ellen Messmer recently spoke with Russinovich, co-founder of Winternals Software, about where the rootkit situation stands today.
Virtual private networks (VPNs) are a means for connecting to a remote network and making it look like a local one. This means you can connect to your work location and have full access to resources (if so configured on the work side), such as shared printers, work files, etc.
There are a number of VPN products freely available; some are kernel-level like openswan and can be fairly difficult to configure. OpenVPN, available at http://openvpn.net/, doesn't require patching the kernel and can be extremely straightforward. Configuration is more difficult if you want to use a lot of its features, but for a quick client/server VPN, you can be up and running in minutes.
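As an added illustration of the "up and running in minutes" client/server case (this is not the article's configuration, and the hostname vpn.example.com, the 10.8.0.0/24 tunnel subnet, the 192.168.1.0/24 office LAN and the certificate file names are assumptions), a minimal routed OpenVPN 2.x server and client pair. Certificates come from your own CA; the easy-rsa scripts shipped with OpenVPN produce them.

```conf
# Added example, not from the article. Assumed names throughout.

# ---- server.conf (run with: openvpn --config server.conf) ----
port 1194
proto udp
dev tun
# CA that signed both the server and the client certificates
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# clients are assigned addresses from this pool
server 10.8.0.0 255.255.255.0
# assumed office LAN reachable through the server
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
# HMAC on the control channel: packets without a valid HMAC are dropped
# before they ever reach the TLS code, which blunts port scans and DoS
tls-auth ta.key 0
# do not accept the old Blowfish default
cipher AES-256-CBC
# drop root privileges once the tunnel interface is up
user nobody
group nogroup
persist-key
persist-tun
verb 3

# ---- client.conf (run with: openvpn --config client.conf) ----
client
dev tun
proto udp
# assumed server name
remote vpn.example.com 1194
nobind
resolv-retry infinite
ca ca.crt
cert client.crt
key client.key
# refuse to talk to a peer that presents a client certificate as the
# server (needs OpenVPN 2.1 or later; 2.0 used ns-cert-type server)
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
persist-key
persist-tun
verb 3
```

The two settings most often skipped in quick setups are the ones that matter: tls-auth, so that anyone who can reach UDP 1194 still cannot start a TLS handshake without the shared ta.key, and remote-cert-tls on the client, without which any certificate signed by your CA (including another client's) would be accepted as the server.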
The scenario is that you are somewhere without Internet connectivity. You have found either an open wireless access point or perhaps you're staying in a hotel which offers paid Internet access via services like Spectrum Interactive [1] (previously known as UKExplorer). You make the connection, whether it's physically plugging in the Ethernet cable or instructing your wireless adapter to lock onto the radio signal. You are prompted with some sort of authorization page when you open a browser. You don't have access to it, so what do you do?
Striking the Balance Between Storage Security and Availability
26th, June, 2006
Every business owner knows that information is much more than one of an organization’s strategic resources. In a very real way, information is the organization. For IT professionals, there is no shortage of challenges when it comes to protecting and efficiently managing such a vital asset. The year 2005 was proof that loss of information can be detrimental to any organization. Almost every week another organization was involved in a security breach involving valuable corporate data or customer information, several of which involved stolen or lost backup tapes. As a result, high-profile organizations are scrambling to ensure more effective storage security and data protection, while concerns surrounding identity theft continue to mount among consumers. Adding to storage professionals’ anxiety is the amount of data that can be compromised on a single backup tape. Because of the concentrated pool of data they contain, a single tape can compromise more personal information than many of this year’s online break-ins.
I've been in the web application security business for many, many years now, and have worked with tons of e-commerce applications in regards to security. However, regardless of whether I am working with a tiny open source php script, or someone as large as amazon, I have found security vulnerabilities to be consistently present and ignored. It's disgusting the sort of disregard some companies have towards security and how easy it is for a security vulnerability to fall through the cracks and be forgotten about before it reaches the right person to be fixed.
DNS is mostly a directory service. Millions of people and computers use one or more directories every day. Currently, so many directories exist in our world that they have become almost transparent to casual observers. You could say it's a directory kind of world out there and DNS remains a big part of it for people who use the Internet regardless of the device.
In the old days, people often referred to directories as databases and technically they were right. Directories and databases share many characteristics such as the storing of information and the ability to rapidly search through that data. Think of how many times you use your cell phone as a database for personal contacts. In fact, your cell uses its address book as a directory to rapidly find and dial people's telephone numbers.
According to the OWASP Guide, unvalidated input is the most common weakness found in web applications. Tainted input leads to almost all other vulnerabilities in these environments (OWASP, 2005). Before we look at how to prevent this weakness from spreading throughout your web solutions, let’s examine the potential threats to your business when tainted input is allowed to reach your processing components.
Ian Wrigley and Simon Brock discuss how to keep your systems safe and secure from attacks
Hackers are a fact of life these days. Anyone who's managed a server will know that the box will inevitably be probed, and logins attempted, on a daily basis. For example, on just one server we manage - which sits behind a firewall with only a very limited number of ports open - we've seen dozens of different login attempts from unauthorised sources over the last couple of days alone, including one sustained attempt to log in via SSH more than 2,500 times, and this is absolutely typical. So much so that these days we don't even bother notifying the system administrator of the machine from which the logins were attempted. Gone are those days when we'd email administrators to warn them that their own machines may be compromised.
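The sustained SSH login attempts the authors describe are easy to pull out of the sshd log once you count failures per source inside a time window; what actually deserves attention is an accepted login from a source that has just been guessing. The following is an added example, not the authors' tooling: the log lines are constructed (RFC 5737 documentation addresses and an invented host web1), the threshold and window are assumptions, and a year of 2006 is assumed because classic syslog timestamps carry none.

```python
"""Spot SSH password-guessing sources in sshd syslog output.

Added example, not the article's code. SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH's two messages of interest, in classic syslog framing.
_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(
    _PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    _PREFIX + r"Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
ASSUMED_YEAR = 2006  # syslog lines carry no year; assumed for parsing


def parse_timestamp(raw):
    return datetime.strptime(f"{ASSUMED_YEAR} {raw}", "%Y %b %d %H:%M:%S")


def analyse(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for sources worth acting on.

    A source is flagged 'brute_force' once it has `threshold` failed
    password attempts inside a sliding `window`. If an accepted login
    from that source follows, 'success_after_failures' records the user
    and method: that is the event that should actually page somebody.
    """
    recent = defaultdict(list)   # ip -> failure timestamps still in window
    users = defaultdict(set)     # ip -> usernames tried
    findings = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ip, ts = m.group("ip"), parse_timestamp(m.group("ts"))
            users[ip].add(m.group("user"))
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if len(recent[ip]) >= threshold:
                f = findings.setdefault(ip, {"brute_force": True, "attempts": 0})
                f["attempts"] = max(f["attempts"], len(recent[ip]))
                f["users"] = sorted(users[ip])
            continue
        m = ACCEPTED_RE.match(line)
        if m and m.group("ip") in findings:
            findings[m.group("ip")]["success_after_failures"] = (
                m.group("user"), m.group("method"))
    return findings


# Constructed sample: one guessing source that eventually gets in, one
# legitimate user with a single typo, one lone probe.
SAMPLE_LOG = """\
Jun 28 03:14:07 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jun 28 03:14:09 web1 sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 40123 ssh2
Jun 28 03:14:11 web1 sshd[1205]: Failed password for root from 203.0.113.5 port 40124 ssh2
Jun 28 03:14:12 web1 sshd[1207]: Failed password for root from 203.0.113.5 port 40125 ssh2
Jun 28 03:14:14 web1 sshd[1209]: Failed password for root from 203.0.113.5 port 40126 ssh2
Jun 28 03:15:40 web1 sshd[1211]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jun 28 03:15:52 web1 sshd[1211]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Jun 28 03:16:02 web1 sshd[1213]: Failed password for root from 203.0.113.5 port 40127 ssh2
Jun 28 03:16:05 web1 sshd[1215]: Accepted password for root from 203.0.113.5 port 40128 ssh2
Jun 28 03:30:00 web1 sshd[1300]: Failed password for invalid user oracle from 192.0.2.9 port 33000 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, finding in analyse(SAMPLE_LOG).items():
        print(ip, finding)
```

Run against a real /var/log/auth.log the same function works unchanged, since the regexes match OpenSSH's own message formats; the sliding window is what keeps a slow, patient scanner from being lost in the noise of one-off probes.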
BSD users can improve system security with that operating system's jail mechanism, which creates a partition of resources, thereby creating a logical barrier between services running inside different such jails. Under Linux, an application called Linux-VServer implements pretty much the same functionality. It partitions a system's resources -- namely CPU, memory, hard disk, and network -- so that processes inside of the partitions are limited to their context, which makes denial of service attacks less likely to succeed. This is one reason why many hosting companies use virtual servers.
"The Harvard Law Review has published a student-written article that argues that hackers, worms, and viruses are good for network security and that the law and public policy should encourage 'beneficial' hacking. From the article: 'Exploitation of security holes prompts users and vendors to close those holes, vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security reduces the likelihood of a catastrophic attack -- one that would threaten national or even global security [...] Current federal law, however, does not properly value such strategic goals.'"
Before Stephen Baird interviewed for the position of VP of corporate security for United Rentals in 2004, he did his homework. Sure, he checked out its financial filings and the stability of the executive suite, and he networked with a few peers. But Baird also went a step further. He visited a branch office to see what customers experience. “I learned how to rent a piece of equipment, and I basically hung around watching and listening,” he says. During the interview, when the CFO asked how Baird saw security playing into revenue generation, he had a ready answer. "I told him, 'I will never make security a revenue generator, but it can contribute to cost savings and increased efficiencies,'" he says. Baird then explained how he had watched customers renting equipment and noticed that although they were offered the option to buy insurance on the equipment, there were no security products available onsite. He talked about products United could offer, like security locks for Bobcats that cut down on damage and theft of rented equipment. "The CFO [who would also be his new boss] just sat back and smiled," Baird recalls.
The US is insufficiently prepared for a “cyber catastrophe” that brings down large parts of the internet, big business leaders have warned.
A report from the Business Roundtable, a group of 160 chief executives of major corporations, warns that measures needed to deal with a major attack, software incident or natural disaster that disrupts the Internet are not in place.
The report – Essential Steps Toward Strengthening America’s Cyber Terrorism Preparedness – draws comparisons between the lack of preparation for a cyber disaster and the chaotic response to Hurricane Katrina last year.
It highlights three key gaps in response plans designed to restore the internet.
In a recent test of a credit union's network security, consultants working for East Syracuse, N.Y.-based security audit firm Secure Network Technologies scattered twenty USB flash drives around the financial group's building. Each memory fob held a program, disguised as an image file, that would collect passwords, user names and information about the user's system. Fifteen of the USB drives were picked up by employees, and surprisingly, all fifteen drives were subsequently plugged into credit union computers. The test confirmed that employees play a key role in a company's security and that many workers still do not understand the danger of USB drives, said Steve Stasiukonis, vice president and founder of Secure Network Technologies.
June 26, 2006 (IDG News Service) -- A free Web browser that bills itself as a tool for privacy protection is, in fact, a click-fraud engine for pornographic Web sites, security vendor Panda Software SL warned Friday.
Browsezilla, whose name and lizard-like mascot are reminiscent of the open-source Mozilla browser products, claims to help surfers cover their tracks when visiting pornographic sites. It does not use browser history or save data to a cache, and it allows users to save their bookmarks on a remote server, according to the product's Web site.
Businesses should adopt management tools to keep control over handheld devices in the way they would for desktop PCs, analysts have urged.
In a report on handset management, wireless analyst Unstrung argues that few IT chiefs would accept a PC environment where they could not remotely configure, police or troubleshoot computers, yet "many don't think twice about tolerating precisely that situation with employee handsets".
IT managers should consider tools that provide remote control over handheld devices in order to boost productivity and reduce security risks, the report says.
Spam is again on the rise, led by a flood of junk images that spammers have crafted over the past few months to trick e-mail filters, according to security vendors.
It's an iPod world, and that makes Apple's popular music player a target for thieves. Police departments around the country have reported a surge in thefts of iPods and other portable music players, and the New York Police Department says iPod robberies have helped push up crime statistics in the subway.
Making Your Linux Installation (more) Malware-proof
29th, June, 2006
Windows XP, left unpatched, is vulnerable to malware that can make it shrivel up and die within a few minutes of being connected to the Internet. Even after patching, Windows is still subject to virus and spyware attacks that make third-party security tools a must. Linux, on the other hand, has a reputation for being relatively impervious to attack via the Net. But is it really immune to the threats that stalk Windows?
Being a CSO is rather like being a soccer manager. Both have to make the best use of limited resources to deliver the results demanded of them. A CSO has only a limited headcount, budget and IT resources available, yet has to manage all of these strategically and squeeze out the best value – irrespective of conditions or external factors.
At first glance, a soccer manager seems to have many more resources at his disposal, from the players to coaching staff, assistants and luxuries such as in-depth TV and video analysis of games.
In a deal that marries one of the IT industry's biggest data storage vendors and one of its best-known security companies, EMC Corp. today unveiled plans to acquire RSA Security Inc.
Service Providers Must Protect Customers from DDoS
30th, June, 2006
The recent case of Blue Security, where the reverberations of attacks from criminal spammers brought down hundreds of ordinary web users and small internet companies, has highlighted the vulnerabilities within major internet services. Many service providers have not been fully equipped to deal with the high-level DDoS and DNS amplification attacks that are increasingly occurring.
ATMs Linked to IP Networks Vulnerable to Threats, security firm says
2nd, July, 2006
A continuing trend by banks to take automated teller machines off proprietary networks and put them on the banks’ own TCP/IP networks is introducing new vulnerabilities in the ATM transaction environment.
The Internet, data systems and growing computer networks provide many opportunities for computer crimes. Computers are increasingly used to commit, enable or support crimes perpetrated against business, people and property. Computers can be used to commit the crime, may contain evidence from a crime and could be targets of crime. The following paragraphs define the role and nature of evidence that might be found, how to process a crime scene containing potential forensic evidence, and how an agency might respond, drawing on the experience of the law enforcement community, the public sector and the private sector in recognizing, collecting and preserving computer forensic evidence at a variety of crime scenes.
There is no doubt that the rise of the Internet has added a new dimension to our lives and made drastic changes to some activities. Going to a movie tonight? Check the listings on the web, it's quicker than finding it in the newspaper. Who was the actress who played Mindy on that TV show? Hit the Internet Movie Database web site (http://www.imdb.com) and see the career history of Pam Dawber. Notice that line of filled grocery carts waiting by the door at the supermarket? Those are for folks who did their grocery shopping on the web and just have time to run by and pick them up. Uncle Albert's birthday is TODAY? Send him a cute card through email and he'll never know you forgot. Need the fourth book of the Earthsea Trilogy? Check a dozen online booksellers without driving anywhere. Did your kid mess up in school today? Look for the teacher's email.
The outing of a simple crash bug has caused public soul-searching in an industry that has historically been closed-mouthed about its vulnerabilities.
"The guys who are setting up these systems are not security professionals. And many of the systems that are running SCADA applications were not designed to be secure--it's a hacker's playground."
- Jonathan Pollet, vice president and founder, PlantData Technologies, a division of Verano
Criminals have launched a blended attack which attempts to lure users to a malicious Web site via text message. IT managers have been warned to alert their staff to the attack, which uses social engineering techniques to try to trick users to the phishing site, according to security vendor Websense. Users are sent an SMS text message to their mobile phone, thanking them for subscribing to a fictitious dating service. The message states that they will be automatically charged a subscription fee of $2.00 per day, which will be added to their phone bill, until their subscription is cancelled at the online site.
Cyber-criminals Use P2P Tools for Identity Theft, Security Analyst Warns
26th, June, 2006
Cyber-criminals are multiplying quickly and becoming more sophisticated in the ways in which they take advantage of unwitting Internet individual users and companies, a nationally recognized cyber-security specialist told an SD Forum seminar audience June 22. And peer-to-peer networks such as Limewire, Kazaa, Grokster and others aren't helping to quell the increase in crimes committed via the Internet, he said. "It used to be only burglaries from people's homes and businesses," said Howard Schmidt, a former cyber-security adviser to the Bush administration, former chief information security officer at Microsoft and eBay, and now a principal in R&H Security Consulting in Issaquah, Wash.
I don't need to tell you that e-mail has changed the way the world communicates. I get more e-mails by far than I do letters delivered the old-fashioned way. That said, there's one aspect of e-mail that many of us overlook at our peril, and that's the information we put in our messages.
In this article we will first look at some of the existing methods to identify an email as spam. We look at the pros and cons of the existing methods and what the current challenges in this domain are. This article also owes a special mention to Paul Graham, for his work in this field and for putting up perhaps the most comprehensive tutorials in this domain on his homepage. I am sure that each one of us has faced this problem of spamming. Every morning when I open my inbox I spend most of the time either deleting the junk emails or reporting them as spam.
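The Paul Graham work the author credits is the word-probability ("Bayesian") filter described in "A Plan for Spam". As an added example, not the article's code, here is a small filter in that style: per-token spam probabilities learned from a constructed toy corpus, ham counts doubled to bias against false positives, probabilities clamped to 0.01/0.99, and only the fifteen most "interesting" tokens combined. The corpus, the document-frequency counting (each token counted once per message) and the test messages are assumptions; the rest follows Graham's description.

```python
"""Word-probability spam scoring in the style of "A Plan for Spam".

Added example with a constructed corpus; not the article's code.
"""
import math
import re
from collections import Counter

# Graham keeps $, ! and ' inside tokens, so "$1000" and "free!!!" survive
TOKEN_RE = re.compile(r"[a-z0-9$!']+")


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


class SpamFilter:
    def __init__(self):
        self.good = Counter()  # token -> number of ham messages containing it
        self.bad = Counter()   # token -> number of spam messages containing it
        self.ngood = 0         # ham messages seen
        self.nbad = 0          # spam messages seen

    def train(self, text, is_spam):
        counts = self.bad if is_spam else self.good
        for tok in set(tokenize(text)):   # assumption: count once per message
            counts[tok] += 1
        if is_spam:
            self.nbad += 1
        else:
            self.ngood += 1

    def token_probability(self, tok):
        """P(spam | token), or None when the token has never been seen."""
        g = 2 * self.good[tok]   # double ham counts: false positives cost more
        b = self.bad[tok]
        if g + b == 0:
            return None
        p = (b / max(self.nbad, 1)) / ((g / max(self.ngood, 1)) + (b / max(self.nbad, 1)))
        return min(0.99, max(0.01, p))   # never let one token be absolute proof

    def score(self, text, n_interesting=15):
        """Combined spam probability for a message; 0.5 means no evidence."""
        probs = [p for p in (self.token_probability(t) for t in set(tokenize(text)))
                 if p is not None]
        # the "interesting" tokens are those farthest from 0.5
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        probs = probs[:n_interesting]
        if not probs:
            return 0.5
        # Graham's combination prod(p) / (prod(p) + prod(1-p)), done in log
        # space so a long message cannot underflow to 0/0
        log_spam = sum(math.log(p) for p in probs)
        log_ham = sum(math.log(1 - p) for p in probs)
        return 1 / (1 + math.exp(log_ham - log_spam))


# Constructed toy corpus (assumption): four spam and four ham messages.
SPAM = [
    "Buy cheap viagra now!!! Click here for free pills",
    "You have won a free prize, click here to claim your $1000 now",
    "Cheap mortgage rates, refinance now, free quote",
    "Enlarge now, 100% guaranteed, click here",
]
HAM = [
    "Hi Bob, are we still meeting for lunch on Tuesday?",
    "The patch for the kernel build is attached, please review",
    "Minutes from the security team meeting are on the wiki",
    "Can you review the openvpn config before I push it to the server?",
]


def build_filter():
    f = SpamFilter()
    for msg in SPAM:
        f.train(msg, is_spam=True)
    for msg in HAM:
        f.train(msg, is_spam=False)
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in ("Click here now for free cheap pills",
                "Are we still meeting on Tuesday to review the kernel patch?"):
        print(f"{f.score(msg):.3f}  {msg}")
```

With a corpus this small the scores saturate near 0 and 1; the 0.01/0.99 clamp is what stops a single never-seen-in-ham token such as "click" from deciding a message on its own, and the n_interesting cutoff is what lets spammers' padding of innocent words fail to dilute the verdict.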
It's not surprising that an expert hired by EFF should produce an analysis that supports the group's case against AT&T. But last week's public court filing of a redacted statement by J. Scott Marcus is still worth reading for the obvious expertise of its author, and the cunning insights he draws from the AT&T spy documents.
An internet pioneer and former FCC advisor who held a Top Secret security clearance, Marcus applies a Sherlock Holmes level of reasoning to his dissection of the evidence in the case: 120-pages of AT&T manuals that EFF filed under seal, and whistleblower Mark Klein's observations inside the company's San Francisco switching center.
Utica College and Lexis-Nexis announced on Wednesday that they had teamed up with the FBI and the U.S. Secret Service as well as other universities to establish a center for researching identity theft and developing measures to protect consumer data. Utica College promised that the research hub, dubbed the Center for Identity Management and Information Protection (CIMIP), will bring together experts, allow access to sensitive data and produce actionable strategies for combating identity fraud. Other founding members include the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University, Indiana University, Syracuse University, and IBM.
June 23, 2006 (IDG News Service) -- Users of peer-to-peer file-sharing services may be sharing more than they bargained for, a former White House cybersecurity adviser warned Thursday.
Security researchers have found thousands of files with sensitive information by searching through file-sharing networks, said Howard Schmidt, CEO of R&H Security Consulting LLC. Schmidt, who has also worked as chief security officer for Microsoft Corp., made the comments during an SDForum seminar in Palo Alto, Calif., on Thursday.
With the National Security Agency (NSA) monitoring our phone calls, now might be a good time to think seriously about the security of our email as well. In particular, you might want to think about encrypting your email, and about whether it's safe in the hands of third-party providers like Yahoo!, Google, and Microsoft.
A bill introduced yesterday by Sen. Bob Bennett (R-Utah) and Sen. Tom Carper (D-Del.) both of whom serve on the Senate Banking Committee, joins a growing list of data security measures now pending before Congress.
The proposed Data Security Act of 2006 seeks to create a national data protection and breach notification standard.
The Bush Administration is giving federal civilian agencies just 45 days to comply with new recommendations for laptop encryption and two-factor authentication. The memo follows a wave of high profile data thefts and major security breaches involving remote access or the theft of government laptop computers containing sensitive personal information. The official memo (PDF) from the executive office of the U.S. president stipulates that all mobile devices containing sensitive information must have their data encrypted.
"The world's largest FOSS IRC network, FreeNode, was hijacked (for lack of a better term) by someone who somehow got a hold of the privileges of Robert Levin, AKA lilo, the head honcho of FreeNode and its parent organization, PDPC. To make matters worse, the passwords of many users may have been compromised by someone posing as NickServ, the service that most clients are configured to send a password to upon connecting, while they reconnected to the servers that hadn't been killed.
The Ten Most Critical Wireless and Mobile Security Vulnerabilities
29th, June, 2006
Inspired by the SANS Top 20, this list is a consensus of industry experts on wireless and mobile vulnerabilities that require immediate remediation. It is offered as a public service by the Mobile Antivirus Researcher’s Association. MARA membership is diverse. The spectrum of MARA members ranges from individuals such as authors, researchers and university professors, all the way to antivirus vendors, military experts, and publicly-traded, multi-billion dollar security corporations.
People 'just don't care' about Wi-Fi security according to researchers, but some senior security experts argue there's no need to secure networks at all
A large percentage of Wi-Fi networks are "horribly insecure", according to researchers at Indiana University.
In a study of almost 2,500 access points in Indianapolis, presented at the Workshop on the Economics of Information Security at the University of Cambridge on Monday, researchers found that 46 percent were not running any form of encryption.
"People just really don't care about Wi-Fi security, and open Wi-Fi at home is a nice big target," said Matthew Hottell, lecturer in informatics at Indiana University. "Defaults [settings] are king," added Hottell.