EnGarde Secure Linux v3.0.7 Now Available
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.7 (Version 3.0, Release 7). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and several new packages available for installation.
pgp Key Signing Observations: Overlooked Social and Technical Considerations
While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to the actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.
Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.
Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.
Malicious Cryptography, part one
3rd, July, 2006
Cryptology is everywhere these days. Most users make good use of it even if they do not know they are using cryptographic primitives from day to day. This two-part article series looks at how cryptography is a double-edged sword: it is used to make us safer, but it is also being used for malicious purposes within sophisticated viruses.
In part one of this article series, the concepts behind cryptovirology were discussed. Two examples of malicious cryptography were used, involving weaknesses in the SuckIt rootkit and the potential for someone to design an effective SSH worm. The concept of armored viruses was also introduced.
Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
5th, July, 2006
This document describes a method of verifying Secure Shell (SSH) host keys using Domain Name System Security (DNSSEC). The document defines a new DNS resource record that contains a standard SSH key fingerprint.
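The record this document defines (RFC 4255) carries the SSH algorithm number, a fingerprint type and the hash of the host key blob. The following is an added example, not code from the RFC or the page, showing how an operator would derive an SSHFP record from an OpenSSH public key line and how a client would check an offered key against it; the sample key is constructed and is not a real key pair, and the owner name `host.example` is a placeholder.

```python
import base64
import hashlib
import struct

# Algorithm and fingerprint-type numbers from RFC 4255: 1 = RSA, 2 = DSA;
# fingerprint type 1 = SHA-1.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2}
SSHFP_FPTYPE_SHA1 = 1


def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n):
    """SSH wire-format mpint: a leading zero byte is added when the high bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


# Constructed sample host key: a structurally valid ssh-rsa blob with a toy
# modulus. It is NOT a usable key pair; it only exercises the encoding.
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE1234567891)
SAMPLE_PUBKEY_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " host.example"


def parse_openssh_pubkey(line):
    """Split an OpenSSH public key line into (key_type, decoded_blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1])
    (n,) = struct.unpack(">I", blob[:4])
    # The blob repeats the key type as its first string; a mismatch means the
    # line was mislabeled or tampered with.
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob


def sshfp_rdata(pubkey_line):
    """Return (algorithm, fptype, hex_fingerprint) for an SSHFP record.
    The fingerprint is SHA-1 over the raw key blob, the same bytes that
    ssh-keygen -l hashes."""
    key_type, blob = parse_openssh_pubkey(pubkey_line)
    if key_type not in SSHFP_ALGORITHM:
        raise ValueError("no RFC 4255 algorithm number for " + key_type)
    return SSHFP_ALGORITHM[key_type], SSHFP_FPTYPE_SHA1, hashlib.sha1(blob).hexdigest()


def sshfp_presentation(owner, pubkey_line):
    """Zone-file line the server operator would publish."""
    alg, fptype, fp = sshfp_rdata(pubkey_line)
    return f"{owner}. IN SSHFP {alg} {fptype} {fp}"


def parse_sshfp_presentation(text):
    """Read (algorithm, fptype, hex_fingerprint) back out of a zone-file line."""
    fields = text.split()
    i = fields.index("SSHFP")
    return int(fields[i + 1]), int(fields[i + 2]), fields[i + 3].lower()


def host_key_matches(pubkey_line, records, dnssec_validated):
    """Client-side check: does the key the server offered match a published
    SSHFP record? RFC 4255 only lets the client rely on the answer when the
    DNS response was validated with DNSSEC; an unvalidated answer could have
    been spoofed, so it is treated as no match."""
    if not dnssec_validated:
        return False
    offered = sshfp_rdata(pubkey_line)
    return any(offered == parse_sshfp_presentation(r) for r in records)
```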
I had yet another computer journalist call me to ask if Vendor X's security solution was THE security product to solve all our security problems. I get a call or e-mail like this about once every two weeks. Usually they've read the vendor's own PR, another newspaper article, or even my own column touting a particular product. The typical conversation goes something like this:
Journalist: "Hey, do you think Product A from Vendor X will solve all our security problems?" (I'm not making up this question, either -- I hear a version of it 99 percent of the time.)
When I think about our security strategy, I have to ask myself if we've done enough. Have we covered all the bases? If we haven't, do we have a work-around or some other risk-mitigation plan in place? The best security approach is applied in layers. You can apply the layers from the inside out or the outside in, but most companies start from the outside, putting firewalls at every entry point to the network. At my state agency, though, we work from the inside out. State systems are sprawling. When I came to work at this agency, the state-level WAN guys assured me that they had adequately protected the state network, including my agency. But when you realize how vast the network is, stretching to every state government office and university classroom, you wonder how secure it can be without assistance from the various agencies. And so we have taken responsibility for the agency's security, working from the inside out.
Ubuntu's desktop install provides a bunch of useful software for desktop users, but it doesn't install a firewall by default. Luckily, it's really simple to get a firewall up and running on Ubuntu.
Frankly, I'm glad that the default install doesn't set up a firewall. Most of my computers live behind a firewall at all times anyway, and I've always been annoyed by installers that demand I deal with firewall questions when I've already got the situation well in hand. If I want a firewall on a machine, I can set one up on my own. Since Ubuntu is, in part, aimed at corporate desktops, a firewall is unnecessary for many installations.
Limiting Vulnerability Exposure Through Effective Patch Management
4th, July, 2006
This paper aims to provide a complete discussion on vulnerability and patch management. It looks first at the trends relating to vulnerabilities, exploits, attacks and patches. These trends provide the drivers of patch and vulnerability management.
SSH (secure shell) is a program enabling secure access to remote filesystems. Not everyone is aware of other powerful SSH capabilities, such as passwordless login, automatic execution of commands on a remote system or even mounting a remote folder using SSH! In this article we'll cover these features and much more. SSH works in a client-server mode. This means that there must be an SSH daemon running on the server we want to connect to from our workstation. The SSH server is usually installed by default in modern Linux distributions. The server is started with a command like /etc/init.d/ssh start. It uses communication port 22 by default, so if we have an active firewall, the port needs to be opened. After installing and starting the SSH server, we should be able to access it remotely.
A few years ago, mentioning the phrase SQL Injection to developers or asking to adopt a defense-in-depth strategy would probably get you a blank stare for a reply. These days, more people have heard of SQL Injection attacks and are aware of the potential danger these attacks present, but most developers’ knowledge of how to prevent SQL Injection is still inadequate.
BIOS passwords can add an extra layer of security for desktop and laptop computers, and are used either to prevent a user from changing the BIOS settings or to prevent the PC from booting without a password. BIOS passwords can also be a liability if a user forgets their password, or if a malicious user changes the password. Sending the unit back to the manufacturer to have the BIOS reset can be expensive and is usually not covered in a typical warranty. However, there are a few known backdoors and other tricks of the trade that can be used to bypass or reset the BIOS password on most systems.
The scenario is you are without Internet connectivity anywhere. You have found either an open wireless access point or perhaps you're staying in a hotel which permits rented Internet via services like Spectrum Interactive [1] (previously known as UKExplorer). You make the connection, whether it's physically connecting the Ethernet cables, or instructing your wireless adapter to lock onto the radio signal. You are prompted with some sort of authorization page when you open a browser. You don't have access to it, so what do you do?
IPAudit is a handy tool that will allow you to analyze all packets entering and leaving your network. It listens to a network device in promiscuous mode, just as an IDS sensor would, and provides details on hosts, ports, and protocols. It can be used to monitor bandwidth, connection pairs, detect compromises, discover botnets, and see who's scanning your network. When compared to similar tools, such as Cisco Systems' NetFlow, it has many advantages (see the SecurityFocus articles on NetFlow, part 1 and part 2). It is easier to set up than NetFlow, and if you install it on your existing IDS sensors, there is no extra hardware to purchase. Since it captures traffic from a span port, it does not require that you modify the configuration of your networking equipment, or poke holes in firewalls for NetFlow data.
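The three uses named above (per-host bandwidth, connection pairs, spotting who is scanning) are all aggregations over the packets a promiscuous-mode sensor sees. The following is an added example, not IPAudit's own code, that performs those aggregations over a constructed packet list; the record layout, the service-port heuristic (lower port number is the service) and the scan threshold are assumptions of this example, not IPAudit's.

```python
from collections import defaultdict

# Constructed sample records in the shape a sensor would hand to an
# accounting tool: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# Not real traffic. The last entries mimic one outside host probing 40 ports.
SAMPLE_PACKETS = [
    ("10.0.0.5", 51514, "10.0.0.20", 22, "tcp", 1500),
    ("10.0.0.20", 22, "10.0.0.5", 51514, "tcp", 600),
    ("10.0.0.5", 51514, "10.0.0.20", 22, "tcp", 1500),
    ("10.0.0.7", 40022, "203.0.113.9", 443, "tcp", 900),
    ("203.0.113.9", 443, "10.0.0.7", 40022, "tcp", 4200),
] + [("198.51.100.4", 60000, "10.0.0.20", p, "tcp", 60) for p in range(1, 41)]


def service_port(sport, dport):
    """Heuristic used here: the lower port is the service, the higher one
    is the client's ephemeral port, so both directions map to one service."""
    return min(sport, dport)


def connection_pairs(packets):
    """Packets and bytes per (host_a, host_b, proto, service_port); the two
    hosts are sorted so request and reply land in the same bucket."""
    pairs = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, sport, dst, dport, proto, size in packets:
        a, b = sorted((src, dst))
        key = (a, b, proto, service_port(sport, dport))
        pairs[key]["packets"] += 1
        pairs[key]["bytes"] += size
    return dict(pairs)


def bandwidth_by_host(packets):
    """Total bytes seen to or from each host, the view used for bandwidth monitoring."""
    totals = defaultdict(int)
    for src, _, dst, _, _, size in packets:
        totals[src] += size
        totals[dst] += size
    return dict(totals)


def suspected_scanners(packets, min_ports=20):
    """Sources that touch at least min_ports distinct service ports on one
    target; a plain port-sweep signature a defender would review."""
    ports = defaultdict(set)
    for src, sport, dst, dport, proto, _ in packets:
        ports[(src, dst)].add((proto, service_port(sport, dport)))
    return sorted({src for (src, _), seen in ports.items() if len(seen) >= min_ports})
```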
HP is to launch a penetration-testing service for businesses in October, but has denied reports that it will unleash worms on its customers.
The company said on Tuesday it would use the same techniques as hackers to gain access to its customers' machines. However, the exploit code it will use will be controlled and will not propagate itself, HP said.
"We use hacking techniques to gain access to the system, but once we have control we make the system safe," said Richard Brown, threat management department manager, HP Labs. "We don't unleash a worm — we don't use worm-propagation techniques," Brown told ZDNet UK.
Spam is again on the rise, led by a flood of junk images that spammers have crafted over the past few months to trick e-mail filters, according to security vendors.
Called "image-based" spam, these junk images typically do not contain any text, making it harder for filters that look for known URLs or suspicious words to block them.
The purpose of this introductory article is to take a basic look at the journey of a packet across the Internet, from packet creation to switches, routers, NAT, and the packet's traverse across the Internet. This topic is recommended for those who are new to the networking and security field and may not have a basic understanding of the underlying process.
Previous articles by this author have looked at the importance of two key areas of computer security for new users: programming and networking. While they are different disciplines, both networking and programming should largely be viewed as complementary. If it were not for the early programming of networking protocols there would be no network. That said, does one have to be a programmer in order to fully grasp networking concepts and theory at a low level? In many cases, you do not. However, a reader's natural curiosity will likely lead him toward programming at some point, in order to further experiment with various protocols and networking theory.
I've noticed recently that more and more of my clients and friends are having drive failures.
Now I don't know if it's the recent heat waves, global warming, or the fact that most of the drives that are in play right now were purchased quite some time ago and have just run their spindles out, but at least once a week for the past two months I've heard about a full-on drive failure or seen a drive showing the signs of impending doom.
Since we're at the halfway mark for the year I'm suggesting that we all take a look at our backup solution and make sure that the whole end to end backup process is working.
When you need a new network border appliance you owe it to yourself to give serious consideration to the do-it-yourself option. You'll save a lot of money and have complete control, which are always good things when it comes to your network security. There is no shortage of DIY choices in the Free/Open Source software world; today we'll take a look at Pyramid Linux on small form-factor hardware.
Pyramid Linux is designed for embedded wireless devices, but it lends itself quite nicely to ordinary wired networking as well. Based on Ubuntu Breezy, it weighs in under 64 MB. It installs read-only, making it perfect for Compact Flash devices because you don't want unnecessary writes on CF cards.
When you type in a hostname like www.example.com, your computer's resolver looks in its local cache and uses the information found there, then it sends the query to a name server that it has defined. That DNS server is then responsible for resolving the name and sending the response to your computer. If the DNS server doesn't have the name in the local cache, then it starts at one of the root servers and works its way down to a so-called authoritative name server for that host name. Pretty straightforward -- and, as a distributed database, the DNS (I use "the DNS" to mean "the distributed name service" in general, not a specific DNS server) is pretty effective. But as security wonks, we care about the veracity of the data, and as DNS is deployed today, we can't even begin to verify DNS data.
ATMs Linked to IP Networks Vulnerable to Threats, security firm says
2nd, July, 2006
A continuing trend by banks to take automated teller machines off proprietary networks and put them on the banks’ own TCP/IP networks is introducing new vulnerabilities in the ATM transaction environment.
The outing of a simple crash bug has caused public soul-searching in an industry that has historically been closed-mouthed about its vulnerabilities.
"The guys who are setting up these systems are not security professionals. And many of the systems that are running SCADA applications were not designed to be secure -- it's a hacker's playground."
Jonathan Pollet, vice president and founder, PlantData Technologies, a division of Verano
Some companies are taking drastic action - including supergluing computer connections - in a bid to stop data theft.
A rise in the level of corporate data theft has spurred some companies to take measures to stop rogue employees sneaking corporate data out of the workplace on memory sticks, iPods and mobile phones, The Australian Financial Review reported.
As more people turn to Web applications for everyday tasks like e-mail, friendship and payments, cyber criminals are following them in search of bank account details and other valuable data, security researchers said.
Users of Yahoo's e-mail service, Google, Orkut social networking site and eBay's PayPal online payment service were among the targets of attacks in recent weeks. All three companies have acknowledged and plugged the security holes.
Linux Australia's battle against proposed copyright laws had the Attorney General's Department a tad confused yesterday.
The open source group issued an open letter to the Attorney General Philip Ruddock attacking anti-circumvention laws.
But when contacted by Computerworld the Attorney General's office was yet to receive the letter.
Linux Australia had sent the letter by post on Monday and it hadn't arrived late yesterday.
However, the Attorney General's media spokesperson said the department was certainly aware of the open source industry's views.
Sophos: because of malware home users should switch to Macs
5th, July, 2006
Sophos has published new research into the past six months of cyber crime. The Sophos Security Threat Management Report Update reveals that while there has been a vast drop in new viruses and worms, this has been over-compensated by increases in other types of malware, as cyber criminals turn their attention to stealing information and money.
You want to pay up your credit card account immediately, as you just remembered that today is the due date. After getting on to your bank’s website by carefully typing in the URL, you put in your account number and password, go to the credit card payment section and perform the transaction. Satisfied with completing a task in time, you move onto other chores, till you find out that the website you visited and punched in confidential financial information was in fact a fake one!
http://www.linuxsecurity.com/content/view/123455
It's the Economy, Stupid
6th, July, 2006
I'm sitting in a conference room at Cambridge University, trying to simultaneously finish this article for Wired News and pay attention to the presenter onstage. I'm in this awkward situation because 1) this article is due tomorrow, and 2) I'm attending the fifth Workshop on the Economics of Information Security, or WEIS: to my mind, the most interesting computer security conference of the year. The idea that economics has anything to do with computer security is relatively new. Ross Anderson and I seem to have stumbled upon the idea independently. He, in his brilliant article from 2001, "Why Information Security Is Hard -- An Economic Perspective" (.pdf), and me in various essays and presentations from that same period.
Spammers are profiting from share manipulation by coaxing victims into investing in junk bonds.
The spammers purchase cheap shares (which artificially raises the stock price) and sell them off as victim investment raises their value further.
If you build security in from the get-go, will the malware still come? Of course. But proponents of secure software coding say attacks and exploits won't be as widespread or prevalent if developers build security into their operating systems, applications, and network device software from the ground up. Applications are increasingly becoming the targets of attacks and often represent the weakest link in the security chain. It gets dicier when these apps are as prevalent as systems management agent software, for instance, which Matasano Security's recent research has shown to be a security nightmare. (See Demons Lurk in Management Software.)
Security researchers at software maker MessageLabs contend that malware writers, hackers and other cyber-criminals are combining multiple forms of IT threats in an attempt to amplify their efforts.
CA has announced a security survey of 642 large North American organisations which shows that more than 84% experienced a security incident over the past 12 months, and that the number of breaches continues to rise.
With the National Security Agency (NSA) monitoring our phone calls, now might be a good time to think seriously about the security of our email as well. In particular, you might want to think about encrypting your email, and about whether it's safe in the hands of third-party providers like Yahoo!, Google, and Microsoft.
In March 1990, when few people had even heard of the internet, U.S. Secret Service agents raided the Texas offices of a small board-game maker, seizing computer equipment and reading customers' e-mail stored on one machine. A group of online pioneers already worried about how the nation's laws were being applied to new technologies became even more fearful and decided to intervene.
And thus the Electronic Frontier Foundation was born -- 16 years ago this Monday -- taking on the Secret Service as its first case, one the EFF ultimately won when a judge agreed that the government had no right to read the e-mails or keep the equipment.
Note: free registration required to access this page
By the time of Shiva Brent Sharma's third arrest for identity theft, at the age of 20, he had taken in well over $150,000 in cash and merchandise in his brief career. After a certain point, investigators stopped counting.
Fears about new Radio Frequency Identification (RFID) technology have prompted the EU to open a public consultation process.
The commission has been holding discussions with government agencies and the private sector since March based on general themes of standardising RFID frequencies and formats across Europe, but now the emphasis has changed slightly to inform citizens on how the technology can improve quality of life without encroaching on individual privacy issues. With this in mind, the commission has initiated an online public consultation on its 'Your Voice in Europe' website.
Concerns About Fraud Potential Continue to Plague Users of Electronic Voting Machines
4th, July, 2006
Electronic voting machines will be vulnerable to fraud this election season unless countermeasures are taken, according to a report issued last week by the New York University School of Law.
E-voting devices, such as touch-screen or optical scan systems, are becoming more prevalent nationwide, and most of them are vulnerable to external attack, according to the report compiled by the school's Brennan Center for Justice.
Hacker attacks hitting Pentagon: But NSA's methods for safeguarding data are growing obsolete
3rd, July, 2006
(Baltimore Sun, via Thomson Dialog NewsEdge) Jul. 2 -- WASHINGTON -- The number of reported attempts to penetrate Pentagon computer networks rose sharply in the past decade, from fewer than 800 in 1996 to more than 160,000 last year - thousands of them successful. At the same time, the nation's ability to safeguard sensitive data in those and other government computer systems is becoming obsolete as efforts to make improvements have faltered and stalled.
It's a start. On June 23, the Office of Management and Budget announced that federal agencies have 45 days to put new data-protection measures in place. The new requirements (technically, they're "recommendations," but the OMB appears serious about this anyway) include encryption for all sensitive data on mobile devices, logging of all extracts from databases containing sensitive information and verification that the downloaded sensitive data is deleted after 90 days.
The Bush Administration is giving federal civilian agencies just 45 days to comply with new recommendations for laptop encryption and two-factor authentication.
Hong Kong is readying its first anti-spam laws, promising fines and long prison terms for serious offenders. The Chinese territory currently has no laws specifically outlawing junk email, and recent surveys looking at the sources of spam have included Hong Kong and China among the worst in the world.
In 2002, Gary McKinnon was arrested by the UK's national high-tech crime unit, after being accused of hacking into NASA and the US military computer networks. He says he spent two years looking for photographic evidence of alien spacecraft and advanced power technology. America now wants to put him on trial, and if tried there he could face 60 years behind bars.
http://www.linuxsecurity.com/content/view/123439
Cross Site Scripting Vulnerability in Google
6th, July, 2006
Google is vulnerable to cross site scripting. While surfing around the personalization section of Google I ran across the RSS feed addition tool which is vulnerable to XSS. The employees at Google were aware of XSS as they protected against it as an error condition, however if you input a valid URL (like my RSS feed) it will return with a JavaScript function containing the URL.
Reid agrees British hacker can be deported for US trial
9th, July, 2006
A Briton accused of hacking into the Pentagon's computers is to be extradited to the US, the Home Office has confirmed. Gary McKinnon, from north London, stands accused of what American prosecutors call the "biggest military hack of all time", and potentially faces a sentence of 70 years if found guilty.
The rapid growth of wireless, remote and mobile computing is creating a significant increase in the risks that organisations face. All the indications are that this growth will continue, and indeed accelerate. It is clearly time to review what actions are required to manage access risks from these forms of computing. Fortunately, there are some quick fixes that are available.
This post should enable anyone to get Linux up and running and crack a WEP key. It took me about 2 days and myriad tutorials to finally get this to work, and now that I have I feel that I should share it with everyone. I am by no means a Linux expert, but this works regardless. All you need is an old laptop with a wireless card and a copy of Ubuntu Linux, currently one of the most popular and easily installed distributions of Linux. If you haven't already bought a wireless card, you should select one from this list to save yourself some trouble.
Wardriving is fun. Going around the neighborhood and mapping all the wireless networks may be nothing more than a geeky hobby but it can sure teach you a lot. And viewing the results in Google Earth is icing on the cake. I've used NetStumbler on Windows and this works great but since my computers at home are now nearly Microsoft-free, I had to relearn the process on Linux. It breaks down into a few easy steps:
This is the main web site of several proof-of-concept tools using IEEE 802.11 raw injection. These tools are provided as-is and thus cannot be considered as a complete and functional tool set.
These programs are basic proof-of-concept code, so please, do not blame me for ugly coding style! They were coded for testing wireless IDS stuff but also for fun!
Wireless security firm Network Chemistry recently released a cross-platform, free software security tool called RogueScanner in conjunction with its wireless network protection package RFprotect. RogueScanner, licensed under the GPL and the latest of three free software security modules available from Network Chemistry, allows you to monitor your network for rogue wireless devices. Release 1.0 comes in both Windows and Linux versions.