Protect your home and business networks with the free, community version of
EnGarde Secure Linux. Don't rely only on a firewall to protect your network,
because firewalls can be bypassed. EnGarde Secure Linux is a security-focused
Linux distribution made to protect your users and their data.

Outsourcing Community Shaken
17th, July, 2006
The big fear of offshore outsourcing customers has become a reality: a major bombing attack in an outsourcing hub.
http://www.linuxsecurity.com/content/view/123599

Improvements to LinuxSecurity.com
18th, July, 2006
The Linuxsecurity team has been busy lately enhancing the planet's premier Open Source security site. The most conspicuous improvement is our new "ShoutBox" that lets visitors exchange their views on security and other matters in real time, so give us a "shout" and let us hear what you think.
http://www.linuxsecurity.com/content/view/123639

Crypto Tutorial Overview
20th, July, 2006
This page contains my godzilla crypto tutorial, totalling 509 slides in 8 parts, of which the first 7 are the tutorial itself and the 8th is extra material which covers crypto politics. Part 8 isn't officially part of the technical tutorial itself. The tutorial is done at a reasonably high level, there are about two dozen books which cover things like DES encryption done at the bit-flipping level so I haven't bothered going down to this level. Instead I cover encryption protocols, weaknesses, applications, and other crypto security-related information. Since the slides are accompanying material for a proper tutorial, there's a lot of extra context which isn't available just by reading the slides. Bear in mind that some of the claims and comments on the slides need to be taken in the context of the full tutorial. Accompanying the slides are about 150 images, unfortunately I can't make these available for copyright reasons.
http://www.linuxsecurity.com/content/view/123672

Continuous data protection: Increasing backup frequency
20th, July, 2006
Backup and recovery operations are the focus of business continuity and data protection plans and often the main source of anxiety for IT departments. Few businesses are fully satisfied with their backup and recovery solutions. Not only must data be protected from complete site failures, such as those resulting from natural disasters, data must also be protected from corruption or data loss, such as that resulting from a computer virus or human error.
http://www.linuxsecurity.com/content/view/123675

The Devil’s Security Dictionary 2.0
19th, July, 2006
Access control (n.) In physical security, the portion of the budget dedicated to replacing lost plastic swipe cards. Active X (n.) A technology for making Web vulnerabilities more engaging and fun. Black hat (n.) A bad guy doing bad things with software. Blog (n.) A diary desired by no one and available to everyone.
http://www.linuxsecurity.com/content/view/123646

Security Certifications
21st, July, 2006
I've long been hostile to certifications -- I've met too many bad security professionals with certifications and know many excellent security professionals without certifications. But, I've come to believe that, while certifications aren't perfect, they're a decent way for a security professional to learn some of the things he's going to know, and a potential employer to assess whether a job candidate has the security expertise he's going to need to k
http://www.linuxsecurity.com/content/view/123679

The insecure pleasures of wi-fi
22nd, July, 2006
Today I was travelling in the Netherlands by train. One of the great things is that major stations have their own wi-fi access. When we stopped at a station, as usual I wanted to check my emails while waiting for the train to move on. Once I established a connection with the access point and opened my web browser to log on I immediately noticed something suspicious. Instead of getting an HTTPS site I was being directed to an HTTP site.
http://www.linuxsecurity.com/content/view/123693

iptables: The Linux Firewall Administration Program
20th, July, 2006
"Packet-Filtering Concepts," covers the background ideas and concepts behind a packet-filtering firewall. Each built-in rule chain has its own default policy. Each rule can apply not only to an individual chain, but also to a specific network interface, message protocol type (such as TCP, UDP, or ICMP), and service port or ICMP message type number. Individual acceptance, denial, and rejection rules are defined for the INPUT chain and the OUTPUT chain, as well as for the FORWARD chain, which you'll learn about at the end of this chapter and in Chapter 6, "Packet Forwarding." The next chapter pulls those ideas together to demonstrate how to build a simple, single-system, custom-designed firewall for your site.
http://www.linuxsecurity.com/content/view/123664

Network Security: Protecting the Patient's Electronic Medical Data in the Health Care Organization
20th, July, 2006
Today there is a growing concern for the security of confidential electronic patient health information in the health care organization. The health care network administrator is usually responsible for implementing information security in the health care organization. The problems faced by the health care organization are the following: third party access to confidential electronic medical records, limited IT budgets and resources, noncompliance and the Health Insurance Portability and Accountability Act, security attacks, resting databases in clear text, attainable security policies and educating users on the confidentiality and the security of electronic patient health information. Third party access is a concern because only physicians were responsible for managing the patient’s electronic health information.
http://www.linuxsecurity.com/content/view/123673

Intrusion Detection Systems in Hospitals: What, Why, and Where
20th, July, 2006
As information systems in hospitals continue to advance and evolve, so do the threats to those systems. In today’s healthcare environment, Patient Health Information (PHI) is no more than a few clicks away. The ease of access helps healthcare providers be more efficient and provide better patient care. This same access introduces risks that must be addressed to ensure that this information is protected. Not only is this protection of PHI the right thing to do, legislation such as the Health Insurance Portability and Accountability Act (HIPAA) makes it mandatory.
http://www.linuxsecurity.com/content/view/123674

Open Source encryption module loses FIPS certification
18th, July, 2006
The National Institute of Standards and Technology has revoked certification of the open-source encryption tool OpenSSL under the Federal Information Processing Standard. OpenSSL in January became one of the first open-source software products to be validated under NIST’s Computer Module Validation Program for FIPS-140-2. The certificate apparently was suspended in June when questions were raised about the validated module’s interaction with outside software elements.
http://www.linuxsecurity.com/content/view/123626

Black Hat 2006 set to expose security flaws
20th, July, 2006
This month’s Black Hat USA 2006 conference will again expose security vulnerabilities in some of the world’s biggest network and IT suppliers’ products. Serious flaws are set to be demonstrated in various technologies by security researchers at the Las Vegas hacking gathering.
http://www.linuxsecurity.com/content/view/123676

OSDL to Host LinuxWorld Event Devoted to Healthcare IT
23rd, July, 2006
Open Source Development Labs (OSDL) is planning to host the first-ever Healthcare Day at LinuxWorld San Francisco on August 15, the Beaverton, Ore.-based firm announced this week.
http://www.linuxsecurity.com/content/view/123685

How to restore a hacked Linux server
18th, July, 2006
Every sysadmin will try his best to secure the system/s he is managing. Hopefully you never had to restore your own system from a compromise and you will not have to do this in the future. Working on several projects to restore a compromised Linux system for various clients, I have developed a set of rules that others might find useful in similar situations. The type of hacks encountered can be very varied and you might see very different ones than the one I will present, or I have seen live, but even so, these rules might be used as a starting point to develop your own recovery plan.
http://www.linuxsecurity.com/content/view/123622

OpenDNS Wants To Watch The Web For You
19th, July, 2006
OpenDNS is a new startup that wants users to redirect web traffic through its DNS nameservers, where an unusually large cache and an aggregated list of sites deemed guilty of phishing will make our web surfing faster and safer. It’s free and as simple as changing your DNS address from your ISP's to OpenDNS, but a number of serious concerns about the service have already been raised. The San Francisco company is headed by CEO David Ulevitch and former CNet head of product development and business operations John Roberts. It’s been funded by CNET founder Halsey Minor’s fund Minor Ventures. The revenue model is advertising on search pages offered when a misspelling or otherwise unrecognizable URL is entered by users. The company says it will offer additional services on top of its enhanced DNS service as well - suspicious users would probably like to know what those will be before engaging with OpenDNS.
http://www.linuxsecurity.com/content/view/123651

Asterisk VoIP platform open to DDoS attacks, security firm says
18th, July, 2006
A flaw in the Asterisk IP PBX platform reported last week could result in a denial-of-service attack that would disrupt a business' VoIP or VoIP-to-PSTN gateway service.
http://www.linuxsecurity.com/content/view/123627

Networking sites could help hackers
16th, July, 2006
Professional networking sites are unwittingly providing hackers with the possible means to carry out sophisticated social engineering scams, a UK security consultancy warns.
http://www.linuxsecurity.com/content/view/123583

Spim, Splog on the rise
15th, July, 2006
Spammers are increasingly turning to mobile text-messaging, Web-based instant messaging, blogs and social-networking communities such as MySpace.com, according to mail services company MessageLabs.
http://www.linuxsecurity.com/content/view/123578

Daily flaws ratchet up disclosure debate
15th, July, 2006
As the creator of the Metasploit Project, an open-source tool for automating the exploitation of vulnerabilities, Moore has had his share of contentious debates with other security professionals. However, his latest endeavor--releasing a browser bug every day during the month of July--has raised hackles on both sides of the security equation, among the black-hat as well as white-hat researchers.
http://www.linuxsecurity.com/content/view/123580

CSI/FBI Computer Crime and Security Survey
17th, July, 2006
The Computer Crime and Security Survey is conducted by the Computer Security Institute with the participation of the San Francisco Federal Bureau of Investigation’s Computer Intrusion Squad. The survey is now in its 11th year and is, we believe, the longest-running continuous survey in the information security field. This year’s survey results are based on the responses of 616 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities.
http://www.linuxsecurity.com/content/view/123596

Preventing Laptop Theft
17th, July, 2006
What's worse than losing a $2,500 laptop you just bought a couple of months back? It's losing the data inside, which is usually more valuable than the hardware itself. It's not uncommon for laptop users to consider the contents of their computers as priceless, regardless of what these are. For business users, these can be important company documents or sensitive, confidential communications. For individuals, these can be personal files like family pictures or other such multimedia documents that are likewise valuable and irreplaceable.
http://www.linuxsecurity.com/content/view/123597

Phishers Edge past banks' strong authentication
17th, July, 2006
Scammers have found a way around new token-based authentication systems that have been adopted by some banks.
http://www.linuxsecurity.com/content/view/123600

AJAX is the future of Web app development
18th, July, 2006
... But security, reliability and performance are Achilles' heels. As for security, AJAX Web applications are as insecure as traditional Web applications. Both are far too trusting of user inputs. SQL injection or other data-manipulation attacks are just as possible in poorly coded AJAX applications as traditional Web applications, and maybe more so because there is a greater reliance on client activity. This presents new opportunities to poison payloads that get executed client side. Inspecting returned AJAX payloads for correct format and checksums to reduce tampering would seem appropriate, but they are not commonplace yet.
http://www.linuxsecurity.com/content/view/123623

Five Steps to an Effective Strategic Security Plan
19th, July, 2006
For instance, one of the president's priorities was attracting top-notch professors. Gatewood made sure that his department's initiatives echoed that same goal. "If you step forward and say, ‘I need $50,000 for a firewall to protect the research cluster,' that's not enough," Gatewood says. Instead, he positioned his objectives in terms of how they would meet the university's overarching strategy and goals. "I would say, How can you attract a professor to do advanced research if the technology that he or she is going to be using is not trusted?" he says. Sometimes a semantic change can make all the difference.
http://www.linuxsecurity.com/content/view/123647

SQL injection attacks against banks on the rise
19th, July, 2006
SecureWorks announced that it has seen a dramatic increase in the number of hacker attacks attempted against its banking, credit union and utility clients in the past three months using SQL Injection. "From January through March, we blocked anywhere from 100 to 200 SQL Injection attacks per day," said SecureWorks CTO Jon Ramsey. "As of April, we have seen that number jump from 1,000 to 4,000 to 8,000 per day," said Ramsey.
http://www.linuxsecurity.com/content/view/123648

Researcher posts Google-based malware search tool
19th, July, 2006
A well-known security researcher has released code that can be used to mine Google Inc.'s database for malicious software.
http://www.linuxsecurity.com/content/view/123649

Seven ways to succeed in your first year as a network security officer
19th, July, 2006
Alstom Transport is not exactly a household name. But its products are well-known, particularly among travelers. They include the French TGV high-speed trains and the Euro Star high-speed train that travels the Chunnel under the English Channel, new high-speed Amtrak passenger trains in California and new metro trains in Singapore.
http://www.linuxsecurity.com/content/view/123662

Why Security is Good Value
20th, July, 2006
It would seem that security remains too intangible for some businesses to give it the attention it deserves. Perhaps it is only those organisations that have suffered major losses or reputational damage on the back of security lapses which are prepared to invest adequately to head off future problems.
Smaller businesses, in particular, are having to face up to the fact that their under-investment in security may one day come at a price. The DTI Security Breaches Survey highlighted the fact that small businesses are being disproportionately hit by computer crime, which is costing UK businesses an estimated 10bn a year – an increase of 50% in the past two years.
http://www.linuxsecurity.com/content/view/123665

Security Validation of OpenSSL Encryption Tool uncertain
20th, July, 2006
A joint U.S. and Canadian organization that certifies encryption tools for use by federal government agencies has suspended its validation of OpenSSL cryptographic technology for the second time in less than six months.
http://www.linuxsecurity.com/content/view/123666

Spammers Lead Pump and Dump campaign
22nd, July, 2006
Spammers are profiting from share manipulation by coaxing victims into investing in junk bonds. The spammers purchase cheap shares (which artificially raises the stock price) and sell them off as victim investment raises their value further.
http://www.linuxsecurity.com/content/view/123684

Keep your iPod at home, Canadian firms tell staff
21st, July, 2006
In an effort to prevent data theft, several Canadian firms have banned employees from taking mp3 players and flash drives to work.
In a countrywide survey of 259 companies conducted by Ipsos-Reid Corp., as many as 30 per cent of the respondents said they have prohibited staff from bringing mp3 players such as Apple Computer Inc.'s iPod to work.
http://www.linuxsecurity.com/content/view/123686

Why Popular Antivirus Apps 'Do Not Work'
21st, July, 2006
Antivirus applications from Symantec, McAfee or Trend Micro -- the three leading AV vendors in 2005 -- are far less likely to detect new viruses and Trojans than the least popular brands. This has nothing to do with the quality of the software or how long it takes the respective firms to update their clients with signatures and other malware countermeasures.
http://www.linuxsecurity.com/content/view/123688

Password size does matter
23rd, July, 2006
I was recently contacted by the company that manages my stock to open up a new Web site log-on account. During new account creation, it asked me to input a secure password. So, I put in my normal password that is 21 characters long followed by 10 characters that are unique per Web site, but only uses lowercase letters. The length of the base password prevents basic password cracking and guessing, while the additional characters make the overall password (or pass phrase) unique so that no two resources ever have the same password.
http://www.linuxsecurity.com/content/view/123696

'Vishing' Attacks Use VOIP
18th, July, 2006
VOIP's anonymous nature may be convenient, but it can also be used against you. Secure Computing today warned of a new phishing exploit on the loose -- dubbed "vishing" -- that uses voice-over-IP and good old-fashioned social engineering.
http://www.linuxsecurity.com/content/view/123625

Identity is dead. Get over it.
21st, July, 2006
Some years ago, Scott McNealy quipped that electronic privacy is dead and that we need to get over it.[1] Like many good one-liners, the assertion is an over-simplification but has enough piercing truth to it, to get heads nodding.
http://www.linuxsecurity.com/content/view/123683

Judge nixes attempts to stop AT&T spy suit
21st, July, 2006
A federal district court judge refused a motion by the U.S. government to stop a lawsuit against AT&T for its alleged cooperation with the controversial domestic surveillance program run by the National Security Agency.
http://www.linuxsecurity.com/content/view/123691

FBI warns 'your corporate data faces theft risk'
21st, July, 2006
One of the FBI's leading agents in the field of computer crime has warned that industrial espionage and targeted data theft are on the increase.
http://www.linuxsecurity.com/content/view/123692

CSI survey: Data breaches still being swept under the rug
16th, July, 2006
On the surface, the results of the 11th annual CSI/FBI Computer Crime and Security Survey are positive, with fewer companies reporting financial loss from data breaches compared to last year. But a majority of companies are still reluctant to report security breaches to law enforcement, suggesting that the survey isn't capturing the full extent of the problem.
http://www.linuxsecurity.com/content/view/123581

IRS: Lack of fraud detection system cost nearly $300M
18th, July, 2006
The lack of an automated refund fraud detection system that would have allowed the U.S. Internal Revenue System to screen 2006 tax returns could cost the agency between $200 million and $300 million, the IRS told the U.S. Senate Finance Committee last week.
http://www.linuxsecurity.com/content/view/123636

Breach Rules Toughened For Federal Agencies
19th, July, 2006
The White House's Office of Management and Budget instructed U.S. federal agencies to alert the US-CERT within one hour to any breach involving personally identifiable information, even if the possibility of a breach is only suspected. The memo (PDF), dated last week, is the fourth letter regarding information-security policy sent to government agencies in the past two months. Another memo (PDF), dated Monday, required that government agencies report any computer systems missing from their inventory and outline the results of an investigation into handling of personally identifiable information within their agency. An earlier memo mandated that agencies use encryption to protect sensitive data on laptops.
http://www.linuxsecurity.com/content/view/123652

If an ID number is stolen, why not get a new one?
22nd, July, 2006
Note: This article originally appeared in the New York Times
If credit card companies can reassign new numbers, so should the government
http://www.linuxsecurity.com/content/view/123690

Gartner slams government security guidelines
22nd, July, 2006
Analyst firm Gartner has dismissed a tightening of security rules for US government agencies as a mere "public relations response" to recent high-profile incidents.
http://www.linuxsecurity.com/content/view/123695

Citibank Phish Spoofs 2-Factor Authentication
18th, July, 2006
Security experts have long touted the need for financial Web sites to move beyond mere passwords and implement so-called "two-factor authentication" -- the second factor being something the user has in their physical possession like an access card -- as the answer to protecting customers from phishing attacks that use phony e-mails and bogus Web sites to trick users into forking over their personal and financial data.
http://www.linuxsecurity.com/content/view/123533

Illinois University hit with security breach
16th, July, 2006
Western Illinois University is notifying more than 180,000 people that their personal data is at risk after hackers entered its networks.
http://www.linuxsecurity.com/content/view/123579

Hackers learn from open source
17th, July, 2006
Hackers are taking a page from the open-source playbook, using the same techniques that made Linux and Apache successes to improve their malicious software, according to McAfee Inc.
http://www.linuxsecurity.com/content/view/123598

D-Link Routers UPnP M-SEARCH Request Buffer Overflow
17th, July, 2006
eEye Digital Security has reported a vulnerability in various D-Link routers, which can be exploited by malicious people to compromise a vulnerable network device.
http://www.linuxsecurity.com/content/view/123601

Worm lurks behind MySpace profiles
19th, July, 2006
A worm is targeting MySpace users, compromising their "About me" pages and infecting visitors to them, Symantec has warned.
http://www.linuxsecurity.com/content/view/123650

Create a secure Linux-based wireless access point
19th, July, 2006
Wi-Fi Protected Access version 2 (WPA2) is becoming the de facto standard for securing wireless networks, and a mandatory feature for all new Wi-Fi products certified by the Wi-Fi Alliance. We all know the security weaknesses of its predecessor, WEP; this time they got it right. Here's how to implement the WPA2 protocol on a Linux host and create a secure wireless access point (WAP) for your network.
http://www.linuxsecurity.com/content/view/123663

Cool and Illegal Wireless Hotspot Hacks
21st, July, 2006
So, why write an article called "Cool and Illegal Wireless Hacks" that details how to perform hotspot hacks? Some would say it is irresponsible and enables those with ill intent to hack unsuspecting victims' machines. It really depends which way you look at it. Would you rather be left in the dark on what types of attacks can occur, how they are performed and not know how to protect yourself against them? Doing so would not make the threats go away; in part, you would simply be denying that they exist. Surely, it is safer to be open and honest about the threats, understand how they can occur then become educated on and implement the appropriate countermeasures. In large part, that is why my articles always detail not only how to perform the hacks, but really focus on how to protect against them. The purpose is not to teach people how to hack, but rather to educate on how to prevent systems from being exploited.
http://www.linuxsecurity.com/content/view/123687