EnGarde Secure Community 3.0.8 Released
- Guardian Digital is happy to announce the release of EnGarde Secure Community
3.0.8 (Version 3.0, Release 8). This release includes several bug fixes and
feature enhancements to the Guardian Digital WebTool, several updated packages,
and several new packages available for installation.
pgp Key Signing Observations: Overlooked Social and Technical Considerations
- While there are several sources of technical information on using pgp in
general, and key signing in particular, this article emphasizes social aspects
of key signing that are too often ignored, misleading or incorrect in the
technical literature. There are also technical issues pointed out where I
believe other documentation to be lacking. It is important to acknowledge
and address social aspects in a system such as pgp, because the weakest link
in the system is the human that is using it. The algorithms, protocols and
applications used as part of a pgp system are relatively difficult to compromise
or 'break', but the human user can often be easily fooled. Since the human
is the weak link in this chain, attention must be paid to actions and decisions
of that human; users must be aware of the pitfalls and know how to avoid them.
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Protect your home and business networks with the free, community version of
EnGarde Secure Linux. Don't rely only on a firewall to protect your network,
because firewalls can be bypassed. EnGarde Secure Linux is a security-focused
Linux distribution made to protect your users and their data.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline.
EnGarde Secure Community 3.0.8 Released
1st, August, 2006
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.8 (Version 3.0, Release 8). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool, several updated packages, and several new packages available for installation.
LogError writes: A virtual ID card designed to improve children's net safety has been launched in the UK, US, Canada and Australia. Parents and children can apply for the card using credit card details and a form countersigned by a professional who knows the child concerned. Tom Newton from SmoothWall said: “The new child online safety card has been over-hyped and could end up causing more harm than good. Of course, it is a worthy idea and will certainly be a blueprint for future similar schemes, but this initial effort has some serious flaws.”
The LinuxSecurity.com team has been working hard to bring you a new version of the site. Many improvements have been made for the upcoming version, which is anticipated to be implemented on August 14th, 2006.
Sorting data and investigative evidence has traditionally been documented on paper. However, the latest trend of computer technology is where damage or manipulation of significant evidence could be jeopardized. Important files and data, which should be able to be easily accessed, can suddenly vanish or be mysteriously doctored by someone. Investigators strive to uncover what happened, only to discover there is not a trace. This discovery could create a nightmare for investigators, accountants, auditors, or legal professionals needing the evidence in court. Enter the world of computer forensics.
Will You Pay Google's Bandwidth Bills For The Rest Of This Year?
1st, August, 2006
We've already covered how much dishonesty there is in the network neutrality debate -- often involving editorial pieces in major newspapers penned by lobbyists. In almost every case, those editorials aren't just misleading, they include flat out lies.
In America's old West of the late 1800s, there were no laws. Folks did what they could with a gun and a rope, but in a territory so large, with so few sheriffs, there just was no good way to enforce them. It was a great place to spin a yarn, but I wouldn't want to live there. Because without laws and policies, things would be, well, a lot like today's wireless and portable storage environments. Yesterday, we published the results of our reader survey on mobile and portable security, and the results were both surprising and exasperating. (See No Wires & No Policies.) One of the key findings is that nearly half of enterprises still don't have a security policy for using portable storage devices. About one third of readers don't have a clearly-stated policy for the use of mobile and wireless devices.
Computer researchers in Europe are developing a new prototype architecture for halting distributed denial-of-service (DDOS) attacks, where a barrage of traffic is directed at a Web site or server to shut it down. The Diadem Firewall deploys both hardware and software on the edge of a provider's network rather than within, said Georg Carle, chair of the computing and Internet department at the University of Tübingen in Germany.
EU funding of 2 million Euros has been announced for a major new three-year project to develop a re-configurable photonic 'firewall on a chip'. Called WISDOM (WIrespeed Security Domains Using Optical Monitoring), the new system will plug a major gap in the global data network security armoury - the lack of tools to implement security checks and algorithms directly at high optical data communications rates.
The report, compiled from Sophos's global network of monitoring stations, reveals that while the Netsky-P worm, first seen in March 2004, remains the most widespread piece of malware travelling via email, the actual proportion of infected email has dropped to a low of just one in 222 (0.45 percent). This compares to the first six months of 2006 when, on average, one in 91 emails (1.1 percent) carried malicious attachments.
Researchers at the University of Maryland have developed a digital fingerprinting technology that they say can better protect multimedia content from unauthorized copying and distribution.
Easy, fast and convenient: these are attributes commonly associated with mobile computing. All too frequently, however, they disguise the many dangers created by this common practice. Performing seemingly simple tasks from a remote device, such as checking email, working on business documents, or even discussing sensitive issues via VOIP (Voice Over Internet Protocol), can enable attackers to monitor and access everything accessed, if the mobile computing device and the remote systems are not properly secured. This can enable almost anyone: business competitors, restrictive governments, hackers, and others, to build a profile of the user's activities, and possibly even their identities. Alternatively, attackers can perform DOS (Denial Of Service) attacks, in an effort to disconnect legitimate users from working remotely altogether.
Black Hat: Hit spyware by punishing purveyors, experts say
3rd, August, 2006
With spyware a continuing plague for many computer users, some experts and IT workers are calling for stiffer penalties -- including jail time -- for convicted spyware purveyors.
You might just call it the Windows factor. The more widespread the technology, the higher-value target it becomes to crackers, hackers and attackers. But network and personal computing safety go beyond the operating system you're running. Even Linux and Macs have seen their share of security issues. Maybe your databases aren't up to code in order to thwart a SQL injection attack that could bypass your firewall.
Enterprise security executives need to make practices such as safe USB use and discreet handling of patient or customer data as commonplace as not accepting luggage from strangers in airports or wearing a seat belt when driving.
Honeypots are a hot topic in the security research community right now. It seems everyone is starting up their own honeypot system. Most of the papers deal with the potential gains a honeypot can give you, and the proper way to monitor a honeypot. Not very many of them deal with the honeypots themselves.
Most honeypots are deployed as just an extra box someone has lying around. They slapped an OS on it, checksummed all the files, installed an IDS, and set about waiting for the hackers to arrive. Those kinds of honeypots ignore some of the most interesting parts of what a honeypot can do. Honeypots can be used to ensnare and beguile potential hackers; entice them to give you more research information, and actively defend your production network.
Even with the renewed scrutiny being given to government IT systems in light of the recent laptop theft at the Department of Veterans Affairs, officials working with the Environmental Protection Agency say the organization has significantly improved its security operations.
Storage formats such as tape have enjoyed year upon year of being in pole position as the format of choice for secondary backup, though in recent years hard disk technologies have caught up with the aging medium. One fundamental challenge for hard disk technology is to prove its ability to provide cost effective off-site security, something of a hardship for a fixed disk technology. Unlike tape, disk technologies are traditionally not as removable and have to be handled carefully due to the drive mechanics being transported with the media. Off-site security, therefore can be a difficult, cumbersome job.
Web 2.0 is causing a splash as it stretches the boundaries of what Web sites can do. But in the rush to add features, security has become an afterthought, experts say. The buzz around the new technology echoes the '90s Internet boom--complete with pricey conferences, plenty of start-ups, and innovative companies like MySpace.com and Writely being snapped up for big bucks. And the sense of deja vu goes even further for some experts. Just as in the early days of desktop software, they say, the development momentum is all about features--and protections are being neglected.
Linux 101: Best practice techniques for security integrity auditing and recovery
1st, August, 2006
Two critical security considerations that are closely related to one another are ignored all too often: integrity auditing and recovery. This document is an overview of good security integrity auditing and recovery practices using a Linux operating system.
Too often, a system administrator will get all the basic security measures in place, set up a well-secured system, and figure his job is done unless something goes horribly and obviously wrong. It is important, though, to regularly check the systems in your area of responsibility to make sure they haven't been compromised, and to know what to do if they have. Two critical security considerations that are closely related to one another are ignored: integrity auditing and recovery. This download gives you an overview of good security integrity auditing and recovery practices using a Linux operating system.
The current state of Intrusion Detection Systems (IDS) would have to be considered fairly mature. The market for IDS and Intrusion Prevention Systems (IPS) is a large percentage of the $14 billion security software[1] industry with dozens of vendors and service providers worldwide.
One new feature of "Web 2.0", the movement to build a more responsive
Web, is the utilization of XML content feeds which use the RSS and Atom
standards. These feeds allow both users and Web sites to obtain content
headlines and body text without needing to visit the site in question,
basically providing users with a summary of that site's content. Unfortunately,
many of the applications that receive this data do not consider the security
implications of using content from third parties and unknowingly make
themselves and their attached systems susceptible to various forms of
attack.
Yahoo Inc., in partnership with Symantec Corp., launched an Internet security software suite dubbed Norton Internet Security and designed to protect online users from threats like viruses and spyware, the companies said Tuesday.
Security Company sponsors Open Source security software contest
1st, August, 2006
Hurricane Labs, an Enterprise Open Source Security Company is sponsoring an Open Source Security Software contest. Information and prizes are listed at . If you're a primary developer on a security project please check it out and submit your project.
People trying to communicate across oppressive national firewalls could be interested in ScatterChat, a secure IM (instant messaging) application developed by an international group of hackers, human rights activists, lawyers and security experts.
The recent promulgation of the Electronic Communications (EC) Act will see more and more security and storage companies banding together, says Rob Watson, head of security business development at StorTech.
Security is both easier and harder in Europe—and that's OK.
1st, August, 2006
Whenever I'm on the phone with my friends back in the States, the inevitable question comes up: "What's it like working in Europe?" It's a good question that deserves a good answer.
The primary difference is that in Europe the workers have more rights than in America. For example, American workers often have contracts that state the employer can terminate the employee at any time without having to show cause. In Europe, this would not be possible because of strong labor laws that protect the rights of workers and give them the right of appeal to labor arbitration boards. In addition, unions play a positive role helping protect workers who are involved in disputes with management.
The evolution of the Internet has seen many twists and turns. For every twist a new opportunity or risk presented itself. Security professionals seem to always be one step behind the bad guys. This point cannot be better illustrated than end point security, e.g. desktop, PDA or laptop security. Over the years little emphasis has been put on end point security, other than the mandatory antivirus package. The early security and network architects tried to deliver a centralized, one size fits all network with security included. This network typically had a router and a firewall. The firewall may or may not have been configured with multiple interfaces. The point is the firewall acted like a choke point restricting all but the permitted traffic. This was a solution that provided management with a level of comfort and security allowing them to sleep at night.
IT staff are in the unique position that if they are nosy, immoral, greedy or corrupt they can get at what they want within their company at the touch of a button. The corporate crown jewels are usually left open and unexposed to the IT guys. So how do you protect your corporate crown jewels from staff that can so easily be bribed to steal them and hand them over to a competitor?
If your VoIP phone starts ringing off the hook, it might not denote a surge in your popularity--just that someone is trying one of 13 newly released security tools.
Researchers at the Black Hat security conference here released the tools on Wednesday. The programs are meant to test the security of increasingly popular voice over Internet Protocol telephony systems, Dave Endler, director of security research at TippingPoint, said in an interview. TippingPoint is part of 3Com, which sells VoIP products.
I have been looking into metro Ethernet lately and talking with a number of Ethernet service providers about their services, and I was reminded of the confusing use of virtual private network and secure WAN pipes.
KLA-Tencor isn't taking any chances with its intellectual property -- nor that of its semiconductor clients -- slipping out the door in an email message. With a recently installed analysis appliance, the company has automated email discovery to better secure its sensitive data.
"There are reasons that there are such strong First Amendment protections on the Internet," says Marc Rotenberg, executive director of the Electronic Privacy Information Center. "People should be given wide latitude to express their opinions, even if others feel it's offensive or constitutes libel."
Let's suppose you are an employer. You have a well-written and well distributed policy on privacy in the workplace. You expressly state that employees have NO expectation of privacy in ANYTHING they do. You own the hardware, you own the software, you own the network. You reserve the right to monitor every keystroke, every website, every e-mail, every IM session, every chat discussion, and even monitor the lyrics to any song they happen to be listening to on their iPods (sounds like a fun place to work, doesn't it?). You have your employees acknowledge that you have the right to do such monitoring, and they even swear that they consent to such monitoring.
The House of Lords Science and Technology Committee is to investigate personal internet security. They are calling on members of the public with direct experience to get in touch.
Worst Ever Security Flaw in Diebold Voting Machine
31st, July, 2006
“This may be the worst security flaw we have seen in touch screen voting machines,” says Open Voting Foundation president, Alan Dechert. Upon examining the inner workings of one of the most popular paperless touch screen voting machines used in public elections in the United States, it has been determined that with the flip of a single switch inside, the machine can behave in a completely different manner compared to the tested and certified version.
The FBI's point man for Internet crime wants hackers to join the fight against international gangs of Web mobsters. Dan Larkin, unit chief of the FBI's Internet Crime Complaint Center, used the spotlight of the Black Hat security conference here to call for a new level of trust and cooperation between security researchers and law enforcement, warning that online crime is being controlled by "very sophisticated, very organized" attackers.
A lawsuit has grown out of alleged breaches in security procedures around electronic voting machines in San Diego County after a hotly contested congressional election, throwing a spotlight on the reliability of the machines themselves.
The middle-aged G-men who wear crisp suits and consort with teenage hackers sporting purple hair can make the two conferences that will converge in Las Vegas this week look like a scene from a science-fiction movie.
In fact, the gatherings are the most important in the world of computer security, drawing a "who's who" list of leaders from companies such as Microsoft Corp. and Cisco Systems Inc., government agencies including the FBI and underground groups that act as a neighborhood watch for the Internet.
The motley band of researchers, federal agents and cyberhobbyists come to learn how to fortify networks against the latest attacks, share research on new vulnerabilities and recruit people in a field where competition for talent is growing increasingly fierce.
A Student-Hacker Showdown at the Collegiate Cyber Defense Competition
3rd, August, 2006
Imagine if you just graduated with an IS degree and landed a job at a small business as their only IT staffer. You know your way around an operating system and understand some of the protocols and programs that keep data flowing, but for the most part your skills are untested in the real world. Regardless, you are the only thing separating the company's users and data from downtime. Sound like a tough situation? Oh, I forgot to mention there are four of the best hackers in the world trying to get into your digital domain and steal anything of value, including a database of 10,000 credit card numbers. This isn't something seasoned administrators would want to face, much less fresh graduates.
Exploiting a lack of security checks in browsers and Web servers, Web worms and viruses are likely to become a major threat to surfers, security researchers speaking at the Black Hat Briefings warned on Thursday.
Businesses who switch over to internet telephony systems in a bid to slash telephony costs have been warned to guard against hacking attacks. The latest VoIP security threats and countermeasures were outlined at a presentation at the Black Hat security conference in Las Vegas on Wednesday. The talk, by security experts from SecureLogix and 3Com's Tipping Point security appliance division, was accompanied by the release of 13 new security tools.
In the past, the only way to connect computers together for the purpose of sharing information and/or resources was to connect them via cables. This can be not only cumbersome to set up, but it can get messy real quick. Bluetooth provides a solution to this problem by providing a cable-free environment. According to the official Bluetooth website, www.bluetooth.com, Bluetooth wireless technology is a short-range communications technology intended to replace the cables connecting portable and/or fixed devices while maintaining high levels of security. The key features of Bluetooth technology are robustness, low power, and low cost. The Bluetooth specification defines a uniform structure for a wide range of devices to connect and communicate with each other.