LinuxSecurity.com
Linux Security Week: August 14th 2006
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas   
This week, perhaps the most interesting articles include "Means and Methods to Compromise Common Hash Algorithms," "Six steps to secure sensitive data in MySQL," and "Investigating Sophisticated Security Breaches."


CRYPTOCard Two-Factor Authentication - Are you a Linux consultant with expertise in network security? Join CRYPTOCard's Linux Consultants program and learn about how you can help your clients implement secure authentication solutions.


LinuxSecurity.com Feature Extras:

EnGarde Secure Community 3.0.8 Released - Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.8 (Version 3.0, Release 8). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool, several updated packages, and several new packages available for installation.

pgp Key Signing Observations: Overlooked Social and Technical Considerations - While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.

Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital’s multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network. Click to find out more!

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Earn an NSA recognized IA Masters Online - The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/linsec/

Security on your mind?

Protect your home and business networks with the free, community version of EnGarde Secure Linux. Don't rely only on a firewall to protect your network, because firewalls can be bypassed. EnGarde Secure Linux is a security-focused Linux distribution made to protect your users and their data.

http://www.engardelinux.org/modules/index/register.cgi

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.


  New Identity Theft and Online Fraud Techniques
  8th, August, 2006

Authors of computer viruses and threats, including phishing scams, are looking for direct financial profit from cybercrime. For this reason, they are using more innovative and diversified techniques to, above all, steal users’ identities or obtain bank details to commit fraud.

http://www.linuxsecurity.com/content/view/123992
 
  C0D3 CR4CK3D: Means and Methods to Compromise Common Hash Algorithms
  7th, August, 2006

Hashing has long been used as a means to verify data elements. Parity bits were originally used to confirm that a data transmission was received correctly and helped to detect any single-bit errors. However, parity didn’t add any value if multiple bits in the data had errors. As a result, a second trend then came about called CRC – Cyclic Redundancy Checks. These CRCs, based on polynomials, were used to detect errors in the data elements via a hash. Although this approach is more robust than parity bits, weaknesses in this algorithm also came to pass. A user could modify a file and easily sculpt the file’s contents to create the same CRC as the original file [5]. As such, we needed another way to verify our data files.

http://www.linuxsecurity.com/content/view/123981
 
  To Iraq and back: Soldier uses Linux in war and peace
  10th, August, 2006

In 2003 and 2004, Jeff Schroeder served in the Iraq war, flying a tiny remote control spy plane and servicing Unix and Linux systems on the battlefield. Schroeder learned a lot of technology in the desert, and now that his time in the Army is over, he's busy working as a Web administrator for Comair Airlines, and writing utility scripts for Ubuntu, his favorite distribution. He believes Linux is going to "take over the world."

http://www.linuxsecurity.com/content/view/124458
 
  Firewalled - IT's Double Standard
  13th, August, 2006

IT people love to complain about their end users. They tell funny stories about boneheaded employees who leave their passwords stuck to their computers. They grit their teeth when users click on email attachments from strangers. End users, they say, are too damn trusting, not to mention forgetful. Up until now, I've always felt that this righteous indignation was justified. I mean, IT people are smart about security, and they don't trust anybody, right? But this week, I wrote a story that burst my bubble.

http://www.linuxsecurity.com/content/view/124476
 
  Getting to the Root of Rootkits
  7th, August, 2006

I’ve been reading a lot about undetectable malware—“rootkits” and the like—recently. Without a doubt, these attack tools have been iteratively improving over the years. Like most such security “nasties,” however, a bit of safe computing goes a long way. Let’s explore a bit.

http://www.linuxsecurity.com/content/view/123988
 
  First portable anti-spyware for U3 smart drives
  10th, August, 2006

Log Error writes: XOFTspy Portable Anti-spyware is the first portable anti-spyware product operating directly from U3 smart drives. Built on its popular anti-spyware application XoftSpySE, the portable product is licensed for use on multiple computers and is built to protect roaming users accessing any PC they touch.

http://www.linuxsecurity.com/content/view/124457
 
  Making corporate security second nature
  5th, August, 2006

Enterprise security executives need to make practices such as safe USB use and discreet handling of patient or customer data as commonplace as not accepting luggage from strangers in airports or wearing a seat belt when driving.

http://www.linuxsecurity.com/content/view/123969
 
  What You Need to Know about VPN Technologies
  9th, August, 2006

Virtual Private Networks, or VPNs, extend the reach of local-area networks without requiring owned or leased private lines. Businesses can use VPNs to give remote and mobile users network access, connect geographically separated branches into a unified network and enable the remote use of applications that rely on internal servers.

VPNs can use one or both of two mechanisms. One is to use private circuits leased from a trusted communications provider: alone, this is called a trusted VPN. The other is to send encrypted traffic over the public Internet: alone, this is called a secure VPN. Using a secure VPN over a trusted VPN is called a hybrid VPN. Combining two kinds of secure VPN into one gateway, for instance IPsec and SSL, is also called a hybrid VPN.

http://www.linuxsecurity.com/content/view/124007
 
  Wired Network Security: Hospital Best Practices
  11th, August, 2006

With an ever increasing amount of information in hospitals transmitted electronically, it is important that security be considered in every phase of network design and maintenance. Although much emphasis has been placed on such things as wireless networks and remote access, it is imperative that the core network not be overlooked. Because the wired network is the “nervous system” of a hospital’s Information Systems, great care must be taken to properly secure it. Also, with legislation such as the Health Insurance Portability and Accountability Act (HIPAA) requiring security measures in healthcare environments, securing the network infrastructure has become mandatory to ensure compliance.

http://www.linuxsecurity.com/content/view/124471
 
  Six steps to secure sensitive data in MySQL
  7th, August, 2006

If you're using MySQL, there are some easy things you can do to secure your systems and significantly reduce the risk of unauthorised access to your sensitive data. The most valuable asset for technology-based organisations is usually the customer or product information in their databases. And so, a critical part of database administration in such organisations consists of securing these databases against outside attack and hardware/software failures.

In most cases, hardware and software failures are handled through a data backup regimen. Most databases come with built-in tools to automate the entire process, making this aspect of the job relatively painless and error-free. What's not so simple, however, is the second half of the puzzle: making sure that outside hackers can't get into the system and either steal or damage the information contained therein. And unfortunately, there usually isn't an automated way to solve this problem; rather, it requires you, the administrator, to manually put in place roadblocks and obstacles to trip up would-be hackers and to ensure that your company's data stays secure.

http://www.linuxsecurity.com/content/view/123979
 
  LinuxWorld Experts: Securing Web-based Applications On Linux
  9th, August, 2006

This is the first in a series of newsletters, where we talk with Linux experts who will be speaking at the LinuxWorld Conference and Expo, which runs Aug. 14-17 at the Moscone Convention Center in San Francisco. PHP, PERL and other languages are useful and easy to learn tools that can be used to build some pretty functional Web-based applications. They can also be the bane of a system administrator's existence, especially when slapped together and used to publish Web apps accessible to the outside world.

http://www.linuxsecurity.com/content/view/124435
 
  Precious Cargo
  10th, August, 2006

As recent lapses have shown, sending critical backup data to a storage facility isn't as simple as placing a package on a truck. Here are four points to consider when you're securing the chain of custody for your backup data. When Bank of America disclosed in February that its courier service had lost backup tapes containing data on about 1.2 million federal employees—including names and Social Security numbers—consumers, senators and even some industry peers asked how there could have been such a lapse in security. No escort for the air transport? No encryption of the tapes?

http://www.linuxsecurity.com/content/view/124445
 
  Researcher: Hacker Sophistication Outpacing Forensics
  11th, August, 2006

Attackers are using increasingly sophisticated methods to stay ahead of security incident response teams, says Kevin Mandia, security consultancy. In the never-ending cat-and-mouse game between hackers and those charged with stopping them, it's pretty clear who's winning--and it's not the cat. Speaking at the Black Hat conference in Las Vegas last week, Kevin Mandia, president of Mandiant, an Alexandria, Va.-based security consultancy, said attackers are using increasingly sophisticated methods to evade detection and make life difficult for security incident response teams.

http://www.linuxsecurity.com/content/view/124470
 
  DesktopSecure for Linux for Ubuntu 6.06 LTS available
  9th, August, 2006

Log Error writes: Following the launch of Ubuntu 6.06 LTS earlier this month, Canonical made Panda Software DesktopSecure for Linux available to all users of Ubuntu 6.06. Combining the security and manageability of Panda's latest security suite and Ubuntu's easy to use interface gives all users the opportunity to safely and easily browse, shop and interact over the web.

http://www.linuxsecurity.com/content/view/124012
 
  Technology for rescuing stolen laptops
  10th, August, 2006

... technology is available that would allow "laptop" and "security" to be spoken in the same breath without triggering gales of cynical laughter. Such systems generally depend on either Internet tracking, "kill switches," or encryption - or, more commonly, a combination of the

http://www.linuxsecurity.com/content/view/124454
 
  New Google feature flags dangerous sites
  7th, August, 2006

Google Inc. has begun alerting users whenever they click on a search result that may take them to a dangerous Web site.

http://www.linuxsecurity.com/content/view/123984
 
  An open source security triple play
  7th, August, 2006

Want to protect your SOHO machine or LAN from rootkits and malware, but want something a little more real-time than simply running Chkrootkit or another rootkit detector after the fact? Consider OSSEC-HIDS, an open source host intrusion detection system.

http://www.linuxsecurity.com/content/view/123986
 
  Developing and Implementing an Operating Systems Security course with Labs
  10th, August, 2006

A core component of any curriculum in modern information security is the security of the operating systems that reside on the workstations and servers of a network. Effective information security depends on addressing all facets of how information is stored, moved, and modified. Since the operating system of a computer is the primary means of implementing the security of the information on that computer, it must be configured to minimize the risks of losing or compromising the data being processed.

http://www.linuxsecurity.com/content/view/124449
 
  Linux Netwosix: Goodbye, Netwosix
  10th, August, 2006

"Linux Netwosix was originally created with the goal of providing a security environment for building and creating new security-related solutions. With the passing of time I realized that the project has failed to achieve its goals within 3 years of hard work. This, among many reasons, is the most important because I never received help from anyone. Regardless of the fact that Netwosix has been downloaded by more than 60,000 users all around the world, I'm here to announce the shutting down of my dear project. Day after day I understand that I can't create a 'valid security-oriented product' alone..."

http://www.linuxsecurity.com/content/view/124466
 
  10 Tips for Reducing Storage TCO
  7th, August, 2006

LogError writes: By designing the solution, regardless of the storage vendor, IT managers can resume control over their SAN, break the storage vendor lock-in and save a large part of their budget. Using the available storage management services can therefore provide excellent solutions for painful problems.

http://www.linuxsecurity.com/content/view/123985
 
  Investigating Sophisticated Security Breaches
  8th, August, 2006

Well-funded groups in China are gathering sensitive information by breaking into U.S. government networks. The extent of these intrusions and the nature of data exposed are not fully known, and are raising national security concerns. At the same time, well-organized criminals are targeting credit card numbers and other sensitive data via the Internet, creating major security and privacy concerns. For instance, in 2005, intruders gained unauthorized access to 40 million credit card numbers from CardSystems. The increase in organized criminals, foreign governments, and non-state actors breaking into computer systems is raising the stakes of computer crime, and is compelling organizations to treat security breaches more seriously.

http://www.linuxsecurity.com/content/view/123994
 
  Brief: IBM looks to RFID to fight counterfeit drugs
  8th, August, 2006

IBM Corp. today unveiled a new radio frequency identification (RFID) system today designed to stamp out counterfeit products from the national supply of pharmaceutical drugs.

http://www.linuxsecurity.com/content/view/124000
 
  A New Open Source Approach to Weakness
  8th, August, 2006

More than 270 years ago, Carolus Linnaeus in his book Systema Naturae, attempted to categorize all biology on the Earth into a series of kingdoms. Web application security vendor Fortify thinks that the same kingdom approach can be taken to classify Web vulnerabilities.

http://www.linuxsecurity.com/content/view/124004
 
  Secure business: Knowing the dangers
  9th, August, 2006

Business continuity plans should be part of a wider security strategy that is closely aligned with business needs and accounts for everyday threats as well as major disasters. The Buncefield oil depot blast last year sounded a very loud warning to us all. Disasters do occur and IT directors need to establish a business continuity strategy to ensure access to business critical systems is maintained.

And it is not just the big bang events that we need to prepare for. Every day, businesses are under attack from viruses, worms and hacking attempts. And end-users and IT staff are making decisions that could inadvertently cause the corporate network to fail.

http://www.linuxsecurity.com/content/view/124008
 
  How to Start Up a Mobile Security Project
  9th, August, 2006

Log Error writes: The proliferation of laptops, PDAs, smartphones and USB sticks means that corporate data is no longer confined to the office. Without a joined-up policy on mobile security, protecting and keeping track of it becomes impossible. Without the necessary procedures and technical restrictions in place, companies can easily lose track of their sensitive data. Just how many files have been copied in this way? Where are they all now?

http://www.linuxsecurity.com/content/view/124440
 
  How to Be a Better Burglar
  10th, August, 2006

Some years back, the place I worked went through significant changes that caused great upheaval and stress throughout the workforce. Most people accepted the changes and dealt with them professionally. A few people didn’t have the necessary coping skills, and they acted out. One way of acting out came in the form of anonymous letters sent to the board of directors, executive management and a few senior people in some of our sales offices. The letters were not complimentary of the corporate leadership, and a disruptive buzz began around the company.

Management wanted to locate the source and choke it off, and that was where I came in. I was asked to do some sleuthing and figure out who was behind the letters.

http://www.linuxsecurity.com/content/view/124444
 
  How serious is HSBC's online banking flaw?
  10th, August, 2006

Security professionals have questioned reports of a 'serious flaw' in HSBC's online banking system. Researchers at Cardiff University claim to have discovered the flaw which, according to The Guardian, over two years left 3.1 million customers exposed due to a defect in how people access their online accounts.

http://www.linuxsecurity.com/content/view/124465
 
  Gartner’s Top 5 Tips to boost data security
  11th, August, 2006

Public exposure of private data is becoming a regular occurrence, but the majority of these incidents can be prevented if companies implement the proper security best practices, according to Gartner, whose analysts have identified the top 5 steps to prevent data loss and information leaks.

http://www.linuxsecurity.com/content/view/124472
 
  FAQ: Protecting Yourself From Search Engines
  10th, August, 2006

AOL's publication of the search histories of more than 650,000 of its users should reinforce an important point: What you type in online may not be as private as you think. Search engines place a multibillion-dollar infrastructure at the hands of any random user who stops by their Web site. The price you pay, however, is that the company may hold on to your search queries--which can provide a glimpse into your life--forever. To offer some suggestions about preserving your privacy while using search engines, CNET News.com has prepared the following list of frequently asked questions.

http://www.linuxsecurity.com/content/view/124450
 
  Is your bank responsible for protecting you from key loggers?
  11th, August, 2006

Where does your bank's responsibility to protect you and your online transactions end? Apparently the HSBC bank of Great Britain knew for 2 years that they had a vulnerability and did nothing about it. There are very few details about the vulnerability, but one thing is known -- an attacker would already have to have a key logger on the customer's system to take advantage of the vulnerability. Maybe I'm being naive, but if an attacker has a key logger on the system, I figure your online banking credentials being stolen is just the start of your worries.

http://www.linuxsecurity.com/content/view/124473
 
  Users still not wiping data from unwanted PCs
  12th, August, 2006

A fifth of secondhand PCs finding their way onto the resale market still contain sensitive data on their hard discs. Research by BT, the University of Glamorgan in Wales and Edith Cowan University in Australia, has found that while 41% of the disks were unreadable, 20% contained sufficient information to identify individuals. The research, based on the acquisition of 300 PCs from auctions, computer fairs and on-line purchases, also found that 5% of the machines held commercial information on organisations, and that 5% held “illicit data”.

http://www.linuxsecurity.com/content/view/124474
 
  BLACK HAT - FBI: Cybercriminals Taking Cues From Mafia
  7th, August, 2006

The Web site offered to sell stolen credit card information for US$100, but it was the title of the poster that caught FBI agent Thomas X Grasso Jr.'s attention. The cybercriminal identified himself as a "Capo di capo" -- a boss of bosses, in Mafia parlance. As money has become the driving force behind online threats, cyber criminals have been taking a page from organized crime, adopting the same kind of organizational structures as these older crime groups, Grasso told an audience Friday at the Defcon hacker conference. Defcon immediately follows Black Hat, its sister show.

http://www.linuxsecurity.com/content/view/123980
 
  Senate OKs Controversial Internet Treaty
  8th, August, 2006

The U.S. Senate Friday ratified an international treaty designed to ease investigation of cybercrime, but U.S. civil liberties groups say that signing the pact is a big mistake. The Council of Europe's Convention on Cybercrime, which began circulating in 2001, has been adopted by 41 other countries, including most of Europe as well as Canada and Japan. It is designed to harmonize laws on computer crime, which differ from country to country. Countries that sign the treaty agree to establish some common laws against criminal behavior online, such as attacks on computer networks, terrorist tactics, and exploitation of children. The language of the treaty is very broad and doesn't require the U.S. to write any new cybercrime laws.

http://www.linuxsecurity.com/content/view/123997
 
  Weak spots still hamper DHS info security
  8th, August, 2006

Despite improvements, the Homeland Security Department continues to display significant information security weaknesses that jeopardize the integrity and privacy of department IT programs, according to a new report released by DHS Inspector General Richard Skinner.

http://www.linuxsecurity.com/content/view/124005
 
  GAO: Passenger screening program not ready to take off
  9th, August, 2006

The Transportation Security Administration (TSA) needs to address security and privacy concerns before rolling out its Secure Flight program, according to the Government Accountability Office (GAO).

http://www.linuxsecurity.com/content/view/124443
 
  VoIP hacking exposed
  6th, August, 2006

Businesses who switch over to internet telephony systems in a bid to slash telephony costs have been warned to guard against hacking attacks. The latest VoIP security threats and countermeasures were outlined at a presentation at the Black Hat security conference in Las Vegas on Wednesday. The talk, by security experts from SecureLogix and 3Com's Tipping Point security appliance division, was accompanied by the release of 13 new security tools.

http://www.linuxsecurity.com/content/view/123970
 
  Browser Cache: Goodies For Hackers
  7th, August, 2006

Your browser's cache may be helping hackers to help themselves to your information. During a Black Hat conference discussion on the topic, Corey Benninger, a senior consultant at McAfee's Foundstone division, described cached browser information as a ticket for instant hacker gratification.

http://www.linuxsecurity.com/content/view/123987
 
  Hacking at Defcon
  8th, August, 2006

More than 6,000 hackers and other attendees gathered in Las Vegas this weekend to party and compete at Defcon, the world's largest hacker convention.

Here, teams battle it out in the confab's Capture the Flag game, organized by a group called Kenshoto. In this computer security war game, the goal is to attack rivals' networks while simultaneously defending one's own.

To participate, would-be entrants must score well in a prequalifying round by answering questions ranging from hacker trivia to computer forensics to Web server administration.

http://www.linuxsecurity.com/content/view/123993
 
  The Black Hat Wi-Fi exploit coverup
  8th, August, 2006

You've probably heard of full disclosure, the security philosophy that calls for making public all details of vulnerabilities. It has been the subject of debates among researchers, vendors, and security firms. But the story that grabbed most of the headlines at the Black Hat Briefings in Las Vegas last week was based on a different type of disclosure. For lack of a better name, I'll call it faux disclosure. Here's why.

http://www.linuxsecurity.com/content/view/124006
 
  Hacking The Dead Cow
  9th, August, 2006

In the annals of computer "(in)security," few groups are as well known as the Cult of the Dead Cow (cDc). They are now adding a new chapter to their infamous history with the release of a new malware search engine that enables researchers to analyze over 31,000 "hostile" files. It's all part of an effort the cDc calls "offensive computing." Originally founded in 1984, cDc and its members are well known for a number of their efforts over the past 22 years.

http://www.linuxsecurity.com/content/view/124442
 
  Defcon Speakers Team Up to Fight 'Queen Bots'
  11th, August, 2006

Imagine for a moment that our central defense against bank robbers was a technology that recognized criminals based largely upon their physical appearance. Now imagine that the bad guys had figured out a way to rapidly and automatically change not only their facial structure, but their height, weight, clothing and method of attack. The net result of those attacks would ultimately be more successful and profitable bank robberies, encouraging the bad guys to step up the frequency and brazenness of their attacks.

http://www.linuxsecurity.com/content/view/124468
 
  Users Eye New WiFi Security Issues
  13th, August, 2006

Some of the underlying 802.11 security issues revealed at the recent Black Hat security show have led some experts to recommend that users turn off their WiFi radios when not in use.

http://www.linuxsecurity.com/content/view/124475
 

(c)Copyright 2008 Guardian Digital, Inc. All rights reserved.