EnGarde Secure Community 3.0.8 Released
- Guardian Digital is happy to announce the release of EnGarde Secure Community
3.0.8 (Version 3.0, Release 8). This release includes several bug fixes and
feature enhancements to the Guardian Digital WebTool, several updated packages,
and several new packages available for installation.
pgp Key Signing Observations: Overlooked Social and Technical Considerations
- While there are several sources of technical information on using pgp in
general, and key signing in particular, this article emphasizes social aspects
of key signing that are too often ignored, misleading or incorrect in the
technical literature. There are also technical issues pointed out where I
believe other documentation to be lacking. It is important to acknowledge
and address social aspects in a system such as pgp, because the weakest link
in the system is the human that is using it. The algorithms, protocols and
applications used as part of a pgp system are relatively difficult to compromise
or 'break', but the human user can often be easily fooled. Since the human
is the weak link in this chain, attention must be paid to actions and decisions
of that human; users must be aware of the pitfalls and know how to avoid them.
Bulletproof Virus Protection - Protect your network from costly security
breaches with Guardian Digital's multi-faceted security applications.
More than just an email firewall, on-demand and scheduled scanning detects
and disinfects viruses found on the network. Click to find out more!
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Earn an NSA recognized IA Masters Online - The NSA has designated Norwich University a center
of Academic Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched consulting
experience. Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.
Protect your home and business networks with the free, community version of
EnGarde Secure Linux. Don't rely only on a firewall to protect your network,
because firewalls can be bypassed. EnGarde Secure Linux is a security-focused
Linux distribution made to protect your users and their data.
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
Security measures seen doing more harm than good
18th, September, 2006
Many of the security measures put in place after the Sept. 11, 2001, attacks on the World Trade Center in New York are doing more harm than good, said two speakers scheduled to present at the Hack In The Box Security Conference (HITB) this week.
The effect of many security measures put in place by governments after Sept. 11 has been to strengthen control over their citizens and erode democratic freedoms, said Roberto Preatoni, a security consultant who works in Italy. "The Internet allows you to do more effective things regarding controlling the population," he said.
Security advances not keeping pace with technology
19th, September, 2006
Trying to lock down your company's applications and protect your systems from attack? If so, security scanners and source-code analysis tools are not up to the job -- despite vendor claims to the contrary.
"There's an awful lot of marketing spiel, people introducing technology tools that are sold as silver bullets," said Mark Curphey, vice president of professional services at McAfee's Foundstone division, in an interview. "The reality is, in a large enterprise, those things generally don't work."
If you were to line up a hub, a switch and a router next to one another, at first glance you might think they look pretty much the same. While they do have some basic functionality in common, they are in fact very different beasts. If you can't tell your routers from your hubs, please read on -- this column is for you.
Pro PHP Security by Chris Snyder and Michael Southwell
21st, September, 2006
Good security is the basis of any viable website. With the internet being the most public of places, broken systems cost: money, reputations and possibly customer identities are the currency. Pro PHP Security, published by Apress and written by Chris Snyder and Michael Southwell, is a detailed and authoritative account of the security details that affect a successful deployment of a PHP website. The book ranges from the almost theoretical to the highly practical, such as hardening against SQL injection attacks and validating user input. Whether you are a newbie programmer or a serious practitioner, you may still find highly relevant comfort and detail in the book. There may be monsters waiting in the dark.
Having a firewall is one of the steps you can take to make sure that your machine is a little bit more secure. This is achieved by opening access only to the applications or ports that you explicitly allow, and blocking the rest. This for me is good practice, although some people might argue otherwise. For my Linux machines, I prefer to use FireHOL. FireHOL is not a firewall on its own, but a shell wrapper for the Linux iptables firewall. It allows you to configure iptables rules in a descriptive, easy to understand language.
This is the second part of the introduction to FireHOL article. It covers more advanced topics that you might find useful, such as defining new services, selective filtering, and NAT. I suggest you read the first part of the article if you haven't done so. FireHOL by default comes with a large number of predefined services, including http, https, dhcp, icmp, samba, snmp, syslog, telnet, ssh, and so on. A complete list can be found here. However, if you run an application that does not exist in the FireHOL service list, it's very easy to add one.
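As an added illustration that is not from the article or the FireHOL project: a hypothetical /etc/firehol/firehol.conf in the FireHOL 1.x syntax of the time, declaring a custom service for a constructed application on TCP 8080 and restricting SSH to a constructed admin range (192.0.2.0/24), with everything else on the interface dropped.

```firehol
version 5

# Custom service: a hypothetical application listening on TCP 8080.
# FireHOL derives the "myapp" service name from these two variables
# (server_<name>_ports / client_<name>_ports); "default" means any
# unprivileged client port.
server_myapp_ports="tcp/8080"
client_myapp_ports="default"

# Public interface: default policy drop, so only what is listed below
# is reachable. UNROUTABLE_IPS is a FireHOL-provided list of bogon ranges.
interface eth0 internet src not "${UNROUTABLE_IPS}"
    protection strong
    policy drop
    # Selective filtering: SSH only from the (constructed) admin range.
    server ssh accept src 192.0.2.0/24
    # The custom service defined above, reachable from any routable source.
    server myapp accept
    # Let the host itself initiate outbound connections; replies are
    # matched statefully, nothing unsolicited comes in.
    client all accept
```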
The open source software movement has come a long way. A decade ago, nobody but the actual participants in open source projects and other IT enthusiasts gave the movement much chance of succeeding, but today, it's tough to deny the success of open source products. However, when it comes to security tools and antivirus software--the thin blue line separating our computers from certain infection on the Internet--there is less agreement that open source can secure as well as traditionally developed, closed-source products.
There is no denying the huge impact that open source development has had, and continues to have, on the IT industry. Indeed, one only has to look as far as Linux, which is the second-most popular operating system (to Windows), and the fastest growing operating system in terms of usage. Apache remains, by far, the most popular HTTP server on the Net, and the Eclipse Java framework is rapidly gaining market and mind-share, and is now a real threat to Microsoft in development tool supremacy.
Less rigor in Web programming, an increasing variety of software, and restrictions on Web security testing have combined to make flaws in Web software the most reported security issues this year to date, according to the latest data from the Common Vulnerabilities and Exposures (CVE) project.
A draft report on the latest numbers from the vulnerability database found that 4,375 security issues had so far been cataloged in the first nine months of 2006, just shy of the 4,538 issues documented last year.
Recovery Management: a new approach to data protection and management
19th, September, 2006
In the struggle to ensure data protection, reduce backup windows, and manage costs – both capital and operational – IT managers face increasing challenges. Continual data growth, spurred by an increase in business data from databases, email systems, file shares and other sources, is only one aspect of the problem. Adding to the burden on IT management is the need to retain data of all sorts for longer periods due to changes in how businesses operate, and evolving regulatory demands.
Web administrators beware: cross-site scripting vulnerabilities are now far more attractive targets than more notorious bugs such as buffer overflows, according to new figures from Mitre, a U.S. government-funded research organization. Buffer overflows have long been one of the most common types of bugs attacked by malware, with Intel and Advanced Micro Devices (AMD) even building in hardware support for an anti-buffer overflow technology called NX (No Execute) or XD (Execution Disable).
Microsoft gives away a security firewall with its latest operating system. Many high-speed Internet service providers offer free anti-virus protection for subscribers. And several Web sites distribute free toolbars to warn of Web scams. AOL even recently made a package of basic security tools — anti-virus, anti-spyware and firewall programs — available for free to anyone, not just paying subscribers. Despite all the free protection, primarily for Windows computers, leading security vendors are moving forward with plans to start selling their annual slate of security products this fall.
Mozilla on Sept. 14 reissued the popular open-source Firefox Web browser, and its email counterpart, Thunderbird, with new security and stability fixes. Each of the open-source apps rolls to version 1.5.0.7.
Firefox 1.5.0.7 comes with fixes for half-a-dozen minor security vulnerabilities. The first of these is a patch that will prevent possible attacks from opening a previously blocked popup that was using an XSS (cross-site scripting) attack.
Mozilla Corp. has hired a former Microsoft security strategist to help secure its open-source software, particularly its Firefox browser.
Window Snyder, whose hiring was announced last week, takes the title of "Chief Security Something" -- that's a working title, and not all that unusual for a company headed by someone who once held the title of "Chief Lizard Wrangler" -- said she has big plans for the group's development efforts.
Securely access a remote Linux Desktop using FreeNX
17th, September, 2006
NX, short for NoMachine's X protocol, is a compression technology developed by NoMachine which allows one to run complete remote desktop sessions (be it Linux or Windows) even at dial-up internet connection speeds. One of the advantages of using NX technology over VNC is that NX uses SSH on port 22 for the connection between the client and the server, which means all the communication takes place encrypted through industry standard SSL public key cryptography.
The Invisible Internet Project (I2P) is a work in progress whose aim is to provide a secure version of the IP protocol that addresses threats common to the standard TCP/IP networking infrastructure -- most importantly, the effortless identification and tracking of participating peers.
In I2P, each participating peer keeps a secret pool of inbound, or data-receiving, and outbound, or data-transmitting, tunnels it chooses itself. A tunnel consists of a configurable number of routers in sequence, where longer tunnels mean more anonymity, at the expense of performance.
Multi-layered strategies for securing storage networks
16th, September, 2006
The community of enterprises running sophisticated storage networking services has grown significantly more diverse over the last four years. Government regulations and competitive pressures have made implementing capabilities such as disaster recovery, business continuity and, now, even continuous data protection (CDP) more of a business imperative. Innovations in Wavelength Division Multiplexing (WDM) and optical networking have made it more cost-effective.
Since the economics aspects of network attacks seem to be of interest to some people (eWEEK and /.) I blog more about it... But at first, let me thank Jens Hektor and Jan Göbel who analyzed the incident and provided me with further data - without them, I could not blog about this :-)
Recently there was a malware incident within the network of my old university in Aachen: Blast-o-Mat, a custom IDS system, picked up an infected machine and redirected it to a quarantine webserver. This way, the user is instantly notified that something went wrong and he can download patches and AV engines at that web site. A closer examination revealed that the infected machine also made some strange web requests. It tried to post data to a PHP script located on a remote server. It turned out that this machine was infected with Haxdoor (F-Secure report), one of the most advanced Trojans out there nowadays. Haxdoor (AKA Goldun) is - among other things - capable of collecting private data like username/password combinations entered within Internet Explorer and also has some rootkit capabilities.
Research analysts at Gartner are predicting a sticky web of security hazards for IT professionals over the next two years, ranging from targeted financial attacks to spyware to rootkits.
Gartner released the list of threats on Monday during its IT Security Summit in London, part of the company's "hype cycle" reports that track technology trends. The threats, Gartner said, have a "potential to inflict significant damage" on businesses.
Ask Google anything - what's happening to GE's stock price, how to get to 881 Seventh Ave. in New York, where Mission Impossible 3 is showing, whatever happened to Brian Smith after he moved away in the ninth grade - and you'll get an answer. That's the power of this $US6 billion search engine sensation, which is so good at what it does that the company name became a verb. That kind of power keeps Google on the front page of the news - and sometimes under unfavourable scrutiny, as demonstrated by Google's recent clashes with the US Department of Justice and also with critics displeased by the search giant's stance on Chinese government censorship.
The balance between security and productivity is a delicate one in any organisation so IT pros need to be vigilant, enforcing appropriate controls to reduce risk. Security is not an area newly arisen in the wake of the 9/11 tragedy. There have always been reasons to be concerned: conflicting priorities, business environmental factors, information sensitivity, lack of controls on the Internet, ethical lapses, criminal activity, carelessness and higher levels of connectivity and vulnerability. It's a trade-off between limiting danger versus affecting productivity: 100 percent security equals 0 percent productivity, but 0 percent security doesn't equal 100 percent productivity.
'Dust for prints' after a security crisis, warn experts
19th, September, 2006
Businesses have been told they must gain an understanding of computer forensics if they are to keep pace with the growing level of threat from within the enterprise.
Bruce Nikkel, head of the IT investigation and forensics department at UBS, said areas such as the military or law enforcement have been using forensics for some time but he urged big business to get up to speed and understand the challenges.
Most of us don’t want to be famous, even if it brings great wealth. We want to be admired. Being admired is not the same as having strangers hate you just because you were on TV, or because you wrote a piece of software that made some money.
Real fame is having people write computer viruses specifically targeting your company. Against this sort of customised attack, it’s hard to see what anybody can do. Anti-virus and anti-spyware software is generic, to counter mass-market attacks.
Perspective: Going after the bigger insider threats
21st, September, 2006
New research from the Ponemon Institute finds that 78 percent of IT professionals in the United States claim that their companies have suffered unreported insider-related security breaches.
In other words, we still do not know the full extent of the problem posed by data security.
Insider threats include the misuse or destruction of sensitive or confidential information, as well as damage to the IT machinery where the data is stored. This can come about because of anything from simple mistakes or negligence to reckless behavior and even corporate sabotage. But what are the causes of insider threats, and how can IT professionals respond in time?
New legislation proposed by the German government aims to make computer hacking a punishable crime. The draft law, announced Wednesday, defines hacking as penetrating a computer security system and gaining access to secure data, without necessarily stealing data. As part of the draft, groups that intentionally create, spread or purchase hacker tools designed for illegal purposes could be punished by law, the Federal Ministry of Justice said in a statement. Other punishable cybercrimes include denial-of-service attacks and computer sabotage attacks on individuals, which would extend the existing law that limited sabotage to businesses and public authorities. Offenders could face up to 10 years in prison for major offenses.
Pod Slurping – An Easy Technique for Stealing Data
22nd, September, 2006
Our dependency on technology has never ceased to grow. Increased portability, ease of use, stylish looks and a good dose of marketing hype are the perfect cocktail to entice the population at large! Suppliers of consumer electronics are registering an ever increasing demand for portable consumer electronics. Since Apple's iPod launch in 2001, Apple has sold almost 60 million units (CNNMoney.com, 2006). The iPod has become a universally appealing source of audio entertainment - the eponym for MP3 players. Projections show that the demand for iPods and other MP3 flash-memory music players continues on a positive trend and will surge to nearly 124 million units in 2009 (Kevorkian, 2005).
The U.S. Department of Homeland Security released an overview this week of its cyberattack exercise which simulated the government's response to a large-scale disruption of the critical infrastructure and the Internet. More than 100 organizations in over 60 locations and five countries participated in the exercise in February of this year. According to a previously published presentation (PDF) outlining the scenario, the exercise pitted the responders against a mish-mash of anti-globalization cyberattackers.
The Department of Homeland Security has picked a new cyber-security czar. After a yearlong search, the federal government named former ITAA (Information Technology Association of America) vice president Gregory Garcia to be its overseer for cyber-security in the United States.
According to a statement released Sept. 18 by DHS secretary Michael Chertoff, Garcia will bring the "right mix of experience in government and the private sector" to succeed in the role of Assistant Secretary for Cyber Security and Telecommunications.
Chertoff said on Monday that Gregory Garcia, who has been working at a Washington-area trade association, would become the department's first assistant secretary for cybersecurity, with responsibility for advising agencies and the private sector.
The announcement ends a vacancy at Homeland Security that lasted more than 14 months and a wait that drew criticism from members of Congress, who said it demonstrated that Chertoff has not taken the topic seriously.
http://www.linuxsecurity.com/content/view/125024
States Strive For Robust IT Security
22nd, September, 2006
A survey by the National Association of State Chief Information Officers shows that state governments are paying more attention to information security, hiring chief information security officers and giving them defined budgets and enforcement authority. “Security is a hot topic in all the states, we’re all dealing with it,” said Nebraska CIO Brenda Decker in a conference call announcing the survey results.
Like other types of information technology, wireless networks offer a mix of benefits and security threats. While the potential threats are enough to make security officers cringe, the user benefits are enough to make them lay out their own cash to set up access. Like it or not, agencies had better be prepared to install and secure a wireless LAN or people will start looking to deploy one of their own. “You are battling the fact that people can purchase and deploy a wireless network easily,” said Stan Gatewood, information security officer for the University of Georgia at Athens. “They can go downtown and buy an access point for under $50.”
Imagine your agency’s wired network infrastructure. Now imagine it again without wires. A wireless LAN comprises many parts, but when they work together they create a communications infrastructure as secure as your traditional LAN. Building a secure wireless network requires attention to detail. Here’s a partial list of questions you should ask when requesting proposals for your agency’s WLAN.
Since our talks at Black Hat Vegas and DEFCON, Jon Ellch and I have been peppered with questions regarding how to find vulnerabilities in wireless device drivers and the specific techniques that were employed. Rather than answer these questions one at a time, an article seemed a better course of action. In this first article, we will discuss how to build an auditing environment, how to construct fuzzing tools and, finally, how to interpret the results.
Although our previous talks have focused primarily on 802.11-based protocols, these same auditing methods can be applied to almost any type of device, including Bluetooth and infrared, with successful results. This article is designed as a beginner's guide to fuzzing wireless device drivers. To get the most out of it you should already be familiar with exploit development and debugging, as the article does not cover either of those topics in depth.