EnGarde Secure Community 3.0.8 Released
- Guardian Digital is happy to announce the release of EnGarde Secure Community
3.0.8 (Version 3.0, Release 8). This release includes several bug fixes and
feature enhancements to the Guardian Digital WebTool, several updated packages,
and several new packages available for installation.
pgp Key Signing Observations: Overlooked Social and Technical Considerations
- While there are several sources of technical information on using pgp in
general, and key signing in particular, this article emphasizes social aspects
of key signing that are too often ignored, misleading or incorrect in the
technical literature. There are also technical issues pointed out where I
believe other documentation to be lacking. It is important to acknowledge
and address social aspects in a system such as pgp, because the weakest link
in the system is the human that is using it. The algorithms, protocols and
applications used as part of a pgp system are relatively difficult to compromise
or 'break', but the human user can often be easily fooled. Since the human
is the weak link in this chain, attention must be paid to actions and decisions
of that human; users must be aware of the pitfalls and know how to avoid them.
Bulletproof Virus Protection - Protect your network from costly security
breaches with Guardian Digital's multi-faceted security applications.
More than just an email firewall, on-demand and scheduled scanning detects
and disinfects viruses found on the network.
Take advantage of our Linux Security discussion list! This mailing list is for
general security-related questions and comments. To subscribe send an e-mail to
security-discuss-request@linuxsecurity.com with "subscribe" as the subject.
Earn an NSA-recognized IA Masters Online - The NSA has designated Norwich
University a Center of Academic Excellence in Information Security. Our program
offers unparalleled Infosec management education, and the case study affords you
unmatched consulting experience. Using interactive e-Learning technology, you can
earn this esteemed degree without disrupting your career or home life.
Protect your home and business networks with the free, community version of
EnGarde Secure Linux. Don't rely only on a firewall to protect your network,
because firewalls can be bypassed. EnGarde Secure Linux is a security-focused
Linux distribution made to protect your users and their data.
Thank you for reading the LinuxSecurity.com weekly security newsletter. The
purpose of this document is to provide our readers with a quick summary of each
week's most relevant Linux security headlines.
How to Cheat at Managing Information Security
28th, September, 2006
Mark Osborne doesn't like auditors. In fact, after reading this book, one gets the feeling he despises them. Perhaps he should have titled this book 'How I learned to stop worrying and hate auditors'. Of course, that is not the main theme of How to Cheat at Managing Information Security, but Osborne never hides his feeling about auditors, which is not necessarily a bad thing. In fact, the auditor jokes start in the preface, and continue throughout the book.
The subtitle of the book is 'Straight talk from the loud-fat-bloke who protected Buckingham Palace and ran KPMG's security practice'. Essentially, the book is Osborne's reminiscence of his years in information security, including the good, the bad, and, more often than not, the ugly.
The Metasploit Project is one of the most popular penetration testing suites available. If you're responsible for the security of networked systems, you'll want to become familiar with Metasploit Framework, so you can test your client PCs before someone with malicious intent does it for you. I'll walk you through an example exploit of a Windows XP system to show you how effortlessly Metasploit can penetrate remote systems. I used version 2.6, the current stable version. Grab the stable tarball for Linux, unpack it, enter the just-created framework-2.6 subdirectory, and take a look around.
This is the ninth in a series of tips on how to use Nmap in an enterprise network environment.
For a security tool to be useful you have to be able to understand what it's telling you about the setup, security, or weak points of your system or network. With Nmap you can run very comprehensive tests. To analyze the results it is often best to have the output recorded in XML format so that it can be easily imported into a database or converted into HTML for analysis and human consumption.
SSL-Explorer is the world's first open-source, browser-based SSL VPN solution. This unique remote access solution provides users and businesses alike with a means of securely accessing network resources from outside the network perimeter using only a standard web browser.
Users can now be granted access to their files, intranet applications and email from virtually any location with an internet connection. Using SSL-Explorer you can quickly and simply provide full extranet access to key strategic business partners and external consultants. Similarly, your network support staff are also now free to remotely manage servers, routers and other network hardware securely using industry standard encryption technologies to protect key information assets.
ATA over Ethernet (AoE) is an open-standards-based protocol which allows client hosts direct network access to disk drives. AoE has been incorporated into the mainstream Linux kernel, has recently been the subject of a Slashdot article, and appears to be a SAN technology that is here to stay. This paper investigates the insecurities present in the AoE protocol and suggests how you can deploy AoE infrastructure without worrying about a wide-scale compromise.
For those who are not experts in computer security, here are the top 5 tips to a safer online experience (in addition to having firewalls, anti-virus, and patching diligently).
http://www.linuxsecurity.com/content/view/125069
Understanding SQL Injection
27th, September, 2006
SQL injection is a technique used by a malicious user to gain illegal access to remote machines through a web application vulnerability. The basic idea behind this technique is to run an SQL query that the programmer never intended to run. The technique relies heavily on logical operations such as AND, OR and UNION; used properly, it can give a malicious user complete access to a web server. If the application naively builds SQL strings on the fly (dynamic queries) and then runs them, the result can be some real surprises, as we will see later on.
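As an added example that is not from the article, the two query styles this paragraph contrasts, in Python with sqlite3: a lookup that splices user input into the SQL text, the same lookup with a bound parameter, and a defender-side check that flags when a by-name lookup has returned rows for other names. The table, its rows and the input string are constructed for this example.

```python
import sqlite3

# Constructed sample data for this example; it is not from the article.
USERS = [("alice", "admin"), ("bob", "staff"), ("carol", "staff")]

# Classic tautology input: the quote closes the intended string literal and
# the OR clause makes the WHERE condition true for every row in the table.
TAUTOLOGY = "bob' OR '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_naive(conn, name):
    # Vulnerable: the value is spliced into the SQL text, so quotes and
    # keywords (OR, UNION, ...) in the input become part of the query logic.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Hardened: the query text is fixed and the value is bound as a parameter,
    # so the input is only ever compared as data, never parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def leaked_other_rows(rows, requested_name):
    # Defender-side sanity check: a lookup by exact name must never return
    # rows for any other name. True here means the query logic was altered.
    return any(name != requested_name for name, _ in rows)


if __name__ == "__main__":
    conn = make_db()
    for fn in (lookup_naive, lookup_parameterized):
        rows = fn(conn, TAUTOLOGY)
        print(fn.__name__, rows, "altered:", leaked_other_rows(rows, "bob"))
```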
If you are developing a password-protected web site, you have to make a decision about how to store user password information securely. What is "secure," anyway? Realize that the data in your database is not safe. What if the password to the database is compromised? Then your entire user password database will be compromised as well. Even if you are quite certain of the security of your database, your users' passwords are still accessible to all administrators who work at the Web hosting company where your database is hosted. Scrambling the passwords using some home-brewed algorithm may add some obscurity but not true "security." Another approach would be to encrypt all passwords in your database using some industry-standard cipher, such as the Message-Digest Algorithm 5 (MD5).
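An added example, not from the article, that contrasts the fast unsalted digest the paragraph proposes with a salted, deliberately slow key derivation (PBKDF2-HMAC-SHA256); the hardened form goes beyond the MD5 approach the text describes. The sample accounts and the ITERATIONS work factor are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2; an assumed value, tune it for your own hardware.
ITERATIONS = 200_000


def md5_unsalted(password):
    # The approach the article suggests: one fast, unsalted digest per password.
    # Every user with the same password gets the same stored value, so a leaked
    # table reveals shared passwords and is cracked with precomputed tables.
    return hashlib.md5(password.encode()).hexdigest()


def store_password(password, salt=None):
    # Hardened form: a random per-user salt plus a deliberately slow key
    # derivation (PBKDF2-HMAC-SHA256). Only the salt, work factor and derived
    # key are stored; the password itself never reaches the database.
    salt = salt if salt is not None else secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": derived.hex()}


def verify_password(record, attempt):
    # Re-derive with the stored salt and work factor, then compare in constant
    # time so the comparison does not leak how many bytes already matched.
    derived = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                  bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(derived.hex(), record["hash"])


def shared_password_groups(unsalted_table):
    # What a leaked table of unsalted digests gives away for free: accounts
    # that share a password are visible without cracking a single hash.
    groups = {}
    for user, digest in unsalted_table.items():
        groups.setdefault(digest, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample accounts for this example.
    accounts = [("alice", "hunter2"), ("bob", "hunter2"), ("carol", "s3cret")]
    table = {user: md5_unsalted(pw) for user, pw in accounts}
    print("shared passwords visible in unsalted table:", shared_password_groups(table))
    rec = store_password("hunter2")
    print("correct:", verify_password(rec, "hunter2"), "wrong:", verify_password(rec, "hunter3"))
```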
Many web applications are designed to permit the input of HTML tags so that HTML-formatted data can be displayed. Malicious users can use these tags to attack other users by inserting scripts, malicious applets and so on; this is called cross-site scripting, or XSS. Such attacks are the result of poor input validation. XSS uses a combination of HTML and scripting languages: with the right combination of HTML and JavaScript, an intruder can mislead the client and carry out attacks ranging from DoS (by opening an enormous number of windows on the client side) to embedding malicious FORM tags at the right place, so that users are tricked into revealing sensitive information through the modified behavior of an existing form; by embedding scripts, an intruder can cause various other problems. This is by no means a complete list of problems, but hopefully it is enough to convince you that this is a serious problem.
It must say something about our times that Bruce Schneier, a geeky computer encryption expert turned all-purpose security guru, occasionally gets recognized in public. "My life is just plain surreal," he says.
Schneier, 43, has made it so by popping up whenever technology and regular life intersect, weighing in on everything from the uselessness of post-Sept. 11 airport security measures to the perils of electronic voting machines and new passports with radio chips.
He does it by writing books, essays, a frequently updated Web log and an e-mail newsletter with 125,000 subscribers. It helps that he has never met a reporter whose phone calls he will not return. "I'm a media slut," he admits.
Biometrics has long been one of the solutions touted by security vendors to meet multi-factor authentication objectives. However, user acceptance and cost issues often prevent organizations from adopting biometrics as a solution. This isn’t to say that other multi-factor solutions are any less cost prohibitive. The capital expenditure and on-going maintenance costs of token-based systems are often higher than those for biometrics. Solutions based on keystroke dynamics might help meet these business challenges.
"Dark Reading and SC Magazine covered a story about hackers posting cross-site scripting (XSS) vulnerabilities en masse on dozens of high-profile websites including Dell, MSN, HP, Apple, Myspace, YouTube, MSN, Cingular, etc. The media coverage drew the hackers' attention to the publications' websites, where they got a taste first-hand. On the message board wall-of-shame are PC World, MacWorld, Fox News, the Independent, and ZDNet UK. "...not only did we get the "scoop" on the XSS site problems, but we also got the message loud and clear: Don't assume you're immune to XSS vulnerabilities. They're everywhere."
The information security industry doesn't go more than a couple of weeks between the releases of surveys, most of which exist for marketing purposes rather than as reportage of major discoveries. Though venerable, the annual CSI/FBI Computer Crime & Security Survey is no exception -- and some of the claims it makes would, or should, stop a reasonable security pro in his tracks.
The survey is run by the San Francisco-based Computer Security Institute, which was founded in 1974. The survey began in the mid-1990s. In its early days, CSI got the FBI's Computer Intrusion Squad to co-sponsor its survey, providing a certain name cachet to a study by an organization with which few people were otherwise familiar.
Here's a cautionary tale for would-be penetration testers: get permission from a bank before you try to bill them for helping to identify and fix the security shortcomings of their services. New Zealander Gerasimos Macridis, 39, learnt that lesson the hard way after his attempts to help the country's Reserve Bank improve its telephone banking systems resulted in a court appearance.
It could be the basis of a new reality show: IT administrators battle unsecured devices accessing their networks while willful executives resist their security measures.
There are a lot of things IT people must focus on to make networks secure. At the same time, they must allow businesses and organizations to focus on their overall mission.
For some administrators, the issues that top their security to-do list include insisting that executive BlackBerrys are password-protected and making sure the devices stay uncontaminated from viruses, worms or worse.
Audrey Pantas, Xerox Corp.'s chief information security officer, insisted repeatedly that executives at her company secure their BlackBerrys with passwords. In the end, she won her case, but not without a lot of resistance.
Understanding the mindset of a hacker and the likes of one may be useful to counter security attacks, but companies still object to hiring former, or even reformed, black hats. According to Paul Ducklin, chief technical officer at Sophos, a good antivirus researcher or someone who works to weed out malicious code would need "far greater" skills than a black hat--a hacker who exploits IT security flaws for the primary purpose of inflicting damage. Unlike security professionals, black hats "don't have to support their product [or] be absolutely reliable", Ducklin told ZDNet Asia during a recent visit to Singapore. "They don't have to worry about whether they meet any particular deadlines, and they don't have to worry about everyone else's malicious code."
The role of ISPs in security is one of the great neglected topics in our industry, and one of my favorite subjects back to the time before I started focusing on security. Back, I believe, in 1999, I wrote an article predicting (because it made perfect sense) that the future of security for consumers was through the ISP. Anti-virus, Anti-spam, perhaps even network security like firewalls could be implemented by the ISP. Of course this wouldn't preclude the need for client-side protection, but just imagine if ISPs had been offering serious security for the last few years.
Does Your Web Browsing Create a Unique 'Clickprint'?
28th, September, 2006
On August 21, 2006, Time Warner's America Online revealed that it had severed ties with its chief technology officer after the online service released three months of search queries from 658,000 subscribers which, although "anonymized" by removing user account details, still contained enough data to possibly identify some of the users. The privacy breach underscored the perils of supposedly "anonymous" Internet profiling and raised the hackles of privacy advocates such as the Electronic Frontier Foundation. The EFF, a week earlier, had urged the Federal Trade Commission to investigate AOL and force the company to change its privacy practices.
Cybersecurity Chief Quits After Unusual Contract Expires
27th, September, 2006
The Bush administration's cybersecurity chief, who worked under an unusual agreement with a private university that does extensive business with the office he manages, is leaving his job. Donald "Andy" Purdy Jr. will step down as acting director of the National Cyber Security Division, part of the Department of Homeland Security. A government spokesman, Jarrod Agen, declined to comment on Purdy's plans, but colleagues circulated an invitation to his farewell party next week. Purdy worked at Homeland Security under a two-year contract with Carnegie Mellon University that expires Oct. 3. Under the contract, the government paid Purdy $245,481 in salary and benefits each year, not including travel reimbursements; Carnegie Mellon paid him an additional $43,320 a year.
See how far you can hack your way up the ladder! Can you make it through all the challenges? This game goes from simple JavaScript all the way up to Cryptography. Good luck.
http://www.linuxsecurity.com/content/view/125072