RFID with Bio-Smart Card in Linux - In this paper, we describe the integration of a fingerprint template and an RF smart card for a clustered network, designed on the Linux platform with open source technology to obtain biometric security. The combination of smart card and biometrics achieves two-step authentication: smart card authentication is based on a Personal Identification Number (PIN), and the card holder is then authenticated using the biometric template stored in the smart card, based on fingerprint verification. The fingerprint verification has to be executed on the central host server for security purposes. The protocol designed allows control of all parameters of the smart security controller, such as PIN options, reader delay, real-time clock, alarm option and cardholder access conditions.
pgp Key Signing Observations: Overlooked Social and Technical Considerations - While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.
Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital's multi-faceted security applications. More than just an email firewall, on-demand and scheduled scanning detects and disinfects viruses found on the network.
Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.
Earn an NSA recognized IA Masters Online - The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree without disrupting your career or home life.
Protect your home and business networks with the free, community version of EnGarde Secure Linux. Don't rely only on a firewall to protect your network, because firewalls can be bypassed. EnGarde Secure Linux is a security-focused Linux distribution made to protect your users and their data.
Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.
Google Thanks Bug Hunters
2nd, November, 2006
A new page, quietly added to Google's corporate Web site last month, gives information on the security and safety of the company's Web properties. It also includes a list of people and organizations that Google wishes to thank for reporting security vulnerabilities to it. That's a first among major Web companies, security researchers say. "We want to thank those people for doing the right thing. I wanted to make sure we gave them lots of public 'geek cred,'" Douglas Merrill, vice president of engineering at Google, said in an interview. "The security researchers I know are partially in it for the geek credibility of it--the 'Hey! Look what I did. I am cool.'"
Something -- maybe a lot of things -- is wrong with how America conducts its elections. As you might have heard, there were a few problems down in Florida back in 2000, and more recently in the Maryland primary. No doubt, voting and vote-counting can be messy, complicated and subject to potentially outcome-shifting flaws. With that as backdrop and five days before Election Day, HBO weighs in tonight with "Hacking Democracy," a somewhat torpid documentary that is itself complicated, flawed and messy.
Thirty years on, cryptography still too hard to use?
31st, October, 2006
US government controls held back cryptography in the past, but today, it's usability that blocks adoption, a panel of experts said on Thursday.
At an event in Mountain View, California, celebrating 30 years of public key cryptography, several top minds in the field gathered for a trip down memory lane. Over the years, public key cryptography has grown from an idea in a paper published by Whitfield Diffie and Martin Hellman, both present at the event, to technology used in everyday transactions on the web.
Malicious Code Injection: It’s Not Just for SQL Anymore
3rd, November, 2006
More and more, developers are becoming aware of the threats posed by malicious code injection, SQL injection in particular, and of the risk of leaving code vulnerable to such attacks. However, while SQL injection is the most popular type of code injection attack, there are several others that can be just as dangerous to your applications and your data, including LDAP injection and XPath injection. While these may not be as well-known to developers, they are already in the hands of hackers, and they should be of concern.
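The LDAP case mentioned above, as an added example that is not part of the article: a search filter built from an untrusted username by naive concatenation next to the same filter built with RFC 4515 escaping, plus a cheap structural check that catches input adding assertions of its own. The filter template and the sample input are constructed for this example.

```python
# Added example, not from the article: an LDAP search filter built from an
# untrusted username, first by naive concatenation and then with RFC 4515
# escaping. Nothing contacts a directory; only the filter strings are inspected.

# RFC 4515 section 3: these characters must be written as a backslash plus two
# hex digits when they appear inside an assertion value.
LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

def escape_ldap_filter_value(value: str) -> str:
    """Escape one assertion value. Each character is mapped independently, so a
    backslash in the input is never escaped twice."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)

def unsafe_user_filter(username: str) -> str:
    """Injectable form: the raw input is pasted into the filter template."""
    return f"(&(objectClass=person)(uid={username}))"

def safe_user_filter(username: str) -> str:
    """Hardened form: metacharacters in the input are escaped first."""
    return f"(&(objectClass=person)(uid={escape_ldap_filter_value(username)}))"

def count_filter_items(flt: str) -> int:
    """Count unescaped '(' in a filter: the '&' wrapper plus one per assertion.
    The template above always yields 3; a larger count means the input added
    assertions of its own, a cheap regression check for filter builders."""
    count, i = 0, 0
    while i < len(flt):
        if flt[i] == "\\":
            i += 3  # skip an escaped byte such as \2a
            continue
        if flt[i] == "(":
            count += 1
        i += 1
    return count

if __name__ == "__main__":
    sample = "*)(uid=*"  # constructed input containing filter metacharacters
    for build in (unsafe_user_filter, safe_user_filter):
        flt = build(sample)
        print(build.__name__, count_filter_items(flt), flt)
```

The escaped form matches only a uid that literally contains the metacharacters, while the concatenated form gains a fourth filter item; the same escaping rules apply to any attribute value placed in a filter, not just uid.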
Are You Sure You're As Prepared As You Think You Are
28th, October, 2006
Recently, the area I live in experienced a power outage due to a surprise storm that came through and snapped trees like they were matchsticks. When those trees broke, they took thousands of power lines with them. At one point, there were nearly 500,000 households and businesses without electricity - including of course, my employer. There are quite a few things we've learned as a result of this, so I'm going to point them out as the story moves along. As in many companies, our first line of defense is a UPS. On any normal day according to the display on the unit we should have about 45 minutes of runtime available at full capacity.
All ports were open to the world and practically every application had holes in it. It was like the Wild West. Eventually application security became a big deal as more serious issues were uncovered and more commerce depended upon secure platforms. Network security was next on the scene. It made sense to build a single choke point for all security needs. It was slick because it could see all the packets in transit to and from your servers, and turn off all access to anything that had a known hole in it. Those were the good times. Times have since changed.
I often surf the web and see blatant design errors that make me shake my head. Without even investigating the security of a site, I know without a doubt that the site will be chock full of vulnerabilities. How can I be so sure? I see programming mistakes that illustrate an utter lack of concern for security. They are ugly mistakes that are far too prevalent. If you have any of the issues mentioned below in your own web application, it's time to sit down with your developers and have a chat. If these mistakes are being made, dig deeper. You may not like what you see, but it's better that you uncover the problems than leave them to be discovered by someone else. For each of the signs listed below, take a look at the included examples for public evidence of just how widespread the problem is.
The Supervisory Control and Data Acquisition (SCADA) system of a natural gas utility was compromised resulting in a reduction of operation. The breach was discovered when operator interfaces became unresponsive and the system was no longer acquiring data. As a result, the system was disconnected from the network and a combination of manual operation overrides and limited fail-over to a backup server went into effect until the environment could be restored. Technicians troubleshooting the incident identified the deletion of several core application files on the primary control server as the source of the problem.
Since its inception in 1995, SSH has become the most widespread remote login protocol for Linux boxes, with some estimates saying that there were at least 2 million SSH users at the end of 2000. Gone are the days of telnet sending your data in plaintext over untrusted networks. Now you can type with a reasonable amount of confidence that your data is encrypted and secure. But, as Uncle Ben said, with great power comes great responsibility! By its very nature, an improperly configured ssh daemon can be a network liability rather than an asset. If you have a Linux box that is accessible via the Internet, it pays to know what you are doing. Therefore, here are five things you can do to lock down your server and make ssh more secure…
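As an added example that is not from the article (whose five steps are not reproduced on this page), here is a small audit of an sshd_config's global section. The keywords are real OpenSSH options; the accepted values are this example's own assumptions about common hardening advice, and the sample configuration is constructed.

```python
# Added example, not from the article: audit the global section of an
# sshd_config against a few hardening expectations. The keywords are real
# OpenSSH options; the accepted values are assumptions reflecting common
# hardening advice, not the five steps the article itself lists.
SAMPLE_SSHD_CONFIG = """\
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
#X11Forwarding yes
"""  # constructed sample for this example
# (keyword, accepted values, advice); multi-valued settings pass only if every value is accepted
HARDENING_CHECKS = [
    ("protocol", {"2"}, "offer only SSH protocol 2"),
    ("permitrootlogin", {"no", "without-password", "prohibit-password"},
     "do not allow root to log in with a password"),
    ("passwordauthentication", {"no"}, "prefer public-key authentication"),
    ("permitemptypasswords", {"no"}, "never accept empty passwords"),
]

def parse_sshd_config(text: str) -> dict:
    """Global-section {keyword: value}: keywords are case-insensitive, the first
    occurrence wins (as in sshd), and parsing stops at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit_sshd_config(text: str) -> list:
    """Return (keyword, observed value or None, advice) for each check that is
    unset or outside its accepted values."""
    settings = parse_sshd_config(text)
    findings = []
    for key, accepted, advice in HARDENING_CHECKS:
        if key not in settings:
            findings.append((key, None, advice + " (unset; compiled-in default applies)"))
            continue
        values = {v.strip().lower() for v in settings[key].split(",")}
        if not values <= accepted:
            findings.append((key, settings[key], advice))
    return findings
```

Settings inside Match blocks are deliberately not evaluated, since they apply only to matching users, groups or addresses and need per-criteria handling.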
You might remember my previous posting on websites that insist on sending your username and password credentials over the internet in plain text (in other words, anyone in between you and the destination web server can 'sniff' these credentials if they know what they are doing). This article created a substantial amount of feedback from both users and website owners. Some agreed to modify their authentication methods, some accused me of working for their competition. No, I'm not making that up.
Beyond displaying an extensive slate of existing Linux products, vendors at this week's InfoSecurity show pointed to possible future offerings ranging from a Linux client for a CD-ROM encryption system to a Linux-enabled all-in-one device for securing both physical access and video surveillance.
In a sign of the growing convergence between information security and physical security, the InfoSecurity conference was combined this year with the East coast edition of the ISC show, another perennial event at New York City's Javits Center.
Conference sessions tended to skirt matters specific to OS and interoperability, focusing instead on convergence issues such as organizational restructurings and information sharing, as well as on what general types of tools to deploy against the latest nuances in bots, pharming, and other cyberattacks.
Seagate Debuts New Hard Drives with Built-In Encryption
30th, October, 2006
Seagate Technology will soon begin shipping its first hard drives with special encryption chips that will make it impossible to read data off the disk -- or even boot up a PC -- without some form of authentication. The world's largest hard drive maker said its new DriveTrust Technology, which is designed to encrypt data stored on the hard drive automatically, will require users to have a key, or password, before being able to access the drive. The new Momentus 5400 FDE.2 (Full Disk Encryption 2), geared to notebook computers, will come in several capacities, including 80 GB, 120 GB, and 160 GB. Seagate said it expects to ship the drives early next year.
Ultra Secure Biometric USB 2.0 Flash Drive Released
3rd, November, 2006
The Kanguru Bio Slider II is a USB 2.0 secure flash drive made complete with the most up-to-date biometric fingerprint technology. The drive offers a low maintenance, effortless approach to protecting and storing your data.
In the weird world of quantum computing, the state of computer systems networked together is so fragile that a read access to a single quantum bit, or qubit, on one machine would require a network-wide reset. It's no wonder, then, that two researchers who are working on ways of defending against the future possibility of malicious attack assume that any unauthorized access to a quantum computer constitutes a catastrophic failure.
Asymmetric warfare is hell. Sure, you may have night-vision goggles, body armor, and air support, but you're also working for a bureaucratic organization built to fight a war that doesn't look much like the one you're in. Your adversary, on the other hand, is poorly equipped, yet nimble, resourceful, and adept at spotting and exploiting the slightest weakness. So much so, you may not even know you're under attack.
Take the U.S. Department of Commerce's Bureau of Industry and Security, which just this month confirmed that intruders, traced to servers in China, had spread a massive rootkit infection that will result in the replacement of hundreds of desktop computers. The attack, first discovered in July, eventually forced the Department of Commerce to suspend employee Internet access. A Department of Commerce spokesman admitted that, at first, the Department didn't recognize the extent of the problem.
On The Privacy Risks of Publishing Anonymized IP Network Traces
1st, November, 2006
Networking researchers and engineers rely on network packet traces for understanding network behavior, developing models, and evaluating network performance. Although the bulk of published packet traces implement a form of address anonymization to hide sensitive information, it has been unclear if such anonymization techniques are sufficient to address the privacy concerns of users and organizations. In this paper we attempt to quantify the risks of publishing anonymized packet traces. In particular, we examine whether statistical identification techniques can be used to uncover the identities of users and their surfing activities from anonymized packet traces. Our results show that such techniques can be used by any Web server that is itself present in the packet trace and has sufficient resources to map out and keep track of the content of popular Web sites to obtain information on the network-wide browsing behavior of its clients. Furthermore, we discuss how scan sequences identified in the trace can easily reveal the mapping from anonymized to real IP addresses.
UK citizens will be tracked by RFID tags embedded in their clothes and have their movements monitored by unmanned "flying eyes in the sky" using facial recognition systems within 10 years, the nation's data protection watchdog has claimed.
In a new report entitled A Surveillance Society, information commissioner Richard Thomas predicts a world in 2016 where technology is extensively and routinely used to track and record people's activities and movements.
Tech presents legal system with 'tremendous curves'
30th, October, 2006
A legal system rife with outdated laws never designed to cope with such new technologies as VOIP is just one of the worries facing Stephen Treglia, chief of the technology crime unit in the district attorney's office of New York's Nassau County.