RFID with Bio-Smart Card in Linux - In this paper, we describe the integration of fingerprint templates and an RF smart card for a clustered network, designed on the Linux platform with open source technology to obtain biometric security. The combination of smart card and biometrics achieves two-step authentication: the smart card is authenticated with a Personal Identification Number (PIN), and the card holder is then authenticated by fingerprint verification against the biometric template stored on the smart card. For security reasons, the fingerprint verification is executed on the central host server. The protocol designed allows control of all parameters of the smart security controller, such as PIN options, reader delay, real-time clock, alarm option and cardholder access conditions.
pgp Key Signing Observations: Overlooked Social and Technical Considerations - While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to the actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.
Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital's multi-faceted security applications. More than just an email firewall, on-demand and scheduled scanning detects and disinfects viruses found on the network.
Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe, send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.
Earn an NSA recognized IA Masters Online - The NSA has designated Norwich University a Center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education, and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree without disrupting your career or home life.
Protect your home and business networks with the free, community version of EnGarde Secure Linux. Don't rely only on a firewall to protect your network, because firewalls can be bypassed. EnGarde Secure Linux is a security-focused Linux distribution made to protect your users and their data.
Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.
EnGarde Secure Community 3.0.11 Now Available
11th, December, 2006
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.11 (Version 3.0, Release 11). This release includes
several bug fixes and feature enhancements to the SELinux policy and
several updated packages.
Stefan Esser, PHP security specialist and member of the official PHP Security Response Team, has, he says, had enough: in his blog he has announced his immediate resignation from the PHP Security Response Team. He states that he has various reasons for doing so, the most important being that his attempt to make PHP safer "from the inside" is futile. According to Esser, as soon as you try to criticise PHP security you become persona non grata in the security team. In addition, many of his suggestions were ignored because the developers considered Esser's choice of words too abrasive. He says he had stopped counting the number of times he was called a traitor for publishing a bug report on a vulnerability in PHP.
Organizations saw an increase in targeted attacks in 2006 and a new survey shows the majority of IT professionals expect even more zero-day threats in 2007. PatchLink Corporation announced findings from a comprehensive customer survey addressing network attacks, Microsoft Vista and security plans for 2007. The survey was completed by more than 200 CIOs, CSOs, IT managers and network administrators across Europe, Asia Pacific and the United States.
Cryptography has a long and fascinating history. The most complete non-technical account of the subject is Kahn's The Codebreakers. This book traces cryptography from its initial and limited use by the Egyptians some 4000 years ago, to the twentieth century where it played a crucial role in the outcome of both world wars. Completed in 1963, Kahn's book covers those aspects of the history which were most significant (up to that time) to the development of the subject. The predominant practitioners of the art were those associated with the military, the diplomatic service and government in general. Cryptography was used as a tool to protect national secrets and strategies.
Set Up Ubuntu-Server 6.06 LTS As A Firewall/Gateway For Your Small Business Environment
10th, December, 2006
Needs very little maintenance and is extendable beyond your wildest imagination. All depending on the hardware used, of course. This is just a COPY&PASTE howto. For more info use the net. I did... However, contributions and suggestions are always welcome! I know this can be done better, so feel free. I should have based this tutorial on 6.06 LTS right away, because of the LTS. Sorry for that. Due to some minor but important changes needed to make this work with Ubuntu 6.06 LTS, I wrote it again.
This article addresses the role information security plays in an organization. Historically, organizations have deemed information security to be an information technology issue, one that the business as a whole did not need to address. Organizations have also treated information security as an add-on feature, almost an afterthought. Information security must become ingrained into the culture of the organization to ensure security compliance in all facets of the company. Organizations that are beginning to mature in information security may choose to investigate and implement established frameworks that support information security.
There's no dearth of Linux distributions to choose from. With so many to choose from, one might think it's as easy as picking up the Linux kernel, throwing in a few applications, setting up repositories, making ISOs, and you've got a shiny new Linux distro. Well, there's more to a Linux distro than assembling applications and making sure everything works. A lot of time and effort, at least for major distros, is spent on making the distribution secure and getting updates out in a timely fashion. To start with, all major distributions have security teams that collaborate with the main release team to ensure no vulnerable packages make their way into the final release.
Information Security – Whose Responsibility is It?
11th, December, 2006
Consumers of the global service we call the “Internet” are largely illiterate in the area of information security. The new order of global economy, open access to the Internet and a growing number of terrorist activities leaves us all open to a new kind of threat. The threat increases as more consumers gain access to the Internet and the number of radical groups with network security knowledge continues to grow. Consumer reactions to the gamut of activities that ranges from the invasion of privacy to information espionage has resulted in the passing of thousands of legislative laws which have been largely ineffective in deterring those who know how to get around security controls and cause harm.
Password Management Concerns with IE and Firefox, part one
13th, December, 2006
Internet Explorer and Firefox together amass roughly ninety-five percent of all browser market share. [ref 1] AutoComplete [ref 2] and Password Manager [ref 3] are the features that store web form usernames, passwords, and URLs for Internet Explorer (since version 4) and Firefox (since version 0.7), respectively. Each browser has helpful features that spare the user from having to remember different usernames and passwords used to authenticate to web sites. Thus when navigating to a URL such as http://www.gmail.com where form input fields are present, both IE and Firefox will prompt the user to save their username and password. When the user re-visits the same web site, the browser will automatically fill in the fields.
Password Management Concerns with IE and Firefox, part two
13th, December, 2006
Part one of this article concluded just after discussing two JavaScript attacks against web browsers. Readers should review part one before continuing with this article. We now continue the discussion by looking at more attacks on password managers. The author then addresses the remaining goals of the article, in particular how the use of password managers gives users a false sense of security, usability issues, and important mitigations and countermeasures. To maintain consistency, section numbers (5.1, 5.2, etc.) continue from where part one left off.
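Both parts above turn on the same mechanism: the browser fills saved credentials into any login form it finds on the site, and an attacker who can inject HTML into a page on that site (a profile page, a comment, a stored cross-site scripting hole) gets a form that the browser fills and that submits wherever the attacker chooses. The following is an added example, not code from the article or from either browser; the stored record, the policy functions and the sample forms are constructed for illustration. It models the decision a password manager makes before autofilling: a weak policy that only compares the page origin against the saved entry, beside a hardened policy that also requires the form's resolved action origin to match the one the credentials were saved for, and refuses javascript: actions and downgrades to plain http.

```javascript
// Added illustration (not from the article): how a browser password manager
// decides whether to autofill, and why matching the page origin alone is not
// enough once an attacker can inject a form onto the legitimate site.
//
// STORED, SAMPLE_FORMS and the policy names are constructed sample data for
// this example, not the data model of any real browser.

const STORED = {
  pageOrigin: "https://social.example",   // page where the user saved the login
  actionOrigin: "https://social.example", // where that login form submitted to
  username: "alice",
  password: "correct horse battery staple",
};

// Resolve a URL (possibly relative to the page) to its origin.
// Returns null for anything that is not http(s), e.g. javascript: or data:.
function originOf(url, base) {
  try {
    const u = new URL(url, base);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.origin;
  } catch {
    return null;
  }
}

// Weak policy: fill whenever the page origin matches the saved entry.
// An injected <form action="https://attacker.example/steal"> on the same
// page passes this check, gets the autofilled credentials, and submits
// them to the attacker as soon as the user (or a script) submits it.
function shouldFillWeak(pageUrl, formAction) {
  return originOf(pageUrl) === STORED.pageOrigin;
}

// Hardened policy: additionally require that the form's resolved action
// origin equals the origin the credentials were saved for, over https.
function shouldFillHardened(pageUrl, formAction) {
  if (originOf(pageUrl) !== STORED.pageOrigin) return false;
  const action = originOf(formAction || "", pageUrl); // empty action = page URL
  if (action === null) return false;                  // javascript:, data:, garbage
  if (!action.startsWith("https:")) return false;     // no downgrade to http
  return action === STORED.actionOrigin;
}

// Run both policies over every form found on the page.
function evaluate(pageUrl, forms) {
  return forms.map((f) => ({
    name: f.name,
    weak: shouldFillWeak(pageUrl, f.action),
    hardened: shouldFillHardened(pageUrl, f.action),
  }));
}

// Constructed forms: one genuine login plus three attacker-injected variants.
const SAMPLE_FORMS = [
  { name: "genuine login", action: "/login" },
  { name: "injected exfil form", action: "https://attacker.example/steal" },
  { name: "injected js action", action: "javascript:leak()" },
  { name: "downgrade to http", action: "http://social.example/login" },
];

for (const r of evaluate("https://social.example/profile/mallory", SAMPLE_FORMS)) {
  console.log(`${r.name.padEnd(22)} weak=${r.weak} hardened=${r.hardened}`);
}
```

The weak policy fills all four forms; the hardened one fills only the genuine login. Note what the hardened check does not solve: an injected form whose action is the site's own login endpoint is still filled, so a site that lets users inject markup remains exposed, and the action-origin check is a mitigation layered on top of fixing the injection, not a substitute for it.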
SCALE 5X, the 2007 Southern California Linux Expo has opened for attendee registration. Early bird registration runs through January 24th. Join us for over 40 seminars and tutorials. Presentations from Chris Dibona, Ted Haeger, Don Marti, and more! Expo floor will include exhibits by IBM, Dell, Google, Krugle, Ingres, Trolltech, and others. SCALE 5x will be held in Los Angeles, CA on Feb 10-11, 2007.
Websites are as vulnerable as ever, according to a survey of Web application security professionals who test sites for security holes. The survey, conducted by researcher Jeremiah Grossman on his blogsite, polled more than 60 security pros, 63 percent who work for vendors or consultants, 23 percent for enterprises, 5 percent for government, and 10 percent for other types of organizations. These are the guys in the trenches who hammer on Websites regularly -- 53 percent said all or almost all of their job is dedicated to Web app security (versus development, general security, and incident response); 28 percent said about half; and 20 percent said "some."
Code auditing firm Fortify Software announced on Monday that the company is teaming up with quality-testing project FindBugs to offer a free scanning service to any Java programmer aimed at automatically detecting quality defects and security bugs. The project, dubbed Java Open Review, will allow any project written in Java to be submitted by a contributor to be scanned using both Fortify's auditing tool and the FindBugs engine. The two organizations have already scanned ten open-source projects written in Java, including the Azureus Bittorrent application, the Zimbra Web e-mail server, and the Apache Tomcat Java server.
Eliminating Bugs and Security Vulnerabilities In Open Source Software
12th, December, 2006
The Java Open Review Project invites the open source software community to submit their Java software projects for a quality and security review. The efforts are being led by qualified volunteers using Fortify Source Code Analysis, the world's most proven and widely used source code security analysis solution, and FindBugs, which is used by nearly 300,000 developers at hundreds of leading global companies to find bugs in Java code.
Many firms still lag on disaster plans, BSI reveals
12th, December, 2006
Businesses have improved their disaster planning over the past year, but many are still putting themselves at risk unnecessarily, research by BSI British Standards has revealed.
The survey of 100 FTSE 250 organisations, released on the anniversary of the Buncefield oil depot disaster, found that only 20% of companies believe they could survive more than a week without serious disruption to their business following a disaster.
An OSINT conducted, a taxpayer's buck saved somewhere. Last week, the mainstream media was abuzz with the release of the first jihadist e-zine discussing hacking and information hiding, of course in between the lines of radical propaganda, whereas no one but the SITE institute was providing more information on the exact nature of the articles. So I decided to take a peek at the Technical Mujahid for myself, in order to break through the FUD, or not see the "threat sliced in pieces" by different news sources.
Very good article on various geopolitical issues related to the Middle East vs the West, and most importantly an overview of the current state of online jihad. Excluding webcasts, video howto's, and video games as a commodity in the big picture, what's left at the bottom line is easily accessible open source intelligence, and tactical warfare practices such as this one: "Some of the techniques of evasion are disarmingly simple. Rather than send emails, some jihadists simply write and save draft emails, storing them in an account with a password that's known to other members of the cell. Because they are never actually sent, they can't be detected by intelligence agencies."
"The first problem will come from AJAX's power to allow developers to create rich multimedia Web sites and applications. During 2007, developers will go so far overboard with AJAX sites that the entire World Wide Web will be forced to its knees. Sites will be overwhelmed with over-the-top advertisements, videos and GUI-like menus and windows. The headaches, frustrations and fits caused by all these flashing AJAX-enabled sites will drive users from the Web. You must warn Web developers to tone it down when it comes to adding AJAX capabilities to their Web sites."
PCI Data Security Standard Calls for Next-Generation Network Security
16th, December, 2006
The widespread use of credit cards for virtually all of our financial transactions has increased exponentially with the rapid adoption of e-commerce throughout the worldwide economy. With the increased use of credit cards comes the increased risk of fraud through credit card information theft and misuse. Stolen credit card data now has a monetary value on the street, and determined thieves have capitalized on failures to protect the data networks of businesses that process credit card transactions. The need to secure credit card transaction data at every level of business has never been greater, and a new set of security and privacy requirements, known as the Payment Card Industry (PCI) Data Security Standard, has created a compliance challenge for all companies that accept credit cards.
As a fifty-something male, personal grooming takes on a whole new meaning. You realize that when you start typing "Botox" on Google that things are getting serious. Bottom line: how can I cover up the cracks brought upon by years of abuse and misuse? And it's pretty much the same in most organisations. Years of abuse and misuse of privileges by staff, particularly in IT, eventually catches up with you, and it's impossible to hide the tell-tale signs of wear and tear, particularly when it comes to controlling access to sensitive business assets. The result is that if you don't take steps to control things, you will eventually be caught out. Like a bad nose job, or the untrimmed nostril, you will get caught out.
Agencies Waiting On Vendors For IPv6 Security Products
16th, December, 2006
With the deadline to move their network backbone to Internet Protocol Version 6 still about 18 months away, agencies’ biggest concern is whether the security industry will have enough products to support them. Three agency officials who are leading efforts to move to IPv6 today expressed concern over the lack of support from security vendors so far, and said federal agencies, such as the National Institute of Standards and Technology and the Defense Advanced Research Projects Agency, will have to provide seed money to move products along. “Security has not received the same focus as, say, routers,” said John McManus, Commerce Department deputy CIO and co-chairman of the IPv6 working group. “The Office of Management and Budget’s memo said the security must be at least the same, if not higher. If you can’t secure your network, you will not bring it online.”
Once again it is time to take note of those security blunders from the past year that have given us so many opportunities to learn from our mistakes. It has been a year rich in opportunity, with one lesson in particular being repeatedly hammered home. So the second annual Bonehead Award for Notable Failures in IT Security goes to all of those people who think it is productive to carry around sensitive data on portable devices.
"Hackers" are identified as a specific subgroup of computer workers. The history of the hacker community is told. The explicit and implicit ideologies expressed through hacking is analyzed and presented. Computer artifacts of origin both inside and outside the hacker community are compared and the embedded properties of the resulting artifacts are inferred. Hacking is discussed in the context of being a method for system development. Finally, it is argued that this system development method under certain circumstances may yield superior software artifacts.
The University of California, Los Angeles, said yesterday that hackers had gained access to a restricted university database, exposing the private information of 800,000 current and former faculty, staff and students.
U.C.L.A. said there was no evidence that any of the data had been misused, but it has contacted the Federal Bureau of Investigation, which is conducting an inquiry.
At the brand-new Hacker Academy, here in the Windy City, students learn about phishing schemes and ping sweeps, malware, firewall breaches, and the sort of advanced Google tricks that can quickly unearth classified documents.
But it's not nearly as shady as it sounds.
The academy doesn't teach people to be hackers, but to "think like hackers" — and perhaps to stay one step ahead of them. Students here graduate with certificates in "ethical hacking."
It sounds like something the MythBusters "Build Team" could have busted or confirmed in a couple of hours. Holiday decorations... Christmas lights, garland, those big blow-up snowmen... they're all putting the hurt on WiFi?
That's the word from AirMagnet, Inc., a company that develops and sells WiFi networking analysis and troubleshooting tools. The company says that it monitored office WiFi health before and after holiday decorations were deployed, and their survey found that Old Saint Nick has some splainin' to do.