RFID with Bio-Smart Card in Linux - In this paper, we describe the integration of a fingerprint template and an RF smart card for a clustered network, designed on the Linux platform with open source technology to obtain biometric security. The combination of smart card and biometrics achieves two-step authentication: the smart card is authenticated with a Personal Identification Number (PIN), and the card holder is authenticated against the fingerprint template stored in the smart card, using fingerprint verification. The fingerprint verification has to be executed on a central host server for security purposes. The protocol designed allows control of all parameters of the smart security controller, such as PIN options, reader delay, real-time clock, alarm option and cardholder access conditions.
pgp Key Signing Observations: Overlooked Social and Technical Considerations - While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.
Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.
Employers To Seek More Security Talent In '07
22nd, December, 2006
Information security will never go out of style. As long as companies have computing infrastructure, security professionals will be needed to ward off dangers. But like all other IT careers, the market demands wax and wane and the requirements change. Experts say spending on security will continue to rise – and specialization, compliance knowledge and documented work experience are in demand.
In the spirit of our past work, our commitment to science and research, and our desire to help others, we have also decided to put the text of the book online for free. Addison-Wesley was also kind enough to permit us to put up our final HTML drafts that we sent to the publisher; minus the final formatting and a few minor changes, these should be very close to the book version and are suitable for printing, grep'ing, and the like. We will put up the final PDF version in the future as well.
We hope you find this useful; in addition to current owners, all of this might be useful for those who cannot afford the printed version, would like to check it out without taking the fiscal plunge, or are just cheap.
Can security pros become champions for trust in their organizations? A recent study conducted by Ponemon Institute and sponsored by Unisys revealed that IT security professionals -- unlike their colleagues in non-IT business functions -- believe that strengthening the security of sensitive data is critical to building trusted relationships with customers, employees, investors, and other constituents. The Trusted Enterprise Survey was conducted to understand what business leaders and IT security professionals believe are essential elements of a trusted enterprise. The survey provides an objective measure, called the Trusted Enterprise Index, on how these opinion leaders and the public view an organization’s trustworthiness for providing a safe and secure operating environment for its key constituents.
As consumers experiment with the Linux operating system and consider switching from Windows, the first carryover they expect to find is applications for virus and spyware protection. However, few exist because Linux does not need them. Nearly all Linux distributions bundle a firewall package, but they don't include other intrusion protection software. That does not mean that Linux users are completely worry free about the security concerns of Windows and Mac platform users. However, the risk level from e-mail attachments, viruses and worms is practically nil.
Consider this scenario... Your machine running GNU/Linux has been penetrated by a hacker without your knowledge and he has swapped the passwd program which you use to change the user password with one of his own. His passwd program has the same name as the real passwd program and works flawlessly in all respects except for the fact that it will also gather data residing on your machine such as the user details each time it is run and transmit it to a remote location or it will open a back door for outsiders by providing easy root access and all the time, you will not be aware of its true intention. This is an example of your machine getting rooted - another way of saying your machine is compromised. And the passwd program which the hacker introduced into your machine is a trojaned rootkit.
Forensically Unrecoverable Hard Drive Data Destruction
23rd, December, 2006
Hard disk drives are called by that name because they are not floppy (as in floppy disk drives). They are organized as a concentric stack of disks or 'platters'. Each platter has two surfaces (although in practice the outer surfaces on the top and bottom of the stack are often unused because of physical space considerations), and each has its own read/write head (which reads and writes data magnetically on the surface). The data is stored on concentric circles on the surfaces known as tracks. Corresponding tracks on all surfaces on a drive, when taken together, make up a cylinder. Since an individual data block is one sector of a track, blocks can be addressed by specifying the cylinder, head and sector numbers of the block ('CHS'). A sector is the smallest addressable unit of storage space on a hard drive, and holds 512 bytes of data (Koehler, 2002).
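The CHS scheme described above, worked through as an added example (not code from the article): a converter between cylinder/head/sector triples and linear block addresses, with the byte offset a sector occupies in a raw drive image. The drive geometry is a constructed value, not one from the article.

```python
# Added example, not from the article: CHS <-> LBA conversion for the
# cylinder/head/sector addressing described above. Geometry is constructed.
from dataclasses import dataclass

SECTOR_BYTES = 512  # sector size as stated in the article


@dataclass(frozen=True)
class Geometry:
    cylinders: int
    heads: int              # one read/write head per used surface
    sectors_per_track: int  # CHS numbers sectors from 1, not 0


def total_sectors(geo: Geometry) -> int:
    return geo.cylinders * geo.heads * geo.sectors_per_track


def chs_to_lba(geo: Geometry, c: int, h: int, s: int) -> int:
    """Map a (cylinder, head, sector) triple to a linear block address.

    Tracks are laid out cylinder by cylinder, then head by head, so every
    surface's track at one radius is contiguous in LBA space.
    """
    if not 0 <= c < geo.cylinders:
        raise ValueError(f"cylinder {c} out of range")
    if not 0 <= h < geo.heads:
        raise ValueError(f"head {h} out of range")
    if not 1 <= s <= geo.sectors_per_track:
        raise ValueError(f"sector {s} out of range (sectors start at 1)")
    return (c * geo.heads + h) * geo.sectors_per_track + (s - 1)


def lba_to_chs(geo: Geometry, lba: int) -> tuple[int, int, int]:
    """Inverse of chs_to_lba; rejects addresses past the end of the drive."""
    if not 0 <= lba < total_sectors(geo):
        raise ValueError(f"LBA {lba} beyond drive capacity")
    s = lba % geo.sectors_per_track + 1
    track = lba // geo.sectors_per_track
    return track // geo.heads, track % geo.heads, s


def byte_offset(geo: Geometry, c: int, h: int, s: int) -> int:
    """Where a sector sits in a raw (dd-style) image of the whole drive."""
    return chs_to_lba(geo, c, h, s) * SECTOR_BYTES


def cylinder_span(geo: Geometry, c: int) -> range:
    """LBA range making up one cylinder: the track at radius c on every
    surface. Handy for reasoning about what a single cylinder holds."""
    first = chs_to_lba(geo, c, 0, 1)
    return range(first, first + geo.heads * geo.sectors_per_track)


if __name__ == "__main__":
    # Constructed geometry: 1024 cylinders x 16 heads x 63 sectors/track.
    geo = Geometry(cylinders=1024, heads=16, sectors_per_track=63)
    print(total_sectors(geo) * SECTOR_BYTES // 2**20, "MiB")
    print(chs_to_lba(geo, 1, 0, 1), lba_to_chs(geo, 1008))
```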
If you're talking over your IP network right now, then voice-over-IP should be at the top of your security priorities for next year. Securing enterprise IP voice hasn't been on most organizations' radar screens, mostly because VOIP so far hasn't been a popular target of attackers or bug hunters, nor have many organizations torn out their traditional voice systems altogether, anyway. But security experts say it's time to make VOIP security a priority.
Within one week's time, we stumbled across two different sites using cookies the wrong way. While the attack vectors were a bit different, both sites trusted the cookie data to secure their users’ accounts. Therefore, this week we are going to spend some time discussing cookies, when they should be used, and what can happen if they are misused. Before a web developer can understand the dangers associated with trusting cookies to store sensitive data, it is important to recognize what they are, and what they aren't. Specifically, a cookie is just a small text file that is stored on your computer by a specific website. Cookies are not programs, they can't read your personal data, and they don't cause spam. In fact, cookies can be very helpful if used within the correct context.
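The misuse the column describes, as an added example that is not from the column or from the sites it mentions: a login check that trusts a `user` cookie, shown beside two safer designs, a server-side session keyed by an opaque random id and a cookie whose contents are protected by an HMAC. The account table, secret and cookie values are all constructed.

```python
# Added example, not from the column: a cookie that names the logged-in user
# (the misuse described above) beside two safer designs. All values constructed.
import base64
import hashlib
import hmac
import secrets
from typing import Optional

USERS = {"alice": "user", "root": "admin"}  # constructed account table
MAC_LEN = hashlib.sha256().digest_size      # 32 bytes


# --- Misuse: the server believes whatever the cookie says -----------------
def current_user_insecure(cookie: dict) -> Optional[str]:
    """Trusts cookie['user']; editing the cookie file makes you that user."""
    user = cookie.get("user")
    return user if user in USERS else None


# --- Fix 1: state stays server-side; the cookie holds only an opaque id ---
SESSIONS: dict = {}  # session id -> username, never leaves the server

def login_server_side(username: str) -> dict:
    sid = secrets.token_urlsafe(32)  # 256 random bits: not guessable
    SESSIONS[sid] = username
    return {"sid": sid}

def current_user_server_side(cookie: dict) -> Optional[str]:
    return SESSIONS.get(cookie.get("sid", ""))


# --- Fix 2: if data must ride in the cookie, sign it with a server secret -
SECRET = b"constructed-secret-load-from-config-not-source"

def sign_cookie(payload: bytes) -> str:
    """payload || HMAC-SHA256(payload), base64 so it fits in a Set-Cookie."""
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode("ascii")

def current_user_signed(cookie: dict) -> Optional[str]:
    """Accepts the username only if the MAC verifies; tampering yields None.
    Signing stops forgery, not disclosure: the payload is still readable."""
    try:
        raw = base64.urlsafe_b64decode(cookie.get("user", ""))
    except ValueError:  # bad base64 (binascii.Error is a ValueError)
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    user = payload.decode("utf-8", errors="replace")
    return user if user in USERS else None

def tampered(cookie_value: str, new_user: str) -> str:
    """Re-create the misuse for testing: rewrite the name inside a stored
    signed cookie while keeping the old MAC, so the check can reject it."""
    raw = base64.urlsafe_b64decode(cookie_value)
    return base64.urlsafe_b64encode(new_user.encode() + raw[-MAC_LEN:]).decode()
```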
When you use a system often, you tend to fall into set usage patterns. Sometimes, you do not start the habit of doing things in the best possible way. Sometimes, you even pick up bad practices that lead to clutter and clumsiness. One of the best ways to correct such inadequacies is to conscientiously pick up good habits that counteract them. This article suggests 10 UNIX command-line habits worth picking up -- good habits that help you break many common usage foibles and make you more productive at the command line in the process. Each habit is described in more detail following the list of good habits.
PCI Data Security Standard Calls for Next-Generation Network Security
16th, December, 2006
The widespread use of credit cards for virtually all of our financial transactions has increased exponentially with the rapid adoption of e-commerce throughout the worldwide economy. With the increased use of credit cards comes the increased risk of fraud through credit card information theft and misuse. Stolen credit card data now has a monetary value on the street, and determined thieves have capitalized on failures to protect the data networks of businesses that process credit card transactions. The need to secure credit card transaction data at every level of business has never been greater, and a new set of security and privacy requirements, known as the Payment Card Industry (PCI) Data Security Standard, has created a compliance challenge for all companies that accept credit cards.
As a fifty-something male, personal grooming takes on a whole new meaning. You realize that when you start typing "Botox" on Google that things are getting serious. Bottom line: how can I cover up the cracks brought upon by years of abuse and misuse? And it’s pretty much the same in most organisations. Years of abuse and misuse of privileges by staff, particularly in IT, eventually catch up with you, and it’s impossible to hide the telltale signs of wear and tear, particularly when it comes to controlling access to sensitive business assets. And the result is that eventually, if you don’t take steps to control things, you will be caught out. Like a bad nose job, or the untrimmed nostril, you will get caught out.
This week, an ex-employee of the financial company UBS PaineWebber was sentenced to eight years in prison and more than $3 million in restitution for planting a logic bomb in UBS's computer network in 2002. When the bomb went off, 1,000 computers lost critical files as the code started deleting data. The reportedly disgruntled employee, Roger Duronio, had counted on this causing the company's stock price to drop. He invested $23,000 in put option contracts, meaning he would've earned money from a hit to UBS stock. The stock price didn't budge after the attack. Duronio's logic bomb only earned him jail time and more money in payback than he could ever afford.
Universities have become attractive targets for hackers who are taking advantage of the openness of the schools' networks, their decentralized security and the personal information they keep on millions of young adults. A major database breach at the University of California, Los Angeles that went undetected for more than a year and a smaller breach at the University of Texas are the latest examples of how vulnerable colleges are to such attacks, security experts said.
Perhaps PHP should stand for Pretty Hard to Protect: A week after a prominent bug finder and developer left the PHP Group, data from the National Vulnerability Database has underscored the need for better security in PHP-based Web applications. A search of the database, maintained by the National Institute of Standards and Technology (NIST), found that Web applications written in PHP likely account for 43 percent of the security issues found so far in 2006, up from 29 percent in 2005. While flaws in the language itself account for a very small percentage of the total, the problems with PHP underscore the difficulty that developers--many of them amateurs--have in locking down applications written in the language, said Peter Mell, senior computer scientist for the NIST and the program manager for the National Vulnerability Database.
I discovered a URI called "data:" today which allows you to encode any amount of file data into a URL. This data could be an image, ascii text, xml data, you name it. You'll have to read the details, but you use it like this: data:image/jpeg;base64,base_64_encoded_jpeg_goes_here
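The `data:` scheme mentioned above, as an added example that is not from the post: a builder and a validating parser for `data:[<mediatype>][;parameters][;base64],<data>` URLs (the RFC 2397 form, which is what the `data:image/jpeg;base64,...` shape above is). The parser rejects malformed input and caps the decoded size, since the scheme lets arbitrarily large payloads arrive wherever a URL is accepted. Sample payloads are constructed.

```python
# Added example, not from the post: build and parse RFC 2397 "data:" URLs.
# Sample payloads are constructed.
import base64
import re
from dataclasses import dataclass
from urllib.parse import quote, unquote_to_bytes

_DATA_URI = re.compile(r"^data:(?P<meta>[^,]*),(?P<data>.*)$", re.DOTALL)
_MEDIATYPE = re.compile(r"[\w.+-]+/[\w.+-]+")


@dataclass(frozen=True)
class DataUri:
    mediatype: str  # e.g. "image/jpeg"; RFC default is text/plain
    params: dict    # e.g. {"charset": "US-ASCII"}
    payload: bytes


def make_data_uri(payload: bytes, mediatype: str = "text/plain",
                  *, use_base64: bool = True) -> str:
    """Encode bytes as a data: URL, base64 (binary) or percent-encoded."""
    if use_base64:
        return f"data:{mediatype};base64,{base64.b64encode(payload).decode('ascii')}"
    return f"data:{mediatype},{quote(payload, safe='')}"


def parse_data_uri(uri: str, max_bytes: int = 1 << 20) -> DataUri:
    """Decode a data: URL; raise ValueError on bad syntax, bad base64,
    an unparseable media type, or a payload larger than max_bytes."""
    m = _DATA_URI.match(uri)
    if not m:
        raise ValueError("not a data: URL")
    parts = m.group("meta").split(";")
    is_b64 = parts[-1].lower() == "base64"
    if is_b64:
        parts = parts[:-1]
    mediatype = parts[0] or "text/plain"
    if not _MEDIATYPE.fullmatch(mediatype):
        raise ValueError(f"bad media type {mediatype!r}")
    params = {}
    for p in parts[1:]:
        if "=" not in p:
            raise ValueError(f"bad parameter {p!r}")
        k, v = p.split("=", 1)
        params[k.lower()] = v
    if mediatype == "text/plain" and "charset" not in params:
        params["charset"] = "US-ASCII"  # RFC 2397 default
    raw = m.group("data")
    # validate=True rejects characters outside the base64 alphabet
    payload = base64.b64decode(raw, validate=True) if is_b64 else unquote_to_bytes(raw)
    if len(payload) > max_bytes:
        raise ValueError(f"payload of {len(payload)} bytes exceeds limit")
    return DataUri(mediatype, params, payload)


if __name__ == "__main__":
    jpeg_stub = b"\xff\xd8\xff"  # constructed: JPEG SOI marker only
    uri = make_data_uri(jpeg_stub, "image/jpeg")
    print(uri, parse_data_uri(uri).mediatype)
```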
Edward McNicholas, a litigator for law firm Sidley Austin, says that litigators' traditional tongue-in-cheek slogan is, "God bless the person who sues my client." Data breaches are a likely source of such blessings going into 2007. Here are three bits of privacy-related legalese that McNicholas says every business should understand.
Whether you're concerned about your employees' safety while doing business internationally, or you need to develop an effective disaster recovery strategy, we think these lists will help you. Need to know which countries have the most natural disasters? Want to know where your employees will be exposed to high risks of kidnapping? Which countries are rife with corruption? It's all here. Fourteen pages of global, security related risks with information that you need or never thought you did — until now.
Every organization sees security as an area where you can never have too much, but the cost of securing the network is effectively money lost. Security comes at a price, but the constant evolution of the threats means that both developers and end users must make major investments to keep pace.
Establish A Strategy For Security Breach Notification
21st, December, 2006
Even if your organisation takes every possible precaution to protect its data, a security breach is often inevitable. What do you do if it happens? Mike Mullins offers some pointers for notifying those affected. News broke recently about one of the largest known security breaches at a university. A database break-in at the University of California, Los Angeles has reportedly exposed the private information of about 800,000 people.
As I discussed several weeks ago, everyone's seen that there has been a massive surge in spam over the last couple of months. More researchers are weighing in on what's behind it. One point many sources make, and I made in my last column, is that there was a "Christmas Spike" last year too. Spam shot up roughly from November 2005 through January 2006 and then tailed off until the late '06 surge, yielding a bowl-shaped curve for the year.
Report: Spam, Phishing Attacks Growing More Sophisticated
19th, December, 2006
Though botnets have caused a large volume of junk email in recent months, security researchers are more alarmed at the rise in their level of sophistication, warning that targeted phishing attacks are making their way into corporate email servers. "They've reached a level of sophistication that we usually associate with commercial grade products," said Mark Sunner, chief security analyst at MessageLabs in New York. "We've seen the activity change and now botnets are spammed out in discrete chunks." In November, the global amount of spam in email traffic grew to nearly 90% of all global email traffic, according to statistics kept by MessageLabs. And that percentage is expected to hold in December. In addition, the vendor reported that 1 in 200 emails contained some type of phishing attack. MessageLabs said more than 68% of all malicious emails intercepted recently have been phishing attacks, a steady increase over the previous months.
In the information age, surveillance isn't just for the police. Marketers want to watch you, too: what you do, where you go, what you buy. Integrated Media Measurement, Inc. wants to know what you watch and what you listen to -- wherever you are.
They do this by turning traditional ratings collection on its head. Instead of a Nielsen-like system, which monitors individual televisions in an effort to figure out who's watching, IMMI measures individual people and tries to figure out what they're watching (or listening to).
A startup boasted on Tuesday that it had created a technology to recognize people's faces from photos posted online, causing a stir among some privacy advocates who worry about the implications of automated matching. The tool--from Swedish startup Polar Rose--converts two-dimensional images into three-dimensional profiles to compensate for colors and shadows and then applies a facial recognition algorithm to the result. The company is relying on its users to enter the names of known people into the database, turning a neat technological trick into valuable data.
To deal with the mounting copyright issues swirling around video and other content online, a start-up founded by some respected Silicon Valley executives is taking a novel approach: combing the entire Web for unauthorized uses. Privately held Attributor Corp. of Redwood City, Calif., has begun testing a system to scan the billions of pages on the Web for clients' audio, video, images and text -- potentially making it easier for owners to request that Web sites take content down or provide payment for its use. The start-up, which was founded last year and has been in "stealth" mode, is emerging into the public eye today, at a time when some media and entertainment companies' frustration with difficulties identifying infringing uses of their content online is increasing. The problem has intensified with the proliferation and increasing usage of sites such as Google Inc.'s YouTube, which lets consumers post video clips.
Agencies Waiting On Vendors For IPv6 Security Products
16th, December, 2006
With the deadline to move their network backbone to Internet Protocol Version 6 still about 18 months away, agencies’ biggest concern is whether the security industry will have enough products to support them. Three agency officials who are leading efforts to move to IPv6 today expressed concern over the lack of support from security vendors so far, and said federal agencies, such as the National Institute of Standards and Technology and the Defense Advanced Research Projects Agency, will have to provide seed money to move products along. “Security has not received the same focus as, say, routers,” said John McManus, Commerce Department deputy CIO and co-chairman of the IPv6 working group. “The Office of Management and Budget’s memo said the security must be at least the same, if not higher. If you can’t secure your network, you will not bring it online.”
Once again it is time to take note of those security blunders from the past year that have given us so many opportunities to learn from our mistakes. It has been a year rich in opportunity, with one lesson in particular being repeatedly hammered home. So the second annual Bonehead Award for Notable Failures in IT Security goes to all of those people who think it is productive to carry around sensitive data on portable devices.
I came across Attrition.org for the first time. I enjoyed the site though I am not an expert with computers. That brings me to my next point: I need to urgently make contact with a hacker that would be interested in doing a one-time job for me. The pay would be good. I'm not sure what exactly the job would entail with respect to computer jargon, but I can go into rough detail upon making contact with a candidate. Thanks for your help.