Get the LinuxSecurity news you want faster with RSS
Powered By
Linux Security Week: December 3rd, 2007
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, perhaps the most interesting articles include "Flaws found in OpenSSL encryption module," "Tips for Taming SELinux," and "Review: 7 Linux/BSD Firewalls."
Linux+DVD
Magazine Our magazine is read by professional network and database administrators,
system programmers, webmasters and all those who believe in the power of Open
Source software. The majority of our readers is between 15 and 40 years old.
They are interested in current news from the Linux world, upcoming projects
etc.
In each issue you can find information concerning typical use of Linux: safety,
databases, multimedia, scientific tools, entertainment, programming, e-mail,
news and desktop environments.
LinuxSecurity.com
Feature Extras:
Master's Student: Social Engineering is not just a definition! - We are happy to announce a new addition to the Linux Security Contributing Team: Gian G. Spicuzza. Currently a Graduate Student pursuing a Masters Degree in Computer Security (MSIA), Gian is a certified Linux/Unix administrator, the lead developer for the OSCAR-Backup System (at Sourceforge.com) and has experience in a variety of CSO, Management and consulting positions.
His first topic is a quick foray into the world and psychology of Social Engineering:
All the security in the world isn't going to stop one of your employees or coworkers from giving up information. Just how easy is it?
Craig never worked for Linda's company, nor did he call from IT. Craig was an unethical hacker who just gained unauthorized access to her account. Why? Because a phone call is simple.
Read on to see just how easy businesses can be exploited.
Review: Linux Firewalls - Security is at the forefront of everyone's mind and a firewall can be an integral part of your Linux defense. But is Michael's Rash's "Linux Firewalls," the newest release from NoStarchPress, up for the challenge? Eckie S. here at Linuxsecurity.com gives you the low-down on this newest addition to the Linux security resource library and how it's one of the best ways to crack down on attacks to your Linux network.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline.
EnGarde Secure Community v3.0.17 Now Available (Oct 9)
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.17 (Version 3.0, Release 17). This release includes many updated packages and bug fixes, some feature enhancements to Guardian Digital WebTool and the SELinux policy, and a few new features.
In distribution since 2001, EnGarde Secure Community was one of the very first security platforms developed entirely from open source, and has been engineered from the ground-up to provide users and organizations with complete, secure Web functionality, DNS, database, e-mail security and even e-commerce.
The OpenSSL library of encryption algorithms has just been patched by the OS Software Institute. This open source module has been utilized at many government agencies, and is an interesting example of two things: the effectiveness of Open Source technologies in the most demanding environments and how the kind of work that still needs to be done in the government sector regarding secure Internet infrastructure:
"For FIPS 140-2 validated software no changes are permitted without prior CMVP approval so neither of these patches can be applied to the v1.1.1 distribution for the purposes of producing a validated module," Steve Marquess of OSSI said in the announcement of the patches.
That means that for the time being federal users must continue using the flawed software or patch it and go out of compliance.
Ten Firefox Extensions to Keep Your Browsing Private and Secure (Nov 29)
Most people lock their doors and windows, use a paper shredder to protect themselves from identity theft, and install antivirus software on their computers. Yet they routinely surf the Internet without giving a second thought to whether their browser is secure and their personal information safe. Unfortunately, it's easy for someone with nefarious intentions to use a Web site to glean data from -- or introduce spyware to -- your computer. Even worse, sometimes all you have to do is randomly click on a site to have your data probed in a most unwelcome way.
Any tools which helps my security and privacy while surfing the Internet is worth looking at. There are many Firefox extensions which can improve your privacy and security on the Net. This articles talks about 10 such tools.
Matt Asay: Microsoft FUDwatch on Windows vs. Linux security (Nov 29)
Matt Asay, one of the staples of Open Source, has provided some interesting insight into a recent article my Microsoft regarding the level of security in Linux:
It's amusing to watch Microsoft attempt to claim the moral high ground with security. Pat Edmonds, Senior Product Manager for Microsoft, writes that the "many eyes makes all bugs shallow" aspect of open source doesn't work for security, and points to several studies that purportedly confirm that Windows is more secure than Linux...
Handful of Bugs Squashed in Firefox Security Fix (Nov 28)
Mozilla has released an update to its Firefox browser, fixing a widely publicized flaw in the open-source software. The 2.0.0.10 update fixes a handful of memory corruption flaws that crash Firefox, and a cross-site request forgery flaw that could give attackers a way to get unauthorized access to certain Web sites.
But the most anticipated bug fix in this release addresses a problem in the way Firefox processes files that are compressed using the .jar (Java Archive) format.
What's your opinion on how browsers like Firefox handles special Web links that are used to execute possibly harmful application? Are they doing enough to help prevent these types of attacks?
Wanted to learn a few more tips on SELinux and get a feel for what it does? Carla Schroeder chimes in again regarding SELinux as a whole and its policies:
An SELinux policy has no concept of an all-powerful superuser, but only what is allowed and what is not allowed. It takes away the destructive potential of root. A successful intrusion will be confined to the process that it compromises, and will not be able to escalate beyond it. Sounds a bit like a chroot jail, doesn't it?
Mayank Sharma, the Linux and security blogger, gives a great quick overview of things to look forward to in regards to Fedora's emphasis on security:
One security enhancements that users will run into is the all-new Firewall configuration tool (system-config-firewall). It's easier to use and has a polished interface compared to the old tool (system-config-securitylevel). You can also now securely manage your virtual machines from a remote host since the libvirt Xen and KVM management API in F8 use SSL/TLS encryption and x509 certificates for client authentication.
A new blogger to the Linux Security space (he switched months ago), the owner of Fsckin w/linux took a trip to test Firewalls and Linux. From IPCop to Smoothwall to the 8MB Monowall, he compares and contrasts the value of each platform - but with a catch.
The HP Vectratesting platform we are using today is an HP Vectra slimline PC. Considering the computer was FREE (as in beer) after a company upgraded their workstations, the specifications are nothing to scoff at.
* Pentium III 500 MHz * 192MB of RAM * 1GB Transcend disk-on-chip IDE module * Dual 100Mbps NICs
