Linux Security Week: April 21st, 2008
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, perhaps the most interesting articles include "Java Web Application Security Framework," "Malicious Microprocessor Opens New Doors for Attack," and "Creating a VPN with Tinc."
LinuxSecurity.com Feature Extras:
Review: The Book of Wireless - "The Book of Wireless" by John Ross is an answer to the problem of learning about wireless networking. With the widespread use of wireless networks today, anyone with a computer should know at least the basics of wireless, and users also need to know how to protect themselves from attacks on wireless networks.
Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.
EnGarde Secure Community 3.0.19 Now Available! (Apr 15)
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.19 (Version 3.0, Release 19). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy.
HDIV - Java Web Application Security Framework (Apr 18)
HDIV (HTTP Data Integrity Validator) is a Java web application security framework. HDIV extends a web application's behaviour by adding security functionality while preserving the API and the framework specification. This means HDIV can be used in applications developed with Struts 1.x, Struts 2.x, Spring MVC and JSTL transparently to the programmer and without adding complexity to application development. It is also possible to use HDIV in applications that do not use Struts 1.x, Struts 2.x, Spring MVC or JSTL, but in that case the application's JSP pages must be modified.
What do you think the state of Java web security is? If you do any Java web development, you might want to take a look at HDIV (HTTP Data Integrity Validator). This article explains what this security framework can do.
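The idea behind an HTTP data integrity validator is that the server already knows every link and form it rendered, so any parameter the client sends back can be checked against the value the server emitted, and only fields the user is meant to type into need to be validated by rule instead of by value. The following is an added Python sketch of that scheme written for this newsletter; it is not HDIV's code or API. The class, the `_STATE` parameter name, the session identifiers and the sample `/account` link are assumptions made for the example.

```python
import re
import secrets
import urllib.parse


class IntegrityValidator:
    """Server-side HTTP data integrity validation (constructed example, not HDIV).

    When a page is rendered, every link or form gets a random state id and the
    server records which parameter values it emitted and which fields the user
    may edit. On the next request the state id is looked up, non-editable
    parameters must match exactly, editable ones must pass a whitelist rule, and
    any parameter the server never emitted is rejected.
    """

    STATE_PARAM = "_STATE"  # assumed name for the state id query parameter

    def __init__(self):
        # state id -> (owning session id, fixed parameters, editable field names)
        self._states = {}

    def render_link(self, session_id, path, fixed, editable=()):
        """Build a link the server is about to emit and remember its state."""
        state_id = secrets.token_urlsafe(16)
        self._states[state_id] = (session_id, dict(fixed), frozenset(editable))
        query = urllib.parse.urlencode({**fixed, self.STATE_PARAM: state_id})
        return f"{path}?{query}"

    def validate(self, session_id, url, editable_rule=r"[\w @.-]{0,64}"):
        """Return (ok, reason) for a request URL received from the client."""
        query = urllib.parse.urlparse(url).query
        received = dict(urllib.parse.parse_qsl(query, keep_blank_values=True))
        state = self._states.get(received.pop(self.STATE_PARAM, None))
        if state is None:
            return False, "missing or unknown state id"
        owner, fixed, editable = state
        if owner != session_id:
            # A state id lifted from another user's page must not be replayable.
            return False, "state id belongs to another session"
        for name, value in received.items():
            if name in fixed:
                if value != fixed[name]:
                    return False, f"non-editable parameter {name!r} was modified"
            elif name in editable:
                if re.fullmatch(editable_rule, value) is None:
                    return False, f"editable parameter {name!r} failed validation"
            else:
                return False, f"unexpected parameter {name!r}"
        missing = sorted(set(fixed) - set(received))
        if missing:
            return False, f"missing parameters {missing}"
        return True, "ok"


def demo():
    """Exercise the validator on a constructed link and some tampered copies."""
    v = IntegrityValidator()
    link = v.render_link("sess-1", "/account",
                         {"id": "42", "action": "view"}, editable=["note"])
    return {
        "untouched": v.validate("sess-1", link)[0],
        "tampered_id": v.validate("sess-1", link.replace("id=42", "id=43"))[0],
        "other_session": v.validate("sess-2", link)[0],
        "editable_ok": v.validate("sess-1", link + "&note=hello")[0],
        "editable_bad": v.validate("sess-1", link + "&note=%3Cscript%3E")[0],
        "extra_param": v.validate("sess-1", link + "&admin=1")[0],
        "no_state": v.validate("sess-1", "/account?id=42&action=view")[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Two design points matter in practice: the recorded state must be bound to the session that rendered the page, otherwise a state id copied from one user's page lets another user replay those parameters, and the per-session state store must be bounded (expire old pages) or it becomes a memory-exhaustion target.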
Prediction: The RSA Conference Will Shrink Like a Punctured Balloon (Apr 17)
Last week was the RSA Conference, easily the largest information security conference in the world. More than 17,000 people descended on San Francisco's Moscone Center to hear some of the more than 250 talks, attend I-didn't-try-to-count parties, and try to evade over 350 exhibitors vying to sell them stuff.
Talk to the exhibitors, though, and the most common complaint is that the attendees aren't buying.
Schneier makes an interesting comparison of anti-lock brakes to security products near the end of the article that sheds new light on how the security industry is evolving. Do you feel this is for better or worse?
Openwall Announce Community Resources: Oss-security, oCERT, Xvendor (Apr 17)
Solar Designer of the Openwall project announced some interesting news about the project: Openwall has joined the oCERT project, which is an important development for Linux security. Solar Designer is the creator of the popular John the Ripper password cracker and has developed many of the Openwall projects. He is one of the key players in making open source security so successful.
We have joined the oCERT project (the Open Source Computer Emergency Response Team), in two ways: I serve on the advisory board of oCERT, and Openwall is a registered public member of oCERT such that we can be sure to receive notification of vulnerabilities pertaining to our software (and, far more likely, to third-party software that we redistribute as a part of Openwall GNU/*/Linux) that will be handled via oCERT. Other Open Source projects are welcome to register with oCERT, too. (We're also a member of oss-security and vendor-sec, and are registered with the CERT/CC.) The website for oCERT is:
Malicious Microprocessor Opens New Doors for Attack (Apr 16)
For years, hackers have focused on finding bugs in computer software that give them unauthorized access to computer systems, but now there's another way to break in: Hack the microprocessor.
On Tuesday, researchers at the University of Illinois at Urbana-Champaign demonstrated how they altered a computer chip to grant attackers back-door access to a computer. It would take a lot of work to make this attack succeed in the real world, but it would be virtually undetectable.
It is somewhat beside the point that the article notes the system was "running the Linux operating system". Regardless of the OS, a hardware-level backdoor such as this poses a far bigger threat than any weakness in OS security, because no software on the machine can be trusted to detect it. Although this kind of attack is much harder to deploy than a software exploit, the article describes some interesting scenarios for how it could be carried out.
Perhaps someday it will be considered discrimination against a sentient, but these days a way to distinguish between programs and humans is required for many web-based applications. Keeping spambots from posting comments in weblogs or other bots from signing up for a web service are two of the most common applications for separating humans and bots. As has often been the case in the past, though, when the stakes are high enough, attackers will find ways to circumvent barriers like this.
How secure do you think the CAPTCHA on your website is? Do you think it can be improved? This article goes into detail on some of the security issues with CAPTCHA technologies.
sqlninja 0.2.2 Released for Download - SQL Injection Tool (Apr 15)
Sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.
With features such as evasion techniques, a more sophisticated upload module, and automatic URL-encoding, why not take a look at Sqlninja and see if your DB is secure today?
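The remote shell that sqlninja automates only exists because the application splices client input into SQL text. The added example below was written for this newsletter and is not taken from sqlninja; it contrasts that vulnerable pattern with a parameterised query, using Python's sqlite3 so it runs offline. The users table, credentials and payloads are constructed. The xp_cmdshell payload is built to show the stacked-query technique used against MS SQL Server but is not executed, since sqlite3 refuses more than one statement per call.

```python
import sqlite3


# Constructed sample data: a tiny users table standing in for a web
# application's database back-end. sqlite3 keeps the example offline; the
# vulnerable pattern is the same on MS SQL Server.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return db


def build_vulnerable_query(username, password):
    # Deliberately vulnerable: the client's input becomes part of the SQL text,
    # so a single quote ends the string literal and the rest is parsed as SQL.
    return ("SELECT username FROM users WHERE username = '%s' "
            "AND password = '%s'" % (username, password))


def login_vulnerable(db, username, password):
    row = db.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    # Parameterised query: values travel separately from the SQL text, so the
    # driver never parses the input as SQL whatever characters it contains.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


# Authentication bypass: close the literal, OR in a tautology, comment out
# the password check.
BYPASS = "alice' OR '1'='1' --"

# Stacked-query payload of the kind an MS SQL Server tool uses to reach the OS:
# terminate the intended statement and append EXEC xp_cmdshell. Constructed
# illustration; it is built but deliberately not run here.
STACKED = "x'; EXEC master..xp_cmdshell 'whoami' --"


def demo():
    db = make_db()
    stacked_sql = build_vulnerable_query(STACKED, "wrong")
    try:
        db.execute(stacked_sql)
        stacked_ran = True
    except (sqlite3.Warning, sqlite3.Error):
        # sqlite3 executes one statement per call; SQL Server would run both,
        # which is exactly what gives a remote shell when xp_cmdshell is enabled.
        stacked_ran = False
    return {
        "vulnerable_bypass": login_vulnerable(db, BYPASS, "wrong"),
        "safe_bypass": login_safe(db, BYPASS, "wrong"),
        "safe_legit": login_safe(db, "alice", "correct-horse"),
        "stacked_sql": stacked_sql,
        "stacked_ran_on_sqlite": stacked_ran,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practitioner's checks follow from the two halves: every query that touches client input should use bound parameters, and on SQL Server the xp_cmdshell procedure should stay disabled and the application's database login should not be a member of sysadmin, so that even a successful injection cannot be turned into a shell.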
In this article by David Mercer, we will look at an entirely different aspect of running a Drupal website. Once we have added the functionality to the site, we now have to give some thoughts about how this functionality is to be accessed, or by whom. As the site grows, you will most likely feel the need to delegate certain responsibilities to various people. Alternatively, you might organize a team of people to work on specific aspects of the site. Whatever is required, at some stage you will have to make decisions about who can do what, and Drupal makes sure that it is possible to do precisely this.
This article on access control in Drupal has many similarities to implementing policies in SELinux. For those of you who are new to SELinux and are unsure how "it works", this article may provide insight through a practical example of roles and permissions in the microcosm of a CMS.
With tinc you can create a virtual private network (VPN) that lets you communicate between two machines over an insecure network such as the Internet with all of your traffic encrypted between the hosts on your virtual network.
Another interesting application for tinc is connecting your laptop to a Wi-Fi router at home. You might already be using WPA2 to ensure that only valid hosts can connect and communicate with your Wi-Fi router, but you might not be able to assign a fixed address to the laptop when it is connected over Wi-Fi. So if you want to connect to an SSH daemon on the laptop itself or access an NFS share on the laptop, you have to play guessing games as to which IP address the Wi-Fi router has given the laptop this time. Running tinc on the laptop and a server at home removes the guessing game -- just connect to the laptop's VPN IP address.
This is an interesting article for anyone who is thinking about setting up a VPN. It describes how to do so with a tool called tinc.
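As an added example for the two-node scenario described above (not taken from the article or from the tinc project), the Python below writes the standard tinc 1.0 configuration layout for a home server that accepts connections and a laptop that connects to it. The network name `home`, the node names `server` and `laptop`, the public hostname `home.example.org`, and the VPN addresses 10.0.0.1 and 10.0.0.2 are assumptions made for the example.

```python
import os

# Assumed, constructed values for the two-node scenario in the article.
NETNAME = "home"
SUBNET_MASK = "255.255.255.0"


def tinc_conf(name, connect_to=None):
    """Contents of /etc/tinc/<net>/tinc.conf for one node."""
    lines = [f"Name = {name}", "Device = /dev/net/tun", "AddressFamily = ipv4"]
    if connect_to:
        # Only the laptop initiates; the home server just listens (port 655).
        lines.append(f"ConnectTo = {connect_to}")
    return "\n".join(lines) + "\n"


def host_file(vpn_ip, public_address=None):
    """Contents of hosts/<name>: how to reach the node and which VPN address it
    owns. `tincd -n <net> -K` appends the node's RSA public key to its own hosts
    file; that file is then copied to every peer."""
    lines = []
    if public_address:
        lines.append(f"Address = {public_address}")
    lines.append(f"Subnet = {vpn_ip}/32")
    return "\n".join(lines) + "\n"


def tinc_up(vpn_ip):
    """tinc-up script that tincd runs when the tun interface comes up."""
    return f"#!/bin/sh\nifconfig $INTERFACE {vpn_ip} netmask {SUBNET_MASK}\n"


def node_files(name, vpn_ip, peers, connect_to=None, public_address=None):
    """Map of relative path -> contents for one node's /etc/tinc/<net>/ tree.
    `peers` lists (name, vpn_ip, public_address) for the other nodes; every
    node needs its own hosts file plus one for each peer it talks to."""
    files = {
        "tinc.conf": tinc_conf(name, connect_to),
        "tinc-up": tinc_up(vpn_ip),
        f"hosts/{name}": host_file(vpn_ip, public_address),
    }
    for peer_name, peer_ip, peer_address in peers:
        files[f"hosts/{peer_name}"] = host_file(peer_ip, peer_address)
    return files


def write_node(root, files):
    """Write the tree under root (use /etc/tinc/<net> on the real host)."""
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        if rel == "tinc-up":
            os.chmod(path, 0o755)  # tincd executes this script


SERVER = ("server", "10.0.0.1", "home.example.org")  # fixed address at home
LAPTOP = ("laptop", "10.0.0.2", None)                 # roams, no fixed address


def both_nodes():
    """Configuration trees for both nodes, keyed by node name."""
    server_files = node_files("server", SERVER[1], peers=[LAPTOP],
                              public_address=SERVER[2])
    laptop_files = node_files("laptop", LAPTOP[1], peers=[SERVER],
                              connect_to="server")
    return {"server": server_files, "laptop": laptop_files}


if __name__ == "__main__":
    import tempfile
    out = tempfile.mkdtemp()
    for node, files in both_nodes().items():
        write_node(os.path.join(out, node, NETNAME), files)
    print("wrote configs under", out)
```

After placing each tree at /etc/tinc/home on its node, run `tincd -n home -K` on both to generate the RSA key pair (the public key is appended to that node's hosts file), copy each hosts file to the other node, and start `tincd -n home` on both. Because the laptop's VPN address is fixed in its hosts file, `ssh 10.0.0.2` works whatever address the Wi-Fi router handed out this time, which is the article's point. Note that the laptop's hosts file has no Address line: only the server needs to be reachable from outside.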