Get the LinuxSecurity news you want faster with RSS
Powered By
Linux Security Week: May 19th, 2008
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, perhaps the most interesting articles include "Strong passwords no panacea as SSH Brute-Force Attacks Rise," "GPG-Based Password Wallet," and "Open Source Security Myths Dispelled."
Linux+DVD
Magazine Our magazine is read by professional network and database administrators,
system programmers, webmasters and all those who believe in the power of Open
Source software. The majority of our readers is between 15 and 40 years old.
They are interested in current news from the Linux world, upcoming projects
etc.
In each issue you can find information concerning typical use of Linux: safety,
databases, multimedia, scientific tools, entertainment, programming, e-mail,
news and desktop environments.
LinuxSecurity.com
Feature Extras:
Review: The Book of Wireless - “The Book of Wireless” by John Ross is an answer to the problem of learning about wireless networking. With the wide spread use of Wireless networks today anyone with a computer should at least know the basics of wireless. Also, with the wireless networking, users need to know how to protect themselves from wireless networking attacks.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline.
EnGarde Secure Community 3.0.19 Now Available! (Apr 15)
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.19 (Version 3.0, Release 19). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy.
Tools circulate that crack Debian, Ubuntu keys (May 16)
A recently disclosed vulnerability in widely used Linux distributions can be exploited by attackers to guess cryptographic keys, possibly leading to the forgery of digital signatures and theft of confidential information, a noted security researcher said today.
As a tie-in to previous stories posted about Debian's SSL flaws, this article reveals reknown security expert HD Moore's views on the situation. He also provides suggestions on how to properly respond to the flaw and gives advice on whom should be concerned and what patches should be applied.
Strong passwords no panacea as SSH Brute-Force Attacks Rise (May 16)
Thanks to the end-of-term for many colleges and some K12 schools, brute-force attacks against SSH servers surged sharply this past weekend, according to the SANS Internet Storm Center. The sudden jump in SSH attacks merits a re-examination of how such servers should be properly secured. Jim Owens and Jeanna Matthews of the Department of Computer Science at Clarkson University have published a paper on the methods that such attacks frequently employ and on the best ways to defeat them.
Brute-force attacks gets a lot of attention in the press but do we really need to study it? Yes, with botnet and more powerful computers it makes brute-force attacks more affective. However, if users use strong passwords then the likely hood that they will be hacked by this type of attack goes down drastically.
I am assuming that you already know how to set up an encrypted file system using cryptsetup with luks (or something else). There are several howtos. I am also assuming that you are familiar with LVM2.
This tutorial deals only with how to add an extra encrypted physical volume to a volume group pool containing other encrypted physical volumes. This is typical scenario if, at first, you have set up your encryption at a physical partition level (/dev/sdaX where X is the a number of your partition), then you setup your LVM on top of the encrypted partition. If at some later time you want to add another partition in your volume group, you will also want to have it encrypted in order to maintain the same level of security. In order for your machine to boot, initramfs needs to be able to unlock both PVs in order to reconstruct the entire volume group where your root lv is lying.
For those of you familiar with LVM2 and looking to securely encrypt data on your logical volumes, this article provides a great step-by-step tutorial on how to do so. This implementation requires passwords to be typed for each volume - maybe you can let us know how this would be done with a keyfile?
Like many Internet addicts, I have way too many user name/password accounts to remember: accounts on social-networking sites, rarely used logins at work, on-line banking and so on. One solution to this problem is to use the same user name and password everywhere, but that's clearly not safe; if people get a hold of your account information in one place, they own all your other accounts too.
I wanted a relatively safe, flexible and easy way to store passwords and other useful confidential information. I also wanted it to be easily accessible, which meant that I'd like to get at it over a text-only SSH connection. And, I wanted it to be something that could move around from machine to machine without too much trouble.
This article looks at ways of storing passwords securely. With all those password we have to remember it's a good securely practice to store them encrypted.
Most of todays tools for fingerprinting are focusing on server-side services. Well-known and widely-accepted implementations of such utilities are available for http web services, smtp mail server, ftp servers and even telnet daemons. Of course, many attack scenarios are focusing on server-side attacks.
This implementation of client-side fingerprinting utilizes PHP to identify browsers by http requests. See how this application fares against other fingerprinting utilities that analyze header lines and values.
The decision to deploy proprietary, rather than open source security solutions (OSS), is often influenced by some commonly held perceptions.
Many IT professionals can’t seem to shake off the belief that OSS is inherently risky unreliable and complex. I am going to examine the most common of these perceptions to highlight how the facts are very often the exact opposite to what people believe.
This article looks at myths that people think about open source security. It brings up some good points. What do you think is the state of open source security?
Debian: New Openssl Packages Fix Predictable Random Number Generator (May 13)
Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.
For anyone using Debian-based systems, please read on for further information on this important matter. 'Predictable' is one word you never want to use to describe OpenSSL.
FBI Issues Warning About Vulnerability of Wi-Fi Hotspots (May 13)
The FBI issued an alert this week warning that wireless Internet networks, often called Wi-Fi hotspots, are more vulnerable to hackers than most users probably realize.
In South Florida, Wi-Fi hotspots are at airports, fast food restaurants, bookstores, coffee shops, sports bars, school campuses, malls, supermarkets -- just about everywhere. Several cities and neighborhoods in the region plan to eventually install networks for residents, too.
How secure do you think is your local hotspot? Do you trust it to do your finances or other personal tasks via a coffee shop Wi-Fi access point?
