Linux Security Week: June 9th, 2009
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas   
This week, perhaps the most interesting articles include "Virtualisation and security – the two-edged sword," "Seven Practical Ideas for Security Awareness" and "Security and regulatory concerns slow some server virtualization efforts."

Linux+DVD Magazine - Our magazine is read by professional network and database administrators, system programmers, webmasters and all those who believe in the power of Open Source software. The majority of our readers are between 15 and 40 years old. They are interested in current news from the Linux world, upcoming projects etc.

In each issue you can find information concerning typical use of Linux: safety, databases, multimedia, scientific tools, entertainment, programming, e-mail, news and desktop environments.


LinuxSecurity.com Feature Extras:

Review: Googling Security: How Much Does Google Know About You - If I ask "How much do you know about Google?" You may not take even a second to respond. But if I may ask "How much does Google know about you"? You may instantly reply "Wait... what!? Do they!?" The book "Googling Security: How Much Does Google Know About You" by Greg Conti (Computer Science Professor at West Point) is the first book to reveal how Google's vast information stockpiles could be used against you or your business – and what you can do to protect yourself.

A Secure Nagios Server - Nagios is monitoring software designed to let you know about problems on your hosts and networks quickly. You can configure it to be used on any network. Setting up a Nagios server on any Linux distribution is a very quick process; making it a secure setup, however, takes some work. This article will not show you how to install Nagios, since there are plenty of installation guides out there, but it will show you in detail ways to improve your Nagios security.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


  EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
 

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy.

http://www.linuxsecurity.com/content/view/145668
  Fedora 11: Leonidas is Hardly a Spartan Linux (Jun 9)
 

New Fedora release today, promoting improved desktop and server features, and better virtualization security. Frields added that Fedora 11 also includes something called sVirt which is SELinux (Security Enhanced) containment for virtual guests. SELinux is an access control technology that has its roots in the NSA (National Security Agency) and has been part of Fedora for years. By extending SELinux to virtual guests, Fedora is enhancing the security of its virtualization technologies.

Fedora 11 also includes what Frields described as better authentication for its virtualization manager software (virtmanager).

http://www.linuxsecurity.com/content/view/149055
  Virtualisation and security – the two-edged sword (Jun 9)
 

All new innovations in IT are a double-edged sword – with the benefits come challenges and unintended consequences. Not least server virtualisation, which does have a number of security advantages over running software directly on servers. While it's worth considering these, it's also worth weighing them up against the challenges, particularly given the relative immaturity of the technology.

http://www.linuxsecurity.com/content/view/149054
  Hacking Tool Lets A VM Break Out And Attack Its Host (Jun 8)
 

'Cloudburst' memory-corruption exploit released with Immunity's new version of Canvas penetration testing software. Researchers for some time have demonstrated the possibility of one of virtualization's worst nightmares -- a guest virtual machine (VM) infiltrating and hacking its host system. Now another commercial tool is offering an exploit that does exactly that.

http://www.linuxsecurity.com/content/view/149049
  Hacker named to Homeland Security Advisory Council (Jun 8)
 

Jeff Moss, founder of the Black Hat and Defcon hacker and security conferences, was among 16 people sworn in on Friday to the Homeland Security Advisory Council.

The HSAC members will provide recommendations and advice directly to Secretary of Homeland Security Janet Napolitano.

http://www.linuxsecurity.com/content/view/149048
  Hackers claim $10,000 prize for breaking into StrongWebmail (Jun 5)
 

Hacking contests never seem to go well. Back in 2002, ZDNet wrote "$100K hacking contest ends in free-for-all." Don't people remember history? Hackers love a challenge. And more than that, they love cash.

That's what Telesign found out this week. A provider of voice-based authentication software, the company challenged hackers to break into its StrongWebmail.com Web site late last week. The prize? US$10,000.

On Thursday, a group of security researchers claimed to have won the contest, which challenged hackers to break into the Web mail account of StrongWebmail CEO Darren Berkovitz and report back details from his June 26 calendar entry.

http://www.linuxsecurity.com/content/view/149040
  Seven Practical Ideas for Security Awareness (Jun 5)
 

Here's a great general security article that reinforces a handful of helpful tips for improving security awareness. We all forget occasionally that security is pervasive and needs constant reinforcement. It is widely agreed that the single most effective security measure is staff awareness. So how does leadership create and maintain a security-conscious mindset within the organization? Constant reinforcement; remember the average person needs to hear the message seven times before it sinks in. So here are seven ideas to help you get the message integrated into the culture of your company. I could add quite a few to this list, including periodic penetration testing of your local internal network, password cracking of your NTLM and other systems, and better education of users in training classes. Do you have others?

http://www.linuxsecurity.com/content/view/149035
  Judge Dismisses NSA Wiretap Civil Liberties Suits (Jun 5)
 

What kind of far-reaching implications does this have? Can organizations, working with the government, really be allowed to monitor communications unencumbered? Can they watch for some sort of illegal activity, terrorist or not, and then arrest someone, without having previously had a warrant? A federal judge on Wednesday threw out 46 civil lawsuits filed against telecommunications companies for allowing the National Security Agency to probe their networks for terrorist communications without approval from a court.

Companies such as AT&T were granted immunity under the Foreign Intelligence Surveillance Act Amendments Act (FISAAA), signed into law in July 2008, ruled U.S. District Court Chief Judge Vaughn R. Walker in a 46-page opinion.

http://www.linuxsecurity.com/content/view/149034
  Security and regulatory concerns slow some server virtualization efforts (Jun 3)
 

How does your organization handle virtualization security issues? Has it been something you've thought about for your customers? Security and regulatory concerns have some users warily eyeing the move to server virtualization.

For example, during the past year, the Stanford Hospital & Clinics, part of Stanford University in Palo Alto, Calif., has shifted about half of its applications from traditional server platforms to VMware-based virtual machines (VM) -- and found it strongly impacted decision-making on security.

http://www.linuxsecurity.com/content/view/149022
  Thousands of Web sites stung by mass hacking attack (Jun 2)
 

Looks like a combination of easily avoidable attack vectors and uninformed users clicking on things they shouldn't. As many as 40,000 Web sites have been hacked to redirect unwitting victims to another Web site that tries to infect PCs with malicious software, according to security vendor Websense.

The affected sites have been hacked to host JavaScript code that directs people to a fake Google Analytics Web site, which provides data for Web site owners on a site's usage, then to another bad site, said Carl Leonard, threat research manager for Websense.

http://www.linuxsecurity.com/content/view/149016
  Obama Says He Will Name National Cybersecurity Adviser (Jun 1)
 

Interesting article. Do you agree that such a position needs to be created? Will the official have enough of a technology clue to make the right decisions? President Obama used a White House speech yesterday to try to raise national concern about threats to computer networks, drawing praise from some industry executives and lawmakers but criticism from others who said his initiatives do not go far enough.

http://www.linuxsecurity.com/content/view/149004
