Get the LinuxSecurity news you want faster with RSS
Powered By
Linux Security Week: June 29th, 2009
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, perhaps the most interesting articles include "Kaminsky interview: DNSSEC addresses cross-organizational trust and security," "Adrian Lamo, the hacker philosopher," and "LJ Discusses The Risks of Not Encrypting Information."
Linux+DVD
Magazine Our magazine is read by professional network and database administrators,
system programmers, webmasters and all those who believe in the power of Open
Source software. The majority of our readers is between 15 and 40 years old.
They are interested in current news from the Linux world, upcoming projects
etc.
In each issue you can find information concerning typical use of Linux: safety,
databases, multimedia, scientific tools, entertainment, programming, e-mail,
news and desktop environments.
LinuxSecurity.com
Feature Extras:
Review: Googling Security: How Much Does Google Know About You - If I ask "How much do you know about Google?" You may not take even a second to respond. But if I may ask "How much does Google know about you"? You may instantly reply "Wait... what!? Do they!?" The book "Googling Security: How Much Does Google Know About You" by Greg Conti (Computer Science Professor at West Point) is the first book to reveal how Google's vast information stockpiles could be used against you or your business – and what you can do to protect yourself.
A Secure Nagios Server - Nagios is a monitoring software designed to let you know about problems on your hosts and networks quickly. You can configure it to be used on any network. Setting up a Nagios server on any Linux distribution is a very quick process however to make it a secure setup it takes some work. This article will not show you how to install Nagios since there are tons of them out there but it will show you in detail ways to improve your Nagios security.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline.
EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy.
Kaminsky interview: DNSSEC addresses cross-organizational trust and security (Jun 26)
Network security researcher Dan Kaminsky has had a year to reflect on the impact of the cache poisoning vulnerability he discovered in the Domain Name System (DNS). Kaminsky revealed during last year's Black Hat Briefings a technique that made it relatively easy to exploit the bug and enable an attacker to redirect website requests to malicious sites. In the time since, Kaminsky has become an advocate for improving security in DNS, and ultimately, trust on the Internet. One way to do this is with the widespread use of DNSSEC (DNS Security Extensions), which essentially brings PKI to website requests. In this interview, Kaminsky talks about how the implementation of DNSSEC would enable greater security and trust on the Net and provide a platform for the development of new security products and services.
Pirate Bay retrial denied; judge declared "unbiased" (Jun 26)
After The Pirate Bay defendants lost a high-profile copyright infringement trial in Sweden, they charged that the judge belonged to pro-copyright groups and was therefore biased against them. A Court of Appeals ruling today disagrees; there will be no retrial.
TJX settles over breach with 41 states for $9.75 million (Jun 25)
In a move to close the door on the largest reported retail data breach in history, TJX announced Tuesday that it has settled with 41 states who were probing the discount merchant's data security practices.
TJX, which operates more than 2,500 outlets nationwide, agreed to pay $9.75 million to settle investigations by 41 state attorneys general, who were looking into the monster breach, announced in January 2007, that exposed as many as 94 million credit and debit card numbers.
SquirrelMail open source project's web server hacked (Jun 25)
It has just become apparent that, on June 16, attackers hacked into the web server of the SquirrelMail open source project. The operators have suspended all accounts and reset all crucial passwords. Access to the original server and to all the available plug-ins has also been disabled. The operators believe that none of the plug-ins has been compromised, but investigations are still in progress. Third party plug-ins can be used to add features to SquirrelMail.
Seven Deadly Sins of Home Office Security (Jun 24)
According to the human resources association World at Work, 17.2 million Americans worked from home or remotely at least one day per month for their employer last year (See also: 4 Telecommuting Security Mistakes). And the 2007 book 'Microtrends' estimates that 4.2 million Americans work full-time from home.
Good security is a key to good productivity. CSO spoke with two home office security experts about security mistakes home office workers often make (and how to avoid those errors).
In the third of a three-part Q&A series with hackers, Lamo, now 28, talks about his "hack value," his remorse for the trouble he caused network administrators, and how he hopes to make people smile.
Q: How did you get started hacking?
I was around computers as a very young child. I had a Commodore 64 when I was like 6 or so. And my first interest in seeing how things worked behind the scenes wasn't all about technology necessarily, and my interest in what you might call hacking isn't really primarily about technology...It's not sexy when I'm exploring less obvious aspects of the world that don't involve multibillion-dollar corporations. There's a certain amount of tunnel vision there. http://www.linuxsecurity.com/content/view/149211
DNSSEC Showing More Signs Of Progress (Jun 23)
The Domain Name System (DNS) security protocol is finally making inroads on the Internet infrastructure front, but big hurdles remain for widespread, smooth adoption. It has been more than 15 years in the making, but DNSSEC is finally gaining some traction: The .gov and .org top-level domains have begun to adopt the Domain Name Service (DNS) security protocol, and during the past few days, some commercial activity was associated with it.
Bizarre Bugs: 9 of the Strangest Software Glitches Ever (Jun 22)
Writing buggy applications is a cinch--for decades, the world's software developers have been proving that with just about every program they release. Truly interesting bugs, however, are a relatively rare breed. I'm talking about the kind that cause technology products and services to stop working for extended periods, or that prompt them to behave as if they were possessed or harbored grudges against the humans who use them. And even though the bugs themselves usually stem from mundane errors such as typos or faulty math, their symptoms are anything but boring.
LJ Discusses The Risks of Not Encrypting Information (Jun 22)
This is a good article on the risks of not encrypting information on laptops, backup tapes, and other media, and the implications of having that data stolen. It would have been nice to have some solutions to these issues too, but perhaps that's for another article. Anyone have a favorite encryption strategy? GnuPG just released a new version. Does everyone have their key?For many companies, the data is the crown jewels. Millions of bytes are circulated every day on networks that, but for a little bit of probing, are as frail as a strand of hair and less well protected. We spend millions of dollars securing and reducing the risk of penetration from the outside, yet very few companies take the basic steps to secure their data internally. There are simple things that we can all do - such as IPSec on the wire, encryption in the backend and proper security on the desktops. We must think about more than a simple username and password scheme when it comes to securing our data from the bad guys, because, quite often, the bad guys are none other than that cute redhead who just asked you to reset her password. And it wasn't for her account.
Q&A: Kevin Mitnick, from ham operator to fugitive to consultant (Jun 22)
There is no question who the most famous hacker is. One of the first computer hackers prosecuted, Kevin Mitnick was labeled a "computer terrorist" after leading the FBI on a three-year manhunt for breaking into computer networks and stealing software at Sun, Novell, and Motorola.
In the first in a three-part Q&A series with hackers, CNET News talked to Mitnick, now 45, about what got him interested in computers in the first place, the differences between hacking today and three decades ago, and whether it's wise to hire a former black hat hacker to do security work.
