In each issue you can find information concerning typical use of Linux: safety,
databases, multimedia, scientific tools, entertainment, programming, e-mail,
news and desktop environments.

EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy. http://www.linuxsecurity.com/content/view/145668

Practical AES attacks get closer (Aug 2)
Cryptologists have now developed even more sophisticated attacks on AES encryption systems. According to crypto expert Bruce Schneier, a team consisting of Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich and Adi Shamir has managed to crack reduced versions of AES-256 in a practical length of time. Attacking nine-round AES-256 required 2^39 time, which is even feasible with an ordinary PC, while ten-round would require 2^45. The time required for eleven rounds, however, is just above practicality at 2^70. The attack exploits a vulnerability in the key schedule, a function AES-256 uses to derive sub-keys from the main key. http://www.linuxsecurity.com/content/view/149594

Defcon: New Hack Hijacks Application Updates Via WiFi (Aug 2)
Researchers here tomorrow will demonstrate a way to hijack the application update process via WiFi and replace the updates with malware.
Itzik Kotler, security operation center team leader for Radware and Tomer Bitton, security researcher for Radware, say that the hack can be used against most of today's client application updates. http://www.linuxsecurity.com/content/view/149593

Crackers publish hackers' private data (Jul 31)
On the eve of the Black Hat security conference, crackers published a comprehensive text document in the underground magazine Zero for Owned (ZF0), containing masses of emails, chat records, passwords and other private information belonging to famous members of the security industry. Evidently they captured the data by breaching the web servers of Kevin Mitnick, Dan Kaminsky and Julien Tinnes. They boast of having captured 75,000 clear-text passwords this way, most of them from the databases of the forum systems running on the affected servers. http://www.linuxsecurity.com/content/view/149582

Jailbreaking iPhone could pose threat to national security, Apple claims (Jul 30)
Apple stated in its filing that by changing the BBP's code, "More pernicious forms of activity may also be enabled. For example, a local or international hacker could potentially initiate commands (such as a denial-of-service attack) that could crash the tower software, rendering the tower entirely inoperable to process calls or transmit data. In short, taking control of the BBP software would be much the equivalent of getting inside the firewall of a corporate computer--to potentially catastrophic result." http://www.linuxsecurity.com/content/view/149568

Researchers exploit flaws in SSL, domain authentication system (Jul 30)
Two researchers have separately uncovered flaws in the way domain names are verified on the Internet that could allow attackers to impersonate a site and steal information from unsuspecting Web surfers. http://www.linuxsecurity.com/content/view/149565

Open-source project aims to make secure DNS easier (Jul 30)
Very cool. It would be really nice to see a review of this project, and follow it as it progresses. Is anyone interested in reviewing it and letting us know how you make out?
A group of developers has released open-source software that gives administrators a hand in making the Internet's addressing system less vulnerable to hackers. http://www.linuxsecurity.com/content/view/149564

Kaminsky Warns of SSL Vulnerabilities (Jul 30)
Security researcher Dan Kaminsky made waves last year with his dramatic DNS security flaw that could have undermined the security of the Internet.
This year at Black Hat, he's back with another critical issue affecting the security certificates that secure Web sites. http://www.linuxsecurity.com/content/view/149561

Have You Been Hacked by Metasploit? Find Out! (Jul 29)
At the Black Hat security conference in Las Vegas, Mandiant security researchers Peter Silberman and Steve Davis are releasing a new forensic framework on Wednesday that will make it possible to detect whether or not a host was hit by Metasploit's meterpreter. The new tool could change the game when it comes to Metasploit-based attacks that previously could not be identified on the target machine. http://www.linuxsecurity.com/content/view/149553

Report: Spam and malware at all-time highs (Jul 29)
Spam and botnets have hit their highest levels ever, according to McAfee's second-quarter Threats Report, released Wednesday. McAfee's Avert Labs says spam recorded in the second quarter shot up 80 percent compared with the first quarter of the year. http://www.linuxsecurity.com/content/view/149547

BIND name server vulnerable to DoS attacks (Jul 29)
A vulnerability in the popular open source BIND9 name server allows attackers to remotely trigger a server crash. According to the error report, a single specially crafted "dynamic update" packet is all that is required to prevent IP addresses from being translated into server addresses. Authorised name-servers use dynamic updates to add, or remove, resource records to, or from, a zone. http://www.linuxsecurity.com/content/view/149546

3 Tips to Get the Most Out of Black Hat/Defcon (Jul 28)
CSO Senior Editor Bill Brenner has been to enough Black Hat conferences to know it can be information overload. Here he offers a few suggestions for getting the most value out of the experience. http://www.linuxsecurity.com/content/view/149511

Network Solutions breach exposes nearly 600,000 (Jul 28)
Network Solutions is investigating a breach on its servers that may have led to the theft of credit card data of 573,928 people who made purchases on Web sites hosted by the company. http://www.linuxsecurity.com/content/view/149510

Microsoft Rushes Clutch Patch for 'Deep' Bug in Windows (Jul 27)
When was the last time you heard about a Linux security vulnerability that was not fixed for more than a year? This article talks about how Microsoft has ineffectively handled a significant vulnerability present in all versions of Windows, and only with Black Hat coming are they finally addressing it.
On Tuesday, Microsoft will slap a permanent patch on a video streaming ActiveX control used by Internet Explorer (IE), addressing a vulnerability that it has known about, but not fixed, for more than a year. Two weeks ago, Microsoft issued a "kill bit" update that, rather than address the underlying problem, disabled the ActiveX control to stymie attacks that were already in progress. It's also slated a fix for Visual Studio, Microsoft's popular development platform. http://www.linuxsecurity.com/content/view/149505

Top 20 OpenSSH Server Best Security Practices (Jul 27)
OpenSSH is the implementation of the SSH protocol. OpenSSH is recommended for remote login, making backups, remote file transfer via scp or sftp, and much more. SSH is perfect to keep confidentiality and integrity for data exchanged between two networks and systems. However, the main advantage is server authentication, through the use of public key cryptography. From time to time there are rumors about an OpenSSH zero-day exploit. Here are a few things you need to tweak in order to improve OpenSSH server security. http://www.linuxsecurity.com/content/view/149504

11 security companies to watch (Jul 27)
Nice summary and slideshow of the top companies we should be watching for the second half of the year. Our annual look at new security companies worth keeping an eye on. Are there others worth noting? Got experience with any of these companies? Leave your thoughts in our comments section. http://www.linuxsecurity.com/content/view/149503

L0pht Makes Comeback (Sorta) With Hacker News Network (Jul 26)
The news report begins with shots of a tense space shuttle launch. Engineers hunch over computer banks and techno music pounds in the background. There is a countdown, a lift-off, and then you see a young man in a black T-shirt and sunglasses, apparently reporting from space. http://www.linuxsecurity.com/content/view/149496