Get the LinuxSecurity news you want faster with RSS
Powered By
Linux Security Week: August 10th, 2009
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, the most interesting articles include "Database Administrators Playing Increasingly Crucial Role In Security," "Security Cyber Czar Steps Down," and "Another New AES Attack."
Linux+DVD
Magazine Our magazine is read by professional network and database administrators,
system programmers, webmasters and all those who believe in the power of Open
Source software. The majority of our readers is between 15 and 40 years old.
They are interested in current news from the Linux world, upcoming projects
etc.
In each issue you can find information concerning typical use of Linux: safety,
databases, multimedia, scientific tools, entertainment, programming, e-mail,
news and desktop environments.
LinuxSecurity.com
Feature Extras:
Review: Googling Security: How Much Does Google Know About You - If I ask "How much do you know about Google?" You may not take even a second to respond. But if I may ask "How much does Google know about you"? You may instantly reply "Wait... what!? Do they!?" The book "Googling Security: How Much Does Google Know About You" by Greg Conti (Computer Science Professor at West Point) is the first book to reveal how Google's vast information stockpiles could be used against you or your business – and what you can do to protect yourself.
A Secure Nagios Server - Nagios is a monitoring software designed to let you know about problems on your hosts and networks quickly. You can configure it to be used on any network. Setting up a Nagios server on any Linux distribution is a very quick process however to make it a secure setup it takes some work. This article will not show you how to install Nagios since there are tons of them out there but it will show you in detail ways to improve your Nagios security.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline.
EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy.
Database Administrators Playing Increasingly Crucial Role In Security (Aug 7)
In the past, database administrators weren't expected to do much with security. Their focus was on the speed, performance, and accuracy of the data. Security was a relatively low priority. Recently, however, that prioritization has begun to shift.
Developers of open source software projects should be just as concerned about security as anyone developing a proprietary app. However, the nature of the two development processes can be very different at times, and debate still rages about which is inherently more secure -- a secret code kept by a company, or a public one that all eyes can see. Just as important is how each community reacts once a problem is spotted.
Twitter DOS Attack Targeted Georgian Blogger (Aug 7)
Great coverage on the Twitter/FB DDoS on CIO. CNET also has several articlesThe denial of service (DOS) attacks which knocked Twitter offline and slowed down Facebook response times yesterday may have been designed to target just one individual.
Black Hat Wi-Fi network hit by 154 DoS attacks (Aug 6)
The Wi-Fi network at last week's Black Hat conference in Las Vegas was pummeled by multiple types of attacks -- but the network held (at least that was my experience).
Facebook, Twitter, Others Down in Possible DDoS? (Aug 6)
Twitter & Facebook, among others, appear to all be down or having access problems. It doesn't appear to be an infrastructure problem, but something more widespread, such as an ISP problem or distributed denial of attack.Twitter was inaccessible for at least a half hour on Thursday morning, followed by a period of slowness and sporadic timeouts (and more outright downtime). It's not clear what has caused this. My theory is that it was the millions of people tweeting complaints about why it can't be Friday yet.
Irresponsibility Runs Amok at Black Hat, Defcon (Aug 5)
The annual summer bug parades at Black Hat and Defcon always leave me questioning motives. This year, as in the past, we witnessed a deluge of vulnerability disclosures, and many of them seemed to me to be beyond irresponsible. They were attempts at naked glory mongering, and that just plain stinks.
Researchers: XML Security Flaws are Pervasive (Aug 5)
Security researchers today unveiled details about a little-known but ubiquitous class of vulnerabilities that may reside in a range of Internet components, from Web applications to mobile and cloud computing platforms to documents, images and instant messaging products.
Hacker charged with domain name theft charged (Aug 5)
A New Jersey hacker has been arrested after he broke into a site owner's account, transferred the domain name ownership to himself, and then sold it to an NBA player.
Hanging with hackers can make you paranoid (Aug 5)
When I first went to Defcon in 1995, the halls were mobbed with teenagers and attendees seemed more concerned with freeing Kevin Mitnick and seeing strippers than hacking each others' computers.
Jump forward to Defcon 17 this year, which was held over the weekend in Las Vegas, things certainly have changed. The attendees are older and wiser and employed, most of the feds aren't in stealth mode, and even the most savvy of hackers is justifiably paranoid.
Most badges from conferences and trade shows end up in the trash. Not so the badges from the Defcon security show, which are stylized, mysterious, and highly customized electronics equipment designed to be hacked.
Pirate Bay Co-Founder Steps Down as Spokesman (Aug 4)
Peter Sunde, a co-founder of the Pirate Bay, said Monday that he's resigning as the file-sharing service's spokesman.
In a blog post, Mr. Sunde cited time constraints for the departure. "I want to build something new and I want to focus my energy in a different direction. I have projects waiting to be finished, a book is waiting to be finalized and many more books are waiting to be read," he wrote. "I am simply leaving a role in order to be a person instead."
The White House's acting cybersecurity czar announced her resignation Monday, in a setback to the Obama administration's efforts to better protect the computer networks critical to national security and the global economy.
The resignation highlights the difficulty the White House has had following through on its cybersecurity effort.
Kevin Mitnick, the ex-hacker turned security consultant, is such a high-profile target himself that the Web-hosting firm he was using finally told him it wouldn't host Web pages for him anymore. "They kicked me off," Mitnick says, noting he doesn't begrudge Hostedhere.net, which he used for five years. But after a number of break-ins that targeted the former hacker, "they decided it wasn't cost-effective to keep me around," Mitnick says, adding, "I'm a target," mostly for those who want to play "king of the hill" by hacking someone once known as a notorious hacker.
The 2.8.3 security update for WordPress fixes several privilege escalation vulnerabilities, similar to the problems fixed in a previous update to version 2.8. The developers had overlooked some of the loopholes which 2.8.3 now closes.
The security service provider Core Security had warned of various security problems in WordPress before, after finding errors in processing certain URLs. For example, unprivileged, but registered users, are reportedly able to examine the configuration pages of plug-ins and to change their options.
The developers of NetBSD have announced the availability of NetBSD 5.0.1, the first "security/critical" update of the NetBSD 5.0 operating system. The update includes fixes for eleven security issues, including Denial of Service (DoS) problems with BIND and DHCP, buffer overflows in SHA2, ntp and hack, and signature verification bugs in OpenSSL. NetBSD 5.0 was released in April and featured improvements to threading and a rewritten scheduler.
Read Bruce Schneier's always on-target analysis of cryptography, this time with information on the new attack against AES.A new and very impressive attack against AES has just been announced.
Over the past couple of months, there have been two (the second blogged about here) new cryptanalysis papers on AES. The attacks presented in the paper are not practical -- they're far too complex, they're related-key attacks, and they're against larger-key versions and not the 128-bit version that most implementations use -- but they are impressive pieces of work all the same.
This new attack, by Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir, is much more devastating. It is a completely practical attack against ten-round AES-256:
Pirate Bay foundering under heavy fireFile-sharing site The Pirate Bay suffered further setbacks thi (Aug 3)
File-sharing site The Pirate Bay suffered further setbacks this week, after Italian lawyers reportedly announced plans to sue the site's owners, and a court in the Netherlands ruled that the site must block all access for Dutch users within 10 days.
Cryptologists have now developed even more sophisticated attacks on AES encryption systems. According to crypto expert Bruce Schneier, a team consisting of Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich and Adi Shamir have managed to crack reduced versions of AES-256 in practical length of time. Attacking nine-round AES-256 required 239 time, which is even feasible with an ordinary PC, while ten-round would require 245. The time required for eleven rounds, however, is just above practicality at 270. The attack exploits a vulnerability in the key schedule, a function AES-256 uses to derive sub-keys from the main key.
Defcon: New Hack Hijacks Application Updates Via WiFi (Aug 2)
Researchers here tomorrow will demonstrate a way to hijack the application update process via WiFi and replace the updates with malware.
Itzik Kotler, security operation center team leader for Radware and Tomer Bitton, security researcher for Radware, say that the hack can be used against most of today's client application updates.
