Linux Security Week: August 17th, 2009
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, perhaps the most interesting articles include "The Cost of SELinux, Audit, & Kernel Debugging," "Local Privilege Escalation On All Linux Kernels," and "Use Wireshark to track your network behavior."
Linux+DVD Magazine
Our magazine is read by professional network and database administrators,
system programmers, webmasters and all those who believe in the power of Open
Source software. The majority of our readers is between 15 and 40 years old.
They are interested in current news from the Linux world, upcoming projects
etc.
In each issue you can find information concerning typical use of Linux: safety,
databases, multimedia, scientific tools, entertainment, programming, e-mail,
news and desktop environments.
LinuxSecurity.com Feature Extras:
Review: Googling Security: How Much Does Google Know About You - If I ask "How much do you know about Google?" You may not take even a second to respond. But if I may ask "How much does Google know about you"? You may instantly reply "Wait... what!? Do they!?" The book "Googling Security: How Much Does Google Know About You" by Greg Conti (Computer Science Professor at West Point) is the first book to reveal how Google's vast information stockpiles could be used against you or your business – and what you can do to protect yourself.
A Secure Nagios Server - Nagios is monitoring software designed to let you know about problems on your hosts and networks quickly. You can configure it to be used on any network. Setting up a Nagios server on any Linux distribution is a very quick process; however, making it a secure setup takes some work. This article will not show you how to install Nagios, since there are tons of guides for that out there, but it will show you in detail ways to improve your Nagios security.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headlines.
EnGarde Secure Community 3.0.22 Now Available! (Dec 9)
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy.
The Cost of SELinux, Audit, & Kernel Debugging (Aug 14)
When benchmarking development releases of Fedora in particular, they often end up being much slower than the final build and perform lower when compared against some of the other leading desktop distributions. As we have mentioned in previous articles, this is generally due to the debugging support enabled within the development builds of Fedora. To see just what the performance cost is, we have compared the Fedora 11 performance of the normal kernel against the kernel-debug package. Additionally, we also compared the performance when disabling SELinux and system auditing support.
Local Privilege Escalation On All Linux Kernels (Aug 13)
Tavis Ormandy and Julien Tinnes have discovered a severe security flaw in all 2.4 and 2.6 kernels since 2001 on all architectures. Since it leads to the kernel executing code at NULL, the vulnerability is as trivial as it can get to exploit: an attacker can just put code in the first page that will get executed with kernel privileges.
Great article that talks about the Sender Policy Framework approach to stopping spam, and how effective it is. IT shops have thrown everything but the kitchen sink at the issue and more times than not, come up empty on long-term solutions. Lately we're hearing a good deal about Sender Policy Framework (SPF) as the answer to our SPAM woes. Is it?
WordPress issues new version, closes password flaw (Aug 13)
WordPress, the popular blogging software platform, has been updated to fix a flaw that could have enabled a hacker to change an administrator password.
The bug enables a specially crafted URL to evade a password reset security verification check, Matt Mullenweg, founding developer of WordPress, said Wednesday on the organization's blog.
As a security technologist, I worry that if we don't fully understand these technologies and the new sorts of vulnerabilities they bring, we may be trading a flawed technology for an even worse one. Electronic locks are vulnerable to attack, often in new and surprising ways.
Start with keypads, more and more common on house doors. These have the benefit that you don't have to carry a physical key around, but there's the problem that you can't give someone the key for a day and then take it away when that day is over.
Something Old, Something New: Nmap's VoIP Fingerprinting (Aug 13)
[...] I find it encouraging to revisit some of the really established tools to see what changes and improvements are in place. Nmap is without a doubt the classic security tool in every aspect, from quality, to longevity, to street credibility. Even Hollywood has a clue when it comes to Nmap, as evidenced in Matrix, Bourne, and Die Hard films with Nmap showing up on someone's computer screen!
More than half of the internet's top websites use a little known capability of Adobe's Flash plugin to track users and store information about them, but only four of them mention the so-called Flash Cookies in their privacy policies, UC Berkeley researchers reported Monday.
iPhone 3GS Hardware Encryption Easy to Circumvent (Aug 12)
A mere three days after I published an article touting the enhanced security of the iPhone 3GS - see "iPhone 3GS Offers Enterprise-Class Security for Everyone", 2009-07-20 - security researcher Jonathan Zdziarski revealed a simple, only moderately technical technique for completely circumventing the iPhone's passcode lock and encryption. As a result, the iPhone 3GS encryption can no longer be considered a security control for consumers or enterprises until Apple releases a fix.
Two convicted for refusal to decrypt data (Aug 12)
Two people have been successfully prosecuted for refusing to provide authorities with their encryption keys, resulting in landmark convictions that may have carried jail sentences of up to five years. The government said today it does not know their fate.
A judge on Tuesday ordered Microsoft to stop selling Word, one of its premier products, in its current form due to patent infringement.
Judge Leonard Davis of the US District Court for the Eastern District of Texas issued a permanent injunction that "prohibits Microsoft from selling or importing to the United States any Microsoft Word products that have the capability of opening .XML, .DOCX or DOCM files (XML files) containing custom XML", according to a statement released by attorneys for the plaintiff, i4i.
Use Wireshark to track your network behavior (Aug 11)
Any time I need network analysis I turn to Wireshark. Wireshark is, in my opinion, the de facto standard for network protocol analyzers. Not only is it incredibly powerful, useful, and user-friendly, it is also FREE! But what exactly is Wireshark? Simple: Wireshark is a network protocol analyzer that watches and logs all incoming and outgoing traffic as defined by your needs. This tool can not only read traffic live, it can read traffic from a previous dump. And it can read files from other applications such as tcpdump and Microsoft Network Analyzer.
First reports of a vulnerability, apparently discovered by Microsoft at the start of this year, appeared in mid-June. The vulnerability could reportedly be used to carry out man-in-the-middle attacks on HTTPS connections. Mozilla classed the risk as high and released corresponding patches for its browser. It has now become clear that the vulnerability affects many other browsers.
Holes closed in Subversion version control system (Aug 10)
New versions of the Subversion version management system fix vulnerabilities in the client and server which could allow an attacker to gain control of a system. The cause of the problems is multiple heap overflows in the libsvn_delta library, which may occur when the library is parsing difference data streams (binary deltas).
Classic article on choosing a secure password from Bruce Schneier on Wired. It's great reading, even for those of us who have been around a while. Ever since I wrote about the 34,000 MySpace passwords I analyzed, people have been asking how to choose secure passwords.
My piece aside, there's been a lot written on this topic over the years -- both serious and humorous -- but most of it seems to be based on anecdotal suggestions rather than actual analytic evidence. What follows is some serious advice.