Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

LinuxSecurity.com Feature Extras:

Password guessing with Medusa 2.0 - Medusa was created by the fine folks at foofus.net, in fact the much awaited Medusa 2.0 update was released in February of 2010. For a complete change log please visit

Password guessing as an attack vector - Using password guessing as an attack vector. Over the years we've been taught a strong password must be long and complex to be considered secure. Some of us have taken that notion to heart and always ensure our passwords are strong. But some don't give a second thought to the complexity or length of our password.

(Dec 21)

A new Linux iFrame attack has been spotted, this time one attempting to infect its victims with the Zeus/Zbot bank login stealer, security firm ESET has reported.
(Dec 21)

When Adrian Lamo goes online, he leaves nothing to chance.To log in to personal accounts, he uses a digital password generator -- a plastic key chain-like device that displays a new string of digits every 60 seconds.
(Dec 20)

Picking the bozos of the year is always bittersweet. It's altogether satisfying to call out the big cigars of the tech world -- and sometimes their allies in government -- who deserve to be ridiculed and brought to account. On the other hand, these bozos have caused damage to their companies, their employees, and their customers, which is no joking matter. Here are 2012's top five.
(Dec 19)

Over the weekend, Anonymous was stirred to action against an old nemesis: the Westboro Baptist Church. The most recent feud came in the wake of WBC's appalling reaction to the Sandy Hook shooting Friday in Newtown, CT.
Private Clouds, Cyber-security, Privacy: ISACA Issues Guidance (Dec 20)

ISACA, a non-profit global association of more than 100,000 IT audit, security, risk, and governance professionals, released guidance on managing three top trends expected to pose major challenges to Indian businesses in 2013: Private vs. public clouds, cyber-security threats, and data privacy.
Cisco VoIP Hacker Urges Closer Look at Firmware Security Vulnerabilities (Dec 19)

Ang Cui's "Funtenna" is just the latest eye-opener into the security of embedded networked devices such as printers, VoIP phones, routers and other core, connected infrastructure.
China Now Blocking Encryption (Dec 20)

The "Great Firewall of China" is now able to detect and block encryption: A number of companies providing "virtual private network" (VPN) services to users in China say the new system is able to "learn, discover and block" the encrypted communications methods used by a number of different VPN systems.
Apache plugin turns legit sites into bank-attack platforms (Dec 21)

A malicious Apache module found operating in the wild turns sites running the Internet's most popular Web server into platforms that surreptitiously install malware on visitors' computers.
How to set up a safe and secure Web server (Dec 24)

Fifteen years ago, you weren't a participant in the digital age unless you had your own homepage. Even in the late 1990s, services abounded to make personal pages easy to build and deploy--the most famous is the now-defunct GeoCities, but there were many others (remember Angelfire and Tripod?). These were the days before the "social" Web, before MySpace and Facebook.
How Linux reads your fingerprints, helps national security (Dec 24)

Gunnar Hellekson has many awesome-sounding job titles.He's the chief technology strategist for Red Hat's US Public Sector group, where he works with government departments to show them how open source can meet their needs, and with systems integrators to show them what they can do to provide the government with what it needs.
Why SELinux is more work, but well worth the trouble (Dec 26)

Many of us got used to the simple owner, group, and other model of Unix security so long ago that we were somewhat taken back when the setfacl and getfacl commands were introduced and added complexity to file permissions. All of a sudden, users and groups could be assigned access privileges separately from these three groupings and we had to pay attention to + signs at the ends of our permissions matrices that reminded us that additional access permissions were in effect.
Hackers Use Backdoor to Break System (Dec 26)

Industrial control system comes with a backdoor: Although the system was password protected in general, the backdoor through the IP address apparently required no password and allowed direct access to the control system. "[Th]e published backdoor URL provided the same level of access to the company's control system as the password-protected administrator login," said the memo.