Linux Security Week: April 10th 2006
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas   
Linux Advisory Watch

This week, perhaps the most interesting articles include "How to encrypt email with PGP or GPG," "How to backup your linux system using bash, tar and netcat," and "Securing Your MySQL Installation."


EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.

http://www.engardelinux.org/modules/index/register.cgi


LinuxSecurity.com Feature Extras:

EnGarde Secure Community 3.0.5 Released - Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.5 (Version 3.0, Release 5). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

pgp Key Signing Observations: Overlooked Social and Technical Considerations - While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.

Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital’s multi-faceted security applications. More than just an email firewall, on-demand and scheduled scanning detects and disinfects viruses found on the network. Click to find out more!

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.


  Troubleshooting crashed system, stranded 35,000
  7th, April, 2006

BART officials promised Thursday to thoroughly investigate why technicians risked working on computers that control trains while the transit system was running, work that crashed BART's main computer, stalled 50 to 60 trains, and stranded 35,000 passengers for more than an hour at the peak of the Wednesday evening commute. "The bottom line is we shouldn't have worked on it (during service hours)," BART spokesman Linton Johnson said. "We shouldn't have been working on it while trains were running."

http://www.linuxsecurity.com/content/view/122266
 
  A Pretty Good Way to Foil the NSA
  4th, April, 2006

How easy is it for the average internet user to make a phone call secure enough to frustrate the NSA's extrajudicial surveillance program? Wired News took Phil Zimmermann's newest encryption software, Zfone, for a test drive and found it's actually quite easy, even if the program is still in beta. Zimmermann, the man who released the PGP e-mail encryption program to the world in 1991 -- only to face an abortive criminal prosecution from the government -- has been trying for 10 years to give the world easy-to-use software to cloak internet phone calls.

http://www.linuxsecurity.com/content/view/122213
 
  Password Recovery Speeds
  5th, April, 2006

This document shows the approximate amount of time required for a computer or a cluster of computers to guess various passwords. The figures shown are approximate and are the maximum time required to guess each password using a simple brute force "key-search" attack; it may (and probably will) be possible to guess correctly without trying all the combinations shown, using other methods of attack or by having a "lucky guess".

http://www.linuxsecurity.com/content/view/122227
 
  How to encrypt email with PGP or GPG
  7th, April, 2006

One of the best ways to protect the privacy of email communications is to use PGP (pretty good privacy) and the Open Source GPG. Unfortunately, even hardcore geeks sometimes find PGP difficult to set up, configure, use, and troubleshoot. Recognizing this problem, No Starch Press has published a simple guide to using PGP and GPG. In "PGP & GPG: Email for the Practical Paranoid" (No Starch Press, April 2006), author Michael Lucas offers an easy-to-read, informal tutorial for communicating securely with PGP.

http://www.linuxsecurity.com/content/view/122262
 
  How To Break Web Software
  3rd, April, 2006

It's as certain as death and taxes: hackers will mercilessly attack your Web sites, applications, and services. If you're vulnerable, you’d better discover these attacks yourself, before the black hats do. Now, there's a definitive, hands-on guide to security-testing any Web-based software: How to Break Web Software. Companion CD contains full source code for one testing tool you can modify and extend, free Web security testing tools, and complete code from a flawed Web site designed to give you hands-on practice in identifying security holes. This chapter contains a series of attacks dealing with the concept of state, or the ability to remember information as a user travels from page to page within a site.

http://www.linuxsecurity.com/content/view/122187
 
  Lundquist's Guide To Not Getting Fired for Losing Your Laptop
  2nd, April, 2006

How often do we have to read about someone losing a laptop with a bunch of client data? I've included some links to recent stories: Stolen Fidelity Laptop Exposes HP Workers and Lost Fidelity Laptop Stirs Fear of ID Theft. Stop and think for a second. You are a high-powered road warrior jetting around the world making lots of complex but incredibly lucrative financial deals. You lose your laptop with all that important information. You have to call your boss back at the home office. Your next job involves asking customers if they want the large or the super-jumbo Slurpee.

http://www.linuxsecurity.com/content/view/122184
 
  Removing A User From A Linux System
  6th, April, 2006

Employee turnover in most organizations runs high. So unless you run a small shop with a stable user base, you need to learn how to clean up after an employee leaves. Too many so-called system administrators do not understand the stakes involved when they manage users. Disgruntled former employees can often cause significant trouble for a company by gaining access to the network.

http://www.linuxsecurity.com/content/view/122247
 
  Passive Visual Fingerprinting of Network Attack Tools
  3rd, April, 2006

This paper examines the dramatic visual fingerprints left by a wide variety of popular network attack tools in order to better understand the specific methodologies used by attackers as well as the identifiable characteristics of the tools themselves. The techniques used are entirely passive in nature and virtually undetectable by the attackers. While much work has been done on active and passive operating systems detection, little has been done on fingerprinting the specific tools used by attackers. This research explores the application of several visualization techniques and their usefulness toward identification of attack tools, without the typical automated intrusion detection system’s signatures and statistical anomalies. These visualizations were tested using a wide range of popular network security tools and the results show that in many cases, the specific tool can be identified and provides intuition that many classes of zero-day attacks can be rapidly detected and analyzed using similar techniques.

http://www.linuxsecurity.com/content/view/122188
 
  Network Disruption and Denial of Service
  4th, April, 2006

Organisations today invest millions of dollars and thousands of man-hours in building out their IP based infrastructure. However, the question one is often left with is: "Is Denial of Service or Network Disruption something that my enterprise should be concerned with?" Help Net Security has an article that contains a brief self-test that should help you to consider the reality of the threat and how seriously it ought to be pursued.

http://www.linuxsecurity.com/content/view/122212
 
  Honeypots - How to seek them out
  6th, April, 2006

To study the proceedings and attacks of hackers, honeypots are used. The idea is to put one or more special servers in a network. An aggressor who cannot differentiate between genuine servers/services and honeypots will sooner or later be taken in by the services offered by a honeypot during his search for a security gap. All his activities on the honeypot are logged.

http://www.linuxsecurity.com/content/view/122251
 
  how to backup your linux system using bash, tar and netcat
  4th, April, 2006

I recently ran into the problem of not having enough hard drive space on my Slackware Linux laptop, but was lucky enough to have a much bigger drive sitting around from before and wanted a way to perform a hassle-free, seamless upgrade. I had this idea and it worked pretty well, so I thought I would share it since I think it's pretty cool and only requires the use of two tools that should be included with all distributions. Sometimes you won't find netcat (known as nc, or ncat as it is sometimes named), and if bash incorporated my server redirections patch that I posted before you wouldn't need it at all, but for now it's required to listen for the incoming connections over the net.

http://www.linuxsecurity.com/content/view/122203
 
  Securing Your MySQL Installation
  5th, April, 2006

A MySQL installation should be made as secure as possible to protect databases and other information maintained by the MySQL server from unauthorized access. This article describes potential problem areas about which you should be concerned as a MySQL administrator, and provides guidelines for dealing with them. The issues covered here fall into the following broad categories, which include both local and remote exploits.

http://www.linuxsecurity.com/content/view/122226
 
  Securing a Web Site
  6th, April, 2006

Web servers are frequently attacked more than any other host on an organization’s network. In this paper, I will review the current challenges businesses face when hosting a public web site. I will address the various risks that are associated with web servers as well as the most effective methods of mitigating those risks through the design, implementation, and administration of public web sites.

http://www.linuxsecurity.com/content/view/122252
 
  Set up a secure IMAP/POP3 server with Dovecot
  7th, April, 2006

Internet Message Access Protocol (IMAP) servers such as Courier-IMAP and Cyrus IMAP may work well, but they’re complicated to install and configure. I'll show you how to set up your mail server quickly and securely using Dovecot, an open source IMAP and Post Office Protocol version 3 (POP3) server for Unix-like operating systems.

http://www.linuxsecurity.com/content/view/122265
 
  What does it mean to build secure Linux?
  7th, April, 2006

As the Linux operating system makes ever-deeper inroads into government data centers, agencies need to feel comfortable that the open-source computing infrastructures they're rolling out are indeed secure. In general, firewalls protect enterprise networks from intruders. But enterprises also require other types of protection in case a hacker gets past the firewall. Traditional Unix vendors have always provided added security at the operating-system level, including so-called "trusted" versions designed to provide data centers and security operations with machine-level security. These trusted versions defend against unauthorized access to data and applications.

http://www.linuxsecurity.com/content/view/122268
 
  The man behind OSSTMM
  4th, April, 2006

Pete Herzog, founder of ISECOM and creator of the Open Source Security Testing Methodology Manual (OSSTMM) talks with Federico Biancuzzi about the upcoming revision 3.0 of the OSSTMM. I'm Pete Herzog, managing director of ISECOM. I live in a small town in Catalonia just outside of Barcelona. It's also where I work part of the year. The other part of the year I work in the US. ISECOM is a non-profit, registered both here and in New York State, USA, with the aggressive mission to "make security make sense".

http://www.linuxsecurity.com/content/view/122215
 
  How To Break Web Software
  4th, April, 2006

It’s as certain as death and taxes: hackers will mercilessly attack your Web sites, applications, and services. If you’re vulnerable, you’d better discover these attacks yourself, before the black hats do. Now, there’s a definitive, hands-on guide to security-testing any Web-based software: How to Break Web Software. Companion CD contains full source code for one testing tool you can modify and extend, free Web security testing tools, and complete code from a flawed Web site designed to give you hands-on practice in identifying security holes. This chapter contains a series of attacks dealing with the concept of state, or the ability to remember information as a user travels from page to page within a site.

http://www.linuxsecurity.com/content/view/122204
 
  What I Learned at Hacker Camp
  4th, April, 2006

For a full day, I would immerse myself in the tricks of the computer hacking trade, getting hands-on training in how scam artists construct the code that wreaks havoc on the world's computers. The key distinction: This is "ethical" hacker boot camp, put on by a company called TechTrain, which hosts about 24 of these intensive training sessions each year.

My drill instructor (read: teacher) is Andrew Whitaker, TechTrain's director of enterprise security, who's had stints protecting online banks, and teaching other financial institutions what's wrong with their security systems, over the last ten years. Before class, he gives me the rundown of what we'll learn: how to use viruses, how to compromise wireless networks and how to evade firewalls.

http://www.linuxsecurity.com/content/view/122205
 
  Leader: Why we need data loss disclosure laws
  4th, April, 2006

It goes without saying that most people, in business at least, only admit a mistake for one reason – because they realise they're going to get caught anyway. Nowhere is this more clear than with the issue of disclosing data loss. In California all companies are required by law to inform their customers when data has been breached or lost. Now the whole of the US is looking to introduce such a law and we can only hope the UK and the rest of Europe follow in step.

http://www.linuxsecurity.com/content/view/122216
 
  The Six Dumbest Ideas in Computer Security
  5th, April, 2006

There's lots of innovation going on in security - we're inundated with a steady stream of new stuff and it all sounds like it works just great. Every couple of months I'm invited to a new computer security conference, or I'm asked to write a foreword for a new computer security book. And, thanks to the fact that it's a topic of public concern and a "safe issue" for politicians, we can expect a flood of computer security-related legislation from lawmakers. So: computer security is definitely still a "hot topic." But why are we spending all this time and money and still having problems?

http://www.linuxsecurity.com/content/view/122225
 
  Social engineering trumps flaws?
  5th, April, 2006

A relatively unknown worm has spread moderately successfully without exploiting any flaws in the Windows operating system, according to data collected by Microsoft's software for removing malicious code. The virus--known as Alcra or Alcan--spreads through popular peer-to-peer file-sharing systems by offering itself up using the names of popular files on program cracking sites. The social engineering has been quite successful: During February, about 250,000 machines had been infected by the program, according to data collected by Microsoft's Malicious Software Removal Tool.

http://www.linuxsecurity.com/content/view/122228
 
  More accurate on the eye
  5th, April, 2006

The Home Office identity cards team has reported progress in improving verification by iris scans, but problems with other biometrics apparently persist. In response to questions from Government Computing News, the Home Office has claimed that the technology for iris scanning has improved. It has not, however, made any claims for fingerprints and facial recognition.

http://www.linuxsecurity.com/content/view/122229
 
  Hacking Video - Education Or Marketing Tool?
  6th, April, 2006

I sat in my office for about thirty minutes trying to decide if I was going to write this article. I finally came to the conclusion that I would since this information is already freely available on the Internet, and in fact, was posted as part of a government article.

http://www.linuxsecurity.com/content/view/122248
 
  Learning an advanced skillset
  6th, April, 2006

It was almost two years ago now that I wrote the SecurityFocus article on TCP/IP skills required for security analysts. That article offered advice on how one can seek employment in the security field through education, training, and a strong focus on TCP/IP. The idea came about from all of the questions this author has been asked on the subject.

http://www.linuxsecurity.com/content/view/122250
 
  An Old Schooler Take On OS Security
  7th, April, 2006

Here is something you don't hear often: ten years after I started my career as a UNIX System Administrator, I still enjoy the work. I do think of it as a career, and a potentially rewarding one -- not a stepping-stone to something greater, as many seem to think. There are layers and layers to this work, and it would take a lifetime to learn all that there is to know about the subject. During these years I have developed an understanding of systems that has become like second nature; I have a mental catalog of best practices that came from basic curiosity, experimentation, study, constant usage, and access to the opinions and research of some of the best minds in the field.

http://www.linuxsecurity.com/content/view/122267
 
  RSA Looks To Drown Phishers In Data Flood
  1st, April, 2006

A novel tactic to defeat phishers is being employed by Cyota staff: flooding phishing sites with fake bank details to make the real information harder to find. RSA's Cyota division is helping fight phishing attacks by giving the online fraudsters what they want: lots of user names, passwords, online banking credentials and credit card numbers.

http://www.linuxsecurity.com/content/view/122183
 
  Nationwide data breach bill clears a hurdle
  5th, April, 2006

The Data Accountability and Trust Act (DATA) was approved by the U.S. House Energy and Commerce Committee last week and could soon be cleared by the House of Representatives. The bill, if passed, would mean all companies have to inform customers of security breaches that affect their personal data.

http://www.linuxsecurity.com/content/view/122224
 
  Are Hackers Going Beyond Zero-Day Attacks?
  4th, April, 2006

We've all, no doubt, heard about phishing attacks, but it's not as likely that most people truly understand what the real danger is. And that lies not so much in the forged emails and websites we've come to associate with phishing attacks, but in the Trojan horse software they're planting on unprotected PCs that are used to wander into these sites or open their emails. Sure, we've been hearing about Trojan horse software for years, but rest assured the stuff that's coming from the phishing crowd takes these attacks to an unprecedented level of technical capability and maliciousness.

http://www.linuxsecurity.com/content/view/122214
 
  Groups argue over merits of flaw bounties
  6th, April, 2006

Vulnerability researchers, software makers, and security companies that buy information about software flaws found little in common during a panel discussion on Wednesday debating the merits of vulnerability-purchasing programs.

The discussion, wrapping up the first day of the CanSecWest Security Conference, left software makers and the companies that run vulnerability-purchasing programs at loggerheads over whether paying for information about flaws makes sense. Such initiatives help secure the end user, argued Michael Sutton, director of the vulnerability research labs for VeriSign subsidiary iDefense, which pioneered the first permanent bounty program for security vulnerabilities.

http://www.linuxsecurity.com/content/view/122253
 
  Who Shall We Rob Today?
  7th, April, 2006

Remember those old black and white movies, the stocking masks, the pick axe handles, the sawn off shotguns and the white 2.8 Jaguar as the getaway car? Lots of action and great car chases! A far cry from today’s highly organised and sophisticated bandits, with high performance computers, network sniffers, switched on hackers, infiltrating software and highly motivated planted operatives.

http://www.linuxsecurity.com/content/view/122261
 
  Kernel Mode Ircbot
  8th, April, 2006

The world of malware and rootkits has evolved a lot over the last two years; the most significant developments have been in the sophistication of rootkits. In case the term "rootkit" doesn't mean much, a rootkit is basically a program that subverts the operating system and allows the attacker to hide certain files and programs from the user. It usually will also provide a hidden backdoor into the system, and will hide network connections made through the backdoor from the user.

http://www.linuxsecurity.com/content/view/122278
 
  Are American firms ready for wireless?
  5th, April, 2006

Businesses have cited security concerns as the primary reason not to deploy wireless and remote computers, a new global survey has found. More than 60 percent of companies are leery to implement such systems because of security reasons, according to an Economist Intelligence Unit survey, which was sponsored by Symantec. Meanwhile, about 47 percent of respondents cited cost and complexity as the major barriers to deployment.

http://www.linuxsecurity.com/content/view/122230
 
  Introduction to Kismet
  6th, April, 2006

Earlier this month we looked at NetStumbler, an application for surveying wireless networks. While NetStumbler is the most popular tool of its kind for Windows machines, users of Linux, BSD and Mac OS X have Kismet, a roughly analogous – though some would say more thorough – utility for discovering wireless networks.

Kismet detects the presence of wireless networks, including those with hidden SSIDs. It can discover and report the IP range used for a particular wireless network, as well as its signal and noise levels. Kismet can also capture or “sniff” all network management data packets for an available wireless network. You can use Kismet to locate available wireless networks, troubleshoot wireless networks, optimize signal strength for access points and clients, and detect network intrusions.

http://www.linuxsecurity.com/content/view/122249