This week, perhaps the most interesting articles include "Inexpensive Cisco Network Log Analysis."



LINUX ADVISORY WATCH - This week, advisories were released for courier, osh, curl, ethereal, phpMyAdmin, Openswan, Xmail, Ethereal, perl, openvpn, thunderbird, xmovie, mplayer, and ffmpeg. The distributors include Debian, Gentoo, and Mandriva.

LinuxSecurity.com Feature Extras:

Hacks From Pax: SELinux Administration - This week, I'll talk about how an SELinux system differs from a standard Linux system in terms of administration. Most of what you already know about Linux system administration will still apply to an SELinux system, but there are some additions and changes that are critical to understand when using SELinux.

Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Introduction: Buffer Overflow Vulnerabilities - Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.


Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe, send an e-mail with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


DoS attack risk for Firefox 1.5 users
13th, December, 2005

Exploit code for the latest version of open-source browser Firefox was published on Wednesday, potentially putting users at risk of a denial of service (DoS) attack. The exploit code takes advantage of a bug in the recently released Firefox 1.5, running on Windows XP with Service Pack 2. Firefox, which initially debuted more than a year ago, has moved swiftly to capture eight per cent of the browser market.

Memory management by the Linux kernel: #2 inside the kernel
14th, December, 2005

This is the second article about memory management by the Linux kernel. The first article took you through the memory in the user space. This second article will explain how memory management is done inside the kernel itself. I recommend reading the first article before starting on this one. Now that we know how the kernel manages memory from the first article, let’s have a look at how the kernel allows you to allocate and free memory inside the kernel.

Inexpensive Cisco Network Log Analysis
12th, December, 2005

This document is intended to explain why network logging and log analysis is important, and provide instructions for people who want to do this on their Cisco equipment (especially the PIX firewall) without spending a lot of money. Although you may not get all of the spiffy features that you will find in high-end offerings from companies like Cisco, NetIQ, Symantec and others, you can get a very good security bang for the buck with simple and inexpensive systems. Although this document is specifically intended for logging on a Cisco PIX, pretty much the same commands should work for other devices such as routers. You will see different screens, and Sawmill may detect them differently, but it is essentially the same process.

Security Expert Finds Port Scans Not Tied To Hack Attacks
13th, December, 2005

Port scanning, the practice of sniffing for computers with unprotected and open ports, isn't much of a harbinger of an attack, a University of Maryland researcher said Monday. Michel Cukier, an assistant professor at the College Park, Maryland-based school, said that contrary to common thought, few port scans actually result in an attack. In fact, only about five percent of attacks are preceded by port scans alone.

Symantec Announces New Proactive Behavior-Based Host Intrusion Prevention Solution
12th, December, 2005

Symantec Corp. today announced Symantec Critical System Protection 5.0, a proactive behavior-based intrusion prevention solution for multi-layered protection of servers and critical clients running on Windows, UNIX and Linux platforms. Available later this month, Symantec Critical System Protection provides zero-day protection against application and operating system attacks, enhanced auditing and compliance enforcement, enterprise reporting capabilities, and improved manageability of heterogeneous environments from a single management console. Using a unique combination of signature and behavior-based detection, this enterprise class product helps prevent system downtime while protecting critical information assets.

Low Cost Technique for Intrusion Detection
14th, December, 2005

I have attempted to uncover and explore a free and easy solution for the cost-conscious small to medium size network to incorporate Intrusion Detection. The paper will focus on the aspects of free tools in relation to Intrusion Detection. I will define the tools I am using, where I will place the tools within the network, why I decided to place the tool in this particular location, and what defense mitigation the tool should assist.

Securely setting up a Linux PC
15th, December, 2005

Linux, like Microsoft Windows, is simply a computer operating system but Linux in itself is not a magic wand that can be waved and make all sorts of computing problems disappear. While Windows has its own set of problems, so too does Linux. There is no such thing as a perfect or completely secure computer operating system. Whether the machine will be a desktop computer or a server; purpose is a key to understanding how to initially install and configure your Linux PC.

Tenable Releases Nessus 3.0
13th, December, 2005

Tenable Network Security, Inc., a leading developer of security management solutions and creator of the popular and award-winning Nessus vulnerability scanner, today announced the general availability of Nessus 3.0 for the Linux and FreeBSD platforms. Nessus 3.0 was developed in response to growing market demand from enterprises, government agencies and consultants for a commercially licensed version of Nessus. Nessus 3.0 users will now have access to a number of commercial support and training options from Tenable Network Security. Tenable Network Security will continue to manage, distribute and maintain the open source version, Nessus 2.x.

No consensus on cost of security
12th, December, 2005

When it comes to IT security, companies put products before people according to the latest research from security training company (ISC)² which shows that products and services eat up more money than spending on personnel. Organisations globally spend approximately 57 percent of their IT security budgets on security products and services. The remaining 43 percent is spent on personnel, education and training, according to the (ISC)² Global Information Security Workforce Study.

It's the Economics, Techie
12th, December, 2005

Computer security isn't a technological problem -- it's an economic one. That is the message Bruce Schneier, CTO of Counterpane Internet Security and the author of "Beyond Fear: Thinking Sensibly About Security in an Uncertain World," repeated throughout his keynote address here Thursday at the infoSecurity Conference in New York's Jacob K. Javits Center. Schneier, a security technologist, said the future of security is getting harder to predict and warned the several hundred tech professionals on hand that they must start paying attention to the economics of security if they hoped for technology to keep pace.

SANS: Lack of I.T. Security Training Makes U.S. Vulnerable
13th, December, 2005

The SANS Institute warned that U.S. government, military contractor, and bank computer systems are facing a barrage of attacks from overseas hackers, and that network-security management lacks the training to mount an adequate defense. "American government and corporate computer systems are being riddled with online attacks," said Allan Paller, director of research at Bethesda, Maryland-based SANS. "But there is a culture of secrecy, and government departments, defense contractors, and banks are not talking about the attacks."

Firms count the cost of security threats
13th, December, 2005

Security threats soared during 2005, along with the risk of financial losses, but a new report shows that companies still aren't heeding the warnings. According to the State of Information Security 2005 report from PricewaterhouseCoopers and CIO Magazine, not only are security-related events up 22.4 percent on last year's figures, but the number of organisations reporting financial losses as a result of the attacks is also surging. Twenty-two percent of companies said they had been hit financially, compared with last year's 7 per cent.

Counter for "Trusting Trust" attack found
13th, December, 2005

Since 1974, there has been one security attack that has been claimed to be essentially uncounterable: the "Trusting Trust" attack. In this attack, the compiler is subverted, which can then subvert everything else. In 1984, Ken Thompson demonstrated it and made it widely known. David A. Wheeler has published a paper that claims to be the antidote to the "Trusting Trust" attack. Interestingly enough, its results are far more helpful if your compiler is open source software.

The "trusting trust" attack subverts the compiler binary; if the attacker succeeds, you're doomed. Well, til now.

SANS Will Start College for IT Security
14th, December, 2005

The SANS Institute has been granted approval by the State of Maryland to create a college and plans to begin accepting candidates for Masters of Science degrees in information security, according to a SANS statement. SANS will offer MS degrees in two subjects: Information Security Engineering and Information Security Management. Students will have to prove technical mastery of technologies and processes used by security experts, as well as management skills like communications and project management, according to a SANS statement.

We Need Assurance!
14th, December, 2005

When will I be secure? Nobody knows for sure, but it cannot happen before commercial security products and services possess not only enough functionality to satisfy customer's stated needs, but also sufficient assurance of quality, reliability, safety, and appropriateness for use. Such assurances are lacking in most of today's commercial security products and services. Paths to better assurance in Operating Systems, Applications, and Hardware through better development environments, requirements definition, systems engineering, quality certification, and legal constraints are discussed and examples given.

Study: employees leak secrets
15th, December, 2005

Employees sending confidential information to the outside world through email is an unseen threat to corporate security, a new business risk survey revealed. A study by Mirapoint and the Radicati Group said 6 percent of corporate employees admitted to emailing confidential information outside their company.

Not all dangers have a headline
15th, December, 2005

The crash of the trading system at the Tokyo Stock Exchange because of a software problem offers a timely reminder that disaster recovery and business continuity planning are essential not simply because of the more sensational incidents such as terrorist attacks, fires or bird flu.

Early advice for '06: Outsource security
15th, December, 2005

While I am an analyst who focuses on information security, I am a business guy at heart. With this background, let me offer some advice to my business peers: Outsource security (or some subset thereof) in 2006!

Researchers: Flaw auctions would improve security
16th, December, 2005

The auction may have set a record price for a highlighter pen and an 8-by-11-inch sheet of paper. The last reported bid before the listing was deleted without ceremony was $1,200. The price might seem excessive, but the value lay in what some researchers believed was on the paper: Information about an unpatched vulnerability in Microsoft Excel.

Survivor's Guide to 2006: Security
16th, December, 2005

The writing is on the wall: Organizations and individuals will be held accountable for security breaches. The rash of exposures of personally identifiable information (PII) from the likes of ChoicePoint, Lexis-Nexis, Bank of America, CardSystems and a host of other for-profit and nonprofit organizations is just the beginning. Luckily for consumers, state and federal lawmakers are introducing regulations that require exposures to be reported. Someone's head is going to roll; don't let it be yours.

Warning toned down on Perl app flaws
16th, December, 2005

The Perl Foundation has toned down a warning on a type of vulnerability commonly found in applications written in the Perl programming language. Two weeks after experts sounded an alarm on so-called "format string flaws" in Perl applications, changes have been made to Perl. These updates ensure that such flaws can't be used as a conduit to run malicious code on target systems, Andy Lester, a spokesman for the Perl Foundation and co-author of the book "Pro Perl Debugging," said on Thursday.

'Second Life' turns attacker in to FBI
16th, December, 2005

It seems that the online virtual world "Second Life" is no place hackers and other digital vandals should take lightly when considering who to hit with denial-of-service attacks. That much became clear this week, according to the blog Second Life Herald, when Philip Rosedale, CEO of "Second Life" publisher Linden Lab, announced during a virtual holiday party in the open-ended digital world that he had turned the perpetrators of a series of grid crashes over to the FBI.

Hacker attacks in US linked to Chinese military
14th, December, 2005

A systematic effort by hackers to penetrate US government and industry computer networks stems most likely from the Chinese military, the head of a leading security institute said.

Found a security hole? It could be worth $2,000.
15th, December, 2005

It seems we exaggerated the innovation of 3Com/TippingPoint’s controversial Zero Day Initiative. The scheme pays vetted researchers to report vulnerabilities to the company in a responsible way, thereby avoiding these holes getting into the public domain and being exploited by criminals and hackers before a patch has been written.

New Software Protects Wi-Fi Hardware
12th, December, 2005

While Wi-Fi hardware makers now consider security features par for the course in their products, third-party wireless security companies are still coming up with new ways to secure the hardware of their bigger brethren. AirDefense Inc. this week will launch Version 7.0 of AirDefense Enterprise, the Alpharetta, Ga., company's signature wireless security and management software. Version 7.0 can keep track of and secure up to 300,000 wireless devices and 10,000 dedicated RF (radio frequency) sensors, officials said.

Creating secure wireless access points with OpenBSD and OpenVPN
14th, December, 2005

You know how insecure 802.11x wireless networks are. In this article we'll create an OpenBSD-based secure wireless access point that prevents unauthorized access and encrypts every packet using a VPN tunnel. OpenBSD is one of the most secure operating systems available, is easy to use, and includes almost everything you need for this project in the base installation.

Where Do You Put Your Security Dollars?
16th, December, 2005

Security solutions seem to be growing at a faster rate than the problems. How do you tell what approach to take? In a recent panel discussion I was on, it was suggested that spending on the conventional threat mitigation aspects of security was headed for a leveling off, and that the real growth was in compliance issues.