This week, perhaps the most interesting articles include "SSH Password Guessing: Linux Compromise and Forensics," "Trusted Computing comes under attack," and "."


Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.


LinuxSecurity.com Feature Extras:

Hacks From Pax: SELinux Administration - This week, I'll talk about how an SELinux system differs from a standard Linux system in terms of administration. Most of what you already know about Linux system administration will still apply to an SELinux system, but there are some additions and changes that are critical to understand when using SELinux.

Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital’s multi-faceted security applications. More than just an email firewall, on-demand and scheduled scanning detects and disinfects viruses found on the network. Click to find out more!

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe, send an e-mail to the list address with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.


NIST updates cryptography guidelines for U.S. Federal Agencies
31st, January, 2006

In a bid to help U.S. federal agencies protect sensitive, but unclassified information, the National Institute of Standards and Technology (NIST) has updated guidelines for selecting and implementing cryptographic methods.

Originally published in 1999, Guideline for Implementing Cryptography in the Federal Government (NIST Special Publication 800-21-1) is intended primarily for federal employees who design computer systems and procure, install and operate security products to meet specific needs.

Covert Crawling: A Wolf Among Lambs
30th, January, 2006

Web application IDS evasion techniques and countermeasures is a mature area of study. LibWhisker-based apps and Snort have been in a tug-of-war for years. However, the initial reconnaissance of a website or web app has been largely neglected. It's either done by hand (which is tedious) or with a traditional crawler like wget (which is very noisy). An automated crawl appears as an enormous spike in hit count and byte transfer that is well outside the bell curve for normal users.

The open-source programmer who means business
2nd, February, 2006

Alan Cox is so well-regarded in the open-source software community that he can pull in a crowd of eager techies to discuss theoretical software stability on a Sunday afternoon, as he did at last year's FOSDEM conference in Brussels.

Kevin Mitnick Interview on Art Bell
30th, January, 2006

Computer security expert Kevin Mitnick touched on a variety of computer- and security-related topics, including OS vulnerabilities and defenses, hacking, and government communication monitoring. Mitnick said all computer operating systems have flaws that can be exploited. If you're connected to the Internet, he explained, you should assume you can be attacked and ask yourself, "What can I do to limit the damage?" Mitnick suggested computer users operate behind a firewall.

OSS is an easier hack: Mitnick
31st, January, 2006

In an exclusive interview on Friday, infamous hacker Kevin Mitnick told Tectonic that, given the choice between finding security vulnerabilities in closed and open source, he'd prefer to attack an open source environment.

"Open source would be easier [to hack]," admits ex-hacker turned security consultant Mitnick. "It's less work." Mitnick says that open source software is easier to analyse for security holes, since you can see the code. Proprietary software, on the other hand, requires either reverse engineering, getting your hands on illicit copies of the source code, or using a technique called "fuzzing".

Cross Site Cooking
31st, January, 2006

There are three fairly interesting flaws in how HTTP cookies were designed and later implemented in various browsers; these shortcomings make it possible (and alarmingly easy) for malicious sites to plant spoofed cookies that will be relayed by unsuspecting visitors to legitimate, third-party servers.

Dial 'D' for DoS; VoIP's hidden security threat
31st, January, 2006

Communication technology experts have released a report highlighting inherent security issues with VoIP applications such as Skype and Vonage that could give online criminals an opportunity to operate undetected.

CERT Stats Under Fire
30th, January, 2006

Linux supporters have roundly criticized a recent report from the United States Computer Emergency Readiness Team (CERT), which reported that during 2005, Linux and Unix combined had 2,328 vulnerabilities, compared with 812 vulnerabilities for Microsoft Windows. Linux practitioners say the counts are skewed because they count the same vulnerability each time it appeared last year in any given Linux distribution. By doing this, they say, one bug could actually show up in the list dozens of times, depending on the number of Linux variants it appeared in. The CERT stats also appear to include problems with scripting languages such as PHP or even applications that are not part of the core Linux operating system but instead are used with it.

Computer security today
2nd, February, 2006

Infosecurity Europe 2006 is just around the corner. Taking place at the Olympia in London 25-27 April 2006, it is the most important gathering of security professionals in Europe. At the press conference in London earlier this week, we were introduced to last year’s statistics as well as information about the 2006 conference with many presentations.

CFP: New Security Paradigms Workshop
3rd, February, 2006

NSPW is a unique workshop that is devoted to the critical examination of new paradigms in security. Each year, since 1995, we examine proposals for new principles upon which information security can be rebuilt from the ground up. We conduct extensive, highly interactive discussions of these proposals, from which we hope both the audience and the authors emerge with a better understanding of the strengths and weaknesses of what has been discussed.

Louisville Geek Dinner
5th, February, 2006

The purpose of this site is to organize a social networking event for geeks in Louisville and surrounding areas. The geek dinner concept came from listening to London Geek Dinner podcasts. London Geek Dinners have attracted crowds over 175. Hopefully we can pull strong numbers in Louisville.

Who is invited, and what does it mean to be a geek? Wikipedia defines geek as the following, "a person who is fascinated, perhaps obsessively, by obscure or very specific areas of knowledge and imagination." The simple fact is that we love technology. We need a social event where everyone speaks our language for a change. All geeks are invited. Please encourage your geek friends to Signup. The best way to ensure that you will have a good time is to invite other geeks that you know.

SSH Password Guessing: Linux Compromise and Forensics
31st, January, 2006

This document describes the compromise of a Debian Linux server on an internal network. We look at how the incident first came to light, the response procedures and an analysis of the actions of the attacker. This leads us to some recommendations on how to secure systems against this kind of exploitation in future. None of this is particularly new or surprising, but hopefully will serve as a welcome reminder, or as useful material when trying to justify particular security policies.

Trusted Computing comes under attack
1st, February, 2006

Technologies touted as providing a more secure computing experience are actually more likely to reinforce monopolies and lock customers in, security and free software experts have warned. The "Trusted Computing" technologies promoted by major IT companies such as Microsoft and IBM could have negative consequences for customers and rival software makers, according to security experts.

Got Rootkits? Time to 'Fess Up
2nd, February, 2006

Enterprise software vendors beware. If you have included rootkit-like technology in your products, now is the time to step forward, publicly own up to it, and get rid of it right away. Otherwise some enterprising hacker is going to do it for you.

Bringing UNIX/Linux Networks into Compliance with the Sarbanes-Oxley Act of 2002
3rd, February, 2006

This document addresses how an organization can use identity and access management (IAM) solutions such as Symark's PowerBroker and PowerPassword-UME for UNIX and Linux operating systems to meet Sarbanes-Oxley (SOX) requirements for the effectiveness of internal controls over financial reporting. Symark PowerBroker and PowerPassword-UME safely delegate administrative privileges (including root) and provide secure logins, strong password and user management policies, keystroke logging and indelible audit trails. This document demonstrates how Symark PowerPassword-UME and PowerBroker work in tandem to protect the integrity of data across heterogeneous UNIX/Linux systems and help bring your IT systems into compliance, especially with the SOX section 404 requirements for internal IT controls.

Nmap 4.00 Released
31st, January, 2006

Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 4.00 from https://nmap.org/ .

ChoicePoint fined $15m over data security breach
30th, January, 2006

Data broker ChoicePoint was yesterday fined $15m over a data security breach that led to at least 800 cases of identity theft. ChoicePoint agreed to pay $10m in civil penalties (a record fine) and $5m to compensate consumers as part of a settlement with US consumer watchdog the Federal Trade Commission (FTC). It also agreed to maintain a revamped security program, featuring regular third-party security audits until 2026, and promised to ensure it provides consumer reports only to legitimate businesses for lawful purposes.

Security professionals back tougher laws for hackers
30th, January, 2006

The IT security industry has almost unanimously given its backing to government plans to update the Computer Misuse Act (CMA) and introduce more severe custodial sentences for cyber criminals. And many are urging the government to now 'go the distance' and ensure the bill is passed and the new laws come into effect as soon as possible - and are policed effectively.

Ten Threats You Probably Didn't Make Plans For
30th, January, 2006

As an IT Manager or perhaps a more specialised IT Security Officer, you have your security policy in place, and your physical security, network security and application security measures are all installed and functioning. Systems are patched up to date and for that split second it would seem that security is no longer an issue. Unfortunately, a second is probably as good as it gets, as there is bound to be another threat waiting around the corner. In today’s fast-paced electronic world, whilst it is not possible to maintain a totally secure environment, 98 percent secure is far better than 97 percent secure. Every bit counts, but when it comes to applying security there are many practices that are overlooked, simply because we choose to ignore that certain threats exist or, worse still (and this is the more likely case), simply don’t even realise that some threats exist.

UK To Strengthen Cybercrime Laws
1st, February, 2006

One of the biggest problems with cybercrime in the UK remains the law. Back in 1990, the government passed the Computer Misuse Act. Unfortunately, the government has failed to keep up with changes in cybercrime and in so doing leaves many individuals and businesses with no real legal protection to fend off many attacks. Parliament has been perusing a Police and Justice Bill, which would add to and toughen up the existing laws. The bill would make it illegal to make unauthorized modifications to computers, with a penalty of ten years in prison.

Instant messaging targeted for malicious worm attack
1st, February, 2006

Businesses have been warned to prepare themselves for an onslaught of malicious worm attacks through corporate instant messaging systems. The number of new attacks released on to instant messaging rose 17-fold in 2005 and could double again by next year, predicts research based on an analysis of 600 companies.

SOX Compliance Is Worth the Effort
1st, February, 2006

SOX compliance has helped to make ethics training more common within the corporate environment. According to a 2005 survey by the Ethics Resource Center, 69 percent of employees reported that ethics training in their organizations was up, as compared to 14 percent who said so in the same survey conducted in 2003.

Feature: The Top 10 Infosec Myths
2nd, February, 2006

Merriam-Webster defines a myth as a popular belief or tradition that has grown up around something or someone but is often unverifiable. When it comes to information security, there's a lot of popular wisdom available, but much of it is unfounded and won't necessarily improve your organization's security.

Why do such beliefs persist? The answer is that we don't challenge new and existing ideas enough. We must test and evaluate the validity of new security concepts, so the good ones can become standards. Only by cutting through the hype to separate reality from myth can IT professionals help take their enterprises to the next level. Here are 10 network security myths that bear further examination.

Make Backups Of Pr0n, Go To Prison!
2nd, February, 2006

If you've ever had the displeasure of investigating the possible downloading of child pornography by a user (or users), then I'm sure you can relate to how painful it is to recover any digital artifacts from the suspects' hard drives, portable media, etc. Some investigators say they become 'numb' to the images over time. I, for one, come close to being violently ill and retching up my morning coffee during such artifact recoveries.

British businesses not taking cybercrime seriously
3rd, February, 2006

The Confederation of British Industry (CBI) has warned that small and medium-sized businesses are leaving themselves open to electronic attack through lack of planning, putting themselves and the rest of the supply chain in danger. Medium-sized firms came out particularly badly in the CBI's survey: while 60 percent of them engage with partners and clients online, more than half of these firms don't plan to put any security measures in place, the CBI said.

Convergence and the rise of botnets
3rd, February, 2006

At the recent Infosecurity Press Conference in London, Mark Sunner, CTO of MessageLabs, presented the results of the MessageLabs Intelligence Annual Report that provides us with an insight on how cyber criminals worked during the past year.

ISPs ordered to hand over file-sharer details
1st, February, 2006

The High Court has ordered 10 ISPs to hand over the customer details of 150 individuals accused of illegally sharing and downloading desktop software on the web. The illegal file-sharers were identified after a 12-month covert investigation by the Federation Against Software Theft (Fast), called Operation Tracker.

Unauthorized Sale of Phone Records on the Rise
2nd, February, 2006

Reports of the unauthorized sale of personal telephone records may be sending chills up the spines of callers across the country, but the practice does not occur underground or on the black market. It occurs right out in the open, and according to regulators it's a growing problem. Numerous data broker Web sites advertise personal phone records for sale, including the numbers called, the length of calls, and sometimes the location of cell phones.

FAQ: The new 'annoy' law explained
3rd, February, 2006

Q: So what does the rewritten law now say? The section as amended reads like this: "Whoever...utilizes any device or software that can be used to originate telecommunications or other types of communications that are transmitted, in whole or in part, by the Internet... without disclosing his identity and with intent to annoy, abuse, threaten, or harass any person...who receives the communications...shall be fined under title 18 or imprisoned not more than two years, or both."

Cellcos and senate vs social engineering
2nd, February, 2006

New legislation proposed by Senator Chuck Schumer (D, NY) and backed by heavyweights from both major parties, seeks to criminalize both the practitioners and the dupes of "social engineering". That's just a fancy way of smooth-talking someone out of some information they shouldn't normally impart, but it has been the most effective technique for fraudsters, hackers and private eyes over the years.

Members of secretive group indicted in piracy plot
3rd, February, 2006

A group of cyber-pirates stole copyrighted software, games and movies in what law enforcement authorities on Wednesday termed a "massive" theft for their own pleasure, not profit. The indictments were announced by U.S. Attorney Patrick Fitzgerald in Chicago against 19 members of the underground piracy group known as "RISCISO," led by Sean O'Toole, 26, of Perth, Australia. Another member of the group implicated in the FBI's investigation, dubbed "Operation Jolly Roger," was Linda Waldron, 57, of Barbados. Extradition will be sought for both.

DHS wants to improve software security
3rd, February, 2006

The Homeland Security Department wants public comment on two draft documents that are part of a federal program to improve software security, according to today's Federal Register.

Millionaire on hacking charge
31st, January, 2006

Matthew Mellon, heir to a £6.6 billion banking and oil fortune, will appear in court next month in connection with an investigation into an alleged phone-tapping and computer hacking gang. The former husband of Tamara Mellon, who runs the Jimmy Choo shoe empire, will appear alongside 17 other defendants accused of involvement in the operation, which allegedly provided clients with confidential information about wealthy people and businesses.

Botnet Herders Hide Behind VoIP
1st, February, 2006

Internet telephone applications like Skype and Vonage could become hacker hideouts, a group of technologists and academics funded by MIT and Cambridge University said Thursday. According to the Communications Research Network (CRN), voice-over-Internet (VoIP) software could give perfect cover for launching denial-of-service (DoS) attacks.

Was the WMF vulnerability purchased for $4000?!
2nd, February, 2006

Going through Kaspersky's latest summary of Malware - Evolution, October - December 2005, I came across a research finding that would definitely go under the news radar, as always, and while The Hackers seem to be more elite than the folks that actually found the vulnerability I think the issue itself deserves more attention related to the future development of a market for 0day vulnerabilities.

Boston Globe in clueless security breach
3rd, February, 2006

Two Massachusetts papers - the Boston Globe and the Worcester Telegram & Gazette - have apologised after exposing the credit card details of up to 240,000 subscribers. Most of those affected were Globe readers. Information security breaches by major US corporations are becoming an almost weekly event, but the breach involving the two papers, both part of the New England Media Group owned by The New York Times, was especially boneheaded.

Shmoocon 2006: Wi-Fi Trickery or How to Secure, Break and Have Fun with Wi-Fi
1st, February, 2006

Franck Veysset and Laurent Butti, both from France Telecom R&D, presented several proof-of-concept tools at Shmoocon that use 802.11 raw injection. The first is Raw Fake AP. The original Fake AP is a script that generates thousands of fake access points. It is easy to spot because of tell-tale signs like the BSSID showing the AP has only been up for a couple milliseconds. Raw Fake AP tries to generate legitimate access points by modifying BSSIDs and sending beacon frames at coherent time intervals.