This week, perhaps the most interesting articles include "Demystifying Security Enhanced Linux," "," and "."




LINUX ADVISORY WATCH - This week, advisories were released for tkdiff, scponly, XnView, pineentry, KPdf, libgphoto, printer-filters-utils, nss_ldap, mdkonline, tkcvs, and ethereal. The distributors include Debian, Gentoo, and Mandriva.

LinuxSecurity.com Feature Extras:

Hacks From Pax: SELinux Administration - This week, I'll talk about how an SELinux system differs from a standard Linux system in terms of administration. Most of what you already know about Linux system administration will still apply to an SELinux system, but there are some additions and changes that are critical to understand when using SELinux.

Linux File & Directory Permissions Mistakes - One common mistake Linux administrators make is having file and directory permissions that are far too liberal and allow access beyond that which is needed for proper system operations. A full explanation of unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

Introduction: Buffer Overflow Vulnerabilities - Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.


Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe, send an e-mail to [address hidden by the site's spambot protection] with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


Review: Advancing Firewall Protection
9th, January, 2006

With more than one million users, U.K.-based SmoothWall’s Firewall may just be the most popular software firewall that has yet to become a household name. Test Center engineers recently took a look at products from SmoothWall to see what all the buzz is about and to see exactly why one million users have chosen the product.

What are Rootkits?
3rd, January, 2006

Rootkits are Internet-based threats that have recently been discussed at great length, basically in the light of the fact that a large company distributed a rootkit with some of its products.

But, what exactly is a rootkit? Why are rootkits so dangerous? Is it true that they cannot be removed from systems? We are going to try to give answers to these questions and lay various myths to rest.

A better VNC with FreeNX for remote desktop control
9th, January, 2006

VNC is well-known for allowing the remote control of another desktop machine via your own computer. For instance, using VNC you can easily control your home PC from work, and vice versa. The problem with VNC is that it's not overly secure and it can be quite slow, particularly if you have a lot of fancy graphics or backgrounds on the remote computer. Other solutions also exist for remote control of a GUI, such as running X over ssh, proprietary tools like Apple's Remote Desktop, etc., but they all tend to have the same drawbacks; they are either insecure or tend to be slow.

Registration Open for the Second Security-Enhanced Linux Symposium and Developer Summit
5th, January, 2006

Registration for the Security-Enhanced Linux (SELinux) Symposium is now open at www.selinux-symposium.org. The event, scheduled for February 27-March 3, 2006 in Baltimore, Maryland, explores the emerging SELinux technology and the power of flexible mandatory access control in Linux.

Demystifying Security Enhanced Linux
6th, January, 2006

In this paper I will try to explain the philosophy behind Security Enhanced Linux (SE Linux). I will, however, try to explain the concept with an example, but to keep the length readable I will refrain from going into much implementation detail, e.g. commands and similar stuff.

Security Hole Claimed for BlackBerrys
3rd, January, 2006

New research released over the weekend indicated that BlackBerrys -- the ubiquitous handheld devices favored by on-the-go types -- are vulnerable to a security hole that could let attackers break in to the gadgets by convincing users to open a specially crafted image file attached to an e-mail.

EnGarde Secure Community 3.0.3 Released
3rd, January, 2006

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.3 (Version 3.0, Release 3). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool, the SELinux policy, and the LiveCD environment.

Linux Kernel Multiple Denial of Service and Privilege Escalation Issues
4th, January, 2006

Multiple vulnerabilities were identified in Linux Kernel, which could be exploited by malicious [local] users to cause a denial of service and potentially obtain elevated privileges.

Debian developers trim platform support
5th, January, 2006

Debian Etch, the next major version of the Linux distribution, will only be available on eight architectures, with four getting the boot. Steve Langasek, a release manager at Debian, said in a mailing list posting last week that the official release of Etch, which is due in December 2006, will not be ported to systems based on the ARM, Motorola 68k, IBM S/390 and Sun SPARC architectures.

McAfee Settles Fraud Charges
5th, January, 2006

Security vendor McAfee agreed on Wednesday to pay a $50-million fine to the U.S. Securities and Exchange Commission to settle charges that it overstated its revenue and earnings by hundreds of millions of dollars, closing an unpleasant chapter in the company’s history.

Apache shot with security holes
9th, January, 2006

Companies running Apache and a PostgreSQL database are at risk from serious Internet intrusion. Red Hat warned of a flaw late last week in mod_auth_pgsql, an Apache module that allows authentication against information in popular open-source database PostgreSQL.

Linux Netwosix Creator Discusses 2.0 Vision, Future
3rd, January, 2006

The recent announcement of the 2.x branch of Linux Netwosix may prompt LinuxWorld readers to ask why there were two releases--1.3 and 2.0-rc1--of this software within a week. So we contacted its creator, 19-year-old Vincenzo Ciaglia of the University of Salerno, Italy to find the answer to this and other questions.

Network Forensic Traffic Reconstruction with Tcpxtract
4th, January, 2006

Today I got a chance to try Nick Harbour's Tcpxtract program. I had heard of it several months ago, but I had trouble compiling it on FreeBSD. Just now I tried the regular ./configure, make, make install routine using version 1.0.1 and had no problems.

All the Rage: It's 2006: Do You Know Where Your Security Policies Are?
2nd, January, 2006

It's the beginning of a new year--time to review your approach to security policy. If you think implementing firewalls, IDSs and antivirus/antispam products is enough, you're sorely mistaken. No matter the size of your enterprise, you must define a framework of security policies, standards and procedures for securing valuable corporate assets. If you don't, you may be leaving your company open to a variety of vulnerabilities.

Over 5,000 bugs in 2005
2nd, January, 2006

The end of an old year and beginning of a new one is always a favorite time to compile lists. One such compendium comes from the US-CERT, the US Computer Emergency Readiness Team, which has come up with a list of 5,198 software bugs that were discovered during 2005, a 38 percent increase from 2004. The bugs ran the gamut from A (Aaron Outpost ASP inline Corporate Calendar Permits Remote SQL Injection on Windows OSes) to Z (the multiplatform Zyxel Prestige 650R-31 Router Remote Denial of Service).

All the Rage: Happy Rue Year
3rd, January, 2006

If 2005 seemed a particularly overwhelming year in terms of security problems, you're not imagining things. According to an annual report compiled by U.K.-based security vendor Sophos, there were about 16,000 new worms, viruses and Trojans identified during the year--48 percent more than the 10,724 detected in 2004. Some 1,940 new threats were discovered in November alone--the largest monthly increase Sophos has ever registered.

CISOs Move Beyond Tech
3rd, January, 2006

Top security executives will have some of the most fluid job descriptions in the industry this year. There will be a continuing separation of operational security from policy setting and oversight, predicts Paul Stamp, an analyst at Forrester Research.

Reporter's Notebook: Security
3rd, January, 2006

Compliance will dominate the security agenda for 2006. The growing number of regulations -- and the consequences of not complying with them -- have elevated security into the boardroom. CIOs will use compliance to justify most of their information security spending this year -- even for technologies IT would have implemented anyway.

Marriott loses data on 200,000 customers
3rd, January, 2006

Hotel chain Marriott admitted last Tuesday that backup computer tapes containing data on approximately 206,000 customers were missing from a company office in Florida. The data, which relates to customers of its time-share division, Marriott Vacation Club International, included personal information such as the credit card details, Social Security numbers and, in a few cases, the bank details of customers.

Linux vs. Windows security
3rd, January, 2006

Microsoft and Linux both provide support for authentication, access control, audit trail/logging, Controlled Access Protection Profile, and cryptography. However, Linux is superior due to Linux Security Modules, SELinux, and winbind. The user of a Linux system can decide to add additional security mechanisms to a Linux distribution without having to patch the kernel.

INFOSEC Assurance Capability Maturity Model
4th, January, 2006

The INFOSEC Assurance - Capability Maturity Model (IA-CMM) is based on the System Security Engineering Capability Maturity Model (SSE-CMM) and modified to address the INFOSEC assurance processes. Whereas IATRP methodology training focuses on an individual's ability to conduct an INFOSEC assurance service, the IA-CMM appraisal focuses on a provider organization's capability to support INFOSEC analysts in conducting their mission objectives (i.e. to provide quality INFOSEC Assurance or Evaluation).

More IT Security Pros Filling Executive Roles
4th, January, 2006

Information security professionals, already experiencing a surge in demand for their badly needed technical skills, may also get a chance this year to flex their business acumen. IT security professionals are being invited into corporate board rooms around the globe, wielding more influence and finding increased opportunities. The 2005 Global Information Security Workforce Study, sponsored by the International Information Systems Security Certification Consortium, or (ISC)2, found that more than 70 percent of respondents believe they exercised more influence on executives in 2005 than in the previous year. More than 73 percent expect their influence to continue growing.

Sad State Of Data Security
4th, January, 2006

How does this keep happening? Companies have been publicly humiliated, slapped with audits, and threatened with prosecution, but sensitive personal data continues to be compromised. The U.S. Department of Justice is the latest to demonstrate its information-security incompetence. The mistake: exposing Social Security numbers on its Web site.

2006: Year of the Hacker?
5th, January, 2006

Computer hackers sought to create havoc on the Web last week by launching two attacks targeting Microsoft Windows users -- one circulating a virus disguised as the company's instant messenger client, the other exploiting a previously unknown flaw in its operating system. The attacks came as computer security experts warned that following a year that saw an unprecedented 150,000 computer viruses emerge, 2006 could be the worst on record for hacker mayhem.

Massive demand for unauthorised Windows patch
5th, January, 2006

Ilfak Guilfanov's personal Web site has been taken offline by his hosting provider after hordes of Microsoft users scrambled to download his unofficial patch against the Windows Metafile vulnerability. According to antivirus firm F-Secure, demand for the unauthorised Windows Meta File (WMF) patch developed by Guilfanov was so high his hosting provider temporarily shut his Web site on Wednesday morning.

The Importance of a Security, Education, Training and Awareness Program
5th, January, 2006

End-user computing has emerged as a vital component of the overall information resource of the organization. [1] This emergence has made its way not only into the information resource but also into the information security of an organization. The end-user has access to the most vital information a company has and either has the knowledge of how to circumvent the systems that have been put in place to protect the organization's information, or lacks the knowledge that is needed to protect this information, as well as the well-being of the organization’s network itself.

Why Linux Is More Secure Than Ever
5th, January, 2006

As Linux becomes more prevalent in today’s enterprise systems, it raises questions about the best way to protect the open source technology. David Humphrey, senior technology advisor for Ekaru, a Westbrook, Mass.-based technology services company, discussed some of those issues with Security Pipeline.

You can’t manage what you can’t see!
6th, January, 2006

Security threats have grown more menacing with the appearance of the likes of Sober, Mytob, and Bagle. Along with the newer trends of spyware, phishing and key logging, the implications of ineffective information security have become potentially debilitating to business operations and indeed strategy.

US-CERT's FUD
6th, January, 2006

Everywhere you look in the trade press today, you'll find glowing misrepresentations of US-CERT's latest annual summary of vulnerabilities discovered in 2005. If you take the summary findings at face value, you would likely conclude that Windows -- with 812 reported vulnerabilities -- is a much safer operating system than something called "Unix/Linux," which totaled 2,328. The US-CERT summaries have become the fodder for a FUD festival, and many scribes sympathetic to the Microsoft cause go out of their way to make sure the real picture never emerges.

Experts question Windows win in flaw tally
6th, January, 2006

Critics have taken aim at a study published by the U.S. Computer Emergency Readiness Team that said more vulnerabilities were found in Linux/Unix than in Windows last year. The report, Cyber Security Bulletin 2005, was released last week. It claimed that out of 5,198 reported flaws, 812 were found in Microsoft's Windows operating system, 2,328 were found in open-source Unix/Linux systems. The rest were declared to be multiple operating-system vulnerabilities.

A Step-By-Step Guide to Computer Attacks and Effective Defenses
9th, January, 2006

Five years after writing one of the original books in the hack attack and countermeasures genre of books, Ed Skoudis has teamed up with Tom Liston to create a revised and updated version. Counter Hack Reloaded brings Counter Hack up to date with new technologies and attack types as well as providing the information you need to protect your computer and network from being targeted by these attacks.

Three more states add laws on data breaches
9th, January, 2006

Companies struggling to keep up with a patchwork of state laws related to data privacy and information security have three more to contend with, as new security-breach notification laws went into effect in Illinois, Louisiana and New Jersey on Jan. 1. Like existing statutes in more than 20 other states, the new laws prescribe various actions that companies are required to take in the event of a security breach involving the compromise of personal data about their customers.

DNS Name Prediction With Google
2nd, January, 2006

As discussed in “Google Hacking for Penetration Testers”