This week, perhaps the most interesting articles include "," "," and "."


Earn an NSA recognized IA Masters Online - The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.


LinuxSecurity.com Feature Extras:

RFID with Bio-Smart Card in Linux - In this paper, we describe the integration of a fingerprint template and RF smart card for a clustered network, designed on the Linux platform and open source technology to obtain biometrics security. The combination of smart card and biometrics is achieved in a two-step authentication, where smart card authentication is based on a Personal Identification Number (PIN) and the card holder is authenticated using the biometrics template stored in the smart card, based on fingerprint verification. The fingerprint verification has to be executed on a central host server for security purposes. The protocol designed allows controlling all parameters of the smart security controller, such as PIN options, reader delay, real-time clock, alarm option and cardholder access conditions.

pgp Key Signing Observations: Overlooked Social and Technical Considerations - While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.

Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital’s multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe, send an e-mail to [email address hidden] with "subscribe" as the subject.

Security on your mind?

Protect your home and business networks with the free, community version of EnGarde Secure Linux. Don't rely only on a firewall to protect your network, because firewalls can be bypassed. EnGarde Secure Linux is a security-focused Linux distribution made to protect your users and their data.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


Hacking Doesn't Crack the Code
4th, November, 2006

Something -- maybe a lot of things -- is wrong with how America conducts its elections. As you might have heard, there were a few problems down in Florida back in 2000, and more recently in the Maryland primary. No doubt, voting and vote-counting can be messy, complicated and subject to potentially outcome-shifting flaws. With that as backdrop and five days before Election Day, HBO weighs in tonight with "Hacking Democracy," a somewhat torpid documentary that is itself complicated, flawed and messy.

Common Security Solutions Can't Prevent Data Theft
11th, November, 2006

Widely used data security solutions have been found useless against several methods of data theft, according to tests conducted by data security company Innersafe Corporation. Types of data exposed included those useful for fraud, identity theft, phishing, or spamming. And, like tampered votes in certain electronic voting machines, data theft can remain undetected after it happens.

A Quantum Leap in Data Encryption
12th, November, 2006

With security on the Internet, there's always some nagging doubt. Can you ever be absolutely certain, for example, that the e-mail you're sending with some confidential business information attached isn't going to be intercepted and read as it travels the digital highways and byways? Using the Internet for anything sensitive requires some faith that everything in place to ensure the security of the information you're working with -- all the encryption, passwords, and security policies -- will, in fact, work. But as with most things in life, nothing is certain except uncertainty itself.

Enhance Your Mail Server With ASSP (Anti-Spam SMTP Proxy)
10th, November, 2006

"The ASSP server project is an Open Source platform-independent transparent SMTP proxy server that leverages numerous methodologies and technologies to both rigidly and adaptively identify spam. This web site's domain name, "ASSPSMTP", is the common name used for the daemon or service running ASSP." In short, ASSP is the most kickass solution that is both free and works great. It reduced spam to an absurd minimum for me. The current solutions (Spamassassin, Razor, Pyzor, Dcc) were not enough for my situation. This software works from port 25 on a system and stops spam where it enters your system.

Abuse Handling And The Misfortunes Of The Good Samaritan
8th, November, 2006

The requirement for domain name holders to provide a working abuse@ email address comes not only from tradition, but also from RFC 2142. It's interesting to note that that RFC doesn't address itself to just ISPs, it goes for any entity on the Internet. So do your postmaster, info, NOC, hostmaster, webmaster, abuse, security, ... email addresses actually work? Having been on both sides of the fence when it comes to [email address hidden], let's look at some misconceptions.

Book: Designing and Implementing Linux Firewalls and QoS using netfilter, iproute, NAT and l7-filter
8th, November, 2006

Firewalls are used to protect your network from the outside world. Using a Linux firewall, you can do a lot more than just filtering packets. This book shows you how to implement Linux firewalls and Quality of Service using practical examples from very small to very large networks.

After giving us a background of network security, the book moves on to explain the basic technologies we will work with, namely netfilter, iproute2, NAT and l7-filter. These form the crux of building Linux firewalls and QOS. The later part of the book covers 5 real-world networks for which we design the security policies, build the firewall, setup the script, and verify our installation.

Providing only necessary theoretical background, the book takes a practical approach, presenting case studies and plenty of illustrative examples.

META REFRESH as a Response Header
8th, November, 2006

And the obvious question is - what is this response header? To answer that, we need to dig in the dusty archives. Apparently, the Refresh header was invented by Netscape, in their "AN EXPLORATION OF DYNAMIC DOCUMENTS" paper. The document is un-dated, but it references Netscape Navigator 1.1, which was released in March 1995 according to Wikipedia. This makes the author believe that the paper actually pre-dated the first HTTP 1.0 specification (RFC 1945, dated May 1996), and somehow never made it to any of the HTTP RFCs (e.g. Roy T. Fielding post "Re: HTTP/1.1 Refresh header field comments"). Nevertheless, since the Refresh header was de-facto standard in Navigator, Microsoft Explorer simply had to support it (and from personal experience, IE 6.0 indeed supports the Refresh header).

WAN Acceleration: Best Practices for Preserving Security
6th, November, 2006

As more and more enterprises undergo server centralization projects, new products will be introduced to improve network and application performance. By following basic security precautions, enterprises can ensure that these performance improvements do not come at the expense of data security.

How Much Can A LAN Switch Protect Your Network?
8th, November, 2006

Call it NAC (Cisco's Network Admission Control) or, well, NAC (network access control), or even NAP (Microsoft's Network Access Protection). Any way you refer to it, these schemes for shutting out unwanted users at the LAN switch port level are among the most buzzed about network technologies. Almost all Ethernet vendors offer some sort of NAC technology -- even D-Link, SMC and Linksys on the low end. Advanced network product integration, such as Cisco's NAC or Nortel's Secure Network Architecture, allow LAN switches to communicate with back-end security gear to filter dangerous or unsecure users and shut down unwanted network activity -- in theory. And almost every LAN vendor offers basic network protection features, such as 802.1X, access control lists, and media access control address filtering.

Why One Virus Engine Is Not Enough
11th, November, 2006

It is a well known fact that viruses, trojan horses, worms, spam, and other forms of malware present a real threat to all modern-day organizations and affect productivity and business operations negatively. According to the 2006 FBI Crime and Security Survey, 97% of organizations have anti-virus software installed, yet 65% have been affected by a virus attack at least once during the previous 12 months. Network World cited studies that placed the cost of fighting Blaster, SoBig.F, Sober and other email viruses at $3.5 billion for US companies alone. Similarly a 2006 study by the British government found that 43% of companies in the United Kingdom were infected by viruses during 2005.

IPv6 Security Issues
12th, November, 2006

For more than three decades now, the Internet's end-to-end model has functioned remarkably well. This model has allowed the evolution of a transparent network architecture that efficiently supports the transport of data without caring what the data itself represents [7]. Furthermore, being transparent and application-neutral has facilitated the creation and evolution of new Internet applications and services that operate on the same thirtysomething network architecture -- which until recently had not required any major overhaul.

SPI Adds Web Application Security Tools for Java, AJAX
7th, November, 2006

The Atlanta-based software maker introduced several new add-ons to DevInspect 3.0, which promises to help Web applications designers locate potential flaws in their work using so-called black box testing tools in combination with source code inspection technology.

By identifying and verifying exploitable security defects using the automated black box system, and scouring program source code for more common errors, the company maintains that the product provides customers with a hybrid technique for eliminating potential glitches in Web-based systems. The product also seeks to facilitate more effective communication related to vulnerability reporting and remediation between IT security specialists and software developers.

EnGarde Secure Linux v.3.0.10 Now Available
7th, November, 2006

Guardian Digital is pleased to announce the release of EnGarde Secure Community 3.0.10 (Version 3.0, Release 10). This release includes our new SELinux Control Console and our new context-sensitive Guardian Digital help system, along with bug fixes and upgrades to major applications including Apache, Postfix, and Snort.

For details, see our new Community News and Upgrade page at:

https://linuxsecurity.com

OpenSSH 4.5 Released
7th, November, 2006

OpenSSH 4.5 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

Review: Disk Encryption Products For Your Laptop
9th, November, 2006

You may not always be able to protect your laptop from a thief, but you can keep the data it contains safe. Two new products -- PGP Corp.'s PGP Whole Disk Encryption 9.5 and SecurStar GmbH's DriveCrypt Plus Pack 3.5 -- promise to protect your data, so that even if your computer falls into the wrong hands, its contents will remain unreadable. Both applications are easy to use and offer an impressive suite of tools, but most users will appreciate the more practical features and lower price tag of PGP's product. Both PGP and DriveCrypt offer on-the-fly, full-disk encryption, which means that they scramble all the data on your hard drive the moment you save it to disk. Both use the AES-256 algorithm, a fast, well-established and trusted mechanism for encrypting data.

Increased spam levels connected with aggressive botnet activities
7th, November, 2006

A spam-sending Trojan dubbed "SpamThru" is responsible for a vast amount of the recent botnet activity which has significantly increased spam levels to almost three out of every four emails. The developers of SpamThru exploited numerous tactics to eliminate detection and enhance outreach such as releasing new strains of the Trojan at regular intervals in order to confuse traditional anti-virus signatures detection.

Inside the Hacker's Profiling Project
8th, November, 2006

Imagine being able to preview an attacker's next move based on the traces left on compromised machines. That's the aim of the Hacker's Profiling Project (HPP), an open methodology that hopes to enable analysts to work on the data (logs, rootkits, and any code) left by intruders from a different point of view, providing them with a profiling methodology that will identify the kind of attacker and therefore his modus operandi and potential targets.

We discussed the project with co-founder Stefania Ducci, criminologist for United Nations Interregional Crime and Justice Research Institute (UNICRI). In mid-2004 Ducci began collaborating with Raoul Chiesa on what became the HPP.

Information Security Handbook: A Guide for Managers
9th, November, 2006

This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program. Typically, the organization looks to the program for overall responsibility to ensure the selection and implementation of appropriate security controls and to demonstrate the effectiveness of satisfying their stated security requirements. The topics within this document were selected based on the laws and regulations relevant to information security, including the Clinger-Cohen Act of 1996, the Federal Information Security Management Act (FISMA) of 2002, and Office of Management and Budget (OMB) Circular A-130. The material in this handbook can be referenced for general information on a particular topic or can be used in the decision-making process for developing an information security program. National Institute of Standards and Technology (NISTIR) Interagency Report 7298 provides a summary glossary for the basic security terms used throughout this document. While reading this handbook, please consider that the guidance is not specific to a particular agency. Agencies should tailor this guidance according to their security posture and business requirements.

Wikipedia targeted by virus writer
9th, November, 2006

Online fraudsters slipped a virus into the German edition of the Wikipedia Internet encyclopedia to use as an infection point for a phishing campaign, antivirus firm Sophos said on Friday.

Top 10 Ajax Security Holes and Driving Factors
10th, November, 2006

With Web 2.0, a lot of the logic is shifting to the client-side. This may expose the entire application to some serious threats. The urge for data integration from multiple parties and untrusted sources can increase the overall risk factor as well: XSS, XSRF, cross-domain issues and serialization on the client-side and insecure Web services, XML-RPC and REST access on the server-side.

Study: Employees still balk at security
10th, November, 2006

After years of constant bombardment with news stories about viruses, worms, phishing, identity theft and other modern nightmares, you'd think that most enterprise users would have a good handle on what constitutes risky online behavior. But a new survey of 2,000 remote workers by Cisco Systems Inc. shows that many people still haven't gotten the message. Fully 30% of U.S. respondents said they use their work PC for personal use, and 24% admitted using corporate PCs to open unknown emails. The numbers are even scarier overseas. Executive Editor Dennis Fisher spoke with Cisco CSO John Stewart about the survey findings and how he handles end user security at Cisco.

Phishing gang arrested in eastern Europe and USA
6th, November, 2006

More than 20 FBI offices are said to have been involved in the investigation into the global identity theft ring, which is claimed to have carried out a phishing attack against a major financial institution between August and October 2004.

Employee Privacy, Employer Policy
7th, November, 2006

Your organization has a computer and Internet use policy. Fine. It's been reviewed by corporate counsel, approved by senior management, and implemented over the years. The policy is comprehensive - it includes policies on expectations of privacy, employee monitoring, and the ownership of corporate electronic assets. Now, during the course of an internal investigation, you want to read an employee's e-mail, examine the contents of his company-supplied computer, and review his telephone calls made on the company-owned cell phone. You are all set, right? Umm... not so fast. A pair of recent cases in the United States raise the fundamental question, "do you have a reasonable expectation of privacy at the workplace?" In the United States at least, most people confronted with this question would answer a resounding no, right? I mean, the company policy makes it clear that the computer and network are company property, and that we shouldn't expect any privacy there.

The Spammers Strike Back
7th, November, 2006

Everybody's seen it by now. Spam is up like gangbusters in the last few months. And not just in volume; a lot more of it is getting through filtering mechanisms that had previously been pretty reliable. It's an aggravating and depressing situation. A number of factors have contributed to the situation, and what they all have in common, unfortunately, is that spammers are getting much more sophisticated.

Spam Levels Surge To Unprecedented Levels
9th, November, 2006

No, you're not imagining things. You have been getting a lot of spam lately. That's because digital miscreants are using contaminated images and stealthy malware to unleash unsolicited email at unprecedented levels, according to new research from San Carlos, Calif.-based Postini Inc. and UK-based Sophos. Attackers use these tactics to hijack computers and turn them into spam relays, often without the user's knowledge. "Bot activity is the major driver here," said Daniel Druker, Postini's executive vice president of marketing. "Bot-infected machines become part of these zombie PC armies that are used to push out spam."

US Customs Announces Massive New Database On Trucks And Travelers
6th, November, 2006

US Customs and Border Protection issued a notice in the Federal Register yesterday which detailed the agency's massive database that keeps risk assessments on every traveler entering or leaving the country. Citizens who are concerned that their information is inaccurate are all but out of luck: the system "may not be accessed under the Privacy Act for the purpose of contesting the content of the record." The system in question is the Automated Targeting System, which is associated with the previously-existing Treasury Enforcement Communications System. TECS was built to screen people and assets that moved in and out of the US, and its database contains more than one billion records that are accessible by more than 30,000 users at 1,800 sites around the country. Customs has adapted parts of the TECS system to its own use and now plans to screen all passengers, inbound and outbound cargo, and ships.

'Nasa hackers' detained in Chile
7th, November, 2006

The authorities in Chile have arrested four people who the police say are members of one of the world's most successful groups of computer hackers. The men are accused of breaching more than 8,000 websites, including that of US space agency Nasa. One of the men, who has used the alias "Net Toxic", is alleged to be one of the most prolific hackers in the world. The men were detained in simultaneous raids in three cities in Chile, including the capital Santiago.

Tutorial: Rainbow Tables and RainbowCrack
9th, November, 2006

Rainbow tables reduce the difficulty in brute force cracking a single password by creating a large pre-generated data set of hashes from nearly every possible password. Rainbow Tables and RainbowCrack come from the work and subsequent paper by Philippe Oechslin [1]. The method, known as the Faster Time-Memory Trade-Off Technique, is based on research by Martin Hellman & Ronald Rivest done in the early 1980's on the performance trade-offs between processing time and the memory needed for cryptanalysis. In his paper published in 2003, Oechslin refined the techniques and showed that the attack could reduce the time to attack 99.9% of Microsoft's LAN Manager passwords (alpha characters only) to 13.6 seconds from 101 seconds. Further algorithm refinements also reduced the number of false positives produced by the system.

Piracy Stats Don't Add Up
10th, November, 2006

A confidential briefing for the Attorney-General's Department, prepared by the Australian Institute of Criminology, lashes the music and software sectors. The draft of the institute's intellectual property crime report, sighted by The Australian shows that copyright owners "failed to explain" how they reached financial loss statistics used in lobbying activities and court cases. Figures for 2005 from the global Business Software Association showing $361 million a year of lost sales in Australia are "unverified and epistemologically unreliable", the report says.

Hacking the Free "La Fonera" Wireless Router
6th, November, 2006

FON is still giving away their wireless routers for free in Germany and Austria until Wednesday -- under the premise that the devices will be connected and used as FON access points. The router, called 'La Fonera,' is a variant of OpenWRT, but locked down to prevent modification, including a signed firmware image to prevent the upload of new software. It is, however, possible to get shell access by connecting to a serial port present on the circuit board.