[ISN] Linux Security Week - December 26th 2005
InfoSec News
isn at c4i.org
Tue Dec 27 08:20:47 UTC 2005
+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| December 26th, 2005 Volume 6, Number 52n |
| |
| Editorial Team: Dave Wreski dave at linuxsecurity.com |
| Benjamin D. Thomas ben at linuxsecurity.com |
+---------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, perhaps the most interesting articles include "Adaptive
Firewalls with Iptables," "Protecting against undefined exploits and
security threats," and "Four Security Resolutions For The New Year."
---
Earn an NSA recognized IA Masters Online
The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you
can earn this esteemed degree, without disrupting your career or home
life.
http://www.msia.norwich.edu/linsec
---
LINUX ADVISORY WATCH
Happy Holidays! This week, advisories were released for dropbear, nbd,
phpbb2, OpenLDAP, Xpdf, cURL, CenterICQ, digikam, apache2, sudo, kernel,
netpbm, udev, gpdf, kdegraphics, cups, and perl. The distributors
include Debian, Gentoo, Mandriva, and Red Hat.
http://www.linuxsecurity.com/content/view/121084/150/
---
* EnGarde Secure Community 3.0.2 Released
6th, December, 2005
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.2 (Version 3.0, Release 2). This release includes
several bug fixes and feature enhancements to the Guardian Digital
WebTool, the SELinux policy, and the LiveCD environment.
http://www.linuxsecurity.com/content/view/120951
---
Hacks From Pax: SELinux Administration
This week, I'll talk about how an SELinux system differs from a
standard Linux system in terms of administration. Most of what
you already know about Linux system administration will still
apply to an SELinux system, but there are some additions and
changes that are critical to understand when using SELinux.
http://www.linuxsecurity.com/content/view/120700/49/
---
Hacks From Pax: SELinux And Access Decisions
Hi, and welcome to my second of a series of articles on Security
Enhanced Linux. My previous article detailed the background of
SELinux and explained what makes SELinux such a revolutionary
advance in systems security. This week, we'll be discussing how
SELinux security contexts work and how policy decisions are made
by SELinux.
SELinux systems can differ based on their security policy, so
for the purposes of this article's examples I'll be using an
EnGarde Secure Linux 3.0 system, which by default uses a tightly
configured policy that confines every included application.
http://www.linuxsecurity.com/content/view/120622/49/
---
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------+
| Security News: | <<-----[ Articles This Week ]----------
+---------------------+
* Hold the Photons!
20th, December, 2005
How would you feel if you invested millions of dollars in quantum
cryptography, and then learned that you could do the same thing with
a few 25-cent Radio Shack components?
I'm exaggerating a little here, but if a new idea out of Texas A&M
University turns out to be secure, we've come close.
http://www.linuxsecurity.com/content/view/121045
* OpenSSH cutting edge
20th, December, 2005
Federico Biancuzzi interviews OpenSSH developer Damien Miller to
discuss features included in the upcoming version 4.3, public key
crypto protocols details, timing based attacks and anti-worm
measures.
http://www.linuxsecurity.com/content/view/121048
* Encryption: A nice idea that few want to implement?
23rd, December, 2005
Companies are not embracing encryption as a way to protect sensitive
data. According to Ponemon Institute's 2005 National Encryption
Survey, only 4.2% of companies responding to our survey say their
organizations have an enterprisewide encryption plan.
However, the study also reveals that encryption is viewed by many as
an important security tool that enhances the IT professionals'
overall sense of trust or comfort in data-protection efforts. The
primary reasons cited for not encrypting sensitive or confidential
information were concern about system performance (69%), complexity
(44%) and cost (25%). (See "Securing Card Data Isn't An Easy Sell.")
http://www.linuxsecurity.com/content/view/121088
* Pre-Review: Penetration Tester's Open Source Toolkit
23rd, December, 2005
Today I received a copy of the new Syngress book Penetration Tester's
Open Source Toolkit by Johnny Long, Chris Hurley, SensePost, Mark
Wolfgang, Mike Petruzzi, et al. This book appears unnecessarily
massive; it's probably 1/2 thicker than my first book, but at 704
pages it's nearly 100 pages shorter than Tao. I think Syngress used
thicker, "softer" paper, if that makes sense to anyone.
http://www.linuxsecurity.com/content/view/121087
* Adaptive Firewalls with iptables
26th, December, 2005
Up until now, we've looked at stateless and stateful firewalls.
Remember, stateless firewalls only have the features of a given packet
to use as criteria for whether that packet should be passed, blocked,
or logged. With a stateful firewall, in addition to the fields in that
packet, we also have access to the kernel's table of open
connections to use in deciding the fate of this packet.
http://www.linuxsecurity.com/content/view/121099
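As an added example that is not part of the article or the newsletter, the three kinds of INPUT-chain rule set the article contrasts, side by side: stateless, stateful (conntrack) and adaptive (the recent match, which lets the rule set react to what it sees). One external interface named eth0, SSH as the only offered service, the list name "sshguard" and the thresholds are assumptions for illustration; every rule goes through a wrapper so the set can be printed with DRY_RUN=1 and reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example, not from the article: three INPUT-chain rule sets that show
# the stateless -> stateful -> adaptive progression. Assumed for illustration:
# one external interface (eth0), SSH as the only offered service, the recent
# list name "sshguard" and its thresholds.
#
# Every rule goes through ipt() so the set can be reviewed with DRY_RUN=1
# (rules are printed, nothing is applied) before it is run as root.

IPT=${IPT:-iptables}
WAN=${WAN:-eth0}

ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$IPT $*"
  else
    "$IPT" "$@"
  fi
}

# 1. Stateless: only the fields of the packet in hand are available. Replies
#    to connections this host opened can only be admitted by a blanket rule
#    (non-SYN TCP from high ports), which also admits any unsolicited ACK or
#    RST, so an ACK scan walks straight through it.
stateless_rules() {
  ipt -A INPUT -i "$WAN" -p tcp --dport 22 -j ACCEPT
  ipt -A INPUT -i "$WAN" -p tcp --sport 1024:65535 ! --syn -j ACCEPT
  ipt -A INPUT -i "$WAN" -j DROP
}

# 2. Stateful: the conntrack table knows which connections this host opened,
#    so only packets that belong to one of them (or are RELATED, such as ICMP
#    errors) are admitted; the high-port hole is gone, and INVALID packets,
#    ones that fit no known connection, are dropped outright.
stateful_rules() {
  ipt -A INPUT -i "$WAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A INPUT -i "$WAN" -m conntrack --ctstate INVALID -j DROP
  ipt -A INPUT -i "$WAN" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  ipt -A INPUT -i "$WAN" -j DROP
}

# 3. Adaptive: the rule set changes with what it sees. The "recent" match
#    records a timestamp per source for each NEW SSH connection (--set). Once
#    a source has 5 timestamps inside 60 seconds, its next attempts hit the
#    --update rule and are dropped; because --update also records the attempt,
#    the block lasts until the source has been quiet for 60 seconds.
adaptive_rules() {
  ipt -A INPUT -i "$WAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A INPUT -i "$WAN" -m conntrack --ctstate INVALID -j DROP
  ipt -A INPUT -i "$WAN" -p tcp --dport 22 -m conntrack --ctstate NEW \
      -m recent --name sshguard --update --seconds 60 --hitcount 5 -j DROP
  ipt -A INPUT -i "$WAN" -p tcp --dport 22 -m conntrack --ctstate NEW \
      -m recent --name sshguard --set -j ACCEPT
  ipt -A INPUT -i "$WAN" -j DROP
}

# Usage: DRY_RUN=1 sh rules.sh adaptive   (review)   sudo sh rules.sh adaptive
# (rules.sh is an assumed file name.)
case "${1:-}" in
  stateless|stateful|adaptive) "${1}_rules" ;;
esac
```

Two caveats a practitioner will want: the recent match keeps at most ip_pkt_list_tot timestamps per source (20 by default), so --hitcount must not exceed that, and every client behind one NAT address shares the same counter, so a busy office can lock itself out of SSH with thresholds this low. `-m state --state` is the older spelling of `-m conntrack --ctstate` found in articles of this period; the semantics are the same.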
* New biometrics software looks for sweat
23rd, December, 2005
Researchers at Clarkson University have found that fingerprint
readers can be spoofed by fingerprint images lifted with Play-doh or
gelatin or a model of a finger molded out of dental plaster. The
group even assembled a collection of fingers cut from the hands of
cadavers.
In a systematic test of more than 60 of the carefully crafted
samples, the researchers found that 90 percent of the fakes could be
passed off as the real thing.
http://www.linuxsecurity.com/content/view/121089
* Ping: ICMP vs. ARP
22nd, December, 2005
Today almost every organization employs firewalls for enhanced
security. Firewalls can be set up in such a way that Internet Control
Message Protocol (ICMP) echo requests are blocked, which means that
traditional pings do not work. Setting a firewall to block ICMP echo
requests is based on the theory that if a would-be hacker cannot
"see" the target, he may not attack the host.
http://www.linuxsecurity.com/content/view/121078
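As an added example that is not part of the article, a liveness probe that tries an ICMP echo first and falls back to ARP. The point it makes is the article's: a host that filters ICMP must still answer ARP, or its own IP address stops working on the segment, so blocking pings hides it only from probes that cross a router; on the local segment ARP still finds it. The default interface eth0, the 192.0.2.0/24 documentation addresses and the PING/ARPING variables (which let the probe be exercised with stand-in commands) are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: a liveness probe that tries an ICMP
# echo first and falls back to ARP. A host that blocks ICMP must still answer
# ARP, or its own IP address stops working on the segment, so it cannot hide
# from a neighbour this way. ARP does not cross routers: from another subnet
# the ARP reply would come from the gateway, not the target.
#
# Assumed for illustration: eth0 as the default interface, the 192.0.2.0/24
# documentation range for sample addresses, and the PING/ARPING variables,
# which let the probe be exercised with stand-in commands (e.g. PING=false).

PING=${PING:-ping}        # iputils ping:   -c count, -W timeout in seconds
ARPING=${ARPING:-arping}  # iputils arping: -c count, -w deadline, -I iface

# probe_host HOST [IFACE]
# Prints one of: icmp (echo reply), arp-only (no echo, but ARP answered),
# down (neither). Exit status is 0 when the host answered either probe.
probe_host() {
  host=$1
  iface=${2:-eth0}
  if $PING -c 1 -W 1 "$host" >/dev/null 2>&1; then
    echo icmp
    return 0
  fi
  # Echo blocked or host down: ask the segment who owns the address.
  # arping needs a raw socket, i.e. root or CAP_NET_RAW.
  if $ARPING -c 1 -w 1 -I "$iface" "$host" >/dev/null 2>&1; then
    echo arp-only
    return 0
  fi
  echo down
  return 1
}

# sweep IFACE HOST... : one "HOST STATE" line per host. Hosts reported as
# arp-only are up and filtering ICMP, which is exactly what a plain ping
# sweep run from the same segment would miss.
sweep() {
  iface=$1
  shift
  for h in "$@"; do
    state=$(probe_host "$h" "$iface") || true
    printf '%s %s\n' "$h" "$state"
  done
}

# Usage: sudo sh probe.sh eth0 192.0.2.10 192.0.2.11   (probe.sh: assumed name)
if [ $# -ge 2 ]; then
  sweep "$@"
fi
```

The same fallback is built into network scanners (nmap's -PR option does an ARP ping for targets on the local segment), and the defensive reading is the mirror image: a firewall policy that drops echo requests buys nothing against an attacker who is already on the LAN, and an ARP sweep of a subnet is itself a detectable event worth alerting on.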
* Protecting against undefined exploits and security threats
21st, December, 2005
There is a wealth of tools available to help protect the enterprise
from security threats. Firewalls, virtual private networks, strong
user authentication, encryption, intrusion detection/prevention
systems (IDS/IPS), email filters, antivirus, vulnerability scanners
are all options. Each of these point solutions is capable of
addressing a specific element of the security mosaic. To cover their
individual limitations, many enterprises pile these solutions on top
of one another, which by itself does not add up to effective IT security.
http://www.linuxsecurity.com/content/view/121068
* Security-Enhanced Linux Moving into Mainstream
19th, December, 2005
Security Enhanced Linux has moved into the mainstream of operating
system architecture in recent years. For those who don't understand
the technology, many articles exist.
SELinux provides mandatory access control to a wider audience. It
helps limit the damage a 0-day attack can do, since a compromised
process stays confined to what the policy allows it.
http://www.linuxsecurity.com/content/view/121038
* Security the focus as Debian upgrades
21st, December, 2005
The Debian Project has released an update to its popular GNU/Linux
distribution, with security-related bugfixes a key feature.
"This is the first update of Debian GNU/Linux 3.1 (codename 'Sarge')
which mainly adds security updates to the stable release, along with
some corrections to serious problems," said Debian security team
member Martin Schulze in an e-mail announcing the update.
http://www.linuxsecurity.com/content/view/121067
* Nessus 3.0: The End of the Age of Open-Source Innocence?
22nd, December, 2005
"Here's the danger we are running into," said Alan Shimel, Chief
Strategy Officer for StillSecure. "People contribute resources to
these communities, whether it be time, money, or code. When they see
everything they give converted for the commercial success of an
individual rather than as a community as a whole, how long do you
think they are going to want to keep giving?"
http://www.linuxsecurity.com/content/view/121077
* VMWare: Virtual Machine Security Flaw 'Very Serious'
23rd, December, 2005
Virtual infrastructure software maker VMWare Inc. has rushed out
fixes for a "very serious" security flaw that put users of its
product line at risk of code execution attacks. The vulnerability
affects both Windows and Linux hosts and is present in VMware
Workstation 5.5, VMware GSX Server 3.2, VMware ACE 1.0.1 and the free
VMware Player 1.0. All previous versions of these products are also
affected.
http://www.linuxsecurity.com/content/view/121091
* Viewing 2005: The year in security
19th, December, 2005
The security events of 2005 led some to believe things were getting
better when, in truth, it was more the case that what you can't see
really can hurt you. The surface may have appeared still and
unthreatening but underneath the currents were anything but friendly,
as Will Sturgeon explains.
Phishing, spam, spyware, Trojans, viruses and worms - you'd be
forgiven for thinking 2005 was very much 'same old, same old' but
there were trends which came to light during the past 12 months that
will have the security experts scrutinising their radars long into
the New Year.
http://www.linuxsecurity.com/content/view/121039
* The Enemy Within
19th, December, 2005
Workers across Europe are continuing to place their own companies at
risk from information security attacks. This 'threat from within' is
undermining the investments organisations make to defend against
security threats, according to a study by security firm McAfee.
http://www.linuxsecurity.com/content/view/121040
* Social Engineering And Other Threats To Internal Security
21st, December, 2005
Consider the following scenario. A good looking woman is wandering
around your premises and approaches you asking to show her how to use
some functions in Excel or any other application. Do you start
quizzing her on who she is and what department she comes from,
or do you invite her to your PC and show her what she needs to know?
Let's say you choose the latter and then she asks you for a drink:
would you leave her unattended at your PC or do you get her to
accompany you?
http://www.linuxsecurity.com/content/view/121062
* Firms count the cost of security threats
20th, December, 2005
Security threats soared during 2005, along with the risk of financial
losses, but a new report shows that companies still aren't heeding
the warnings.
According to the State of Information Security 2005 report from
PricewaterhouseCoopers and CIO Magazine, not only are
security-related events up 22.4 percent on last year's figures, but
the number of organisations reporting financial losses as a result of
the attacks is also surging. Twenty-two percent of companies said
they had been hit financially, compared with 7 percent last year.
http://www.linuxsecurity.com/content/view/121046
* Information Security for Small Businesses
20th, December, 2005
Due to technological advances, the rapid growth of the Internet, and
a significant decline in computer and network equipment prices in
recent years, many technologies and systems that were once only
available to large corporations are now employed by the small
business community. Thanks to the Internet and the world of
ecommerce, small businesses can dramatically increase their customer
base and reach new markets by selling their products and services
online.
http://www.linuxsecurity.com/content/view/121047
* Study: Network security market to reach $6 billion
20th, December, 2005
Network security software and hardware is expected to be a $6 billion
market by 2008, a jump fueled primarily by the increasing need for
companies to purchase products that secure content and devices, such
as intrusion prevention systems (IPS) and network access control
(NAC) equipment.
http://www.linuxsecurity.com/content/view/121058
* Security: Forensic Tools in Court
21st, December, 2005
An interesting question comes to mind when you use as many open
source forensic and security tools as I do: if I ever go to court
over this case, will my tools be considered valid? When you do
examine this issue closely, you find many versions of the answer,
both on the legal and techie sides.
http://www.linuxsecurity.com/content/view/121063
* Preparing for day zero
21st, December, 2005
The zero-day spectre is looming ever larger.
Nimda struck in 2001, a year after Microsoft issued a patch for
the security hole in Internet Explorer. In 2003, Slammer exploited a
vulnerability for which a patch had been issued six months earlier.
Then with Blaster, the window was down to three weeks. "If you had
no time to patch in 2001, and no time to patch in 2003, what about
now with three weeks? And what about the Zotob worm, five days?"
http://www.linuxsecurity.com/content/view/121070
* Security Risks You and Your Family Impose on your Company's
Computing and Networking Assets
22nd, December, 2005
Computer and Network Security is quickly becoming Information
Technology's hot occupation. After the colossal disasters of the
September 2001 terrorist attacks and the more recent natural
disasters, companies have looked long and hard at how to better
protect their computing and networking assets from the numerous
hackers, natural disasters and foreign terrorists. This includes
spending more resources on hardware, upgrading software, and
relearning Information Technology priorities. Unfortunately, the
vast majority of the greatest minds in Information Technology Security
are overlooking the one element that can stroll right up to a company's
computing asset and destroy it in one or two clicks. It's you the
employee, your family or family friend.
http://www.linuxsecurity.com/content/view/121074
* Rising to a Higher Standard Isn't Easy
22nd, December, 2005
Some employees are held to a higher standard of behavior than most.
Anyone in a position with broad powers or influence falls into this
group, including accountants, managers, systems administrators -- and
information security professionals.
Like systems administrators, information security professionals
generally have access to a great deal of data and information. Even
if they don't have direct access, they generally know how to obtain
it by exploiting a weakness (like hackers, but with the opposite
intent) or by simply giving themselves elevated privileges.
http://www.linuxsecurity.com/content/view/121075
* Top 7 PHP Security Blunders
23rd, December, 2005
PHP is a terrific language for the rapid development of dynamic
Websites. It also has many features that are friendly to beginning
programmers, such as the fact that it doesn't require variable
declarations. However, many of these features can lead a programmer
inadvertently to allow security holes to creep into a Web
application. The popular security mailing lists teem with notes of
flaws identified in PHP applications, but PHP can be as secure as any
other language once you understand the basic types of flaws PHP
applications tend to exhibit.
http://www.linuxsecurity.com/content/view/121090
* Four Security Resolutions For The New Year
26th, December, 2005
I always know what my first New Year's resolution is going to be,
because it's the same every year: lose weight. Chances are, you
have the same one. But by the time the Super Bowl happens, and you
eat seven thousand calories on that one day, you'll already have
given up on that resolution.
http://www.linuxsecurity.com/content/view/121098
* IT security professionals moving up the corporate pecking order
26th, December, 2005
Ultimate responsibility for information security is moving up
corporate management hierarchies, as board-level directors and CEOs,
or CISOs/CSOs, are increasingly held accountable for safeguarding
IT infrastructures, new research has revealed. The second annual
Global Information Security Workforce Study, conducted by global
analyst firm IDC and sponsored by not-for-profit IT security
educational organisation, the International Information Systems
Security Certification Consortium (ISC)2, expects this accountability
shift to continue as information security becomes more relevant in
risk management and IT governance strategies.
http://www.linuxsecurity.com/content/view/121100
* Feds Say Computer Surveillance Hindered Without Patriot Act
22nd, December, 2005
In part of a major Bush Administration lobbying blitz Wednesday, the
Department of Justice has released a list of technology-related
ramifications if the remaining provisions of the Patriot Act aren't
passed by Dec. 31.
Lobbying hard for the passage of the remaining portions of the
broad-sweeping legislation, the department released a statement
Wednesday stating that the federal government would revert to a
"pre-9/11 mode of information sharing ... where terrorists and spies
can use technology against us."
http://www.linuxsecurity.com/content/view/121076
* Dutch Botnet Bigger Than Expected
22nd, December, 2005
Dutch prosecutors who last month arrested a trio of young men for
creating a large botnet allegedly used to extort a U.S. company,
steal identities, and distribute spyware now say they bagged bigger
prey: a botnet of 1.5 million machines.
http://www.linuxsecurity.com/content/view/121081
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email newsletter-request at linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------