[ISN] Linux Security Week - April 4th 2006
    InfoSec News 
    isn at c4i.org
       
    Tue Apr  4 03:03:59 EDT 2006
    
    
  
+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  April 4th, 2006                            Volume 7, Number 14n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com    |
|                   Benjamin D. Thomas      ben at linuxsecurity.com     |
+---------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, perhaps the most interesting articles include "Steganography
FAQ," "IPCop-OpenVPN HOWTO," "International Body Adopts Network
Security Standard," and "The Top 10 Information Security Myths."
---
EnGarde Secure Linux: Why not give it a try?
EnGarde Secure Linux is a Linux server distribution that is geared
toward providing an open source platform that is highly secure by default
as well as easy to administer. EnGarde Secure Linux includes a select
group of open source packages configured to provide maximum security
for tasks such as serving dynamic websites, high availability mail
transport, network intrusion detection, and more. The Community
edition of EnGarde Secure Linux is completely free and open source,
and online security and application updates are also freely
available with GDSN registration.
http://www.engardelinux.org/modules/index/register.cgi
---
EnGarde Secure Community 3.0.5 Released
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.5 (Version 3.0, Release 5). This release includes
several bug fixes and feature enhancements to the Guardian Digital
WebTool and the SELinux policy, and several new packages available
for installation.
http://www.linuxsecurity.com/content/view/121879/65/
---
pgp Key Signing Observations: Overlooked Social and
Technical Considerations
By: Atom Smasher
While there are several sources of technical information on using
pgp in general, and key signing in particular, this article
emphasizes social aspects of key signing that are too often ignored,
misleading or incorrect in the technical literature. There are also
technical issues pointed out where I believe other documentation
to be lacking. It is important to acknowledge and address social
aspects in a system such as pgp, because the weakest link in the
system is the human that is using it. The algorithms, protocols
and applications used as part of a pgp system are relatively
difficult to compromise or 'break', but the human user can often
be easily fooled. Since the human is the weak link in this chain,
attention must be paid to actions and decisions of that human;
users must be aware of the pitfalls and know how to avoid them.
http://www.linuxsecurity.com/content/view/121645/49/
---
-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+
* (IN)SECURE Issue 6 has been released
  30th, March, 2006
The latest edition of this free PDF digital security magazine is
packed with content that caters all levels of knowledge. Get your
copy today!
http://www.linuxsecurity.com/content/view/122162
* Steganography FAQ
  29th, March, 2006
Steganography is a subject which is rarely touched upon by most IT
Security Enthusiasts. Most people don't see Steganography as a
potential threat; some people don't even know what Steganography is.
With this FAQ I hope to answer any questions anyone may want to ask
about Steganography, and to educate people so they can understand
what exactly Steganography is. Is Steganography a potential threat?
Well, you're about to find out.
http://www.linuxsecurity.com/content/view/122140
* IPCop-OpenVPN HOWTO
  30th, March, 2006
I'm a huge fan of IPCop. It's a great firewall distro that makes
administration a snap using a slick web interface. My goal was to use
IPCop and an easy-to-use VPN client to allow access to my LAN while
away from home.  I ended up going with the ZERINA OpenVPN addon for
IPCop and the OpenVPN GUI for Windows. If you've ever wanted full,
secure, encrypted access to your LAN from any remote location, here
is your guide.
http://www.linuxsecurity.com/content/view/122168
* Defeating the Hacker
  31st, March, 2006
Way back in the early 1980s, Robert Schifreen shot to notoriety as
one of the hackers who broke into Prince Philip's mailbox on the
Prestel service. It was this case that, after the Law Lords ruled
that the forgery laws did not cover typing a user name and password
into a computer screen, instigated the drafting and passage of the
Computer Misuse Act in 1984. Schifreen has spent the intervening
years being a respectable computer journalist, and his specialty --
as you might expect -- is security. Defeating the Hacker: A
Non-Technical Guide to IT Security is the result of years of writing,
research and speaking at conferences on security topics.
http://www.linuxsecurity.com/content/view/122178
* International Body Adopts Network Security Standard
  25th, March, 2006
The International Organization for Standardization (ISO) approved
last month a comprehensive model that identifies critical
requirements to ensure end-to-end network security.  Specifically,
the global standards group formally adopted ISO/IEC 18028-2, which
defines a standard security architecture and provides a systematic
approach to support the planning, design and implementation of
information technology networks.
http://www.linuxsecurity.com/content/view/122087
* Look Toward The Future
  27th, March, 2006
Just like their larger brethren, small to medium-sized enterprises
that wish to garner a competitive advantage must develop an effective
IT plan. Increasingly, IT departments are becoming the hub of the
company, and more and more companies expect their IT managers to
accomplish a variety of tasks with limited resources. In fact, having
an established plan goes far to empower smaller firms so they'll be
able to play with the "big boys" in their industry arenas.
http://www.linuxsecurity.com/content/view/122123
* Learning An Advanced Skillset
  28th, March, 2006
It was almost two years ago now that I wrote the SecurityFocus
article on TCP/IP skills required for security analysts. That article
offered advice on how one can seek employment in the security field
through education, training, and a strong focus on TCP/IP. The idea
came about from all of the questions this author has been asked on
the subject.  There is often a lot of uncertainty as to what one
should study to further one's career in the network security world.
Much as I mentioned previously, it can be a daunting task. What was
laid out as core skills required for a fully competent security
analyst is in reality but a baseline. From that foundation of
skills, learnt and honed over time, you can begin to think about
acquiring more advanced skills.
http://www.linuxsecurity.com/content/view/122133
* Visualization in the Security and New Media World
  31st, March, 2006
Information visualization seems to be a growing trend in today's
knowledge driven, and information-overloaded society. The following
represents a URL tree graph of the Security Mind Streams blog --
looks resourceful! Want to freely graph your site/blog? Take
advantage of Texone's tree, just make sure you don't forget to press
the ESC key at a certain point.
http://www.linuxsecurity.com/content/view/122180
* Are Cyber Criminals Or Bureaucrats The Industry's Top Performer?
  28th, March, 2006
Last week, I came across a great article at Forbes.com, "Fighting
Hackers, Viruses, Bureaucracy", an excerpt: "Cyber security largely
ends up in the backseat," says Kurtz, who prior to lobbying did
stints in the State Department, the National Security Council and as
an adviser to President George W. Bush on matters relating to
computer security. "Our job is to shine a bright light on it, to help
people understand it."
http://www.linuxsecurity.com/content/view/122136
* Open Source Security Testing Methodology
  30th, March, 2006
Truth is made of numbers. Following this golden rule, Federico
Biancuzzi interviewed Pete Herzog, founder of ISECOM and creator of
the OSSTMM, to talk about the upcoming revision 3.0 of the Open
Source Security Testing Methodology Manual. He discusses why we need
a testing methodology, why use open source, the value of
certifications, and plans for a new vulnerability scanner developed
with a different approach than Nessus.
http://www.linuxsecurity.com/content/view/122165
* Lundquist's Guide To Not Getting Fired for Losing Your Laptop
  2nd, April, 2006
How often do we have to read about someone losing a laptop with a
bunch of client data? I've included some links to recent stories:
Stolen Fidelity Laptop Exposes HP Workers and Lost Fidelity Laptop
Stirs Fear of ID Theft. Stop and think for a second. You are a
high-powered road warrior jetting around the world making lots of
complex but incredibly lucrative financial deals. You lose your
laptop with all that important information. You have to call your
boss back at the home office. Your next job involves asking customers
if they want the large or the super-jumbo  Slurpee.
http://www.linuxsecurity.com/content/view/122184
* Roll Your Own Firewall
  27th, March, 2006
Over the years I have learned how to roll my own firewall script and
call it from /etc directory. Of course, my firewall is only INPUT
based, instead of INPUT and OUTPUT based, but I find that building an
INPUT/OUTPUT based firewall is tremendously difficult and not really
all that necessary if you use good download practices on your Linux
server or PC and/or if you're already behind a NAT router (such as a
home-based DSL or cable router or wireless router) or other firewall.
http://www.linuxsecurity.com/content/view/122120
* Domain Registrar Joker Hit by DDoS
  27th, March, 2006
Domain registrar Joker.com says its nameservers are under attack,
causing outages for customers. More than 550,000 domains are
registered with Joker, which is based in Germany. Any of those
domains that use Joker's DNS servers are likely to be affected.
"Joker.com currently experiences massive distributed denial of
service attacks against nameservers," the registrar says in an
advisory on its home page. "This affects DNS resolution of Joker.com
itself, and also domains which make use of Joker.com nameservers. We
are very sorry for this issue, but we are working hard for a
permanent solution."
http://www.linuxsecurity.com/content/view/122108
* Detecting Botnets Using a Low Interaction Honeypot
  26th, March, 2006
This paper describes a simple honeypot using PHP and emulating
several vulnerabilities in Mambo and Awstats. We show the mechanism
used to 'compromise' the server and to download further malware. This
honeypot is 'fail-safe' in that when left unattended, the default
action is to do nothing -- though if the operator is present,
exploitation attempts can be investigated. IP addresses and other
details have been obfuscated in this version.
http://www.linuxsecurity.com/content/view/122088
* The e-Crime Congress 2006. March 30 & 31 2006
  27th, March, 2006
The e-Crime Congress 2006 will seek to challenge conventional
attitudes on e-Crime and examine how business, government and law
enforcement can continue to work together in order to tackle a threat
that undermines public confidence in the Internet as a viable and
secure commercial medium for the future.
http://www.linuxsecurity.com/content/view/122112
* The Pathogenesis of Dark Traffic Attacks
  29th, March, 2006
As well as straightforward spam, dark traffic comprises directory
harvest attacks, email Denial of Service attacks, malformed SMTP
packets, invalid recipient addresses, and other requests and
communications unrelated to the delivery of valid email messages.
http://www.linuxsecurity.com/content/view/122139
* Amanda 2.5 - A major new release of the Open Source Backup Software
  27th, March, 2006
Amanda is the world's most popular open source backup and recovery
software. Amanda allows system administrators to set up a single
server to back up multiple hosts to a tape- or disk-based storage
system over the network. It uses native dump and/or GNU tar
facilities and can back up a large number of workstations or servers
running various versions of Linux, Unix, Mac OS-X or Microsoft
Windows operating systems. On March 23rd, 2006, the Amanda team
released a major version (2.5) of the software.  Overall the focus of
the release is on security of the backup process & backed up data,
scalability of the backup process and ease of installation &
configuration of Amanda.
http://www.linuxsecurity.com/content/view/122111
* Users of SELinux Now Have A Choice On Security
  27th, March, 2006
The release of a new open-source security package has sparked debate
over how many Mandatory Access Control applications Linux really
needs, and if more than one would just dilute volunteer efforts.
Novell Inc. of Provo, Utah, recently released the source code for its
recently acquired Linux security application, AppArmor. It also set
up a project site in hopes of attracting outside developers to
further refine the program.
http://www.linuxsecurity.com/content/view/122125
* Linux Supporters Fiddle While OpenSSH Burns
  30th, March, 2006
Once again, the OpenBSD project is asking for donations to keep its
operations in motion. It doesn't ask for much -- U.S. $100,000 (small
potatoes in the operating system development industry) -- yet it
provides so much to the software world. Even if you don't use
OpenBSD, you're likely to be benefiting from it unknowingly. If
you're using Solaris, SCO UnixWare, OS X, SUSE Linux, or Red Hat
Enterprise Linux, chances are you're using the OpenBSD-developed
OpenSSH for secure shell access to remote machines. If so many are
using this software, why are so few paying for it? Official responses
(and non-responses) from Sun Microsystems, IBM, Novell, and Red Hat
are below, but if you're one of the freeloaders who hasn't
contributed to OpenBSD or OpenSSH, what's your excuse?
http://www.linuxsecurity.com/content/view/122166
* Computer Forensics Tool Testing (CFTT) Project
  27th, March, 2006
There is a critical need in the law enforcement community to ensure
the reliability of computer forensic tools. A capability is required
to ensure that forensic software tools consistently produce accurate
and objective test results. The goal of the Computer Forensic Tool
Testing (CFTT) project at the National Institute of Standards and
Technology (NIST) is to establish a methodology for testing computer
forensic software tools by development of general tool
specifications, test procedures, test criteria, test sets, and test
hardware.
http://www.linuxsecurity.com/content/view/122109
* Version 0.7 of the OSSEC HIDS is now available
  29th, March, 2006
OSSEC HIDS is an open source host-based intrusion
detection system. It performs log analysis, integrity
checking, rootkit detection, time-based alerting and
active response.
This is one of the most improved versions so far. It
now includes support for squid, pure-ftpd, postfix and
AIX ipsec logs (in addition to a lot of improvements
to the previous rules).
http://www.linuxsecurity.com/content/view/122138
* Secure Coding
  27th, March, 2006
The primary cause of commonly exploited software vulnerabilities is
software defects that could have been avoided. Through our analysis
of thousands of vulnerability reports, the CERT/CC has observed that
most of them stemmed from a relatively small number of root causes.
If we can identify the root causes of vulnerabilities and develop
secure coding practices for illustration, software producers may be
able to take practical steps to prevent introduction of
vulnerabilities into deployed software systems.
http://www.linuxsecurity.com/content/view/122110
* Exegesis of Virtual Hosts Hacking
  28th, March, 2006
There is a lot that we can say about finding virtual hosts from a
given IP address. Sometimes this task is straightforward, other times
a bit of thinking is required. However, in general it is not a
mission impossible.
During the last few years, domain name databases have emerged like
mushrooms after a rainy day. This has certainly increased the
awareness among security professionals about the possibility of using
virtual hosts as backdoors when testing the security of a given
organization. In reality, a good attacker will try to break into your
organization by knocking on the not-so-obvious doors.
http://www.linuxsecurity.com/content/view/122128
* Ensure data doesn't leave with your staff
  28th, March, 2006
With average employee turnover in the UK stable at about 15%, the
security implications of staff departures should not be overlooked.
While most departing employees are honourable, there is,
unfortunately, a sizeable minority who will copy databases, customer
requirements, tender documents or, in some cases, copy and remove
proprietary code.
http://www.linuxsecurity.com/content/view/122130
* Secure Your Applications From The Start
  28th, March, 2006
Information security in financial services is one of the highest
priorities for C-level executives. CEOs don't want the bad press and
liabilities associated with a security breach, and CIOs know that
their phones will be the first to ring if data is compromised. Adding
to the urgency of the issue, the number of reported security
vulnerabilities and the cost per incident continue to rise, according
to the 2005 Computer Security Institute/FBI Computer Crime and
Security Survey.  But most IT shops don't properly test applications
for security flaws during the development life cycle, resulting in
apps riddled with vulnerabilities. Too often, security and
application development are viewed as separate disciplines. Part of
the problem is that security teams often are called in to add
security to software post-development, rather than working alongside
developers during the development process.
http://www.linuxsecurity.com/content/view/122135
* Knoppix Hacks: Scanning For Viruses
  28th, March, 2006
Ridding a network of Windows computers of a virus or worm can seem
impossible. Viruses may cause computers to reboot and infect new
machines while you are in the process of removing them. Through the
use of the live-software installer, Knoppix provides a solution to
this catch-22.
http://www.linuxsecurity.com/content/view/122137
* Looking For Love In All The Wrong Places
  29th, March, 2006
Despite all the dire warnings about legal liabilities and security
risks, a new study indicates one in five workers uses his or her
company's Web access for personal use. Among the industries reporting
the highest abuse is the male-dominated manufacturing field, where
nearly 13% of users try accessing forbidden pornography, dating and
gambling sites. Its workforce also tended to chat longest with
friends while at work.
http://www.linuxsecurity.com/content/view/122160
* Security isn't always perfect, but it doesn't necessarily have to be
  30th, March, 2006
A big part of being a security professional, or for that matter an
informed citizen, is examining a proposed security control and
identifying weaknesses or ways it could potentially be bypassed. But
there's a logic error frequently committed here, and that's
assuming that because a control has some weakness, that it's
useless. This is due to a poor understanding of what the goal of the
exercise is and a poor understanding of what security is really
about.
http://www.linuxsecurity.com/content/view/122163
* The Top 10 Information Security Myths
  30th, March, 2006
When it comes to information security, there's a lot of popular
wisdom available, but much of it is unfounded and won't necessarily
improve your organization's security. Only by cutting through the
hype to separate reality from myth can IT professionals help take
their enterprises to the next level. Here are 10 network security
myths that bear further examination.
http://www.linuxsecurity.com/content/view/122164
* E-mail Security: Detecting Spam (II)
  30th, March, 2006
As spam filters get more advanced, less spam is allowed to enter into
user's inbox so the business model of spammers gets hurt. Instead
of thinking that people don't really like to receive spam and they
would prefer less intrusive ways to get publicity, they try to
work around these filters in, sometimes, really clever ways. So, spam
filters have to be continually modified and adapted to not fall into
these new tricks.
http://www.linuxsecurity.com/content/view/122167
* Why Phishing Attacks Work
  30th, March, 2006
When asked if a phishing site was legit or a spoof, 23% of users use
only the content of the website to make the decision! The majority of
users ignore the address and SSL indicators in the browser. Some
users think that favicons and lock icons in HTML are more important
indicators. The paper hints that the proposed IE7 security indicators
and multi-colored address bar will also suffer a similar fate. This
study is brought to you by the people who developed the security
skins Firefox extension.
http://www.linuxsecurity.com/content/view/122169
* RSA Looks To Drown Phishers In Data Flood
  1st, April, 2006
A novel tactic to defeat phishers is being employed by Cyota staff:
flooding phishing sites with fake bank details to make the real
information harder to find. RSA's Cyota division is helping fight
phishing attacks by giving the online fraudsters what they want --
lots of user names, passwords, online banking credentials and credit
card numbers.
http://www.linuxsecurity.com/content/view/122183
* CYBEREYE: Security: Lots Of Lessons, Nothing Learned
  28th, March, 2006
The issues of personal data security and identity theft broke into
the national consciousness a year ago, when Choice-Point reported
that thieves had established accounts with the data broker to obtain
sensitive information on 145,000 people.  Outrage was immediate, but
the problem has persisted. Despite congressional hearings, a plethora
of federal bills and the passage of laws in at least 22 states, data
on more than 53 million people was stolen, lost or exposed in 121
more incidents over the next year, according to the Privacy Rights
Clearinghouse. By far the largest exposure was at payment processor
CardSystems Solutions Inc., which effectively was put out of business
after data on 40 million people was hacked.
http://www.linuxsecurity.com/content/view/122134
* GAO: Security Accreditation Program a Tough Sell
  31st, March, 2006
The federal government's program for testing and accrediting the
security of commercial technology has not been proven a success,
according to a report by the Government Accountability Office. The
National Information Assurance Partnership (NIAP), which is sponsored
by the National Security Agency and the National Institute of
Standards and Technology, was created to make it easier for agencies
to find products that meet basic industry standards for security.
http://www.linuxsecurity.com/content/view/122181
* Consumer Data Security Bill Passes Out of House Committee
  31st, March, 2006
A House committee this week unanimously approved a data security law
that would establish federal standards for protecting personal
information and would supersede state laws.  The Data Accountability
and Trust Act, (HR 4127), is one of a spate of bills introduced last
year in the wake of publicity about the theft or loss of data that
could lead to identity theft. The incidents came to light as a result
of state laws requiring consumer notification of security breaches
and spurred a consumer demand for tighter regulation.
http://www.linuxsecurity.com/content/view/122182
* Industrial espionage worm authors jailed
  28th, March, 2006
A married couple accused of using computer worms to conduct
industrial espionage has received jail terms of four and two years
after pleading guilty in an Israeli court.
http://www.linuxsecurity.com/content/view/122129
* Registrar Joker.com Suffers Attack
  28th, March, 2006
Domain-name registrar Joker.com acknowledged this weekend that
distributed denial-of-service attacks had caused numerous problems
for customers that use its domain-name service (DNS) servers to
advertise the Internet addresses of their domains.
http://www.linuxsecurity.com/content/view/122132
* Two DNS Servers Hit By denial-of-service Attacks
  29th, March, 2006
In the second attack of its kind in the past few days, Domain Name
System (DNS) servers at Network Solutions Inc. were hit by a
denial-of-service attack this afternoon, resulting in a brief
performance degradation for customers, according to the company.  The
attacks, which started at around 2:20 p.m. EST, were targeted at the
company's WorldNIC name servers and resulted in a service
degradation for about 25 minutes before the server was restored to
normal, a spokeswoman for the company said.
http://www.linuxsecurity.com/content/view/122142
* Hackers Serve Rootkits with Bagles
  31st, March, 2006
Malicious hackers have fitted rootkit features into the newest
mutants of the Bagle worm, adding a stealthy new danger to an already
virulent threat. According to virus hunters at F-Secure, of Helsinki,
Finland, the latest Bagle.GE variant loads a kernel-mode driver to
hide the processes and registry keys of itself and other
Bagle-related malware from security scanners.
http://www.linuxsecurity.com/content/view/122179
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
     To unsubscribe email newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------