+---------------------------------------------------------------------+
|  LinuxSecurity.com                          Weekly Newsletter       |
|  March 27th, 2006                           Volume 7, Number 13n    |
|                                                                     |
|  Editorial Team:  Dave Wreski            [EMAIL PROTECTED]          |
|                   Benjamin D. Thomas     [EMAIL PROTECTED]          |
+---------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week perhaps the most interesting articles include "Encrypt filesystems with EncFS and Loop-AES," "Revealing the myths about network security," and "Enterprise Security Threats Increasingly Come from Within."

---

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.

http://www.engardelinux.org/modules/index/register.cgi

---

EnGarde Secure Community 3.0.5 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.5 (Version 3.0, Release 5). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.

http://www.linuxsecurity.com/content/view/121879/65/

---

pgp Key Signing Observations: Overlooked Social and Technical Considerations
By: Atom Smasher

While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking.
It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to the actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.

http://www.linuxsecurity.com/content/view/121645/49/

---

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Multiple Live CDs In One DVD
  24th, March, 2006

  Live CDs do a great job of advertising Linux distributions. In addition to general-purpose live CD distributions, there are lots of task-oriented live CDs. Wouldn't it be great if you could carry multiple live CDs on one DVD disc? Nautopia.net has put up a script that you can use to make a custom DVD to boot multiple live CDs.

  http://www.linuxsecurity.com/content/view/122084

* Tunnels in Hash Functions - MD5 Collisions Within a Minute
  20th, March, 2006

  In this paper we introduce a new idea of tunneling of hash functions. In some sense tunnels replace multi-message modification methods and exponentially accelerate collision search. We describe how to find MD5 collisions in one minute on a standard notebook PC (Intel Pentium 1.6 GHz). The method works for any initializing value.
  Tunneling is a general idea, which can be used for finding collisions of other hash functions, such as SHA-1.

  http://www.linuxsecurity.com/content/view/121996

* Encrypt filesystems with EncFS and Loop-AES
  21st, March, 2006

  Encrypted filesystems may be overkill for family photos or your resume, but they make sense for network-accessible servers that hold sensitive business documents, databases that contain credit-card information, offline backups, and laptops. EncFS and Loop-AES, which are both released under the GNU General Public License (GPL), are two approaches to encrypting Linux filesystems. I'll compare the two and then look at other alternatives.

  http://www.linuxsecurity.com/content/view/122011

* Linux Dictionary
  19th, March, 2006

  (SWP) Sun Wah-PearL Linux Training and Development Centre has an ambitious aim to promote the use of Linux and related Open Source Software (OSS) and Standards. The vendor-independent positioning of SWP has been well received by the market. Over the last couple of years, SWP has become the leading OSS training and service provider in Hong Kong, and in fact we are leading the market direction in some ways.

  http://www.linuxsecurity.com/content/view/121977

* Useful Firefox Security Extensions
  21st, March, 2006

  Mozilla's Firefox browser claims to provide a safer browsing experience out of the box, but some of the best security features of Firefox are only available as extensions. Here's a roundup of some of the more useful ones I've found.

  http://www.linuxsecurity.com/content/view/122009

* Digital Forensics Wiki
  22nd, March, 2006

  This is the Forensics Wiki, devoted to information about digital forensics. We are just getting started, but still encourage you to browse the site and contribute whatever information you have available.
  http://www.linuxsecurity.com/content/view/122039

* Security Protocols: Google's FrSIRT Cache
  23rd, March, 2006

  As we previously reported, FrSIRT has decided that they want to start selling other security researchers' exploits. Thanks to Layne, here is a list of 626 exploits from Google cache which were published on the FrSIRT website. FrSIRT also always seemed to fail to give proper credit to the researchers who would submit code and/or advisories.

  http://www.linuxsecurity.com/content/view/122068

* International Body Adopts Network Security Standard
  25th, March, 2006

  The International Organization for Standardization (ISO) approved last month a comprehensive model that identifies critical requirements to ensure end-to-end network security. Specifically, the global standards group formally adopted ISO/IEC 18028-2, which defines a standard security architecture and provides a systematic approach to support the planning, design and implementation of information technology networks.

  http://www.linuxsecurity.com/content/view/122087

* The Effective Response To Computer Crime
  23rd, March, 2006

  The attraction of computer-based crime is obvious. Twenty years ago corporate spies would find it difficult to steal the entire contents of a filing cabinet, but today they can take far more by slipping a disc into their pocket or e-mailing data to an online electronic swag bag.

  http://www.linuxsecurity.com/content/view/122067

* Useful Firefox Security Extensions
  18th, March, 2006

  Mozilla's Firefox browser claims to provide a safer browsing experience out of the box, but some of the best security features of Firefox are only available as extensions. Here's a roundup of some of the more useful ones I've found.

  http://www.linuxsecurity.com/content/view/121975

* Old Physical Security Threats Still Working
  20th, March, 2006

  In "The Complete Windows Trojans Paper" that I released back in 2003 (you can also update yourself with some recent malware trends!)
  I briefly mentioned the following possibility as far as physical security and malware were concerned:

  http://www.linuxsecurity.com/content/view/122000

* Revealing the myths about network security
  20th, March, 2006

  Many people and businesses unknowingly leave their private information readily available to hackers because they subscribe to some common myths about computer and network security. But knowing the facts will help you keep your systems secure. Here are some answers to these myths.

  http://www.linuxsecurity.com/content/view/121980

* Countering Cyber Terrorism
  20th, March, 2006

  Still using that tired and worn out password to log onto your PC? Is your mother's maiden name still the main prompt you use to log on and check your credit card statement? Worried that the PIN you use to access your online banking is the same PIN you've given the children to access the Sky Digibox? You should be. The fact is that as individuals, we are not doing enough to guarantee user authentication. And if you think that's bad, the situation in organisations is even worse.

  http://www.linuxsecurity.com/content/view/121978

* Advances In Fingerprinting Could Bolster Network Security
  23rd, March, 2006

  New technology for matching fingerprints for security purposes is proving about as reliable as, but much more efficient than, traditional techniques, according to a new study by the National Institute of Standards and Technology. NIST studied the use of "minutiae templates," which are mathematical representations of full-blown fingerprint images that are seen as being much easier for vendors of biometric security systems to exchange with each other. The study involved use of a new standard for minutiae data that makes data exchange simpler than when proprietary techniques for converting fingerprint images to minutiae data are used.
  http://www.linuxsecurity.com/content/view/122069

* Digging Security Tunnels With Spoons
  24th, March, 2006

  One of the biggest complaints I hear about security is the associated operational overhead. IT personnel are constantly adjusting multiple technologies in an effort to provide access to the good guys while locking out the bad guys. If you want to see a metric of this behavior in action, look no further than your network Access Control List (ACL) rules.

  http://www.linuxsecurity.com/content/view/122083

* HLBR - Hogwash Light BR
  20th, March, 2006

  HLBR is a Brazilian project, started in November 2005, as a fork of the Hogwash project (started by Jason Larsen in 1996). The project is aimed at computer network security. HLBR is an IPS (Intrusion Prevention System) that can filter packets directly at layer 2 of the OSI model (so the machine doesn't even need an IP address).

  http://www.linuxsecurity.com/content/view/121995

* Detecting Botnets Using a Low Interaction Honeypot
  23rd, March, 2006

  This paper describes a simple honeypot using PHP and emulating several vulnerabilities in Mambo and Awstats. We show the mechanism used to 'compromise' the server and to download further malware. This honeypot is 'fail-safe' in that when left unattended, the default action is to do nothing, though if the operator is present, exploitation attempts can be investigated. IP addresses and other details have been obfuscated in this version.

  http://www.linuxsecurity.com/content/view/122064

* SOURCEFIRE AND CHECK POINT ANNOUNCE MUTUAL WITHDRAWAL FROM THE CFIUS PROCESS
  24th, March, 2006

  Sourcefire, Inc., the world leader in intrusion prevention, today announced that, with the consent of the US government, Sourcefire and Check Point Software Technologies have opted to withdraw their merger filing with the Committee on Foreign Investment in the United States (CFIUS).
  Sourcefire will continue to operate as the industry's largest private Intrusion Prevention System (IPS) vendor.

  http://www.linuxsecurity.com/content/view/122082

* Detecting Botnets Using a Low Interaction Honeypot
  26th, March, 2006

  This paper describes a simple honeypot using PHP and emulating several vulnerabilities in Mambo and Awstats. We show the mechanism used to 'compromise' the server and to download further malware. This honeypot is 'fail-safe' in that when left unattended, the default action is to do nothing, though if the operator is present, exploitation attempts can be investigated. IP addresses and other details have been obfuscated in this version.

  http://www.linuxsecurity.com/content/view/122088

* OS X Sudo vs. Root: The Real Story
  22nd, March, 2006

  What are you really gaining by using sudo in the default Mac OS X configuration? First, you gain some comfort that nobody can log in as root, either locally or remotely via SSH or FTP, and tamper with your machine. Second, you get a log entry in /var/log/system.log every time sudo is used, showing you who used it and what command was executed. These appear good enough reasons to endure the slight inconvenience of using sudo.

  http://www.linuxsecurity.com/content/view/122033

* Many Data Centers Still Have No Risk Management Plan
  22nd, March, 2006

  Business technology managers are facing tough challenges as data centers grow larger and more complex. More than 75% of all companies have experienced a business disruption in the past five years, including 20% who say the disruption had a serious impact on the business, according to a recent survey of data center managers. Despite the critical nature of data center operations to business, nearly 17% reported they have no risk management plan, and less than 5% have plans that address viruses and security breaches.

  http://www.linuxsecurity.com/content/view/122038

* Is Your DR Plan Vulnerable to an Attack?
  24th, March, 2006

  Sorry, I have to do this. I have to rant.
  Here's what I have to get off my chest. News item: "DHS Scores F on Cybersecurity Report Card." Last week, a congressional oversight committee gave the U.S. Department of Homeland Security a failing grade on its annual cybersecurity report card. Congress says that when it comes to protecting the country's data infrastructure -- an entity that in itself has become critical to the continued functioning of the U.S. economy -- the DHS is a D-U-N-C-E. Appalling.

  http://www.linuxsecurity.com/content/view/122086

* Finding Security's Next 'American Idol'
  21st, March, 2006

  It's like an "American Idol" for security geeks. Students at the Georgia Institute of Technology prep, sweat and show their stuff while a panel of critics decides their fates. But unlike the popular "reality" TV show, judges aren't determining who can best carry a tune. Instead they weigh students' ideas for making information security more user-friendly, with $50,000 -- enough cash to fund a project for 12 months -- hanging in the balance.

  http://www.linuxsecurity.com/content/view/122026

* Bringing Botnets Out of the Shadows
  22nd, March, 2006

  Nicholas Albright's first foray into some of the darkest alleys of the Internet came in November 2004, shortly after his father committed suicide. About a month following his father's death, Albright discovered that online criminals had broken into his dad's personal computer and programmed it to serve as part of a worldwide, distributed network for storing pirated software and movies.

  http://www.linuxsecurity.com/content/view/122040

* Social engineering reloaded
  22nd, March, 2006

  The purpose of this article is to go beyond the basics and explore how social engineering, employed as technology, has evolved over the past few years. A case study of a typical Fortune 1000 company will be discussed, putting emphasis on the importance of education about social engineering for every corporate security program.
  http://www.linuxsecurity.com/content/view/122032

* Forgotten password clues create hacker risk
  23rd, March, 2006

  Security flaws in the "forgotten password" feature of ecommerce websites leave half the UK's online retailers open to attack, according to security consultancy SecureTest. It warns that the log-in process of many transactional websites can be subverted by a "brute force" or enumeration attack. In a survey of 107 popular online retail websites in the UK, SecureTest found that 54 of the sites (or 50.5 per cent) are potentially vulnerable to this type of hack attack.

  http://www.linuxsecurity.com/content/view/122061

* Opinion: What a year it's been for e-crime
  23rd, March, 2006

  Looking back at the past year, it seems the security threats to businesses are only becoming more pervasive and more costly, says Simon Moores. In two weeks' time, leaders of the global law-enforcement, finance and online business communities will assemble in London for the annual e-Crime Congress. In the 12 months since they were here last, we've seen the financial services industry under almost constant Trojan horse attack, denial of service attacks increase by 50 per cent and phishing and identity theft attempts approach eight million per day, according to security company Symantec.

  http://www.linuxsecurity.com/content/view/122063

* Security Czar
  23rd, March, 2006

  In this column Scott Granneman takes the role of dictator of the security world and presents his ideas about mandatory reforms that would improve security for millions of people.

  http://www.linuxsecurity.com/content/view/122066

* Enterprise Security Threats Increasingly Come from Within
  24th, March, 2006

  While protecting corporate networks from outside intrusion remains a huge challenge for enterprise IT professionals, some experts contend that efforts to better police internal behavior and manage security policies have become every bit as important.
  Enterprises searching for the answers to their security problems should increasingly take a closer look at their internal operations before blaming outside threats, according to experts participating in an online IT security conference.

  http://www.linuxsecurity.com/content/view/122076

* IT Confidential: Choose Your Intrusion: Who's Your Friend?
  20th, March, 2006

  I'm as big a fan of government intrusion as the next person, but things may have gotten a little out of hand lately. Take last week's legal contretemps between the Justice Department and Google. Forget for a minute that Google really faces no downside by refusing the government's request to turn over search data. Even if Google loses the case and has to turn over some (truncated) amount of (very general) information about a (random) selection of searches, it still wins in the court of public opinion as a defender of personal privacy. As my colleague Chris Murphy put it, Google should take the court costs out of its marketing budget.

  http://www.linuxsecurity.com/content/view/121984

* The Future of Privacy = Don't Over-empower The Watchers
  20th, March, 2006

  I blog a lot about privacy, anonymity and censorship, mainly because I feel not just concerned, but obliged to build awareness of the big picture the way I see it. Moreover, I find these interrelated, and excluding any of them would result in missing the big picture, at least from my point of view.

  http://www.linuxsecurity.com/content/view/121999

* Security: A Continuing Federal Challenge
  21st, March, 2006

  The latest FISMA scorecards are out, with the grades for different agencies' efforts in the computer security arena. Amazingly, the overall grade--for all 24 major agencies in the federal government--has moved not a notch. Last year's D+ remains intact.
  For those who may be new to FISMA Fun, it works more or less like this: the General Accounting Office (GAO) and the Office of Management and Budget (OMB) ask each major agency's Inspector General (IG) to submit an independent report about computer security based on numerous guidelines and scoring criteria.

  http://www.linuxsecurity.com/content/view/122028

* US turns to tech to shore up its ports
  23rd, March, 2006

  Airport screeners are using new technology to find explosives instead of hunting for tweezers, Department of Homeland Security secretary Michael Chertoff said on Friday.

  http://www.linuxsecurity.com/content/view/122062

* Trojan Cryzip Extorts Decryption Fee
  18th, March, 2006

  A Trojan making the rounds encrypts victims' files and demands a $300 payment to have them decrypted and unlocked, according to a report by security firm Lurhq Threat Intelligence Group. This so-called "ransomware" Trojan, dubbed Cryzip, is the second of its type to emerge in the past 10 months, following the PGPcoder Trojan. It also is the third such Trojan to appear since 1989.

  http://www.linuxsecurity.com/content/view/121976

* The effective response to computer crime
  21st, March, 2006

  The attraction of computer-based crime is obvious. Twenty years ago corporate spies would find it difficult to steal the entire contents of a filing cabinet, but today they can take far more by slipping a disc into their pocket or e-mailing data to an online electronic swag bag. It is much easier to steal, leak, manipulate or destroy electronic data. But just as in the physical world, cyber-criminals leave their electronic fingerprints all over a digital crime scene.
  http://www.linuxsecurity.com/content/view/122010

* Getting Paid For Getting Hacked
  21st, March, 2006

  In the middle of February, Time Magazine ran a great article on Cyberinsurance or "Shock Absorbers", and I feel this future trend deserves a couple of comments. From the article: "As companies grow more dependent on the Internet to conduct business, they have been driving the growing demand for cyber insurance. Written premiums have climbed from $100 million in 2003 to $200 million in 2005, according to Aon Financial Services Group."

  http://www.linuxsecurity.com/content/view/122019

* Lost Ernst & Young laptop exposes IBM staff
  22nd, March, 2006

  Ernst & Young has lost another laptop containing the social security numbers and other personal information of its clients' employees. This time, the incident puts thousands of IBM workers at risk.

  http://www.linuxsecurity.com/content/view/122034

* The effective response to computer crime
  24th, March, 2006

  The attraction of computer-based crime is obvious. Twenty years ago corporate spies would find it difficult to steal the entire contents of a filing cabinet, but today they can take far more by slipping a disc into their pocket or e-mailing data to an online electronic swag bag.

  http://www.linuxsecurity.com/content/view/122075

* Are You Liable If Someone Does Something Illegal On Your WiFi?
  21st, March, 2006

  For years, whenever the press has written one of their fear-mongering stories about open WiFi, they almost always include some tidbit about how if someone uses your network to do something illegal, you can be arrested for it. It's one of the popular open WiFi horror stories -- but is it true? Well, of course, you can be arrested, but it's unlikely that there would be any legal grounds for the arrest.

  http://www.linuxsecurity.com/content/view/122027

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.
LinuxSecurity.com

To unsubscribe email [EMAIL PROTECTED] with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

_________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org