[ISN] GAO: IRS security is weak
http://www.fcw.com/article92737-03-24-06-Web
By Matthew Weigelt
Mar. 24, 2006

Taxpayers' financial and personal information remains at risk because the Internal Revenue Service has not yet strengthened its information security measures, according to a new Government Accountability Office report.

The IRS fixed 41 of the 81 faults GAO discovered last year, the report states. Nevertheless, GAO identified new information security control weaknesses that threaten the confidentiality, integrity and availability of IRS' financial information systems and the information they process, according to the report, which was released today.

The IRS has not established effective electronic access controls related to network management, user accounts, file permissions and logging and monitoring of security-related events, the report states. The agency has also failed to install other controls to secure computers physically.

Collectively, these weaknesses increase the risk that sensitive financial and taxpayer data will be inadequately protected against disclosure, modification or loss, possibly without detection, and place IRS operations at risk of disruption, the report states.

GAO recommends that the IRS align policies related to password age and configuration settings with federal guidelines, review system security plans, give specialized training to contractors, and update emergency action plans. For emergency plans, the report suggests training non-IRS staff members to restore operations and updating disaster recovery plans. It also recommends installing UNIX-based hardware and equipment for processing applications and data at the IRS' disaster recovery hot site, an alternative processing place to use in an emergency. Until the agency acts on these recommendations, it is at risk of not being able to appropriately recover in a timely manner, the report states.

IRS Commissioner Mark Everson expressed agreement with GAO's assessment in a Feb. 27 letter to GAO's director of information technology, Gregory Wilshusen. "Because the IRS' solution extends beyond the specific findings and addresses the root cause of the weaknesses at an enterprisewide level, a majority of the weaknesses remain open," Everson wrote. "However, as a result of this agencywide approach and other initiatives we have under way, the IRS now has stronger controls to protect taxpayer data." He said IRS officials share the responsibility for IT security.

_
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org
[ISN] Terrorist 007, Exposed
Forwarded from: William Knowles [EMAIL PROTECTED]

http://www.washingtonpost.com/wp-dyn/content/article/2006/03/25/AR2006032500020.html
By Rita Katz and Michael Kern
March 26, 2006

For almost two years, intelligence services around the world tried to uncover the identity of an Internet hacker who had become a key conduit for al-Qaeda. The savvy, English-speaking, presumably young webmaster taunted his pursuers, calling himself Irhabi -- Terrorist -- 007. He hacked into American university computers, propagandized for the Iraq insurgents led by Abu Musab al-Zarqawi and taught other online jihadists how to wield their computers for the cause.

Suddenly last fall, Irhabi 007 disappeared from the message boards. The postings ended after Scotland Yard arrested a 22-year-old West Londoner, Younis Tsouli, suspected of participating in an alleged bomb plot. In November, British authorities brought a range of charges against him related to that plot. Only later, according to our sources familiar with the British probe, was Tsouli's other suspected identity revealed. British investigators eventually confirmed to us that they believe he is Irhabi 007.

The unwitting end of the hunt comes at a time when al-Qaeda sympathizers like Irhabi 007 are making explosive new use of the Internet. Countless Web sites and password-protected forums -- most of which have sprung up in the last several years -- now cater to would-be jihadists like Irhabi 007. The terrorists who congregate in those cybercommunities are rapidly becoming skilled in hacking, programming, executing online attacks and mastering digital and media design -- and Irhabi was a master of all those arts.

But the manner of his arrest demonstrates how challenging it is to combat such online activities and to prevent others from following Irhabi's example: After pursuing an investigation into a European terrorism suspect, British investigators raided Tsouli's house, where they found stolen credit card information, according to an American source familiar with the probe. Looking further, they found that the cards were used to pay American Internet providers on whose servers he had posted jihadi propaganda. Only then did investigators come to believe that they had netted the infamous hacker.

And that element of luck is a problem. The Internet has presented investigators with an extraordinary challenge. But our future security is going to depend increasingly on identifying and catching the shadowy figures who exist primarily in the elusive online world.

The short career of Irhabi 007 offers a case study in the evolving nature of the threat that we at the SITE Institute track every day by monitoring and then joining the password-protected forums and communicating with the online jihadi community. Celebrated for his computer expertise, Irhabi 007 had propelled the jihadists into a 21st-century offensive through his ability to covertly and securely disseminate manuals of weaponry, videos of insurgent feats such as beheadings and other inflammatory material. It is by analyzing the trail of information left by such postings that we are able to distinguish the patterns of communication used by individual terrorists.

Irhabi's success stemmed from a combination of skill and timing. In early 2004, he joined the password-protected message forum known as Muntada al-Ansar al-Islami (Islam Supporters Forum) and, soon after, al-Ekhlas (Sincerity) -- two of the password-protected forums with thousands of members that al-Qaeda had been using for military instructions, propaganda and recruitment. (These two forums have since been taken down.)

This was around the time that Zarqawi began using the Internet as his primary means of disseminating propaganda for his insurgency in Iraq. Zarqawi needed computer-savvy associates, and Irhabi proved to be a standout among the volunteers, many of whom were based in Europe.

Irhabi's central role became apparent to outsiders in April of that year, when Zarqawi's group, later renamed al-Qaeda in Iraq, began releasing its communiqués through its official spokesman, Abu Maysara al-Iraqi, on the Ansar forum. In his first posting, al-Iraqi wrote in Arabic about the good news that "a group of proud and brave men" intended to strike the economic interests of "the countries of blasphemy and atheism, that came to raise the banner of the Cross in the country of the Muslims." At the time, some doubted that posting's authenticity, but Irhabi, who was the first to post a response, offered words of support. Before long, al-Iraqi answered in like fashion, establishing their relationship -- and Irhabi's central role.

Over the following year and a half, Irhabi established himself as the top jihadi expert on all things Internet-related. He became a very active member of many jihadi forums in Arabic and English. He worked on both defeating and enhancing online security, linking to multimedia and providing online seminars on the use of the Internet. He seemed
[ISN] Domain Registrar Joker Hit by DDoS
http://news.netcraft.com/archives/2006/03/26/domain_registrar_joker_hit_by_ddos.html
By Rich Miller
March 26, 2006

Domain registrar Joker.com says its nameservers are under attack, causing outages for customers. More than 550,000 domains are registered with Joker, which is based in Germany. Any of those domains that use Joker's DNS servers are likely to be affected.

"Joker.com currently experiences massive distributed denial of service attacks against nameservers," the registrar says in an advisory on its home page. "This affects DNS resolution of Joker.com itself, and also domains which make use of Joker.com nameservers. We are very sorry for this issue, but we are working hard for a permanent solution."

Nameservers, which store the records that connect domain names with specific IP addresses, are attractive targets for hackers because they control the availability of large numbers of web sites. In 2002 the Internet's root nameserver system came under attack, with the DDoS causing network congestion but only minor performance problems for the DNS system, which a subsequent analysis noted is massively overprovisioned to make it robust against attacks or network failures.

In the wake of that attack, most major registrars have robust infrastructure to defend against DDoS attacks. It's not immediately clear whether the problems at Joker.com are related to the specifics of its DDoS defenses or the sheer volume of the attack. In recent weeks some Internet security groups have warned of the dangers posed by DNS recursion attacks, which can use the nameserver system to amplify a DDoS launched by a bot network.
[ISN] Cyber security an emphasis at OCCC
http://www.okc.cc.ok.us/pioneer/Archives/March_27_2006/News8.html
By Matthew Caban
Staff Writer
March 27, 2006

The battle against cyberterrorism is being fought around the globe - and on OCCC campus.

As a part of President George W. Bush's plan to combat cyber terrorism, a National Security Agency grant was used to fund two national faculty development centers in June 2002 to train computer science instructors, said Al Heitkamper, Cyber Security Program director. One of the development centers is located at the University of Tulsa. A $3 million grant from the National Science Foundation in September 2004 helped further fund the program.

Heitkamper and another OCCC professor, Brett Weber, studied at TU as part of the program. Both received master's degrees in computer science with an emphasis in cyber security.

Weber said the cyber security field changes every month due to new threats or viruses. There are hundreds of new viruses introduced each month and security professionals fight them.

The training allowed Weber and Heitkamper to start OCCC's cyber security program last fall. Weber said, currently, there are 75 cyber security majors at OCCC. Enrollment is up and the program is growing, he said. This semester marks the first time both professors are teaching cyber security classes full time.

Weber said five classes are currently being offered in the cyber security field. The classes are principles of information security, security e-commerce, enterprise security management, network security and cyber forensics. The classes should be taken in order as they build upon each other, he said. The cyber security field includes network security and threat assessment, he said. The field is growing and constantly changing, Weber said.

Heitkamper said OCCC is part of the Computer Security Education Consortium. The CSEC also includes Tulsa Community College, Rose State College, Oklahoma State University-Okmulgee and the Oklahoma Career Tech system. Heitkamper said CSEC's goals are to train the workforce (including students), train professors and meet the needs of the industry.

Weber said OCCC's program also should alert the public about the need for security awareness. People need to be aware of what they should secure and how to do it.
[ISN] VSC laptop theft creates security concerns
http://www.timesargus.com/apps/pbcs.dll/article?AID=/20060324/NEWS/603240363/1002
By Darren M. Allen
Vermont Press Bureau
March 24, 2006

MONTPELIER - Thousands of Vermont State Colleges students, faculty and staff learned this week that a VSC laptop computer stolen from a car parked in Montreal on Feb. 28 could have given thieves access to their personal financial information, including Social Security numbers and payroll data.

And while system administrators assured the thousands of potential identity-theft victims that they had all but eliminated access to the colleges' computer network from the laptop, some faculty and staff are furious that VSC took three weeks to warn them.

"I can share with you that many, many people have come to me to express their anger," said Ernest Broadwater, an education professor at Lyndon State College and the president of the Vermont State Colleges Faculty Federation. "The union has contacted an attorney to learn what measures the VSC has taken to protect the information of our students, staff and faculty."

College administrators on Thursday insisted that the threat of stolen identities was minimal, but nonetheless urged the system's 14,000 current students, teachers and staff to be vigilant about their bank and credit card accounts. They said they fear the stolen laptop may have contained information on people associated with the five-college system from as long ago as 2000.

"Upon being notified, information technology staff took immediate steps to block network access from the laptop," said a system-wide e-mail that was distributed this week. "We have no evidence that any personal information has been accessed or used for illegal or malicious activities. However, the potential risks associated with identity theft are very serious matters."

Karrin Wilks, VSC vice president for academic and strategic planning, said she has received many calls and e-mails since the warning went out Tuesday. "Although we notified everyone just this week, we took precautions immediately," she said. "We didn't know exactly what was on the machine. We had to spend time assessing the threat, and assessing our legal/moral responsibilities."

To Broadwater, those responsibilities would include more timely notification. "I'd be interested in hearing why it wasn't sooner," he said. "It seems that they were worried about their system but not the individuals who had their identity information compromised."

The laptop was stolen from an unidentified information technology officer's car while it was parked on a Montreal street Feb. 28. The woman, whose name was not released by the VSC, put her laptop under her seat and locked the car, Wilks said. However, she left a pair of skis in the back. Thieves broke a window, and took the skis, the laptop and other items of value, she said. "Her vacation was ruined," Wilks said. The woman immediately contacted the VSC and also filed a report with the Montreal police.

The potential breach of thousands of people's private information was the second one for the state colleges in less than a year. In October, a former Vermont Technical College student discovered that his Social Security number was posted on the Internet. As it turned out, the college had mistakenly posted every student's Social Security number on the Web.

"We have taken swift steps to secure the information and to remove the data from the Vermont Tech server and from other sources," then-VTC President Allan Rodgers said in an e-mail to students and to alumni. According to an Associated Press report, he ordered more training on computer security.

Identity theft is a growing problem in the United States, and several states have begun passing laws to deal with it. Last year, Vermont consumers were given the ability to freeze their credit reports if they suspect that they are victims of identity theft. In California, lawmakers passed a credit report freeze and another measure that compels companies or organizations that lose sensitive information to immediately notify potential victims. And Congress is grappling with national legislation that would also compel quicker disclosure.

Wilks said she understood people's frustration. "People do need to be more vigilant," she said. "People need to monitor their own debit and credit accounts for unusual activity."
[ISN] Linux Advisory Watch - March 24th 2006
LinuxSecurity.com Weekly Newsletter
March 24th, 2006 Volume 7, Number 13n
Editorial Team: Dave Wreski [EMAIL PROTECTED]
                Benjamin D. Thomas [EMAIL PROTECTED]

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week advisories were released for xpvm, vlc, xine-lib, wzdftpd, drupal, kpdf, libmail-audit-perl, ilohamail, kernel-patch-vserver, unzip, snmptrapfmt, firebird2, sendmail, evolution, kernel, xorg, avahi, beagle, curl, php-pear, xterm, scim-anthy, tzdata, logwatch, shadow-utils, cpio, libsepol, bind, Freeciv, zoo, bypass, rshd, metamail, cube, squirrelmail, flex, gnupg, pngcrush, libcurl, cairo, flash-player, and realplayer. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, and SuSE.

---

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.

http://www.engardelinux.org/modules/index/register.cgi

---

Linux Command Reference Manual: Linux File Structure
By: Suhas Desai

In the Linux file structure files are grouped according to purpose, e.g. commands, data files, documentation. Parts of a Unix directory tree are listed below. All directories are grouped under the root entry /. That part of the directory tree is left out of the diagram below. See the FSSTND standard (Filesystem Standard).

root - The home directory for the root user
home - Contains the users' home directories along with directories for services
    ftp
    HTTP
    samba
bin - Commands needed during bootup that might be needed by normal users
sbin - Like bin but commands are not intended for normal users. Commands run by Linux.
proc - This filesystem is not on a disk. It is a virtual filesystem that exists in the kernel's imagination, which is memory.
usr - Contains all commands, libraries, man pages, games and static files for normal operation
    bin - Almost all user commands. Some commands are in /bin or /usr/local/bin.
    sbin - System admin commands not needed on the root filesystem, e.g. most server programs.
    include - Header files for the C programming language. Should be below /usr/lib for consistency.
    lib - Unchanging data files for programs and subsystems
    local - The place for locally installed software and other files.
    man - Manual pages
    info - Info documents
    doc - Documentation
    tmp
    X11R6 - The X Window System files. There is a directory similar to usr below this directory.
    X386 - Like X11R6 but for X11 release 5
boot - Files used by the bootstrap loader, LILO. Kernel images are often kept here.
lib - Shared libraries needed by the programs on the root filesystem
    modules - Loadable kernel modules, especially those needed to boot the system after disasters.
dev - Device files
etc - Configuration files specific to the machine.
    sysconfig - Files that configure the Linux system for devices.
var - Contains files that change: mail, news, printers, log files, man pages, temp files
    lib - Files that change while the system is running normally
    local - Variable data for programs installed in /usr/local.
    lock - Lock files. Used by a program to indicate it is using a particular device or file
    log - Log files from programs such as login and syslog, which logs all logins and logouts.
    run - Files that contain information about the system that is valid until the system is next booted.
    spool - Directories for mail, printer spools, news and other spooled work.
    tmp - Temporary files that are large or need to exist for longer than they should in /tmp.
mnt - Mount points for temporary mounts by the system administrator.
tmp - Temporary files. Programs running after bootup should use /var/tmp.

Read Full Paper
http://www.linuxsecurity.com/images/stories/commandref.pdf

--

EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.4 (Version 3.0, Release 4). This release includes several bug fixes and
[ISN] Inside Windows IT Security UPDATE
===

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Windows IT Security UPDATE.

Winternals
http://list.windowsitpro.com/t?ctl=24EFC:4FB69

SPI Dynamics
http://list.windowsitpro.com/t?ctl=24EEC:4FB69

===

1. What's New in the Latest Issue

April 2006 Issue
- Focus: Containing Your Wireless Network Signals
- Feature: 3 Ways to Rein in Your Wireless Signals
- Access Denied
- Toolbox: Avoid Risky Rules with Netsh

Sponsor: Winternals

Winternals Protection Manager
How will you protect your enterprise from zero-day attacks? Protection Manager blocks unknown applications from running until you specifically authorize them. No need to wait for an update--you're already protected. Plus, Protection Manager enables a secure successful least privilege network without compromising legacy applications by decoupling privilege levels of applications from users, and promotes culturally acceptable PC lockdown with real-time approval or denial of user application requests. Protection Manager forms a crucial layer of your defense-in-depth security strategy, helping enforce corporate technology policies, ensuring compliance with regulatory acts like HIPAA and Sarbanes-Oxley, and dramatically reducing the labor burden on IT. Download your 30-day evaluation copy of Protection Manager at:
http://list.windowsitpro.com/t?ctl=24EFC:4FB69

===

Windows IT Security is a monthly, paid, print newsletter loaded with news and tips to help you manage, optimize, and secure your Web-enabled enterprise. In addition to receiving the monthly print newsletter, subscribers can access all the newsletter content, including the most recent issue, at the Windows IT Security Web site.
http://list.windowsitpro.com/t?ctl=24EFB:4FB69

Subscribe today and access all the issues online!
http://list.windowsitpro.com/t?ctl=24EEF:4FB69

===

1. What's New in the Latest Issue

April 2006 Issue

Focus: Containing Your Wireless Network Signals
Who knew that adding security to your wireless APs could be as simple as adding a reflector to their antennas? Learn about this low-cost safety mechanism, get instructions for configuring SSL/TLS, and find out about a new password-cracking tool.

The following article is available at no charge to nonsubscribers for a limited time:

3 Ways to Rein in Your Wireless Signals
You can use three basic methods to limit wireless network radio signals. Here's how they work.
--Mark Joseph Edwards
http://list.windowsitpro.com/t?ctl=24EEB:4FB69

Nonsubscribers now have access to the Access Denied and Toolbox columns:

Access Denied
--Randy Franklin Smith

Locating the User Causing Failures on a Folder
Examining event ID 560 and associated event IDs 528, 540, and 592 will give you the answers you need.
http://list.windowsitpro.com/t?ctl=24EF2:4FB69

Determining Who Enabled an Account
The answer might lie in the Security event log of your Windows DC.
http://list.windowsitpro.com/t?ctl=24EF1:4FB69

Distinguishing User Account Reenablements from Creations
User account creations create a telltale pattern in the Security log of event ID 624, followed by several instances of event ID 642 interspersed with event IDs 626 and 628.
http://list.windowsitpro.com/t?ctl=24EF3:4FB69

Viewing the Security Settings on a Computer
The GPMC Group Policy Results feature lets you obtain a report of all the effective Group Policy settings (including security settings) from a system.
http://list.windowsitpro.com/t?ctl=24EF4:4FB69

The Two Generate Resultant Set of Policy Permissions
Use the Generate Resultant Set of Policy (Planning) permission and report when you're testing what-if scenarios and the Generate Resultant Set of Policy (Logging) permission and report when you need to know the actual status of a computer or user.
http://list.windowsitpro.com/t?ctl=24EF0:4FB69

Toolbox: Avoid Risky Rules With Netsh
You can use Netsh's firewall context to audit Windows Firewall configurations on users' computers.
--Jeff Fellinge
http://list.windowsitpro.com/t?ctl=24EEA:4FB69

Subscribers have access to the entire contents of the April 2006 issue. For a list of the other articles available in this issue, go to
http://list.windowsitpro.com/t?ctl=24EED:4FB69

===

Sponsor SPI Dynamics

ALERT: PENETRATION TEST your Web Applications for FREE! WebInspect is a dynamic web application assessment tool that will automatically search for over 4,700 vulnerabilities and attack methods. Learn about the top web application Attack Methods and how to combat them with WebInspect. Run a FREE Test of your Web Apps via our
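The Access Denied items above describe a Security-log pattern: an account creation shows up as event ID 624 followed by several 642s with 626 and 628 mixed in, whereas a re-enablement produces the 626 (and usually a 642) with no 624 in front of it. The following Python is an added illustration of that distinction as detection logic, not code from the newsletter or from Randy Franklin Smith's column. The tab-separated export format, the account names and the five-second grouping window are constructed assumptions; only the event IDs come from the text.

```python
"""Classify Windows Security-log account events into creations vs. re-enablements.

Added example (not from the newsletter). Event IDs 624/626/628/642 are the
pre-Vista Security-log IDs named in the column; the export format below and the
five-second grouping window are assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: "timestamp<TAB>event_id<TAB>target_account<TAB>caller"
SAMPLE_LOG = """\
2006-03-24 09:00:01\t624\tjdoe\tadmin1
2006-03-24 09:00:01\t642\tjdoe\tadmin1
2006-03-24 09:00:02\t628\tjdoe\tadmin1
2006-03-24 09:00:02\t642\tjdoe\tadmin1
2006-03-24 09:00:02\t626\tjdoe\tadmin1
2006-03-24 09:00:03\t642\tjdoe\tadmin1
2006-03-24 11:15:40\t642\tbsmith\tadmin2
2006-03-24 11:15:40\t626\tbsmith\tadmin2
2006-03-24 13:02:10\t628\tcjones\thelpdesk
"""

CREATED, CHANGED, ENABLED, PASSWORD_SET = 624, 642, 626, 628
WINDOW = timedelta(seconds=5)  # assumption: one creation burst lands within seconds


def parse_log(text):
    """Parse the tab-separated export into (timestamp, event_id, target, caller) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, target, caller = line.split("\t")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), target, caller))
    return events


def classify(events):
    """Return {target_account: (verdict, caller)}.

    creation:     a 624 for the account followed within WINDOW by a 642 (the
                  626/628 entries ride along in the same burst).
    reenablement: a 626 with no 624 for that account in the preceding WINDOW.
    other:        neither marker seen, e.g. a bare password reset (628).
    """
    by_target = defaultdict(list)
    for ev in events:
        by_target[ev[2]].append(ev)

    result = {}
    for target, evs in by_target.items():
        evs.sort()  # chronological; ties broken by event id
        created = [ev for ev in evs if ev[1] == CREATED]
        verdict, who = "other", None
        if created:
            t0, _, _, caller = created[0]
            # a 642 inside the window confirms the 624 -> 642 ... creation pattern
            if any(ev[1] == CHANGED and t0 <= ev[0] <= t0 + WINDOW for ev in evs):
                verdict, who = "creation", caller
        if verdict == "other":
            for ts, eid, _, caller in evs:
                # a 626 not preceded by a recent 624 is an existing account being re-enabled
                if eid == ENABLED and not any(ts - WINDOW <= c[0] <= ts for c in created):
                    verdict, who = "reenablement", caller
                    break
        result[target] = (verdict, who)
    return result


if __name__ == "__main__":
    for account, (verdict, who) in sorted(classify(parse_log(SAMPLE_LOG)).items()):
        print(f"{account:<8} {verdict:<13} by {who}")
```

On the constructed sample, jdoe is classified as a creation by admin1, bsmith as a re-enablement by admin2, and cjones (a lone 628) as neither. Against a real export the only thing to change is the parser, since the classification keys on the event IDs and their timing rather than on any field layout.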
[ISN] Radioactive matter gets into U.S. in test
http://www.sacbee.com/24hour/politics/story/3242550p-11996962c.html
By LIZ SIDOTI
Associated Press Writer
March 27, 2006

WASHINGTON (AP) - Undercover investigators slipped radioactive material - enough to make two small dirty bombs - across U.S. borders in Texas and Washington state in a test last year of security at American points of entry.

Radiation alarms at the unidentified sites detected the small amounts of cesium-137, a nuclear material used in industrial gauges. But U.S. customs agents permitted the investigators to enter the United States because they were tricked with counterfeit documents.

The Bush administration said Monday that within 45 days it will give U.S. Customs and Border Protection agents the tools they need to verify such documents in the future.

The Government Accountability Office's report, the subject of a Senate hearing Tuesday, said detection equipment used by U.S. customs agents to screen people, vehicles and cargo for radioactive substances appeared to work as designed. But the investigation, carried out simultaneously at both border crossings in December 2005, also identified potential security holes terrorists might be able to exploit to sneak nuclear materials into the United States.

"This operation demonstrated that the Nuclear Regulatory Commission is stuck in a pre-9/11 mind-set in a post-9/11 world and must modernize its procedures," Sen. Norm Coleman, R-Minn., said Monday in a statement.

The NRC, in charge of overseeing nuclear reactor and nuclear substance safety, challenged that notion. "Security has been of prime importance for us on the materials front and the power plant front since 9/11," commission spokesman David McIntyre said in an interview.

The head of the Homeland Security Department's Domestic Nuclear Detection Office, Vayl Oxford, said the substance could have been used in a radiological weapon with limited effects.

A Senate Homeland Security subcommittee, which Coleman leads, released details of the investigation and two GAO reports on radiation detectors and port security before hearings on the issues this week.

The GAO, the investigative arm of Congress, also found that installation of radiation detectors is taking too long and costing more money than the U.S. expected. It said the Homeland Security Department's goal of installing 3,034 detectors by September 2009 across the United States - at border crossings, seaports, airports and mail facilities - was unlikely to be met and said the government probably will spend $342 million more than it expects. Between October 2000 and October 2005, the GAO said, the government spent about $286 million installing radiation monitors inside the United States.

To test security at U.S. borders with Mexico and Canada, GAO investigators represented themselves as employees of a fake company. When stopped, they presented counterfeit shipping papers and NRC documents that allegedly permitted them to receive, acquire, possess and transfer radioactive substances.

Investigators found that customs agents weren't able to check whether a person caught with radioactive materials was permitted to possess the materials under a government-issued license. "Unless nuclear smugglers in possession of faked license documents raised suspicions in some other way, CBP officers could follow agency guidelines yet unwittingly allow them to enter the country with their illegal nuclear cargo," a report said. It described this problem as a significant gap in the nation's safety procedures.

Jayson Ahern, the assistant customs commissioner for field operations, said a system for customs agents to confirm the authenticity of government licenses will be in place within 45 days. Ahern noted the radiation detectors had sounded alarms. "We're pleased when a test like this is able to demonstrate the efficacy of our technology," Ahern said.

False radiation alarms are common - sometimes occurring more than 100 times a day - although the GAO said inspectors generally do a good job distinguishing nuisance alarms from actual ones. False alarms can be caused by ceramics, fertilizers, bananas and even patients who have recently undergone some types of medical procedures.

At one port - which investigators did not identify - a director frustrated over false alarms was worried that backed-up trains might block the entrance to a nearby military base until an alarm was checked out. The director's solution: simply turn off the radiation detector.

Associated Press writer Ted Bridis contributed to this report.

--

On the Net:
Customs and Border Protection: http://www.cbp.gov/
Government Accountability Office: http://www.gao.gov/
[ISN] Linux Security Week - March 27th 2006
LinuxSecurity.com Weekly Newsletter
March 27th, 2006 | Volume 7, Number 13n
Editorial Team: Dave Wreski, Benjamin D. Thomas

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week perhaps the most interesting articles include "Encrypt filesystems with EncFS and Loop-AES", "Revealing the myths about network security", and "Enterprise Security Threats Increasingly Come from Within".

---

EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.
http://www.engardelinux.org/modules/index/register.cgi

---

EnGarde Secure Community 3.0.5 Released

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.5 (Version 3.0, Release 5). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, and several new packages available for installation.
http://www.linuxsecurity.com/content/view/121879/65/

---

pgp Key Signing Observations: Overlooked Social and Technical Considerations
By: Atom Smasher

While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.
http://www.linuxsecurity.com/content/view/121645/49/

---

-- Take advantage of the LinuxSecurity.com Quick Reference Card! --
http://www.linuxsecurity.com/docs/QuickRefCard.pdf

Security News: Articles This Week

* Multiple Live CDs In One DVD
24th, March, 2006
Live CDs do a great job of advertising Linux distributions. In addition to general-purpose live CD distributions, there are lots of task-oriented live CDs. Wouldn't it be great if you could carry multiple live CDs on one DVD disc? Nautopia.net has put up a script that you can use to make a custom DVD to boot multiple live CDs.
http://www.linuxsecurity.com/content/view/122084

* Tunnels in Hash Functions - MD5 Collisions Within a Minute
20th, March, 2006
In this paper we introduce a new idea of tunneling of hash functions. In some sense tunnels replace multi-message modification methods and exponentially accelerate collision search. We describe how to find MD5 collisions in one minute on a standard notebook PC (Intel Pentium 1.6 GHz). The method works for any initializing value. Tunneling is a general idea, which can be used for finding collisions of other hash functions, such as SHA-1,
http://www.linuxsecurity.com/content/view/121996

* Encrypt filesystems with EncFS and Loop-AES
21st, March, 2006
Encrypted filesystems may be overkill for family photos or your resume, but they make sense for network-accessible servers that hold sensitive business documents, databases that contain credit-card information, offline backups, and laptops. EncFS and Loop-AES, which are both released under the GNU General Public License (GPL), are two approaches to encrypting Linux filesystems. I'll compare the two and then look at other alternatives.
http://www.linuxsecurity.com/content/view/122011

* Linux Dictionary
19th, March, 2006
(SWP) Sun Wah-PearL Linux Training and Development Centre has an ambitious aim to promote the use of Linux and related Open Source Software (OSS) and Standards. The vendor independent positioning of SWP
[ISN] S'kiddies get into spyware for just $15
http://www.theregister.co.uk/2006/03/27/spyware_diy/

By John Leyden
27th March 2006

A Russian website is selling a DIY spyware kit, called WebAttacker, for around $15 a throw. The site, which proudly boasts of its creator's credentials in the scumware industry, also offers technical support to potential buyers.

The kits come in a script-kiddie-friendly form, with code designed to make the task of infecting computers a breeze. All the buyers need do is send spam messages inviting potential marks to visit a compromised website.

Spam samples trapped by internet security firm Sophos use newsworthy topics to lure unwary users. One presents itself as a warning about the deadly H5N1 bird flu virus, providing links to the bogus website, which purports to offer health advice. Another plays on claims that Slobodan Milosevic was murdered.

Surfers visiting these websites will find themselves exposed to JavaScript code that attempts to take advantage of known web browser and Windows vulnerabilities to download malware. The exploit downloads a program that attempts to turn off the firewall and install malware, generally a password stealer, keylogger or a banking Trojan [1].

"This type of behaviour is inviting the return of script-kiddies," said Carole Theriault, senior security consultant at Sophos. "By simplifying the task of the potential hacker for a mere tenner, sites like this one will attract opportunists who aren't necessarily very skilled and turn them into cyber-criminals." ®

[1] http://www.sophos.com/virusinfo/analyses/trojdloadradu.html

_ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org
[ISN] Offshore outsourcing cited in Florida data leak
http://www.computerworld.com/securitytopics/security/story/0,10801,109938,00.html

By Robert McMillan
MARCH 26, 2006
IDG NEWS SERVICE

Florida state employees are being warned that their personal information may have been compromised after work on the state's People First payroll and human resources system was improperly subcontracted to a company in India. Employees who worked for the state during the 18-month period between Jan. 1, 2003, and June 30, 2004, may be affected, according to an e-mail message sent to all state employees on March 16.

The state's Department of Management Services (DMS), which oversees the People First system, estimates that 108,000 current and former state employees may be affected by the data breach, although that estimate could change as the department's investigation into the matter continues.

The e-mail was sent after a subcontractor of outsourcing service provider Convergys Corp. improperly allowed subcontractors in India to index state personnel files, said DMS spokeswoman Tiffany Koenigkramer. The offshoring was done as part of Convergys's nine-year, $350 million contract to manage the state's personnel work. Convergys had subcontracted the indexing work to GDXdata Inc., in Denver, which itself turned to a subcontractor in India, a violation of the GDXdata contract with Convergys, the DMS said. Convergys has since cancelled its contract with GDXdata, the agency said.

Convergys said the offshore work was done without its knowledge. "Convergys was misled by GDX, one of several subcontractors hired to perform work for the state of Florida," the company said in a statement.

The offshore work was made public in late December, when documents were unsealed in a whistle-blower lawsuit brought against GDXdata by two former employees. The DMS is investigating the matter, but it has so far detected no known cases of credit fraud or identity fraud that resulted from this work, Koenigkramer said.

"It is common today for businesses and even government to use offshore companies," the DMS March 16 e-mail states. "However, the use of offshore services in this case was inappropriate and unacceptable."

Convergys and the DMS expect to provide affected employees with a credit-protection plan this week, Koenigkramer said.

That is not enough for one of the state's public-employee unions, which is calling for an end to the Convergys deal and saying that the People First system has been mismanaged. "We want this thing killed," said Doug Martin, communications director at the American Federation of State, County and Municipal Employees, Council 79. "This is a joke, and the sad thing is, we're paying for it."

State Sen. Walter "Skip" Campbell, a Democrat who would also like to see the contract pulled, called the outsourcing a "critical security breach," in part because it inappropriately exposed sensitive information about the state's law enforcement agents. "We don't know how far the dissemination of this information has gone," he said.

Based in Cincinnati, Convergys is a provider of billing, customer service and human resources outsourcing services. It reported $2.5 billion in revenue last year, according to the company's Web site. A spokeswoman for GDXdata declined to comment for this story.
[ISN] Palm Beach County schools learn tough lesson: Hackers can always break in
http://www.sun-sentinel.com/news/local/palmbeach/sfl-pgrades27mar27,0,2175689.story?coll=sfla-news-palm

By Marc Freeman
South Florida Sun-Sentinel Education Writer
March 27 2006

Despite numerous measures to protect its computer network and prevent hacking, Palm Beach County schools appear to be a victim again. A recent breach under police investigation -- possible grade changing by several students -- adds to a growing number of attacks on seemingly defenseless schools and colleges across Florida and the country.

The sobering reaction among national experts and educators: Students and employees who want to cheat or attack computer networks are likely to be successful, regardless of high-tech security features and repeated warnings to abide by the rules.

"It's going to happen more," warns Greg Lindner, director of technology for the 60,000-student Elk Grove Unified School District, near Sacramento, Calif. During the past two years, Elk Grove high school students hacked into computers in three incidents, stealing personal information and changing grades of three-dozen other students. The violators used illegal hacking software and keystroke-recording devices. "It captures [user] log-ins, their passwords, everything," said Lindner, who hopes recent network enhancements are more effective at blocking would-be hackers.

Palm Beach County School District administrators declined to discuss details about their ongoing inquiry, but last week, in response to a request under the state open-records law, released confidential reports outlining their computer-security programs and procedures. "We don't go out and publicize what we do and what we don't do for obvious reasons," said Linda Mainord, district chief technology officer. "We are trying to use best practices as associated with a large computer installation."

In April, administrators produced a plan outlining investigative and other security procedures to use after an incident. The blueprint followed the case of a high school student from Palm Beach Gardens who hacked into the district's computer systems in December 2003 and January 2004. Besides the incident-response guide, the district's Information Technology department oversees 19 ongoing computer-security projects, aimed at preventing attacks, documents show. In another proactive measure, the district requires all of its computer users to sign a form promising to avoid improper activity.

In the schools, character-building lessons and behavior programs are aimed at preventing abuses, which helps curtail cheating and possibly computer hacking, district spokesman Nat Harrington said. "Everybody knows what the expectations are," he said. "Everybody knows what the consequences are. That has cut down on a lot of incidents."

The district's measures to prevent computer crimes appear to follow strict guidelines recommended by the International Society for Technology in Education, a Washington, D.C., nonprofit organization that advocates expanding technology in schools. Leslie Conery, the group's deputy chief executive officer, said school systems must develop and promote policies regulating the acceptable use of computers. Second, the schools need to have an action plan for what steps to take after an incident, including how to conduct investigations and potential punishments for offenders.

In June, Palm Beach County prosecutors dismissed a computer-offense charge against Ryan Duncan, the former student from Palm Beach Gardens caught breaching the district's network. Officials said he avoided the prospect of jail time because he did not attempt to crash the system or change grades. As part of a plea deal, he agreed to produce a video touting the evils of hacking, pay $2,025 in restitution and write an apology letter.

While computer security is essential, it's also critical to convince cheaters they shouldn't cheat in the first place, said Timothy Dodd, executive director for The Center for Academic Integrity at Duke University in Durham, N.C. "A kid with computer skills with a conscience is not going to hack into a transcript," said Dodd, whose organization helps college and secondary-school educators stop academic dishonesty. Dodd blames society for leading some students to hack away without fearing the consequences. "There are a terrible set of messages to students to do whatever it takes to get ahead," he said. "We want to fashion the mission that behavior with honesty matters."

Still, student computer hackers have been refining their illicit skills ever since the 1983 film War Games. The problem has intensified in recent years as teachers and administrators began using online software to enter student grades and test scores. "It's a challenge we've dealt with forever," Palm Beach County Schools Superintendent Art Johnson said.

Copyright © 2006, South Florida Sun-Sentinel