[ISN] Linux Security Week - June 5th 2006

InfoSec News isn at c4i.org
Wed Jun 7 01:07:11 EDT 2006

|  LinuxSecurity.com                         Weekly Newsletter        |
|  June 5th, 2006                             Volume 7, Number 23n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com    |
|                   Benjamin D. Thomas      ben at linuxsecurity.com     |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Post-
Encryption Security," "Setup a transparent proxy with Squid in three
easy steps," and "Small Security Risk Still Big Selling Point for
Linux."


Security on your mind?

Protect your home and business networks with the free, community
version of EnGarde Secure Linux.  Don't rely only on a firewall to
protect your network, because firewalls can be bypassed.  EnGarde
Secure Linux is a security-focused Linux distribution made to protect
your users and their data.

The security experts at Guardian Digital fortify every download of
EnGarde Secure Linux with eight essential types of open source
packages.  Then we configure those packages to provide maximum
security for tasks such as serving dynamic websites, high
availability mail, transport, network intrusion detection,
and more.  The result for you is high security, easy
administration, and automatic updates.

The Community edition of EnGarde Secure Linux is completely
free and open source.  Updates are also freely available when
you register with the Guardian Digital Secure Network.



EnGarde Secure Linux v3.0.6 Now Available

Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.6 (Version 3.0, Release 6). This release includes
several bug fixes and feature enhancements to the Guardian Digital
WebTool and the SELinux policy, several updated packages, and a couple
of new packages available for installation.



pgp Key Signing Observations: Overlooked Social and
Technical Considerations

By: Atom Smasher

While there are several sources of technical information on using
pgp in general, and key signing in particular, this article
emphasizes social aspects of key signing that are too often ignored,
misleading or incorrect in the technical literature. There are also
technical issues pointed out where I believe other documentation
to be lacking.



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

| Security News:      | <<-----[ Articles This Week ]----------

* Password Hashing
  29th, May, 2006

In this article I'm going to cover password hashing, a subject which
is often poorly understood by newer developers. Recently I've been
asked to look at several web applications which all had the same
security issue - user profiles stored in a database with plain text


* Post-Encryption Security
  3rd, June, 2006

Last month I reviewed Voltage Security's secure email product, a
worthy exercise since email is the most common method of transmitting
documents from one department to another.


* How To Automate Spamcop Submissions
  29th, May, 2006

Spamcop is a service which provides RBLs for mail servers in order to
reject incoming mail from spammers. Their philosophy is to process
possible spam complaints from users. When they receive a certain
number of complaints during a time period, they will blacklist
the offender. This system is dependent on spam reporting from users.
However, their submission process is not very user-friendly.


* Disaster Practice
  4th, June, 2006

When the British government wanted to test the resiliency of its
financial institutions, it commissioned "an afternoon from hell". The
buildup started on a Monday morning last November. First, there was a
failure in the clearing systems used to transfer money between banks
after routine systems maintenance. Then, terrorists staged a series
of bomb attacks around Britain, causing hundreds of casualties in
London and considerable damage to major financial centres. Around the
same time, malicious hackers tried their best to break into the
banks' systems.  All in all, 'twas a bad day. The disaster
recovery simulation was organized by the Tripartite Authorities, a
group comprising the Financial Services Authority, the UK Treasury
Department and the Bank of England.


* MicroWorld to Launch Futuristic Network Firewall
  27th, May, 2006

MicroWorld Technologies launched its futuristic, enterprise class
firewall eConceal. eConceal is a comprehensive network firewall
developed to prevent unauthorized access to a computer or network
connected to the Internet. It enforces a boundary between two or more
networks by implementing default or user-defined Access Control
Policies or Rules. These rules function as filters by analyzing data
packets to see if they fulfill the filter criteria and then allow or
block the traffic accordingly.


* Can single sign-on be simple sign-on?
  29th, May, 2006

Fundamentally, Single Sign On (SSO) is a straightforward idea. You
use a proxy device to authenticate a user, and the proxy then manages
all the login idiosyncrasies of the applications they want to

Easy to describe, and straightforward to transcribe onto slideware.
The devil is, of course, in the detail. For example, how do you know
how all of your enterprise applications manage their login? Does the
proxy do this for you or do you have to write a login script for each
one individually? If you deploy the solution and the application
decides it wants a password refresh, is your helpdesk buried by calls
from angry users who can't get into the application and do their


* Taking Steps To Protect Customer Data
  29th, May, 2006

With so much attention paid to malicious attacks by hackers, worms
and viruses, it's a common misconception that outside forces pose the
greatest danger to a company's data. The reality, however, is that
internal elements are far more dangerous when it comes to data
security than anything on the outside, including natural disasters.


* Biometrics - The Wave of the Future?
  1st, June, 2006

Will biometrics be a factor in our future? Of course it will, at
least to the extent that it has been in our past history. We as
citizens must decide upon the best methods to use and the best way to
utilize this technology. Biometrics can be defined in several ways
such as the study of measurable biological characteristics. In
reference to Information Security it specifically applies to the
automated use of physiological or behavioral characteristics to
determine or verify identity.


* Security Management From One Platform
  28th, May, 2006

Managing network security gets harder every day as the number and
types of threats multiply. Security is also a double-edged sword, and
an incorrectly implemented or mismanaged security policy can prevent
network commerce and stand in the way of the mission of the


* Linux: Setup a transparent proxy with Squid in three easy steps
  29th, May, 2006

Yesterday I got a chance to play with Squid and iptables. The job was
to set up Squid as a transparent proxy. The main benefit of a
transparent proxy is that you do not have to set up individual
browsers to work with proxies.


* Follow the Appiant way to a more secure network.
  29th, May, 2006

Hardly a day goes by that we don't hear new information about some
company getting themselves hacked. Sure they all have firewalls, but
HOW are the hackers getting in? I was hired to perform an application
security audit for a local university. They wanted to make sure that
they didn't become part of the growing statistics.


* Network auditing on a shoestring
  30th, May, 2006

What do you do when the auditors are breathing down your neck,
wanting to see an exhaustive report on the Windows network security
of a 2,000-user network across eight sites? That's easy. Break out a
text editor and start writing some Perl.  That's what my colleague
Matt Prigge and I did when we were tasked with locating every share
available on a network and documenting who had access to their files.
At first blush, it was a Herculean effort. When we started coding and
the pieces began to fall into place, however, it became much


* Execs Express Top Security Concerns
  30th, May, 2006

When it comes to protecting corporate assets there seems to be little
security managers don't worry about.

That's the impression of security executives attending this week's
Converge '06 conference - also known as security vendor Courion's
annual customer meeting.


* Security expert recommends 'Net diversity
  31st, May, 2006

What do you see as the top three information security threats that
are most likely to hit U.S.-based multinationals?

One of the biggest threats we have right now is deployment of
resources intended either to save on cost or enhance features without
thinking through the consequences. VoIP and wireless fall in this
category. They have failure modes that are very different than what
they are replacing and are not well understood. Perceived cost
advantages are driving these technologies, but that is overcoming the
caution that should be in place. That's a threat not in the sense of
a particular attack, but it is a systemic problem that leads to
weakness in security posture and therefore may lead to attacks.


* Most sites ready for SSL progress
  2nd, June, 2006

Despite the enormous success of SSL for securing web traffic, there
has been little technical change in the way that SSL is used for
secure HTTP in the ten years since SSL version 3 was introduced.
Although it has been around since 1996, most browsers have continued
to make connections compatible with the older SSL version 2 protocol.
But now the major browser developers are aiming to drop SSL v2
completely; export-grade encryption ciphers are also to be dropped.

SSL version 2 was supported by Netscape 1.0, back in 1994, and it was
made obsolete by SSL version 3, published in 1996. But while SSL
version 3 was soon widely supported (and over 97% of HTTPS sites
also support its successor, TLS), most browsers have continued to
make SSL-v2-compatible connections, in order to stay compatible.


* The Games Hackers Play
  2nd, June, 2006

This clash has nothing to do with the simulated battles on Gindis,
Eternal Duel, Mobstar or any of the more hip gaming sites. No, this
one's for real.

The villains in this combat are criminal hackers and phishing
scammers, and their targets: unsuspecting on-line gamers.


* Log Analysis for Intrusion Detection
  29th, May, 2006

Log analysis is one of the most overlooked aspects of intrusion
detection. Nowadays we see every desktop with an antivirus, companies
with multiple firewalls and even simple end users buying the latest
security related tools.

However, who is watching or monitoring all the information these
tools generate? Or even worse, who is watching your web server, mail
server or authentication logs? I'm not talking about pretty usage
statistics of your web logs (like what webalizer does). I'm talking
about the crucial security information that only a few of these events
have and nobody notices. A lot of attacks would not have happened (or
would have been stopped much earlier) if administrators cared to
monitor their logs.

We are not saying that log analysis is easy or that you should be
manually looking at all your logs on a daily basis. Because of their
complexity and generally high volume, automatic log analysis is


* Cybersecurity Contests go National
  1st, June, 2006

It has all the makings of a B-movie plot: A corporate network
targeted by hackers and a half dozen high-school students as the
company's only defense.

Yet, teams of students from ten different Iowa high schools faced
exactly that scenario during a single night in late May in the High
School Cyber Defense Competition. The contest tasked the teenagers
with building a network in the three weeks leading up to the
competition with only their teachers, and mentoring volunteers from
local technology firms, as their guides.


* Small Security Risk Still Big Selling Point for Linux
  27th, May, 2006

When the Indiana Department of Education rolled out PCs running Linux
to schools last year, it installed open source antivirus software on
the servers connected to the desktop systems to scan incoming e-mail.
However, it didn't bother to put antivirus tools on the PCs
themselves.

"I hate to admit this, but I wasn't worried," said Forrest Gaston, a
consultant who is managing the project for the Indianapolis-based
agency. And despite heavy Internet usage by students, Gaston's
optimism has been borne out thus far. Desktop security "hasn't been
an issue," he said.


* 13 Ways To Get Your Developers On Board With Software Security
  2nd, June, 2006

It's easy to understand that software security starts with writing
secure code. Keep the flaws out from the beginning and you've bought
yourself several pounds of prevention.

Baking security in up front is logical and makes good technical and
business sense; however, getting your developers on board with
security training is not necessarily going to be an easy task. At
first glance, it might seem that selling software security to
developers would require the same approach as getting buy-in from
executive management and the average user. It's not quite that


* Macro virus aims at OpenOffice, StarOffice
  30th, May, 2006

An unknown virus writer has created the first macro virus that
targets computers running the alternative word processors OpenOffice
and StarOffice, antivirus firm Kaspersky Labs said on Tuesday.


* Linux comes to Sun SPARC servers
  31st, May, 2006

Sun is officially giving customers a wider choice on its SPARC
servers with the announcement that it will support Linux on its new
multicore UltraSPARC T1 systems.


* Firefox 2.0 Bakes in Anti-Phish Antidote
  31st, May, 2006

Mozilla has reached the latest development milestone for its
next-generation Firefox 2.0 "Bon Echo" browser with a little
anti-phishing help from Google.


* Red Hat releases testing and integration tools to Linux developers
  1st, June, 2006

Red Hat has released development tools to the open source community,
which are designed to make it easier for enterprises and developers
to quickly test and integrate new applications with Red Hat Linux and
other Linux distributions.


* The Intelligence Cycle for a Vulnerability Intelligence program
  30th, May, 2006

A Vulnerability Intelligence program should be a key component of any
sound network security strategy.  It should dovetail with a
Vulnerability Assessment process and a patching/remediation process.
While a Vulnerability Assessment process will tell you what needs to
be patched, Vulnerability Intelligence should tell you what needs to
be patched first and what new patches need to be evaluated.


* The Finnish security vendor said the services are for small to
midsize ISPs and their private custom
  30th, May, 2006

The Finnish security vendor said the services are for small to
midsize ISPs and their private customers. The services are PC
Protection, which includes virus and spyware detection and a
firewall, and PC Protection Plus, which adds a parental and spam
control features.


* John the Ripper Pro
  30th, May, 2006

This is to announce three things at once: 1) I have started making
and maintaining commercial releases of John the Ripper password
cracker, known as John the Ripper Pro. 2) A new version of the tiny
POP3 server, popa3d 1.0.2, has been released adding a couple of minor
optimizations specific to x86-64 to the included MD5 routines. 3) A
new version of the password hashing package (for use in C/C++
applications and libraries), crypt_blowfish 1.0.2, has been released
adding a minor optimization specific to x86-64.


* Everybody's a Server
  28th, May, 2006

The IT world has a reputation of being extremely fast-paced. And it
is: an accounting program in the '80s would have been written in
COBOL. In the '90s it would have been written with a RAD (Rapid
Application Development) environment such as Delphi or Visual Basic. In
the... '00s (noughties?), today, the same application would
probably be written as a web system, possibly using all of the "Web
2.0" technologies to make it responsive and highly usable.


* Application Security Hacking Videos
  29th, May, 2006

With college campuses being hacked into on a seemingly daily basis,
and student information being stolen and used for identity theft, I
thought you might like to see how the hacks are being done, and how
astoundingly easy they are. I have produced a video of a security
audit I performed on a local college website that shows how easy
these exploits are. There is also a brief training on the homepage
that introduces non-experts to SQL injection concepts in a fashion
that makes it easy to understand.


* Oracle exec hits out at 'patch' mentality
  29th, May, 2006

Oracle's security chief says the software industry is so riddled with
buggy product makers that "you wouldn't get on a plane built by
software developers."

Chief Security Officer Mary Ann Davidson has hit out at an industry
in which "most software people are not trained to think in terms of
safety, security and reliability." Instead, they are wedded to a
culture of "patch, patch, patch," at a cost to businesses of $59
billion, she said.


* Malware Challenges in a Cross-Platform World
  30th, May, 2006

With the advent of the inexpensive and powerful personal computer,
networks have evolved and are now implemented exclusively using small
computers connected among themselves and to the Internet. Don't get
me wrong, though -- the mainframe isn't dead yet. In fact, Gartner
estimates that more than 80% of business applications are written in
Cobol, one of the earliest high-level programming languages. But the
truth is that, although still alive and kicking, the mainframe has
nevertheless lost ground in our current environment, which is focused
on PCs and distributed server architectures.


* Users Versus Hackers: Which Are Worse?
  31st, May, 2006

It's 5 p.m. on a Friday, and you're the lead security engineer
for the headquarters site of a major corporation. Just as you're
getting ready to ease out the door for the weekend, the phone rings
and there's a frantic voice on the other end of the line. It's
one of the managers from your financial department, and it seems that
someone has accessed the payroll records of a number of
higher-ranking executives within the company and attempted changes to
their salaries and monthly paychecks.


* Perspective: Hyperlink insecurity
  31st, May, 2006

Imagine a world where no Web site or hyperlink can be trusted, and a
simple click on a hyperlink could slam your computer with a malicious
driveby download. Sound far-fetched? It's not. Today, trusted Web
sites can no longer be trusted. Those of us who collectively click on
the billions of hyperlinks generated each day by search engines,
blogs and e-mail are playing Russian roulette with our computers.


* Chief Hacks Around With Google
  1st, June, 2006

A reader asked me months ago to talk about the threat of 'Google
Hacking' to an organization, and asked if I used 'Google Hacking' in
any of my risk assessments.

In short: hell yes. If you're not attempting to do any type of
reconnaissance with Google on your organization or clients, you're
setting yourself up for a very unwelcome surprise down the road.


* Security Spending Shifts
  3rd, June, 2006

Lingering concern about the overall state of the economy has many
CIOs forecasting a slowdown in IT spending in 2007, according to a
new survey from analyst firm Merrill Lynch.  But compliance concerns
and the looming threat of organized crime online mean that security
spending remains healthy.  The survey of 75 U.S. and 25 European CIOs
reveals that users expect 5.2 percent spending growth in 2006 and 4.8
percent in 2007. American execs predict only 4.4 percent spending
growth over the coming 12 months, compared to their more bullish
international counterparts who expect 6.1 percent growth.


* Hackers Found to Target University Systems
  31st, May, 2006

Increasing numbers of university systems are becoming targets for
hackers. The most recent incident involves Sacred Heart University in
Fairfield, Connecticut. The university's system containing information
on 135,000 individuals was hacked recently, and personal information
such as names, addresses, and Social Security numbers was stolen.


* FAQ: The new 'annoy' law explained
  1st, June, 2006

So what does the rewritten law now say?
The section as amended reads like this: "Whoever...utilizes any
device or software that can be used to originate telecommunications
or other types of communications that are transmitted, in whole or in
part, by the Internet... without disclosing his identity and with
intent to annoy, abuse, threaten, or harass any person...who receives
the communications...shall be fined under title 18 or imprisoned not
more than two years, or both."


* Euro Security Initiatives Proposed
  1st, June, 2006

The European Commission today issued a report that calls for greater
education on IT security, and the creation of a common framework for
collecting incident data.

In its report, the EC states that European spending on IT security
"represents only around 5 to 13 percent of IT expenditure, which is
alarmingly low." The commission calls for a cross-border effort to
educate users about security and to unify disjointed national efforts
to track exploits.


* Study: Companies should do more to protect employees' personal
  2nd, June, 2006

A study on workplace privacy found that less than half of the people
surveyed believe their employers are doing a good job protecting the
privacy of their personal information.

The independent study, "Americans' Perceptions about Workplace
Privacy," was conducted by Elk Rapids, Mich.-based Ponemon Institute
LLC, which looks at information and privacy management practices in
business and government. The report, which was released yesterday, is
based on 945 responses from adults across the U.S. who work for
companies with at least 1,000 employees.


* Stolen YMCA Computer Contains Members' Personal Information
  2nd, June, 2006

The YMCA of Greater Providence is reporting that one of its two
missing laptop computers contains members' information.

The non-profit organization that provides a range of educational,
social and recreational services says it discovered last week that
the computers were missing.


* The growing challenge of identity management
  2nd, June, 2006

Identity management is a security issue which is becoming
increasingly challenging as the perimeter of the network crumbles.
This is well illustrated by the DTI Information Security Breaches
Survey of 2006, which shows that one in five larger businesses had a
security breach associated with weaknesses in their identity
management, with the number of incidents being less for smaller


* Stronger cybersecurity bill passes House committee
  31st, May, 2006

The U.S. House of Representatives Judiciary Committee today approved
a bill that would significantly strengthen existing federal
cybercrime law and provide law enforcement with increased enforcement
tools. The bill also offers authorities greater enforcement powers
and resources. Included is a section that provides an additional $10
million annually to the Secret Service, FBI and Department of Justice
to investigate and prosecute cybercrimes. The bill makes failing to
report breaches to the FBI or Secret Service that involve at least
5,000 customers a crime punishable by up to five years in prison.


* Fed plan for cybersecurity R&D released
  2nd, June, 2006

The government has outlined its first steps for coordinating and
expanding federal research and development efforts aimed at improving
cybersecurity. The new Federal Plan for Cyber Security and
Information Assurance Research and Development, issued in April and
now available online, lays the groundwork for developing an R&D
agenda that will help address critical gaps in current technologies
and capabilities.


* Phar out! Phishers are now Pharming
  29th, May, 2006

If the phishers don't get you the pharmers will, police have warned.

People are now getting wary of the scam called phishing - where
people are sent emails claiming to be from their bank asking them to
"confirm" their account details and passwords.


* Hostage Threat to Home PCs
  30th, May, 2006

Family photos and other priceless content stored in your home
computer could one day be held hostage by a new breed of security
threat called "ransomware".

Ransomware typically takes the form of a trojan horse that holds
personal computer files "hostage" and then demands a ransom for
their safe return.


* Video: Hacking A College... or Two
  31st, May, 2006

Joel over at appiant.net has posted a great video of how he
used SQL injection to bypass security controls on a college website.
While his methods may seem 1-2-3 to web application security testers,
they are a great example of just how simple this type of attack is,
and a reminder that you MUST perform this same type of testing on
EVERY web application you deploy, period.
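
Both Appiant items in this issue (the application security hacking
videos above and this one) show SQL injection against a college login
page. As an added example, not code from those videos or from any real
site, the block below builds a throwaway sqlite3 database with
fictitious student rows and runs two classic payloads against a login
query that splices user input into the SQL text, then against the same
query with bound parameters. The table, rows and payloads are all
constructed for illustration; passwords are stored unhashed here only
to keep the demo short.

```python
import sqlite3

# Constructed demo database: fictitious students, not data from any college.
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (username TEXT, password TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO students VALUES (?, ?, ?)",
        [("alice", "s3cret", "000-00-0001"), ("bob", "hunter2", "000-00-0002")],
    )
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """The flaw class the videos demonstrate: user input pasted into SQL text.
    A quote in the input ends the string literal and the rest becomes SQL."""
    query = ("SELECT username FROM students "
             "WHERE username = '%s' AND password = '%s'" % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """Same query with bound parameters: input is always data, never syntax."""
    row = conn.execute(
        "SELECT username FROM students WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Two classic payloads (constructed): log in with no valid password, and pull a
# column the login form was never meant to return. "--" starts an SQL comment,
# which discards the trailing password check.
BYPASS_PAYLOAD = "' OR 1=1 --"
EXFIL_PAYLOAD = "' UNION SELECT ssn FROM students WHERE username = 'bob' --"


if __name__ == "__main__":
    conn = build_demo_db()
    print(vulnerable_login(conn, BYPASS_PAYLOAD, "x"))  # alice: first row, no password needed
    print(vulnerable_login(conn, EXFIL_PAYLOAD, "x"))   # 000-00-0002: bob's SSN via the login form
    print(safe_login(conn, BYPASS_PAYLOAD, "x"))        # None: payload is just an odd username
    print(safe_login(conn, "bob", "hunter2"))           # bob
```

Parameter binding is the fix, not input filtering: the database driver
sends the statement and the values separately, so no quoting trick in
the username can change the query's shape. Running exactly this kind of
probe against every login and search form you deploy is the testing the
post above insists on.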


* Turkish Hackers go on Defacement Rampage
  31st, May, 2006

Two Sony websites were hacked yesterday by a Turkish hacker (thanks
to Roberto Preatoni of Zone-H.org for the heads up and explanation).  The
two site URLs are: http://sonymusic.it/index.php and


* Woman Targeted by Web Hackers
  1st, June, 2006

A woman from Greater Manchester has become a victim of an internet
scam in which hackers hijack computer files and blackmail owners to
get them back.

Helen Barrow, a 40-year-old nurse from Rochdale, is believed to be
one of the first victims of the con in the UK.


* Swedish police Web site shut down by hacker attack
  2nd, June, 2006

The Web site of Sweden's national police was shut down after a hacker
attack that investigators on Friday said could be a retaliation for a
crackdown on a popular file-sharing site called The Pirate Bay.


* Police will not pursue ransom hackers
  4th, June, 2006

After a Manchester woman was held to ransom by hackers, experts and
senior police officers have voiced concern that such cases are
falling between the cracks. Greater Manchester Police (GMP) will not
be pursuing the criminals who used a Trojan horse program to lock a
Manchester woman's files and demanded a ransom to release them.


* Triangulation homes in on rogue WLan access points
  30th, May, 2006

Although wireless access points use encryption to secure network
traffic, access to the WLan is open to anyone with a valid log-in.
Foundry Networks aims to control this access based on the physical
location of the end-user.

The technology uses triangulation between three access points to
determine the location of a WLan user to within five metres, said the


* Wireless Authentication Solutions
  1st, June, 2006

As is the case with any valuable resource, there must be limitations
on who can access and use your wireless medium. In some situations,
such as when offering wireless access to attract customers, these
limitations will be minimal. In others, we want the greatest possible
protection available. Controlling access to computer resources is
best illustrated in the AAA framework: Authentication, Authorization,
and Accounting.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.
