[ISN] Linux Security Week - June 12th 2006

InfoSec News isn at c4i.org
Mon Jun 12 04:23:57 EDT 2006

|  LinuxSecurity.com                         Weekly Newsletter        |
|  June 12th, 2006                            Volume 7, Number 24n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com    |
|                   Benjamin D. Thomas      ben at linuxsecurity.com     |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Building a
heterogeneous home network for Linux and Mac OS X," "Fundamentals of
Storage Media Sanitation," and "Password Cracking and Time-Memory
Trade Off."


Security on your mind?

Protect your home and business networks with the free, community
version of EnGarde Secure Linux.  Don't rely only on a firewall to
protect your network, because firewalls can be bypassed.  EnGarde
Secure Linux is a security-focused Linux distribution made to protect
your users and their data.

The security experts at Guardian Digital fortify every download of
EnGarde Secure Linux with eight essential types of open source
packages.  Then we configure those packages to provide maximum
security for tasks such as serving dynamic websites, high
availability mail, transport, network intrusion detection,
and more.  The result for you is high security, easy
administration, and automatic updates.

The Community edition of EnGarde Secure Linux is completely
free and open source.  Updates are also freely available when
you register with the Guardian Digital Secure Network.



EnGarde Secure Linux v3.0.7 Now Available

Guardian Digital is happy to announce the release of EnGarde
Secure Community 3.0.7 (Version 3.0, Release 7).  This
release includes several bug fixes and feature enhancements
to the Guardian Digital WebTool and the SELinux policy,
several updated packages, and several new packages
available for installation.



pgp Key Signing Observations: Overlooked Social and
Technical Considerations

By: Atom Smasher

While there are several sources of technical information on using
pgp in general, and key signing in particular, this article
emphasizes social aspects of key signing that are too often ignored,
misleading or incorrect in the technical literature. There are also
technical issues pointed out where I believe other documentation
to be lacking.



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

| Security News:      | <<-----[ Articles This Week ]----------

* Cleaning up data breach costs 15x more than encryption
  7th, June, 2006

Protecting customer records is a magnitude less expensive than paying
for cleanup after a data breach or massive records loss, a research
company said Tuesday. Gartner analyst Avivah Litan said in a research
note that data protection is cheaper than a data breach. She recently
testified on identity theft at a Senate hearing held after the
Department of Veterans Affairs lost 26.5 million vet identities.


* A Comparison of SNMP v1, v2 and v3
  5th, June, 2006

During its development history, the communities of researchers,
developers, implementers and users of the DARPA/DoD TCP/IP protocol
suite have experimented with a wide range of protocols in a variety
of different networking environments. The Internet has grown,
especially in the last few years, as a result of the widespread
availability of software and hardware supporting this system. The
scaling of the size and scope of the Internet and increased use of
its technology in commercial applications has underscored for
researchers, developers and vendors the need for a common network
management framework within which TCP/IP products can be made to


* Disaster Practice
  4th, June, 2006

When the British government wanted to test the resiliency of its
financial institutions, it commissioned "an afternoon from hell". The
buildup started on a Monday morning last November. First, there was a
failure in the clearing systems used to transfer money between banks
after routine systems maintenance. Then, terrorists staged a series
of bomb attacks around Britain, causing hundreds of casualties in
London and considerable damage to major financial centres. Around the
same time, malicious hackers tried their best to break into the
banks' systems.  All in all, 'twas a bad day. The disaster
recovery simulation was organized by the Tripartite Authorities, a
group comprising the Financial Services Authority, the UK Treasury
Department and the Bank of England.


* May's Security Streams
  5th, June, 2006

Here's May's summary of all the security streams during the month.
This is perhaps among the few posts in which I can actually say
something about the blog, the individual behind it, and its purpose,
which is to - question, provoke, and inform on the big picture. After
all, "I want to know God's thoughts... all the rest are details", one
of my favorite Albert Einstein quotes. The way we often talk about
a false feeling of security, we can easily talk about a false feeling
of blogging, and false feeling of existence altogether. It is often
assumed that the more you talk, the more you know, which is exactly
the opposite, those that talk know nothing, those that don't, they
do. There's nothing wrong with that of referring to yourself, as
enriching yourself through past experience helps you preserve your
own unique existence, and go further. Awakening the full potential
within a living entity is a milestone, while self preservation may
limit the very development of a spirit -- or too much techno
thrillers recently? :)


* (IN)SECURE Magazine Issue 7 Has Been Released
  9th, June, 2006

(IN)SECURE Magazine is a free digital security magazine in PDF
format. In this issue you can read about SSH port forwarding, server
monitoring with munin and monit, compliance vs. awareness, and much
more. Get your copy today!


* Abandon E-mail!
  5th, June, 2006

Back in 1972, by some accounts, a new form of communication known as
e-mail was born. It was a practical implementation of electronic
messaging that was first seen on local timeshare computers in the
1960s. I can only imagine how much fun and revolutionary it must have
been to use e-mail in those early years, to have been at the bleeding
edge of the curve.  Almost ten years later, in November 1981,
Jonathan Postel published RFC 788 (later deprecated by RFC 821, also
by Postel, and RFC 822 by David Crocker), thereby inventing the
foundations of the Simple Mail Transport Protocol (SMTP) - a proposal
that would revolutionize e-mail again. Since that time, e-mail has
become as important an invention to the world as the telegraph and
the telephone, and it has long been synonymous with the Internet


* Building a heterogeneous home network for Linux and Mac OS X
  8th, June, 2006

You can find plenty of information online about building
heterogeneous networks involving Windows, but relatively little about
connecting Macs with Linux PCs in a home or small office network. Mac
OS X's Unix base, however, means there are plenty of good options for
networking a Mac with a Linux PC, despite the relative lack of
documentation. In this article, I'll discuss how to set up Mac-Linux
printer and file sharing using NFS and SSH.


* Security Without Firewalls: Sensible Or Silly?
  6th, June, 2006

For years, infosec experts have called the firewall a critical
ingredient to security, whether it's in a large enterprise or on a
home PC. But the San Diego Supercomputer Center (SDSC) has defied
that logic with what some would consider surprising success.  Abe
Singer, computer security manager for the SDSC's Security
Technologies Group, explained how companies can maintain strong
firewall-free security at the 2006 USENIX Annual Technical Conference
Thursday. He has also produced a presentation (.pdf) on the subject.


* Standards In Desktop Firewall Policies
  7th, June, 2006

The idea of a common desktop firewall policy in any size organization
is a very good thing. It makes responses to external or internal
situations such as virus outbreaks or network-oriented propagation of
viruses more predictable. In addition to providing a level of
protection against port scanning, attacks or software
vulnerabilities, it can provide the organization's local security team
a baseline or starting point in dealing with such events. The purpose
of this article is to discuss the need for a desktop firewall policy
within an organization, determine how it should be formed, and
provide an example of one along with the security benefits it
provides an organization.


* Users hit by multi-browser threat
  8th, June, 2006

Security vendors have warned of a flaw that affects an unusually
broad cross-section of browsers -- Internet Explorer, Firefox and the
Mozilla suite on Windows, Linux and Mac OS X -- and could be used to
hoover up files from vulnerable systems.

The problem is in the way the browsers implement scripting --
JavaScript in Firefox and Active Scripting in IE. Both browsers have
a design error in which a script can cancel certain keystroke events
when users are entering text.


* UTM - Preparing for New Generation of Security Threats
  6th, June, 2006

Securing networks has rapidly taken center stage among most
enterprises as the threat from increasingly sophisticated attacks
becomes more complex and costly to manage. According to the research
group IDC, enterprises worldwide spent an estimated $32.6Bn in 2005
on network security but are still faced with an ever-changing
landscape of new security threats. Traditional network defense
solutions such as firewalls and intrusion prevention devices must be
supplemented by secure content management devices in order to block
the full range of sophisticated attacks including viruses, spyware,
spam and phishing.


* Social Engineering, The USB Way
  7th, June, 2006

We recently got hired by a credit union to assess the security of its
network. The client asked that we really push hard on the social
engineering button. In the past, they'd had problems with employees
sharing passwords and giving up information easily. Leveraging our
effort in the report was a way to drive the message home to the
employees.  The client also indicated that USB drives were a concern,
since they were an easy way for employees to steal information, as
well as bring in potential vulnerabilities such as viruses and
Trojans. Several other clients have raised the same concern, yet few
have done much to protect themselves from a rogue USB drive plugging
into their network. I wanted to see if we could tempt someone into
plugging one into their employer's network.


* Researchers eye machines to analyze malware
  8th, June, 2006

The reverse engineer--better known amongst security researchers by
his nom de plume, Halvar Flake-- created an automated system for
classifying software into groups, a process for which he believes
machines are much better suited. Research using the system has
underscored the sometimes-arbitrary decisions humans make in
classifying malicious programs, he said.


* The top five ways to prevent IP spoofing
  9th, June, 2006

The term "spoofing" is generally regarded as slang, but refers to the
act of fooling -- that is, presenting a false truth in a credible
way. There are several different types of spoofing that occur, but
most relevant to networking is the IP spoof. Most types of spoofing
have a common theme: a nefarious user transmits packets with an IP
address, indicating that the packets are originating from another
trusted machine.


* How To Analyze HijackThis Logs
  5th, June, 2006

HijackThis is a free tool developed by Merijn Bellekom, a student in
The Netherlands. Spyware removal software such as Adaware or Spybot
S&D do a good job of detecting and removing most spyware programs,
but some spyware and browser hijackers are too insidious for even
these great anti-spyware utilities.

HijackThis is written specifically to detect and remove browser
hijacks, or software that takes over your web browser, alters your
default home page and search engine and other malicious things.


* How-To: Back-up your blog (Linux)
  7th, June, 2006

Bad things happen. If you've ever worried that the over caffeinated
tech might spill his latte down your web server, then today's How-To
will help you out. Forgetting to back up your blog (or your website)
is something that isn't a big deal until you need it -- like backing
up anything, really. But your blog's files and databases aren't
really so simply accessible as the files on your PC, so today we're
showing you how to automatically back up your blog (or website) with
some freely available tools that will use a minimum amount of your
precious bandwidth.


* EnGarde Secure Community 3.0.7
  6th, June, 2006

Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.7 (Version 3.0, Release 7).  This release includes
several bug fixes and feature enhancements to the Guardian Digital
WebTool and the SELinux policy, several updated packages, and several
new packages available for installation.


* Symantec to Port Veritas Storage Software to IBM Linux Platform
  8th, June, 2006

Software security and storage specialist Symantec June 7 announced an
agreement with IBM to port its Veritas Cluster Server, Veritas
Storage Foundation family and NetBackup recovery technology to IBM's
Linux on POWER platform, opening a new door to the open-source
enterprise storage market.


* Announcement: RSBAC 1.2.7
  9th, June, 2006

The RSBAC team is happy to announce that RSBAC 1.2.7 has just been
released for both kernels 2.4.32 and 2.6.16.


* Non-standard Incident Prediction
  5th, June, 2006

We are all familiar with the use of firewall logs, intrusion
detection alerts, antivirus warnings, and watching for "funny"
entries in our system logs as ways to indicate that somebody on the
Internet is up to no good.  But those traditional detection systems
don't do any good against attacks that are not oriented on one of the
traditional seven layers of the OSI model.


* The Enterprise Gets Googled
  5th, June, 2006

On February 14, 2006, many Google e-mail users received an unexpected
Valentine's Day present. When they logged in to their accounts, there
it was: instant messaging, fully integrated with their e-mail system.
Gmail users could now chat in the same browser window as their inbox.
Just as with e-mail, the system would save a transcript of every chat
and, better yet, the text of archived transcripts would be
searchable. There was nothing to download, nothing to install.


* Spyware infections spreading, security expert says
  5th, June, 2006

Spyware programs are increasing in number and growing in
sophistication to avoid detection, making it harder to guard against
infections and more costly to repair their damage, according to a
security expert whose company tracks them on a regular basis.


* Open source consortium addresses security
  5th, June, 2006

The Open Web Application Security Project (OWASP) has announced the
availability of a process guide that it hopes will help a broad range
of developers incorporate security into the software application
development lifecycle (SDLC).


* Fundamentals of Storage Media Sanitation
  6th, June, 2006

One of the most fundamental principles of information security is
that it's all about the data. Data in transit or at rest is the
primary focus of administrative, physical, and technical safeguards.
Security professionals are doing better every day when it comes to
protecting information in static production environments. But what
happens when magnetic, optical, or semiconductor media is repurposed
or retired? In this paper, I define media sanitation and how it fits
into an overall security program. Next, I examine how attackers can
extract information from electronic media even after it's been
overwritten. Finally, I explore ways you can protect your
organization from attacks both casual and highly motivated.


* How to win friends and influence people with IT security
  7th, June, 2006

The public and private sectors put IT Security on top of their agenda
these days, and, as a result, the IT and Information Security job
market is growing. At some point though, the market will saturate as
businesses seek to curb their investments, security services become
more standardized and IT as a whole moves to a more service-oriented
business model. Is your career strategy ready?


* A Continuing Work in Progress: The State of Linux 2006
  7th, June, 2006

To label Linux a purely enthusiast or hobbyist operating system is
overly facile; such a stance also categorically denies that Linux has
any real industry presence. On the contrary, prominent top-tier
manufacturers such as Dell, IBM, Sun Microsystems, and
Hewlett-Packard all openly support Linux in select product lines, and
many lower-tier manufacturers have adopted this platform to
establish cost-effective price points in various highly competitive
marketplaces. Government support for Linux also comes in a variety of
forms. Most notably, this includes the NSA-sponsored Security
Enhanced Linux (SELinux) policy extensions adopted into the
mainstream by Red Hat starting with Fedora Core 2 (the current
version is Fedora Core 5). SELinux extends basic security
functionality to the Linux platform, and makes it easier to create a
hardened installation. These are only a few examples of where Linux
is actively developed by high-visibility organizations, all of which
take this platform very seriously.


* JavaScript security threat to Internet Explorer and Firefox
  7th, June, 2006

A JavaScript security bug has been discovered in both the Internet
Explorer and Firefox browsers. The threat covers the Windows, Linux,
and Mac operating systems, say internet security software companies.


* Cybercrime Spurs College Courses In Digital Forensics
  7th, June, 2006

One of the hottest new courses on U.S. college campuses is a direct
result of cybercrime.  Classes in digital forensics - the collection,
examination and presentation of digitally stored evidence in criminal
and civil investigations - are cropping up as fast as the hackers and
viruses that spawn them. About 100 colleges and universities offer
undergraduate and graduate courses in digital forensics, with a few
offering majors. There are
programs at Purdue University, Johns Hopkins University, the
University of Tulsa, Carnegie Mellon University and the University of
Central Florida. Five years ago, there were only a handful.


* Cyber extortion, A very real threat
  7th, June, 2006

Criminal gangs are increasingly using the internet as a tool to
extort money from businesses. Thousands of distributed denial of
service attacks (DDoS) are occurring globally every day and it is
vital that senior management wakes up to the very real risk of such
an assault.


* Password Cracking and Time-Memory Trade Off
  8th, June, 2006

Every time I go on line, I usually am up to no good. My intentions
are often never hostile, but I do take part in the shady business of
password cracking. Meaning I actively use unorthodox methodology,
that I know for a fact the FBI frowns down upon, to obtain hashes.
Once obtained I usually spend a few hours cracking these hashes via
good old-fashioned bruteforcing. Now, bruteforcing is the most reliable
method of password cracking in existence today.


* The top 9 ways to secure mobile devices
  8th, June, 2006

In the past six months a disturbing trend has emerged involving the
theft of laptops containing sensitive personal information -- most
recently from the home of a U.S. Department of Veterans Affairs data


* Digital forensics hits U.S. college campuses
  9th, June, 2006

About 100 colleges and universities offer undergraduate and graduate
courses in digital forensics, with a few offering majors. There are
programs at Purdue University, Johns Hopkins University, the
University of Tulsa, Carnegie Mellon University and the University of
Central Florida. Five years ago, there were only a handful.


* British Library to secure its digital treasures
  9th, June, 2006

The British Library is adopting a new data security system that will
enable it to safely store web publishing content.

The library has selected nCipher to protect the integrity of its
National Digital Library.

This library will contain everything from digitised versions of
centuries-old manuscripts to digital journals and web archives, and
is expected to amass up to 300 terabytes of content over the next
five years.


* Browsers, Phishing, and User Interface Design
  6th, June, 2006

Occasionally a criminal is so, well, clever that you have to admire
him even as you wish that he spends the rest of his life in jail.
Take Arnold Rothstein, for instance. One of the kingpins of organized
crime in New York City during Prohibition and before, the "Great
Brain," as he was termed, was more than likely behind the infamous
Black Sox scandal, in which the 1919 World Series was fixed in favor
of the Cincinnati Reds.


* Personal Displays Keep Data Private
  7th, June, 2006

The dueling needs for privacy and data sharing played out here at the
annual SID (Society of Information Display) International Symposium.
Vendors showed new technologies that can keep neighbors on a flight
from getting a glimpse of the corporate secrets on a laptop screen
and new ways to share video on an iPod or handheld.


* When data walks
  7th, June, 2006

The recent theft of data on 26.5 million veterans sends agencies a
chilling message: Lock down your own data security and privacy
policies immediately or you might wind up with confidential data
walking out your own door. The Veterans Affairs Department probably
is not the only agency whose security and privacy policies have
gaping holes, government and industry experts agree.


* IRS missing laptop with employee data
  7th, June, 2006

The IRS said that one of its laptops containing data about 291 IRS
employees and job applicants went missing in early May when it was
lost in transit to an agency event. The information contained on the
laptop included fingerprints, names, dates of birth and Social
Security numbers for the 291 individuals.


* Ervin: DHS Fails Security Mission
  8th, June, 2006

Clark Ervin was strolling down a Manhattan street in April 2005 when
the red light on his BlackBerry indicated he had a message. The
former inspector general of the Homeland Security Department looked
at the device and saw that the Associated Press had reported the
results of the latest IG investigation on airport security. Those
results showed no improvement in screeners' abilities to detect
deadly weapons, compared with the results of similar investigations
done in 2001 and 2003. It was far easier than it should have been
even after the [Sept. 11, 2001] attacks for government investigators
to sneak these weapons through, said Ervin, who served as the
department's first IG for about two years. He recounted the story
in his keynote speech today at the 26th Annual Management of Change
Conference sponsored by the American Council for Technology and by
the Industry Advisory Council, to illustrate an important point.


* House rejects Net neutrality rules
  9th, June, 2006

The U.S. House of Representatives definitively rejected the concept
of Net neutrality on Thursday, dealing a bitter blow to Internet
companies like Amazon.com, eBay and Google that had engaged in a
last-minute lobbying campaign to support it.


* Police will not pursue ransom hackers
  4th, June, 2006

After a Manchester woman was held to ransom by hackers, experts and
senior police officers have voiced concern that such cases are
falling between the cracks. Greater Manchester Police (GMP) will not
be pursuing the criminals who used a Trojan horse program to lock a
Manchester woman's files and demanded a ransom to release them.


* A degree in hacking
  6th, June, 2006

The University of Advancing Technology (UAT) in Phoenix, Ariz., is
marketing its new Network Security program as a way to get a degree
in hacking. The school is drawing the interest of geeks who use
Windows, Linux, and Macintosh, according to UAT's IT manager Raymond
Todd Blackwood, and even a few who want to go to the dark side of
network security.  Hackerdegree.com's Web page looks like a
non-Windows desktop with a few terminals open, inviting the curious
to learn more about fighting "cybercrime," "cybertheft," and even


* Forget your password? Be google!
  8th, June, 2006

For more and more websites you need to register or pay to have full
access. The odd thing is that Google has the complete and full index
of the website. So what's going on here? Why must regular users pay
or register to have access when the Google search engine bot has full
access? The reason is simple; every site wants to use the benefits
of the wonderful world of Google, for webmasters free advertising is
always welcome. But there is a simple way to be the Google
(search)Bot. In this little article I will try to explain it.


* Man charged with selling hacked VOIP services
  8th, June, 2006

A Miami man was charged Wednesday with stealing more than 10 million
minutes of VOIP (Voice over Internet Protocol) telephone service and
then selling them to unsuspecting customers for as little as US$0.004
per minute.


* PC hidden in 'BlueBag' exposes Bluetooth flaws
  8th, June, 2006

If you happened to fly through Milan's Malpensa Airport last March,
your mobile phone may have been scanned by the BlueBag. Billed as a
research lab on wheels, BlueBag was created by Milan's Secure Network
SRL to study how malicious software might be able to spread among
devices that use the Bluetooth wireless standard.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.
