[ISN] Linux Security Week - March 20th 2006

InfoSec News isn at c4i.org
Tue Mar 21 04:12:53 EST 2006

|  LinuxSecurity.com                         Weekly Newsletter        |
|  March 20th, 2006                           Volume 7, Number 12n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com    |
|                   Benjamin D. Thomas      ben at linuxsecurity.com     |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "An
introduction to Elliptic Curve Cryptography," "The 7 myths about
protecting your web applications," and "Wi-Fi Security's Personal


EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared
toward providing a open source platform that is highly secure by default
as well as easy to administer. EnGarde Secure Linux includes a select
group of open source packages configured to provide maximum security
for tasks such as serving dynamic websites, high availability mail
transport, network intrusion detection, and more. The Community
edition of EnGarde Secure Linux is completely free and open source,
and online security and application updates are also freely
available with GDSN registration.



EnGarde Secure Community 3.0.5 Released

Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.5 (Version 3.0, Release 5). This release includes
several bug fixes and feature enhancements to the Guardian Digital
WebTool and the SELinux policy, and several new packages available
for installation.



pgp Key Signing Observations: Overlooked Social and
Technical Considerations

By: Atom Smasher

While there are several sources of technical information on using
pgp in general, and key signing in particular, this article
emphasizes social aspects of key signing that are too often ignored,
misleading or incorrect in the technical literature. There are also
technical issues pointed out where I believe other documentation
to be lacking. It is important to acknowledge and address social
aspects in a system such as pgp, because the weakest link in the
system is the human that is using it. The algorithms, protocols
and applications used as part of a pgp system are relatively
difficult to compromise or 'break', but the human user can often
be easily fooled. Since the human is the weak link in this chain,
attention must be paid to actions and decisions of that human;
users must be aware of the pitfalls and know how to avoid them.



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

| Security News:      | <<-----[ Articles This Week ]----------

* Cryptography in the Database: The Last Line of Defense
  14th, March, 2006

Excerpt: This chapter discusses how cryptography can address the
concerns raised in the previous chapter. After explaining what
cryptography is and providing a general idea of how it works, we dig
into the various types of cryptographic algorithms and see where the
strengths and weaknesses of each lie.


* Philip Zimmermann releases Zfone for Linux
  15th, March, 2006

Phil Zimmermann thinks Zfone is better than the other approaches to
secure VoIP, because it achieves security without reliance on a PKI,
key certification, trust models, certificate authorities, or key
management complexity that bedevils the email encryption world.


* An introduction to Elliptic Curve Cryptography
  17th, March, 2006

Elliptic Curve Cryptography (ECC) has been gaining momentum as a
replacement for RSA public key cryptography largely based on its
efficiency, but also because the US National Security Agency (NSA)
included it, while excluding RSA, from its Suite B cryptography
recommendations. Suite B is a set of algorithms that the NSA
recommends for use in protecting both classified and unclassified US
government information and systems.

Public key cryptography is the basis for tools like ssh as well as
Secure Sockets Layer (SSL) for encrypting web traffic. For readers
who would like more information, a nice introduction to public key
cryptography and the RSA algorithm can be found on Wikipedia.


* Linux Dictionary
  19th, March, 2006

(SWP) Sun Wah-PearL Linux Training and Development Centre has an
ambitious aim to promote the use of Linux and related Open Source
Software (OSS)	and Standards. The vendor independent positioning of
SWP has been very well perceived by the market. Throughout the last
couple of years, SWP becomes the top leading OSS training and service
provider in Hong Kong. And in fact we are leading the market
direction in some ways.


* Febuary's Security Streams
  11th, March, 2006

It's about time I summarize all my February's Security Streams, you
can of course go through my January's Security Streams as well, in
case you're interested in what was inspiring me to blog during


* SC Magazine CSO of the Year: Thomas Dunbar, Global Chief Security
Officer, XL Capital
  15th, March, 2006

As the global chief security officer at a leading multinational
insurance company, Thomas Dunbar has a lot of data to protect, a
range of regulations with which to comply and a huge number of
employees whose access to corporate IT assets he must manage. The
efforts he undertakes on a daily basis to achieve these and other
mandates are the primary reasons why the SC Magazine Awards U.S. for
2006 saw him walk away with the title of CSO of the Year.


*  10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery)
  16th, March, 2006

The newest contender on the block of course is BackTrack, which we
have spoken about previously. An innovative merge between WHax and
Auditor (WHax formely WHoppix).

BackTrack is the result of the merging of two Innovative Penetration
Testing live Linux distributions Whax and Auditor, combining the best
features from both distributions, and paying special attention to
small details, this is probably the best version of either
distributions to ever come out.


* US Government Studies Open Source Quality
  17th, March, 2006

"US Government Studies Open Source Quality" reads the SlashDot
thread, and it certainly sounds interesting. Reading deeper, it links
to an article by the Reg titled "Homeland Security report tracks down
rogue open source code". The author of the article, Gavin Clarke,
doesnt link to the company who performed the study (Coverity) or the
report itself. A quick Google search finds the Coverity home page.


* FrSIRT Puts Exploits up for Sale
  17th, March, 2006

Independent security research outfit FrSIRT.com is putting its
database of security exploits behind the paid curtain. FrSIRT,
previously known as K-Otik, has shut down the public exploits section
of its Web site and announced that all exploits and proof-of-concept
code will be sold through its subscription-based VNS (Vulnerability
Notification Service).


* Social Engineering Reloaded
  15th, March, 2006

The purpose of this article is to go beyond the basics and explore
how social engineering, employed as technology, has evolved over the
past few years. A case study of a typical Fortune 1000 company will
be discussed, putting emphasis on the importance of education about
social engineering for every corporate security program.


*  Anti Phishing Toolbars - Can You Trust Them?
  12th, March, 2006

A lot of recent phishing events occured, and what should be mentioned
is their constant ambitions towards increasing the number of trust
points between end users and the mirror version of the original site.
The use of SSL and the ease of obtaining a valid certificate for
to-be fraudelent domain is a faily simple practice. Phishing is so
much more than this, and it even has to do with buying 0day
vulnerabilities to keep itself competitive. How should phishing be
fought? Educating the end user not to trust that he/she's on
Amazon.com, when he just typed it, or enforcing a technological
solution to the problem of digital social engineering and trust


* VM Rootkits: The Next Big Threat
  13th, March, 2006

Lab rats at Microsoft Research and the University of Michigan have
teamed up to create prototypes for virtual machine-based rootkits
that significantly push the envelope for hiding malware and that can
maintain control of a target operating system.	The proof-of-concept
rootkit, called SubVirt, exploits known security flaws and drops a
VMM (virtual machine monitor) underneath a Windows or Linux


*  Useful Firefox Security Extensions
  18th, March, 2006

Mozilla's Firefox browser claims to provide a safer browsing
experience out of the box, but some of the best security features of
Firefox are only available as extensions. Here's a roundup of some
of the more useful ones I've found.


* Kids Learn About Cyber Security
  13th, March, 2006

A group of students at Rome Catholic School are learning how to
become the future defenders of cyberspace through a pilot program
that officials say is the first of its kind in the country. The
program teaches students about data protection, computer network
protocols and vulnerabilities, security, firewalls and forensics,
data hiding, and infrastructure and wireless security. Most
importantly, officials said, teachers discuss ethical and legal
considerations in cyber security.


* Skype Branded Danger To Enterprise IT Security
  16th, March, 2006

Although cost savings and improved communications are luring
enterprises to Skype, the popular voice over IP service may violate
security policies, industry experts have warned. Burton Group
recommended enterprises assess the risks vs. rewards of Skype as the
simplest solution for evaluating its use.


* The Enemy Within The Firewall
  16th, March, 2006

Employees are now regarded as a greater danger to workplace cyber
security than the gangs of hackers and virus writers launching
targeted attacks from outside the firewall. That is the perception of
75 per cent of Australian information technology managers who took
part in an  international IBM security survey.


* How to Create RFID Access for Your Front Door
  17th, March, 2006

There are many uses for RFID such as supply chain management, but
access control is one of the most relevant applications for personal
use. Many people use RFID access cards to get into buildings, use
elevators, or even open the doors to those special penthouse type
hotel suites. Setting up your own front door (or any door for that
matter) with an RFID enabled access mechanism is pretty easy.


* Digital Forensics and Hacking Investigations
  13th, March, 2006

We discuss network forensics and misuse investigations; different
types of devices that may hold suspect data or evidence; introduction
to the 7-layer OSI model; network forensics and the role of sniffers
and protocol analysis software; the function of network interface
cards and layer-2 content inspection; overview of how a NIC works;
overview of how a sniffer works; introduction to promiscuous mode;
the 4 ways to capture traffic for network forensics; introduction to
spanning and mirroring switch ports; introduction to buffered and
unbuffered network taps; layer-2 transparent bridging concepts.


* Security Podcasts Roundup
  13th, March, 2006

We at PaulDotCom security weekly listen to many podcasts in an
attempt to assimilate as much information as possible. Each podcast
we listen to has its own strengths, and there are few on this list
that I would dismiss altogether, but I'll let you be the judge. There
have been a few other blog postings related to security podcasts.


* Photoshop Concepts For Law Enforcement
  13th, March, 2006

With its comprehensive suite of powerful digital imaging products,
Adobe software provides the solutions law enforcement agencies need
to conduct enhanced forensic investigations.  With its unmatched set
of image management tools, Adobe Photoshop software is widely used by
law enforcement agencies to make digital phtots of suspects and crime
scenes clearer for positive identification.


* Married Couple Indicted for Corporate Espionage
  14th, March, 2006

An Israeli couple has been charged with corporate espionage after the
two were discovered engineering and distributing a Trojan horse
application found to be responsible for several cases of data theft.

The Tel Aviv District Attorney filed the 65-page indictment Sunday
and announced that prosecutors had entered into a plea bargain
agreement with the two defendants. The couple, formerly residents of
London, were extradited to Israel.

Prosecutors consider Ruth Haephrati, 29, the ringleader and principal
party responsible for the couple's criminal enterprise. According to
the indictment, Haephrati was the one who sought out new clients to
increase business.


* 'Security pro' - an oxymoron?
  14th, March, 2006

The term 'infosec professional' is almost a contradiction in terms,
according to analyst group Gartner, which warns the field of IT
security is still finding its feet.

The analyst house said there is little agreement on what constitutes

This means hiring decisions are complicated by a lack of consensus on
the skills needed and, as a result, many security problems will
remain unsolved until specialists pool their knowledge and
experience, Gartner said in a briefing note.


* The 7 myths about protecting your web applications
  15th, March, 2006

Web applications are currently proving to be one of the most powerful
communication and business tool. But they also come with weaknesses
and potential risks that network security devices are simply not
designed to protect.


* Basketball Social Engineering
  15th, March, 2006

On March 4, University of California Berkeley (Cal) played a
basketball game against the University of Southern California (USC).
With Cal in contention for the PAC-10 title and the NCAA tournament
at stake, the game was a must-win. Enter "Victoria."

Victoria was a hoax UCLA co-ed, created by Cal's Rally Committee. For
the previous week, "she" had been chatting with Gabe Pruitt, USC's
starting guard, over AOL Instant Messenger. It got serious. Pruitt
and several of his teammates made plans to go to Westwood after the
game so that they could party with Victoria and her friends.


* Study Says RFID Tags Are Vulnerable To Viruses
  15th, March, 2006

A group of European computer researchers have demonstrated that it is
possible to insert a software virus into radio frequency
identification tags, part of a microchip-based tracking technology in
growing use in commercial and security applications.  In a paper to
be presented Wednesday at an academic computing conference in Pisa,
Italy, the researchers plan to demonstrate how it is possible to
infect a tiny portion of memory in the chip, which can hold as little
as 128 characters of information.


* LAMP lights the way in open-source security
  16th, March, 2006

The most popular open-source software is also the most free of bugs,
according to the first results of a U.S. government-sponsored effort
to help make such software as secure as possible.

The so-called LAMP stack of open-source software has a lower bug
density--the number of bugs per thousand lines of code--than a
baseline of 32 open-source projects analyzed, Coverity, a maker of
code analysis tools, announced Monday.


* Top 50 malicious code samples reveals secrets
  16th, March, 2006

While past attacks were designed to destroy data, today's attacks are
increasingly designed to silently steal data for profit without doing
noticeable damage that would alert a user to its presence, the
company said.

In its previous report, Symantec cautioned that malicious code for
profit was on the rise, and this trend continued during the second
half of 2005.


* BS7799 Ver 3 Security Standard Published
  17th, March, 2006

The new security standard from BSI, BS7799 3, has been published
today. This is titled "Guidelines for Information Security Risk
Management", and supports the more general security management
standard, ISO27001, which was published last year.


* Report: 80 percent of emails out to manipulate
  14th, March, 2006

Four out of five inbound emails are designed to deceive the
recipient, according to a new report studying the scope of abusive
online messages.

The Messaging Anti-Abuse Working Group's (MAAWG) Email Metric Report,
which analyzed data from more than 127 million mailboxes during last
year's fourth quarter, found that more than 142 billion emails either
were tagged or blocked before they reached the end user.

Another 61.3 billion emails were the victims of dropped connections,
the study showed. Nearly 37 billion emails were unaltered before
reaching their destination.


* Human Rights and Wrongs Online
  14th, March, 2006

A government's position on censorship used to protect its citizenry
is dictated by who they are. The well-popularized censorship of
Internet content in China by Google and other big players, and
criticism of this by the U.S. government, is really just the tip of
the iceburg. On Febrary 15, the United States Congress held hearings
on the role of U.S. Internet companies like Google, Microsoft, Yahoo
and Cisco in suppressing free expression and therefore encouraging
repressive tactics by countries like China. The hearings explored the
role and the responsibility of these companies for deliberately
filtering communications, assisting in the interception of citizen's
communications, and using technology to restrict access by citizens
to information.


* Search firms surveyed on privacy
  15th, March, 2006

We asked the same seven questions of each company. Their answers are
reproduced below, with the responses sorted by the companies' names
in alphabetical order. What information do you record about searches?
Do you store IP addresses linked to search terms and types of
searches (image vs. Web)?  Weinstein: Any time a search is done on
the AOL service or AOL.com, the left rail on the results page offers
a list of the most recent searches conducted by that user.


* Federal Budget For 2007 To Boost Cybersecurity
  11th, March, 2006

Although President Bush's proposed budget for fiscal 2007 (starting
Oct. 1, 2006) increases spending for key cybersecurity programs, it
is not clear how that money would be spent, raising concerns in the
information security industry. One of the biggest security-related
boosts would be a $35 million infusion to the "critical
infrastructure outreach and partnerships" initiative within the
Department of Homeland Security. The goal of that effort is to
increase cooperation and information sharing among DHS, state and
local governments and infrastructure providers. Thirty million
dollars of that allocation would go toward implementing partnership
plans for private industry verticals like information technology,
finance and electrical utilities.


* How To Legislate Against Hackers
  16th, March, 2006

Everyone is in favour of sending hackers to prison for longer, but
technology commentator Bill Thompson wonders if our MPs are competent
to make good cyber-laws. If all goes to plan and the fuss over ID
cards and school governance does not derail the parliamentary
timetable, then we will soon have a new Police and Justice Act.


* NIST sets FISMA Standards For Federal IT Systems
  17th, March, 2006

The National Institute of Standards and Technology has released the
final standard for securing agency computer systems under the Federal
Information Security Management Act. Federal Information Processing
Standard 200 [1] sets minimum security requirements for federal
systems in 17 security areas. It is the third of three publications
required from NIST under FISMA, which requires
executive branch agencies to establish consistent, manageable IT
security programs for non-national security systems. The intent of
FISMA is to implement risk-based processes for selecting and
implementing security controls.


* Linux Zero IP ID Vulnerability?
  15th, March, 2006

I've recently stumbled upon an interesting behaviour of some Linux
kernels that may be exploited by a remote attacker to abuse the ID
field of IP packets, effectively bypassing the zero IP ID in DF
packets countermeasure implemented since 2.4.8 (IIRC).


* Trojan Cryzip Extorts Decryption Fee
  18th, March, 2006

A Trojan making the rounds encrypts victims' files and demands a $300
payment to have them decrypted and unlocked, according to a report by
security firm Lurhq Threat Intelligence Group.	This so-called
"ransomware" Trojan, dubbed Cryzip, is the second of its type to
emerge in the past 10 months, following the PGPcoder Trojan. It also
is the third such Trojan to appear since 1989.


* Wi-Fi Security's Personal Problems
  13th, March, 2006

With security such an important concern for wireless networks, most
new Wi-Fi gear has long supported Wi-Fi Protected Access 2 (WPA2),
the latest standard for encrypting data sent over the air. As of this
month, all Wi-Fi gear will, as the Wi-Fi Alliance is making WPA2
compatibility a mandatory part of its interoperability tests. But
there are two kinds of WPA2, and most Wi-Fi phones and many other
gadgets support only the lesser version, which was originally
designed for home networks.


* ISO Rejects China's WAPI Wireless Security Protocol
  16th, March, 2006

The International Standards Organization (ISO) last week rejected a
security protocol that was backed by some Chinese representatives as
an amendment to the group's wireless LAN standard. The ISO turned
down the Chinese technology, called the WLAN Authentication and
Privacy Infrastructure (WAPI), in voting to adopt the IEEE 802.11i
security specification that was developed by the
Institute of Electrical and Electronics Engineers Inc., according to
a member of the IEEE 802.11 Working Group who asked not to be named
because of working group rules.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.

More information about the ISN mailing list