[ISN] Linux Security Week - March 27th 2006

InfoSec News isn at c4i.org
Tue Mar 28 01:18:22 EST 2006

|  LinuxSecurity.com                         Weekly Newsletter        |
|  March 27th, 2006                           Volume 7, Number 13n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com    |
|                   Benjamin D. Thomas      ben at linuxsecurity.com     |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week perhaps the most interesting articles include "Encrypt
filesystems with EncFS and Loop-AES," "Revealing the myths about
network security," and "Enterprise Security Threats Increasingly
Come from Within."


EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared
toward providing a open source platform that is highly secure by default
as well as easy to administer. EnGarde Secure Linux includes a select
group of open source packages configured to provide maximum security
for tasks such as serving dynamic websites, high availability mail
transport, network intrusion detection, and more. The Community
edition of EnGarde Secure Linux is completely free and open source,
and online security and application updates are also freely
available with GDSN registration.



EnGarde Secure Community 3.0.5 Released

Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.5 (Version 3.0, Release 5). This release includes
several bug fixes and feature enhancements to the Guardian Digital
WebTool and the SELinux policy, and several new packages available
for installation.



pgp Key Signing Observations: Overlooked Social and
Technical Considerations

By: Atom Smasher

While there are several sources of technical information on using
pgp in general, and key signing in particular, this article
emphasizes social aspects of key signing that are too often ignored,
misleading or incorrect in the technical literature. There are also
technical issues pointed out where I believe other documentation
to be lacking. It is important to acknowledge and address social
aspects in a system such as pgp, because the weakest link in the
system is the human that is using it. The algorithms, protocols
and applications used as part of a pgp system are relatively
difficult to compromise or 'break', but the human user can often
be easily fooled. Since the human is the weak link in this chain,
attention must be paid to actions and decisions of that human;
users must be aware of the pitfalls and know how to avoid them.



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

| Security News:      | <<-----[ Articles This Week ]----------

* Multiple Live CDs In One DVD
  24th, March, 2006

Live CDs do a great job of advertising Linux distributions. In
addition to general-purpose live CD distributions, there are lots of
task-oriented live CDs. Wouldn't it be great if you could carry
multiple live CDs on one DVD disc? Nautopia.net has put up a script
that you can use to make a custom DVD to boot multiple live CDs.


* Tunnels in Hash Functions - MD5 Collisions Within a Minute
  20th, March, 2006

In this paper we introduce a new idea of tunneling of hash functions.
 In some sense tunnels replace multi-message modification methods and
exponentially accelerate collision search.  We describe in one minute
on a standard notebook PC (Intel Pentium 1.6 GHz).  The method works
for any intializing value.  Tunneling is a general idea, which can be
used for finding collisions of other hash functions, such as SHA-1,


* Encrypt filesystems with EncFS and Loop-AES
  21st, March, 2006

Encrypted filesystems may be overkill for family photos or your
resume, but they make sense for network-accessible servers that
hold sensitive business documents, databases that contain credit-card
information, offline backups, and laptops. EncFS and Loop-AES, which
are both released under the GNU General Public License (GPL), are two
approaches to encrypting Linux filesystems. I'll compare the two and
then look at other alternatives.


* Linux Dictionary
  19th, March, 2006

(SWP) Sun Wah-PearL Linux Training and Development Centre has an
ambitious aim to promote the use of Linux and related Open Source
Software (OSS)	and Standards. The vendor independent positioning of
SWP has been very well perceived by the market. Throughout the last
couple of years, SWP becomes the top leading OSS training and service
provider in Hong Kong. And in fact we are leading the market
direction in some ways.


* Useful Firefox Security Extensions
  21st, March, 2006

Mozilla's Firefox browser claims to provide a safer browsing
experience out of the box, but some of the best security features of
Firefox are only available as extensions. Here's a roundup of some
of the more useful ones I've found.


* Digital Forensics Wiki
  22nd, March, 2006

This is the Forensics Wiki, devoted to information about digital
forensics. We are just getting started, but still encourage you to
browse the site and contribute whatever information you have


* Security Protocols: Google's FrSIRT Cache
  23rd, March, 2006

As we previously reported, FrSIRT has decided that they want to start
selling other security researchers exploits. Thanks to Layne, here is
a list of 626 exploits from Google cache which were published on the
FrSIRT website. FrSIRT also always seemed to fail to give the proper
credit to the researchers who would submit code, and or advisories.


* International Body Adopts Network Security Standard
  25th, March, 2006

The International Organization for Standardization (ISO) approved
last month a comprehensive model that identifies critical
requirements to ensure end-to-end network security.  Specifically,
the global standards group formally adopted ISO/IEC 18028-2, which
defines a standard security architecture and provides a systematic
approach to support the planning, design and implementation of
information technology networks.


* The Effective Response To Computer Crime
  23rd, March, 2006

The attraction of computer-based crime is obvious. Twenty years ago
corporate spies would find it difficult to steal the entire contents
of a filing cabinet, but today they can take far more by slipping a
disc into their pocket or e-mailing data to an online electronic swag


*  Useful Firefox Security Extensions
  18th, March, 2006

Mozilla's Firefox browser claims to provide a safer browsing
experience out of the box, but some of the best security features of
Firefox are only available as extensions. Here.s a roundup of some
of the more useful ones I've found.


*  Old Physical Security Threats Still Working
  20th, March, 2006

In "The Complete Windows Trojans Paper" that I released back in 2003
(you can also update yourself with some recent malware trends!) I
briefly mentioned on the following possibility as far as physical
security and malware was concerned:


* Revealing the myths about network security
  20th, March, 2006

Many people and businesses unknowingly leave their private
information readily available to hackers because they subscribe to
some common myths about computer and network security. But knowing of
the facts will help you to keep your systems secure. Here are some
answers to these myths.


* Countering Cyber Terrorism
  20th, March, 2006

Still using that tired and worn out password to log onto your PC? Is
your mother's maiden name still the main prompt you use to log on
and check your credit card statement? Worried that the PIN number you
use to access your online banking is the same PIN you.ve given the
children to access the Sky Digibox? You should be. The fact is that
as individuals, we are not doing enough to guarantee user
authentication. And if you think that's bad, the situation in
organisations is even worse.


* Advances In Fingerprinting Could Bolster Network Security
  23rd, March, 2006

New technology for matching fingerprints for security purposes is
proving about as reliable but much more efficient than traditional
techniques, according to a new study by the National Institute of
Standards and Technology. NIST studied the use of "minutiae
templates," which are mathematical representations of full-blown
fingerprint images that are seen as being much easier for vendors of
biometric security systems to exchange with each other. The study
involved use of a new standard for minutiae data that makes data
exchange simpler than when proprietary techniques for converting
fingerprint images to minutiae data.


* Digging Security Tunnels With Spoons
  24th, March, 2006

One of the biggest complaints I hear about security is the associated
operational overhead. IT personnel are constantly adjusting multiple
technologies in an effort to provide access to the good guys while
locking out the bad guys. If you want to see a metric of this
behavior in action, look no further than your network Access Control
List (ACL) rules.


* HLBR - Hogwash Light BR
  20th, March, 2006

HLBR is a brazilian project, started in november 2005, as a fork of
the Hogwash project (started by Jason Larsen in 1996). This project
is destined to the security in computer networks.  HLBR is an IPS
(Intrusion Prevention System) that can filter packets directly in the
layer 2 of the OSI model (so the machine doesn't need even an IP


* Detecting Botnets Using a Low Interaction Honeypot
  23rd, March, 2006

This paper describes a simple honeypot using PHP and emulating
several vulnerabilities in Mambo and Awstats. We show the mechanism
used to 'compromise' the server and to download further malware. This
honeypot is 'fail-safe' in that when left unattended, the default
action is to do nothing . though if the operator is present,
exploitation attempts can be investigated. IP addresses and other
details have been obfuscated in this version.


  24th, March, 2006

Sourcefire, Inc., the world leader in intrusion prevention, today
announced that, with the consent of the US government, Sourcefire and
Check Point Software Technologies have opted to withdraw their merger
filing with the Committee on Foreign Investment in the United States
(CFIUS). Sourcefire will continue to operate as the industry's
largest private Intrusion Prevention System (IPS) vendor.


* Detecting Botnets Using a Low Interaction Honeypot
  26th, March, 2006

This paper describes a simple honeypot using PHP and emulating
several vulnerabilities in Mambo and Awstats. We show the mechanism
used to 'compromise' the server and to download further malware. This
honeypot is 'fail-safe' in that when left unattended, the default
action is to do nothing though if the operator is present,
exploitation attempts can be investigated. IP addresses and other
details have been obfuscated in this version.


* OS X Sudo vs. Root: The Real Story
  22nd, March, 2006

What are you really gaining by using sudo in the default Mac OS X
configuration? First, you gain some comfort that nobody can login as
root, either locally or remotely via SSH or FTP and tamper with your
machine. Second, you get a log entry in /var/log/system.log every
time sudo is used showing you who used it and what command was
executed. These appear good enough reasons to endure the slight
inconvenience of using sudo.


* Many Data Centers Still Have No Risk Management Plan
  22nd, March, 2006

Business technology managers are facing tough challenges as data
centers grow larger and more complex. More than 75% of all companies
have experienced a business disruption in the past five years,
including 20% who say the disruption had a serious impact on the
business, according to a recent survey of data center managers.
Despite the critical nature of data center operations to business,
nearly 17% reported they have no risk management plan, and less than
5% have plans that address viruses and security breaches.


* Is Your DR Plan Vulnerable to an Attack?
  24th, March, 2006

Sorry, I have to do this. I have to rant. Here's what I have to get
off my chest. News item: "DHS Scores F on Cybersecurity Report Card."
Last week, a congressional oversight committee gave the U.S.
Department of Homeland Security a failing grade on its annual
cybersecurity report card. Congress says that when it comes to
protecting the country's data infrastructure -- an entity that in
itself has become critical to the continued functioning of the U.S.
economy -- the DHS is a D-U-N-C-E. Appalling.


* Finding Security's Next 'American Idol'
  21st, March, 2006

It's like an "American Idol" for security geeks. Students at the
Georgia Institute of Technology prep, sweat and show their stuff
while a panel of critics decides their fates.  But unlike the popular
"reality" TV show, judges aren't determining who can best carry a
tune. Instead they weigh students' ideas for making information
security more user-friendly, with $50,000 -- enough cash to fund a
project for 12 months -- hanging in the balance.


* Bringing Botnets Out of the Shadows
  22nd, March, 2006

Nicholas Albright's first foray into some of the darkest alleys of
the Internet came in November 2004, shortly after his father
committed suicide. About a month following his father's death,
Albright discovered that online criminals had broken into his dad's
personal computer and programmed it to serve as part of a worldwide,
distributed network for storing pirated software and movies.


* Social engineering reloaded
  22nd, March, 2006

The purpose of this article is to go beyond the basics and explore
how social engineering, employed as technology, has evolved over the
past few years. A case study of a typical Fortune 1000 company will
be discussed, putting emphasis on the importance of education about
social engineering for every corporate security program.


* Forgotten password clues create hacker risk
  23rd, March, 2006

Security flaws in the "forgotten password" feature of ecommerce
websites leave half the UK's online retailers open to attack,
according to security consultancy SecureTest.

It warns that the log-in process of many transactional websites can
be subverted by a "brute force" or enumeration attack. In a survey of
107 popular online retail websites in the UK, SecureTest found that
54 of the sites (or 50.5 per cent) are potentially vulnerable to this
type of hack attack.


* Opinion: What a year it's been for e-crime
  23rd, March, 2006

Looking back at the past year, it seems the security threats to
businesses are only becoming more pervasive and more costly, says
Simon Moores.

In two weeks' time, leaders of the global law-enforcement, finance
and online business communities will assemble in London for the
annual e-Crime Congress. In the 12 months since they were here last,
we've seen the financial services industry under almost constant
Trojan horse attack, denial of service attacks increase by 50 per
cent and phishing and identity theft attempts approach eight million
per day, according to security company Symantec.


* Security Czar
  23rd, March, 2006

In this column Scott Granneman takes the role of dictator of the
security world and presents his ideas about mandatory reforms that
would improve security for millions of people.


* Enterprise Security Threats Increasingly Come from Within
  24th, March, 2006

While protecting corporate networks from outside intrusion remains a
huge challenge for enterprise IT professionals, some experts contend
that efforts to better police internal behavior and manage security
policies have become every bit as important.  Enterprises
searching for the answers to their security problems should
increasingly take a closer look at their internal operations before
blaming outside threats, according to experts participating in an
online IT security conference.


* IT Confidential: Choose Your Intrusion: Who's Your Friend?
  20th, March, 2006

'm as big a fan of government intrusion as the next person, but
things may have gotten a little out of hand lately.

Take last week's legal contretemps between the Justice Department and
Google. Forget for a minute that Google really faces no downside by
refusing the government's request to turn over search data. Even if
Google loses the case and has to turn over some (truncated) amount of
(very general) information about a (random) selection of searches, it
still wins in the court of public opinion as a defender of personal
privacy. As my colleague Chris Murphy put it, Google should take the
court costs out of its marketing budget.


*  The Future of Privacy = Don't Over-empower The Watchers
  20th, March, 2006

I blog a lot about privacy, anonymity and censorship, mainly because
I feel not just concerned, but obliged to build awareness on the big
picture the way I see it. Moreover, I find these interrelated and
excluding any of these would result in missing the big picture, at
least from my point of view.


* Security: A Continuing Federal Challenge
  21st, March, 2006

The latest FISMA scorecards are out, with the grades for different
agencies' efforts in the computer security arena. Amazingly, the
overall grade--for all 24 major agencies in the federal
government--has moved not a notch. Last year's D+ remains intact.
For those who may be new to FISMA Fun, it works more or less like
this: the General Accounting Office (GAO) and the Office of
Management and Budget (OMB) ask each major agency's Inspector General
(IG) to submit an independent report about computer security based on
numerous guidelines and scoring criteria.


* US turns to tech to shore up its ports
  23rd, March, 2006

Airport screeners are using new technology to find explosives instead
of hunting for tweezers, Department of Homeland Security secretary
Michael Chertoff said on Friday.


* Trojan Cryzip Extorts Decryption Fee
  18th, March, 2006

A Trojan making the rounds encrypts victims' files and demands a $300
payment to have them decrypted and unlocked, according to a report by
security firm Lurhq Threat Intelligence Group.	This so-called
"ransomware" Trojan, dubbed Cryzip, is the second of its type to
emerge in the past 10 months, following the PGPcoder Trojan. It also
is the third such Trojan to appear since 1989.


* The effective response to computer crime
  21st, March, 2006

The attraction of computer-based crime is obvious. Twenty years ago
corporate spies would find it difficult to steal the entire contents
of a filing cabinet, but today they can take far more by slipping a
disc into their pocket or e-mailing data to an online electronic swag
bag. It is much easier to steal, leak, manipulate or destroy
electronic data. But just as in the physical world, cyber-criminals
leave their electronic fingerprints all over a digital crime


*  Getting Paid For Getting Hacked
  21st, March, 2006

In the middle of February, Time Magazine ran a great article on
Cyberinsurance or "Shock Absorbers", and I feel this future trend
deserves a couple of comments, from the article: "As companies grow
more dependent on the Internet to conduct business, they have been
driving the growing demand for cyber insurance. Written premiums have
climbed from $100 million in 2003 to $200 million in 2005, according
to Aon Financial Services Group.


* Lost Ernst & Young laptop exposes IBM staff
  22nd, March, 2006

Ernst & Young has lost another laptop containing the social security
numbers and other personal information of its clients' employees.
This time, the incident puts thousands of IBM workers at risk.


* The effective response to computer crime
  24th, March, 2006

The attraction of computer-based crime is obvious. Twenty years ago
corporate spies would find it difficult to steal the entire contents
of a filing cabinet, but today they can take far more by slipping a
disc into their pocket or e-mailing data to an online electronic swag


* Are You Liable If Someone Does Something Illegal On Your WiFi?
  21st, March, 2006

For years, whenever the press has written one of their fear-mongering
stories about open WiFi, they almost always include some tidbit about
how if someone uses your network to do something illegal, you can be
arrested for it. It's one of the popular open WiFi horror stories --
but is it true? Well, of course, you can be arrested, but it's
unlikely that there would be any legal grounds for the arrest.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.

More information about the ISN mailing list