AOH :: ISN-1860.HTM

Linux Security Week - December 26th 2005

Linux Security Week - December 26th 2005
Linux Security Week - December 26th 2005

|                         Weekly Newsletter        |
|  December 26th, 2005                        Volume 6, Number 52n    |
|                                                                     |
| Editorial Team: Dave Wreski | 
| Benjamin D. Thomas | 

Thank you for reading the weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Adaptive
Firewalls with Iptables," "Protecting against undefined exploits and
security threats," and "Four Security Resolutions For The New Year."


Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you
can earn this esteemed degree, without disrupting your career or home



Happy Holidays!  This week, advisories were released for dropbear, nbd,
phpbb2, OpenLDAP, Xpdf, cURL, CenterICQ, digikam, apache2, sudo, kernel,
netpbm, udev, gpdf, kdegraphics, cups, and perl.  The distributors
include Debian, Gentoo, Mandriva, and Red Hat. 


* EnGarde Secure Community 3.0.2 Released
  6th, December, 2005

Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.2 (Version 3.0, Release 2). This release includes
several bug fixes and feature enhancements to the Guardian Digital
WebTool, the SELinux policy, and the LiveCD environment. 


Hacks From Pax: SELinux Administration

This week, I'll talk about how an SELinux system differs from a
standard Linux system in terms of administration. Most of what
you already know about Linux system administration will still
apply to an SELinux system, but there are some additions and
changes that are critical to understand when using SELinux. 


Hacks From Pax: SELinux And Access Decisions

Hi, and welcome to my second of a series of articles on Security
Enhanced Linux. My previous article detailed the background of
SELinux and explained what makes SELinux such a revolutionary
advance in systems security. This week, we'll be discussing how
SELinux security contexts work and how policy decisions are made
by SELinux.

SELinux systems can differ based on their security policy, so
for the purposes of this article's examples I'll be using an
EnGarde Secure Linux 3.0 system, which by default uses a tightly
configured policy that confines every included application. 


-->  Take advantage of the Quick Reference Card!

| Security News:      | <<-----[ Articles This Week ]----------

* Hold the Photons!
  20th, December, 2005

How would you feel if you invested millions of dollars in quantum
cryptography, and then learned that you could do the same thing with
a few 25-cent Radio Shack components?

I'm exaggerating a little here, but if a new idea out of Texas A&M
University turns out to be secure, we've come close. 

* OpenSSH cutting edge
  20th, December, 2005

Federico Biancuzzi interviews OpenSSH developer Damien Miller to
discuss features included in the upcoming version 4.3, public key
crypto protocols details, timing based attacks and anti-worm

* Encryption: A nice idea that few want to implement?
  23rd, December, 2005

Companies are not embracing encryption as a way to protect sensitive
data. According to Ponemon Institute's 2005 National Encryption
Survey, only 4.2% of companies responding to our survey say their
organizations have an enterprisewide encryption plan.

However, the study also reveals that encryption is viewed by many as
an important security tool that enhances the IT professionals'
overall sense of trust or comfort in data-protection efforts. The
primary reasons cited for not encrypting sensitive or confidential
information were concern about system performance (69%), complexity
(44%) and cost (25%). (See "Securing Card Data Isn't An Easy Sell.") 

* Pre-Review: Penetration Tester's Open Source Toolkit
  23rd, December, 2005

Today I received a copy of the new Syngress book Penetration Tester's
Open Source Toolkit by Johnny Long, Chris Hurley, SensePost, Mark
Wolfgang, Mike Petruzzi, et al. This book appears unnecessarily
massive; it's probably 1/2 thicker than my first book, but at 704
pages it's nearly 100 pages shorter than Tao. I think Syngress used
thicker, "softer" paper, if that makes sense to anyone. 

* Adaptive Firewalls with iptables
  26th, December, 2005

Up until now, we've looked at stateless and stateful firewalls.
Remember, stateless firewalls only have the features of a given packet
to use as criteria for whether that packet should be passed, blocked,
or logged. With a stateful firewall, in addition to the fields in that
packet, we also have access to the kernel's table of open
connections to use in deciding the fate of this packet. 

* New biometrics software looks for sweat
  23rd, December, 2005

Researchers at Clarkson University have found that fingerprint
readers can be spoofed by fingerprint images lifted with Play-doh or
gelatin or a model of a finger molded out of dental plaster. The
group even assembled a collection of fingers cut from the hands of

In a systematic test of more than 60 of the carefully crafted
samples, the researchers found that 90 percent of the fakes could be
passed off as the real thing. 

* Ping: ICMP vs. ARP
  22nd, December, 2005

Today almost every organization employs firewalls for enhanced
security. Firewalls can be set up in such a way that Internet Control
Message Protocol (ICMP) requests are blocked, which means that
traditional pings do not work. Setting a firewall to block ICMP
requests is based on the theory that if a would-be hacker cannot
"see" the target, he may not attack the host. 

* Protecting against undefined exploits and security threats
  21st, December, 2005

There is a wealth of tools available to help protect the enterprise
from security threats. Firewalls, virtual private networks, strong
user authentication, encryption, intrusion detection/prevention
systems (IDS/IPS), email filters, antivirus, vulnerability scanners
are all options. Each of these point solutions is capable of
addressing a specific element of the security mosaic. In order to
address their limitations many enterprises attempt to aggregate these
solutions in a futile attempt to achieve effective IT security. 

* Security-Enhanced Linux Moving into Mainstream
  19th, December, 2005

Security Enhanced Linux has move into the mainstream of operating
system architecture in recent years. For those who don't understand
the technology, many articles exist.

SELinux provides mandatory access control to a wider audience. It
helps eliminate O-day attacks. 

* Security the focus as Debian upgrades
  21st, December, 2005

The Debian Project has released an update to its popular GNU/Linux
distribution, with security-related bugfixes a key feature.

"This is the first update of Debian GNU/Linux 3.1 (codename 'Sarge')
which mainly adds security updates to the stable release, along with
some corrections to serious problems," said Debian security team
member Martin Schulze in an e-mail announcing the update. 

* Nessus 3.0: The End of the Age of Open-Source Innocence?
  22nd, December, 2005

"Here's the danger we are running into," said Alan Shimel, Chief
Strategy Officer for StillSecure. "People contribute resources to
these communities, whether it be time, money, or code. When they see
everything they give converted for the commercial success of an
individual rather than as a community as a whole, how long do you
think they are going to want to keep giving?" 

* VMWare: Virtual Machine Security Flaw 'Very Serious'
  23rd, December, 2005

Virtual infrastructure software maker VMWare Inc. has rushed out
fixes for a "very serious" security flaw that put users of its
product line at risk of code execution attacks.  The vulnerability,
which affects both Windows and Linux systems, affects VMware
Workstation 5.5, VMware GSX Server 3.2, VMware ACE 1.0.1 and the free
VMware Player 1.0. All previous versions of these products are also

* Viewing 2005: The year in security
  19th, December, 2005

The security events of 2005 led some to believe things were getting
better when, in truth, it was more the case that what you can't see
really can hurt you. The surface may have appeared still and
unthreatening but underneath the currents were anything but friendly,
as Will Sturgeon explains.

Phishing, spam, spyware, Trojans, viruses and worms - you'd be
forgiven for thinking 2005 was very much 'same old, same old' but
there were trends which came to light during the past 12 months that
will have the security experts scrutinising their radars long into
the New Year. 

* The Enemy Within
  19th, December, 2005

Workers across Europe are continuing to place their own companies at
risk from information security attacks. This 'threat from within' is
undermining the investments organisations make to defend against
security threats, according to a study by security firm McAfee. 

* Social Engineering And Other Threats To Internal Security
  21st, December, 2005

Consider the following scenario. A good looking woman is wandering
around your premises and approaches you asking to show her how to use
some functions in Excel or any other application. Do you start
quizzing her on who she is, from what department does she come from
or do you invite her to your PC and show her what she needs to know?
Let=E2..s say you choose the latter and then she asks you for a drink,
would you leave her unattended at your PC or do you get her to
accompany you? 

* Firms count the cost of security threats
  20th, December, 2005

Security threats soared during 2005, along with the risk of financial
losses, but a new report shows that companies still aren't heeding
the warnings.

According to the State of Information Security 2005 report from
PricewaterhouseCoopers and CIO Magazine, not only are
security-related events up 22.4 percent on last year's figures, but
the number of organisations reporting financial losses as a result of
the attacks is also surging. Twenty-two percent of companies said
they had been hit financially, compared with last year's 7 per

* Information Security for Small Businesses
  20th, December, 2005

Due to technological advances, the rapid growth of the Internet, and
a significant decline in computer and network equipment prices in
recent years, many technologies and systems that were once only
available to large corporations are now employed by the small
business community. Thanks to the Internet and the world of
ecommerce, small businesses can dramatically increase their customer
base and reach new markets by selling their products and services

* Study: Network security market to reach $6 billion
  20th, December, 2005

Network security software and hardware is expected to be a $6 billion
market by 2008, a jump fueled primarily by the increasing need for
companies to purchase products that secure content and devices, such
as intrusion prevention systems (IPS) and network access control
(NAC) equipment. 

* Security: Forensic Tools in Court
  21st, December, 2005

An interesting question comes to mind when you use as many open
source forensic and security tools as I do =E2.. if I ever go to court
over this case, will my tools be considered valid? When you do
examine this issue closely, you find many versions of the answer,
both on the legal and techie sides. 

* Preparing for day zero
  21st, December, 2005

The zero-day spectre is looming ever larger.

Nimda struck in 2001 =E2.. a year after Microsoft issued a patch for
the security hole in Internet Explorer. In 2003, Slammer exploited a
vulnerability for which a patch had been issued six months earlier.
Then with Blaster, the window was down to three weeks. =E2..If you had
no time to patch in 2001, and no time to patch in 2003, what about
now with three weeks? And what about the Zotob worm =E2.. five days?=E2.=9D 

* Security Risks You and Your Family Impose on your Companies=E2..
Computing and Networking Assets
  22nd, December, 2005

Computer and Network Security is quickly becoming Information
Technology=E2..s hot occupation. After the colossal disasters of the
September, 2001 terrorist attacks and the more recent natural
disasters companies have looked long and hard at how to better
protect their computing and networking assets from the numerous
hackers, natural disasters and foreign terrorists. This includes
spending more resources on hardware, upgrading software, and
relearning Information Technology priorities. Unfortunately, a grand
majority of the greatest minds in Information Technology Security are
overlooking the one element that can stroll right up to a companies
computing asset and destroy it in one or two clicks. It=E2..s you the
employee, your family or family friend. 

* Rising to a Higher Standard Isn't Easy
  22nd, December, 2005

Some employees are held to a higher standard of behavior than most.
Anyone in a position with broad powers or influence falls into this
group, including accountants, managers, systems administrators -- and
information security professionals.

Like systems administrators, information security professionals
generally have access to a great deal of data and information. Even
if they don't have direct access, they generally know how to obtain
it by exploiting a weakness (like hackers, but with the opposite
intent) or by simply giving themselves elevated privileges. 

* Top 7 PHP Security Blunders
  23rd, December, 2005

PHP is a terrific language for the rapid development of dynamic
Websites. It also has many features that are friendly to beginning
programmers, such as the fact that it doesn't require variable
declarations. However, many of these features can lead a programmer
inadvertently to allow security holes to creep into a Web
application. The popular security mailing lists teem with notes of
flaws identified in PHP applications, but PHP can be as secure as any
other language once you understand the basic types of flaws PHP
applications tend to exhibit. 

* Four Security Resolutions For The New Year
  26th, December, 2005

I always know what my first New Year=E2..s resolution is going to be,
because it's the same every year: lose weight. Chances are, you
have the same one. But by the time the Super Bowl happens, and you
eat seven thousand calories on that one day, you'll have already
have given up on that resolution. 

* IT security professionals moving up the corporate pecking order
  26th, December, 2005

Ultimate responsibility for information security is moving up
corporate management hierarchies, as board-level directors and CEOs -
or CISO/CSOs =E2.. are increasingly held accountable for safeguarding
IT infrastructures, new research has revealed. The second annual
Global Information Security Workforce Study, conducted by global
analyst firm IDC and sponsored by not-for-profit IT security
educational organisation, the International Information Systems
Security Certification Consortium (ISC)2, expects this accountability
shift to continue as information security becomes more relevant in
risk management and IT governance strategies. 

* Feds Say Computer Surveillance Hindered Without Patriot Act
  22nd, December, 2005

In part of a major Bush Administration lobbying blitz Wednesday, the
Department of Justice has released a list of technology-related
ramifications if the remaining provisions of the Patriot Act aren't
passed by Dec. 31.

Lobbying hard for the passage of the remaining portions of the
broad-sweeping legislation, the department released a statement
Wednesday stating that the federal government would revert back to a
"pre-9/11 mode of information sharing=E2.=A6where terrorists and spies
can use technology against us." 

* Dutch Botnet Bigger Than Expected
  22nd, December, 2005

 Dutch prosecutors who=09last month arrested a trio of young men for
creating a large botnet allegedly used to extort a U.S. company,
steal identities, and distribute spyware now say they bagged bigger
prey: a botnet of 1.5 million machines. 

Distributed by: Guardian Digital, Inc.      

To unsubscribe email 
         with "unsubscribe" in the subject of the message.

Earn your Master's degree in Information Security ONLINE 
Study IA management practices and the latest infosec issues.
Norwich University is an NSA Center of Excellence.

Site design & layout copyright © 1986-2014 CodeGods