
[ISN] Linux Security Week - July 10th 2006

|  LinuxSecurity.com                         Weekly Newsletter        |
|  July 10th, 2006                            Volume 7, Number 28n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@xxxxxxxxxxxxxxxxx    |
|                   Benjamin D. Thomas      ben@xxxxxxxxxxxxxxxxx     |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Using DNS
to Securely Publish Secure Shell (SSH) Key Fingerprints," "Installing
a firewall on Ubuntu," and "Limiting Vulnerability Exposure Through
Effective Patch Management."


Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you
can earn this esteemed degree, without disrupting your career or home



EnGarde Secure Linux v3.0.7 Now Available

Guardian Digital is happy to announce the release of EnGarde
Secure Community 3.0.7 (Version 3.0, Release 7).  This
release includes several bug fixes and feature enhancements
to the Guardian Digital WebTool and the SELinux policy,
several updated packages, and several new packages
available for installation.



Review: How To Break Web Software

With a tool so widely used by so many different types of
people like the World Wide Web, it is necessary for everyone
to understand as many aspects as possible about its
functionality. From web designers to web developers to web
users, this is a must read. Security is a job for everyone
and How To Break Web Software by Mike Andrews and James A.
Whittaker is written for everyone to understand.



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

| Security News:      | <<-----[ Articles This Week ]----------

* Malicious Cryptography, part one
  3rd, July, 2006

Cryptology is everywhere these days. Most users make good use of it
even if they do not know they are using cryptographic primitives from
day to day. This two-part article series looks at how cryptography is
a double-edged sword: it is used to make us safer, but it is also
being used for malicious purposes within sophisticated viruses.


* Malicious Cryptography, part two
  4th, July, 2006

In part one of this article series, the concepts behind cryptovirology
were discussed. Two examples of malicious cryptography were used,
involving weaknesses in the SuckIt rootkit and the potential for
someone to design an effective SSH worm. The concept of armored
viruses was also introduced.


* Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
  5th, July, 2006

This document describes a method of verifying Secure Shell (SSH) host
keys using Domain Name System Security (DNSSEC).  The document
defines a new DNS resource record that contains a standard SSH key


* The real security solution
  4th, July, 2006

I had yet another computer journalist call me to ask if Vendor X's
security solution was THE security product to solve all our security
problems. I get a call or e-mail like this about once every two
weeks. Usually they've read the vendor's own PR, another newspaper
article, or even my own column touting a particular product. The
typical conversation goes something like this:


* You Can Never Be Too Secure
  6th, July, 2006

When I think about our security strategy, I have to ask myself if
we've done enough. Have we covered all the bases? If we haven't, do
we have a work-around or some other risk-mitigation plan in place?
The best security approach is applied in layers. You can apply the
layers from the inside out or the outside in, but most companies
start from the outside, putting firewalls at every entry point to the
network. At my state agency, though, we work from the inside out.
State systems are sprawling. When I came to work at this agency, the
state-level WAN guys assured me that they had adequately protected
the state network, including my agency. But when you realize how vast
the network is, stretching to every state government office and
university classroom, you wonder how secure it can be without
assistance from the various agencies. And so we have taken
responsibility for the agency's security, working from the inside


* Installing a firewall on Ubuntu
  4th, July, 2006

Ubuntu's desktop install provides a bunch of useful software for
desktop users, but it doesn't install a firewall by default. Luckily,
it's really simple to get a firewall up and running on Ubuntu.

Frankly, I'm glad that the default install doesn't set up a firewall.
Most of my computers live behind a firewall at all times anyway, and
I've always been annoyed by installers that demand I deal with
firewall questions when I've already got the situation well in hand.
If I want a firewall on a machine, I can set one up on my own. Since
Ubuntu is, in part, aimed at corporate desktops, a firewall is
unnecessary for many installations.


* Limiting Vulnerability Exposure Through Effective Patch Management
  4th, July, 2006

This paper aims to provide a complete discussion on vulnerability and
patch management. It looks first at the trends relating to
vulnerabilities, exploits, attacks and patches. These trends provide
the drivers of patch and vulnerability management.


* SSH Tricks
  5th, July, 2006

SSH (secure shell) is a program enabling secure access to remote
filesystems. Not everyone is aware of other powerful SSH
capabilities, such as passwordless login, automatic execution of
commands on a remote system or even mounting a remote folder using
SSH! In this article we'll cover these features and much more. SSH
works in a client-server mode. It means that there must be an SSH
daemon running on the server we want to connect to from our
workstation. The SSH server is usually installed by default in modern
Linux distributions. The server is started with a command like
/etc/init.d/ssh start. It uses the communication port 22 by default,
so if we have an active firewall, the port needs to be opened. After
installing and starting the SSH server, we should be able to access
it remotely.


* Defense-in-Depth against SQL Injection
  6th, July, 2006

A few years ago, mentioning the phrase SQL Injection to developers or
asking to adopt a defense-in-depth strategy would probably get you a
blank stare for a reply. These days, more people have heard of SQL
Injection attacks and are aware of the potential danger these attacks
present, but most developers' knowledge of how to prevent SQL
Injection is still inadequate.


* How to Bypass BIOS Passwords
  7th, July, 2006

BIOS passwords can add an extra layer of security for desktop and
laptop computers, and are used to either prevent a user from changing
the BIOS settings or to prevent the PC from booting without a
password. BIOS passwords can also be a liability if a user forgets
their password, or if a malicious user changes the password. Sending
the unit back to the manufacturer to have the BIOS reset can be
expensive and is usually not covered in a typical warranty.
However, there are a few known backdoors and other tricks of the
trade that can be used to bypass or reset the BIOS password on most


* Using ICMP tunneling to steal Internet
  1st, July, 2006

The scenario is you are without Internet connectivity anywhere. You
have found either an open wireless access point or perhaps you're
staying in a hotel which permits rented Internet via services like
Spectrum Interactive [1] (previously known as UKExplorer). You make
the connection, whether it's physically connecting the Ethernet
cables, or instructing your wireless adapter to lock onto the radio
signal. You are prompted with some sort of authorization page when
you open a browser. You don't have access to it, so what do you


* Introduction to ipaudit
  3rd, July, 2006

IPAudit is a handy tool that will allow you to analyze all packets
entering and leaving your network. It listens to a network device in
promiscuous mode, just as an IDS sensor would, and provides details
on hosts, ports, and protocols. It can be used to monitor bandwidth,
connection pairs, detect compromises, discover botnets, and see who's
scanning your network. When compared to similar tools, such as Cisco
Systems' NetFlow, it has many advantages (see the SecurityFocus
articles on NetFlow, part 1 and part 2). It is easier to set up than
NetFlow, and if you install it on your existing IDS sensors, there is
no extra hardware to purchase. Since it captures traffic from a span
port, it does not require that you modify the configuration of your
networking equipment, or poke holes in firewalls for NetFlow data.


* HP: Hacking techniques help security
  6th, July, 2006

HP is to launch a penetration-testing service for businesses in
October, but has denied reports that it will unleash worms on its

The company said on Tuesday it would use the same techniques as
hackers to gain access to its customers' machines. However, the
exploit code it will use will be controlled and will not propagate
itself, HP said.


* Spam once again on the rise
  6th, July, 2006

Spam is again on the rise, led by a flood of junk images that
spammers have crafted over the past few months to trick e-mail
filters, according to security vendors.
Called "image-based" spam, these junk images typically do not contain
any text, making it harder for filters that look for known URLs or
suspicious words to block them.


* Basic journey of a packet
  7th, July, 2006

The purpose of this introductory article is to take a basic look at
the journey of a packet across the Internet, from packet creation to
switches, routers, NAT, and the packet's traverse across the
Internet. This topic is recommended for those who are new to the
networking and security field and may not have a basic understanding
of the underlying process. Previous articles by this author have
looked at the importance of two key areas of computer security for
new users: programming and networking. While they are different
disciplines, both networking and programming should largely be viewed
as complementary. If it were not for the early programming of
networking protocols there would be no network. That said, does one
have to be a programmer in order to fully grasp networking concepts
and theory at a low level? In many cases, you do not. However, a
reader's natural curiosity will likely lead him toward programming at
some point, in order to further experiment with various protocols and
networking theory.


* Backup, backup and more backup
  3rd, July, 2006

I've noticed recently that more and more of my clients and friends
are having drive failures.

Now I don't know if it's the recent heat waves, global warming, or
the fact that most of the drives that are in play right now were
purchased quite some time ago and have just run their spindles out,
but at least once a week for the past two months I've heard about a
full on drive failure or seen a drive showing the signs of impending


* Tip of the Trade: Pyramid Linux
  4th, July, 2006

When you need a new network border appliance you owe it to yourself
to give serious consideration to the do-it-yourself option. You'll
save a lot of money and have complete control, which are always good
things when it comes to your network security. There are no shortage
of DIY choices in the Free/Open Source software world; today we'll
take a look at Pyramid Linux on small form-factor hardware.

Pyramid Linux is designed for embedded wireless devices, but it lends
itself quite nicely to ordinary wired networking as well. Based on
Ubuntu Breezy, it weighs in under 64 MB. It installs read-only,
making it perfect for Compact Flash devices because you don't want
unnecessary writes on CF cards.


* The Holdup On DNSSEC
  6th, July, 2006

When you type in a hostname like www.example.com, your computer's
resolver looks in its local cache and uses the information found
there, then it sends the query to a name server that it has defined.
That DNS server is then responsible for resolving the name and
sending the response to your computer. If the DNS server doesn't have
the name in the local cache, then it starts at one of the root
servers and works its way down to a so-called authoritative name
server for that host name. Pretty straightforward -- and, as a
distributed database, the DNS (I use "the DNS" to mean "the
distributed name service" in general, not a specific DNS server) is
pretty effective. But as security wonks, we care about the veracity
of the data, and as DNS is deployed today, we can't even begin to
verify DNS data.


* PC-based Sniffer makes the Rounds of Public Places
  1st, July, 2006

If you happened to fly through Milan's Malpensa Airport last March,
your mobile phone may have been scanned by the BlueBag.


* ATMs Linked to IP Networks Vulnerable to Threats, security firm says
  2nd, July, 2006

A continuing trend by banks to take automated teller machines off
proprietary networks and put them on the banks' own TCP/IP networks
is introducing new vulnerabilities in the ATM transaction


* SCADA industry debates flaw disclosure
  1st, July, 2006

The outing of a simple crash bug has caused public soul-searching in
an industry that has historically been closed-mouthed about its
"The guys who are setting up these systems are not security
professionals. And many of the systems that are running SCADA
applications were not designed to be secure--it's a hacker's
playground."
-- Jonathan Pollet, vice president and founder, PlantData Technologies,
a division of Verano


* Computers 'glued' to protect data
  4th, July, 2006

Some companies are taking drastic action - including supergluing
computer connections - in a bid to stop data theft.

A rise in the level of corporate data theft has spurred some
companies to take measures to stop rogue employees sneaking corporate
data out of the workplace on memory sticks, iPods and mobile phones,
The Australian Financial Review reported.


* Web services increasingly under attack
  4th, July, 2006

As more people turn to Web applications for everyday tasks like
e-mail, friendship and payments, cyber criminals are following them
in search of bank account details and other valuable data, security
researchers said.

Users of Yahoo's e-mail service, Google, Orkut social networking site
and eBay's PayPal online payment service were among the targets of
attacks in recent weeks. All three companies have acknowledged and
plugged the security holes.


* Snail mail falters open source campaign
  5th, July, 2006

Linux Australia's battle against proposed copyright laws had the
Attorney General's Department a tad confused yesterday.

The open source group issued an open letter to the Attorney General
Philip Ruddock attacking anti-circumvention laws.


* Sophos: because of malware home users should switch to Macs
  5th, July, 2006

Sophos has published new research into the past six months of cyber
crime. The Sophos Security Threat Management Report Update reveals
that while there has been a vast drop in new viruses and worms, this
has been over-compensated by increases in other types of malware, as
cyber criminals turn their attention to stealing information and


* DNSChanger redirects users to fake bank websites
  6th, July, 2006

You want to pay up your credit card account immediately, as you just
remembered that today is the due date. After getting on to your
bank's website by carefully typing in the URL, you put in your
account number and password, go to the credit card payment section
and perform the transaction. Satisfied with completing a task in
time, you move onto other chores, till you find out that the website
you visited and punched in confidential financial information was in
fact a fake one!


* It's the Economy, Stupid
  6th, July, 2006

I'm sitting in a conference room at Cambridge University, trying to
simultaneously finish this article for Wired News and pay attention
to the presenter onstage.  I'm in this awkward situation because 1)
this article is due tomorrow, and 2) I'm attending the fifth Workshop
on the Economics of Information Security, or WEIS: to my mind, the
most interesting computer security conference of the year. The idea
that economics has anything to do with computer security is
relatively new. Ross Anderson and I seem to have stumbled upon the
idea independently. He, in his brilliant article from 2001, "Why
Information Security Is Hard -- An Economic Perspective" (.pdf), and
me in various essays and presentations from that same period.


* Spammers increase pump-and-dump scams
  7th, July, 2006

Spammers are profiting from share manipulation by coaxing victims
into investing in junk bonds.
The spammers purchase cheap shares (which artificially raises the
stock price) and sell them off as victim investment raises their
value further.


* Secure Coding Catches Fire
  7th, July, 2006

If you build security in from the get-go, will the malware still
come? Of course. But proponents of secure software coding say attacks
and exploits won't be as widespread or prevalent if developers build
security into their operating systems, applications, and network
device software from the ground up. Applications are increasingly
becoming the targets of attacks and often represent the weakest link
in the security chain. It gets dicier when these apps are as
prevalent as systems management agent software, for instance, which
Matasano Security's recent research has shown to be a security
nightmare. (See Demons Lurk in Management Software.)


* Criminals Increasingly Blend IT Threats
  7th, July, 2006

Security researchers at software maker MessageLabs contend that
malware writers, hackers and other cyber-criminals are combining
multiple forms of IT threats in an attempt to amplify their efforts.


* Security breaches hit 84% of surveyed companies
  8th, July, 2006

CA has announced a security survey of 642 large North American
organisations which shows that more than 84% experienced a security
incident over the past 12 months, and that the number of breaches
continues to rise.


* Thinking about email security
  2nd, July, 2006

With the National Security Agency (NSA) monitoring our phone calls,
now might be a good time to think seriously about the security of our
email as well. In particular, you might want to think about
encrypting your email, and about whether it's safe in the hands of
third-party providers like Yahoo!, Google, and Microsoft.


* EFF Defends Tech Liberties
  5th, July, 2006

In March 1990, when few people had even heard of the internet, U.S.
Secret Service agents raided the Texas offices of a small board-game
maker, seizing computer equipment and reading customers' e-mail
stored on one machine. A group of online pioneers already worried
about how the nation's laws were being applied to new technologies
became even more fearful and decided to intervene.

And thus the Electronic Frontier Foundation was born -- 16 years ago
this Monday -- taking on the Secret Service as its first case, one
the EFF ultimately won when a judge agreed that the government had no
right to read the e-mails or keep the equipment.


* Identity Thief Finds Easy Money Hard to Resist
  5th, July, 2006

Note: free registration required to access this page
By the time of Shiva Brent Sharma's third arrest for identity theft,
at the age of 20, he had taken in well over $150,000 in cash and
merchandise in his brief career. After a certain point, investigators
stopped counting.


* EU opens public consultation on RFID
  6th, July, 2006

Fears about new Radio Frequency Identification technology (RFID),
have prompted the EU to open a public consultation process.

The commission has been holding discussions with government agencies
and the private sector since March based on general themes of
standardising RFID frequencies and formats across Europe, but now the
emphasis has changed slightly to inform citizens on how the
technology can improve quality of life without encroaching on
individual privacy issues. With this in mind, the commission has
initiated an online public consultation on its 'Your Voice in Europe'


* Concerns About Fraud Potential Continue to Plague Users of
Electronic Voting Machines
  4th, July, 2006

Electronic voting machines will be vulnerable to fraud this election
season unless countermeasures are taken, according to a report issued
last week by the New York University School of Law.
E-voting devices, such as touch-screen or optical scan systems, are
becoming more prevalent nationwide, and most of them are vulnerable
to external attack, according to the report compiled by the school's
Brennan Center for Justice.


* Hacker attacks hitting Pentagon: But NSA's methods for safeguarding
data are growing obsolete
  3rd, July, 2006

(Baltimore Sun, The (KRT) Via Thomson Dialog NewsEdge) Jul. 2 --
WASHINGTON -- The number of reported attempts to penetrate
Pentagon computer networks rose sharply in the past decade, from
fewer than 800 in 1996 to more than 160,000 last year - thousands of
them successful. At the same time, the nation's ability to safeguard
sensitive data in those and other government computer systems is
becoming obsolete as efforts to make improvements have faltered and


* A Good Start
  3rd, July, 2006

It's a start. On June 23, the Office of Management and Budget
announced that federal agencies have 45 days to put new
data-protection measures in place. The new requirements (technically,
they're "recommendations," but the OMB appears serious about this
anyway) include encryption for all sensitive data on mobile devices,
logging of all extracts from databases containing sensitive
information and verification that the downloaded sensitive data is
deleted after 90 days.


* U.S. gov't mandates laptop security
  6th, July, 2006

The Bush Administration is giving federal civilian agencies just 45
days to comply with new recommendations for laptop encryption and
two-factor authentication.


* Hong Kong drafts first anti-spam law
  7th, July, 2006

Hong Kong is readying its first anti-spam laws, promising fines and
long prison terms for serious offenders. The Chinese territory
currently has no laws specifically outlawing junk email, and recent
surveys looking at the sources of spam have included Hong Kong and
China among the worst in the world.


* VIDEO: Interview with Ex-Hacker Gary McKinnon
  4th, July, 2006

In 2002, Gary McKinnon was arrested by the UK's national high-tech
crime unit, after being accused of hacking into Nasa and the US
military computer networks. He says he spent two years looking for
photographic evidence of alien spacecraft and advanced power
technology.  America now wants to put him on trial, and if tried
there he could face 60 years behind bars.


* Cross Site Scripting Vulnerability in Google
  6th, July, 2006

Google is vulnerable to cross site scripting. While surfing around
the personalization section of Google I ran across the RSS feed
addition tool which is vulnerable to XSS. The employees at Google
were aware of XSS as they protected against it as an error condition,
however if you input a valid URL (like my RSS feed) it will return
with a JavaScript function containing the URL.


* Reid agrees British hacker can be deported for US trial
  9th, July, 2006

A Briton accused of hacking into the Pentagon's computers is to be
extradited to the US, the Home Office has confirmed. Gary McKinnon,
from north London, stands accused of what American prosecutors call
the "biggest military hack of all time", and potentially faces a
sentence of 70 years if found guilty.


* Securing wireless, remote and mobile computing
  3rd, July, 2006

The rapid growth of wireless, remote and mobile computing is creating
a significant increase in the risks that organisations face. All the
indications are that this growth will continue, and indeed
accelerate. It is clearly time to review what actions are required to
manage access risks from these forms of computing. Fortunately, there
are some quick fixes that are available.


* Cracking WEP with Ubuntu
  3rd, July, 2006

This post should enable anyone to get Linux up and running and crack
a WEP key. It took me about 2 days and myriad tutorials to finally
get this to work, and now that I have I feel that I should share it
with everyone. I am by no means a Linux expert, but this works
regardless. All you need is an old laptop with a wireless card and a
copy of Ubuntu Linux, currently one of the most popular and easily
installed distributions of Linux. If you haven't already bought a
wireless card, you should select one from this list to save yourself
some trouble.


* Wardriving with Ubuntu Linux and Google Earth
  5th, July, 2006

Wardriving is fun. Going around the neighborhood and mapping all the
wireless networks may be nothing more than a geeky hobby but it can
sure teach you a lot. And viewing the results in Google Earth is icing
on the cake.  I've used NetStumbler on Windows and this works great
but since my computers at home are now nearly Microsoft-free, I had
to relearn the process on Linux. It breaks down into a few easy


* Wireless security "inadequate" in companies
  5th, July, 2006

The adoption of wireless hotspots within the enterprise is growing
fast, though there are concerns too little is being done to secure


* Raw Wireless Tools Homepage
  7th, July, 2006

This is the main web site of several proof-of-concept tools using
IEEE 802.11 raw injection. These tools are provided as-is and thus
cannot be considered as a complete and functional tool set.


* A scanner for wireless interlopers
  7th, July, 2006

Wireless security firm Network Chemistry recently released a
cross-platform, free software security tool called RogueScanner in
conjunction with its wireless network protection package RFprotect.
RogueScanner, licensed under the GPL and the latest of three free
software security modules available from Network Chemistry, allows
you to monitor your network for rogue wireless devices. Release 1.0
comes in both Windows and Linux versions.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.