Source: james-morris.livejournal.com - Posted by Bill Keys
Version 2.6.28 of the Linux kernel was released during Christmas, so I thought it'd be worthwhile waiting until after typical vacation days to post a summary of changes to the security subsystem. As always, thanks to the Kernel Newbies folk who track major kernel changes. Serge Hallyn added a dummy policy for SELinux to the kernel tree. This is useful for testing SELinux and a base for building minimal and experimental security policies.
Have you noticed some of the security changes to the latest upstream Linux kernel? Read on for more information on these changes.
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, perhaps the most interesting articles include "MD5: The Internet has a Major Problem," "Top 5 Cybersecurity News Stories of 2008," and "Helping Protect Cookies With HTTPOnly Flag."
Firstly, allow me to recap. A couple of days ago, I reported a presentation at the Chaos Computer Club conference in Berlin which outlined a major problem with the way Certificate Authorities handle message hashing. Essentially, this attack relied on well-known problems with the MD5 hash algorithm.
Problems based on hash collisions, which, having been discovered in 2004, were previously considered to be theoretical, were now well-lodged within the domain of reality.
Have you heard about the news about the reported problem with how Certificate Authorities are handling message hashing? Read on for more information on some security issues with the current Certificate Authorities.
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, advisories were released for phpgadmin, php-xajax, kernel, seamonkey, samba, and Qemu. The distributors include Debian, Mandriva, Slackware, and Pardus.
Data breaches continued to make their very public mark on cybersecurity news in 2008. And this time it wasn't TJX making headlines. Despite being PCI-compliant, Hannaford Brothers supermarkets announced that 4.2 million credit and debit card numbers were pilfered from its servers. We also learned in 2008 that attackers aren't necessarily becoming more sophisticated.
Check out this list of the top 5 cybersecurity news stories of the year. Did they miss any that you think should be on the list?
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, perhaps the most interesting articles include "Top 5 Cybersecurity News Stories of 2008," "5 Known Linux Anti-virus Software for Paranoid Users," and "Nipper - The Network Infrastructure Parser."
The bottom line is this - while this cookie option flag does absolutely nothing to prevent XSS attacks, it does significantly help to prevent the #1 XSS attack goal, which is stealing SessionIDs. While HTTPOnly is not a "silver bullet" by any means, the potential ROI of implementing it is quite large. Notice I said "potential", as in order to provide the intended protections, two key players have to work together.
This article looks at one way you can make your Web cookies more secure by using the Apache module mod_security. If you are interested in this, please read on for more information and to learn how to set this up on your own Apache web server.