Thank you for reading the weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

Important news in this issue regarding ClamAV, the popular open source anti-virus scanner, and the discussion over the end-of-life of a relatively recent version and how to avoid a potential problem on your network. Feature Extras:

SSH: Best Practices - If you're reading then it's a safe bet that you are already using SSH, but are you using it in the best way possible? Have you configured it to be as limited and secure as possible?

Read on for my best practices for using Secure Shell.

Review: Linux Firewalls - Security is at the forefront of everyone's mind and a firewall can be an integral part of your Linux defense. But is Michael's Rash's "Linux Firewalls," the newest release from NoStarchPress, up for the challenge? Eckie S. here at gives you the low-down on this newest addition to the Linux security resource library and how it's one of the best ways to crack down on attacks to your Linux network.

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.22 (Version 3.0, Release 22). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy.

How Young Upstarts Can Get Their Big Security Break (Apr 26)

Companies crave experience in their security staffers, dimming prospects for entry-level applicants. Bill Brenner on how a young upstart can break through. If you're young, breaking into the security industry can be hell.

PGP co-founder takes OS security job with Apple (Apr 26)

Jon Callas, who as co-founder and chief technologist of PGP helped bring strong encryption to the masses, has taken a job with Apple working on operating-system security.

Malware hides from search engines (Apr 26)

Criminals are increasingly attempting to conceal malware embedded in hacked websites from search engines such as Yahoo! and Google. Their aim is to prevent browsers which use technology such as Google's Safe Browsing API from sounding the alarm when a user visits a hacked website. Google's Safe Browsing API allows client applications to query Google's phishing and malware blacklist. Firefox and Google Chrome both make use of the API, which is based on Google searches of websites for suspicious code.

(Apr 26)

It was simply a matter of time before Linux became my primary operating system. My most recent malware incident was the final straw that sent me into welcoming and safe haven of Ubuntu.

How Blippy users' credit cards got into Google (Apr 24)

A series of gaffes at Blippy, Google, and a Midwest bank exposed the credit card numbers of four individuals within Google search results for more than two months. Friday was easily the worst day in the history of Blippy, a young start-up that enables people to create social networks around sharing information on goods and services they buy.

OAuth Is the New Hotness in Identity Management (Apr 24)

With Facebook Connect being abandoned in its favor, and a new draft specification before the IETF, OAuth is shaping up as the cornerstone of identity management for cloud-based applications and services. eWEEK Labs Senior Analyst P. J. Connolly looks at what's behind the seamless access to services on social media sites such as Facebook, LinkedIn and Twitter.

(Apr 23)

What's more devastating than a DDoS attack launched by a botnet? In some cases, that's the DDoS attack launched by the "opt-in botnet" aggregated through a crowdsourcing campaign.

Hacktivism makes use of voluntary zombies (Apr 23)

Social media is making hacktivism easier, especially as politically motivated online crowds come together to create distributed denial of service attacks, finds a new paper by security researcher Gunter Ollmann of Damballa.

Encrypt everything (Apr 23)

Companies stand to lose their reputation, not to mention business, in cases of severe data loss. One way to prevent the inadvertent leakage of information is to go in for encryption to secure data on hard drives, flash drives and the like. Subhankar Kundu looks at the different aspects of data encryption in the corporate world.

White House releases open source code (Apr 23)

The US government has released open source code that it has been working on. In an unusual move for government transparency, the White House is letting developers get their mitts on its open source code. The US executive branch has been working on its custom code as part of its ongoing efforts to "develop an open platform for"

10 Nations Demand Online Privacy - Or Else (Apr 23)

Google was the main target of a group of privacy commissioners from 10 nations who held a press event in Washington, D.C., on Tuesday to air their grievances. They castigated the company over its botched Buzz rollout and criticized its Street View operations. However, other online companies -- such as Facebook and other social networks -- should also take notice, the commissioners warned.

Metasploit Goes Commercial in New Express Edition (Apr 23)

A new version of the open source Metasploit Framework penetration testing tool is set to debut next month with the release of Metasploit Express -- ushering in new enhancements for ease-of-use and management that come courtesy of its new commercial underpinnings.

Hacker runs Google's Android on Apple's iPhone (Apr 23)

There are matches made in heaven, and on the other side of the spectrum, there is David Wang's accomplishment: booting Google's Android operating system on Apple's iPhone Wang, the "planetbeing" member of the a group called the iPhone Dev Team devoted to hacking iPhones, on Wednesday posted a video demonstrating Android on an iPhone.

More Than One-Third Of Network Devices Show Vulnerabilities, Study Says (Apr 22)

Nearly 40 percent of enterprise network devices exhibit some form of security vulnerability, according to a study published today.

(Apr 22)

Havoc decended upon Coles stores across the country this morning after 10 per cent of the company's cash registers were knocked out by a botched McAfee anti-virus update. The Internet Storm Center, an initiative of the SANS Technology Institute which monitors problems on the web, said "the affected systems will enter a reboot loop and lose all network access."

Zeus banking Trojan is hitting Firefox (Apr 21)

Reports have surfaced that Internet Explorer users are not the only targets of the Zeus banking Trojan - Firefox users are now also under threat.

Google Privacy Failings Criticized by Ten Countries (Apr 21)

Privacy officials from 10 countries on Tuesday penned a letter to Google criticizing its approach to privacy, pointing to its Buzz and Street View products as examples.

Google shows government requests data (Apr 21)

In the spirit of being open, search engine outfit Google has stated under what conditions it will hand over data to governments or delete information on its websites.

Open source lessons could help move to the cloud (Apr 21)

We continue our conversation today with Gunnar Hellekson, chief technology strategist for Red Hat's U.S. Public Sector Group.When it comes to security, he explains why the old adage, "the more things change, the more they stay the same" often applies.

Security: Red Hat announces beta of Enterprise Linux 6 (Apr 21)

LEADING US LINUX VENDOR Red Hat has given the public a first look at the next version of its Enterprise Linux distribution. ... The new System Security Services Daemon (SSSD) feature allows for centralised identity management, while the SELinux sandbox feature lets administrators better tackle untrusted content.

(Apr 21)

This is a seminal piece of writing from the underground, forgotten by many but adored by many more. It still resonates with me and has as much meaning as it did back in the day when I first read it in Phrack Issue 7.

(Apr 21)

The Open Web Application Security Project (OWASP) today issued the final version of its new Top 10 list of application security risks.The list, which was first unveiled in November at the OWASP conference, is a departure from OWASP's previous lists, which ranked the most commonly found weaknesses and vulnerabilities in Web applications.

Firefox add-on disrupts Google data collection (Apr 20)

I think this is one plugin we won't see released by Google for Chrome anytime soon. A computer security researcher has launched a project designed to provide people greater privacy when using Google, as the company expands the scope of data its collects about its users.

Secret Anti-Piracy Treaty Details Going Public (Apr 20)

Countries negotiating a major cross-border agreement to crack down on intellectual property crimes have agreed to release previously secret draft language of the controversial accord this week.

Amazon Brute Force SIP Attacks