This week, perhaps the most interesting articles include "," "," and "Small Security Risk Still Big Selling Point for Linux."


EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared toward providing an open source platform that is highly secure by default as well as easy to administer. EnGarde Secure Linux includes a select group of open source packages configured to provide maximum security for tasks such as serving dynamic websites, high availability mail transport, network intrusion detection, and more. The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are also freely available with GDSN registration.



LinuxSecurity.com Feature Extras:

EnGarde Secure Linux v3.0.6 Now Available - Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.6 (Version 3.0, Release 6). This release includes several bug fixes and feature enhancements to the Guardian Digital WebTool and the SELinux policy, several updated packages, and a couple of new packages available for installation.

pgp Key Signing Observations: Overlooked Social and Technical Considerations - While there are several sources of technical information on using pgp in general, and key signing in particular, this article emphasizes social aspects of key signing that are too often ignored, misleading or incorrect in the technical literature. There are also technical issues pointed out where I believe other documentation to be lacking. It is important to acknowledge and address social aspects in a system such as pgp, because the weakest link in the system is the human that is using it. The algorithms, protocols and applications used as part of a pgp system are relatively difficult to compromise or 'break', but the human user can often be easily fooled. Since the human is the weak link in this chain, attention must be paid to actions and decisions of that human; users must be aware of the pitfalls and know how to avoid them.

Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital's multi-faceted security applications. More than just an email firewall: on-demand and scheduled scanning detects and disinfects viruses found on the network. Click to find out more!

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe, send an e-mail with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


Berners-Lee: Neutrality Preserves Net Openness
23rd, May, 2006

The computer scientist credited with inventing the World Wide Web on Tuesday strongly condemned moves by U.S. broadband providers to control their subscribers’ content, saying it threatens the Internet’s greatest strength: openness.

Okopipi leaps in where Blue Security left off
25th, May, 2006

Defeated antispam vendor Blue Security may be no more, but that's not the case for its technology and its spam-fighting hubris. A new independent group called Okopipi intends to pick up where Blue Security left off by creating an open source, peer-to-peer software program that automatically sends "unsubscribe" messages to spammers and/or reports them to the proper authorities.

MPAA accused of hiring a hacker
26th, May, 2006

A lawsuit filed Wednesday accuses the Motion Picture Association of America of hiring a hacker to steal information from a company that the MPAA has accused of helping copyright violators.

Self-Study Course in Block Cipher Cryptanalysis
24th, May, 2006

Studying cryptanalysis is difficult because there is no standard textbook, and no way of knowing which cryptanalytic problems are suitable for different levels of students. This paper attempts to organize the existing literature of block-cipher cryptanalysis in a way that students can use to learn cryptanalytic techniques and ways to break new algorithms.

Social Implications of Keysigning
24th, May, 2006

The use of strong public-key encryption has always been popular among geeks. Perhaps the most commonly used and most beloved encryption for e-mail is Pretty Good Privacy (PGP), which started as a free method for protecting e-mail and other sensitive information and later became the cornerstone of a large company. As PGP became more corporate and costly and relied on patented algorithms, another project, GnuPG, sprang up to continue to offer strong encryption to the masses.

How Do You Know Your Data Encryption is Really Secure
25th, May, 2006

There are various types and methods of data encryption. Some of the most popular forms of data encryption include single file encryption, folder encryption, volume encryption, whole disk encryption, and of course email encryption. The Windows XP operating system has the ability to perform file and folder encryption.

Audio: University of Washington Cryptography Lecture Archive
25th, May, 2006

The University of Washington Computer Science department has made CSEP 590 cryptography lectures available in PDF, PPT, video, and audio format. Those interested in learning more about cryptography from an academic perspective will surely find this interesting.

Password Hashing
29th, May, 2006

In this article I'm going to cover password hashing, a subject which is often poorly understood by newer developers. Recently I've been asked to look at several web applications which all had the same security issue - user profiles stored in a database with plain text passwords.
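As an added illustration for this item (example code written here, not taken from the article), the fast unsalted digest that many such applications reach for once they stop storing plain text is shown beside a salted, slow, self-describing hash with constant-time verification. PBKDF2-HMAC-SHA256, the record format and the iteration count are this example's own choices, not the article's.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. The figure is an assumption for this example:
# raise it until one hash costs tens of milliseconds on the login server. It is kept
# in the stored record so it can be increased later without invalidating old hashes.
ITERATIONS = 200_000
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """The pattern to avoid: an unsalted, fast digest. Every user with the same
    password gets the same value, so one precomputed table (or one cracked hash)
    covers all of them, and the digest is cheap enough to brute-force offline."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison: a plain == leaks how many leading bytes matched via timing.
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made with a lower work factor than currently required.
    Call it after a successful login and store hash_password(password) again."""
    try:
        algo, iters, _, _ = record.split("$")
    except ValueError:
        return True
    return algo != "pbkdf2_sha256" or int(iters) < iterations
```

The stored record carries everything needed to verify it, so the work factor can be raised over time without a flag day, and two users with the same password never share a stored value.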

Putting MediaWiki to Use in an Organization
21st, May, 2006

Imagine how useful it would be to have an online knowledge base that can easily be updated by key people within your organization. That's the promise of a wiki -- a Web application that "allows users to easily add, remove, or otherwise edit all content, very quickly and easily," as Wikipedia, perhaps the best-known wiki, puts it. Why not bring the benefits of a wiki to your organization? If you're sold on the concept, the first thing you need to do is to pick the software that you're going to use for your wiki. If you want to hunt around to find out what's out there, a good place to start is Wikipedia's wiki software wiki. If you say, "I'll use whatever Wikipedia is using," that'll be MediaWiki.

Z4CK - Digital Force, Zaurus Centric hacker novel
26th, May, 2006

In late 2004 Z4CK - meaning Zaurus-ACK, a novel about a hacker who creates the ultimate hacking tool - was released in PDF and paperback formats. The novel was well received by the Linux, PDA and security communities. In Z4CK Duncan Steele creates the ultimate hacking tool, which government agencies and criminals alike are desperate to obtain, so much so that the main character finds himself framed by the government for a murder he did not commit. Unlike films such as 'The Net' and 'Swordfish', real-world hacking techniques are used.

How To Automate Spamcop Submissions
29th, May, 2006

Spamcop is a service which provides RBLs that mail servers use to reject incoming mail from spammers. Their approach is to process spam complaints from users: when they receive a certain number of complaints within a time period, they blacklist the offender. The system is therefore dependent on spam reporting from users. However, their submission process is not very user-friendly.

Securely search the Net with Google and Scandoo.com
23rd, May, 2006

Scandoo.com is the first secure search service available free to anyone on the web. Currently in initial beta testing, Scandoo.com provides an early warning system to help users search the web safely and securely and avoid the risk of clicking on unknown web sites. The simple, intuitive service guides web users through searches, allowing them to detect and avoid malware, including spyware, adware and viruses, as well as harmful, offensive or illegal content, such as pornography, gambling, hatred and phishing sites.

IptablesWeb 2 has been released!
24th, May, 2006

IptablesWeb is free software (under the GPL licence) that lets you inspect iptables logs and receive e-mails and alerts using a web browser; it is a plugin-based, multilanguage, multiuser application written in PHP.

Test-driving RouterOS 2.9
23rd, May, 2006

Would you like to have a Linux-based router capable of doing tasks such as stateful firewall inspection, virtual private networking, and traffic shaping, in addition to packet routing? Tired of having to do administration from the command line but want to be able to administer your box from a Windows-based client PC? MikroTik's RouterOS may be what you need. You can boot RouterOS via diskette, CD, or over the network via a PXE- or Etherboot-enabled network interface card. You can find a full list of RouterOS technical specifications at the homepage.

MicroWorld to Launch Futuristic Network Firewall
27th, May, 2006

MicroWorld Technologies launched its futuristic, enterprise class firewall eConceal. eConceal is a comprehensive network firewall developed to prevent unauthorized access to a computer or network connected to the Internet. It enforces a boundary between two or more networks by implementing default or user-defined Access Control Policies or Rules. These rules function as filters by analyzing data packets to see if they fulfill the filter criteria and then allow or block the traffic accordingly.

Can single sign-on be simple sign-on?
29th, May, 2006

Fundamentally, Single Sign On (SSO) is a straightforward idea. You use a proxy device to authenticate a user, and the proxy then manages all the login idiosyncrasies of the applications they want to access.

Easy to describe, and straightforward to transcribe onto slideware. The devil is, of course, in the detail. For example, how do you know how all of your enterprise applications manage their login? Does the proxy do this for you or do you have to write a login script for each one individually? If you deploy the solution and the application decides it wants a password refresh, is your helpdesk buried by calls from angry users who can't get into the application and do their work?

Taking Steps To Protect Customer Data
29th, May, 2006

With so much attention paid to malicious attacks by hackers, worms and viruses, it's a common misconception that outside forces pose the greatest danger to a company's data. The reality, however, is that internal elements are far more dangerous when it comes to data security than anything on the outside, including natural disasters.

Security 101 - Don't Roll Your Own
24th, May, 2006

As hackers and cyber-thieves become increasingly sophisticated, I often wonder why some organizations still think it's a good idea to bypass expert help and develop their own (vulnerable) systems.

Detecting And Preventing HTTP Response Splitting And HTTP Request Smuggling Attacks At The TCP Level
26th, May, 2006

This technical note describes a detection/prevention technique that works in many cases both with HTTP Response Splitting and with HTTP Request Smuggling. This technique makes use of implicit information found in the TCP stream, namely the segmentation into packets and the TCP PSH bit.

In HTTP Response Splitting, the proposed technique needs to be applied at the proxy server, the one closest to the web server, and to the response stream. In HTTP Request Smuggling, this technique needs to be applied at the entity closest to the attacked proxy server/device (i.e. implemented in another proxy server, or the web server itself), and to the request stream (note, however, that this second server may be off the premises of the organization wherein the web server is; see also "Can HTTP Request Smuggling be blocked by Web Application Firewalls?").

Security Management From One Platform
28th, May, 2006

Managing network security gets harder every day as the number and types of threats multiply. Security is also a double-edged sword, and an incorrectly implemented or mismanaged security policy can prevent network commerce and stand in the way of the mission of the enterprise.

Linux: Setup a transparent proxy with Squid in three easy steps
29th, May, 2006

Yesterday I got chance to play with Squid and iptables. The job was to setup Squid proxy as a transparent server. Main benefit of setting transparent proxy is you do not have to setup up individual browsers to work with proxies.
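The setup the article describes, as an added example rather than the author's own steps: a Squid configuration fragment and the matching iptables rules, emitted by two small shell functions so they can be reviewed before being applied. Assumptions of this example: the Squid host is the LAN's default gateway, the LAN is 192.168.1.0/24 on eth0, Squid 2.6 listens on port 3128 (2.6 spells the option "transparent"; Squid 3.1 and later use "intercept"), and only port-80 HTTP is intercepted, since HTTPS cannot be transparently proxied this way.

```sh
# Added example (not from the article). See the lead-in for the assumptions.

# Step 1: squid.conf lines. The http_access rules matter: an interception proxy
# that is reachable from outside the LAN with "allow all" is an open proxy.
squid_transparent_conf() {
    port="$1"; lan="$2"
    cat <<EOF
http_port ${port} transparent
acl localnet src ${lan}
http_access allow localnet
http_access deny all
EOF
}

# Step 2: iptables rules. Port-80 traffic arriving from the LAN is redirected to
# Squid; traffic addressed to the gateway itself is exempted so a web server on
# the proxy host (and Squid's own error pages) do not loop back through the proxy.
# Step 3 is enabling routing for everything else: sysctl -w net.ipv4.ip_forward=1
squid_redirect_rules() {
    lan_if="$1"; port="$2"; gw_ip="$3"
    cat <<EOF
iptables -t nat -A PREROUTING -i ${lan_if} -p tcp -d ${gw_ip} --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i ${lan_if} -p tcp --dport 80 -j REDIRECT --to-port ${port}
iptables -A INPUT -i ${lan_if} -p tcp --dport ${port} -j ACCEPT
EOF
}
```

As root, the output would be applied with `squid_transparent_conf 3128 192.168.1.0/24 >> /etc/squid/squid.conf` and `squid_redirect_rules eth0 3128 192.168.1.1 | sh`, then a restart of Squid. Check afterwards that port 3128 is not reachable from the outside interface; the redirect only needs to be reachable from the LAN.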

Follow the Appiant way to a more secure network…
29th, May, 2006

Hardly a day goes by that we don't hear new information about some company getting themselves hacked. Sure they all have firewalls, but HOW are the hackers getting in? I was hired to perform an application security audit for a local university. They wanted to make sure that they didn't become part of the growing statistics.

Log analysis for Intrusion detection document.
23rd, May, 2006

A new document, titled "Log analysis for Intrusion Detection", is available. It shows how some threats can be detected by correlating specific patterns in web logs, proxy logs and authentication logs.

"Log analysis is one of the most overlooked aspects of intrusion detection. Nowadays we see every desktop with an anti-virus, companies with multiple firewalls and even simple end-users buying the latest security related tools. However, who is watching or monitoring all the information these tools generate? Or even worse, who is watching your web server, mail server or authentication logs?"

Log Analysis for Intrusion Detection
29th, May, 2006

Log analysis is one of the most overlooked aspects of intrusion detection. Nowadays we see every desktop with an antivirus, companies with multiple firewalls and even simple endusers buying the latest security related tools.

However, who is watching or monitoring all the information these tools generate? Or even worse, who is watching your web server, mail server or authentication logs? I'm not talking about pretty usage statistics of your web logs (like what webalizer does). I'm talking about the crucial security information that only few of these events have and nobody notices. A lot of attacks would not have happened (or would have been stopped much earlier) if administrators cared to monitor their logs.

We are not saying that log analysis is easy or that you should be manually looking at all your logs on a daily basis. Because of their complexity and generally high volume, automatic log analysis is essential.
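The correlation both log-analysis items above describe, as an added example (written here, not code from the document): a few constructed Apache access-log and sshd syslog lines are parsed, counted per source address, and the source that both probes the web server and brute-forces SSH is raised above either signal on its own. The log lines, the regular expressions and the thresholds are this example's assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines in Apache common-log and sshd syslog format (not from the
# document). Host 10.0.0.9 probes the web server, then brute-forces SSH and gets in.
WEB_LOG = """\
10.0.0.5 - - [29/May/2006:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043
10.0.0.9 - - [29/May/2006:10:01:05 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 212
10.0.0.9 - - [29/May/2006:10:01:06 +0000] "GET /admin/ HTTP/1.1" 404 212
10.0.0.9 - - [29/May/2006:10:01:07 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404 212
10.0.0.9 - - [29/May/2006:10:01:08 +0000] "GET /scripts/root.exe HTTP/1.1" 404 212
10.0.0.9 - - [29/May/2006:10:01:09 +0000] "GET /_vti_bin/ HTTP/1.1" 404 212
10.0.0.5 - - [29/May/2006:10:02:00 +0000] "GET /about.html HTTP/1.1" 200 522
""".splitlines()

AUTH_LOG = """\
May 29 10:03:01 www sshd[2231]: Failed password for invalid user admin from 10.0.0.9 port 40111 ssh2
May 29 10:03:03 www sshd[2233]: Failed password for root from 10.0.0.9 port 40112 ssh2
May 29 10:03:05 www sshd[2235]: Failed password for root from 10.0.0.9 port 40113 ssh2
May 29 10:03:07 www sshd[2237]: Failed password for root from 10.0.0.9 port 40114 ssh2
May 29 10:03:20 www sshd[2241]: Accepted password for root from 10.0.0.9 port 40116 ssh2
May 29 10:05:00 www sshd[2250]: Accepted publickey for alice from 10.0.0.5 port 50010 ssh2
""".splitlines()

WEB_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
AUTH_RE = re.compile(
    r'sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')
TRAVERSAL_RE = re.compile(r'\.\./|%2e%2e', re.IGNORECASE)


def analyse(web_lines: List[str], auth_lines: List[str],
            not_found_threshold: int = 4, failed_threshold: int = 4) -> List[Dict]:
    """Count suspicious events per source address across both logs, then score them."""
    stats = defaultdict(lambda: {"not_found": 0, "traversal": 0, "failed": 0,
                                 "login_after_failures": False})
    for line in web_lines:
        m = WEB_RE.match(line)
        if not m:
            continue  # unparsable line; a real deployment would count these too
        s = stats[m["ip"]]
        if m["status"] == "404":
            s["not_found"] += 1  # a burst of 404s from one host is a scanner
        if TRAVERSAL_RE.search(m["path"]):
            s["traversal"] += 1  # worth an alert even when the server returned 404
    for line in auth_lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        if m["result"] == "Failed":
            s["failed"] += 1
        elif s["failed"] >= failed_threshold:
            s["login_after_failures"] = True  # the event that should page someone

    alerts = []
    for ip, s in sorted(stats.items()):
        reasons = []
        if s["not_found"] >= not_found_threshold:
            reasons.append("web scanning (%d x 404)" % s["not_found"])
        if s["traversal"]:
            reasons.append("directory traversal attempt")
        if s["failed"] >= failed_threshold:
            reasons.append("ssh brute force (%d failures)" % s["failed"])
        if s["login_after_failures"]:
            reasons.append("successful login after brute force")
        if reasons:
            # One signal is noise; the same host in two different logs is an incident.
            alerts.append({"ip": ip, "severity": "high" if len(reasons) > 1 else "medium",
                           "reasons": reasons})
    return alerts
```

The point the document makes is visible in the output: the web log alone says "scanner", the auth log alone says "brute force", and only by keying both on the source address does the sequence probe, brute-force, successful root login stand out. A production version would additionally bound the counts by time window, since five failures spread over a month are not the same as five in ten seconds.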

Black Frog takes up Blue Frog spam challenge
24th, May, 2006

Blue Security may have been forced to close because of denial of service attacks from spammers, but the internet community is determined to carry on its work.

Five Ways to Screw Up SSL
22nd, May, 2006

SSL is a wonderful protocol, but it is frequently used badly. This note is intended to point out some of the more common errors made by applications using SSL. This checklist should be useful for application developers, system administrators, and the occasional penetration tester. This note assumes you have at least a casual knowledge of SSL, but is not a paper about cryptography. If you know enough to write an SSL library, you will know every single one of the mistakes I mention below, plus a few more. Still, I hope that those of you who are writing SSL toolkits will consider why these mistakes are made. Perhaps it will help you design your toolkits so that novices use them correctly.

Small Security Risk Still Big Selling Point for Linux
27th, May, 2006

When the Indiana Department of Education rolled out PCs running Linux to schools last year, it installed open source antivirus software on the servers connected to the desktop systems to scan incoming e-mail. However, it didn't bother to put antivirus tools on the PCs themselves. "I hate to admit this, but I wasn't worried," said Forrest Gaston, a consultant who is managing the project for the Indianapolis-based agency. And despite heavy Internet usage by students, Gaston's optimism has been borne out thus far. Desktop security "hasn't been an issue," he said.

Skype Patches Medium-Risk Security Hole
22nd, May, 2006

Skype is advising users to upgrade to a more recent version of its voice-over-IP software to fix a security bug reported late last week by a security researcher in New Zealand. The bug affects several versions of the Skype client for Windows and could allow an attacker to download a file from an affected PC without permission. Skype rated the vulnerability "medium risk."

Best of the Free Anti-virus Choices?
23rd, May, 2006

iamjoltman writes "I've been looking to replace the McAfee anti-virus on my parent's XP machine. So, I've been looking at the three free anti-virus choices, AVG Free Edition, avast! Home Edition and AntiVir Personal Edition. I know there are other options, but I believe any others are only on-demand scanners, and that's not an option. So, what does the Slashdot crowd think is the best of these choices? Keep in mind, I'm only looking in anti-virus, I'll go elsewhere for firewall or malware protection."

Mozilla CEO: 'Why we're still shunned in the enterprise'
24th, May, 2006

Mozilla, maker of the open source Firefox web browser and Thunderbird email client, says a reliance on proprietary technologies is still an obstacle for IT directors looking to deploy open source in the enterprise. Mozilla Corporation CEO Mitchell Baker readily admitted to silicon.com that the enterprise is "not our sweet spot" but said the organisation offers an enterprise customisation kit created by an IBM developer and said it's interested in working with partners to address the needs of corporate IT.

Oracle's security chief lambastes faulty coding
25th, May, 2006

Mary Ann Davidson, chief security officer for database giant Oracle, remembers the first time she heard her company's marketing scheme that advertised its database products as "unbreakable." "I think my response was 'What idiot dreamed this up?'," Davidson said Thursday at the W3C conference in Edinburgh, Scotland.

Security vendor ArcSight scoops up NAC technology
25th, May, 2006

ArcSight this week announced it would acquire NAC vendor Enira Technologies to augment ArcSight's security information management software with Enira's automated network response technology.

John the Ripper 1.7.2
22nd, May, 2006

John the Ripper 1.7.2 (a "development" version) adds bitslice DES assembly code for x86-64 making use of the 64-bit mode extended SSE2 with 16 XMM registers. You can download it at the usual location: John the Ripper password cracker.

The Zero Zone Or Next Level IT Security?
22nd, May, 2006

Businesses have blindly joined in the reactive post-and-patch game of AV updates and application vulnerability patching, without fully understanding that it will inevitably lead them to a never-ending spiral of security updates. This would seem not to be the most effective way of keeping your endpoints free from infiltration, and yet the industry as a whole has stumbled onward, quite happily playing this reactive game for some time.

Understanding Technical vs. Logical Vulnerabilities
24th, May, 2006

Only about half of the vulnerabilities (technical vulnerabilities) in web applications can be scanned for. The other half (logical vulnerabilities) must be tested for by an experienced expert. WhiteHat Security founder and CTO Jeremiah Grossman explains the differences between the two issues and the fundamental reasons why technology alone cannot solve the problem.

Most Businesses do not have a Security Aware Culture
23rd, May, 2006

The Information Security Breaches Survey 2006 highlights the fact that most businesses are a long way from having a security aware culture. Although three quarters of UK businesses rate IT Security as a high priority, with protecting customer information becoming increasingly important, worryingly just 1 firm in 8 has IT security qualified staff to put procedures in place. Businesses that rely on online interaction with their customers are advised to get a handle on Identity Management to counteract the growing threat of identity theft and fraudulent attacks.

Securing your Software Development Life Cycle
23rd, May, 2006

When it comes to software security, the general perception is that including technologies such as firewalls, intrusion prevention systems, and malware protection throughout the software development life cycle is all that’s needed to keep information secure in the end product. However, these technologies are mostly reactive in nature and don’t prevent the vulnerabilities in the first place. Also, at the development level, there’s a lot of talk about testing for buffer overruns, validating user input, using the principle of least privilege, and so on. These are certainly solid practices, but there’s still a considerable gap when it comes to getting to the root of software flaws – the development process itself.

StopBadware.org Adds to its Hall of Shame List
25th, May, 2006

StopBadware.org, the organization dedicated to highlighting software that consumers might prefer to avoid, Wednesday added another round of software programs to its "Badware Watch List." The latest inductees into this hall of software shame include four programs: FunCade, a gaming application that comes bundled with BullsEye and NaviSearch; Team Taylor Made's "Jessica Simpson Screensaver"; a scanner called "UnSpyPC"; and WinFixer 2005 and 2006. Each was cited by StopBadware.org for specific reasons that relate to deceptive installation, causing harm to other computers, modifying other software or transmitting user data, interfering with computer use or being difficult to uninstall completely.

Report security vulns at your peril
26th, May, 2006

Has it really come to this? Researchers are now so wary of reporting security vulnerabilities that some infosec experts in academia are advising their student charges to walk away from problems. Pascal Meunier, author of the Cassandra system, and a researcher at the Centre for Education and Research in Information and Assurance (CERIAS) at Purdue University, reckons it has become too risky to report security flaws in websites to their administrators. His opinion was formed after reporting a vulnerability in custom software on a production website discovered by one of his students.

Developers turn blind eye to security
26th, May, 2006

Mary Ann Davidson, chief security officer for database giant Oracle, remembers the first time she heard her company's marketing scheme that advertised its database products as "unbreakable." "I think my response was 'What idiot dreamed this up?'," Davidson said Thursday at the W3C conference in Edinburgh, Scotland.

If civil engineers built bridges in the same fashion in which software developers write code, people would face the "blue bridge of death" every morning going to work, Davidson said. Software developers, she noted, tend to laugh nervously when they hear the analogy -- an insider reference to what programmers call the blank, "blue screen of death" on a PC display when Windows fails.

Everybody's a Server
28th, May, 2006

The IT world has a reputation of being extremely fast-paced. And it is: an accounting program in the '80s would have been written in COBOL. In the '90s it would have been written with a RAD (Rapid Application Development) environment such as Delphi or Visual Basic. In the... '00s (noughties?), today, the same application would probably be written as a web system, possibly using all of the "Web 2.0"