[ISN] Linux Security Week - May 28th 2001

From: InfoSec News (isnat_private)
Date: Tue May 29 2001 - 07:35:07 PDT


    |  LinuxSecurity.com                         Weekly Newsletter        |
    |  May 28th 2001                            Volume 2, Number 21n      |
    |                                                                     |
    |  Editorial Team:  Dave Wreski             daveat_private    |
    |                   Benjamin Thomas         benat_private     |
    Thank you for reading the LinuxSecurity.com weekly security
    newsletter. The purpose of this document is to provide our readers
    with a quick summary of each week's most relevant Linux security
    This week, our readers should pay particular attention to "DoE: First 
    Responder's Manual," "Two Open Source Security Code Scanners," and 
    "SMTP over an SSH Tunnel."  Also in the news, the saga surrounding 
    Max Butler continues.  An updated Wired story appears in the General 
    section of this newsletter.
    ### FREE Apache SSL Guide from Thawte
    Planning Web Server Security? Find out how to implement SSL!  Get 
    the free Thawte Apache SSL Guide and find the answers to all your 
    Apache SSL security issues and more.  
     -> Go to:  http://www.gothawte.com/rd12.html 
    This week, advisories were released for samba, minicom, xemacs,
    kernel (TurboLinux), man, mktemp, openssh, pine, and vixie-cron.  The
    vendors include Caldera, EnGarde, Mandrake, Red Hat, and TurboLinux.
    It is critical that you update all insecure packages.
    HTML Version available:
    | Host Security News: |
    * Hardening Linux
    May 22nd, 2001
    IPChains in my opinion is a poor man's firewall. Now while most Linux
    binaries are open source I mean this in the sense that most people
    who use IPChains have little knowledge about firewalls or protocols
    and look for IPChains as a solution to a firewall. IPChains has its
    ups and downs, but a strong firewall by comparison should be the
    ultimate resolution. 
    * Two Open Source Security Code Scanners
    May 22nd, 2001
    David Wheeler, author of the Secure Programming HOWTO, and the RATS
    development team from Secure Software Solutions today announced open
    source source code security flaw scanners. RATS scans through code,
    finding potentially dangerous function calls. "The goal of this tool
    is not to definitively find bugs. Instead, this tool aims to provide
    a reasonable starting point for performing manual security audits."
    Flawfinder states it will "scan source code and identify potential
    security flaws, ranking them by likely severity."
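    As an added illustration of what these scanners do (example code written
    for this newsletter, not RATS or Flawfinder themselves), here is a small
    Python scanner that flags calls to risky C functions, ignores names that
    appear only in comments, and ranks hits by severity. The rule table, the
    severity numbers and the C sample are all constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed rule table: risky C call -> (severity 1-5, short rationale).
# Modelled on the kind of list RATS/Flawfinder use; values are illustrative.
RULES = {
    "gets":    (5, "no bounds check on input; use fgets"),
    "strcpy":  (4, "no destination bound; use strlcpy/snprintf with a size"),
    "strcat":  (4, "no destination bound; use strlcat"),
    "sprintf": (4, "unbounded formatted output; use snprintf"),
    "system":  (4, "shell metacharacters reach /bin/sh; prefer execve"),
    "mktemp":  (3, "race between name creation and use; use mkstemp"),
    "strncpy": (2, "may leave destination unterminated; check the length"),
}

# \b keeps e.g. "vsprintf(" from matching the "sprintf" rule.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RULES)) + r")\s*\(")
# Strips // comments and single-line /* */ comments. Multi-line block
# comments and string literals are not handled (a known limitation of
# regex-based scanners, which is why the output is a starting point only).
COMMENT_RE = re.compile(r"//.*$|/\*.*?\*/")

def scan_c_source(src: str) -> List[Tuple[int, int, str, str]]:
    """Return (line_no, severity, function, reason), worst severity first."""
    hits = []
    for line_no, line in enumerate(src.splitlines(), start=1):
        code = COMMENT_RE.sub("", line)
        for m in CALL_RE.finditer(code):
            name = m.group(1)
            sev, why = RULES[name]
            hits.append((line_no, sev, name, why))
    return sorted(hits, key=lambda h: (-h[1], h[0]))

# Constructed sample input; line numbers count from the blank first line.
SAMPLE_C = r"""
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv) {
    char buf[64];
    char name[32];
    gets(buf);                                  /* reported, severity 5 */
    strcpy(name, argv[1]);                      /* reported, severity 4 */
    strncpy(buf, argv[1], sizeof buf);          /* reported, severity 2 */
    snprintf(buf, sizeof buf, "%s", name);      // snprintf is not sprintf
    // system("ls");  only in a comment, must not be reported
    return 0;
}
"""

if __name__ == "__main__":
    for line_no, sev, name, why in scan_c_source(SAMPLE_C):
        print(f"line {line_no}: [{sev}] {name}(): {why}")
```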
    * DoE: First Responder's Manual
    May 21st, 2001
    This manual "is designed as a guide concerning the initial response
    to a computer incident for both system administrators and security
    personnel." Although this manual is being written with system
    administrators and security personnel in mind, it can be useful to
    anyone who suspects a computer was used, intentionally or
    unintentionally, in a security incident or criminal act.
    | Network Security News: |
    * DoS attacks hit anyone, not just corporations
    May 25th, 2001
    Denial of service (DoS) attacks against big Internet players like
    Amazon.com draw media attention, but according to a new study, these
    electronic assaults frequently are targeted against individual
    personal computers. DoS attacks disable Web servers on the Internet
    by overloading them with messages, according to the study.
    * Firewalling: Reject vs. Deny, Default-open vs. Default-closed
    May 23rd, 2001
    There are a number of issues considered all too rarely by firewall
    administrators. Most IP level firewalls have a number of options for
    handling a packet. The packet can typically be accepted, dropped, or
    sent through another set of rules for inspection (allowing you to
    break up your ruleset into more manageable pieces).
    * Enter the Decentralized Zone
    May 22nd, 2001
    Digital security is a trade-off. If securing digital data were the
    only concern a business had, users would have no control over their
    own computing environment at all: the Web would be forbidden
    territory; every disk drive would be welded shut. The current
    compromise between security and flexibility is a sort of
    intranet-plus-firewall sandbox, where the IT department sets the
    security policies that workers live within. This allows workers a
    measure of freedom and flexibility while giving their companies
    heightened security.
    * SMTP over an SSH Tunnel
    May 22nd, 2001
    The first thing I decided was to establish the tunnel as a non-root
    user. Since the tunnel was going to exist for solely mail relaying
    purposes, I created a relay user on both my laptop and the server in
    question. I also ran ssh-keygen(1) and gave the relay user an empty
    passphrase. If you're overly paranoid, you can use a passphrase and
    then use ssh-agent(1). The way I figure is if someone gets into my
    laptop, I have more things to worry about than them sending mail
    through my relay. 
    | Vendors/Products/Tools:|
    * Intrusion-Detection Systems by the Numbers
    May 21st, 2001
    My company recently tested and acquired a network-based
    intrusion-detection system (IDS). Over the past few months, I've
    received many e-mails from readers asking me to explain the
    performance-testing methodology I used, so I've decided to share how
    I tested our network-based IDS. (A network-based IDS server
    watches traffic destined for all host systems on a subnet, while a
    host-based IDS typically runs on each host system to be protected.)
    | General Security News: |
    * Internet architects zero in on reliability, security
    May 26th, 2001
    As the architects of the future Internet struggle to define
    underlying technologies for providing a range of new network
    services, reliability and security are again moving to the top of the
    agenda. According to security experts at a meeting this week
    sponsored by the Global Internet Project and the Cross-Industry
    Working Team, the reliability issue lends itself to market-driven
    technology solutions. 
    * A 'White Hat' Goes to Jail: Updated
    May 25th, 2001
    Max Butler lived three lives for five years. As "Max Vision," he
    was an incredibly skilled hacker and security expert who boasted that
    he'd never met a computer system he couldn't crack. As "The
    Equalizer," he was an FBI informant, reporting on the activities of
    other hackers. As Max Butler, he was a family man in Santa Clara,
    California who ran a Silicon Valley security firm.
    * A common language for security vulnerabilities
    May 25th, 2001
    When hackers want to breach your systems, they typically look for
    well-known security flaws and bugs to exploit. In the past, vendors
    and hackers gave different names to the same vulnerabilities. One
    company might package a group of five vulnerabilities into a patch
    or service pack and call it by one name, while another vendor might
    call the same group by five separate names.
    * Security outsourcing set to soar
    May 23rd, 2001
    Spurred on by the increasing complexity of systems and the
    seemingly growing number of threats, businesses with critical
    electronic processes are increasingly turning to third party
    security suppliers to guard their gates.
    * NSF funds infosec scholarships
    May 23rd, 2001
    The National Science Foundation on Tuesday announced it has awarded
    $8.6 million in scholarship money to six schools in the first round
    of its Scholarship for Service program. The program provides
    scholarships to undergraduate and graduate students who agree to
    study information security and information assurance in exchange for
    two years of related government service.
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
         To unsubscribe email newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ISN is hosted by SecurityFocus.com
    To unsubscribe email isn-unsubscribeat_private

    This archive was generated by hypermail 2b30 : Wed May 30 2001 - 02:25:19 PDT