+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  August 13th, 2001                            Volume 2, Number 32n  |
|                                                                     |
|  Editorial Team:  Dave Wreski        daveat_private                 |
|                   Benjamin Thomas    benat_private                  |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, the most interesting articles include "Your Network's Secret Life, Part 5," "Triple your remote office protection: The Layered Approach," and "Linux IPsec Gateways Using FreeS/Wan." Also this week, if you are in the information security field, Computerworld has released an excellent summary of statistics for the year 2000 and projections for 2001.

This week, advisories were released for xmcd, tomcat, squid, zope, FreeBSD kernel, openldap, xloadimage, and kerberos. The vendors include Caldera, Debian, FreeBSD, Red Hat, and SuSE.
http://www.linuxsecurity.com/articles/forums_article-3475.html

PacketStorm Security named EnGardeLinux.com, the Official Site for the Engarde Secure Linux distribution, "Site of The Week". PacketStorm Security is known as one of the largest and most highly regarded security sites on the Internet, offering the latest security exploits, articles and tools. We would like to thank our friends at PacketStorm for the prestigious honor.
http://www.linuxsecurity.com/articles/projects_article-3478.html

HTML Version: http://www.linuxsecurity.com/vuln-newsletter.html

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]-------------
+---------------------+

* IPFilter on OpenBSD
August 8th, 2001

What is IPFilter? Very simply, a package for permitting (or passing) and denying IP packets based on a range of criteria. It can also provide Network Address Translation (NAT) services, if desired. The IPFilter web site has more details.
http://www.linuxsecurity.com/articles/firewalls_article-3463.html

* Introduction to Input Validation with Perl
August 8th, 2001

How can we make software that withstands malicious input attacks? We can start by minimizing the set of entities our software trusts and by vigorously validating all input. A very important, well known, yet too often lightly dismissed problem in software security is that of trust management.
http://www.linuxsecurity.com/articles/general_article-3462.html

* Blame it on the buffer overflows
August 7th, 2001

It used to be that buffer overflows were just a nagging 40-year-old glitch in the software development process. Today, as illustrated by Code Red, they are the No. 1 reason hackers can slice through corporate networks like Swiss cheese.
http://www.linuxsecurity.com/articles/host_security_article-3458.html

+------------------------+
| Network Security News: |
+------------------------+

* Hacking the hacker
August 12th, 2001

You're a hot shot. You know how to use Linux and hey, you even got that modem working. People think you're smart because you know how to use Linux. But then one night, you're sitting in front of your computer (the one that has the always-on cable modem or DSL connection) and being the smart person that you are, you said that you didn't need security.
http://www.linuxsecurity.com/articles/host_security_article-3489.html

* Your Network's Secret Life, Part 5
August 12th, 2001

Other than my little excursion into xinetd, I've used this series to show you ways in which you can make some sense of the packets flying around your network, and the tools that can help you do that. I started this article by giving you the dictionary definition for "ethereal". Ethereal also happens to be the name of an excellent network protocol analyzer, a powerful tool that lets you see what is happening on your network right now.
http://www.linuxsecurity.com/articles/network_security_article-3490.html

* WLANs Cause Widespread Security Concerns
August 10th, 2001

By the end of 2002, 30 percent of all enterprises will risk security breaches because they've deployed 802.11b wireless local area networks (WLANs) without proper security, research and advisory firm Gartner, Inc. said Thursday. About 50 percent of all enterprises plan to install WLANs, according to Gartner, but at least 20 percent of large businesses already have "rogue" WLANs in place that were installed by users, not information technology (IT) shops, the firm claims.
http://www.linuxsecurity.com/articles/network_security_article-3476.html

* Triple your remote office protection: The Layered Approach
August 9th, 2001

We all know that two-thirds of corporate hacks come from inside the firewall, making internal security as important as external. But what about your remote offices and SOHO workers? Are they as vulnerable to attacks as your corporate workers?
http://www.linuxsecurity.com/articles/network_security_article-3468.html

* Linux IPsec Gateways Using FreeS/Wan
August 9th, 2001

By far the most viable VPN solution is an IPsec variant. Not only is IPsec built in to IPv6, but also all the major vendors and software consortiums are gearing their products towards this standard. There's only one real choice here for IPsec and open-source on Linux and that is FreeS/WAN.
http://www.linuxsecurity.com/articles/network_security_article-3474.html

+------------------------+
| Cryptography News:     |
+------------------------+

* Encryption cores ramp for pervasive security
August 10th, 2001

With subtle distinctions, intellectual-property (IP) core vendors are readying implementations of the Advanced Encryption Standard (AES) security algorithm. The vendors, established and startup, are banking on applications from miniature wireless devices to massively parallel Web servers to support the rapid and pervasive deployment of encryption-enabled devices and systems.
http://www.linuxsecurity.com/articles/cryptography_article-3477.html

* 128 Bit Wireless Encryption Cracked
August 10th, 2001

We implemented an attack against WEP, the link-layer security protocol for 802.11 networks. The attack was described in a recent paper by Fluhrer, Mantin, and Shamir. With our implementation, and permission of the network administrator, we were able to recover the 128 bit secret key used in a production network, with a passive attack.
http://www.linuxsecurity.com/articles/cryptography_article-3479.html

* Cryptographer: Sklyarov case shows business outweighs First Amendment
August 10th, 2001

Noted cryptographer Bruce Schneier has produced a damning critique of the way the Digital Millennium Copyright Act was used to jail Russian software researcher Dmitry Sklyarov. Schneier, chief technology officer of Counterpane Internet Security, and inventor of the Blowfish algorithm, will argue in the next issue of his Crypto-Gram email newsletter that the Sklyarov case shows the DMCA is being used to restrict basic freedoms of speech.
http://www.linuxsecurity.com/articles/cryptography_article-3480.html

+------------------------+
| Vendors/Tools          |
+------------------------+

* Shrink-Wrapped Security
August 11th, 2001

In a sense, there is no reason why testing a security solution should not be as simple as point and click. Most of the other things we do on a daily basis are done the same way. Perhaps the bigger issue is that while the software to test our security solutions may be simple and easy to use, are those doing the pointing and clicking able to effectively test, and (just as important) interpret the information produced from such a test?
http://www.linuxsecurity.com/articles/general_article-3482.html

* EnGardeLinux.com Named Site of the Week!
August 10th, 2001

PacketStorm Security named EnGardeLinux.com, the Official Site for the Engarde Secure Linux distribution, "Site of The Week". PacketStorm Security is known as one of the largest and most highly regarded security sites on the Internet, offering the latest security exploits, articles and tools.
http://www.linuxsecurity.com/articles/projects_article-3478.html

* ComputerWorld: Security Statistics
August 6th, 2001

A nice account of the costs associated with attacks and computer security. "The threat from computer crimes and other online security breaches has barely slowed, never mind stopped, according to a recent survey of 538 security professionals in U.S. corporations that was conducted by the Computer Security Institute and the FBI's Computer Intrusion Squad."
http://www.linuxsecurity.com/articles/server_security_article-3455.html

+------------------------+
| General Security News: |
+------------------------+

* Tech watch: Hackers get no respect -- but they might be marketable
August 11th, 2001

Hackers are a misunderstood lot. And they're more powerful than they realize. So says John Lee. "They can destroy, steal or corrupt valuable information if they want to," Lee said. He should know. In 1992, he earned the distinction of making Wired magazine's "Rogue's Gallery" after he and four cronies (his code name was "Corrupt") were convicted of hacking the networks of AT&T, Bank of America, TRW and the National Security Agency and stealing confidential information from credit reports.
http://www.linuxsecurity.com/articles/general_article-3485.html

* Who is responsible for security?
August 9th, 2001

Board members could face criminal proceedings if security systems are inadequate, writes Ian Murphy. For companies that are publicly quoted, poor or non-existent security measures can become a legal issue that could see the board of directors charged with negligence if the company suffers a material loss.
http://www.linuxsecurity.com/articles/general_article-3469.html

* Taking Steps Toward a Security Posture
August 9th, 2001

In order to approach security comprehensively, what steps should a company take? Following are a number of processes fundamental to maintaining a security posture, all of which must be addressed if you want to manage risk company-wide.
http://www.linuxsecurity.com/articles/security_sources_article-3467.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-requestat_private with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

- ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 05:44:59 PDT