[ISN] Linux Security Week - August 13th 2001

From: InfoSec News (isnat_private)
Date: Tue Aug 14 2001 - 02:58:00 PDT

  • Next message: InfoSec News: "Re: [ISN] Japan arrests woman for email snooping"

    |  LinuxSecurity.com                            Weekly Newsletter     |
    |  August 13th, 2001                           Volume 2, Number 32n   |
    |                                                                     |
    |  Editorial Team:  Dave Wreski             daveat_private    |
    |                   Benjamin Thomas         benat_private     |
    Thank you for reading the LinuxSecurity.com weekly security newsletter.
    The purpose of this document is to provide our readers with a quick
    summary of each week's most relevant Linux security headlines.
    This week, the most interesting articles include "Your Network's Secret
    Life, Part 5," "Triple your remote office protection: The Layered
    Approach," and "Linux IPsec Gateways Using FreeS/Wan."  Also this week, if
    you are in the information security field, Computerworld has released an
    excellent summary of statistics for year 2000 and projected 2001.
    This week, advisories were released for xmcd, tomcat, squid, zope, FreeBSD
    kernel, openldap, xloadimage, and kerberos.  The vendors include Caldera,
    Debian, FreeBSD, and Red Hat and SuSE.
    PacketStorm Security named EnGardeLinux.com, the Official Site for the
    Engarde Secure Linux distribution, "Site of The Week".  PacketStorm
    Security is known as one of the largest and highly regarded security sites
    on the Internet, offering the latest security exploits, articles and
    tools. We would like to thank our friends at PacketStorm for the
    prestigious honor.
    HTML Version:
    | Host Security News: | <<-----[ Articles This Week ]-------------
    * IPFilter on OpenBSD
    August 8th, 2001
    What is IPFilter? Very simply, a package for permitting (or passing) and
    denying IP packets based on a range of criteria. It can also provide
    Network Address Translation (NAT) services, if desired. The IPFilter web
    site has more details.
    * Introduction to Input Validation with Perl
    August 8th, 2001
    How can we make software that withstands malicious input attacks? We can
    start by minimizing the set of entities our software trusts and by
    vigorously validating all input.  A very important, well known, yet too
    often lightly dismissed problem in software security is that of trust
    * Blame it on the buffer overflows
    August 7th, 2001
    It used to be that buffer overflows were just a nagging 40-year-old glitch
    in the software development process. Today, as illustrated by Code Red,
    they are the No. 1 reason hackers can slice through corporate networks
    like Swiss cheese.
    | Network Security News: |
    * Hacking the hacker
    August 12th, 2001
    You're a hot shot. You know how to use Linux and hey, you even got that
    modem working. People think you're smart because you know how to use
    Linux. But then one night, you're sitting in front of your computer (the
    one that has the always-on cable modem or DSL connection) and being the
    smart person that you are, you said that you didn't need security.
    * Your Network's Secret Life, Part 5
    August 12th, 2001
    Other than my little excursion into xinetd, I've used this series to show
    you ways in which you can make some sense of the packets flying around
    your network, and the tools that can help you do that. I started this
    article by giving you the dictionary definition for "ethereal". Ethereal
    also happens to be the name of an excellent network protocol analyzer, a
    powerful tool that lets you see what is happening on your network right
    * WLANs Cause Widespread Security Concerns
    August 10th, 2001
    By the end of 2002, 30 percent of all enterprises will risk security
    breaches because they've deployed 802.11b wireless local area networks
    (WLANs) without proper security, research and advisory firm Gartner, Inc.
    said Thursday. About 50 percent of all enterprises plan to install WLANs,
    according to Gartner, but at least 20 percent of large businesses already
    have "rogue" WLANs in place that were installed by users, not information
    technology (IT) shops, the firm claims.
    * Triple your remote office protection: The Layered Approach
    August 9th, 2001
    We all know that two-thirds of corporate hacks come from inside the
    firewall, making internal security as important as external. But what
    about your remote offices and SOHO workers? Are they as vulnerable to
    attacks as your corporate workers?
    * Linux IPsec Gateways Using FreeS/Wan
    August 9th, 2001
    By far the most viable VPN solution is an IPsec variant Not only is IPsec
    built in to IPV6, but also all the major vendors and software consortiums
    are gearing their products towards this standard. There's only one real
    choice here for IPsec and open-source on Linux and that is FreeS/WAN.
    | Cryptography News:     |
    * Encryption cores ramp for pervasive security
    August 10th, 2001
    With subtle distinctions, intellectual-property (IP) core vendors are
    readying implementations of the Advanced Encryption Standard (AES)
    security algorithm. The vendors, established and startup, are banking on
    applications from miniature wireless devices to massively parallel Web
    servers to support the rapid and pervasive deployment of
    encryption-enabled devices and systems.
    * 128 Bit Wireless Encryption Cracked
    August 10th, 2001
    We implemented an attack against WEP, the link-layer security protocol for
    802.11 networks. The attack was described in a recent paper by Fluhrer,
    Mantin, and Shamir. With our implementation, and permission of the network
    administrator, we were able to recover the 128 bit secret key used in a
    production network, with a passive attack.
    * Cryptographer: Sklyarov case shows business outweighs First
    August 10th, 2001
    Noted cryptographer Bruce Schneier has produced a damning critique of the
    way the Digital Millennium Copyright Act was used to jail Russian software
    researcher Dmitry Sklyarov. Schneier, chief technology officer of
    Counterpane Internet Security, and inventor of the Blowfish algorithm,
    will argue in the next issue of his Crypro-Gram email newsletter that the
    Sklyarov case shows the DMCA is being used to restrict basic freedoms of
    | Vendors/Tools          |
    * Shrink-Wrapped Security
    August 11th, 2001
    In a sense, there is no reason why testing a security solution should not
    be as simple as point and click. Most of the other things we do on a daily
    basis are done the same way. Perhaps the bigger issue is that while the
    software to test our security solutions may be simple and easy to use, are
    those doing the pointing and clicking able to effectively test, and (just
    as important) interpret the information produced from such a test?
    * EnGardeLinux.com Named Site of the Week!
    August 10th, 2001
    PacketStorm Security named EnGardeLinux.com, the Official Site for the
    Engarde Secure Linux distribution, "Site of The Week".  PacketStorm
    Security is known as one of the largest and highly regarded security sites
    on the Internet, offering the latest security exploits, articles and
    * ComputerWorld: Security Statistics
    August 6th, 2001
    A nice account of the costs associated with attacks and computer security.
    " The threat from computer crimes and other online security breaches has
    barely slowed, never mind stopped, according to a recent survey of 538
    security professionals in U.S. corporations that was conducted by the
    Computer Security Institute and the FBI?s Computer Intrusion Squad."
    | General Security News: |
    * Tech watch: Hackers get no respect -- but they might be marketable
    August 11th, 2001
    Hackers are a misunderstood lot. And they're more powerful than they
    realize. So says John Lee. "They can destroy, steal or corrupt valuable
    information if they want to," Lee said. He should know. In 1992, he earned
    the distinction of making Wired magazine's "Rogue's Gallery" after he and
    four cronies (his code name was "Corrupt") were convicted of hacking the
    networks of AT&T, Bank of America, TRW and the National Security Agency
    and stealing confidential information from credit reports.
    * Who is responsible for security?
    August 9th, 2001
    Board members could face criminal proceedings if security systems are
    inadequate, writes Ian Murphy. For companies that are publicly quoted,
    poor or non-existent security measures can become a legal issue that could
    see the board of directors charged with negligence if the company suffers
    a material loss.
    * Taking Steps Toward a Security Posture
    August 9th, 2001
    In order to approach security comprehensively, what steps should a company
    take? Following are a number of processes fundamental to maintaining a
    security posture-all of which must be addressed if you want to manage risk
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
         To unsubscribe email newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 05:44:59 PDT