[ISN] Linux Security Week - September 10th 2001

From: InfoSec News (isnat_private)
Date: Mon Sep 10 2001 - 23:09:31 PDT


LinuxSecurity.com Weekly Newsletter
September 10th, 2001 -- Volume 2, Number 36n

Editorial Team: Dave Wreski (daveat_private), Benjamin Thomas (benat_private)
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "OpenSSH key
management, Part 2," "An Introduction to OpenSSL, Part Two:
Cryptographic Functions Continued," and "Remote Monitoring." Also this
week, if you have not read about Echelon, there are two good articles in
the general section of this newsletter.

EnGarde was designed from the ground up as a secure solution, starting
with the principle of least privilege and carrying it through every
aspect of its implementation.

This week, advisories were released for xinet, windowmaker, sendmail,
fetchmail, xli, telnetd, rmuser, NetBSD kernel, and fts. The vendors
include Conectiva, NetBSD, Mandrake, and SuSE. Mandrake users are
especially encouraged to update this week because of the large number of
advisories.
[ Articles This Week ]

| Host Security News: |
    * An Introduction to OpenSSL, Part Two: Cryptographic Functions
    September 6th, 2001
    This is the second article in a series on OpenSSL, a library written in
    the C programming language that provides routines for cryptographic
    primitives utilized in implementing the Secure Sockets Layer (SSL)
    protocol. In the first article in the series, we discussed some of the
    basics of cryptography.
    * OpenSSH key management, Part 2
    September 6th, 2001
    Many developers use the excellent OpenSSH as a secure, encrypted
    replacement for the venerable telnet and rsh commands. One of OpenSSH's
    more intriguing features is its ability to authenticate users using the
    RSA and DSA authentication protocols, which are based upon a pair of
    complementary numerical "keys".
    * Inside Jail: FreeBSD
    September 6th, 2001
    On most UNIX systems, root has omnipotent power. This promotes insecurity.
    If an attacker were to gain root on a system, he would have every function
    at his fingertips. In FreeBSD there are sysctls which dilute the power of
    root, in order to minimize the damage caused by an attacker.
    * The First Step of Exploring a System
    September 6th, 2001
The first step to exploring a system is not just another point and click.
It is the part that, surprisingly, no one really talks about: gathering
information on the subject. In order to successfully get into a system, one
must know enough about the entity to gain access to it.
    | Network Security News: |
    * Honeynet Project: September Scan Results
    September 4th, 2001
    The purpose of this monthly project is to help the security community
    develop the forensic and analysis skills to decode blackhat attacks. This
    is done by taking signatures we have captured in the wild and challenging
    the security community to decode the signatures.
    * SC Mag: Remote Monitoring
    September 4th, 2001
Why Outsource IDS Monitoring, Anyway? The simple answer to that, if there
is one, is that organizations are caught between massive security
requirements and minuscule security budgets. Outsourcing offers the
benefits of economies of scale in that the client does not need to hire
staff, spend money for specialized infrastructure, etc.
    * A Growing Demand for Security Administrators, Part 2
    September 4th, 2001
Demand for security specialists will only continue to grow, enabling
security administrators to move in several different directions.
Within internal IT, they can move up the management chain to
security architect, network architect, ecommerce architect, and beyond to
director of networking or operations director and up.
    * A network setup with FreeBSD and OpenBSD
    September 3rd, 2001
    This article discusses a network setup which might prove useful for people
    who like to put some extra effort into connecting their machines to the
    Internet. The goal is to build a secure client and server farm on a single
    IP address.
    | Cryptography News:     |
    * PGP opens up complete encryption source code
    September 7th, 2001
    One of the first encryption products is made available to all.  PGP
    Security -- a division of Network Associates that has been criticised in
    the past for being too proprietary -- has made available the electronic
    distribution of its complete source code for the PGPsdk, its cryptographic
    toolkit. PGP, which was one of the world's first encryption products and a
    de facto standard for encryption, is the foundation of all PGP Desktop,
    Wireless and Server products.  The release of the source code will provide
    academic researchers and cryptographers the ability to review every detail
of PGPsdk's cryptographic features. The move comes a short time after the
US government relaxed export regulations on cryptographic source code,
Santa Clara, California-based PGP Security said.
    * Quantum Crypto to the Rescue
    September 7th, 2001
    This week has been big for cryptography.  It's seen both technical and
    theoretical advances in next-generation quantum crypto systems and
    technology.  It's seen a prototype enter its testing phase that could send
    secret crypto keys through open air to a satellite or across town.
    * In PKI We Trust?
    September 4th, 2001
    When PKIs hit the streets a few years ago, a media frenzy ensued --
    remember 1999, the year of the public-key infrastructure? Now it's the
    morning after, and we've gotten a dose of reality when it comes to the
    cost and complexity of rolling out a PKI.
    | Vendors/Products:      |
    * Prioritizing patches: A precipitous pandemonium
    September 8th, 2001
    Is the patching of mission critical systems and related software a
    priority for your business? May I suggest that patching such software
    become an imperative task incorporated into an IT position ASAP.
    * Rule Set Based Access Control version 1.1.2 Now Available
    September 3rd, 2001
    After project leaders pan vulnerability assessment, a Back Orifice
    demonstration quells the skeptics. My company is about to deploy a virtual
    private network (VPN). During a recent project meeting, the project
    manager asked each department representative to identify six tasks related
    to our areas of responsibility.
    | General Security News: |
    * Echelon spying network exists, EU committee says
    September 6th, 2001
Echelon exists, the European Union (EU) Parliament was told Wednesday.
Echelon, allegedly a vast information collection system capable of
monitoring all the electronic communications in the world, has been talked
about in security circles for several years. But no government agency in
the world has ever confirmed or denied its existence. An EU committee has
been investigating the system for almost a year. Just because the
surveillance network exists, however, doesn't mean that government
agencies can access all the information Echelon collects, Gerhard Schmid,
the German Member of the European Parliament (MEP), told Parliament
members in Strasbourg. The European Parliament accepted Schmid and his
team's 130-page-plus report and its 44 recommendations in a 367-159 vote.
There were 34 abstentions, though these were not explained.
    * Information Security Certification: A Rule Of Thumb
    September 4th, 2001
    Take a wander through the landscape of infosec certification and you will
    encounter a morass of acronyms, training and exam fees, claims and
    counterclaims. Pete Thomas, Editor of SecurityWatch, and Tony Rich,
    Account Director of UK IT security recruitment specialists Acumin, help
    you find your way.
    * What is Echelon?
    September 4th, 2001
    The following information consists entirely of excerpts from the European
    Parliament's "Temporary Committee on the ECHELON Interception System"
    report. After reading the entire lengthy, and often technical, report I
    decided to sift through and find the information that most people would
    find informative and applicable to their own lives and use of the Internet
    and electronic communications in general.
Distributed by: Guardian Digital, Inc. (LinuxSecurity.com)
To unsubscribe, email newsletter-requestat_private with "unsubscribe" in
the subject of the message.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Sep 11 2001 - 01:49:21 PDT