[ISN] Linux Security Week - October 22nd 2001

From: InfoSec News (isnat_private)
Date: Tue Oct 23 2001 - 00:37:19 PDT

  • Next message: InfoSec News: "[ISN] (U) Replacement column"

    |  LinuxSecurity.com                            Weekly Newsletter     |
    |  October 22nd, 2001                          Volume 2, Number 42n   |
    |                                                                     |
    |  Editorial Team:  Dave Wreski             daveat_private    |
    |                   Benjamin Thomas         benat_private     |
    Thank you for reading the LinuxSecurity.com weekly security newsletter.
    The purpose of this document is to provide our readers with a quick
    summary of each week's most relevant Linux security headlines.
    This week, perhaps the most interesting articles include "Good Security
    information is crucial," "An Overview of LIDS," and "Intrusion Detection
    Systems for the Uninitiated."  Also this week, several interesting
    articles were written on privacy and encryption.
    This week, advisories were released for w3m, xvt, procmail, zope, openssh,
    openssl, until-linux, htdig, kernel, apache, and xinetd. The vendors
    include Caldera, Conectiva, Debian, EnGarde, Immunix, Mandrake, Red Hat,
    and Trustix.
      ** FREE Apache SSL Guide from Thawte **
      Planning Web Server Security? Find out how to implement SSL!
      Get the free Thawte Apache SSL Guide and find the answers to all your
      Apache SSL security issues and more at:
    * Don't Risk your network installing an insecure OS *
    EnGarde was designed from the ground up as a secure solution, starting
    with the principle of least privilege, and carrying it through every
    aspect of its implementation.
    * http://www.engardelinux.org
    Take advantage of our Linux Security discussion list!  This mailing list
    is for general security-related questions and comments. To subscribe send
    an e-mail to security-discuss-requestat_private with "subscribe"
    as the subject.
    | Host Security News: | <<-----[ Articles This Week ]-------------
    * Good security administration is crucial
    October 20th, 2001
    Firms should revamp their security admin rather than just avoiding
    Microsoft products, warns expert.  Firms are being advised to tighten up
    on security administration rather than switch from Microsoft software to
    open source operating systems, as fears over digital vulnerabilities
    * An Overview of LIDS
    October 18th, 2001
    In traditional Unix models, the root user is all-powerful. Root is exempt
    from the rules and regulations of the filesystem, and has abilities that
    other users do not: putting interfaces into promiscuous mode, for example.
    Many folks realized that this uncontrolled access could be a bad thing.
    Should a vulnerability be found in a program that is run as root, it could
    cause boundless damage.
    | Network Security News: |
    * Firewalls not perfect but needed these days
    October 21st, 2001
    With the numbers of hackers and viruses these days, everyone who has a
    computer that's connected to a network -- including the Internet -- should
    have a firewall or be running behind one. This is a Q&A sessions about
    firewalls with Patrick Marshall, a Technology columnists for The Seattle
    * Firing up Firewalls
    October 20th, 2001
    One of the first lines of defense against hackers is your firewall. The
    firewall acts as a filter, blocking unwanted packets from reaching your
    network. In most cases, a properly configured firewall will protect a
    network from viruses such as the Code Red worm, even if there are
    vulnerable machines residing inside the network.
    * Intrusion Detection Systems for the Uninitiated, Part 2; Installing
    and Configuring Snort
    October 17th, 2001
    Shashank Pandey returns to Linux.com with part two of his popular series
    on IDS: Intrusion detection Systems for Linux. Quizzing PortSentry in his
    last article, in today's Pandey cast a sharp eye over working with snort.
    And remember in some primitive parts of the world you have to pay for
    information like this!
    | Cryptography News:     |
    * Encryption: How Prevalent Is It?
    October 15th, 2001
    Many companies have reassessed their technology initiatives in the month
    since the tragic attacks on the United States. Some are focusing on
    security measures for IT systems while others are deepening efforts to
    secure facilities and intellectual property.
    |Vendors/Tools/Products: |
    * Openwall Kernel Security Patch Update
    October 21st, 2001
    The Openwall kernel security patch is a collection of security-related
    features for the Linux kernel, all configurable via the new 'Security
    options' configuration section.  In addition to the new features, some
    versions of the patch contain various security fixes. A new revision of
    the Openwall Linux kernel patch, 2.2.19-ow3, is now available.
    * A Sysadmin's Security Basics
    October 19th, 2001
    System administrators are no longer alone in their concern for security.
    The increase in high-profile virus attacks, and a general sense of
    heightened security, means that executives are likely to have security on
    their mind. It may be easier than ever to enlist their support for
    securing our networks and systems, and they may be more likely to put up
    with some inconvenience for users if it means tighter security.
    * Open source tool put on red alert
    October 15th, 2001
    Hundreds of thousands of websites may be at risk after hackers discovered
    a vulnerability in a popular web server program. Users running PHP Nuke, a
    free open source tool for database-based websites, were put on red alert
    yesterday when it was discovered that hackers were exploiting a recently
    discovered flaw in the code to take control of servers.  The glitch exists
    in all versions of PHP Nuke and allows unauthorised users to copy files to
    and from the web server and possibly gain control of the machine.  There
    are over 22,000 users registered at the program's PHPNuke.org website but
    it is thought that there may be hundreds of thousands of sites running the
    vulnerable software.
    * Startup offers gains in multilayer security silicon
    October 15th, 2001
    A security processor startup with a design team composed of engineers from
    Compaq Computer Corp.'s former Alpha operation has introduced a new
    encryption chip that it claims will shatter the current standards for
    high-end encryption.
    |  General News:         |
    * Eric Raymond Responds to Disclosure Rhetoric
    October 21st, 2001
    Cryptographers and security experts have known for years that peer review
    of open source code is the only reliable way to verify the effectiveness
    of encryption systems and other security software.  So Microsoft's
    closed-source mode of development guarantees that customers will continue
    getting cracked and Microsoft will continue pointing the finger of blame
    everywhere except where it actually belongs.
    * IRS seeks more security funding
    October 18th, 2001
    John Reece, the chief information officer at the Internal Revenue Service,
    said priorities have changed in the wake of the Sept. 11 terrorist
    attacks, and the tax agency is seeking more money for security.  Like
    other agencies, Reece said the IRS has asked the Office of Management and
    Budget for increased funds immediately to help secure systems at the tax
    * Must privacy die too?
    October 16th, 2001
    As an IT security professional Neil Barrett welcomes moves to record
    online activity, but as a private citizen he doubts that increased online
    surveillance is healthy So, the terrorists who hijacked the planes and
    caused heart- and commerce-stopping panic used email, encryption,
    steganography and the rest, did they? And because of this, the FBI and
    police forces are re-opening the painful debates about retention and
    release of Internet content and traffic data, the extensive interception
    of email, and the release of information on users.
    * CERT/CC Statistics 1988-2001
    October 16th, 2001
    The CERT/CC statistics on incidents handled, vulnerabilities reported,
    security alerts and notes published, hotline calls handled, and email
    messages handled have been updated with information from the third quarter
    of 2001.
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
         To unsubscribe email newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Oct 23 2001 - 02:39:32 PDT