[ISN] Linux Security Week - October 29th 2001

From: InfoSec News (isnat_private)
Date: Tue Oct 30 2001 - 01:35:21 PST

  • Next message: InfoSec News: "Re: [ISN] Cryptanalysis of Multiswap"

    |  LinuxSecurity.com                            Weekly Newsletter     |
    |  October 29th, 2001                          Volume 2, Number 43n   |
    |                                                                     |
    |  Editorial Team:  Dave Wreski             daveat_private    |
    |                   Benjamin Thomas         benat_private     |
    Thank you for reading the LinuxSecurity.com weekly security newsletter.
    The purpose of this document is to provide our readers with a quick
    summary of each week's most relevant Linux security headlines.
    This week, perhaps the most interesting articles include "Avoiding
    security holes when developing an application," "Secure Communications
    with OpenSSH," and "Intrusion Detection Systems for the Uninitiated."
    This week, advisories were released for gftp, diffutils, nvi, squid,
    util-linux, openssh, shadow/login, htdig, mod_auth_pgsql, and the Linux
    kernel.  The vendors include Conectiva, Debian, Immunix, and Red Hat.
      ** FREE Apache SSL Guide from Thawte **
      Planning Web Server Security? Find out how to implement SSL! 
      Get the free Thawte Apache SSL Guide and find the answers to all 
      your Apache SSL security issues and more at: 
    * Don't Risk your network installing an insecure OS *
    EnGarde was designed from the ground up as a secure solution, starting
    with the principle of least privilege, and carrying it through every
    aspect of its implementation.
    * http://www.engardelinux.org 
    Take advantage of our Linux Security discussion list!  This mailing list
    is for general security-related questions and comments. To subscribe send
    an e-mail to security-discuss-requestat_private with "subscribe"
    as the subject.
    | Host Security News: | <<-----[ Articles This Week ]-------------
    * Avoiding security holes when developing an application - Part 5:
    race conditions
    October 24th, 2001
    This fifth article of our series is dedicated to security problems related
    to multitasking. A race condition occurs when different processes use the
    same resource (file, device, memory) at the same time and each one
    "believes" it has exclusive access.
    * Secure Communications with OpenSSH
    October 22nd, 2001
    Computer networks are an inherently insecure medium. Unless you are
    assured that your packets will never pass through a router or computer
    which you do not have direct control over, your data is not safe. It may
    be viewed by an untrustworthy sysadmin or script kiddie, it may be
    tampered with en route, or it may be intercepted and replaced with
    entirely different data.
    | Network Security News: |
    * Intrusion Detection Systems for the Uninitiated, Part 2; Installing
    and Configuring Snort
    October 26th, 2001
    Snort is a lightweight network-based intrusion detection system (called
    NIDS). NIDS is unlike 'portsentry', which is a host based IDS and capable
    of performing real-time traffic analysis and packet logging on IP
    networks. The reason Snort is called 'lightweight' NIDS, is because it's
    easy to use and install and is designed primarily for small networks.
    * Survey finds security practices appalling
    October 24th, 2001
    Despite the recent attacks of viruses, individuals are reluctant to review
    their security practices, according to a recent survey conducted by
    Central Command. The results however, were completely aligned to the
    general feeling among industry analysts that security is not seen as a
    priority among users.
    * Introduction to Security Policies, Part Four: A Sample Policy
    October 24th, 2001
    This is the fourth in a four-part overview of security policies. In the
    first article, we looked at what policies are and what they can achieve.
    The second article looked at the organizational support required to
    implement security policies successfully. The third installment discussed
    how to develop and structure a security policy.
    | Cryptography News:     |
    * Encryption technology is not an enemy of the state
    October 25th, 2001
    The perennial target for government disapproval is encryption, and recent
    events in New York have added serious fuel to the already glowing embers
    of the argument. It is a touchy subject in light of the recent atrocities,
    which are being used as an excuse to push legislation through.
    * Master key encryption plan abandoned
    October 25th, 2001
    As concern grows over the vulnerability of government and industry
    organizations, a familiar and controversial battle has been revisited on
    Capitol Hill: the question of whether government should have control of
    encrypted messages.
    * Prediction in chaos points to secure transmissions
    October 25th, 2001
    A secure method for sending and receiving encrypted messages may follow
    the first demonstration of a technique that predicts chaotic fluctuations
    in laser light.  Researchers from the University of Wales in Bangor have
    shown that by using two duplicate chaotic semiconducting laser systems,
    one to send an encrypted message and another to receive and decipher it, a
    state called anticipating synchronisation occurs.
    |Vendors/Tools/Products: |
    * Now is the time for two-factor security
    October 26th, 2001
    Whether you're a consumer, or a manager who shares the responsibility for
    protecting your company's digital assets and the privacy of your
    customers, it's time to get ready for two-factor security. In fact, it's
    time to start insisting on it
    |  General News:         |
    * Cybernarks - Who's hunting the Hackers?
    October 27th, 2001
    Steven Lynch was first introduced to the joys of hunting down hackers in
    MIT in 1989. While working in the University's IT department he came
    across Australia's very own Leftist and Urvile, as they took control of
    the institutions servers and used them to poke holes in systems on the
    other side of the world. Phoenix and Electron were eventually tracked down
    to a flat in Melbourne, but not before Lynch spent countless hours
    following their clandestine progress through unsuspecting networks.
    * Keeping Security Issues in the Open
    October 26th, 2001
    Microsoft's security manager is arguing, in effect, that security issues
    should be kept secret - and out of the flow of publicly available
    information.  The manager of the security response center at Microsoft
    (Nasdaq: MSFT), Scott Culp, apparently wants to keep security issues in a
    box -- and out of the hands of those affected by them.
    * Dave Dittrich Responds to WinXP Security Claim
    October 25th, 2001
    Dave Dittrich, best known for his Honeynet and DDoS expertise, responds to
    claims made by Steve Gibson claiming that "raw sockets are the devil" in
    the latest OS by Microsoft. Dave writes, "Steve Gibson is *still* pushing
    "raw sockets are the devil?" Anyone (especially journalists) who are
    interested in this topic had best look into the details, not just take
    what Steve tells them."
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
         To unsubscribe email newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Oct 30 2001 - 03:40:13 PST