+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  November 19th, 2001                         Volume 2, Number 46n   |
|                                                                     |
|  Editorial Team:  Dave Wreski             daveat_private            |
|                   Benjamin Thomas         benat_private             |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "On the Security
of PHP," "Brute-Forcing Web Session IDs," and "Public Key Infrastructure
Nuts and Bolts." Also this week, vsftpd-1.0.0 was released.

This week advisories were released for webalizer, ssh-nonfree, ssh-socks,
postfix, and the Korean release of Red Hat. The vendors include Conectiva,
Debian, and Red Hat.

http://www.linuxsecurity.com/articles/forums_article-4028.html


### SECURE YOUR APACHE SERVERS WITH 128-BIT SSL ENCRYPTION ###

Guarantee transmitted data integrity, secure all communication sessions
and more with SSL encryption from Thawte - a leading global certificate
provider for the Open Source community. Learn more in our FREE GUIDE--click
here to get it now:

  --> http://www.gothawte.com/rd89.html


* Don't Risk your network installing an insecure OS *

EnGarde was designed from the ground up as a secure solution, starting with
the principle of least privilege, and carrying it through every aspect of
its implementation.

* http://www.engardelinux.org


+---------------------+
| Host Security News: | <<-----[ Articles This Week ]-------------
+---------------------+

* Overview of LIDS, Part Three
November 16th, 2001

This is the third part of a four-part article devoted to the exploration
of LIDS, a Linux kernel patch that will allow users to take away the
all-powerful nature of root. The first article in this series offered an
overview of LIDS.

http://www.linuxsecurity.com/articles/projects_article-4031.html

* On the Security of PHP, Part 2
November 14th, 2001

The way to secure PHP scripts is through a carefully selected combination
of configuration settings and safe programming practices. Based on the
vulnerabilities that we have studied so far, we will now set forth to
establish some rules that can help avoid dangerous situations.

http://www.linuxsecurity.com/articles/server_security_article-4019.html

* Brute-Forcing Web Session IDs
November 13th, 2001

Almost all of today's "stateful" web-based applications use session IDs
to associate a group of online actions with a specific user. This has
security implications because many state mechanisms that use session IDs
also serve as authentication and authorization mechanisms -- purposes for
which they were not well designed.

http://www.linuxsecurity.com/articles/network_security_article-4012.html


+------------------------+
| Network Security News: |
+------------------------+

* An Analysis of the RADIUS Authentication Protocol
November 12th, 2001

RADIUS is a widely used protocol in network environments. It is commonly
used for embedded network devices such as routers, modem servers,
switches, etc. This analysis deals with some of the characteristics of
the base RADIUS protocol and of the User-Password attribute.

http://www.linuxsecurity.com/articles/network_security_article-4011.html


+------------------------+
| Cryptography News:     |
+------------------------+

* Crypto-Gram November 15, 2001
November 15th, 2001

This month's Crypto-Gram includes comments on security full disclosure,
great comments on GOVNET, Microsoft on XP, and news. "Microsoft is leading
the charge to restrict the free flow of computer security vulnerabilities.
Last month Scott Culp, manager of the security response center at
Microsoft, published an essay describing the current practice of
publishing security vulnerabilities to be "information anarchy."

http://www.linuxsecurity.com/articles/cryptography_article-4025.html

* Strategies & Issues: Public Key Infrastructure Nuts and Bolts
November 12th, 2001

Like a successful public works project, a good Public Key Infrastructure
(PKI) should also be invisible to its end users, whether they're company
employees, business partners, or customers. Similarly, PKI and the digital
certificates that are its stock in trade can be complex and complicated;
the potential for messy mishaps is high.

http://www.linuxsecurity.com/articles/cryptography_article-4008.html


+------------------------+
| Vendors/Products:      |
+------------------------+

* vsftpd-1.0.0 Released
November 12th, 2001

A search for one kind of problem led analysts at the CERT Coordination
Center to find another. In August, the security organization had begun to
contact vendors to get lpd codes from the makers of various printers in
an attempt to create a clearer picture of vulnerabilities surrounding the
software packages known as Internet Security Scanners, said Jason Rafail,
a security analyst at CERT, which is based at Carnegie Mellon University
in Pittsburgh.

http://www.linuxsecurity.com/articles/server_security_article-4010.html


+------------------------+
| General News:          |
+------------------------+

* Watchfire, PwC unveil tools to help with privacy
November 17th, 2001

While pushing a joint privacy management product to enterprises Monday,
Watchfire Corp. and PricewaterhouseCoopers LLP (PwC) also raised a new
specter for the holiday e-buying season. New York-based PwC along with
Watchfire, in Ottawa, said their product, WebCPO, can help companies
comply with a new privacy-related standard called P3P (Platform for
Privacy Preferences).

http://www.linuxsecurity.com/articles/privacy_article-4033.html

* House OKs Bill With Cyber-Security Funding
November 16th, 2001

Brian Krebs and Robert MacMillan, Newsbytes. The House of Representatives
today passed a spending bill that contains funding for a raft of
cyber-security and online crime-fighting initiatives.

http://www.linuxsecurity.com/articles/government_article-4029.html

* Do-it-yourself Internet anonymity
November 14th, 2001

Along with the recent government hysteria over terrorists, we've seen
legislative measures and 'emergency powers' inviting law-enforcement
agencies worldwide to conduct Internet surveillance on an unprecedented
scale.

http://www.linuxsecurity.com/articles/privacy_article-4018.html

* Bug secrecy vs. full disclosure
November 13th, 2001

[Culp] claimed that we'd all be a lot safer if researchers would keep
details about vulnerabilities to themselves, and stop arming hackers with
offensive tools. Last week, at Microsoft's Trusted Computing Forum, Culp
announced a new coalition to put these ideas into practice.

http://www.linuxsecurity.com/articles/forums_article-4017.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-requestat_private
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------