[ISN] Linux Security Week - November 19th 2001

From: InfoSec News (isnat_private)
Date: Wed Nov 21 2001 - 02:26:21 PST


    LinuxSecurity.com                            Weekly Newsletter
    November 19th, 2001                          Volume 2, Number 46n

    Editorial Team:  Dave Wreski             daveat_private
                     Benjamin Thomas         benat_private

    Thank you for reading the LinuxSecurity.com weekly security newsletter.
    The purpose of this document is to provide our readers with a quick
    summary of each week's most relevant Linux security headlines.

    This week, perhaps the most interesting articles include "On the Security
    of PHP," "Brute-Forcing Web Session IDs," and "Public Key Infrastructure
    Nuts and Bolts."  Also this week, vsftpd-1.0.0 was released.

    This week advisories were released for webalizer, ssh-nonfree, ssh-socks,
    postfix, and the Korean release of Red Hat.  The vendors include Conectiva,
    Debian, and Red Hat.
    Guarantee transmitted data integrity, secure all communication sessions
    and more with SSL encryption from Thawte - a leading global certificate
    provider for the Open Source community. Learn more in our FREE
    GUIDE--click here to get it now:
       --> http://www.gothawte.com/rd89.html

    * Don't Risk your network installing an insecure OS *
    EnGarde was designed from the ground up as a secure solution, starting
    with the principle of least privilege, and carrying it through every
    aspect of its implementation.
    * http://www.engardelinux.org
    -----[ Articles This Week ]-----

    | Host Security News: |

    * Overview of LIDS, Part Three
    November 16th, 2001
    This is the third part of a four-part article devoted to the exploration
    of LIDS, a Linux kernel patch that will allow users to take away the
    all-powerful nature of root. The first article in this series offered an
    overview of LIDS.

    * On the Security of PHP, Part 2
    November 14th, 2001
    The way to secure PHP scripts is through a carefully selected combination
    of configuration settings and safe programming practices. Based on the
    vulnerabilities that we have studied so far, we will now set forth to
    establish some rules that can help avoid dangerous situations.

    * Brute-Forcing Web Session IDs
    November 13th, 2001
    Almost all of today's "stateful" web-based applications use session IDs to
    associate a group of online actions with a specific user. This has
    security implications because many state mechanisms that use session IDs
    also serve as authentication and authorization mechanisms -- purposes for
    which they were not well designed.
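    The session-ID item above makes the point that an identifier which doubles
    as an authentication token must be unguessable. The script below is an
    added example (not code from the newsletter or from the article it
    summarises) showing how a defender can measure that property for their own
    generator: it compares a hypothetical weak scheme built from a request
    counter and a timestamp against a CSPRNG-backed one, estimates the entropy
    of each from a constructed sample of IDs, and applies a 64-bit floor, which
    is a commonly cited minimum rather than a figure taken from the newsletter.

```python
import math
import secrets
from collections import Counter
from typing import Iterable, List


def weak_session_id(counter: int, now: float) -> str:
    """Hypothetical weak generator (constructed for this example): an
    8-digit request counter followed by a 10-digit Unix timestamp. Anyone who
    knows roughly when a session was created faces only a tiny remaining
    space, which is exactly the weakness the article's title refers to."""
    return f"{counter % 10**8:08d}{int(now) % 10**10:010d}"


def strong_session_id(nbytes: int = 16) -> str:
    """Generator a defender should use: 128 bits drawn from the OS CSPRNG."""
    return secrets.token_hex(nbytes)


def positional_entropy_bits(ids: Iterable[str]) -> float:
    """Estimate a generator's entropy from a sample of its output by summing
    the Shannon entropy of every character position. Positions are treated as
    independent, so the result is an upper bound on the true entropy: a low
    figure is conclusive evidence of a weak generator, a high figure is only
    encouraging and does not prove the generator is sound."""
    sample: List[str] = list(ids)
    if not sample:
        raise ValueError("need at least one session ID")
    width = len(sample[0])
    if any(len(s) != width for s in sample):
        raise ValueError("session IDs in the sample must have equal length")
    n = len(sample)
    total = 0.0
    for pos in range(width):
        counts = Counter(s[pos] for s in sample)
        total += -sum((c / n) * math.log2(c / n) for c in counts.values())
    return total


def meets_minimum(bits: float, minimum_bits: float = 64.0) -> bool:
    """Acceptance check against a floor; 64 bits is an assumed, commonly
    cited minimum for session identifiers, not a value from the newsletter."""
    return bits >= minimum_bits


def sample_weak(n: int = 2000, base_time: float = 1_005_800_000.0) -> List[str]:
    """Constructed sample: n sessions created within about 20 seconds of each
    other, as a busy server would produce them."""
    return [weak_session_id(i, base_time + i * 0.01) for i in range(n)]


def sample_strong(n: int = 2000) -> List[str]:
    """Constructed sample of the same size from the CSPRNG-backed generator."""
    return [strong_session_id() for _ in range(n)]


if __name__ == "__main__":
    for name, ids in (("weak", sample_weak()), ("strong", sample_strong())):
        bits = positional_entropy_bits(ids)
        verdict = "ok" if meets_minimum(bits) else "guessable"
        print(f"{name:6s} ~{bits:6.1f} bits  {verdict}")
```

    Run as a script it prints the estimate for both samples; the weak scheme
    lands around 15 bits because most digit positions never change within a
    short window, while the CSPRNG scheme approaches its 128-bit ceiling. The
    same estimator can be pointed at a sample of real IDs harvested from your
    own application's logs to audit a third-party framework's generator.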
    | Network Security News: |

    * An Analysis of the RADIUS Authentication Protocol
    November 12th, 2001
    RADIUS is a widely used protocol in network environments. It is commonly
    used for embedded network devices such as routers, modem servers,
    switches, etc. This analysis deals with some of the characteristics of the
    base RADIUS protocol and of the User-Password attribute.
    | Cryptography News: |

    * Crypto-Gram November 15, 2001
    November 15th, 2001
    This month's crypto-gram includes comments on security full disclosure,
    great comments on GOVNET, Microsoft on XP, and news. "Microsoft is leading
    the charge to restrict the free flow of computer security vulnerabilities.
    Last month Scott Culp, manager of the security response center at
    Microsoft, published an essay describing the current practice of
    publishing security vulnerabilities to be 'information anarchy.'"

    * Strategies & Issues: Public Key Infrastructure Nuts and Bolts
    November 12th, 2001
    Like a successful public works project, a good Public Key Infrastructure
    (PKI) should also be invisible to its end users, whether they're company
    employees, business partners, or customers.  Similarly, PKI and the
    digital certificates that are its stock in trade can be complex and
    complicated -- the potential for messy mishaps is high.
    | Vendors/Products: |

    * vsftpd-1.0.0 Released
    November 12th, 2001
    A search for one kind of problem led analysts at the CERT Coordination
    Center to find another. In August, the security organization had begun to
    contact vendors to get lpd codes from the makers of various printers in an
    attempt to create a clearer picture of vulnerabilities surrounding the
    software packages known as Internet Security Scanners, said Jason Rafail,
    a security analyst at CERT, which is based at Carnegie Mellon University
    in Pittsburgh.
    | General News: |

    * Watchfire, PwC unveil tools to help with privacy
    November 17th, 2001
    While pushing a joint privacy management product to enterprises Monday,
    Watchfire Corp. and PricewaterhouseCoopers LLP (PwC) also raised a new
    specter for the holiday e-buying season. New York-based PwC along with
    Watchfire, in Ottawa, said their product, WebCPO, can help companies
    comply with a new privacy-related standard called P3P (Platform for
    Privacy Preferences).

    * House OKs Bill With Cyber-Security Funding
    November 16th, 2001
    Brian Krebs and Robert MacMillan, Newsbytes. The House of Representatives
    today passed a spending bill that contains funding for a raft of
    cyber-security and online crime-fighting initiatives.

    * Do-it-yourself Internet anonymity
    November 14th, 2001
    Along with the recent government hysteria over terrorists, we've seen
    legislative measures and 'emergency powers' inviting law-enforcement
    agencies worldwide to conduct Internet surveillance on an unprecedented

    * Bug secrecy vs. full disclosure
    November 13th, 2001
    [Culp] claimed that we'd all be a lot safer if researchers would keep
    details about vulnerabilities to themselves, and stop arming hackers with
    offensive tools. Last week, at Microsoft's Trusted Computing Forum, Culp
    announced a new coalition to put these ideas into practice.
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
         To unsubscribe email newsletter-requestat_private
             with "unsubscribe" in the subject of the message.

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Nov 28 2001 - 16:05:46 PST