[ISN] Linux Security Week - January 21st 2002

From: InfoSec News (isnat_private)
Date: Tue Jan 22 2002 - 11:16:19 PST


    +---------------------------------------------------------------------+
    |  LinuxSecurity.com                            Weekly Newsletter     |
    |  January 21st, 2002                           Volume 3, Number 3n   |
    |                                                                     |
    |  Editorial Team:  Dave Wreski             daveat_private    |
    |                   Benjamin Thomas         benat_private     |
    +---------------------------------------------------------------------+
     
    Thank you for reading the LinuxSecurity.com weekly security newsletter.
    The purpose of this document is to provide our readers with a quick
    summary of each week's most relevant Linux security headlines.
    
    This week, perhaps the most interesting articles include "The Simplest
    Security: A Guide To Better Password Practices," "Filtering Spam with
    Procmail," "Using ssh Port Forwarding to Print at Remote Locations," and
    "The SANS Network Security Roadmap Poster."
    
    Get 10% Off & FREE Shipping for all Guardian Digital secure servers! Visit
    Guardian Digital's online store for details:
     
     http://store.guardiandigital.com
    
    This week, advisories were released for imp, horde, x-chat, gzip, glibc,
    cipe, sudo, at, stunnel, NetBSD kernel, slashcode, pine, lids, groff,
    bugzilla, and uuxqt.  The vendors include Caldera, Conectiva, Debian,
    EnGarde, Mandrake, NetBSD, Red Hat, Slackware, and SuSE.
    
    http://www.linuxsecurity.com/articles/forums_article-4302.html
    
    
    ## FREE Apache SSL Guide from Thawte ##                                                          
    
    Are you worried about your web server security?  Click here to get a FREE
    Thawte Apache SSL Guide and find the answers to all your Apache SSL
    security needs.
    
     http://www.gothawte.com/rd180.html
    
    
    Find technical and managerial positions available worldwide.  Visit the
    LinuxSecurity.com Career Center: http://careers.linuxsecurity.com
      
    +---------------------+
    | Host Security News: | <<-----[ Articles This Week ]-------------
    +---------------------+
    
    
    * ProFTPD's DoS Problem and Slash's Weak Link
    January 18th, 2002
    
    In this column, we look at several problems with ProFTPD; a Trojan Horse
    application disguised as an exploit; buffer overflows in the glibc
    library, dtspcd, wmcube-gdk, and Mandrake Linux's Kerberos telnet; and
    problems in Slash, IBM Websphere, popauth, Aftpd, TWIG, PGPMail.pl, and
    the Cisco SN 5420 Storage Router.
    
    http://www.linuxsecurity.com/articles/server_security_article-4300.html
    
    
    * The Simplest Security: A Guide To Better Password Practices
    January 18th, 2002
    
    While we may find them annoying, and even take them for granted, it is
    important to remember why passwords are important: passwords are the
    foundation of authentication, which is often the first line of security.
    This article will provide a brief overview of how to create and maintain
    strong, effective passwords.
    
    http://www.linuxsecurity.com/articles/general_article-4304.html
    
    
    * Debian, security, and you
    January 17th, 2002
    
    An interesting bug was filed today by Florian Weimer. I'll quote the bug
    report in full:  "Over the past few months, the GNU/Linux community has
    slowly adopted a way of dealing with security issues which closely
    resembles the approach suggested by Microsoft last year: more-or-less
    systematic hiding of security problems from end users, at least for some
    time.
    
    http://www.linuxsecurity.com/articles/projects_article-4299.html
    
    
    * Filtering Spam with Procmail
    January 14th, 2002
    
    Here's an article that talks about keeping your site safe.  It is a
    discussion of some commercial security products, some of which run on
    Linux. "Still, there's a more insidious threat that such technologies
    don't guard against: actions by your staff to invite seemingly innocuous
    data into your organization. Such data can be harmful because it brings
    viruses or Trojan horses into your systems, exposes your companies to
    lawsuits or merely wastes valuable time and resources."
    
    http://www.linuxsecurity.com/articles/server_security_article-4271.html
    
    
    * The Perfect Forensics Candidate
    January 14th, 2002
    
    This is a great multi-part article on computer forensics, the story of a
    couple of break-ins and how they were detected, and the tools used to
    detect the attacks. "Exodus Communications Inc. has a team of 22 incident
    response analysts, and it can always use a few more people with expertise
    in the field to support internal and client investigations."
    
    http://www.linuxsecurity.com/articles/intrusion_detection_article-4275.html
    
    
    
    
    +------------------------+
    | Network Security News: |
    +------------------------+
    
    * Using ssh Port Forwarding to Print at Remote Locations
    January 17th, 2002
    
    ssh--oh yeah, that's a secure Telnet program, right? Yes, it is, and it's
    much, much more. You're not still using Telnet, are you? Previous issues
    of Linux Journal have talked about the ``much, much more'' of ssh (see
    Resources).
    
    http://www.linuxsecurity.com/articles/network_security_article-4298.html
    
    
    * The SANS Network Security Roadmap Poster
    January 15th, 2002
    
    The SANS Network Security Roadmap poster is now online. It answers
    questions on Integrating Security Into Your Site, How to Get the Work
    Done, Where to Find the Right Information, Pitfalls and Vulnerabilities.
    Great stuff.
    
    http://www.linuxsecurity.com/articles/security_sources_article-4284.html
    
    
    * Kernel Korner: Inside the Linux Packet Filter
    January 15th, 2002
    
    In Part I of this two-part series on the Linux Packet Filter, Gianluca
    describes a packet's journey through the kernel. Network geeks among you
    may remember my article, ``Linux Socket Filter: Sniffing Bytes over the
    Network'', in the June 2001 issue of LJ, regarding the use of the packet
    filter built inside the Linux kernel.
    
    
    http://www.linuxsecurity.com/articles/server_security_article-4279.html
    
    
    
    
    +------------------------+
    |   Cryptography News:   |
    +------------------------+
     
    * Computer Security, Biometrics Dominate NIST Agenda
    January 16th, 2002
    
    NIST is just a few months away from announcing a new biometric standard
    that will be used to confirm the identity of people seeking U.S.  visas or
    using a visa to enter the United States
    
    http://www.linuxsecurity.com/articles/security_sources_article-4297.html
    
    
    
    * Crypto-Gram - January 15, 2002
    January 15th, 2002
    
    This month's cryptogram talks about the Microsoft Plug-and-Play
    vulnerability, reader feedback, Counterpane news, and more. "The big news
    of late December was a security flaw in Microsoft's Universal Plug and
    Play system, a feature in a variety of Windows flavors.
    
    http://www.linuxsecurity.com/articles/cryptography_article-4280.html
    
    
    * Cryptographic Abundance
    January 15th, 2002
    
    Knowledge of cryptographic techniques used to belong almost exclusively to
    governments, which use cryptography to protect political, diplomatic and
    military secrets against the prying eyes of other governments.
    
    http://www.linuxsecurity.com/articles/cryptography_article-4278.html
    
    
    
    +------------------------+
    |  Vendors/Products:     |
    +------------------------+
    
    * Debian Has Slow Security Updates?
    January 15th, 2002
    
    Some comments on the Linux Today story about the recent glibc security
    update challenged my perception that Debian is very responsive to security
    problems in core packages. Basically, they say that this vulnerability was
    reported on December 14th. Has it really taken one month to deliver a core
    glibc update?
    
    http://www.linuxsecurity.com/articles/forums_article-4283.html
    
    
    * Sudo version 1.6.4 now available
    January 14th, 2002
    
    
    http://www.linuxsecurity.com/articles/server_security_article-4276.html
    
    
    
    +------------------------+
    |  General News:         |
    +------------------------+
     
    * Hacker mag takes on US court
    January 18th, 2002
    
    Hacker magazine 2600 has filed a request for the reversal of an earlier US
    court ruling prohibiting the publication of the DeCSS DVD decrypting
    software. The move comes just days after Norwegian authorities indicted
    Jon Johansen, the creator of the DeCSS tool.
    
    http://www.linuxsecurity.com/articles/hackscracks_article-4301.html
    
    
    * EPIC Sues For Govt. Data Collection Info
    January 16th, 2002
    
    Privacy and civil liberties advocacy group Electronic Privacy Information
    Center (EPIC)  said that it asked a federal court Monday to order the
    release of records that detail the sale of personal information to law
    enforcement agencies
    
    http://www.linuxsecurity.com/articles/privacy_article-4285.html
    
    
    * Security Vs. Privacy
    January 14th, 2002
    
    State motor-vehicle offices will propose that drivers' licenses
    incorporate biometrics. Is that the same as a national ID card? Calls for
    creating a national ID card system, which advocates say would make it
    harder for terrorists to move undetected within U.S. borders, have drawn
    criticism for their totalitarian overtones.
    
    http://www.linuxsecurity.com/articles/privacy_article-4273.html
    
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    
         To unsubscribe email newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ------------------------------------------------------------------------
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    


