+---------------------------------------------------------------------+
|  LinuxSecurity.com                          Weekly Newsletter       |
|  April 1st, 2002                            Volume 3, Number 13n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             daveat_private            |
|                   Benjamin Thomas         benat_private             |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "A Buffer Overflow Study: Attacks & Defenses," "Connecting SSH Through a Gateway," "Experts Debate Risks to Crypto," and "Your Web Server Is Not A Good Hiding Place."

This week, advisories were released for zlib, php, mtr, squid, analog, and imlib. The vendors include Conectiva, Debian, FreeBSD, and Red Hat.
http://www.linuxsecurity.com/articles/forums_article-4700.html

Performance and Stability meet Security - EnGarde has everything necessary to create thousands of virtual Web sites, manage e-mail, DNS, firewalling and database functions for an entire organization, and supports high-speed broadband connections, all using a Web-based front-end. EnGarde Secure Professional provides those features and more!
--> http://store.guardiandigital.com/html/eng/promo.shtml

FEATURE: Dsniff 'n the Mirror - This is a practical step-by-step guide showing how to use Dsniff, MRTG, IP Flow Meter, Tcpdump, NTOP, Ngrep, and others. It also provides a discussion of how and why we should monitor network traffic.
http://www.linuxsecurity.com/feature_stories/dsniff-monitoring.html

Find technical and managerial positions available worldwide. Visit the LinuxSecurity.com Career Center: http://careers.linuxsecurity.com

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]-------------
+---------------------+

* A Buffer Overflow Study: Attacks & Defenses
March 27th, 2002

A technical overview of heap and buffer overflows, Linux tools that can be used to reduce their risk, the kinds of exploits these tools can prevent, and more. "This study deals with the various kinds of overflows (heap, stack) to understand how they work and how they may be used to execute malicious code."
http://www.linuxsecurity.com/articles/projects_article-4688.html

+------------------------+
| Network Security News: |
+------------------------+

* Case Studies: Connecting SSH Through a Gateway
March 29th, 2002

In the corporate world, companies commonly require all outgoing connections to pass through a proxy server or gateway host: a machine connected to both the company network and the outside. Although connected to both networks, a gateway host doesn't act as a router, and the networks remain separated.
http://www.linuxsecurity.com/articles/cryptography_article-4705.html

* Wireless LANs Security
March 29th, 2002

A nice resource of links to articles on wireless networking security. "LAN 802.11 benefits and applications have recently gained enthusiastic acceptance in workplaces where mobility is essential."
http://www.linuxsecurity.com/articles/network_security_article-4704.html

* Come on, own up: IT managers leave firewalls open for hackers
March 28th, 2002

The number of flaws reported in firewalls has rocketed by nearly 50 per cent over the past four years because IT pros don't know how to configure them. A report by security testing specialist NTA Monitor found that flaws in firewalls have increased by 45 per cent since 1998.
http://www.linuxsecurity.com/articles/hackscracks_article-4693.html

+------------------------+
| Cryptography:          |
+------------------------+

* Experts Debate Risks to Crypto
March 28th, 2002

There is a growing debate in the cryptography community over whether the cryptographic keys used in dozens of applications should be considered compromised in light of a recent paper detailing a more efficient way of factoring large numbers.
http://www.linuxsecurity.com/articles/cryptography_article-4691.html

* Pretty Geeky Privacy
March 28th, 2002

More and more people want powerful, easy-to-use encryption software, but the commercial world isn't providing it. Can open source deliver? But online security, just like everything else, is subject to the ebb and flow of capitalism -- and the relentless releases of new software products with which one must be compatible.
http://www.linuxsecurity.com/articles/privacy_article-4692.html

* Public encryption keys are no longer secure
March 27th, 2002

Keys used for the vast majority of encryption systems - including ecommerce - are no longer secure. A paper by Daniel Bernstein, an associate professor at the University of Illinois at Chicago, has shown that it is possible to build a computer that could break the vast majority of encryption keys in minutes.
http://www.linuxsecurity.com/articles/cryptography_article-4684.html

* Secrecy Is an Illusion
March 25th, 2002

Phil Zimmermann says he doesn't regret creating the Pretty Good Privacy (PGP) strong encryption program, even though terrorists may use it. But while encryption may protect our Internet transactions and routine communications, it would be naive to think that governments or even wealthy companies and individuals can't get around it.
http://www.linuxsecurity.com/articles/cryptography_article-4675.html

+------------------------+
| Vendors/Products:      |
+------------------------+

* Sentry Firewall CD HOWTO
March 31st, 2002

This document is designed as an introduction to how the Sentry Firewall CDROM works and how to get started using the system. The Sentry Firewall CD is a Linux-based bootable CDROM suitable for use in a variety of different operating environments.
http://www.linuxsecurity.com/articles/firewalls_article-4707.html

+------------------------+
| General News:          |
+------------------------+

* XML Security Library
March 31st, 2002

XMLSec is a C library based on LibXML2 and OpenSSL. The XMLSec Library supports all MUST/SHOULD/MAY features and algorithms described in the W3C standard and provides an API to sign prepared document templates, add signature(s) to a document "on-the-fly", or verify the signature(s) in a document.
http://www.linuxsecurity.com/articles/cryptography_article-4708.html

* How to Plan for the Inevitable
March 29th, 2002

A great story about how Fleet developed an incident response plan. "Wondering how Fleet kept track of transaction history, he entered a random number. To his shock, he pulled up someone else's transaction. 'The hole allowed you to see people's personal information,' says Bryce, who works for Rackspace Managed Hosting in San Antonio."
http://www.linuxsecurity.com/articles/intrusion_detection_article-4703.html

* Your Web Server Is Not A Good Hiding Place
March 29th, 2002

The sad truth is that if you keep sensitive files on any Web server, you are inviting people to view or copy those files. And not just Web servers, either. FTP servers can also be indexed by automated scanning tools, similar to Web indexing robots.
http://www.linuxsecurity.com/articles/network_security_article-4702.html

* Understanding Cross-Site Scripting
March 28th, 2002

For a few years now, a security vulnerability called "cross-site scripting" has been receiving widespread attention. This problem is particularly insidious because it arises from a simple and very common oversight. Tens of thousands of server-side programs have this problem, and no programming language or development tool is exempt.
http://www.linuxsecurity.com/articles/hackscracks_article-4695.html

* Top Web Sites Scale Back Consumer Data Mining
March 27th, 2002

The most popular sites on the Internet now collect less personal information and offer consumers a broader range of privacy options than ever before, according to a report released by a conservative think-tank today.
http://www.linuxsecurity.com/articles/privacy_article-4687.html

* MS vs. open source: Security's the same
March 27th, 2002

The fact is, both sides have their share of problems -- but neither side has the edge when it comes to fixing security holes. You're just as likely to encounter a security problem with open source code as you are with Microsoft Windows, and the fix is just as likely to appear quickly and be done properly.
http://www.linuxsecurity.com/articles/vendors_products_article-4680.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-requestat_private with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

- ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Apr 02 2002 - 04:04:40 PST