[ISN] Linux Security Week - April 1st 2002

From: InfoSec News (isnat_private)
Date: Tue Apr 02 2002 - 00:07:10 PST


    LinuxSecurity.com                            Weekly Newsletter
    April 1st, 2002                              Volume 3, Number 13n

    Editorial Team:  Dave Wreski             daveat_private
                     Benjamin Thomas         benat_private

    Thank you for reading the LinuxSecurity.com weekly security newsletter.
    The purpose of this document is to provide our readers with a quick
    summary of each week's most relevant Linux security headlines.

    This week, perhaps the most interesting articles include "A Buffer
    Overflow Study: Attacks & Defenses," "Connecting SSH Through a Gateway,"
    "Experts Debate Risks to Crypto," and "Your Web Server Is Not A Good
    Hiding Place."

    This week, advisories were released for zlib, php, mtr, squid, analog, and
    imlib.  The vendors include Conectiva, Debian, FreeBSD, and Red Hat.

    Performance and Stability meet Security - EnGarde has everything necessary
    to create thousands of virtual Web sites, manage e-mail, DNS, firewalling,
    and database functions for an entire organization, and supports high-speed
    broadband connections, all using a Web-based front-end. EnGarde Secure
    Professional provides those features and more!
      --> http://store.guardiandigital.com/html/eng/promo.shtml

    FEATURE: Dsniff 'n the Mirror - This is a practical step-by-step guide
    showing how to use Dsniff, MRTG, IP Flow Meter, Tcpdump, NTOP, Ngrep,
    and others. It also provides a discussion of how and why we should monitor
    network traffic.

    Find technical and managerial positions available worldwide.  Visit the
    LinuxSecurity.com Career Center: http://careers.linuxsecurity.com

    [ Articles This Week ]

    Host Security News:

    * A Buffer Overflow Study: Attacks & Defenses
    March 27th, 2002
    A technical overview of heap and buffer overflows, Linux tools that can be
    used to reduce their risk, the kinds of exploits these tools can prevent,
    and more. "This study deals with the various kinds of overflows (heap,
    stack) to understand how they work and how they may be used to execute
    malicious code

    Network Security News:

    * Case Studies: Connecting SSH Through a Gateway
    March 29th, 2002
    In the corporate world, companies commonly require all outgoing
    connections to pass through a proxy server or gateway host: a machine
    connected to both the company network and the outside. Although connected
    to both networks, a gateway host doesn't act as a router, and the networks
    remain separated.

    * Wireless LANs Security
    March 29th, 2002
    A nice resource of links to articles on wireless networking security. "LAN
    802.11 benefits and applications have recently gained enthusiastic
    acceptance in workplaces where mobility is essential.

    * Come on, own up: IT managers leave firewalls open for hackers
    March 28th, 2002
    The number of flaws reported in firewalls has rocketed by nearly 50 per
    cent over the past four years because IT pros don't know how to configure
    them. A report by security testing specialist NTA Monitor found that flaws
    in firewalls have increased by 45 per cent since 1998.

    Cryptography:

    * Experts Debate Risks to Crypto
    March 28th, 2002
    There is a growing debate in the cryptography community over whether the
    cryptographic keys used in dozens of applications should be considered
    compromised in light of a recent paper detailing a more efficient way of
    factoring large numbers.

    * Pretty Geeky Privacy
    March 28th, 2002
    More and more people want powerful, easy-to-use encryption software, but
    the commercial world isn't providing it. Can open source deliver? But
    online security, just like everything else, is subject to the ebb and flow
    of capitalism -- and the relentless releases of new software products with
    which one must be compatible.

    * Public encryption keys are no longer secure
    March 27th, 2002
    Keys used for the vast majority of encryption systems - including
    ecommerce - are no longer secure. A paper by Daniel Bernstein, an
    associate professor at the University of Illinois at Chicago, has shown
    that it is possible to build a computer that could break the vast majority
    of encryption keys in minutes.

    * Secrecy Is an Illusion
    March 25th, 2002
    Phil Zimmermann says he doesn't regret creating the Pretty Good Privacy
    (PGP) strong encryption program, even though terrorists may use it. But
    while encryption may protect our Internet transactions and routine
    communications, it would be naive to think that governments or even
    wealthy companies and individuals can't get around it.

    Vendors/Products:

    * Sentry Firewall CD HOWTO
    March 31st, 2002
    This document is designed as an introduction on how the Sentry Firewall
    CDROM works and how to get started using the system.  The Sentry Firewall
    CD is a Linux-based bootable CDROM suitable for use in a variety of
    different operating environments.

    General News:

    * XML Security Library
    March 31st, 2002
    XMLSec is a C library based on LibXML2 and OpenSSL.  XMLSec Library
    supports all MUST/SHOULD/MAY features and algorithms described in the W3C
    standard and provides API to sign prepared document templates, add
    signature(s) to a document "on-the-fly" or verify the signature(s) in the

    * How to Plan for the Inevitable
    March 29th, 2002
    A great story about how Fleet developed an incident response plan.
    "Wondering how Fleet kept track of transaction history, he entered a
    random number. To his shock, he pulled up someone else's transaction. "The
    hole allowed you to see people's personal information," says Bryce, who
    works for Rackspace Managed Hosting in San Antonio.

    * Your Web Server Is Not A Good Hiding Place
    March 29th, 2002
    The sad truth is that if you keep sensitive files on any Web server, you
    are inviting people to view or copy those files. And not just Web servers,
    either. FTP servers can also be indexed by automated scanning tools,
    similar to Web indexing robots.

    * Understanding Cross-Site Scripting
    March 28th, 2002
    For a few years now, a security vulnerability called "cross-site
    scripting" has been receiving widespread attention. This problem is
    particularly insidious because it arises from a simple and very common
    oversight.  Tens of thousands of server-side programs have this problem,
    and no programming language or development tool is exempt.

    * Top Web Sites Scale Back Consumer Data Mining
    March 27th, 2002
    The most popular sites on the Internet now collect less personal
    information and offer consumers a broader range of privacy options than
    ever before, according to a report released by a conservative think-tank

    * MS vs. open source: Security's the same
    March 27th, 2002
    The fact is, both sides have their share of problems--but neither side has
    the edge when it comes to fixing security holes. You're just as likely to
    encounter a security problem with open source code as you are with
    Microsoft Windows, and the fix is just as likely to appear quickly and be
    done properly.

    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
         To unsubscribe email newsletter-requestat_private
             with "unsubscribe" in the subject of the message.

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Apr 02 2002 - 04:04:40 PST