[ISN] Linux Security Week - April 29th 2002

From: InfoSec News (isnat_private)
Date: Tue Apr 30 2002 - 01:58:48 PDT


    |  LinuxSecurity.com                            Weekly Newsletter     |
    |  April 29th, 2002                             Volume 3, Number 17n  |
    |                                                                     |
    |  Editorial Team:  Dave Wreski             daveat_private    |
    |                   Benjamin Thomas         benat_private     |
    Thank you for reading the LinuxSecurity.com weekly security newsletter.
    The purpose of this document is to provide our readers with a quick
    summary of each week's most relevant Linux security headlines.
    This week, perhaps the most interesting articles include "Cracking the
    Cracking," "Setting up a FreeBSD firewall with an IPSec uplink,"  
    "Security is poor because vendors are not held responsible," and "Wireless
    LAN Security: A Short History."
    This week, advisories were released for the FreeBSD kernel, webalizer,
    sudo, PHPprojekt, ethereal, icecast, and squid.  The vendors include
    Caldera, Conectiva, Debian, EnGarde, FreeBSD, and Red Hat.
    | Host Security News: | <<-----[ Articles This Week ]-------------
    * Multiple vulnerabilities in stack smashing protection technologies
    April 24th, 2002
    As if IT managers didn't have enough security headaches, the rise of Web
    site-based intrusions has risen over the last year, with aggressive
    cookies and pop-up-spawned spyware leading the charge. Products like the
    Gator password manager utility are reported to include a Web-user
    monitoring component, which may even cause Web browsers to crash or behave
    * Cracking the Cracking
    April 24th, 2002
    Learning about the ins and outs of computer forensics technology and the
    law make four recent releases worth investigating. Computer-based crime
    has given rise to a new type of evidence gathering - or forensics - and a new
    breed of investigator. But computer forensics is still a young discipline,
    and almost no one today has been trained purely as a computer forensic
    * Using GnuPG
    April 23rd, 2002
    GnuPG, the GNU Privacy Guard, is the open source equivalent to PGP, or
    Pretty Good Privacy, which has been available for Windows, DOS, and some
    other operating systems for many years. It has all the same features,
    based on the OpenPGP standard. The uses for GnuPG (or GPG) are varied: It
    can be used to encrypt email messages and files, or to digitally sign
    email messages and files.
    * Apache and SSL
    April 22nd, 2002
    Secure Sockets Layer (SSL), developed by Netscape Communications, and
    Transport Layer Security (TLS), the open-standard replacement for SSL from
    the Internet Engineering Task Force, are the two protocols that add
    encryption and authentication to TCP/IP.
    | Network Security News: |
    * Wireless Lans can be secure
    April 26th, 2002
    In the 1994 film Renaissance Man, Danny DeVito describes Military
    Intelligence as an oxymoron. Who would have thought that eight years later
    many would be making the same criticism of wireless security? At the heart
    of the problem is the slow rate at which most corporate security policies
    and solutions actually develop, and the way that 'mobile' is viewed within
    * Setting up a FreeBSD firewall with an IPSec uplink
    April 25th, 2002
    Though this article mainly deals with problems inherent to wireless
    networks, the principles apply equally well to wired networks. Also,
    though FreeBSD is the OS referenced, this may work equally well with other
    flavors of BSD. The version of FreeBSD used was 4.5-release.
    * ipsec_tunnel: An IPsec tunnel implementation for Linux
    April 25th, 2002
    I started this project because I was using a number of IPIP tunnels to
    connect a number of private networks over the Internet, and I needed
    encryption for a few reasons. Above all I wanted to be able to use standard
    protocols such as FTP and NFS without having to worry about cleartext
    passwords and snooping.
    * Security is poor because vendors are not held responsible
    April 25th, 2002
    Network security is not a technological problem; it's a business problem.
    The only way to address it is to focus on business motivations. To improve
    the security of their products, companies - both vendors and users - must
    care; for companies to care, the problem must affect stock price. The way
    to make this happen is to start enforcing liabilities.
    * Wireless LAN Security: A Short History
    April 22nd, 2002
    If you're holding back on an 802.11 deployment because of security
    concerns, you're not alone. Research indicates that the perceived
    insecurity of wireless networks is a major inhibitor to further market
    growth.  This short history of the security issues in wireless networks
    should help shed some light on the problem.
    |  Cryptography:         |
    * Keeping e-mail encryption alive
    April 22nd, 2002
    Phil Zimmermann knows a thing or two about adversity. His invention for
    encrypting e-mail, Pretty Good Privacy, was so good that the government
    considered it munitions subject to tough export controls. Prosecutors
    threatened him with criminal charges when others leaked it overseas.
    |  Vendor/Products:      |
    * More Cross site Scripting in PHPNuke
    April 24th, 2002
    The European Commission has unveiled new proposals that could send
    Internet hackers and spreaders of computer viruses to jail for years.
    Industry and security experts welcomed the proposals, but said more
    needed to be done to get companies, cautious of bad publicity, to
    report Internet attacks and to boost law enforcement resources in the
    fight against cybercrime
    |  General:              |
    * Training the cyberwar troops
    April 26th, 2002
    Systems administrator David Riebrandt's first hint that intruders had
    hacked the military network came from telltale electronic footprints. From
    the logs--electronic records of the information passed on the network--it
    quickly became evident that a server with gate-keeping control over
    different parts of the system was getting downright chatty with a foreign
    computer via the Internet.
    * Worries Of Cyberattacks On U.S. Are Aired
    April 26th, 2002
    U.S. officials warned yesterday that the Chinese military may be searching
    for ways to attack defense and civilian computer networks in the United
    States and Taiwan. But they said intelligence analysts have concluded that
    China so far lacks the ability to cause much disruption.
    * Honeynet looks to sting hackers
    April 22nd, 2002
    A group of 30 computer security researchers who set up inexpensive "fake"
    networks to observe how hackers behave as they break into them are finding
    out about new software vulnerabilities and warning the public.
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Tue Apr 30 2002 - 12:21:01 PDT