[ISN] Linux Security Week - July 1st 2002

From: InfoSec News (isnat_private)
Date: Tue Jul 02 2002 - 02:31:27 PDT


    |  LinuxSecurity.com                            Weekly Newsletter     |
    |  July 1st, 2002                               Volume 3, Number 26n  |
    |                                                                     |
    |  Editorial Team:  Dave Wreski             daveat_private    |
    |                   Benjamin Thomas         benat_private     |
    Thank you for reading the LinuxSecurity.com weekly security newsletter.
    The purpose of this document is to provide our readers with a quick
    summary of each week's most relevant Linux security headlines.
    This week, perhaps the most interesting articles include "Seven Common SSL
    Pitfalls," "Filtering E-Mail with Postfix and Procmail," "A Rookie's Guide
    to Defensive Blocks," and "Network Security in an Encrypted World."
    ## Developing with open standards? Demanding High Performance? ##
    Catch the Oracle9i JDeveloper wave now and check out how built-in
    profilers and CodeCoach make your Java code tighter and faster than ever
    before. Download your FREE copy of Oracle9i J Developer Today.
    This week, advisories were released for openssh, apache, and secureweb.  
    The vendors include Conectiva, Debian, EnGarde, Immunix, Mandrake, Red
    Hat, and Yellow Dog.
     * Guardian Digital offers new Secure Linux server OS *
    Setting up a secure server isn't necessarily for the faint of heart.  To
    make it easier for IT administrators, Guardian Digital Inc. has released
    EnGarde Secure Linux Version 1.2, offering a secure server operating
    system for mail, Web and other servers without the hassle of an intricate

    Find technical and managerial positions available worldwide.  Visit the
    LinuxSecurity.com Career Center: http://careers.linuxsecurity.com
    |  Host Security News:   |
    * New Apache worm starts to spread
    June 29th, 2002
    Security experts are rushing to decode a worm program that exploits a
    2-week-old flaw to infect computers running vulnerable versions of the
    popular open-source Apache Web server application.
    * Seven Common SSL Pitfalls
    June 28th, 2002
    SSL is an excellent protocol. Like many tools, it is effective if you know
    how to use it well, but it is also easy to misuse. If you are deploying
    SSL, there are many pitfalls to be aware of, but with a little work, most
    can be avoided. In this article, we discuss the seven most common pitfalls
    when deploying SSL-enabled applications with OpenSSL.
    * Apache Worm?
    June 28th, 2002
    In the wake of the Apache Chunk Encoding vulnerability, the fun just
    doesn't seem to end.  There seems to be another worm on the loose.  The
    details of it are still being investigated. Currently, there is a thread
    on Bugtraq dedicated to this discussion.
    * Filtering E-Mail with Postfix and Procmail, Part Two of Three
    June 27th, 2002
    This article is the second of three articles that will help systems
    administrators configure SMTP daemons and local mail delivery agents to
    filter out unwanted e-mails before they arrive in the end-users' in-box.
    * Change My Password Again?
    June 27th, 2002
    Sex, Drugs, Money... How many of these words are common passwords on your
    network?  The answer is probably too many.  For beginners and even
    seasoned Linux security veterans, this is something that needs to be
    checked consistently.
    * A Guide to Building Secure Web Applications and Web Services
    June 26th, 2002
    The Open Web Application Security Project (or OWASP pronounced O'WASP) was
    started in September of 2001. At the time there was no central place where
    developers and security professionals could learn how to build secure web
    applications or test the security of their products.
    | Network Security News: |
    * A Rookie's Guide to Defensive Blocks
    June 27th, 2002
    Rule No. 1: Firewalls are all about access control. You create a set of
    rules defining which ports to keep open, which to disallow, and any IP
    addresses or entire networks to block. A firewall on the edge of your
    network is effective only if it is configured correctly. And don't forget
    in-house traffic--firewalls are not just for Internet connections.
    * Squid Vulnerability: Insecure forwarding of proxy_auth
    June 27th, 2002
    Vendors have not issued updates yet for a vulnerability just reported by
    the Squid Project. "Under some conditions Squid may forward the proxy
    authentication credentials. This can happen if you normally require your
    users to log in to use the proxy, but allow some sites to be reached
    without needing to log in."
    * OpenSSH Remote Vulnerability Roundup
    June 26th, 2002
    In a recent discussion about the Apache Chunk Handling vulnerability,
    which consisted of many debates and rants on how the reporting was done,
    ISS mentioned that they found another serious vulnerability in one other
    vendor's open source product.
    * Network Security in an Encrypted World
    June 24th, 2002
    If current trends continue, we will probably see encryption's use
    increase. However, the extensive use of encryption affects current
    conventional security methods in a very profound way, and this is
    something the security community must consider.
    |  Cryptography:         |
    * OpenSSL, the Cryptography Lego(TM) Set
    June 27th, 2002
    When I got a new Lego set the other day, I discovered that it made a
    really cool train. However, it was missing the cow-catcher, so I built one
    for the Lego engine.
    |  Vendors/Products:     |
    * DOD Tests Biometrics
    June 25th, 2002
    The Defense Department's Biometrics Fusion Center soon will begin testing
    software on four types of biometric devices for use on its Common Access
    smart cards.  DOD's Biometrics Management Office last week awarded a
    $915,000 contract to KPMG Consulting Inc. of McLean, Va., to conduct a
    90-day test of biometric identifiers that could authenticate smart-card
    holders for building and network access.
    |  General:              |
    * Linux: Feelin' Secure
    June 28th, 2002
    TechWeb summarizes the recent articles it has published on security-focused
    Linux distributions, including EnGarde (the Editor's Choice), HP Secure
    Linux and Immunix.  "IT pros navigating a minefield of insecure software
    and systems are finding safe ground in Linux."
    * Honeynet Project Releases June Scan of the Month Results
    June 28th, 2002
    This month's challenge is to make sense of a seemingly innocuous flurry of
    UDP packets. On the evening of Feb 15th, three different members of the
    Honeynet Research Alliance received a flurry of strange UDP packets that
    at first glance seemed to have no apparent purpose. This month's Scan of
    the Month challenge is to understand the purpose of these packets.
    * Mind Games - Social Engineering
    June 24th, 2002
    This short article is a brief overview of social engineering. It talks a
    bit about the psychology of social engineering, the security threat it
    poses and the methods used for it. Basically, this article is a summary
    that covers the important facts (from my point of view) about social
    engineering.
    * You need more than a firewall to stop hackers
    June 24th, 2002
    Think malicious users need sophisticated tools to attack a Web site? Think
    again. All they really need is a Web browser and basic knowledge of SQL or
    another scripting language.
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
         To unsubscribe email newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Jul 02 2002 - 05:26:26 PDT