+---------------------------------------------------------------------+
|  LinuxSecurity.com                          Weekly Newsletter       |
|  July 1st, 2002                             Volume 3, Number 26n    |
|                                                                     |
|  Editorial Team:  Dave Wreski               daveat_private          |
|                   Benjamin Thomas           benat_private           |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Seven Common SSL Pitfalls," "Filtering E-Mail with Postfix and Procmail," "A Rookie's Guide to Defensive Blocks," and "Network Security in an Encrypted World."

## Developing with open standards? Demanding High Performance? ##

Catch the Oracle9i JDeveloper wave now and check out how built-in profilers and CodeCoach make your Java code tighter and faster than ever before. Download your FREE copy of Oracle9i JDeveloper Today.

http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=oracle1

This week, advisories were released for openssh, apache, and secureweb. The vendors include Conectiva, Debian, EnGarde, Immunix, Mandrake, Red Hat, and Yellow Dog.

http://www.linuxsecurity.com/articles/forums_article-5211.html

* Guardian Digital offers new Secure Linux server OS *

Setting up a secure server isn't necessarily for the faint of heart. To make it easier for IT administrators, Guardian Digital Inc. has released EnGarde Secure Linux Version 1.2, offering a secure server operating system for mail, Web and other servers without the hassle of an intricate customization.

http://www.linuxsecurity.com/articles/vendors_products_article-5153.html

Find technical and managerial positions available worldwide.
Visit the LinuxSecurity.com Career Center: http://careers.linuxsecurity.com

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]-------------
+---------------------+

* New Apache worm starts to spread
June 29th, 2002

Security experts are rushing to decode a worm program that exploits a 2-week-old flaw to infect computers running vulnerable versions of the popular open-source Apache Web server application.

http://www.linuxsecurity.com/articles/hackscracks_article-5219.html

* Seven Common SSL Pitfalls
June 28th, 2002

SSL is an excellent protocol. Like many tools, it is effective if you know how to use it well, but it is also easy to misuse. If you are deploying SSL, there are many pitfalls to be aware of, but with a little work, most can be avoided. In this article, we discuss the seven most common pitfalls when deploying SSL-enabled applications with OpenSSL.

http://www.linuxsecurity.com/articles/cryptography_article-5217.html

* Apache Worm?
June 28th, 2002

In the wake of the Apache Chunk Encoding vulnerability, the fun just doesn't seem to end. There seems to be another worm on the loose. The details of it are still being investigated. Currently, there is a thread on Bugtraq dedicated to this discussion.

http://www.linuxsecurity.com/articles/vendors_products_article-5214.html

* Filtering E-Mail with Postfix and Procmail, Part Two of Three
June 27th, 2002

This article is the second of three articles that will help systems administrators configure SMTP daemons and local mail delivery agents to filter out unwanted e-mails before they arrive in the end-users' in-box.

http://www.linuxsecurity.com/articles/privacy_article-5207.html

* Change My Password Again?
June 27th, 2002

Sex, Drugs, Money...How many of these words are common passwords on your network? The answer is probably too many. For beginners and even seasoned Linux security veterans, this should be something that needs to be consistently checked.

http://www.linuxsecurity.com/articles/hackscracks_article-5208.html

* A Guide to Building Secure Web Applications and Web Services: Introduction
June 26th, 2002

The Open Web Application Security Project (or OWASP pronounced O'WASP) was started in September of 2001. At the time there was no central place where developers and security professionals could learn how to build secure web applications or test the security of their products.

http://www.linuxsecurity.com/articles/projects_article-5192.html

+------------------------+
| Network Security News: |
+------------------------+

* A Rookie's Guide to Defensive Blocks
June 27th, 2002

Rule No. 1: Firewalls are all about access control. You create a set of rules defining which ports to keep open, which to disallow, and any IP addresses or entire networks to block. A firewall on the edge of your network is effective only if it is configured correctly. And don't forget in-house traffic--firewalls are not just for Internet connections.

http://www.linuxsecurity.com/articles/firewalls_article-5209.html

* Squid Vulnerability: Insecure forwarding of proxy_auth
June 27th, 2002

Vendors have not issued updates yet for a vulnerability just reported by the Squid Project. "Under some conditions Squid may forward the proxy authentication credentials. This can happen if you normally require your users to log in to use the proxy, but allow some sites to be reached without needing to log in."

http://www.linuxsecurity.com/articles/server_security_article-5210.html

* OpenSSH Remote Vulnerability Roundup
June 26th, 2002

In a recent discussion about the Apache Chunk Handling vulnerability, which consisted of many debates and rants on how the reporting was done, ISS mentioned that they found another serious vulnerability in one other vendor's open source product.

http://www.linuxsecurity.com/articles/network_security_article-5195.html

* Network Security in an Encrypted World
June 24th, 2002

If current trends continue, we will probably see encryption's use increase. However, the extensive use of encryption affects current conventional security methods in a very profound way, and this is something the security community must consider.

http://www.linuxsecurity.com/articles/network_security_article-5186.html

+------------------------+
| Cryptography:          |
+------------------------+

* OpenSSL, the Cryptography Lego(TM) Set
June 27th, 2002

When I got a new Lego set the other day, I discovered that it made a really cool train. However, it was missing the cow-catcher, so I built one for the Lego engine.

http://www.linuxsecurity.com/articles/cryptography_article-5204.html

+------------------------+
| Vendors/Products:      |
+------------------------+

* DOD Tests Biometrics
June 25th, 2002

The Defense Department's Biometrics Fusion Center soon will begin testing software on four types of biometric devices for use on its Common Access smart cards. DOD's Biometrics Management Office last week awarded a $915,000 contract to KPMG Consulting Inc. of McLean, Va., to conduct a 90-day test of biometric identifiers that could authenticate smart-card holders for building and network access.

http://www.linuxsecurity.com/articles/government_article-5191.html

+------------------------+
| General:               |
+------------------------+

* Linux: Feelin' Secure
June 28th, 2002

TechWeb summarizes the recent articles they have published on security Linux distributions including EnGarde, the Editor's Choice, HP Secure Linux and Immunix. "IT pros navigating a minefield of insecure software and systems are finding safe ground in Linux."

http://www.linuxsecurity.com/articles/server_security_article-5213.html

* Honeynet Project Releases June Scan of the Month Results
June 28th, 2002

This month's challenge is to make sense of a seemingly innocuous flurry of UDP packets.
On the evening of Feb 15th, three different members of the Honeynet Research Alliance received a flurry of strange UDP packets, that at first look seemed to have no apparent purpose. This month's Scan of the Month challenge is to understand the purpose of these packets.

http://www.linuxsecurity.com/articles/intrusion_detection_article-5218.html

* Mind Games - Social Engineering
June 24th, 2002

This small article is a brief overview on social engineering. It talks a bit about the psychology of social engineering, the security threat it imposes and about the methods used for it. Basically, this article is a summary that covers the important facts (from my point of view) about social engineering.

http://www.linuxsecurity.com/articles/network_security_article-5184.html

* You need more than a firewall to stop hackers
June 24th, 2002

Think malicious users need sophisticated tools to attack a Web site? Think again. All they really need is a Web browser and basic knowledge of SQL or another scripting language.

http://www.linuxsecurity.com/articles/network_security_article-5180.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-requestat_private
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.