[ISN] Linux Security Week - July 29th 2002

From: InfoSec News (isnat_private)
Date: Tue Jul 30 2002 - 00:29:17 PDT

  • Next message: InfoSec News: "[ISN] Cyberinsurance may cover damage of computer woes"

    |  LinuxSecurity.com                            Weekly Newsletter     |
    |  July 29th, 2002                              Volume 3, Number 30n  |
    |                                                                     |
    |  Editorial Team:  Dave Wreski             daveat_private    |
    |                   Benjamin Thomas         benat_private     |
    Thank you for reading the LinuxSecurity.com weekly security newsletter.
    The purpose of this document is to provide our readers with a quick
    summary of each week's most relevant Linux security headlines.
    This week, perhaps the most interesting articles include "Unix Shell
    Scripting Malware," "My Guide To Linux Security," "VPN Setup using IPsec,"
    and "Network Defenders Get Stuck in to Honeynet Challenge."
    This week, advisories were released for glibc, php, and bind.  The vendors
    include EnGarde and Red Hat.
    FEATURE: Assessing Internet Security Risk, Part Two: an Internet
    Assessment Methodology
    This article is the second in a series that is designed to help readers to
    assess the risk that their Internet-connected systems are exposed to. In
    the first installment, we established the reasons for doing a technical
    risk assessment. In this installment, we'll start discussing the
    methodology that we follow in performing this kind of assessment.
    >> Guardian Digital Combats Proprietary Software Licensing Deadline <<
    Guardian Digital, Inc., the first full-service open source Internet server
    security company, has announced a special incentive program designed to
    provide companies with an alternative to Windows-based servers and
    applications as the July 31st deadline for Microsoft's new licensing
    program approaches.
     Press Release:
     Save Now:
    Take advantage of our Linux Security discussion list!  This mailing list
    is for general security-related questions and comments. To subscribe send
    an e-mail to security-discuss-requestat_private with "subscribe"
    as the subject.
    Find technical and managerial positions available worldwide.  Visit the
    LinuxSecurity.com Career Center: http://careers.linuxsecurity.com
    | Host Security News: | <<-----[ Articles This Week ]-------------
    * Unix Shell Scripting Malware
    July 27th, 2002
    Unix/Linux binary malware can be very dependent upon distribution flavour
    and kernel version. Furthermore, the use of binary files as a starting
    point for virus infection may not always be very successful - starting off
    with a coredump will result in a rapid failure.
    * Slashdot: Additional Security in the Linux Kernel?
    July 25th, 2002
    "Recently, I was looking for some way to improve security on my linux
    boxes. I found few linux patches like grsecurity, LIDS (now also as Linux
    Security Module), Medusa DS9. I'm testing grsecurity (and it's ACLs) now
    and I'm quite satisfied with it, but I wonder, what are pros and cons of
    other solutions. Anybody tried them and can share his experience with us?"
    * My Guide To Linux Security
    July 24th, 2002
    This article explains the steps I take to secure my home computer and data
    communications. If you are an active proponent of computer security, this
    article will be a review. If you do not have any security practices
    currently, you should read on to get a general idea of how to secure a
    Linux box.
    * Serious PHP vuln reported
    July 23rd, 2002
    The PHP form-data POST handler is susceptible to a malicious POST request
    that can trigger an error condition which, depending on your hardware, can
    crash the machine or provide for remote exploitation. On an Intel x86
    machine an attacker has no control over memory allocation/recovery and can
    only cause a denial of service; on a Sparc/Solaris machine an attacker
    would be able to free chunks of memory and overwrite them arbitrarily to
    run code.
    | Network Security News: |
    * VPN Setup using IPsec
    July 24th, 2002
    Manish Arya has contributed an article he has written on using FreeS/WAN
    to build a VPN. "IPsec has many implementations.one of the common IPsec
    implementations is Freeswan. IPsec provides encryption and authentication
    services at the IP (Internet Protocol) level of the network protocol
    stack. freeswan is a opensource IPsec implementation available from
    * Network Defenders Get Stuck in to Honeynet Challenge
    July 22nd, 2002
    In a further attempt to enable defenders to learn from the hacking
    experience itself, The Honeynet Project, which was established by a group
    of computer security researchers, set up the Reverse Challenge. The test
    was to make a full analysis of an unknown program code found on a
    compromised honeynet system, using the reverse engineering tools and
    techniques used by security specialists.
    |  Cryptography:         |
    * What Does the Future Hold for PGP?
    July 24th, 2002
    Bad things do happen to good code. So learned Phil Zimmermann, author of
    Pretty Good Privacy, which in the early 1990s became the de facto standard
    for cryptology development on the Internet, according to analysts and user
    * IETF puts weight behind Advanced Encryption Standard
    July 23rd, 2002
    The Internet Engineering Task Force (IETF) has published standards for
    improvements to SSL which add support for the recently ratified Advanced
    Encryption Standard. Request for Comments (RFC) 3268 adds support for AES
    to the TLS protocol (Transport Layer Security - which was formerly known
    as SSL).
    |  Vendors/Products:     |
    * Book: Hacking Exposed: Web Applications
    July 25th, 2002
    For the past five years a silent but revolutionary shift in focus has been
    changing the information security industry and the hacking community
    alike. As people came to grips with technology and process to secure their
    networks and operating systems using firewalls, intrusion detection
    systems and host hardening techniques, the world started exposing its
    heart and soul on the Internet via a phenomenon called the world wide web.
    |  General:              |
    * Deal struck for security alerts
    July 26th, 2002
    The National Association of State Chief Information Officers today
    announced it has signed an agreement with the primary federal
    infrastructure security analysis and warning center so that individual
    states can receive alerts on cyber and physical threats.
    * Finally.real security standards
    July 26th, 2002
    Last week's announcement by the Center for Internet Security that it was
    releasing its long-awaited security standards is good news for everyone.
    Everyone, that is, except the Forces of Evil, in the form of hackers,
    virus writers, and worm purveyors.
    * Executives Advised to Take Role in Internet Security
    July 25th, 2002
    Internet security issues need to be addressed in boardrooms and executive
    suites, not just data centers and network storage closets. That's the
    message one industry organization is trying to convey by targeting the
    upper echelon of management with a guide on how to ward off potential
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
         To unsubscribe email newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Jul 30 2002 - 02:58:47 PDT