+---------------------------------------------------------------------+
|  LinuxSecurity.com                           Weekly Newsletter      |
|  July 29th, 2002                             Volume 3, Number 30n   |
|                                                                     |
|  Editorial Team:  Dave Wreski                daveat_private         |
|                   Benjamin Thomas            benat_private          |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Unix Shell Scripting Malware," "My Guide To Linux Security," "VPN Setup using IPsec," and "Network Defenders Get Stuck in to Honeynet Challenge."

This week, advisories were released for glibc, php, and bind. The vendors include EnGarde and Red Hat.

http://www.linuxsecurity.com/articles/forums_article-5400.html

FEATURE: Assessing Internet Security Risk, Part Two: an Internet Assessment Methodology

This article is the second in a series that is designed to help readers to assess the risk that their Internet-connected systems are exposed to. In the first installment, we established the reasons for doing a technical risk assessment. In this installment, we'll start discussing the methodology that we follow in performing this kind of assessment.

http://www.linuxsecurity.com/feature_stories/feature_story-114.html

>> Guardian Digital Combats Proprietary Software Licensing Deadline <<

Guardian Digital, Inc., the first full-service open source Internet server security company, has announced a special incentive program designed to provide companies with an alternative to Windows-based servers and applications as the July 31st deadline for Microsoft's new licensing program approaches.

Press Release: http://www.guardiandigital.com/company/press/EnGarde-Licensing-Promotion.pdf
Save Now: http://store.guardiandigital.com/html/eng/493-AA.shtml

Take advantage of our Linux Security discussion list!
This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-requestat_private with "subscribe" as the subject.

Find technical and managerial positions available worldwide. Visit the LinuxSecurity.com Career Center: http://careers.linuxsecurity.com

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]-------------
+---------------------+

* Unix Shell Scripting Malware
July 27th, 2002

Unix/Linux binary malware can be very dependent upon distribution flavour and kernel version. Furthermore, the use of binary files as a starting point for virus infection may not always be very successful - starting off with a coredump will result in a rapid failure.

http://www.linuxsecurity.com/articles/host_security_article-5412.html

* Slashdot: Additional Security in the Linux Kernel?
July 25th, 2002

"Recently, I was looking for some way to improve security on my linux boxes. I found few linux patches like grsecurity, LIDS (now also as Linux Security Module), Medusa DS9. I'm testing grsecurity (and it's ACLs) now and I'm quite satisfied with it, but I wonder, what are pros and cons of other solutions. Anybody tried them and can share his experience with us?"

http://www.linuxsecurity.com/articles/host_security_article-5392.html

* My Guide To Linux Security
July 24th, 2002

This article explains the steps I take to secure my home computer and data communications. If you are an active proponent of computer security, this article will be a review. If you do not have any security practices currently, you should read on to get a general idea of how to secure a Linux box.

http://www.linuxsecurity.com/articles/documentation_article-5391.html

* Serious PHP vuln reported
July 23rd, 2002

The PHP form-data POST handler is susceptible to a malicious POST request that can trigger an error condition which, depending on your hardware, can crash the machine or provide for remote exploitation.
On an Intel x86 machine an attacker has no control over memory allocation/recovery and can only cause a denial of service; on a Sparc/Solaris machine an attacker would be able to free chunks of memory and overwrite them arbitrarily to run code.

http://www.linuxsecurity.com/articles/network_security_article-5382.html

+------------------------+
| Network Security News: |
+------------------------+

* VPN Setup using IPsec
July 24th, 2002

Manish Arya has contributed an article he has written on using FreeS/WAN to build a VPN. "IPsec has many implementations. One of the common IPsec implementations is Freeswan. IPsec provides encryption and authentication services at the IP (Internet Protocol) level of the network protocol stack. freeswan is an opensource IPsec implementation available from www.freeswan.org.

http://www.linuxsecurity.com/articles/cryptography_article-5385.html

* Network Defenders Get Stuck in to Honeynet Challenge
July 22nd, 2002

In a further attempt to enable defenders to learn from the hacking experience itself, The Honeynet Project, which was established by a group of computer security researchers, set up the Reverse Challenge. The test was to make a full analysis of an unknown program code found on a compromised honeynet system, using the reverse engineering tools and techniques used by security specialists.

http://www.linuxsecurity.com/articles/hackscracks_article-5373.html

+------------------------+
| Cryptography:          |
+------------------------+

* What Does the Future Hold for PGP?
July 24th, 2002

Bad things do happen to good code.
So learned Phil Zimmermann, author of Pretty Good Privacy, which in the early 1990s became the de facto standard for cryptology development on the Internet, according to analysts and user groups,

http://www.linuxsecurity.com/articles/cryptography_article-5387.html

* IETF puts weight behind Advanced Encryption Standard
July 23rd, 2002

The Internet Engineering Task Force (IETF) has published standards for improvements to SSL which add support for the recently ratified Advanced Encryption Standard. Request for Comments (RFC) 3268 adds support for AES to the TLS protocol (Transport Layer Security - which was formerly known as SSL).

http://www.linuxsecurity.com/articles/cryptography_article-5383.html

+------------------------+
| Vendors/Products:      |
+------------------------+

* Book: Hacking Exposed: Web Applications
July 25th, 2002

For the past five years a silent but revolutionary shift in focus has been changing the information security industry and the hacking community alike. As people came to grips with technology and process to secure their networks and operating systems using firewalls, intrusion detection systems and host hardening techniques, the world started exposing its heart and soul on the Internet via a phenomenon called the world wide web.

http://www.linuxsecurity.com/articles/network_security_article-5396.html

+------------------------+
| General:               |
+------------------------+

* Deal struck for security alerts
July 26th, 2002

The National Association of State Chief Information Officers today announced it has signed an agreement with the primary federal infrastructure security analysis and warning center so that individual states can receive alerts on cyber and physical threats.

http://www.linuxsecurity.com/articles/government_article-5410.html

* Finally.real security standards
July 26th, 2002

Last week's announcement by the Center for Internet Security that it was releasing its long-awaited security standards is good news for everyone.
Everyone, that is, except the Forces of Evil, in the form of hackers, virus writers, and worm purveyors.

http://www.linuxsecurity.com/articles/security_sources_article-5409.html

* Executives Advised to Take Role in Internet Security
July 25th, 2002

Internet security issues need to be addressed in boardrooms and executive suites, not just data centers and network storage closets. That's the message one industry organization is trying to convey by targeting the upper echelon of management with a guide on how to ward off potential threats.

http://www.linuxsecurity.com/articles/government_article-5398.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-requestat_private with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.