[ISN] Linux Security Week - August 12th 2002

From: InfoSec News (isnat_private)
Date: Tue Aug 13 2002 - 02:26:47 PDT


    LinuxSecurity.com Weekly Newsletter
    August 12th, 2002
    Volume 3, Number 31n

    Editorial Team:  Dave Wreski       daveat_private
                     Benjamin Thomas   benat_private

    Thank you for reading the LinuxSecurity.com weekly security newsletter.
    The purpose of this document is to provide our readers with a quick
    summary of each week's most relevant Linux security headlines.
    This week, perhaps the most interesting articles include "Advanced Log
    Processing," "Securing WLAN Links," "Wireless Security: An IP VPN
    Conspiracy Theory," and "Simplicity Is Key To Keeping Code Secure."
    This week, advisories were released for openssl, bind/glibc, libpng,
    openafs, kerberos 5, wwwofle, tinyproxy, dietlibc, kqueue, ffs, kfs,
    sendmail, secureweb, and gaim. The vendors include Caldera, Conectiva,
    Debian, EnGarde, FreeBSD, Mandrake, and Red Hat.
    Take advantage of our Linux Security discussion list!  This mailing list
    is for general security-related questions and comments. To subscribe send
    an e-mail to security-discuss-requestat_private with "subscribe"
    as the subject.
    [ Articles This Week ]

    Host Security News:
    * Installing OpenBSD 3.1
    August 9th, 2002
    OpenBSD has always been on my "must toy with" list, so the recent release
    of version 3.1 made it seem like a good time to check it out. The OpenBSD
    Web site shows that OpenBSD includes all of the usual BSD goodies; heaps
    of programs, an extensive ports tree, good documentation, and so on. Their
    security claims are intriguing, and some of the features (such as authpf)
    seem quite interesting. But marketing claims made on a Web site can be
    quite distant from reality, so I decided to install the OS on both a
    desktop and a laptop and see what I could do.
    * Advanced Log Processing
    August 5th, 2002
    One of Murphy's laws advises to "only look for those problems that you
    know how to solve." In security, this means to only monitor for those
    attacks that you plan to respond to. It is well known that any intrusion
    detection system is only as good as the analyst watching its output.
    Network Security News:
    * Addressing Teleworker Network Security Risks
    August 10th, 2002
    RFG believes teleworkers accessing corporate resources via virtual private
    network (VPN) connections can potentially pose security risks beyond those
    presented by employees working on-site.
    * OECD publishes cyber-security guidelines
    August 8th, 2002
    In response to a U.S. call made in October 2001 that it update its
    principles on security of information systems and networks, the 30-member
    inter-governmental Organization for Economic Cooperation and Development
    (OECD) has made public its latest guidelines.
    * FreeS/WAN: The KEY debate
    August 7th, 2002
    This week's lists.freeswan.org Email Summary reports that Michael
    Richardson debated the new DNS Key-Restrict draft with folks from the list
    namedroppersat_private. If that draft is widely implemented, FreeS/WAN
    will need to use a different DNS record type to distribute public keys.
    Interesting stuff.
    * One, Two, Three Factor Security?
    August 7th, 2002
    People who access their work systems are the equivalent of people holding
    the keys to the company premises; this incurs responsibility. If that is
    widely known and respected, half the security battle will have been won.
    * Securing WLAN Links: Part 2
    August 6th, 2002
    The 802.11 specification has some clear authentication discrepancies that
    create security headaches for WLAN design engineers. In Part 2 of this
    series, we'll examine the 802.11 authentication mechanisms and the
    security problems they provide.
    * Securing WLAN Links: Part 3
    August 6th, 2002
    There's no escaping that WEP is a problem for WLAN designers. In the final
    part of this series, we'll lay out some technology solutions that can help
    designers enhance security in WLAN systems. Depending on which side of the
    wireless LAN (WLAN) fence you are on, you may like or dislike the wireless
    equivalent privacy (WEP) protocol.
    * Wireless Security: An IP VPN Conspiracy Theory
    August 5th, 2002
    More than a decade ago, cell phone users faced a serious security problem:
    Everything they said was broadcast over the public airwaves, available for
    all to hear. Take a simple radio receiver, tune it to the correct
    frequency at the right time and place, and you could pick up the details
    of Newt Gingrich's plotting or Princess Di's sex life.
    Cryptography:
    * Crypto scientists crack prime problem
    August 9th, 2002
    Computer scientists in India have cracked an age-old mathematical problem
    by designing a method for computers to quickly prove whether a figure is a
    prime number--a vital step in cryptography.
    * 'Creative Attacks' Beat Crypto -- Expert
    August 9th, 2002
    In 1998 cryptographer Paul Kocher developed a method for deducing the
    secret key embedded in a cryptographic smart card by monitoring tiny
    fluctuations in power consumption. Three years earlier, at the tender age
    of 22, he made headlines with a technique to compromise implementations of
    the RSA algorithm.
    * Scalable Encryption Solutions For Today's Environment
    August 6th, 2002
    The scope and character of today's computing environment is changing
    dramatically. There are more systems in more locations and these are often
    spread across the world. Many, if not most, IT organizations today, are
    running lights-out data center operations.
    * E-Mail Encryption: Isn't Everyone Doing It?
    August 5th, 2002
    Any illusion that your corner of the Internet is a private place where
    your data is secure and your e-mail is read only by the people to whom you
    send it can be shattered by a single click on the Privacy.Net Web site.  
    Within seconds, you will see your IP address, your computer host name and
    the link from which you arrived at the site.
    Vendors/Products:
    * Researcher: Biometrics Unproven, Hard To Test
    August 8th, 2002
    James Bond technologies like face recognition, fingerprint sensors, hand
    geometry, and other biometric security systems may be impossible to
    accurately evaluate, unless researchers also measure the performance of
    the testers and the demographics of the subjects, a key researcher said
    General:
    * USENIX - Expert: Simplicity Is Key To Keeping Code Secure
    August 9th, 2002
    When it comes to writing secure code, less is more. That was the advice
    passed down Thursday by security expert Paul Kocher, president of
    Cryptography Research, who told the Usenix Security Symposium here that
    more powerful computer systems and increasingly complex code will be a
    growing cause of insecure networks.
    * Data security needs staff effort
    August 8th, 2002
    Companies that have spent millions of rand on network and data security
    will be completely horrified to learn that 80% of their employees will
    happily divulge not only their passwords but their log-on details to a
    complete stranger.
    * Database Security Breaches On The Increase
    August 7th, 2002
    Direct security breaches against databases appear to be on the rise,
    according to the recently released Summer 2002 Database Developers survey
    from research firm Evans Data Corp.
    * Security pros develop flaw database
    August 6th, 2002
    The Internetworked Security Information Service (ISIS) brings together
    four independent projects--the Open Source Vulnerability Database, the
    Alldas.de defacement-tracking service, the PacketStorm software database
    and the vulnerability watchdog VulnWatch--into a loosely organized
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    ISN is currently hosted by Attrition.org
