[ISN] Linux Security Week - August 19th 2002

From: InfoSec News (isnat_private)
Date: Tue Aug 20 2002 - 05:41:23 PDT

  • Next message: InfoSec News: "[ISN] Wireless hackers take to the air"

    |  LinuxSecurity.com                            Weekly Newsletter     |
    |  August 19th, 2002                            Volume 3, Number 32n  |
    |                                                                     |
    |  Editorial Team:  Dave Wreski             daveat_private    |
    |                   Benjamin Thomas         benat_private     |
    Thank you for reading the LinuxSecurity.com weekly security newsletter.
    The purpose of this document is to provide our readers with a quick
    summary of each week's most relevant Linux security headlines.
    This week, perhaps the most interesting articles include "Intrusion
    detection: Too Much Information," "Secure Infrastructure Design,"  
    "Secure Remote Workstations With Integrated VPNs," and "Unlocking the
    Secrets of Crypto: Cryptography, Encryption, and Cryptology Explained."
     * Developing with open standards? 
     * Demanding High Performance?  
    Catch the Oracle9i JDeveloper wave now and check out how built-in
    profilers and CodeCoach make your Java code tighter and faster than ever
     --> Download your FREE copy of Oracle9i JDeveloper Today. 
     --> http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=oracle4
    FEATURE: Centralized File-Integrity With Samhain Part I There is no silver
    bullet in security; rather, due diligence and knowledge are the best
    foundations for solid management of risk. The focus of this document is
    distinctively on workstations: those located in a corporate environment,
    those situated at the house, and the myriad of situations that fall
    somewhere in-between.
    This week, advisories were released for cvs, mailman, hylafax,
    interchange, l2tpd, xinetd, glibc, modssl, chfn, libpng, bind, xchat,
    shareutils, tcl/tk, mm, and ipppd.  The vendors include Caldera, Debian,
    Gentoo, Mandrake, OpenBSD, Red Hat, SuSE, Trustix, and Yellow Dog.
    Take advantage of our Linux Security discussion list!  This mailing list
    is for general security-related questions and comments. To subscribe send
    an e-mail to security-discuss-requestat_private with "subscribe"
    as the subject.
    Find technical and managerial positions available worldwide.  Visit the
    LinuxSecurity.com Career Center: http://careers.linuxsecurity.com
    | Host Security News: | <<-----[ Articles This Week ]-------------
    * Configuring IPsec/IKE on Solaris
    August 15th, 2002
    The IP Security Protocol (IPsec) and the Internet Key Exchange (IKE)
    protocol are designed to permit system and network administrators the
    capability to protect traffic between two systems. These systems can be
    network devices or individual hosts.
    * No Stone Unturned, Part Six
    August 14th, 2002
    This is an additional installment to the No Stone Unturned series, which
    was written to help clarify to NT/2K admins the steps they can take to
    determine the nature and purpose of suspicious files found on their
    systems. In Part Five of the series, our heroic system administrator found
    an unusual file on a compromised system.
    * xinetd: Update: File descriptor leak vulnerability
    August 14th, 2002
    xinetd version 2.3.7 was released that addresses a mior file descriptor
    leak present in 2.3.4 - 2.3.6. Steve Grubb, co-maintainer of xinetd, sent
    in a note stating, "At the most, if everything is in just the right
    configuration...which is probably rare, all they can do is terminate
    | Network Security News: |
    * Intrusion detection: Too Much Information
    August 16th, 2002
    Intrusion detection systems have been around for years, but lately
    companies have shown new interest in them as worm and virus attacks have
    risen, and as new cyber-attacks have been launched from overseas. But
    contrary to some enthusiastic claims, these systems aren't some new
    security panacea for the enterprise.
    * Secure Wireless Workers
    August 15th, 2002
    Companies need to continue getting more productivity from employees, the
    cost of wireless equipment to make this a reality has never been lower.
    Now is a good time to setup secure remote corporate access.
    * Secure Infrastructure Design
    August 14th, 2002
    This paper describes the fundamental components of infrastructure design,
    provides an overview of risk management concepts, and illustrates samples
    of network topologies.
    * The Large-Scale Threat of Bad Data in DNS
    August 14th, 2002
    Nmap is a utility for network exploration or security auditing. It
    supports ping scanning (determine which hosts are up), many port scanning
    techniques (determine what services the hosts are offering), and TCP/IP
    fingerprinting (remote host operating system identification).
    * IP VPN: An Attractive Service
    August 14th, 2002
    Service providers have various options in the way in which they can offer
    outsourced IP virtual private network (VPN) services to customers.  The
    original service offerings were mostly customer premises equipment
    (CPE)-based. In such services, service providers deploy and manage CPE VPN
    gateways (in other words, dedicated VPN appliances or VPN-enabled
    routers/firewalls) at customer sites.
    * Secure Remote Workstations With Integrated VPNs
    August 12th, 2002
    There's no question that remote workstations require protection from the
    increasing security threats present today. When a remote user connects to
    the corporate network via a VPN, a hacker gaining access to the remote
    computer could also potentially enter the corporate network as an
    authorized user.
    |  Cryptography:         |
    * Unlocking the Secrets of Crypto: Cryptography, Encryption, and
    Cryptology Explained
    August 13th, 2002
    Encryption, decryption and code breaking came into the public
    consciousness in the 1980s with popularity of the movie War Games. It
    became newsworthy in the 1990s with the legal battles surrounding PGP and
    the political discussion of the Clipper Chip. Now, with information
    security becoming more and more of a common concern, the terms encryption,
    cryptography and cryptology - commonly grouped together under the term
    "crypto" - are seeping into our daily language.
    * Security Flaws Found in PGP E-Mail Encryption
    August 13th, 2002
    Now that the flaw has been demonstrated, it is more likely to be used.
    However, according to Elias Levy, a security architect at SecurityFocus
    and Symantec, there is no cause for alarm.
    |  General:              |
    * NIPC Asks for Help on Cyber Alerts
    August 17th, 2002
    Security expert Ryan Russell told NewsFactor that the NIPC is known for
    trailing other cyber security groups, such as CERT, in putting out alerts
    and warnings. The National Infrastructure Protection Center (NIPC), the
    government's main cyber protection agency, is seeking outside help with
    tracking Internet threats and incidents and generating alerts.
    * Homeland Insecurity
    August 13th, 2002
    As was often the case, Bruce Schneier was thinking about a really terrible
    idea. We were driving around the suburban-industrial wasteland south of
    San Francisco, on our way to a corporate presentation, while Schneier
    looked for something to eat not purveyed by a chain restaurant.
    * White-Hat Hate Crimes on the Rise
    August 13th, 2002
    When hackers broke into Ryan Russell's server and plastered his private
    e-mails and other personal files on the Internet last week, Russell tried
    to shrug it off as a harmless prank.  But Russell, editor of Hack Proofing
    Your Network and an analyst with SecurityFocus.com, also seemed shaken by
    the incident.
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
         To unsubscribe email newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Aug 20 2002 - 08:38:53 PDT