[ISN] Linux Security Week - September 9th 2002

From: InfoSec News (isnat_private)
Date: Tue Sep 10 2002 - 00:11:02 PDT

  • Next message: InfoSec News: "[ISN] Demand For Managed Security To Surge"

    |  LinuxSecurity.com                            Weekly Newsletter     |
    |  September 9th, 2002                          Volume 3, Number 35n  |
    |                                                                     |
    |  Editorial Team:  Dave Wreski             daveat_private    |
    |                   Benjamin Thomas         benat_private     |
    Thank you for reading the LinuxSecurity.com weekly security newsletter.
    The purpose of this document is to provide our readers with a quick
    summary of each week's most relevant Linux security headlines.
    This week, perhaps the most interesting articles include "Open Source
    Software: Is it Really Secure," "Who Goes There: An Introduction to
    On-Access Virus Scanning," "Adaptive Linux Firewalls," and "Airwave
    camouflage to stop drive-by hacking."
    Concerned about the next threat? EnGarde is the undisputed winner! 
     Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing 
     Editor's Choice Award, EnGarde "walked away with our Editor's Choice 
     award thanks to the depth of its security strategy..." Find out what 
     the other Linux vendors are not telling you. 
      -> http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2
    FEATURE: NFS Security - NFS (Network File System) is a widely used and 
    primitive protocol that allows computers to share files over a network. 
    The main problems with NFS are that it relies on the inherently insecure 
    UDP protocol, transactions are not encrypted and hosts and users cannot 
    be easily authenticated. Below we will show a number of issues that one 
    can follow to heal those security problems.
    This week, advisories were released for pxe, ethereal, scrollkeeper,
    mailman, mantis, amavis, and glibc.  The vendors include Conectiva,
    Debian, Gentoo, Red Hat, and SuSE.
    Take advantage of our Linux Security discussion list!  This mailing list
    is for general security-related questions and comments. To subscribe send
    an e-mail to security-discuss-requestat_private with "subscribe"
    as the subject.
    | Host Security News: | <<-----[ Articles This Week ]-------------
    * Open Source Software: Is it Really Secure?
    September 5th, 2002
    People often ask me if they should trust Open Source Software (OSS). This
    question predates the emergence of Linux and the various Berkeley Software
    Distribution (BSD) OSs, as popular security software for Unix systems,
    such as COPS and Tripwire (www.tripwire.com), began showing up in the
    early 1990s.
    * Password guessing games with Check Point firewall
    September 4th, 2002
    Security researchers have discovered two potentially serious flaws with
    Check Point's flagship FireWall-1 firewall which give rise to both
    username guessing and sniffing issues.  First, affected versions permit
    attackers to determine if a firewall username is valid without having to
    know the associated password.
    * Apache Flaw Leaves Server Wide Open
    September 3rd, 2002
    Although this problem doesn't affect UNIX and Linux variants, it does
    apply to more than just Microsoft Windows platforms. You should check it
    out even if you are running NetWare or OS/2 (both of which are definitely
    vulnerable) or any other non-UNIX platform.
    * Who Goes There: An Introduction to On-Access Virus Scanning, Part One
    September 3rd, 2002
    By now, most savvy computer users have anti-virus software (AV) installed
    on their machines and use it as part of their regular computing routine.
    However, most average users do not know how anti-virus software works.
    This two-part series will offer a brief overview of a particular type of
    anti-virus mechanism know as on-access virus scanners.
    | Network Security News: |
    * Control the Keys to the Kingdom
    September 6th, 2002
    We've said it before and we'll say it again: You will never have a totally
    secure network. The best you can hope for is that your security strategies
    will minimize exposure to attack, and if you are hit, the damage can be
    contained. Plenty of point products are available to help eliminate
    avenues of attack
    * Wireless Security Blackpaper
    September 6th, 2002
    In 1999 the IEEE completed and approved the standard known as 802.11b, and
    WLANs were born. Finally, computer networks could achieve connectivity
    with a useable amount of bandwidth without being networked via a wall
    socket. Suddenly connecting multiple computers in a house to share an
    Internet connection or play LAN games no longer required expensive or ugly
    * Airwave camouflage to stop drive-by hacking
    September 5th, 2002
    Software that generates a blizzard of bogus wireless network access points
    could bamboozle hackers trying to access corporate and home computer
    networks.  This would stop them stealing wireless surfing time and
    exploring corporate wireless networks, say the two US computer programmers
    behind the scheme.
    * Three Fallacies About Remote Access
    September 3rd, 2002
    Security precautions are only as good as the assumptions that underpin
    them. Enterprises must be scrupulous in separating myth from fact when it
    comes to how, why, and by whom the enterprise's network and information
    might be illicitly accessed--with potentially disastrous consequences.
    * Adaptive Linux Firewalls
    September 2nd, 2002
    Automatic firewall hardening is a technique used by many commercial
    firewalls to prevent invalid packets from reaching protected networks. The
    objective of this document is to demonstrate how to harden iptables in
    |  Cryptography:         |
    * Encrypted e-mails may be digital bullets
    September 6th, 2002
    For more than a decade, the United States government classified encryption
    technology as a weapon. Now that label might actually apply.
    Security-consulting firm Foundstone said Thursday that e-mail messages
    encrypted with the Pretty Good Privacy program can be used as digital
    bullets to attack and take control of a victim's computer.
    |  General:              |
    * Profile of the Perfect Security Guru
    September 6th, 2002
    They know how to set up and maintain firewall, antivirus and intrusion
    detection systems. They know how to scan the company network for holes.
    They are up to speed on the latest vulnerabilities -- and know whether or
    not software patches are available.  They know what to do when the
    corporate servers get hacked, and they know how to stop the attack in its
    tracks. They also have the gumption to tell you when they cannot handle
    something, and they can recommend where to go for help.
    * Are Hackers Accessing Your Company Via Your PBX?
    September 6th, 2002
    Although most companies today have improved security on their data
    networks, thus cutting down on white-collar crime and hack attacks, too
    few have paid enough attention to their PBX system. The PBX remains a
    potentially huge back door problem for data network security.
    * Companies exposed to .social engineers. . Mitnick
    September 5th, 2002
    "A lot of people think they are not gullible, that they can't be
    manipulated, but nothing could be further from the truth," says Mitnick.
    He claims that using such techniques - combined with substantial technical
    know-how - he was able to break into all but one of the systems he
    targeted in a 15-year hacking career.
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
         To unsubscribe email newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Sep 10 2002 - 02:56:49 PDT