[ISN] Linux Security Week - October 21st 2002

From: InfoSec News (isnat_private)
Date: Tue Oct 22 2002 - 01:55:02 PDT

  • Next message: InfoSec News: "[ISN] Army locks down wireless LAN"

    |  LinuxSecurity.com                            Weekly Newsletter     |
    |  October 21st, 2002                           Volume 3, Number 41n  |
    |                                                                     |
    |  Editorial Team:  Dave Wreski             daveat_private    |
    |                   Benjamin Thomas         benat_private     |
    Thank you for reading the LinuxSecurity.com weekly security newsletter.
    The purpose of this document is to provide our readers with a quick
    summary of each week's most relevant Linux security headlines.
    This week, perhaps the most interesting articles include "Embedding
    security into servers," "Detecting Cyberattacks By Profiling "Normal"  
    Computer Habits," "Using CFS, the Cryptographic Filesystem," and "Fear
    Factor: Reporting Security Incidents."
     ** FREE  SSL Guide from Thawte ** 
     Are you planning your Web Server Security? Click here to get a 
     FREE Thawte  SSL guide and find the answers to all your  SSL 
     security issues.
      --> http://www.gothawte.com/rd407.html
    This week, advisories were released for heatbeat, syslog-ng, gv, heimdal,
    unzip, tar, apache, squirrelmail, dvips, xinetd, Red Hat kernal, nss_ldap,
    sendmail, tomcat, fetchmail, XFree86, glibc, postgresql, python, and ppp.  
    Then vendors include Conectiva, Debian, EnGarde, Gentoo, Mandrake, Red
    Hat, SuSE and Trustix.
    BOOK REVIEW: Honeypots: Tracking Hackers
    Tracking Hackers by Lance Spitzner is fantastically written. The detailed
    definitions and descriptions make it a great book even for the honeypot
    novice to understand. It grabs your attention right from the very
    beginning, holds it to the end and leaves you wanting more.
    Concerned about the next threat? EnGarde is the undisputed winner!  
    Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
    Editor's Choice Award, EnGarde "walked away with our Editor's Choice award
    thanks to the depth of its security strategy..." Find out what the other
    Linux vendors are not telling you.
    | Host Security News: | <<-----[ Articles This Week ]-------------
    * Update: New Linux Kernel Exploit? / ABFrag
    October 19th, 2002
    An early version of a new software system developed by University at
    Buffalo researchers that detects cyberattacks while they are in progress
    by drawing highly personalized profiles of users has proven successful 94
    percent of the time in simulated attacks.
    * OpenBSD Systrace
    October 18th, 2002
    OpenBSD's systrace now has privilege elevation support. This means
    binaries no longer need to be suid or sgid an longer. Applications can be
    executed completely unprivileged. Systrace raises the privileges for a
    single system call depending on the configured policy.
    * Security Expert Gives Operating Systems Poor Security Grade
    October 17th, 2002
    Is open source software more secure? To most Linux enthusiasts, the answer
    is obvious: open source means more people can look for bugs and a faster
    dissemination of bug fixes. Obviously, yes. But noted security expert Gene
    Spafford says that this may not necessarily be true.
    * Embedding security into servers
    October 16th, 2002
    Embedded systems control much of the world's critical infrastructure,
    which makes them a prime target for attack by everyone from hackers to
    terrorists. Embedded systems, however, have at their disposal an
    impressive set of defenses, mechanisms and procedures that are in common
    use for operations other than security, but that result in security
    mechanisms that prove stronger in some cases than traditional enterprise
    systems like Windows or Linux.
    * Openwall Linux (Owl) 1.0 Release
    October 16th, 2002
    For those who don't know yet, Openwall GNU/*/Linux (or Owl) is a
    security-enhanced operating system with Linux and GNU software as its
    core, intended as a server platform.  And, of course, it's free.  More
    detailed information is available on the web site.
    * Detecting Cyberattacks By Profiling "Normal" Computer Habits
    October 15th, 2002
    An early version of a new software system developed by University at
    Buffalo researchers that detects cyberattacks while they are in progress
    by drawing highly personalized profiles of users has proven successful 94
    percent of the time in simulated attacks. The "user-level anomaly
    detection system" was described Oct. 10, 2002 at the military
    communications conference known as MILCOM 2002 in Anaheim, CA.
    * Chroot Jails Made Easy with the Jail Chroot Project
    October 14th, 2002
    So what is a "chroot jail"?  Essentially it is a security method for
    creating a safe user enviroment on systems that allow remote access
    accounts. The "jail" locks users into a virtual directory structure and
    grants access only to applications created for the jailed users by the
    | Network Security News: |
    * Cyber chief speaks on Data network security
    October 18th, 2002
    President Bush's point man on computer security says that the nation has a
    long way to go in securing its data networks but that new federal
    regulations would be a step in the wrong direction.  Richard Clarke, head
    of the White House Office of Cyber Security, also said the government
    should modify a controversial law designed to prevent exploitation of
    software security flaws because it can be used to stifle research to
    improve computer security.
    * Linux firewalls: IT Manager's top picks
    October 15th, 2002
    Linux firewalls--it's one of the hot topics for CIOs and IT managers at
    the moment. ZDNet Australia takes a look at some of the options available
    for IT departments.
    * Firewalling /proc Entries
    October 15th, 2002
    The Linux Kernel can be configured using iptables or ipchains to enforce
    strong network protections.  However there are several useful kernel flags
    you can set to increase your default network security posture without any
    complicated rules.
    * Intel beefs up network security
    October 15th, 2002
    Intel plans to announce a new network processor on Tuesday that will
    handle security functions, a move it expects will reduce the cost and
    improve the performance of networking equipment.  The company will also
    delay a similar product that does not offer security features.
    | Cryptography News:     |
    * UK Firm Touts Alternative To Digital Certs
    October 18th, 2002
    Two factor authentication, using secure tokens is being backed as an
    alternative to digital certificates by a UK company, which is enjoying
    support from the Parliamentary All Party Export Group.
    * Voiceprints Provide Mobile Encryption Keys
    October 18th, 2002
    The uniqueness of everyone's voice can now be used to lock up data extra
    securely on mobile phones and portable computers, thanks to a prototype
    system developed by US researchers. The system could render stolen devices
    useless.  Existing voice identification systems rely on a person's
    voiceprint alone before granting security clearance.
    * Government Security Experts Urge Whitehall To Adopt US Cryptography
    October 18th, 2002
    The Government's leading IT security advisors are to recommend that
    Whitehall departments adopt a US cryptography standard that many
    commercially available security products fail to meet.
    * Using CFS, the Cryptographic Filesystem
    October 16th, 2002
    If you want to keep private your personal files, such as those containing
    phone numbers, correspondence or journals, you could keep them in a hidden
    directory named ~/.private with mode 0700, so only you could read the
    files. Are you chuckling yet? Then let's consider employing a stronger
    privacy technique: cryptography.
    | Vendors/Products News: |
    * Backdoor LAN
    October 18th, 2002
    Veterans of past Cellular Telecommunications & Internet Association (CTIA)
    shows tell us one major security problem they faced was having their
    analog phones cloned.  Happened all the time apparently.
    * Book Review: The Art of Deception
    October 16th, 2002
    Kevin Mitnick says "the term 'social engineering' is widely used within
    the computer security community to describe the techniques hackers use to
    deceive a trusted computer user within a company into revealing sensitive
    information, or trick an unsuspecting mark into performing actions that
    create a security hole for them to slip through."
    * Linux Security Protection System Released
    October 16th, 2002
    LinSec team is proud to announce the first stable release of LinSec.  
    LinSec, as the name says, is Linux Security Protection System. The main
    aim of LinSec is to introduce Mandatory Access Control (MAC) mechanism
    into Linux (as opposed to existing Discretionary Access Control mechanism.
    |  General News:         |
    * Senate Approves Almost $1B for Cybersecurity Research
    October 18th, 2002
    The U.S. Senate Wednesday night unanimously passed legislation that would
    more than triple the federal funding commitment to cybersecurity research,
    to about $978 million over five years. The bill authorizes grants for
    basic research and industry partnership programs.
    * Reduce Risks and Eliminate Headaches Through Sensible Account
    October 17th, 2002
    Security is a big, challenging topic, but everyone with server-side
    responsibilities should know the basic steps. Cameron outlines a number of
    ways to keep your user accounts clean and safe. Security is hard.
    * Firms 'must do better' On IT Security
    October 17th, 2002
    The British government has urged companies to take IT security more
    seriously, amid concern that almost three-quarters of firms have no policy
    on information security.  Speaking at an event in London on Tuesday,
    e-commerce minister Stephen Timms said it is unacceptable that just 27
    percent of companies have an IT security policy, according to a recent
    official survey.
    * The Tech Industry Rescue Squad
    October 17th, 2002
    What makes CERT/CC unique is that it functions as an independent security
    reporting center that assumes anonymity with each client unless it
    receives permission to use the client's identity.
    * Fear Factor: Reporting Security Incidents
    October 16th, 2002
    The NIPC, is placing the agency's emphasis on preventing crime rather than
    on catching perpetrators. "Now if I call Ron's people up and say I've got
    a problem, I'm not necessarily going to have a guy with a gun and badge
    here tomorrow," says Jarocki. "He's changed things.
    * NIST Drafts Security Buying Guides
    October 14th, 2002
    The National Institute of Standards and Technology's Computer Security
    Division has released three new draft guides for agencies on buying
    security technologies and services.
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
         To unsubscribe email newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Oct 22 2002 - 05:04:28 PDT