[ISN] Linux Security Week - October 28th 2002

From: InfoSec News (isnat_private)
Date: Tue Oct 29 2002 - 03:06:14 PST


    |  LinuxSecurity.com                            Weekly Newsletter     |
    |  October 28th, 2002                           Volume 3, Number 42n  |
    |                                                                     |
    |  Editorial Team:  Dave Wreski             daveat_private    |
    |                   Benjamin Thomas         benat_private     |
    Thank you for reading the LinuxSecurity.com weekly security newsletter.
    The purpose of this document is to provide our readers with a quick
    summary of each week's most relevant Linux security headlines.
    This week, perhaps the most interesting articles include "Tool Unmasks Web
    Server Vulnerabilities," "Controlling Access To Your Services With
    xinetd," "Exposing the Underground: Adventures of an Open Proxy Server,"
    and "Reverse Engineering Hostile Code."
    ** FREE SSL Guide from Thawte ** Are you planning your Web Server
    Security? Click here to get a FREE Thawte SSL guide and find the answers
    to all your SSL security issues.
      --> http://www.gothawte.com/rd408.html
    This week, advisories were released for webalizer, ethereal, ggv, mod-ssl,
    tetex, NetBSD kernel, heimdal, groff, new, Linux kernel, unzip, xinetd,
    php, nss_ldap, gaim, fetchmail, glibc, apache, xfree, zope, ypserv,
    postgresql, and kdegraphics.  The vendors include Caldera, Debian,
    EnGarde, Gentoo, Mandrake, NetBSD, Red Hat, SuSE, and Yellow Dog.
    FEATURE:   Designing Shellcode Demystified 
    This paper covers the fundamentals of shellcode design and is specific to
    Linux 2.2 on the IA-32 architecture. The base principles apply to all
    architectures, whereas the details obviously might not.
    Concerned about the next threat? EnGarde is the undisputed winner!  
    Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
    Editor's Choice Award, EnGarde "walked away with our Editor's Choice award
    thanks to the depth of its security strategy..." Find out what the other
    Linux vendors are not telling you.
    | Host Security News: | <<-----[ Articles This Week ]-------------
    * Tool Unmasks Web Server Vulnerabilities
    October 25th, 2002
    In response to increasingly militant attacks carried out by hackers,
    system administrators across the spectrum of IT have worked diligently in
    recent months to remove telltale signs that can classify their Web
    servers. However, this may fashion a false sense of confidence.
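    An added illustration of the point above, written for this digest rather
    than taken from the article or the tool it describes: a rewritten Server:
    banner is only one of several things a response gives away. The two raw
    responses and the two-entry signature table below are constructed for the
    example and are not a real fingerprint database; header order, the 404
    reason phrase and the stock error page are the assumed tells.

```python
"""Fingerprint a web server from the shape of its responses instead of the
Server: banner.  Added example (not the article's tool); the raw responses
and the signature table are constructed for illustration."""

from dataclasses import dataclass

# Constructed: this server's administrator rewrote the banner to claim IIS,
# but header ordering, the 404 reason phrase and the error page still look
# like Apache.
DISGUISED_APACHE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Mon, 28 Oct 2002 10:00:00 GMT\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    "<HTML><HEAD>\n<TITLE>404 Not Found</TITLE>\n</HEAD><BODY>\n"
    "<H1>Not Found</H1>\n"
)
# Constructed "genuine" IIS-style response for comparison.
REAL_IIS = (
    "HTTP/1.1 404 Object Not Found\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Mon, 28 Oct 2002 10:00:00 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Site Not Found</title></head><body>...</body></html>"
)

@dataclass(frozen=True)
class Signature:
    name: str
    header_order: tuple     # these headers must appear in this relative order
    reason_404: str         # reason phrase the server uses on its 404
    body_marker: str        # fragment of the server's stock error page

# Assumed signatures, deliberately small.
SIGNATURES = (
    Signature("Apache", ("Date", "Server"), "Not Found", "<TITLE>404 Not Found</TITLE>"),
    Signature("IIS", ("Server", "Date"), "Object Not Found", "<title>Site Not Found</title>"),
)

def parse_response(raw):
    """Split a raw response into (reason phrase, [header names in order], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    fields = status.split(" ", 2)
    reason = fields[2] if len(fields) == 3 else ""
    names = [ln.partition(":")[0] for ln in header_lines if ":" in ln]
    return reason, names, body

def banner(raw):
    """What the administrator wants you to see: the Server: header value."""
    head = raw.partition("\r\n\r\n")[0]
    for ln in head.split("\r\n")[1:]:
        name, _, value = ln.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None

def in_order(names, expected):
    """True when every expected header is present and in the expected order."""
    positions = [names.index(h) for h in expected if h in names]
    return len(positions) == len(expected) and positions == sorted(positions)

def fingerprint(raw):
    """Score each signature on header order, reason phrase and error body;
    return (best signature name, score out of 3)."""
    reason, names, body = parse_response(raw)
    best, best_score = None, -1
    for sig in SIGNATURES:
        score = (in_order(names, sig.header_order)
                 + (reason == sig.reason_404)
                 + (sig.body_marker in body))
        if score > best_score:
            best, best_score = sig.name, score
    return best, best_score

if __name__ == "__main__":
    for label, raw in (("disguised Apache", DISGUISED_APACHE), ("IIS", REAL_IIS)):
        print(label, "banner:", banner(raw), "fingerprint:", fingerprint(raw))
```

    The practical check is to run something like this against your own server
    after banner hardening: if it still scores as what it really is, the
    rewrite bought nothing, and the patch level is what actually matters.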
    * Passwords: Poor Excuse for Security
    October 25th, 2002
    Cut costs. Save money. Maintain the status quo. With that mantra in mind,
    many network managers figure they've got authentication covered. As long
    as there's a password policy in place, who needs to spend money on
    authentication tools?
    * Top Linux/UNIX Security Threats
    October 24th, 2002
    It's depressing for security professionals to see just how many of the
    vulnerabilities on the new SANS/FBI Top 20 List have CVE numbers in the
    1999-xxxx range--meaning that they were identified and fixed years ago on
    some systems.  Newer problems appear in each category, but far too many
    bear old CVE numbers.
    * Reverse Engineering Hostile Code
    October 24th, 2002
    Computer criminals are always ready and waiting to compromise a weakness
    in a system. When they do, they usually leave programs on the system to
    maintain their control. We refer to these programs as "Trojans" after the
    story of the ancient Greek Trojan horse. Often these programs are custom
    compiled and not widely distributed.
    * Build a Secure Webmail Service Supporting IMAP and SSL
    October 23rd, 2002
    This article describes how you can set up your Linux computer to be a
    web-based e-mail system for yourself or a group of friends. It will work
    best, of course, if you are on a dedicated internet connection, like a
    cable modem or a DSL line at home.
    * Controlling Access To Your Services With xinetd
    October 22nd, 2002
    Whenever you learn about controlling access to a Linux box, one "creature"
    you usually encounter is the "superdaemon." A superdaemon is a daemon that
    controls other daemons--and daemons are typically network service control
    programs that run long-term behind the scenes, waiting for when they need
    to step into action.
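    As an added example for this entry (not code from the article), the
    following audits xinetd-style service stanzas for the access-control
    attributes the article is about. The configuration text is constructed,
    and the two audit rules it applies (an enabled service with neither
    only_from nor no_access, and a service running as root) are this example's
    own assumptions about what is worth flagging.

```python
"""Audit xinetd service stanzas for network access control.  Added example,
not from the article; the configuration text is constructed and the audit
rules are assumptions made for this illustration."""

import re

# Constructed xinetd.conf-style text: a global "defaults" block plus three
# services.  telnet is enabled and open to everyone; finger is restricted to
# one subnet and business hours; tftp is disabled.
SAMPLE_CONF = """\
defaults
{
    log_type        = SYSLOG daemon info
    log_on_failure  = HOST
}

service telnet
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
}

service finger
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = nobody
    server          = /usr/sbin/in.fingerd
    only_from       = 192.168.1.0/24
    access_times    = 08:00-18:00
    log_on_failure  += USERID
}

service tftp
{
    disable         = yes
    socket_type     = dgram
    protocol        = udp
    wait            = yes
    user            = nobody
    server          = /usr/sbin/in.tftpd
}
"""

STANZA = re.compile(r"^(defaults|service\s+(\S+))\s*\{(.*?)^\}", re.S | re.M)
ATTR = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")
ACCESS_ATTRS = ("only_from", "no_access")

def parse_xinetd(text):
    """Return {stanza: [(attribute, operator, tokens), ...]} in file order."""
    raw = {}
    for m in STANZA.finditer(text):
        name = m.group(2) or "defaults"
        ops = []
        for line in m.group(3).splitlines():
            a = ATTR.match(line)
            if a:                       # comments and blank lines do not match
                key, op, value = a.groups()
                ops.append((key, op, value.split()))
        raw[name] = ops
    return raw

def apply_ops(base, ops):
    """Apply =, += and -= the way xinetd does, starting from the defaults."""
    attrs = {k: list(v) for k, v in base.items()}
    for key, op, tokens in ops:
        if op == "=":
            attrs[key] = tokens
        elif op == "+=":
            attrs.setdefault(key, []).extend(tokens)
        else:
            attrs[key] = [t for t in attrs.get(key, []) if t not in tokens]
    return attrs

def effective_services(text):
    """Each service's attributes after the defaults block has been merged in."""
    raw = parse_xinetd(text)
    defaults = apply_ops({}, raw.get("defaults", []))
    return {name: apply_ops(defaults, ops)
            for name, ops in raw.items() if name != "defaults"}

def audit(services):
    """List (service, finding) for enabled services that lack access control
    or run as root."""
    findings = []
    for name, attrs in services.items():
        if attrs.get("disable", ["no"])[0].lower() == "yes":
            continue
        if not any(k in attrs for k in ACCESS_ATTRS):
            findings.append((name, "no only_from/no_access restriction"))
        if attrs.get("user", [""])[0] == "root":
            findings.append((name, "runs as root"))
    return findings

if __name__ == "__main__":
    for service, finding in audit(effective_services(SAMPLE_CONF)):
        print(f"{service}: {finding}")
```

    Putting only_from in the defaults block restricts every service at once,
    and a per-service "=" overrides it. The audit looks only at xinetd's own
    attributes; an xinetd built with libwrap also honours hosts.allow and
    hosts.deny, which this check does not read.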
    | Network Security News: |
    * Wireless: Wide Open To Attack
    October 23rd, 2002
    You may be enjoying the convenience of a newly installed wireless
    solution, but how many strangers are doing the same with your network?  
    Not so long ago, war driving was the latest hacking method, consisting of
    driving a car around areas populated by business, equipped with laptops
    and 802.11b NICs that would detect wireless access points.
    * Exposing the Underground: Adventures of an Open Proxy Server
    October 22nd, 2002
    "This paper discusses the abuse of misconfigured HTTP proxy servers,
    taking a detailed look at the types of traffic that flow through this
    underground network. Also discussed is the use of a "honeyproxy", a server
    designed to look like a misconfigured HTTP proxy. Using such a tool we can
    spy on the Internet underground without the need for a full-blown
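    An added example for this entry, not taken from the paper: a classifier of
    the kind a honeyproxy would run over the request lines it receives,
    separating ordinary web requests from forward-proxy requests and CONNECT
    tunnels. The sample request lines are constructed, and the mapping of
    tunnel ports to traffic types is an assumption for the illustration.

```python
"""Classify request lines as a honeyproxy listener would see them.  Added
example, not from the paper; the sample requests and the port-to-category
table are constructed assumptions."""

from collections import Counter
from urllib.parse import urlsplit

# Constructed request lines arriving at a listener that behaves like a
# misconfigured (open) HTTP proxy.
SAMPLE_REQUESTS = [
    "GET http://www.example.com/ HTTP/1.0",
    "GET /robots.txt HTTP/1.0",
    "CONNECT mail.example.net:25 HTTP/1.0",
    "CONNECT irc.example.org:6667 HTTP/1.0",
    "CONNECT secure.example.com:443 HTTP/1.1",
    "POST http://www.example.com/cgi-bin/formmail.pl HTTP/1.0",
    "CONNECT mx2.example.net:25 HTTP/1.0",
]

# Assumed mapping of CONNECT target ports to what the tunnel is most likely
# carrying; anything else is reported as an unknown tunnel.
TUNNEL_PORTS = {25: "smtp-relay", 443: "https", 6667: "irc"}

def classify(request_line):
    """Return (is_proxy_use, category) for one HTTP request line."""
    parts = request_line.split()
    if len(parts) != 3:
        return False, "malformed"
    method, target, _version = parts
    if method.upper() == "CONNECT":
        _host, _, port = target.rpartition(":")
        try:
            port = int(port)
        except ValueError:
            return True, "malformed"
        return True, "tunnel:" + TUNNEL_PORTS.get(port, "unknown")
    if target.startswith("/"):
        return False, "origin"                  # plain web-server request
    parsed = urlsplit(target)
    if parsed.scheme and parsed.netloc:
        return True, "forward:" + parsed.scheme  # absolute-URI relay request
    return False, "malformed"

def summarize(lines):
    """Return (number of proxy-use requests, {category: count}); open-proxy
    abuse shows up as the tunnel:* and forward:* entries."""
    results = [classify(ln) for ln in lines]
    proxied = sum(1 for is_proxy, _ in results if is_proxy)
    return proxied, dict(Counter(cat for _, cat in results))

if __name__ == "__main__":
    proxied, counts = summarize(SAMPLE_REQUESTS)
    print(f"{proxied} of {len(SAMPLE_REQUESTS)} requests treated us as a proxy")
    for category, n in sorted(counts.items()):
        print(f"  {category}: {n}")
```

    A correctly configured proxy answers forward and CONNECT requests only
    from the clients it serves; a listener that sees them from the whole
    Internet is either an open proxy or, as in the paper, a trap.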
    | Cryptography News:     |
    * Images get distortion-proof crypto marks
    October 24th, 2002
    Researchers have created a new way to encrypt information in a digital
    image and extract it later without any distortion or loss of information.  
    A team of scientists from Xerox and the University of Rochester said that
    the technique, called reversible data hiding, could be used in situations
    that require proof that an image has not been altered.
    * Using GnuPG
    October 24th, 2002
    The GNU Privacy Guard is a free replacement for the PGP PKI (Public Key
    Infrastructure) encryption tool. It can be used to encrypt data and to
    create digital signatures. It includes an advanced key management facility
    and is compliant with the proposed OpenPGP Internet standard.
    * PGP Poised For Major Comeback
    October 24th, 2002
    PGP encryption products will be back on the market by the end of the year,
    with a raft of new releases in the pipeline.  PGP 8.0 will be out by the
    end of December and will include a freeware version for non-commercial
    use, a single user personal package and an enterprise version.
    * "Critical" Kerberos flaw revealed
    October 24th, 2002
    Kerberos has lost some of its bite, according to the US government, which
    on Wednesday warned of a critical flaw that could allow hackers to
    circumvent the secure networking system.
    * Net Guru: Encrypt Everything
    October 22nd, 2002
    Ray Ozzie believes in shared workspaces. The inventor of Lotus Notes
    collaboration software founded Groove Networks Inc. in 1997 because
    server-based architectures "fundamentally could not address the dynamic
    collaboration requirements of a decentralized business environment."
    |  General News:         |
    * Certifiably Certified
    October 24th, 2002
    A recent issue of SC Magazine, one of the information security industry's
    cheerleading trade rags, featured a full-page advertisement with the
    following emblazoned across the top of the page: "How to increase your
    salary by 21.39% in 7 days or less."
    * HIPAA A Hardship For Health Care Companies
    October 23rd, 2002
    A difficult economic climate may make it harder for health care providers
    to comply with provisions of the Health Insurance Portability and
    Accountability Act (HIPAA) in time for deadlines next year, according to a
    report by the consulting company Frost & Sullivan.
    * Guidelines for Reporting Security Incidents
    October 21st, 2002
    CIO magazine, in conjunction with the Secret Service and FBI, has put
    together a set of guidelines for businesses to follow when notifying law
    enforcement agencies and other authorities of security incidents. The
    report covers what kind of events should be reported, the data that should
    be collected, and who to send it to.
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
         To unsubscribe email newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Oct 29 2002 - 06:21:28 PST