[ISN] Linux Security Week - December 16th 2002

From: InfoSec News (isnat_private)
Date: Tue Dec 17 2002 - 03:23:49 PST


    |  LinuxSecurity.com                            Weekly Newsletter     |
    |  December 16th, 2002                          Volume 3, Number 49n  |
    |                                                                     |
    |  Editorial Team:  Dave Wreski             daveat_private    |
    |                   Benjamin Thomas         benat_private     |
    Thank you for reading the LinuxSecurity.com weekly security newsletter.
    The purpose of this document is to provide our readers with a quick
    summary of each week's most relevant Linux security headlines.
    This week, perhaps the most interesting articles include "Know Your Enemy
    - Learning with User-Mode Linux," "Buried By The Authentication
    Avalanche," "Secure Passwordless Logins with SSH," and "Six Basic Tips For
    Securing Wireless Networks."
    Network Security Audit - "Information for the right people at right time
    and from anywhere" has been the driving force for providing access to
    most of the vital information on the network of an organization over the
    Internet. This is a simple guide on conducting a network security audit.
    This week, advisories were released for nss_ldap, icecast, fileutils, imp,
    apache, groff, html2ps, im, gtetrinet, tcpdump, tetex, perl, python,
    canna, and wget.  The distributors include Caldera, Debian, Mandrake, and
    Red Hat.
    CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!
    Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
    Editor's Choice Award, EnGarde "walked away with our Editor's Choice award
    thanks to the depth of its security strategy..." Find out what the other
    Linux vendors are not telling you.
    Security: MySQL and PHP (3 of 3) - This is the third installation of a 3
    part article on LAMP (Linux Apache MySQL PHP). In order to safeguard a
    MySQL server to the basic level, one has to abide by the following
    | Host Security News: | <<-----[ Articles This Week ]-------------
    * Know Your Enemy - Learning with User-Mode Linux
    December 13th, 2002
    This paper will focus on building a Honeynet using a single computer and
    free, OpenSource software. This will be accomplished by building a Virtual
    Honeynet, using the OpenSource solutions User-Mode Linux (often called
    UML) and IPTables.
    * Buried By The Authentication Avalanche
    December 13th, 2002
    With identity theft on the rampage, network managers are being hit by an
    increasing barrage of software, hardware and services for user
    authentication. Organizations are implementing technologies ranging from
    traditional passwords/PINs to PKI and SSL certificates, tokens,
    fingerprint readers, and even voiceprints.
    * Rooting Out Corrupted Code
    December 12th, 2002
    Sometimes it's easy to tell when you're dealing with an imposter. That
    Mona Lisa at your neighbor's yard sale is unlikely to be the real thing.
    When you see Elvis at the mall, you can be pretty sure that he's a fake,
    * Apache Suffers More Attacks
    December 12th, 2002
    I report on a lot of software vulnerabilities, and I try to weed out the
    unimportant ones. But there's no real way to know in advance which ones
    will be exploited and which ones cybervandals will essentially ignore.
    * Secure Passwordless Logins with SSH Part 1
    December 11th, 2002
    Many of my past newsletters have detailed configuration setups that
    required you to be able to execute commands on remote machines without
    interactively supplying a password. The next few articles will help show
    how you can set up such a system.
    * IT users in password hell
    December 11th, 2002
    Heavy users of technology now employ nearly two dozen passwords to gain
    access to various IT systems and Web sites--but are compromising security
    by writing them down. The 2002 NTA Monitor Password Survey found that the
    typical intensive IT user now has 21 passwords, and has two strategies to
    cope, neither of which is advisable from a security standpoint: they
    either use common words as passwords or keep written records of them. The
    survey found that some of these heavy users maintain up to 70 passwords.
    | Network Security News: |
    * Network Vulnerability Rises Exponentially When Moving From Wired To
    December 12th, 2002
    In international news at the end of last week, Richard Clarke, special
    advisor to the US president for cyberspace security, together with other
    experts labelled wireless networking technology as a potential terrorist
    * XML Encryption Specs Approved
    December 11th, 2002
    The two specs, XML Encryption Syntax and Processing and Decryption
    Transform for XML Signature, will enable Web pages using Extensible Markup
    Language to encrypt parts of a document being exchanged between Web sites,
    the World Wide Web Consortium said.
    * Law may be updated to cover DoS attacks
    December 11th, 2002
    The government is considering amending the Computer Misuse Act (CMA), amid
    concern within the Internet industry that denial of service (DoS) attacks
    may not be covered by the law. The Home Office, in consultation with groups
    such as the police and industry representatives, is currently examining
    ways of updating the CMA, according to a Home Office spokeswoman.
    * Six Basic Tips For Securing Wireless Networks
    December 10th, 2002
    Wireless networks offer opportunities for hackers. But it doesn't have to
    be that way. The purpose of properly securing a wireless access point is to
    close off the network from outsiders who do not have authorisation to use
    your services. This is often easier said than done.
    * Risk Assessment Essentials
    December 9th, 2002
    We all claim to understand the importance of network security. We stand
    around water coolers chatting about this worm, that newly discovered
    security hole, this patch, and that hot fix.  As IT managers, we know it's
    our job to ensure that all the latest patches are not only applied, but
    applied immediately.
    | Cryptography News:     |
    * Crypto-Gram December 15th, 2002
    December 15th, 2002
    Crypto-Gram is a free monthly newsletter providing summaries, analyses,
    insights, and commentaries on computer security and cryptography. This
    month, Comments on the Department of Homeland Security, Security Notes
    from All Over:  Dan Cooper, Crime: The Internet's Next Big Thing, and
    | General News:          |
    * IDC: Cyberterror to hit in 2003
    December 13th, 2002
    A major cyberterrorism event will occur in 2003, a technology research
    group predicted on Thursday, one that will disrupt the economy and bring
    the Internet to its knees for at least a day or two.
    * Homeland Security Will Consolidate Software Licenses
    December 12th, 2002
    Speaking at a Spy Museum breakfast today, Secret Service assistant
    director Steve Colo said the new Homeland Security Department will
    consolidate all its component agencies' software licenses "for the greater
    good," looking first at large contracts with vendors such as Microsoft
    Corp. and Oracle Corp.
    * Today's Pain Points Are Tomorrow's Vendor Opportunities
    December 11th, 2002
    If you want to predict the most important information security tools for
    CSOs in the coming year, just look at the problems that CIOs are trying to
    resolve today. Whereas today's security tools are intrusive, clunky and
    require significant commitment from both staff and users alike, tomorrow's
    tools will increasingly be automatic and even autonomous.
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    ISN is currently hosted by Attrition.org