+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  December 30th, 2002                          Volume 3, Number 52n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             daveat_private            |
|                   Benjamin Thomas         benat_private             |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Trojan Horses
Plague Open Source," "Using ssh with public key authentication," "Secure
Passwordless Logins with SSH," and "Making Security Pay."

LINUXSECURITY.COM FEATURE: No 'A' Word In Time - Maintaining accurate
time is required for security. Many tools and devices exist to ensure
that accurate time is maintained on an organization's system. It makes
the job of analysis and system administration much easier to deal with,
as well.

http://www.linuxsecurity.com/feature_stories/feature_story-133.html

LINUX ADVISORY WATCH: This week, advisories were released for bind,
perl, canna, klisa, cyrus-imapd, wget, kde, and fetchmail. The
distributors include Caldera, Debian, Gentoo, and SuSE.

http://www.linuxsecurity.com/articles/forums_article-6443.html

---------------------------------------------------------------------

CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!

Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice
award thanks to the depth of its security strategy..." Find out what
the other Linux vendors are not telling you.

http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2

---------------------------------------------------------------------

LINUXSECURITY.COM FEATURE: If It Ain't Broke See If It's Fixed -
Attackers are still compromising servers with well-known attacks.
General awareness can assist the busy administrators and users to
protect their systems from these kinds of attacks. SANS provides a list
of the Top 20 most common security vulnerabilities, how to identify
each, and what can be done to protect against these vulnerabilities.

http://www.linuxsecurity.com/feature_stories/feature_story-132.html

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]-------------
+---------------------+

* Trojan Horses Plague Open Source
  December 27th, 2002

At least three commonly used open source software packages were altered
by black-hat (bad-guy) hackers to contain "Trojan horse" code this year.
The three most commonly used packages affected were Sendmail, OpenSSH
and tcpdump/libpcap. Others to be modified included BitchX, a chat
client, and Fragrouter, a network security tool.

http://www.linuxsecurity.com/articles/hackscracks_article-6444.html

* Key to Secure Web Services
  December 23rd, 2002

One of the most important issues addressed at Gartner's U.S.
Symposium/ITxpo 2002 was the security demands of evolving Web services
models. SAML is an Extensible Markup Language (XML) based mechanism that
enables disparate entities to exchange identity-related security
information.

http://www.linuxsecurity.com/articles/security_sources_article-6417.html

* Who's Got Root? Find Out With Tripwire
  December 23rd, 2002

Your network groans under the weight of monitors and alarms. Every
packet, every bit is inspected, scrutinized, sanitized, and organized.
Surely it is time to relax and take it easy. Except for one little
nagging worry- if an intruder slides through all the barriers, past all
the traps, and successfully cozies into a snug corner, how will you
know?

http://www.linuxsecurity.com/articles/security_sources_article-6419.html

+------------------------+
| Network Security News: |
+------------------------+

* Using ssh with public key authentication, AgentForward, and keychain
  December 27th, 2002

The idea is that you can engage in a "multi-machine ssh session" in
which all authentication is tunneled back to the first machine from
which you started your session.

http://www.linuxsecurity.com/articles/documentation_article-6445.html

* Government Agencies Plug Leaks In Wireless Networks
  December 27th, 2002

Since anyone with the software could pry, cable is back in style. The
Meteorological Agency and the Tokyo metropolitan government stopped
using wireless local area networks (LAN) last week after learning data
was wide open to anyone with the will and the right software.

http://www.linuxsecurity.com/articles/network_security_article-6448.html

* Secure Passwordless Logins with SSH Part 2
  December 26th, 2002

Setting up your accounts to allow identity-based authentication gives
you several new options to allow passwordless access to those accounts.
The end goal is to allow passwordless access that can only run specific
commands, rather than full fettered login ability, but we'll start with
the more general solution as our first step.

http://www.linuxsecurity.com/articles/documentation_article-6435.html

* Security Year in Review by Mixter
  December 24th, 2002

With the media hype generated about the possibility, I'm sure there will
be superworms (exploit-using platform independent worms) out relatively
soon. Also, Microsoft security continues to be a problem with MDAC- and
RPC-related vulnerabilities.

http://www.linuxsecurity.com/articles/forums_article-6425.html

* 2003 Survivor's Guide to Security
  December 24th, 2002

Consider stalled IT budgets and a lingering feeling of insecurity a
mandate to get a handle on new security technologies and products in
2003.
Of course, with vendors bombarding you with an ever-widening range of
gee-whiz security gizmos, that's easier said than done.

http://www.linuxsecurity.com/articles/security_sources_article-6429.html

+------------------------+
| Cryptography News:     |
+------------------------+

* Encryption of Agency's Web Documents Probed
  December 27th, 2002

Computer security followers are questioning the way the U.S.
transportation security administration, which oversees airport security
and other transportation issues, is protecting some restricted documents
on its Web site.

http://www.linuxsecurity.com/articles/cryptography_article-6447.html

* Encrypting Your E-mail
  December 24th, 2002

Afraid an unauthorized someone is reading your personal e-mail? Then
prevent it by encrypting your e-mail using a program such as PGP (Pretty
Good Privacy).

http://www.linuxsecurity.com/articles/cryptography_article-6426.html

* Encryption in the Enterprise
  December 24th, 2002

When it comes to computer security, the primary question is not whether
enterprises should be paranoid, but how paranoid they should be. To
reduce their risk, many companies are attempting to put encryption to
work.

http://www.linuxsecurity.com/articles/cryptography_article-6428.html

+------------------------+
| General News:          |
+------------------------+

* Phrack #60 Released
  December 29th, 2002

In this issue of phrack magazine, Smashing The Kernel Stack For Fun And
Profit, Big Loop Integer Protection, Burning the bridge: Cisco IOS
exploits, Static Kernel Patching, Basic Integer Overflows, SMB/CIFS By
The Root, Firewall Spotting with broken CRC, Low Cost and Portable GPS
Jammer, Phrack World News, and comments from the staff.

http://www.linuxsecurity.com/articles/documentation_article-6450.html

* FBI IT Falls Short
  December 26th, 2002

The FBI is not effectively managing the costs, schedules and performance
of its information technology investments, including its
multimillion-dollar Trilogy program, according to the Justice
Department's Office of the Inspector General.

http://www.linuxsecurity.com/articles/government_article-6442.html

* Santa Considering Move to Linux
  December 26th, 2002

North Pole - Citing concerns about security and licensing costs, Santa
Claus is considering migrating his computer systems from Microsoft
Windows to Linux.

http://www.linuxsecurity.com/articles/projects_article-6433.html

* Is the Sky Really Falling?
  December 26th, 2002

A CSO who spreads security paranoia is only making his own job harder.
"THE SQUEAKY WHEEL doesn't always get the grease. Sometimes it gets
replaced." This fortune cookie quote nicely sums up the career cycles of
security professionals.

http://www.linuxsecurity.com/articles/general_article-6437.html

* Making Security Pay
  December 23rd, 2002

No company can expect to stay in business unless it sheds unnecessary
costs while also preserving value-added services. This is a major
problem for security, since it's typically seen as a "grudge spend" that
doesn't actually generate revenue or create immediate ROI.

http://www.linuxsecurity.com/articles/general_article-6420.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
------------------------------------------------------------------------