[ISN] Linux Security Week - December 30th 2002

From: InfoSec News (isnat_private)
Date: Tue Dec 31 2002 - 01:01:58 PST

|  LinuxSecurity.com                            Weekly Newsletter     |
|  December 30th, 2002                          Volume 3, Number 52n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             daveat_private            |
|                   Benjamin Thomas         benat_private             |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Trojan Horses
Plague Open Source," "Using ssh with public key authentication," "Secure
Passwordless Logins with SSH," and "Making Security Pay."

No 'A' Word In Time - Maintaining accurate time is required for security.
Many tools and devices exist to ensure that accurate time is maintained on
an organization's systems. Accurate time also makes analysis and system
administration much easier.


This week, advisories were released for bind, perl, canna, klisa,
cyrus-imapd, wget, kde, and fetchmail. The distributors include Caldera,
Debian, Gentoo, and SuSE.



CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!
Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice award
thanks to the depth of its security strategy..." Find out what the other
Linux vendors are not telling you.



If It Ain't Broke See If It's Fixed - Attackers are still compromising
servers with well-known attacks. General awareness can help busy
administrators and users protect their systems from these kinds of
attacks. SANS provides a list of the Top 20 most common security
vulnerabilities, how to identify each, and what can be done to protect
against them.


| Host Security News: | <<-----[ Articles This Week ]-------------

* Trojan Horses Plague Open Source
December 27th, 2002

At least three commonly used open source software packages were altered by
black-hat (bad-guy) hackers to contain "Trojan horse" code this year.
The three most commonly used packages affected were Sendmail, OpenSSH and
tcpdump/libpcap. Others to be modified included BitchX, a chat client, and
Fragrouter, a network security tool.


* Key to Secure Web Services
December 23rd, 2002

One of the most important issues addressed at Gartner's U.S.
Symposium/ITxpo 2002 was the security demands of evolving Web services
models.  SAML is an Extensible Markup Language (XML) based mechanism that
enables disparate entities to exchange identity-related security


* Who's Got Root? Find Out With Tripwire
December 23rd, 2002

Your network groans under the weight of monitors and alarms. Every packet,
every bit is inspected, scrutinized, sanitized, and organized. Surely it
is time to relax and take it easy. Except for one little nagging worry: if
an intruder slides through all the barriers, past all the traps, and
successfully cozies into a snug corner, how will you know?


| Network Security News: |

* Using ssh with public key authentication, AgentForward, and
December 27th, 2002

The idea is that you can engage in a "multi-machine ssh session" in which
all authentication is tunneled back to the first machine from which you
started your session.


* Government Agencies Plug Leaks In Wireless Networks
December 27th, 2002

Since anyone with the software could pry, cable is back in style. The
Meteorological Agency and the Tokyo metropolitan government stopped using
wireless local area networks (LAN) last week after learning data was wide
open to anyone with the will and the right software.


* Secure Passwordless Logins with SSH Part 2
December 26th, 2002

Setting up your accounts to allow identity-based authentication gives you
several new options to allow passwordless access to those accounts.  The
end goal is to allow passwordless access that can only run specific
commands, rather than full unfettered login ability, but we'll start with
the more general solution as our first step.


* Security Year in Review by Mixter
December 24th, 2002

With the media hype generated about the possibility, I'm sure there will
be superworms (exploit-using, platform-independent worms) out relatively
soon. Also, Microsoft security continues to be a problem with MDAC- and
RPC-related vulnerabilities.


* 2003 Survivor's Guide to Security
December 24th, 2002

Consider stalled IT budgets and a lingering feeling of insecurity a
mandate to get a handle on new security technologies and products in 2003.
Of course, with vendors bombarding you with an ever-widening range of
gee-whiz security gizmos, that's easier said than done.


| Cryptography News:     |

* Encryption of Agency's Web Documents Probed
December 27th, 2002

Computer security followers are questioning the way the U.S.
Transportation Security Administration, which oversees airport security
and other transportation issues, is protecting some restricted documents
on its Web site.


* Encrypting Your E-mail
December 24th, 2002

Afraid an unauthorized someone is reading your personal e-mail? Then
prevent it by encrypting your e-mail using a program such as PGP (Pretty
Good Privacy).


* Encryption in the Enterprise
December 24th, 2002

When it comes to computer security, the primary question is not whether
enterprises should be paranoid, but how paranoid they should be. To reduce
their risk, many companies are attempting to put encryption to work.


| General News:          |

* Phrack #60 Released
December 29th, 2002

In this issue of Phrack magazine: Smashing The Kernel Stack For Fun And
Profit, Big Loop Integer Protection, Burning the Bridge: Cisco IOS
Exploits, Static Kernel Patching, Basic Integer Overflows, SMB/CIFS By The
Root, Firewall Spotting with Broken CRC, Low Cost and Portable GPS Jammer,
Phrack World News, and comments from the staff.


* FBI IT Falls Short
December 26th, 2002

The FBI is not effectively managing the costs, schedules and performance
of its information technology investments, including its
multimillion-dollar Trilogy program, according to the Justice Department's
Office of the Inspector General.


* Santa Considering Move to Linux
December 26th, 2002

North Pole - Citing concerns about security and licensing costs, Santa
Claus is considering migrating his computer systems from Microsoft Windows
to Linux.


* Is the Sky Really Falling?
December 26th, 2002

A CSO who spreads security paranoia is only making his own job harder. "The
squeaky wheel doesn't always get the grease. Sometimes it gets replaced."
This fortune cookie quote nicely sums up the career cycles of security


* Making Security Pay
December 23rd, 2002

No company can expect to stay in business unless it sheds unnecessary
costs while also preserving value-added services. This is a major problem
for security, since it's typically seen as a "grudge spend" that doesn't
actually generate revenue or create immediate ROI.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-requestat_private
         with "unsubscribe" in the subject of the message.

ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.

This archive was generated by hypermail 2b30 : Tue Dec 31 2002 - 08:01:46 PST