[ISN] Linux Security Week - February 3rd 2003

From: InfoSec News (isnat_private)
Date: Tue Feb 04 2003 - 02:47:41 PST

  • Next message: InfoSec News: "[ISN] Perspective: The first 'e-war'"

    |  LinuxSecurity.com                            Weekly Newsletter     |
    |  February 3rd, 2003                            Volume 4, Number 5n  |
    |                                                                     |
    |  Editorial Team:  Dave Wreski             daveat_private    |
    |                   Benjamin Thomas         benat_private     |
    Thank you for reading the LinuxSecurity.com weekly security newsletter.
    The purpose of this document is to provide our readers with a quick
    summary of each week's most relevant Linux security headlines.
    This week, perhaps the most interesting articles include "rsync: A Backup
    Strategy for Modern Times," "Network Security: Best Practices,"
    "Developing A Security Policy," and "Rule Definition For Anomoly Based
    Intrusion Detection."
    This week, advisories were released for kdeutils, noffle, dhcp3, tomcat3,
    courier, mysql, fetchmail, vim, webalizer, postgresql, and cvs. The
    distributors include Debian, Guardian Digital's EnGarde Secure Linux,
    Mandrake, and Yellow Dog.
    Patching It Up - Patching and upgrading software requires more than
    running a few commands. Having a patch recovery plan, communicating with
    developers on that server, and knowing who to contact in case of a botched
    patch job is critical.
    CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!
    Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
    Editor's Choice Award, EnGarde "walked away with our Editor's Choice award
    thanks to the depth of its security strategy..." Find out what the other
    Linux vendors are not telling you.
    LINUXSECURITY.COM FEATURE: Newest Members of the Team Just to give
    everyone an idea about who writes these articles and feature stories that
    we spend so much of our time reading each day, I have decided to ask Brian
    Hatch and Duane Dunston, the newest members of the LinuxSecurity.com team,
    a few questions.
    | Host Security News: | <<-----[ Articles This Week ]-------------
    * Interview with Donald L. Pipkin
    January 31st, 2003
    I am an Information Security Architect at Hewlett-Packard. I've been with
    HP eighteen years; most of that time I have spent in the area of
    information security. I help customers before a security incident by
    evaluating their security and, after there has been a security breach. I
    help them in recovering their systems.
    * Cryptography Contest: Cracking an Algorithm bit by bit.
    January 29th, 2003
    This week, we begin to reverse engineer the home-grown encryption
    algorithm discussed last week. Last week I offered you five examples of
    "encrypted" text that were generated by a home-grown crypto system. Your
    job was to reverse engineer the algorithm.
    * MPEG-4 Consortium Keys on Security
    January 29th, 2003
    A streaming-media consortium set a schedule this week for finalizing
    technical specs for MPEG-4 security and rights management--components that
    are key to the open standard's adoption among content owners. The Internet
    Streaming Media Alliance (ISMA)--a global group of companies including
    Apple Computer, Cisco Systems and Sun Microsystems
    * rsync: A Backup Strategy for Modern Times
    January 27th, 2003
    The use of hard drives for backups is outpacing other forms of backup
    media by a country mile. The largest IDE drive available right now is 200
    gigabytes (Western Digital's Drivezilla, which gets my vote for best
    name). Tape backup has valiantly attempted to keep pace.
    | Network Security News: |
    * DNS Cache Poisoning - The Next Generation
    January 31st, 2003
    The old problem of DNS cache poisoning has again reared its ugly head.
    While some would argue that the domain name system protocol is inherently
    vulnerable to this style of attack due to the weakness of 16-bit
    transaction IDs, we cannot ignore the immediate threat while waiting for
    something better to come along.
    * Developing A Security Policy
    January 30th, 2003
    Ever since the provision of internet connections became a must-have for
    the vast majority of businesses, the threat from malicious hackers and
    viruses has been growing exponentially.
    * Network Security: Best Practices
    January 30th, 2003
    Believe it or not, best practices in network security begin with a
    top-down policy. Policy begins with understanding what it is you need to
    protect and what it is you need to protect against. The levels of
    responsibility need to be understood, and that implies that security is
    everyone's job, as each employee understands how he or she contributes to
    the organization.
    * Firewall Geeks Meet the Night Watchmen
    January 30th, 2003
    As the information-technology director for Indianapolis Motor Speedway,
    Jon Koskey keeps a close eye on computer security at the venerable
    Brickyard, home to the Indy 500. His three-person staff monitors 450
    networked devices including servers, desktops, and printers.
    * FAA Technologist Urges Better Security In Network Boxes
    January 29th, 2003
    In a keynote address at the Comnet 2003 conference here Tuesday (Jan. 28),
    the chief information officer of the U.S. Federal Aviation Administration
    urged networking equipment designers to add security capabilities to their
    systems earlier in the design process.
    * Remote Gkrellm Over SSH Mini-HOWTO
    January 29th, 2003
    It's nice to have a server, router or firewall tucked away in a closet or
    in a dark corner of a room and still be able to access it over your local
    network. But what about monitoring it? Keeping an eye on a local computer
    is easy with Gkrellm, so why not a remote computer?
    * Wireless Warriors Discover Cracks in Calgary's Corporate Security
    January 28th, 2003
    In his green Honda CRV, Jason Kaczor looks like any other commuter
    navigating his way through Calgary's downtown streets in the early hours
    of the morning.  Few realize he is a participant in a bizarre electronic
    scavenger hunt known as "war driving" -- a real life "game" that exposes
    companies and consumers who are vulnerable to a mobile hacker attack
    * What to look for when buying a VPN
    January 28th, 2003
    Virtual private networking is becoming an integral part of today's data
    networks. Virtual private network (VPN) drivers range from securing
    corporate communications to reducing costs by replacing leased lines. But
    for those who have not yet deployed a VPN, the options can be daunting.
    There are several approaches and dozens of products and services from
    which to choose, each with its own pros and cons.
    * Rule Definition For Anomoly Based Intrusion Detection
    January 27th, 2003
    Intrusion Detection Systems are one of the fastest growing technologies in
    the security space. Unfortunately, many companies find it hard to put it
    to use due to the complexity of deployment and or lack of information
    about it possible use.
    | General News:          |
    * Bush Approves Cybersecurity Strategy
    January 31st, 2003
    President Bush has approved the White House's long-awaited national
    cybersecurity strategy, a landmark document intended to guide government
    and industry efforts to protect the nation's most critical information
    systems from cyberattack.
    * DOD Looking Ahead On Security
    January 31st, 2003
    The Defense Department already is considering how to protect information
    in a network-centric environment, according to the department's deputy
    chief information officer. Priscilla Guthrie, DOD's deputy CIO, said a
    white paper is circulating within the department that attempts to lay out
    the department's information assurance (IA) requirements in the envisioned
    network-centric environment, in which data would be made available as
    quickly as possible to those in the organization or on the battlefield who
    need it.
    * Techie Rethinks Disclosing Flaws
    January 30th, 2003
    The British computer expert whose research was linked to the weekend's
    damaging Internet attack pledged Wednesday to reconsider publishing
    blueprints for attack programs that exploit flaws he discovers in popular
    * ID Management Takes A Leap Into Privacy Protection
    January 30th, 2003
    Identity management is more than just granting and revoking user access to
    business systems. With the introduction of new auditing practices and
    regulations by the federal government, businesses are being held
    accountable for the security of their users' personal information.
    * Net Security Chief to Quit
    January 29th, 2003
    Cybersecurity czar Richard Clarke will step down next month after he
    finishes a comprehensive Internet-security plan, industry and government
    sources said Tuesday. Clarke, a longtime White House aide who has led
    efforts to combat terrorism and bolster the security of the nation's
    computer systems, will look for work in the private sector rather than
    take a position in the new Department of Homeland Security, people close
    to the situation said.
    * Dept. of Homeland Security site switches to Linux from Windows 2000
    January 29th, 2003
    The United States Department of Homeland Security (www.dhs.gov) changed
    its servers over to Oracle on Linux last week, after running on Windows
    2000 for several months.
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
         To unsubscribe email newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Feb 04 2003 - 05:39:53 PST