[ISN] Linux Security Week - August 25th 2003

From: InfoSec News (isnat_private)
Date: Tue Aug 26 2003 - 05:55:29 PDT


    |  LinuxSecurity.com                            Weekly Newsletter     |
    |  August 25th, 2003                             Volume 4, Number 34n |
    |                                                                     |
    |  Editorial Team:  Dave Wreski             daveat_private    |
    |                   Benjamin Thomas         benat_private     |
    Thank you for reading the LinuxSecurity.com weekly security newsletter.
    The purpose of this document is to provide our readers with a quick
    summary of each week's most relevant Linux security headlines.
    This week, perhaps the most interesting articles include "Penetration
    Testing for Web Applications," "Pocket Wi-Fi Sniffers End Missing Hotspot
    Misery," "RISC Processor Takes Network Security Onboard," and "Don't Drive
    Your Security Staff Nuts."
    This week, advisories were released for openslp, zip, netris, autorespond,
    unzip, eroaster, and GDM. The distributors include Conectiva, Debian,
    Mandrake, and Red Hat.
    Basic Intrusion Prevention using Content-based Filtering
    This article discusses a very useful but seemingly overlooked feature of
    Netfilter, the packet-filtering framework in the Linux kernel: the
    ability to match and filter packets on their payload content.
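    A caveat a practitioner will want before relying on content matching as
    intrusion prevention: Netfilter inspects one packet at a time and does no
    TCP stream reassembly, so a pattern that straddles a segment boundary is
    invisible to a per-packet string match even though the receiving host sees
    it intact. The following is an added example (not code from the article or
    from Netfilter) that simulates that failure mode in Python; the request
    and the pattern are constructed for the demonstration, and with today's
    iptables the per-packet rule it models would be of the form
    `iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string "/etc/passwd" -j DROP`.

```python
"""Per-packet content matching versus matching on the reassembled stream.

Added example, not Netfilter's code: it simulates what a per-packet string
match sees when a pattern is split across two TCP segments. The pattern
and the HTTP request below are constructed for this demonstration.
"""
from typing import List

PATTERN = b"/etc/passwd"  # constructed signature a content filter might block

# Constructed sample: one HTTP request carrying the pattern exactly once.
REQUEST = (b"GET /cgi-bin/show?file=../../etc/passwd HTTP/1.0\r\n"
           b"Host: www.example.com\r\n\r\n")


def packet_filter(segments: List[bytes], pattern: bytes) -> List[int]:
    """Indices of segments that match when each packet is inspected on its
    own, which is all a per-packet content filter can do."""
    return [i for i, seg in enumerate(segments) if pattern in seg]


def stream_filter(segments: List[bytes], pattern: bytes) -> bool:
    """Match after reassembling the segments in order, which is what the
    receiving TCP stack (or an IDS with stream reassembly) actually sees."""
    return pattern in b"".join(segments)


def split_at(data: bytes, n: int) -> List[bytes]:
    """Deliver `data` as two TCP segments, cut at byte offset n."""
    return [data[:n], data[n:]]


def evading_splits(data: bytes, pattern: bytes) -> List[int]:
    """Every two-segment split offset that hides `pattern` from a per-packet
    filter while the reassembled stream still contains it. For a single
    occurrence of a pattern of length L there are L-1 such offsets."""
    return [n for n in range(1, len(data))
            if not packet_filter(split_at(data, n), pattern)
            and stream_filter(split_at(data, n), pattern)]


if __name__ == "__main__":
    print("single packet:", packet_filter([REQUEST], PATTERN))
    cut = REQUEST.index(PATTERN) + 4                 # "/etc" | "/passwd"
    print("split at %d:" % cut, packet_filter(split_at(REQUEST, cut), PATTERN),
          "stream:", stream_filter(split_at(REQUEST, cut), PATTERN))
    print("evading split offsets:", evading_splits(REQUEST, PATTERN))
```

    The per-packet check finds the pattern when the request arrives in one
    segment and misses it at every split inside the pattern, while the
    reassembled stream still matches; an attacker who controls segmentation
    (a small MSS, or deliberate sends) can choose any of those offsets.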
    Expert vs. Expertise: Computer Forensics and the Alternative OS
    No longer a dark and mysterious process, computer forensics has been a
    significant presence on the scene for more than five years now. Despite
    this, it has only recently gained the notoriety it deserves.
    -->  Take advantage of the LinuxSecurity.com Quick Reference Card!
    -->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf
    | Host Security News: | <<-----[ Articles This Week ]-------------
    * Penetration Testing for Web Applications (Part Three)
    August 21st, 2003
    In the first installment of this series we introduced the reader to web
    application security issues and stressed the significance of input
    validation. In the second installment, several categories of web
    application vulnerabilities were discussed and methods for locating these
    vulnerabilities were outlined.
    * Think Like a Hacker: The Best Scanning Tools
    August 18th, 2003
    A curious change has come over the image of computer security in the last
    few years. Whereas headlines once screamed the exploits of allegedly evil
    hackers, the story now is all about bad code -- unpatched software, poorly
    secured firewalls and computer passwords left in plain sight. The hackers
    are not the real culprits; the security holes are.
    * FreeBSD Access Control Lists
    August 18th, 2003
    Unix permissions are flexible and can solve almost any access control
    problem, but what about the ones they can't? Do you really want to make a
    group every time you want to share a file with another user? Perhaps you
    don't have root, and you can't create a group at will. Sometimes the
    limitations can cause security problems; it would be nice to be able to
    make a directory available to a web server or other user without making
    the files world-readable or world-writable.
    * Passive OS Fingerprinting
    August 18th, 2003
    If there's any way you could contribute, I'd really appreciate this.
    I set up a very simple visit-to-fingerprint page to gather p0f signatures
    for the new version (which is getting more and more interesting, I never
    expected so much feedback).
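    For readers who have not seen how passive fingerprinting works: a tool
    like p0f never sends a probe; it reads the SYN a host emits and keys on
    the initial TTL (recovered by rounding the observed TTL up to the nearest
    common starting value), the don't-fragment bit, the window size (often a
    multiple of the MSS) and the exact order of TCP options, all of which are
    set by the operating system's stack. The following is an added example in
    that style, not p0f's own code; the signature table is constructed for
    illustration rather than taken from p0f's database, and the sample SYNs
    are built inline so it runs offline.

```python
"""Passive OS fingerprinting from a single TCP SYN, in the style of p0f.

Added example, not p0f's code. The signature table is constructed for
illustration (assumption, not p0f's database); sample SYNs are built inline.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SynFeatures:
    ttl: int            # TTL seen on the wire
    initial_ttl: int    # TTL the sender most likely started with (32/64/128/255)
    distance: int       # estimated hop count = initial_ttl - ttl
    df: bool            # IP "don't fragment" bit
    window: int         # TCP window size
    mss: Optional[int]
    wscale: Optional[int]
    sack_ok: bool
    timestamp: bool
    option_order: str   # TCP option layout, e.g. "M,S,T,N,W"


def guess_initial_ttl(ttl: int) -> int:
    # Stacks start at a few common TTLs and each router decrements by one,
    # so the smallest common value >= the observed TTL is the best guess.
    for candidate in (32, 64, 128, 255):
        if ttl <= candidate:
            return candidate
    return 255


def parse_syn(packet: bytes) -> SynFeatures:
    """Extract the fields a passive fingerprinter keys on from an IPv4/TCP SYN."""
    (vihl, _tos, _tlen, _ident, flags_frag, ttl, proto,
     _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if vihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = packet[(vihl & 0x0F) * 4:]
    (_sport, _dport, _seq, _ack, off_flags,
     window, _tcsum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    if not (off_flags & 0x02) or (off_flags & 0x10):
        raise ValueError("not a bare SYN (SYN set, ACK clear)")
    opts = tcp[20:(off_flags >> 12) * 4]
    mss = wscale = None
    sack_ok = timestamp = False
    order: List[str] = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            order.append("E")
            break
        if kind == 1:                      # NOP padding: its position is part of the signature
            order.append("N")
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:      # maximum segment size
            mss = struct.unpack("!H", body)[0]
            order.append("M")
        elif kind == 3 and length == 3:    # window scale
            wscale = body[0]
            order.append("W")
        elif kind == 4 and length == 2:    # SACK permitted
            sack_ok = True
            order.append("S")
        elif kind == 8 and length == 10:   # timestamps
            timestamp = True
            order.append("T")
        else:
            order.append("?%d" % kind)     # unknown option, still distinguishes stacks
        i += length
    initial = guess_initial_ttl(ttl)
    return SynFeatures(ttl, initial, initial - ttl, bool(flags_frag & 0x4000),
                       window, mss, wscale, sack_ok, timestamp, ",".join(order))


# Constructed, illustrative signature table (assumption: not p0f's real database).
# "window" is an absolute value or "mss*N" (window expressed as a multiple of MSS).
SIGNATURES = [
    {"label": "Linux 2.4 (illustrative)", "initial_ttl": 64, "df": True, "window": "mss*4", "order": "M,S,T,N,W"},
    {"label": "Windows 2000/XP (illustrative)", "initial_ttl": 128, "df": True, "window": 16384, "order": "M,N,N,S"},
    {"label": "FreeBSD 4.x (illustrative)", "initial_ttl": 64, "df": True, "window": 65535, "order": "M,N,W,N,N,T"},
]


def window_matches(spec, feat: SynFeatures) -> bool:
    if isinstance(spec, str) and spec.startswith("mss*"):
        return feat.mss is not None and feat.window == feat.mss * int(spec[4:])
    return feat.window == spec


def fingerprint(packet: bytes) -> str:
    feat = parse_syn(packet)
    for sig in SIGNATURES:
        if (sig["initial_ttl"] == feat.initial_ttl and sig["df"] == feat.df
                and sig["order"] == feat.option_order and window_matches(sig["window"], feat)):
            return sig["label"]
    return "UNKNOWN"


# --- constructed sample SYNs (checksums left zero; nothing here verifies them) ---
def opt_mss(v): return struct.pack("!BBH", 2, 4, v)
def opt_ws(v): return bytes([3, 3, v])
OPT_NOP, OPT_SACK = b"\x01", b"\x04\x02"
OPT_TS = struct.pack("!BBII", 8, 10, 123456, 0)


def build_syn(ttl: int, df: bool, window: int, options: bytes) -> bytes:
    assert len(options) % 4 == 0, "options must be 32-bit aligned (pad with NOPs)"
    doff = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (doff << 12) | 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


SAMPLE_SYNS = {
    "linux": build_syn(52, True, 1460 * 4, opt_mss(1460) + OPT_SACK + OPT_TS + OPT_NOP + opt_ws(0)),
    "windows": build_syn(117, True, 16384, opt_mss(1460) + OPT_NOP + OPT_NOP + OPT_SACK),
    "freebsd": build_syn(60, True, 65535, opt_mss(1460) + OPT_NOP + opt_ws(0) + OPT_NOP + OPT_NOP + OPT_TS),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_SYNS.items():
        f = parse_syn(pkt)
        print(f"{name:8s} ttl={f.ttl} (~{f.distance} hops) win={f.window} opts={f.option_order} -> {fingerprint(pkt)}")
```

    The option order is deliberately kept as a string rather than a set: two
    stacks can send the same options and still be told apart by where they put
    their NOP padding, which is much of why p0f asks people to submit
    signatures rather than guessing them.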
    | Network Security News: |
    * Network Security - Submarine Warfare
    August 22nd, 2003
    Perimeter defense is a lost battle.  Like old generals, we're still
    fighting the last war, in which our network was a castle with impregnable
    walls, a well-defined entry point across the drawbridge (head-end router),
    portcullis (firewall) and guards (IDS).
    * Keeping out the intruders: Detecting and preventing
    August 22nd, 2003
    A recent report from research group Gartner, Inc. caused a ruckus in the
    intrusion detection/intrusion prevention system market. In the Information
    Security Hype Cycle, Richard Stiennon, research vice president for
    Gartner, concluded that IDSs had failed to offer up any value to companies
    relative to their associated costs, and would fall away by 2005.
    * ARTClass: An ANN-based Adaptive IDS Alert Classifier
    August 21st, 2003
    This whitepaper describes ARTClass, an IDS alert classifier based on
    Artificial Neural Networks and Adaptive Resonance Theory. ARTClass design
    relies upon novel domain-specific models and mechanisms allowing it to
    adapt to the quasi-stable nature of the IDS event stream.
    * Wireless on Linux, Part 1
    August 21st, 2003
    For the harassed, overworked network admin, connecting new clients without
    having to run additional cabling is so much fun it feels wrong. Miles of
    pretty color-coded cables and tags are aesthetically pleasing and useful,
    of course, and who hasn't experienced the satisfaction of crimping
    connectors? There's nothing like the authoritative SNICK of a perfect
    crimp. (For some of us deskbound-geeks, grip strength is all we have.)
    * Pocket Wi-Fi Sniffers End Missing Hotspot Misery
    August 21st, 2003
    Road warriors know the frustration: you're in a foreign city and want to
    find a Wi-Fi access point. Normally that means looking on the Internet for
    site directories that can tell you where the nearest hotspots are located,
    such as WiFinder or WiFiMaps. Most of the time, it's trial and error.
    * Powerful Wireless Security Tools for Free
    August 20th, 2003
    Despite the best efforts of developers and standards bodies, wireless LANs
    (WLANs) are still the poster child for unsecured networks. Wireless
    network-security protocols contain enormous loopholes, coverage areas leak
    like a broken faucet, and many administrators do not even bother to turn
    on the security features that come with their systems.
    | General Security News: |
    * No Time To Relax
    August 22nd, 2003
    Security threats to business-technology systems keep growing. More than
    76,000 security incidents were reported in the first six months of this
    year, compared with about 82,000 reported for all of 2002.
    * The Concept of Security
    August 22nd, 2003
    As I sat one morning working on some loose ends, my e-mail inbox signaled
    the arrival of some new message. Experience is the best teacher, and my
    experience told me this was a new worm or virus. The attachment was
    zipped, so I saved it to my Windows desktop and then FTPed it to one of my
    Linux boxes.
    * Practical Unix & Internet Security 3/e
    August 22nd, 2003
    In 1991 "Practical Unix Security" was released and became an instant hit
    in the Information Security community. Back then in the post Morris worm
    era, there was a need for an informative guide, describing the security
    techniques for the UNIX operating system. Five years after the initial
    release, the Internet started to evolve quickly, so the book received a
    revamp as "Practical Unix and Internet Security".
    * Don't Drive Your Security Staff Nuts
    August 22nd, 2003
    Sometimes, in the course of an industry's growth, you miss the obvious
    until it's staring you in the face.  We have finally hit that point in
    information security. We expect our InfoSec staff to handle a massive
    amount of work, and when they fail we ask them "what went wrong?"  What
    went wrong is increasingly that we've asked them to not only be jacks of
    all trades, but masters of all trades too.
    * WS-Security Spec Nearing Completion
    August 21st, 2003
    Web services security is a huge issue for IT, with many companies holding
    off implementation of real-world Web services projects until there's a way
    to truly lock them down. WS-Security is the specification they're waiting
    * Hassled to Death: Rain Forest Puppy, Nerd Overlord
    August 20th, 2003
    If you think famed security researcher Rain Forest Puppy's (RFP) recent
    announcement that he's stepping away from the limelight means he's
    precious, think again -- the guy has just had enough, and the problems
    he's been confronted with are fairly familiar. Take this analogy.
    * RISC Processor Takes Network Security Onboard
    August 20th, 2003
    The SH7710 32bit RISC microprocessor features an IPsec accelerator for
    fast encryption and communication processing.  The device also offers two
    on-chip Ethernet controllers that enable connection to two Ethernet LANs.
    Both peripherals make it suitable for security-enabled devices designed
    for use in networks, such as VPN dedicated boxes, home gateway servers,
    surveillance cameras and IP phones.
    * The IT Security Spending Conundrum
    August 19th, 2003
    The market is growing, revenues are up, spending has not increased. Er,
    what's up?  Recent reports from across the pond suggest that 9/11 did not
    generate the spending surge that many analysts and vendors predicted, and
    it's all because organisations have lapsed back to the bad habits they
    practiced pre-9/11.
    * The Need To Know
    August 19th, 2003
    This just in from the knowledge-management front: Whatever your company is
    doing in this area, and it probably should be doing something, don't call
    it knowledge management.  Many people take a rather dim view of that term.
    OK, let's not mince words: Knowledge management might as well have
    promised to wash the dishes and mow the lawn for all the hard business
    benefits many companies believe they've gotten from it.
    * The Sad Tale of a Security Whistleblower
    August 18th, 2003
    Previous articles in this space have discussed whether security
    professionals can go to jail for doing things like demonstrating the
    insecurity of a wireless network, or conducting a throughput test on a
    system without permission. Now, a new and unwarranted extension of the
    U.S. computer crime law shows that you can go to jail for simply telling
    potential victims that their data is vulnerable.
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
         To unsubscribe email newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 09:56:09 PDT