[ISN] Linux Security Week - September 22nd 2003

From: InfoSec News (isn@private)
Date: Tue Sep 23 2003 - 07:59:05 PDT


    |  LinuxSecurity.com                            Weekly Newsletter     |
    |  September 22nd, 2003                          Volume 4, Number 38n |
    |                                                                     |
    |  Editorial Team:  Dave Wreski             dave@private    |
    |                   Benjamin Thomas         ben@private     |
    Thank you for reading the LinuxSecurity.com weekly security newsletter.
    The purpose of this document is to provide our readers with a quick
    summary of each week's most relevant Linux security headlines.
    This week, perhaps the most interesting articles include "A Password
    Policy Primer," "Wireless Network Policy Development," "Demonstrating ROI
    for Penetration Testing," and "Have DoS Attacks Gone Out of Style?"
    ---- >> FREE Apache SSL Guide from Thawte << ----
    Are you worried about your web server security?  Click here to get a FREE
    Thawte Apache SSL Guide and find the answers to all your Apache SSL
    security needs.
    Folks, there are a lot of advisories this week. Be sure to check your
    distribution carefully, as many of them are significant. This week,
    advisories were released for mana, pine, gtkhtml, openssh, sendmail,
    MySQL, xfree86, buffer, kernel, and KDE.
    FEATURE: A Practical Approach of Stealthy Remote Administration
    This paper is written for those paranoid administrators who are looking
    for a stealthy technique of managing sensitive servers (like your
    enterprise firewall console or IDS).
    Basic Intrusion Prevention using Content-based Filtering
    This article discusses a useful but seemingly overlooked feature of
    Netfilter, the packet-filtering framework in the Linux kernel: its ability
    to match and filter packets on their payload content, not only on their
    headers.
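    As an added example (not code from the article or the newsletter), here is what that content matching looks like in practice: a shell script that builds a dedicated chain of iptables string-match rules and hooks it in front of a web server. It assumes an iptables build that carries the string match (the 2.4-era patch-o-matic version has no --algo option); the chain name, the patterns and the log prefix are made up for the example.

```shell
#!/bin/sh
# Added example, not from the article: a Netfilter content-filter chain built
# from iptables "string" matches. Assumes iptables with the string match
# (xt_string); chain name, patterns and LOG prefix are this example's own.

# Constructed patterns: request fragments nobody should be sending a web server.
PATTERNS='cmd.exe
/etc/passwd
../../'

# Command used to apply rules. Default is the real iptables; dry_run only prints.
IPT=${IPT:-iptables}
dry_run() { printf '%s\n' "$*"; }

# Read one pattern per line on stdin and emit LOG+DROP rules for each into $1.
# --to 1500 bounds the search to the first 1500 bytes of every packet, which
# keeps the cost predictable on a busy link.
build_content_chain() {
    chain=$1
    $IPT -N "$chain"
    while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        $IPT -A "$chain" -m string --string "$pat" --algo bm --to 1500 \
             -j LOG --log-prefix "CONTENT-DROP: "
        $IPT -A "$chain" -m string --string "$pat" --algo bm --to 1500 -j DROP
    done
    $IPT -A "$chain" -j RETURN
}

# Hook the chain in front of the web server: inbound HTTP payloads only, so
# the string scan never touches traffic that cannot carry these patterns.
install_content_filter() {
    printf '%s\n' "$PATTERNS" | build_content_chain CONTENT
    $IPT -I INPUT -p tcp --dport 80 -j CONTENT
}

# Number of iptables invocations a dry run produces:
# -N, two per pattern, RETURN, and the INPUT hook.
count_rules() {
    (IPT=dry_run; install_content_filter) | wc -l | tr -d ' '
}
```

    Run install_content_filter as root to apply the rules; count_rules and a dry run (IPT=dry_run) show what would be issued. The match sees one packet at a time, so a pattern split across two TCP segments slips through, and nothing is decoded (URL-encoding defeats it; case folding needs --icase on newer builds), so treat it as a blunt backstop rather than an IDS.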
    -->  Take advantage of the LinuxSecurity.com Quick Reference Card!
    -->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf
    | Host Security News: | <<-----[ Articles This Week ]-------------
    * Web Site Hackerproofing 101
    September 19th, 2003
    In recent weeks, high-profile arrests of hackers and malware authors have
    trained a spotlight on the sometimes-shadowy underworld of computer crime.
    The Internet may seem like a more dangerous place than ever before, but
    Web security administrators can greatly reduce the number of
    vulnerabilities that allow hackers to illegally enter, deface and destroy
    Web sites.
    * A Password Policy Primer
    September 17th, 2003
    We can build our fortress with towering fifty-foot high, four-foot thick
    walls. We can build a moat thirty feet wide to surround those walls. And
    we can even man the castellation with the finest archers. But all will be
    for naught if the enemy crosses the drawbridge in the guise of one of our
    fellows and gives a good password to the gatekeeper.
    * Fine-Tuning Linux Administration with ACLs
    September 17th, 2003
    Linux's venerable file and user permissions system is solid and
    dependable, but not very flexible, unfortunately. For users to share
    access to a particular document or resource, they must all be in the same
    group. It's an all-or-nothing deal, as all users within a group have all
    the same rights, which is most inconvenient when you wish to exclude
    someone, or include someone only on a limited basis.
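    The article's point, as an added example that is neither the article's nor the newsletter's code: the classic mode bits first, then a POSIX ACL on the same file that grants one extra user read access and excludes one group member, with the result checked through getfacl. It assumes the acl package's setfacl and getfacl on a filesystem mounted with ACL support; the numeric uids 65534 and 65533 stand in for the two users and are invented for the example.

```shell
#!/bin/sh
# Added example, not from the article: the all-or-nothing group case, then the
# same file with a POSIX ACL. Needs setfacl/getfacl (acl package) on a
# filesystem with ACL support; uids 65534 and 65533 are this example's own.

# Returns 0 when both ACL entries are in place, 2 when ACLs are unavailable
# here (no tools or no filesystem support), 1 on any other failure.
acl_demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/report.txt"
    echo "constructed sample content" > "$f"

    # Mode bits only: every member of the file's group gets exactly r--,
    # and there is no way to say "except this one" or "plus that one".
    chmod 0640 "$f"

    if ! command -v setfacl >/dev/null 2>&1 || ! command -v getfacl >/dev/null 2>&1; then
        rm -rf "$dir"; return 2
    fi
    # Admit one extra user read-only without touching the group at all.
    if ! setfacl -m u:65534:r-- "$f" 2>/dev/null; then
        rm -rf "$dir"; return 2
    fi
    # Shut one group member out: a named-user entry takes precedence over
    # the group entry when the kernel evaluates the ACL.
    setfacl -m u:65533:--- "$f" || { rm -rf "$dir"; return 1; }

    # Read the ACL back with numeric ids so no account needs to exist.
    acl=$(getfacl -n "$f" 2>/dev/null)
    rm -rf "$dir"
    printf '%s\n' "$acl" | grep -q '^user:65534:r--' || return 1
    printf '%s\n' "$acl" | grep -q '^user:65533:---' || return 1
    # The mask entry caps the effective rights of every named user and of
    # the group; setfacl recomputed it as r-- from the entries above.
    printf '%s\n' "$acl" | grep -q '^mask::r--' || return 1
    return 0
}
```

    acl_demo returns 0 when both entries are present and 2 when the tools or the filesystem lack ACL support. Watch the mask entry: once an ACL exists, chmod on the group bits rewrites the mask rather than the group entry, so a careless chmod g-r later cuts every named user back as well.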
    | Network Security News: |
    * Four Questions To Ask To Stay Secure In An Anywhere, Anytime World
    September 19th, 2003
    We live in an era that increasingly demands anywhere, anytime access to
    all of our business resources. What started with giving pagers to our most
    critical employees has evolved into ubiquitous use of cell phones and
    Wi-Fi access almost anywhere, even in McDonald's.
    * SSH on Edge Routers
    September 18th, 2003
    This paper describes security measures, often overlooked, that one should
    take on edge routers: securing the routers with secure management
    protocols like SSH, and filtering advice to prevent unwanted
    * Wireless Network Policy Development (Part One)
    September 18th, 2003
    The need for wireless policy has never been greater. 802.11/a/b/g wireless
    networks (WLANs) [1] have taken the Information Technology world by storm.
    With 35 million units expected to sell in 2003 and with a predicted growth
    rate of 50-200% compounded year over year through 2006, wireless is here
    to stay.
    * SSH Security Glitch Exposes Networks, Patch Re-released
    September 17th, 2003
    A critical security flaw in SSH has been revealed that threatens servers
    worldwide.  SSH is a widely used encrypted remote management shell for
    Unix, Linux and BSD platforms. Experts say attackers have been exploiting
    the vulnerability to gain access to systems illegally for months.
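    A check a practitioner would run after reading that item, added here and not taken from the article: parse the version string that ssh -V prints and compare it with the release that carried the fix. The fixed release, OpenSSH 3.7.1, comes from the OpenSSH release history rather than from the newsletter text, and the function names are this example's own. Vendors commonly backport fixes without changing the upstream version string, so a result of "older" means "check your distribution's advisory and package version", not "exploitable".

```shell
#!/bin/sh
# Added example, not from the article: flag an OpenSSH older than the release
# that carried the September 2003 buffer-management fix. The reference
# version 3.7.1 is from OpenSSH release history, not from the newsletter.
# Portable suffixes (p1, p2) are ignored; they do not change the comparison.

# Print "major minor patch" from a string such as
# "OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f" or
# "OpenSSH_3.7p1". A missing third component counts as 0. Returns 1 if the
# string is not an OpenSSH banner at all.
openssh_version_tuple() {
    v=$(printf '%s' "$1" | sed -n \
        's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(\.\([0-9][0-9]*\)\)\{0,1\}.*/\1 \2 \4/p')
    [ -n "$v" ] || return 1
    set -- $v
    printf '%s %s %s\n' "$1" "$2" "${3:-0}"
}

# Return 0 when the OpenSSH in $1 is older than the dotted version in $2,
# 1 when it is equal or newer, 2 when $1 could not be parsed.
openssh_older_than() {
    have=$(openssh_version_tuple "$1") || return 2
    set -- $have $(printf '%s' "$2" | tr '.' ' ')
    # $1 $2 $3 = installed, $4 $5 $6 = reference
    [ "$1" -lt "$4" ] && return 0
    [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0
    [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "${6:-0}" ]
}

# Live check against the installed client/server package (ssh -V writes to
# stderr). Exit 0 means "older than 3.7.1: go read the vendor advisory".
installed_openssh_predates_fix() {
    openssh_older_than "$(ssh -V 2>&1)" 3.7.1
}
```

    The parser deliberately accepts the full ssh -V line so it can be fed the banner from an unpatched host as well; the distribution's own package version, which may carry the backported fix, remains the authority.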
    * Wireless Security: Preventing Your Data From Vanishing Into Thin
    September 16th, 2003
    Despite its many exciting possibilities for new business opportunities,
    cost-savings, and user freedom, wireless technology presents serious
    challenges to information security.
    | General Security News: |
    * Have DoS Attacks Gone Out of Style?
    September 19th, 2003
    Less than two months after computer users sighed that the Year 2000 scare
    was only so much hubbub, the Internet world was racked by a series of
    attacks that made people question whether what had been touted as the most
    significant medium in history was as safe as they had thought.
    * Cybersecurity Forum Planned
    September 18th, 2003
    The Homeland Security Department now has the foundation for addressing
    cybersecurity vulnerabilities and response, but the details will be filled
    in at a summit later this year, Robert Liscouski, assistant secretary of
    infrastructure protection, testified before a House subcommittee today.
    * NSA, DOD Push Common Criteria For Civilians
    September 18th, 2003
    If civilian agencies join the national security community in limiting
    technology purchases to items that have gone through independent
    evaluation, it could spur vendors to submit more products for
    certification, officials testified today before a House subcommittee.
    * Survey Report: Taking Responsibility
    September 17th, 2003
    Call it job security for information security: More organizations are
    making security a primary job function for IT professionals. It's all
    about adding accountability to the process of securing data. Over the next
    two years, organizations will add more dedicated security personnel and
    invest more on security, according to a survey conducted in June by Secure
    Enterprise of 431 technology managers at U.S. companies and government
    * Demonstrating ROI for Penetration Testing (Part Three)
    September 17th, 2003
    Part one of this series provided a general discussion of ROSI (Return on
    Security Investment) and likened performing penetration testing to having
    a health physical. The key idea was to teach security professionals to
    think like business managers in regards to justifying expenditures for
    security initiatives and security investments.
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
         To unsubscribe email newsletter-request@private
             with "unsubscribe" in the subject of the message.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Sep 23 2003 - 11:54:41 PDT