[ISN] Linux Security Week - November 17th 2003

From: InfoSec News (isn@private)
Date: Tue Nov 18 2003 - 04:07:39 PST

    +---------------------------------------------------------------------+
    |  LinuxSecurity.com                            Weekly Newsletter     |
    |  November 17th, 2003                           Volume 4, Number 46n |
    |                                                                     |
    |  Editorial Team:  Dave Wreski             dave@private    |
    |                   Benjamin Thomas         ben@private     |
    +---------------------------------------------------------------------+
    
    Thank you for reading the LinuxSecurity.com weekly security newsletter.
    The purpose of this document is to provide our readers with a quick
    summary of each week's most relevant Linux security headlines.
    
    This week, perhaps the most interesting articles include "Profile, Nessus
    Vulnerability Scanner," "Securing Your Wireless Networks," "SSL networking
    heats up," and "Attacking the DNS Protocol."
    
    ---
    
    >> Get Thawte's NEW Step-by-Step SSL Guide for Apache <<
    
    In this guide you will find out how to test, purchase, install and use a
    Thawte Digital Certificate on your Apache web server. Throughout, best
    practices for set-up are highlighted to help you ensure efficient ongoing
    management of your encryption keys and digital certificates. Get your copy
    of this new guide now:
    
     Click Command:
     https://www.guardiandigital.com/cgi-bin/thawteguide.pl?guidetype=apache
    
    ---
    
    LINUX ADVISORY WATCH:
    This week, advisories were released for thttpd, cups, ethereal, mpg123,
    xinetd, hylafax, postgresql, conquest, epic4, glibc, and zebra.  The
    distributors include Conectiva, Debian, Mandrake, Red Hat, and SuSE.
    
    http://www.linuxsecurity.com/articles/forums_article-8332.html
    
    
    OpenVPN: An Introduction and Interview with Founder, James Yonan
    
    In this article, Duane Dunston gives a brief introduction to OpenVPN and
    interviews its founder James Yonan.
    
    http://www.linuxsecurity.com/feature_stories/feature_story-152.html
    
    ---
    
    FEATURE: R00ting The Hacker
    
    Dan Verton, the author of The Hacker Diaries: Confessions of Teenage
    Hackers is a former intelligence officer in the U.S. Marine Corps who
    currently writes for Computerworld and CNN.com, covering national
    cyber-security issues and critical infrastructure protection.
    
    http://www.linuxsecurity.com/feature_stories/feature_story-150.html
    
    
    -->  Take advantage of the LinuxSecurity.com Quick Reference Card!
    -->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf
    
    +---------------------+
    | Host Security News: | <<-----[ Articles This Week ]-------------
    +---------------------+
    
    * How Not to Program in PHP -- Part I
    November 14th, 2003
    
    PHP has become an Open Source success for web development because of its
    ease of use and ubiquitous code. But PHP's very reputation for quick
    development could get you in trouble unless you take advantage of its
    built-in security precautions.  Just as there are tried and true rules for
    programming in PHP, there are also clear ways NOT to program in PHP. Most
    of the latter stem from carelessness.
    
    http://www.linuxsecurity.com/articles/security_sources_article-8331.html
    
    
    * Security by design beats retro-fitting
    November 13th, 2003
    
    Corporate network security is increasingly becoming a design consideration
    rather than a matter of "retro-fitting" security appliances and software,
    according to industry consultants. Alphawest's national business
    continuity manager Tim Smith said the company has seen a new trend this
    year in networks being designed to meet security concerns.
    
    http://www.linuxsecurity.com/articles/network_security_article-8321.html
    
    
    * Managing User Accounts in Lindows
    November 13th, 2003
    
    A special account called root can be found in any Linux or other
    UNIX-based system. The Lindows login manager calls this account
    Administrator. Sometimes the root account is called the Super-User
    account.  This account has full permission over the system--it can do
    almost anything.
    
    http://www.linuxsecurity.com/articles/host_security_article-8322.html
    
    
    * Data forensics
    November 13th, 2003
    
    Part of your security package should include forensic testing, and the
    process is as important as the tools you use. Jon Tullett identifies the
    right approach.  With incident response closely tied to business
    continuity and the bottom line, computer forensics has become a core
    component of corporate security, and a daily weapon in the arsenal of law
    enforcement agencies.
    
    http://www.linuxsecurity.com/articles/host_security_article-8327.html
    
    
    * Profile: Nessus Vulnerability Scanner
    November 10th, 2003
    
    The power and performance of Nessus, combined with the price (FREE), make
    it a compelling choice for a vulnerability scanner.  Nessus also makes no
    assumptions regarding what services are running on what ports and it
    actively attempts to exploit vulnerabilities rather than just comparing
    version numbers of the active services.
    
    http://www.linuxsecurity.com/articles/security_sources_article-8294.html
    
    
    
    +------------------------+
    | Network Security News: |
    +------------------------+
    
    * Security tops networking priority list
    November 14th, 2003
    
    According to a recent survey conducted by SearchNetworking.com, security
    products are at the top of many networking pros' wish lists. Forty-seven
    percent of respondents to SearchNetworking.com's 2003 Networking Report
    Card survey said that network security would be among the initiatives that
    receive the greatest resource commitments from their organizations next
    year.
    
    http://www.linuxsecurity.com/articles/network_security_article-8335.html
    
    
    * Securing Your Wireless Networks
    November 13th, 2003
    
    Wireless security has had more than its fair share of bad press. The
    failure of the wired equivalent privacy (WEP) encryption standard to
    withstand hacking attacks did nothing to help the situation.  And doubts
    linger over its successor, the Wi-Fi Protected Access (WPA), which will
    include the second version of WPA 2 and the 802.1x authentication
    standard.
    
    http://www.linuxsecurity.com/articles/network_security_article-8328.html
    
    
    * SSL networking heats up
    November 12th, 2003
    
    The market is heating up for products that allow secure access to
    corporate networks based on a widely used browser security technology
    known as secure sockets layer encryption.  Cisco Systems became the latest
    company to introduce a virtual private network (VPN) product based on
    secure sockets layer (SSL) encryption when it announced on Monday that it
    would add the feature to its 3000 series of network concentrators.
    
    http://www.linuxsecurity.com/articles/vendors_products_article-8320.html
    
    
    * Attacking the DNS Protocol
    November 12th, 2003
    
    DNS is a heavily used protocol on the Internet yet has numerous security
    considerations.  This paper, whilst containing nothing new on DNS security,
    brings together in one document many strands of DNS security which have
    been published and reported in many separate publications before. As such
    this document intends to act as a single point of reference for DNS
    security.
    
    http://www.linuxsecurity.com/articles/network_security_article-8318.html
    
    
    +------------------------+
    | General Security News: |
    +------------------------+
    
    * NIST posts security control guidelines for comment
    November 14th, 2003
    
    The National Institute of Standards and Technology yesterday released an
    initial public draft of recommended security controls for federal
    information systems. The guidelines for mandatory controls are expected to
    go into effect in two years.
    
    http://www.linuxsecurity.com/articles/documentation_article-8336.html
    
    
    * 2+2=5: Microsoft Prepares FUD Security Assault on Linux
    November 12th, 2003
    
    "Microsoft Corp. is preparing a major PR assault over Windows' perceived
    security failings in which it will criticize Linux for taking too long to
    fix bugs, we have learned.  In a sign that the inroads made by the Open
    Source community are starting to rattle the software giant, Microsoft has
    hired several analysts to review how fast holes are patched in the open
    source software and is expected to announce that Windows compares
    favorably."
    
    http://www.linuxsecurity.com/articles/forums_article-8308.html
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    
         To unsubscribe email newsletter-request@private
             with "unsubscribe" in the subject of the message.
    ------------------------------------------------------------------------
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    