[ISN] Linux Security Week - December 29th 2003

From: InfoSec News (isn@private)
Date: Tue Dec 30 2003 - 07:28:39 PST


    +---------------------------------------------------------------------+
    |  LinuxSecurity.com                            Weekly Newsletter     |
    |  December 29th, 2003                           Volume 4, Number 52n |
    |                                                                     |
    |  Editorial Team:  Dave Wreski             dave@private    |
    |                   Benjamin Thomas         ben@private     |
    +---------------------------------------------------------------------+
    
    Thank you for reading the LinuxSecurity.com weekly security newsletter.
    The purpose of this document is to provide our readers with a quick
    summary of each week's most relevant Linux security headlines.
    
    This week, perhaps the most interesting articles include "Reflecting On
    Linux Security In 2003," "Network Monitoring with Ethereal," "Terminating
    a Systems Administrator," and "Security Best Practices Should Come Top
    Down."
    
    ---
    
    >> Get Thawte's NEW Step-by-Step SSL Guide for Apache <<
    
    In this guide you will find out how to test, purchase, install and use a
    Thawte Digital Certificate on your Apache web server. Throughout, best
    practices for set-up are highlighted to help you ensure efficient ongoing
    management of your encryption keys and digital certificates.
    
    Get your copy of this new guide now:
    http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=thawte29
    
    ---
    
    LINUX ADVISORY WATCH:
    This week, advisories were released for ethereal, XFree86, BIND, and
    apache. The distributors include Fedora, Mandrake, NetBSD, and Red Hat.
    
    http://www.linuxsecurity.com/articles/forums_article-8615.html
    
    
    OSVDB: An Independent and Open Source Vulnerability Database
    
    This article outlines the origins, purpose, and future of the Open Source
    Vulnerability Database project. We also talk with Tyler Owen, a major
    contributor.
    
    http://www.linuxsecurity.com/feature_stories/feature_story-156.html
    
    ---
    
    Guardian Digital Customers Protected From Linux Kernel Vulnerability
    As a result of the planning and secure design of EnGarde Secure Linux, the
    company's flagship product, Guardian Digital customers are securely
    protected from a vulnerability that led to the complete compromise of
    several high-profile open source projects, including those belonging to
    the Debian Project.
    
    http://www.linuxsecurity.com/feature_stories/feature_story-155.html
    
    
    -->  Take advantage of the LinuxSecurity.com Quick Reference Card!
    -->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf
    
    +---------------------+
    | Host Security News: | <<-----[ Articles This Week ]-------------
    +---------------------+
    
    * Phishing Attacks Increase Fourfold
    December 26th, 2003
    
    E-mail phishing attacks jumped over 400 percent during the holidays,
    according to an analysis released Wednesday of scams reported to
    clearinghouse Anti-Phishing.org.  Phishing, the term used to describe
    malignant e-mail posing as legitimate messages from banks, retailers, and
    credit card companies, soared in November and December as scammers took
    advantage of the holiday rush to try to trick users into divulging
    personal and financial information.
    
    http://www.linuxsecurity.com/articles/host_security_article-8618.html
    
    
    * Reflecting On Linux Security In 2003
    December 24th, 2003
    
    When it comes to 2003 I think we can call it "the year of the patch" with
    the security community paying close attention to what is patched in what
    period of time. In an interesting column about security fixes,
    SecurityFocus columnist Hal Flynn notes that he doesn't understand why
    Linux vendors that put so much time and money into creating security
    patches distribute them for free.
    
    http://www.linuxsecurity.com/articles/host_security_article-8607.html
    
    
    * Progeny Transition Service
    December 23rd, 2003
    
    Beginning January 1, 2004, Progeny will offer software updates for users
    of Red Hat Linux 7.2, 7.3, and 8.0, with support for 9 starting May 1,
    2004. This service is based on Progeny's Platform Services technology and
    will provide a flexible migration path for RHL subscribers.
    
    http://www.linuxsecurity.com/articles/vendors_products_article-8599.html
    
    
    +------------------------+
    | Network Security News: |
    +------------------------+
    
    * Network Monitoring with Ethereal
    December 25th, 2003
    
    We all hope that our networks just do what they are supposed to but that
    often is not the case. Two systems that should talk to each other, don't;
    a network becomes saturated with traffic for no apparent reason; you need
    to know what some non-Linux device is doing. Ethereal may be the tool that
    saves the day.
    
    http://www.linuxsecurity.com/articles/network_security_article-8613.html
    
    
    * OpenSSL gets FIPS certification
    December 24th, 2003
    
    The National Institute of Standards and Technology has approved an
    open-source library of encryption algorithms for use on sensitive
    government networks, the Open Source Software Institute announced this
    month.
    
    http://www.linuxsecurity.com/articles/server_security_article-8609.html
    
    
    * The Survivor's Guide to 2004: Security
    December 22nd, 2003
    
    A spate of new security products promises to ward off every evil from spam
    to worms. But even while the IT security field has mushroomed, most of the
    products are either evolutionary, adding new features, or existing
    concepts under a new guise.
    
    http://www.linuxsecurity.com/articles/documentation_article-8595.html
    
    
    * SSL VPN Gateways: A New Approach to Secure Remote Access
    December 22nd, 2003
    
    Security is the cornerstone of any remote-access implementation; it is
    axiomatic that good security is easily managed security. SSL VPN
    appliances can quickly integrate into the network, providing companies
    with a rapid-deployment solution without modifications or interruptions to
    existing application servers and security mechanisms.
    
    http://www.linuxsecurity.com/articles/network_security_article-8586.html
    
    
    +------------------------+
    | General Security News: |
    +------------------------+
    
    * Pandora's Box is open
    December 26th, 2003
    
    I can't count how many times I've heard experts fault organizations for
    bending to the need to turn a profit by going live first and only trying
    to build security into their applications later. But, really, we're all
    guilty. The moment we decided to favor the benefits of the internet, we
    accepted its weaknesses by default, relegating security to the bottom of
    our priority lists.
    
    http://www.linuxsecurity.com/articles/general_article-8626.html
    
    
    * Updated Guides for Mapping Types of Information and Information
    Systems to Security Categories
    December 26th, 2003
    
    NIST has completed the first draft of NIST Special Publication 800-60,
    Guide for Mapping Types of Information and Information Systems to Security
    Categories. The purpose of the draft guideline is to assist Federal
    government agencies in identifying information types and information
    systems and assigning impact levels for confidentiality, integrity, and
    availability.
    
    http://www.linuxsecurity.com/articles/documentation_article-8616.html
    
    
    * Security Awareness Tip: Continuity
    December 26th, 2003
    
    Continuity is a key component to the success of any business. Single
    points of failure are a threat to continuity. Business depends on its
    employees to complete their duties. It also needs a reliable supply of
    goods and services. Its phone and IT systems must be highly available.
    Each employee must address continuity.
    
    http://www.linuxsecurity.com/articles/security_sources_article-8624.html
    
    
    * How do you stop the threat from within?
    December 26th, 2003
    
    Just ten years ago, security professionals had almost total control over
    what end-users ran on their computers. Today, the IT landscape looks very
    different and leading analysts and security experts are warning companies
    that, no matter what perimeter defenses and technologies they might
    implement, the biggest threat lies within the company - the system users,
    the human beings.
    
    http://www.linuxsecurity.com/articles/network_security_article-8619.html
    
    
    * Oh Dan Geer, where art thou?
    December 23rd, 2003
    
    As a scientist, one idea Geer hopes to pursue is studying file use on a
    statistical basis for live times and transit patterns, perhaps to be able
    to detect anomalies. Geer earlier was on the Verdasys board of advisors,
    which also includes Bob Blakley, chief scientist for security and privacy
    at IBM Tivoli Software and Dennis Devlin, vice president and chief
    security officer at Thomson Corp. The privately funded company was started
    earlier this year by its CEO Seth Birnbaum.
    
    http://www.linuxsecurity.com/articles/forums_article-8597.html
    
    
    * Terminating a systems administrator
    December 22nd, 2003
    
    Perhaps one of the most challenging situations in an IT organisation is to
    let a systems administrator go. This individual has the proverbial keys to
    the kingdom as a trusted member of your corporate team. If the time comes
    to part ways, it's imperative to do a thorough job of removing the
    employee's physical and logical access to your network and facilities.
    
    http://www.linuxsecurity.com/articles/server_security_article-8594.html
    
    
    * Security Best Practices Should Come Top Down
    December 22nd, 2003
    
    The federal government should leverage its legislative and purchasing
    power to force rapid improvement in the state of operating system and
    application security and quality. And it must quickly do a better job
    setting itself up as a model of IT security, as called for in the
    government's plan to secure cyberspace.
    
    http://www.linuxsecurity.com/articles/government_article-8591.html
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    
         To unsubscribe email newsletter-request@private
             with "unsubscribe" in the subject of the message.
    ------------------------------------------------------------------------
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Dec 30 2003 - 09:55:18 PST