+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  December 29th, 2003                          Volume 4, Number 52n  |
|                                                                     |
|  Editorial Team:  Dave Wreski                 dave@private          |
|                   Benjamin Thomas             ben@private           |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Reflecting On
Linux Security In 2003," "Network Monitoring with Ethereal,"
"Terminating a Systems Administrator," and "Security Best Practices
Should Come Top Down."

---

>> Get Thawte's NEW Step-by-Step SSL Guide for Apache <<

In this guide you will find out how to test, purchase, install and use a
Thawte Digital Certificate on your Apache web server. Throughout, best
practices for set-up are highlighted to help you ensure efficient ongoing
management of your encryption keys and digital certificates.

Get your copy of this new guide now:
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=thawte29

---

LINUX ADVISORY WATCH:

This week, advisories were released for ethereal, XFree86, BIND, and
apache. The distributors include Fedora, Mandrake, NetBSD, and Red Hat.
http://www.linuxsecurity.com/articles/forums_article-8615.html

OSVDB: An Independent and Open Source Vulnerability Database

This article outlines the origins, purpose, and future of the Open Source
Vulnerability Database project. Also, we talk with Tyler Owen, a major
contributor.
http://www.linuxsecurity.com/feature_stories/feature_story-156.html

---

Guardian Digital Customers Protected From Linux Kernel Vulnerability

As a result of the planning and secure design of EnGarde Secure Linux,
the company's flagship product, Guardian Digital customers are securely
protected from a vulnerability that led to the complete compromise of
several high-profile open source projects, including those belonging to
the Debian Project.
http://www.linuxsecurity.com/feature_stories/feature_story-155.html

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]-------------
+---------------------+

* Phishing Attacks Increase Fourfold
December 26th, 2003

E-mail phishing attacks jumped over 400 percent during the holidays,
according to an analysis released Wednesday of scams reported to
clearinghouse Anti-Phishing.org. Phishing, the term used to describe
malignant e-mail posing as legitimate messages from banks, retailers, and
credit card companies, soared in November and December as scammers took
advantage of the holiday rush to try to trick users into divulging
personal and financial information.
http://www.linuxsecurity.com/articles/host_security_article-8618.html

* Reflecting On Linux Security In 2003
December 24th, 2003

When it comes to 2003 I think we can call it "the year of the patch"
with the security community paying close attention to what is patched in
what period of time. In an interesting column about security fixes,
SecurityFocus columnist Hal Flynn notes that he doesn't understand why
Linux vendors that put so much time and money into creating security
patches distribute them for free.
http://www.linuxsecurity.com/articles/host_security_article-8607.html

* Progeny Transition Service
December 23rd, 2003

Beginning January 1, 2004, Progeny will offer software updates for users
of Red Hat Linux 7.2, 7.3, and 8.0, with support for 9 starting May 1,
2004. This service is based on Progeny's Platform Services technology and
will provide a flexible migration path for RHL subscribers.
http://www.linuxsecurity.com/articles/vendors_products_article-8599.html

+------------------------+
| Network Security News: |
+------------------------+

* Network Monitoring with Ethereal
December 25th, 2003

We all hope that our networks just do what they are supposed to, but that
often is not the case. Two systems that should talk to each other don't;
a network becomes saturated with traffic for no apparent reason; you need
to know what some non-Linux device is doing. Ethereal may be the tool
that saves the day.
http://www.linuxsecurity.com/articles/network_security_article-8613.html

* OpenSSL gets FIPS certification
December 24th, 2003

The National Institute of Standards and Technology has approved an
open-source library of encryption algorithms for use on sensitive
government networks, the Open Source Software Institute announced this
month.
http://www.linuxsecurity.com/articles/server_security_article-8609.html

* The Survivor's Guide to 2004: Security
December 22nd, 2003

A spate of new security products promises to ward off every evil from
spam to worms. But even while the IT security field has mushroomed, most
of the products are either evolutionary, adding new features, or existing
concepts under a new guise.
http://www.linuxsecurity.com/articles/documentation_article-8595.html

* SSL VPN Gateways: A New Approach to Secure Remote Access
December 22nd, 2003

Security is the cornerstone of any remote-access implementation; it is
axiomatic that good security is easily managed security. SSL VPN
appliances can quickly integrate into the network, providing companies
with a rapid-deployment solution without modifications or interruptions
to existing application servers and security mechanisms.
http://www.linuxsecurity.com/articles/network_security_article-8586.html

+------------------------+
| General Security News: |
+------------------------+

* Pandora's Box is open
December 26th, 2003

I can't count how many times I've heard experts fault organizations for
bending to the need to turn a profit by going live first and only trying
to build security into their applications later. But, really, we're all
guilty. The moment we decided to favor the benefits of the internet, we
accepted its weaknesses by default, relegating security to the bottom of
our priority lists.
http://www.linuxsecurity.com/articles/general_article-8626.html

* Updated Guides for Mapping Types of Information and Information
  Systems to Security Categories
December 26th, 2003

NIST has completed the first draft of NIST Special Publication 800-60,
Guide for Mapping Types of Information and Information Systems to
Security Categories. The purpose of the draft guideline is to assist
Federal government agencies in identifying information types and
information systems and assigning impact levels for confidentiality,
integrity, and availability.
http://www.linuxsecurity.com/articles/documentation_article-8616.html

* Security Awareness Tip: Continuity
December 26th, 2003

Continuity is a key component to the success of any business. Single
points of failure are a threat to continuity. Business depends on its
employees to complete their duties. It also needs a reliable supply of
goods and services. Its phone and IT systems must be highly available.
Each employee must address continuity.
http://www.linuxsecurity.com/articles/security_sources_article-8624.html

* How do you stop the threat from within?
December 26th, 2003

Just ten years ago, security professionals had almost total control over
what end-users ran on their computers. Today, the IT landscape looks very
different, and leading analysts and security experts are warning
companies that, no matter what perimeter defenses and technologies they
might implement, the biggest threat lies within the company - the system
users, the human beings.
http://www.linuxsecurity.com/articles/network_security_article-8619.html

* Oh Dan Geer, where art thou?
December 23rd, 2003

As a scientist, one idea Geer hopes to pursue is studying file use on a
statistical basis for live times and transit patterns, perhaps to be able
to detect anomalies. Geer earlier was on the Verdasys board of advisors,
which also includes Bob Blakley, chief scientist for security and privacy
at IBM Tivoli Software, and Dennis Devlin, vice president and chief
security officer at Thomson Corp. The privately funded company was
started earlier this year by its CEO Seth Birnbaum.
http://www.linuxsecurity.com/articles/forums_article-8597.html

* Terminating a systems administrator
December 22nd, 2003

Perhaps one of the most challenging situations in an IT organisation is
to let a systems administrator go. This individual has the proverbial
keys to the kingdom as a trusted member of your corporate team. If the
time comes to part ways, it's imperative to do a thorough job of removing
the employee's physical and logical access to your network and
facilities.
http://www.linuxsecurity.com/articles/server_security_article-8594.html

* Security Best Practices Should Come Top Down
December 22nd, 2003

The federal government should leverage its legislative and purchasing
power to force rapid improvement in the state of operating system and
application security and quality. And it must quickly do a better job
setting itself up as a model of IT security, as called for in the
government's plan to secure cyberspace.
http://www.linuxsecurity.com/articles/government_article-8591.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request@private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@private with 'unsubscribe isn'
in the BODY of the mail.
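The "Terminating a systems administrator" item above stresses removing the departed admin's logical access thoroughly. The script below is an added example (it is not from the newsletter or from the article it summarises) of the kind of offboarding audit that makes "thorough" checkable: it walks the places where an administrator's access usually lingers on a Linux host (the passwd and group files, authorized_keys files, sudoers, and per-user crontabs) and returns the number of findings, so a zero exit status means nothing is left to revoke. The file locations are the conventional ones for Red Hat and Debian style systems; the sample filesystem it builds under a temporary directory is constructed for the demonstration, and the account names in it are fictitious.

```shell
#!/bin/sh
# Offboarding audit for a departed account (added example, not from the
# newsletter). audit_user USER [ROOT] prints one FINDING line per place
# the account still has access and returns the number of findings.
# ROOT is a prefix so the check can run against a copy of the files;
# leave it empty to audit the live system (reading sudoers and crontabs
# then needs root).

audit_user() {
    user="$1"
    root="$2"
    hits=0

    # 1. Local account still defined?
    if [ -f "$root/etc/passwd" ] && grep -q "^$user:" "$root/etc/passwd"; then
        echo "FINDING: $user still has an entry in /etc/passwd"
        hits=$((hits + 1))
    fi

    # 2. Still a member of any group (wheel, sudo, adm, ...)? The member
    #    list is the fourth field, so the name must follow a ':' or ','
    #    and be followed by ',' or end of line.
    if [ -f "$root/etc/group" ] && grep -qE ":(.*,)?$user"'(,|$)' "$root/etc/group"; then
        echo "FINDING: $user is still listed as a group member in /etc/group"
        hits=$((hits + 1))
    fi

    # 3. SSH keys planted in any authorized_keys file. Key comments
    #    conventionally carry user@host, which is what is matched here;
    #    an untagged key needs a manual review of the file.
    for f in "$root/root/.ssh/authorized_keys" "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        if grep -qw -- "$user" "$f"; then
            echo "FINDING: ${f#$root} contains a key tagged with $user"
            hits=$((hits + 1))
        fi
    done

    # 4. sudo rules granted directly to the user.
    for f in "$root/etc/sudoers" "$root"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        if grep -qE "^[[:space:]]*$user[[:space:]]" "$f"; then
            echo "FINDING: ${f#$root} grants sudo rules to $user"
            hits=$((hits + 1))
        fi
    done

    # 5. Scheduled jobs that keep running after the password is locked.
    for f in "$root/var/spool/cron/crontabs/$user" "$root/var/spool/cron/$user"; do
        if [ -f "$f" ]; then
            echo "FINDING: crontab ${f#$root} still exists"
            hits=$((hits + 1))
        fi
    done

    return "$hits"
}

# Constructed sample filesystem: "alice" is a former admin whose access was
# only partly revoked, "bob" was removed everywhere. Nothing here is real.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/etc/sudoers.d" "$r/root/.ssh" "$r/home/deploy/.ssh" "$r/var/spool/cron/crontabs"
    printf 'root:x:0:0:root:/root:/bin/sh\nalice:x:1001:1001::/home/alice:/bin/sh\n' > "$r/etc/passwd"
    printf 'root:x:0:\nwheel:x:10:root,alice\nusers:x:100:alicea\n' > "$r/etc/group"
    printf 'ssh-rsa AAAAB3CONSTRUCTED alice@laptop\n' > "$r/root/.ssh/authorized_keys"
    printf 'ssh-rsa AAAAB3CONSTRUCTED deploy@ci\nssh-rsa AAAAB3CONSTRUCTED2 alice@laptop\n' > "$r/home/deploy/.ssh/authorized_keys"
    printf 'root ALL=(ALL) ALL\n' > "$r/etc/sudoers"
    printf 'alice ALL=(ALL) NOPASSWD: ALL\n' > "$r/etc/sudoers.d/ops"
    printf '0 * * * * /home/alice/bin/sync.sh\n' > "$r/var/spool/cron/crontabs/alice"
    echo "$r"
}

SAMPLE_ROOT=$(make_sample_root)
audit_user alice "$SAMPLE_ROOT" || echo "alice: $? item(s) still to revoke"
audit_user bob "$SAMPLE_ROOT" && echo "bob: fully offboarded"
```

On the sample tree the audit reports six findings for alice (the passwd entry, wheel membership, two planted SSH keys, a sudoers.d rule and a crontab) and none for bob; the "alicea" group member and the root sudo rule are deliberately present to show that the patterns match whole names only. Running processes, database accounts, VPN and badge systems are outside a file-based check and still need their own review.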
This archive was generated by hypermail 2b30 : Tue Dec 30 2003 - 09:55:18 PST