[ISN] Linux Security Week - July 5, 2004

From: InfoSec News (isn@private)
Date: Tue Jul 06 2004 - 02:33:20 PDT

|  LinuxSecurity.com                         Weekly Newsletter        |
|  July 5, 2004                           Volume 5, Number 27n        |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@private    |
|                   Benjamin Thomas         ben@private     |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Security: The
root of the problem", "Fighting Network threats with a Network Analyzer",
"Wireless endpoint security: Tie up the loose ends" and "Seven habits of
highly secure companies".

>>> Need to Secure Multiple Domain or Host Names?

Securing multiple domain or host names need not burden you with unwanted
administrative hassles. Learn more about how the cost-effective Thawte
Starter PKI program can streamline management of your digital
certificates. Click here to download our Free guide:



This week, advisories were released for apache, dhcp, kernel, mailman,
gzip, Pavuk, Esearch and libpng. The distributors include Debian, Fedora,
FreeBSD, Gentoo, Mandrake, Suse and Trustix.


Open Source Leaving Microsoft Sitting on the Fence?

The open source model, with special regard to Linux, has no doubt become a
formidable competitor to the once sole giant of the software industry,
Microsoft. It is expected when the market share of an industry leader
becomes threatened, retaliation with new product or service offerings and
marketing campaigns refuting the claims of the new found competition are
inevitable. However, in the case of Microsoft, it seems they have not
taken a solid or plausible position on the use of open source applications
as an alternative to Windows.



Interview with Brian Wotring, Lead Developer for the Osiris Project

Brian Wotring is currently the lead developer for the Osiris project and
president of Host Integrity, Inc.He is also the founder of knowngoods.org,
an online database of known good file signatures. Brian is the co-author
of Mac OS X Security and a long-standing member of the Shmoo Group, an
organization of security and cryptography professionals.



Guardian Digital Launches Next Generation Secure Mail Suite

Guardian Digital, the premier open source security company, announced the
availability of the next generation Secure Mail Suite, the industry's most
secure open source corporate email system. This latest edition has been
optimized to support the changing needs of enterprise and small business
customers while continually providing protection from the latest in email
security threats.



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

| Host Security News: | <<-----[ Articles This Week ]----------

* Another big Apache hole found
June 30th, 2004

Linux and Unix vendors are releasing fixes for a critical bug in the
popular Web server Apache that could allow attackers to crash the system
or execute malicious code. The bug affects Apache 1.3.x installations
configured to act as proxy servers, which relay requests between a Web
browser and the Internet.


* Security: The root of the problem
June 29th, 2004

It doesn't seem that a day goes by without someone announcing a critical
flaw in some crucial piece of software or other. Is software that bad? Are
programmers so inept? What the heck is going on, and why is the problem
getting worse instead of better? One distressing aspect of software
security is that we fundamentally don't seem to "get it."


* ISO endorses key security certification
June 29th, 2004

The International Standards Organization last week gave its stamp of
approval to the CISSP security certification for IT workers, and a
half-dozen security managers said the endorsement should help enhance the
certification's legitimacy and acceptance.


| Network Security News: |

* Fighting Network threats with a Network Analyzer
July 2nd, 2004

This article shows how a network analyzer, historically used for network
troubleshooting, can also be used to defend against the security threats.
Certain features of a network analyzer can be set to monitor for virus and
attack signatures and offer quick ways of isolating infected systems. For
those organizations that are looking to invest in a network analyzer there
are certain key features that should be considered.


* Cookie Path Best Practice
July 1st, 2004

Cookies provide a method for creating a stateful HTTP session and their
recommended use is formally defined within RFC2965 and BCP44. Although
they are used for many purposes, they are often used to maintain a Session
ID (SID), through which an individual user can be identified throughout
their interaction with the site. For a site that requires authentication,
this SID is typically passed to the user after they have authenticated and
effectively maintains the authentication state.


* 802.11 Wireless LAN Fundamentals - Book Review
June 30th, 2004

Wireless networks and technologies are no longer a new concept. The
freedom of flexibility, increase of productivity and the much sought-after
mobility are only few of the benefits that 802.11-based networks provide.
This appeals to the enterprise and home users to take the next step and
deploy a wireless network onto their network and business infrastructure.


* Wireless endpoint security: Tie up the loose ends
June 28th, 2004

Endpoint security transcends the use of personal firewalls and antivirus
software. Endpoint devices such as laptops, home-office and remote
desktops, and Internet-enabled handhelds are some of the biggest headache
sources for security managers.It's hard enough keeping your in-house
workstations and servers secure with up-to-date antivirus software and the
latest patches and updates.


| General Security News: |

* Usenix: Experts debate security through diversity
July 2nd, 2004

The sheer number of worms and viruses directed at Microsoft Corp.'s
Windows operating system and Internet Explorer browser have many in the
computer industry wondering whether the cyberworld would be more secure if
more users relied on alternatives to Microsoft's products. That
description appeared to fit about two-thirds of the few hundred system
administrators and engineers attending a debate between two prominent
security experts at the Usenix 2004 conference in Boston yesterday.


* E-Mail Snooping Ruled Permissible
July 1st, 2004

E-mail privacy suffered a serious setback on Tuesday when a court of
appeals ruled that an e-mail provider did not break the law in reading his
customers' communications without their consent. The First Court of
Appeals in Massachusetts ruled that Bradford C. Councilman did not violate
criminal wiretap laws when he surreptitiously copied and read the mail of
his customers in order to monitor their transactions.


* Seven habits of highly secure companies
June 30th, 2004

Companies, like the humans who make them run, are creatures of habit. Some
of those habits can make information systems more secure, rather than
less. There's no such thing as absolute security, of course. But the seven
best practices of highly secure companies are a standard against which
CEOs can measure their organizations.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request@private
         with "unsubscribe" in the subject of the message.

Help InfoSec News with a donation: http://www.c4i.org/donation.html

This archive was generated by hypermail 2.1.3 : Tue Jul 06 2004 - 08:56:36 PDT