[ISN] Linux Security Week - July 12, 2004

From: InfoSec News (isn@private)
Date: Tue Jul 13 2004 - 01:25:33 PDT

|  LinuxSecurity.com                         Weekly Newsletter        |
|  July 12, 2004                           Volume 5, Number 28n       |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@private    |
|                   Benjamin Thomas         ben@private     |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Windows vs.
Linux security: No unbiased reports", "Are You Prepared For Disaster?  Is
Your Data Really Protected?", "Automate backups on Linux" and "Surviving
Distributed Denial of Service Attacks"


>> Bulletproof Virus Protection <<

Protect your network from costly security breaches with Guardian Digital's
multi-faceted security applications.  More then just an email firewall, on
demand and scheduled scanning detects and disinfects viruses found on the



This week, advisories were released for webmin, pavuk, kernel, mailman,
rsync, Esearch, Apache, XFree86, libpng, Shorewall, tripwire and httpd.
The distributors include Debian, Fedora, FreeBSD, Gentoo, Mandrake, Red
Hat and Suse.



Catching up with Wietse Venema, creator of Postfix and TCP Wrapper

Wietse Venema is best known for the software TCP Wrapper, which is still
widely used today and is included with almost all unix systems.  Wietse is
also the author of the Postfix mail system and the co-author of the very
cool suite of utilities called The Coroner's Toolkit or "TCT".  He is
currently working at the Thomas J. Watson Research Center and he has
gratiously agreed to allow us to catch up with him and and see what he's
been up to lately.



Open Source Leaving Microsoft Sitting on the Fence?

The open source model, with special regard to Linux, has no doubt become a
formidable competitor to the once sole giant of the software industry,
Microsoft. It is expected when the market share of an industry leader
becomes threatened, retaliation with new product or service offerings and
marketing campaigns refuting the claims of the new found competition are
inevitable. However, in the case of Microsoft, it seems they have not
taken a solid or plausible position on the use of open source applications
as an alternative to Windows.



Interview with Brian Wotring, Lead Developer for the Osiris Project

Brian Wotring is currently the lead developer for the Osiris project and
president of Host Integrity, Inc.He is also the founder of knowngoods.org,
an online database of known good file signatures. Brian is the co-author
of Mac OS X Security and a long-standing member of the Shmoo Group, an
organization of security and cryptography professionals.



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

| Host Security News: | <<-----[ Articles This Week ]----------

* Windows vs. Linux security: No unbiased reports
July 12th, 2004

Forrester Research published a report last March that came to the unlikely
conclusion that Linux is no more secure than Windows. Last month, Danish
security firm Secunia compared security across operating systems and
concluded that Windows was more secure than many people think. Both
studies are easy to counter with a little research and common sense, but
that still leaves us without any meaningful third-party operating system
security assessment.


* Are You Prepared For Disaster? Is Your Data Really Protected?
July 7th, 2004

Whether it be hurricane, flood, fire or simply a member of staff
accidentally hitting the delete key, your company's data is constantly at
risk from being permanently wiped out. Companies need to ask themselves,
`Do we have the strategy in place to cope with a disaster?'


* HNS Audio Learning Session: SQL Injection Attacks
July 5th, 2004

SQL injection is a technique for exploiting web applications that use
client-supplied data in SQL queries without stripping potentially harmful
characters first. Despite being remarkably simple to protect against,
there is an astonishing number of production systems connected to the
Internet that are vulnerable to this type of attack.


| Network Security News: |

* Mozilla Patches Security Hole
July 9th, 2004

According to the Mozilla Foundation, the vulnerability was posted on
Thursday to Full Disclosure, a public security mailing list. The same day,
the foundation's security team confirmed the report and developed a fix.


* HNS Audio Learning Session: Digital Certificates Explained
July 9th, 2004

In this 3:43 minutes long audio learning session, Dr. Phillip
Hallam-Baker, Principle Scientist and Web Services Security Architect at
Verisign, talks about Public Key Cryptography and introduces the listeners
to the importance of digital certificates.


* 5 Steps to Setting Up a Wireless Network
July 8th, 2004

Wireless networks are becoming faster, more affordable and easier to adopt
than ever. Growing small businesses that have adopted a wireless solution
are already reporting immediate paybacks in higher productivity, flexible
application mobility and greater worker satisfaction.


* Securing the Mobile Real-Time Enterprise
July 8th, 2004

Mobile technologies have ushered in sweeping productivity gains at
enterprises across the globe. In many cases, they have been central to the
creation of the so-called "real-time enterprise." These same technologies,
however, have also increased enterprises' exposure to security risks that
are frequently underestimated or misunderstood.


* SSH Users beware: The hazards of X11 forwarding
July 6th, 2004

The last two articles have discussed the security model of X11, the guts
behind Linux window managers and all things graphical. Essentially, if you
can contact the X11 server process, you can do anything you want to it,
such as sniffing all keystrokes, dumping or manipulating windows, etc.


| General Security News: |

* Automate backups on Linux
July 12th, 2004

The loss of critical data can prove devastating. Still, millions of
professionals ignore backing up their data. While individual reasons vary,
one of the most common explanations is that performing routine backups can
be a real chore. Because machines excel at mundane and repetitive tasks,
the key to reducing the inherent drudgery and the natural human tendency
for procrastination, is to automate the backup process.


* The Allure and Curse of Complexity
July 8th, 2004

The Microsoft columnists have it easy. Scott Granneman wrote a great
article a few weeks back titled Time to Dump Internet Explorer, which (in
case you've been living in a cave for the past few weeks) talks about the
recent mass exploitation of some un-patched vulnerabilities in Internet


* INDUCE Act targets P2P application creators
July 7th, 2004

US Senator Orrin Hatch (R-UT), a long-time ally of the RIAA and MPAA, has
formally introduced the INDUCE Act to the US Senate Judiciary Committee.
Following in the footsteps of the Pirate Act, the INDUCE Act would give
the green light for copyright holders to sue the creators of peer-to-peer


* Hacker college
July 7th, 2004

"It's an amazing thing how insecure the big corporations are," said
Echemendia during a break in the weeklong seminar. "It's just amazing how
easy it is."  Hackers are believed to cost global businesses billions of
dollars every year, and the costs to defend against them are soaring.


* Surviving Distributed Denial of Service Attacks
July 6th, 2004

Distributed denial of service (DDoS) attacks aim to disrupt the service of
information systems by overwhelming the processing capacity of systems or
by flooding the network bandwidth of the targeted business. Recently,
these attacks have been used to deny service to commercial web sites that
rely on a constant Internet presence for their business.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request@private
         with "unsubscribe" in the subject of the message.

Help InfoSec News with a donation: http://www.c4i.org/donation.html

This archive was generated by hypermail 2.1.3 : Tue Jul 13 2004 - 03:03:22 PDT