[ISN] Linux Security Week - July 26th 2004

From: InfoSec News (isn@private)
Date: Wed Jul 28 2004 - 00:49:21 PDT

|  LinuxSecurity.com                         Weekly Newsletter        |
|  July 26, 2004                           Volume 5, Number 30n       |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@private    |
|                   Benjamin Thomas         ben@private     |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "A consideration
of what it means to be secure", "Network security at risk from user
negligence, report says", "An eye opener on open source Internet security"
and "E-commerce attack is imminent, warn security experts".


 >> Bulletproof Virus Protection <<

Protect your network from costly security breaches with Guardian Digital's
multi-faceted security applications.  More then just an email firewall, on
demand and scheduled scanning detects and disinfects viruses found on the




This week, advisories were released for MMDF, Mozilla, kernel, php4,
webmin, samba, ethereal, l2tpd, mailman, httpd, libxml2, wv, php, Unreal,
Opera, mod_ssl and freeswan. The distributors include SCO Group,
Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, Slackware and Suse.



Security Expert Dave Wreski Discusses Open Source Security

LinuxSecurity.com editors have a seat with Dave Wreski, CEO of Guardian
Digital, Inc. and respected author of various hardened security and Linux
publications, to talk about how Guardian Digital is changing the face of
IT security today. Guardian Digital is perhaps best known for their
hardened Linux solution EnGarde Secure Linux, touted as the premier
secure, open-source platform for its comprehensive array of general
purpose services, such as web, FTP, email, DNS, IDS, routing, VPN,
firewalling, and much more.



Catching up with Wietse Venema, creator of Postfix and TCP Wrapper

Duane Dunston speaks at length with Wietse Venema on his current research
projects at the Thomas J. Watson Research Center, including his forensics
efforts with The Coroner's Toolkit. Wietse Venema is best known for the
software TCP Wrapper, which is still widely used today and is included
with almost all unix systems.  Wietse is also the author of the Postfix
mail system and the co-author of the very cool suite of utilities called
The Coroner's Toolkit or "TCT".



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

Top Articles This Week:

| Host Security News: | <<-----[ Articles This Week ]----------

* A consideration of what it means to be secure
July 23rd, 2004

Only the paranoid survive, and that is no less true when securing Linux=AE
systems as any other. Fortunately, a host of security features are built
into the kernel, are packaged with one of the many Linux distributions, or
are available separately as open source applications.


* Network security at risk from user negligence, report says
July 21st, 2004

Evans Data Corporation's just-published Security Development Survey found
that one in four developers believes that the biggest hurdle to computing
security is end users who refuse to adhere to, or circumvent, polices. In
the study, Evans found that "a quarter of developers found social
engineering and lack of adherence to policies to be the biggest problem,
while another 15 percent cite lack of qualified personnel."


* Developers Blame Users For Security Problems
July 21st, 2004

Users are the weak link in security and Linux is inherently more secure
than Windows, said developers polled by Evans Data in a survey released
Tuesday.  One in four developers think that the biggest hurdle to security
is end users refusing to adhere to polices, a nice way to pass the buck
for potentially-flawed code.


* Cryptography and the Open Source Security Debate
July 20th, 2004

I've been reading Bruce Schneier's Book on cryptography for the last
couple of days, and one of the main concepts in the text struck me as
interesting. One of the points of discussion when looking at the security
of a given algorithm is its exposure to scrutiny.


| Network Security News: |

* An eye opener on open source Internet security
July 26th, 2004

Opening the eyes of the private and public sectors to the pros and cons of
using open source software for Internet security is the SECRETS project,
which evaluated two protocols in a series of trials covering e-commerce,
mobile communications, network monitoring and intelligent networks.


* Best Practices For Securing Your WLAN
July 23rd, 2004

The steady growth of Wi-Fi in the enterprise demands that corporate IT
teams learn and adopt new security methodologies tailored to the unique
requirements and weaknesses of wireless networks. Network and security
staff must first evaluate a potentially confusing set of authentication
and encryption mechanisms to be used in the network.


* PHP Zaps Security Leaks
July 19th, 2004

The open-source PHP Group has released a fix for a pair of security holes
that could be exploited to execute arbitrary code on remote PHP servers.
The flaws affect PHP versions 4.3.7 and prior and version 5.0.0RC3 and
prior. The final version of PHP 5.0, which was released earlier this week,
is not affected.


| General Security News: |

* E-commerce attack is imminent, warn security experts
July 26th, 2004

A surge in internet scanning activity in the past week could indicate a
fresh wave of attacks on e-commerce servers, UK-based web services company
Netcraft warned.  The firm has detected a surge in scans of port 443, used
by Secure Sockets Layer (SSL), a technology designed for securely
transmitting financial data such as e-commerce transactions.


* Supporting development on demand: Open, cross-platform standards
July 22nd, 2004

In the coming days, we may reveal additional aspects of these claims that
don't reflect the facts. In any case, perhaps instead of creating yet more
FUD (fear, uncertainty, and decepti-- er, doubt) with such comments,
Microsoft would better serve the industry (and maybe even its own bottom
line) by redirecting its energies on minimizing the fearsome -- and real
-- vulnerabilities in its own products.


* E-mail security problems reported at Los Alamos National Lab
July 22nd, 2004

Security troubles continue at the Los Alamos National Laboratory, where
officials have confirmed that workers recently sent out an undisclosed
number of classified e-mails over a nonsecure e-mail system. The new
disclosure comes less than two weeks after the New Mexico-based lab
announced that two removable computer disks containing classified nuclear
weapons data were missing.


* Guest Editorial: Thoughts on secure operating systems
July 21st, 2004

Remarks attributed to Gene Spafford and Cynthia Irvine by the EE Times and
a marketing offensive by Green Hills against Linux don't provide an
accurate picture of software security issues for operating systems and, in
fact, add to the confusion.


* IRS admits security flaw
July 20th, 2004

Private contractors revamping IRS computers committed security violations
that significantly increased the possibility that private taxpayer
information might be disclosed, Treasury Department inspectors say.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request@private
         with "unsubscribe" in the subject of the message.

Help InfoSec News with a donation: http://www.c4i.org/donation.html

This archive was generated by hypermail 2.1.3 : Wed Jul 28 2004 - 02:17:49 PDT