[ISN] Linux Security Week - March 14th 2005

From: InfoSec News (isn@private)
Date: Mon Mar 14 2005 - 23:09:50 PST

|  LinuxSecurity.com                         Weekly Newsletter        |
|  March 14th, 2005                           Volume 6, Number 11n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@private    |
|                   Benjamin D. Thomas      ben@private     |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Digital
encryption standard flawed," "An Illustrated Guide to Cryptographic
Hashes," and "Will SELinux Become More Widely Adopted?"


This week, advisories were released for clamav, kernel, squid, kppp,
helixplayer, tzdata, libtool, firefox, ipsec-tools, dmraid, gaim,
libexif, gimp, yum, grip, libXpm, xv, ImageMagick, Hashcash, mlterm,
dcoidlng, curl, gftp, cyrus-imapd, unixODBC, and mc.  The distributors
include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, and



Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security'
series.  The topic explored is Linux file permissions.  It offers an
easy to follow explanation of how to read permissions, and how to set
them using chmod.  This guide is intended for users new to Linux
security and is therefore very simple.



The Tao of Network Security Monitoring: Beyond Intrusion Detection

The Tao of Network Security Monitoring is one of the most
comprehensive and up-to-date sources available on the subject. It
gives an excellent introduction to information security and the
importance of network security monitoring, offers hands-on examples
of almost 30 open source network security tools, and includes
information relevant to security managers through case studies,
best practices, and recommendations on how to establish training
programs for network security staff.



Encrypting Shell Scripts

Do you have scripts that contain sensitive information like
passwords and you pretty much depend on file permissions to keep
it secure?  If so, then that type of security is good provided
you keep your system secure and some user doesn't have a "ps -ef"
loop running in an attempt to capture that sensitive info (though
some applications mask passwords in "ps" output).




-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

| Security News:      | <<-----[ Articles This Week ]----------

* Researchers: Digital encryption standard flawed
  9th, March, 2005

In a three-page research note, three Chinese scientists -- Xiaoyun
Wang and Hongbo Yu of Shandong University and Yiqun Lisa Yin, a
visiting researcher at Princeton University -- stated they have found
a way to significantly reduce the time required to break an algorithm,
known as the Secure Hashing Algorithm, or SHA-1, widely used for
digital fingerprinting data files.  Other cryptographers who have
seen the document said that the results seemed to be genuine.


* Crypto suite supports Linux-based devices
  7th, March, 2005

Cryptography specialist Certicom has launched a security software
suite aimed at helping device makers create secure, Web-based user
interfaces based on elliptic curve cryptography. The Certicom
Security Architecture (CSA) for Embedded supports Linux, and includes
SSL, IPSec, PKI, DRM, and Embedded Trust Services.


* IBM releases Linux 2005 Software Evaluation Kit
  10th, March, 2005

This is the easiest way to get all of the fresh releases of IBM
middleware for Linux. Take a look at what you get.


* An Illustrated Guide to Cryptographic Hashes
  13th, March, 2005

With the recent news of weaknesses in some common security algorithms
(MD4, MD5, SHA-0), many are wondering exactly what these things are:
They form the underpinning of much of our electronic infrastructure,
and in this Guide we'll try to give an overview of what they are and
how to understand them in the context of the recent developments. But
note: though we're fairly strong on security issues, we are not
crypto experts. We've done our best to assemble (digest?) the best
available information into this Guide, but we welcome being pointed
to the errors of our ways.


* E-mail firewalls: A vital defense layer
  8th, March, 2005

The exponential rise in spam and e-mail-borne viruses has pushed
must-have network security layers beyond traditional firewalls and
intrusion-detection appliances. E-mail firewalls have emerged as a
complementary appliance for detecting and protecting against threats
in the inbound e-mail stream.


* Review: Astaro Security Linux 5.1
  9th, March, 2005

One of the more popular uses for Linux is as a router/firewall to
secure a local area network (LAN) against intruders and share an
Internet connection. Several specialized distributions have sprung up
to simplify this task. These range from small, diskette-based distros
like the Linux Router Project and FREESCO to larger systems requiring
a hard disk installation. Among the latter is Astaro Corp.'s Astaro
Security Linux (ASL) 5.1, which I recently reviewed as part of
ongoing research into content filtering products. ASL is an RPM-based
distribution that allows an administrator to easily turn an x86 PC or
server into a router/firewall appliance.


* Informix: the good news and the bad news
  9th, March, 2005

There is both good news and bad news for Informix users. The good
news is that Informix Dynamic Server (IDS) 10, which represents a
major new release of the database, is now available. The bad news is
that future versions of SAP (with NetWeaver) will no longer be
available on the Informix platform, with this support to be phased
out starting with the next SAP release.


* DNS-Based Phishing Attacks on The Rise
  8th, March, 2005

Phishing fraudsters are using a pair of DNS exploits to help give
them the illusion of credible domains, the latest ploy to dupe people
into handing over their sensitive information.


* HITBSecConf2004: Conference Videos Released
  7th, March, 2005

We are proud to announce the immediate availability of the Hack In
The Box Security Conference 2004 videos.


* Hosting Your Own Web Server: Things to Consider
  10th, March, 2005

When being your own web host you should be technically inclined and
have basic knowledge of operating systems, understand technical
terms, understand how to set up a server environment (such as: DNS,
IIS, Apache, etc.) have basic knowledge of scripting languages and
databases (PHP, Perl, MySQL, etc.), be familiar with current
technologies, and have a basic understanding of hardware and server


* OpenSSH 4.0 released
  9th, March, 2005

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.


* Novell's Linux desktop migration enters phase two
  10th, March, 2005

The Waltham, Massachusetts-based software vendor's Linux desktop
migration began in 2004 and overachieved on its phase-one goals, the
company's chief information officer, Debra Anderson told


* Alternative browser spyware infects IE
  13th, March, 2005

Some useful citizen has created an installer that will nail IE with
spyware, even if a surfer is using Firefox (or another alternative
browser) or has blocked access to the malicious site in IE
beforehand. The technique allows a raft of spyware to be served up to
Windows users in spite of any security measures that might be in
place. Christopher Boyd, a security researcher at Vitalsecurity.org,
said the malware installer was capable of working on a range of
browsers with native Java support. "The spyware installer is a Java
applet powered by the Sun Java Runtime Environment, which allows them
to whack most browsers out there, including Firefox, Mozilla,
Netscape and others.


* More-Secure Linux Still Needs To Win Users
  7th, March, 2005

The National Security Agency built a version of Linux with more
security tools that its technologists believe could help make the
country's computing infrastructure less vulnerable. They've won over
the Linux developer community with the changes. But success depends
on its adoption by U.S. companies and government agencies, something
that remains very much in doubt.


* Will SELinux Become More Widely Adopted?
  7th, March, 2005

"The National Security Agency built a version of Linux with more
security tools that its technologists believe could help make the
country's computing infrastructure less vulnerable. They've won over
the Linux developer community with the changes. But success depends
on its adoption by U.S. companies and government agencies, something
that remains very much in doubt. (ed: not to mention adoption by Joe
User, who is depending on his vendor to make this thing


* Nuclear cyber security debate hots up
  8th, March, 2005

Two companies that make digital systems for nuclear power plants have
come out against a government proposal that would attach cyber
security standards to plant safety systems.


* Sensible IT Security for Small Businesses
  8th, March, 2005

This is a frequent question asked by owners of small businesses
concerned about growing security threats infesting the Internet.


* Exploit Out For CA Bugs, Eval Users Also At Risk
  10th, March, 2005

Users of Computer Associates' products are now at an even greater
risk, a security firm said Wednesday, because exploit code has
appeared that takes advantage of vulnerabilities disclosed last week.


* Application protection
  11th, March, 2005

Teros Gateway, developed by Teros, digs deep. In contrast to a Layer
3 or 4 firewall that may only identify problems in the primitive
transport layers of the IP stack, Teros Gateway will dissect outgoing
and incoming packets to examine compliance with security policies.
Although a firewall may detect anomalies such as a port scan or other
reconnaissance attempts, the Teros Gateway learns your critical
applications' normal behavior. Based on that information, it can
block any deviant behavior.


* Combating "Cardholder Not Present" Fraud
  13th, March, 2005

Of the security issues facing banks everywhere, prevention of card
fraud has always been a high priority, and is set to grow even
further in importance. The level of card fraud has risen
significantly over recent years, caused in the main, by the explosion
in the number and usage of payment cards and the associated high
level of organised card crime activity. For example, over the past
decade, fraud losses on UK-issued plastic cards have risen from
96.8m to a staggering 402.4m a year. And these figures do not take
into account the soft costs related to card fraud, such as tarnish
to reputation and potential legal costs.


* Infection Vectors
  13th, March, 2005

The other day I was browsing through the top virus threats for
February and March 2005, looking at the assorted nastiness, when a
funny thought occurred to me: is it possible to pick a favorite virus
(or virus family)? I think it is. We can look at their innovations
and evolution with a source of envy, even if we universally despise
them all. All viruses are malicious, nasty little programs written by
misguided people. In my book, they are all manifestations of bad
intentions by programmers who are well on the road to becoming evil.
However... The best viruses are the ones that infect without any
human error or intervention at all. And most interesting to me are
the ones that innovate with new infection vectors.


* High Profile, Low Security
  13th, March, 2005

I'll tell you a secret. If you're looking for a security consultant
during the day and he's not in the office, you might find him in a
neighborhood coffee shop consuming large doses of caffeine, and using
a laptop with wireless net access. It's nice to people watch, catch
up on the news, review technical articles and yes, even work, while
enjoying that magic elixir (coffee) thanks to the wonders of WiFi. I
find it a great way to take a break. You can imagine my
disappointment early last week when I swung by one of my favorite
haunts, grabbed a latte, opened up a terminal and watched my SSH
attempt fail. Shoot -- their Internet connection must be down.


* Reliability and availability: What's the difference?
  13th, March, 2005

How do you design a computing system to provide continuous service
and to ensure that any failures interrupting service do not result in
customer safety issues or loss of customers due to dissatisfaction?
Historically, system architects have taken two approaches to answer
this question: building highly reliable, fail-safe systems with low
probability of failure, or building mostly reliable systems with
quick automated recovery. The RAS (Reliability, Availability,
Serviceability) concept for system design integrates concepts of
design for reliability and for availability along with methods to
quickly service systems that can't be recovered automatically.


* 'Highly critical' security bugs listed for Linux products
  13th, March, 2005

Information about several vulnerabilities in Linux and Linux-based
applications that are deemed to be "highly critical" was recently
posted on the security Web site Secunia.com. Debian was cited as a
system with operating system vulnerabilities that could be exploited.
Meanwhile, users running RealNetworks' open-source Helix browser, the
open-source phpWebSite manager utility, as well as users with a
network backup product from Arkeia, were warned of software flaws
that could leave systems potentially open to attack.


* The National Security Agency Declassified
  13th, March, 2005

Internet wiretapping mixes "protected" and targeted messages, Info
Age requires rethinking 4th Amendment limits and policies, National
Security Agency told Bush administration. "Transition 2001" report
released through FOIA, highlights collection of declassified NSA
documents posted on Web by National Security Archive, GWU. National
Security Archive Electronic Briefing Book No. 24.


* Hacked data boots identity theft to critical issue
  11th, March, 2005

The computer breach at consumer data broker Seisint raised identity
theft in the United States to crisis proportions Thursday, a day
after the second major data broker disclosed that its database
containing a plethora of private information on virtually every
American was compromised.


* Online Banking Industry Very Vulnerable to Cross-Site Scripting
  13th, March, 2005

Phishing attacks reported by members of the Netcraft Toolbar
community show that many large banks are neglecting to take
sufficient care with the development and testing of their online
banking facilities.

Distributed by: Guardian Digital, Inc.                LinuxSecurity.com


This archive was generated by hypermail 2.1.3 : Tue Mar 15 2005 - 04:48:43 PST