+---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | March 14th, 2005 Volume 6, Number 11n | | | | Editorial Team: Dave Wreski dave@private | | Benjamin D. Thomas ben@private | +---------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, perhaps the most interesting articles include "Digital encryption standard flawed," " An Illustrated Guide to Cryptographic Hashes," "Will SELinux Become More Widely Adopted?" --- >> Enterprise Security for the Small Business << Never before has a small business productivity solution been designed with such robust security features. Engineered with security as a main focus, the Guardian Digital Internet Productivity Suite is the cost-effective solution small businesses have been waiting for. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07 --- LINUX ADVISORY WATCH This week, advisories were released for clamav, kernel, squid, kppp, helixplayer, tzdata, libtool, firefox, ipsec-tools, dmraid, gaim, libexif, gimp, yum, grip, libXpm, xv, ImageMagick, Hashcash, mlterm, dcoidlng, curl, gftp, cyrus-imapd, unixODBC, and mc. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE. http://www.linuxsecurity.com/content/view/118550/150/ --------------- Getting to Know Linux Security: File Permissions Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. http://www.linuxsecurity.com/content/view/118181/49/ --- The Tao of Network Security Monitoring: Beyond Intrusion Detection The Tao of Network Security Monitoring is one of the most comprehensive and up-to-date sources available on the subject. It gives an excellent introduction to information security and the importance of network security monitoring, offers hands-on examples of almost 30 open source network security tools, and includes information relevant to security managers through case studies, best practices, and recommendations on how to establish training programs for network security staff. http://www.linuxsecurity.com/content/view/118106/49/ --- Encrypting Shell Scripts Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output). http://www.linuxsecurity.com/content/view/117920/49/ -------- >> The Perfect Productivity Tools << WebMail, Groupware and LDAP Integration provide organizations with the ability to securely access corporate email from any computer, collaborate with co-workers and set-up comprehensive addressbooks to consistently keep employees organized and connected. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05 --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------+ | Security News: | <<-----[ Articles This Week ]---------- +---------------------+ * Researchers: Digital encryption standard flawed 9th, March, 2005 In a three-page research note, three Chinese scientists -- Xiaoyun Wang and Hongbo Yu of Shandong University and Yiqun Lisa Yin, a visiting researcher at Princeton University -- stated they have found a way to significantly reduce the time required to break a algorithm, known as the Secure Hashing Algorithm, or SHA-1, widely used for digital fingerprinting data files. Other cryptographers who have seen the document said that the results seemed to be genuine. http://www.linuxsecurity.com/content/view/118359 * Crypto suite supports Linux-based devices 7th, March, 2005 Cryptography specialist Certicom has launched a security software suite aimed at helping device makers create secure, Web-based user interfaces based on elliptic curve cryptography. The Certicom Security Architecture (CSA) for Embedded supports Linux, and includes SSL, IPSec, PKI, DRM, and Embedded Trust Services. http://www.linuxsecurity.com/content/view/118524 * IBM releases Linux 2005 Software Evaluation Kit 10th, March, 2005 This is the easiest way to get all of the fresh releases of IBM middleware for Linux. Take a look at what you get. http://www.linuxsecurity.com/content/view/118549 * An Illustrated Guide to Cryptographic Hashes 13th, March, 2005 With the recent news of weaknesses in some common security algorithms (MD4, MD5, SHA-0), many are wondering exactly what these things are: They form the underpinning of much of our electronic infrastructure, and in this Guide we'll try to give an overview of what they are and how to understand them in the context of the recent developments.But note: though we're fairly strong on security issues, we are not crypto experts. We've done our best to assemble (digest?) the best available information into this Guide, but we welcome being pointed to the errors of our ways. http://www.linuxsecurity.com/content/view/118560 * E-mail firewalls: A vital defense layer 8th, March, 2005 The exponential rise in spam and e-mail-borne viruses has pushed must-have network security layers beyond traditional firewalls and intrusion-detection appliances. E-mail firewalls have emerged as a complementary appliance for detecting and protecting against threats in the inbound e-mail stream. http://www.linuxsecurity.com/content/view/118530 * Review: Astaro Security Linux 5.1 9th, March, 2005 One of the more popular uses for Linux is as a router/firewall to secure a local area network (LAN) against intruders and share an Internet connection. Several specialized distributions have sprung up to simplify this task. These range from small, diskette-based distros like the Linux Router Project and FREESCO to larger systems requiring a hard disk installation. Among the latter is Astaro Corp.'s Astaro Security Linux (ASL) 5.1, which I recently reviewed as part of ongoing research into content filtering products. ASL is an RPM-based distribution that allows an administrator to easily turn an x86 PC or server into a router/firewall appliance. http://www.linuxsecurity.com/content/view/118539 * Informix: the good news and the bad news 9th, March, 2005 There is both good news and bad news for Informix users. The good news is that Informix Dynamic Server (IDS) 10, which represents a major new release of the database, is now available. The bad news is that future versions of SAP (with NetWeaver) will no longer be available on the Informix platform, with this support to be phased out starting with the next SAP release. http://www.linuxsecurity.com/content/view/118540 * DNS-Based Phishing Attacks on The Rise 8th, March, 2005 Phishing fraudsters are using a pair of DNS exploits to help give them the illusion of credible domains, the latest ploy to dupe people into handing over their sensitive information. http://www.linuxsecurity.com/content/view/118532 * HITBSecConf2004: Conference Videos Released 7th, March, 2005 We are proud to announce the immediate availability of the Hack In The Box Security Conference 2004 videos. http://www.linuxsecurity.com/content/view/118513 * Hosting Your Own Web Server: Things to Consider 10th, March, 2005 When being your own web host you should be technically inclined and have basic knowledge of operating systems, understand technical terms, understand how to setup a server environment (such as: DNS, IIS, Apache, etc.) have basic knowledge of scripting languages and databases (PHP, Perl, MySQL, etc.), be familiar with current technologies, and have a basic understanding of hardware and server components. http://www.linuxsecurity.com/content/view/118546 * OpenSSH 4.0 released 9th, March, 2005 OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. http://www.linuxsecurity.com/content/view/118541 * Novell's Linux desktop migration enters phase two 10th, March, 2005 The Waltham, Massachusetts-based software vendor's Linux desktop migration began in 2004 and overachieved on its phase-one goals, the company's chief information officer, Debra Anderson told ComputerWire. http://www.linuxsecurity.com/content/view/118545 * Alternative browser spyware infects IE 13th, March, 2005 Some useful citizen has created an installer that will nail IE with spyware, even if a surfer is using Firefox (or another alternative browser) or has blocked access to the malicious site in IE beforehand. The technique allows a raft of spyware to be served up to Windows users in spite of any security measures that might be in place. Christopher Boyd, a security researchers at Vitalsecurity.org, said the malware installer was capable of working on a range of browsers with native Java support. "The spyware installer is a Java applet powered by the Sun Java Runtime Environment, which allows them to whack most browsers out there, including Firefox, Mozilla, Netscape and others. http://www.linuxsecurity.com/content/view/118566 * More-Secure Linux Still Needs To Win Users 7th, March, 2005 The National Security Agency built a version of Linux with more security tools that its technologists believe could help make the country's computing infrastructure less vulnerable. They've won over the Linux developer community with the changes. But success depends on its adoption by U.S. companies and government agencies, something that remains very much in doubt. http://www.linuxsecurity.com/content/view/118511 * Will SELinux Become More Widely Adopted? 7th, March, 2005 "The National Security Agency built a version of Linux with more security tools that its technologists believe could help make the country's computing infrastructure less vulnerable. They've won over the Linux developer community with the changes. But success depends on its adoption by U.S. companies and government agencies, something that remains very much in doubt. (ed: not to mention adoption by Joe User, who is depending on his vendor to make this thing workable) http://www.linuxsecurity.com/content/view/118525 * Nuclear cyber security debate hots up 8th, March, 2005 Two companies that make digital systems for nuclear power plants have come out against a government proposal that would attach cyber security standards to plant safety systems. http://www.linuxsecurity.com/content/view/118529 * Sensible IT Security for Small Businesses 8th, March, 2005 This is a frequent question asked by owners of small businesses concerned about growing security threats infesting the Internet. http://www.linuxsecurity.com/content/view/118531 * Exploit Out For CA Bugs, Eval Users Also At Risk 10th, March, 2005 Users of Computer Associates' products are now at an even greater risk, a security firm said Wednesday, because exploit code has appeared that takes advantage of vulnerabilities disclosed last week. http://www.linuxsecurity.com/content/view/118547 * Application protection 11th, March, 2005 Teros Gateway, developed by Teros, digs deep. In contrast to a Layer 3 or 4 firewall that may only identify problems in the primitive transport layers of the IP stack, Teros Gateway will dissect outgoing and incoming packets to examine compliance with security policies. Although a firewall may detect anomalies such as a port scan or other reconnaissance attempts, the Teros Gateway learns your critical applications' normal behavior. Based on that information, it can block any deviant behavior. http://www.linuxsecurity.com/content/view/118551 * Combating "Cardholder Not Present" Fraud 13th, March, 2005 Of the security issues facing banks everywhere, prevention of card fraud has always been a high priority, and is set to grow even further in importance. The level of card fraud has risen significantly over recent years, caused in the main, by the explosion in the number and usage of payment cards and the associated high level of organised card crime activity. For example, over the past decade, fraud losses on UK-issued plastic cards have risen from 96.8m to a staggering 402.4m a year. And these figures do not take into account the soft costs related to card fraud, such as tarnish to reputation and potential legal costs. http://www.linuxsecurity.com/content/view/118559 * Infection Vectors 13th, March, 2005 The other day I was browsing through the top virus threats for February and March 2005, looking at the assorted nastiness, when a funny thought occurred to me: is it possible to pick a favorite virus (or virus family)? I think it is. We can look at their innovations and evolution with a source of envy, even if we universally despise them all. All viruses are malicious, nasty little programs written by misguided people. In my book, they are all manifestations of bad intentions by programmers who are well on the road to becoming evil. However... The best viruses are the ones that infect without any human error or intervention at all. And most interesting to me are the ones that innovate with new infection vectors. http://www.linuxsecurity.com/content/view/118561 * High Profile, Low Security 13th, March, 2005 I'll tell you a secret. If you're looking for a security consultant during the day and he's not in the office, you might find him in a neighborhood coffee shop consuming large doses of caffeine, and using a laptop with wireless net access. It's nice to people watch, catch up on the news, review technical articles and yes, even work, while enjoying that magic elixir (coffee) thanks to the wonders of WiFi. I find it a great way to take a break. You can imagine my disappointment early last week when I swung by one of my favorite haunts, grabbed a latte, opened up a terminal and watched my SSH attempt fail. Shoot -- their Internet connection must be down. http://www.linuxsecurity.com/content/view/118562 * Reliability and availability: What's the difference? 13th, March, 2005 How do you design a computing system to provide continuous service and to ensure that any failures interrupting service do not result in customer safety issues or loss of customers due to dissatisfaction? Historically, system architects have taken two approaches to answer this question: building highly reliable, fail-safe systems with low probability of failure, or building mostly reliable systems with quick automated recovery. The RAS (Reliability, Availability, Serviceability) concept for system design integrates concepts of design for reliability and for availability along with methods to quickly service systems that can't be recovered automatically. http://www.linuxsecurity.com/content/view/118564 * 'Highly critical' security bugs listed for Linux products 13th, March, 2005 Information about several vulnerabilities in Linux and Linux-based applications that are deemed to be "highly critical" were recently posted on the security Web site Secunia.com. Debian was cited as a system with operating system vulnerabilities that could be exploited. Meanwhile, users running RealNetworks' open-source Helix browser, the open-source phpWebSite manager utility, as well as users with a network backup product from Arkeia, were warned of software flaws that could leave systems potentially open to attack. http://www.linuxsecurity.com/content/view/118565 * The National Security Agency Declassified 13th, March, 2005 Internet wiretapping mixes "protected" and targeted messages, Info Age requires rethinking 4th Amendment limits and policies, National Security Agency told Bush administration "Transition 2001" report released through FOIA, Highlights collection of declassified NSA documents Posted on Web by National Security Archive, GWU National Security Archive Electronic Briefing Book No. 24 http://www.linuxsecurity.com/content/view/118563 * Hacked data boots identity theft to critical issue 11th, March, 2005 The computer breach at consumer data broker Seisint raised identity theft in the United States to crisis proportions Thursday, a day after the second major data broker disclosed that its database containing a plethora of private information on virtually every American was compromised. http://www.linuxsecurity.com/content/view/118552 * Online Banking Industry Very Vulnerable to Cross-Site Scripting Frauds 13th, March, 2005 Phishing Attacks reported by members of the Netcraft Toolbar community show that many large banks are neglecting to take sufficient care with the development and testing of their online banking facilities. http://www.linuxsecurity.com/content/view/118567 ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email newsletter-request@private with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ _________________________________________ Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005
This archive was generated by hypermail 2.1.3 : Tue Mar 15 2005 - 04:48:43 PST