+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| August 15th, 2005 Volume 6, Number 34n |
| |
| Editorial Team: Dave Wreski dave@private |
| Benjamin D. Thomas ben@private |
+---------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, perhaps the most interesting articles include "Real World
Open Source: Security," "Why the computing world chose PKI,"Dump Your
DMZ," and "OS exploits are old hat."
---
## Internet Productivity Suite: Open Source Security ##
Trust Internet Productivity Suite's open source architecture to
give you the best security and productivity applications available.
Collaborating with thousands of developers, Guardian Digital
security engineers implement the most technologically advanced
ideas and methods into their design.
Click to find out more!
http://store.guardiandigital.com/html/eng/products/software/ips_overview.shtml
---
LINUX ADVISORY WATCH
This week, advisories were released for yaboot, ttmkfdir, Netpbm,
ruby, squirrelmail, sysreport, xpdf, kdegraphics, cups, ucd-snmp,
gaim, ethereal, and gpdf. The distributors include Fedora, Gentoo,
and Red Hat.
http://www.linuxsecurity.com/content/view/120075/150/
---
Hacks From Pax: PHP Web Application Security
By: Pax Dickinson
Today on Hacks From Pax we'll be discussing PHP web application
security. PHP is a great language for rapidly developing web
applications, and is very friendly to beginning programmers, but
some of its design can make it difficult to write web apps that
are properly secure. We'll discuss some of the main security
"gotchas" when developing PHP web applications, from proper
user input sanitization to avoiding SQL injection
vulnerabilities.
http://www.linuxsecurity.com/content/view/120043/49/
---
Network Server Monitoring With Nmap
Portscanning, for the uninitiated, involves sending connection requests
to a remote host to determine what ports are open for connections and
possibly what services they are exporting. Portscanning is the first step
a hacker will take when attempting to penetrate your system, so you should
be preemptively scanning your own servers and networks to discover
vulnerabilities before someone unfriendly gets there first.
http://www.linuxsecurity.com/content/view/119864/150/
---
>> The Perfect Productivity Tools <<
WebMail, Groupware and LDAP Integration provide organizations with
the ability to securely access corporate email from any computer,
collaborate with co-workers and set-up comprehensive addressbooks to
consistently keep employees organized and connected.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------+
| Security News: | <<-----[ Articles This Week ]----------
+---------------------+
* Why the computing world chose PKI
11th, August, 2005
In Phil Zimmermann's response to "Does Phil Zimmermann need a clue on
VoIP", Zimmermann offered a blistering attack on PKI based solutions
and offered his own PGP solution as the superior alternative. There
is just one little problem: the computing world chose PKI for the
most part while PGP barely makes a dent in the email
world.
http://www.linuxsecurity.com/content/view/120064
* OSSEC v0.2 Available
12th, August, 2005
OSSEC HIDS is a self-contained system for Host-based intrusion
detection. It performs log extraction, integrity checking and health
monitoring. All this information is correlated and analyzed by a
single engine, creating a very powerfull detection tool.
http://www.linuxsecurity.com/content/view/120079
* Dump Your DMZ!
9th, August, 2005
DMZs (short for demilitarized zones) have been a standard component
of network design ever since firewalls were invented. A DMZ is a
network segment that contains all resources, such as Web servers and
mail servers, accessible from the Internet. Implementing a DMZ allows
you to limit network traffic from the Internet to these resources in
the DMZ, while preventing any network traffic from the Internet to
your internal network. As a general rule, a DMZ server should never
contain any valuable data, so even if someone managed to break into a
server in the DMZ, the damage would be
minor.
http://www.linuxsecurity.com/content/view/120047
* OS exploits are 'old hat'
9th, August, 2005
Security issues involving Cisco kit highlighted in Michael Lynn.s
presentation at Black Hat are characteristic of networking vendors in
general. Cisco is just the most visible of these vendors to target as
hackers raise their sights from attacking operating systems towards
attacking network infrastructure and database systems, security
researchers warn.
http://www.linuxsecurity.com/content/view/120048
* Real World Open Source: Security
12th, August, 2005
Security breaches in software applications and networks are one of
the biggest threats organizations currently face. But unless you pack
your computers into boxes and go back to pencils, paper, and
typewriters, being mindful of electronic security is an unavoidable
reality and business expense. Because security vulnerabilities are
such a high stakes issue, the subject has become a political hot
potato between open source and commercial software advocates, with
each pointing a finger at the other. Some commercial software vendors
claim that their model promotes security while the open source model
weakens it; some open source developers claim the exact
opposite.
http://www.linuxsecurity.com/content/view/120077
* Red Hat bangs the security drum
9th, August, 2005
Red Hat has unveiled an initiative dubbed 'Security in a Networked
World' at the LinuxWorld tradeshow in San Francisco.
As part of the programme, the Linux vendor showcased its Red Hat
Certificate System that allows organisations to manage security
certificates used to sign emails, or authenticate users for online
banking applications. It also supports authentication through the use
of smartcards.
http://www.linuxsecurity.com/content/view/120046
* Linux Providers Partner To Address Security And Support
10th, August, 2005
Companies that sell software and hardware around the Linux
open-source operating system have known for some time that they've
tapped into a gold mine, an area of the IT market with plenty of
customer interest and enormous growth potential. The growth will
continue as long as Linux and other open-source software are
considered secure and are sold and serviced as bundles rather than as
individual products.
http://www.linuxsecurity.com/content/view/120057
* Is Firefox's Notification Lag Necessary?
11th, August, 2005
In a previous post about Firefox I proposed that the lack of
automatic deployment of Firefox software updates is a disservice to
the vast majority of Firefox users who may not bother to check in for
updates. Today I found out another interesting tidbit: the Mozilla
Foundation doesn't turn on Firefox's automatic notification feature
for several hours after a new Firefox version is available.
http://www.linuxsecurity.com/content/view/120063
* LinuxWorld Focus Turns to Security
8th, August, 2005
Looking to counter Microsoft Corp.'s claims of security superiority,
open-source software vendors are giving the battle against
vulnerabilities top billing at this week's LinuxWorld Conference &
Expo in San Francisco.
http://www.linuxsecurity.com/content/view/120044
* Security still underfunded
8th, August, 2005
Companies and governments secure their networks because they have
massive financial resources, intellectual property and assets that
need protection. Security for most companies, particularly the
Fortune 100, does not exist in a vacuum -- most do something other
than make hardware or software for their customers. Spending on
security is up dramatically over where it was five years ago, but
it's still much lower than it needs to be. Why? Because we're losing
the battle.
http://www.linuxsecurity.com/content/view/120045
* A CSO's Guide to the World
10th, August, 2005
I'm usually not one who gets into bumper sticker logic, but I like
the idea of a CSO acting globally but thinking locally. By that I
mean a CSO needs to devise and enforce global security policies, but
also put some thought into how those policies will be implemented
locally around the world. Otherwise, variations in national customs
and culture can short-circuit even the most well-intentioned security
policies.
http://www.linuxsecurity.com/content/view/120058
* Torvalds: How to Keep Linux Kernel on Course
10th, August, 2005
The rapid pace of Linux development appeared to hit a roadblock last
year with the industry's decision to forestall development of the
Linux 2.7 kernel. Linux vendors and developers wondered if tweaking a
single, stable 2.6 kernel could work in practice.
http://www.linuxsecurity.com/content/view/120059
* GPL3 first public draft due early 2006
10th, August, 2005
The first draft of the next version of the General Public License
should be released for public comments in early 2006, according to a
key player in the effort to modernize the foundation of the free and
open-source programming movements.
http://www.linuxsecurity.com/content/view/120060
* Open-source allies go on patent offensive
11th, August, 2005
Two Linux allies are taking a leaf out of their opponents' book as
they try to prevent software patents from putting a crimp in open
source.
Red Hat will finance outside programmers' efforts to obtain patents
that may be used freely by open-source developers, the top Linux
seller said Tuesday at the LinuxWorld Conference and Expo here. At
the same time, the Open Source Developer Labs launched a patent
commons project, which will provide a central list of patents that
have been donated to the collaborative programming community.
http://www.linuxsecurity.com/content/view/120065
* E-mail wiretap case can proceed, court says
12th, August, 2005
In a closely watched case governing Internet privacy, a federal
appeals court has reinstated a criminal case against an e-mail
provider accused of violating wiretap laws.
The 1st Circuit Court of Appeals, in a 5-2 vote, ruled on Thursday
that an e-mail provider who allegedly read correspondence meant for
his customers could be tried on federal criminal charges.
http://www.linuxsecurity.com/content/view/120078
* Sean Moshir on Wireless Security and Compliance
8th, August, 2005
In this interview, Sean Moshir, PatchLink Chief Executive Officer
discusses security patching, vulnerability and compliancy management
for wireless phones and PDA devices and talks about the current state
and future of wireless security in the enterprise.
http://www.linuxsecurity.com/content/view/120029
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email newsletter-request@private
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
_________________________________________
Attend ToorCon
Sept 16-18th, 2005
Convention Center
San Diego, California
www.toorcon.org
This archive was generated by hypermail 2.1.3 : Mon Aug 15 2005 - 23:32:49 PDT