[ISN] Linux Security Week - January 16th 2006

From: InfoSec News (isn@private)
Date: Mon Jan 16 2006 - 22:31:09 PST

|  LinuxSecurity.com                         Weekly Newsletter        |
|  January 16th, 2006                         Volume 7, Number 3n     |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@private    |
|                   Benjamin D. Thomas      ben@private     |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Advancing
Firewall Protection," "Five mistakes of vulnerability management,"
and "A Step-By-Step Guide to Computer Attacks and Effective Defenses."


Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you
can earn this esteemed degree, without disrupting your career or home




This week, advisories were released for hylafax, hal, poppler,
pdftohtml, libpaper, xpdf, gpdf, and apache2. The distributors
include Gentoo and Mandriva.



* EnGarde Secure Community 3.0.3 Released
  6th, December, 2005

Guardian Digital is happy to announce the release of EnGarde
Secure Community 3.0.3 (Version 3.0, Release 3). This release
includes several bug fixes and feature enhancements to the
Guardian Digital WebTool, the SELinux policy, and the LiveCD



Hacks From Pax: SELinux Administration

This week, I'll talk about how an SELinux system differs from a
standard Linux system in terms of administration. Most of what
you already know about Linux system administration will still
apply to an SELinux system, but there are some additions and
changes that are critical to understand when using SELinux.



Hacks From Pax: SELinux And Access Decisions

Hi, and welcome to my second of a series of articles on Security
Enhanced Linux. My previous article detailed the background of
SELinux and explained what makes SELinux such a revolutionary
advance in systems security. This week, we'll be discussing how
SELinux security contexts work and how policy decisions are made
by SELinux.

SELinux systems can differ based on their security policy, so
for the purposes of this article's examples I'll be using an
EnGarde Secure Linux 3.0 system, which by default uses a tightly
configured policy that confines every included application.



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

Security News:  [ Articles This Week ]

* Review: Advancing Firewall Protection
  9th, January, 2006

With more than one million users, U.K.-based SmoothWall's Firewall
may just be the most popular software firewall that has yet to become
a household name. Test Center engineers recently took a look at
products from SmoothWall to see what all the buzz is about and to see
exactly why one million users have chosen the product.


* A better VNC with FreeNX for remote desktop control
  9th, January, 2006

VNC is well-known for allowing the remote control of another desktop
machine via your own computer. For instance, using VNC you can easily
control your home PC from work, and vice versa. The problem with VNC
is that it's not overly secure and it can be quite slow, particularly
if you have a lot of fancy graphics or backgrounds on the remote
computer. Other solutions also exist for remote control of a GUI,
such as running X over ssh, proprietary tools like Apple's Remote
Desktop, etc., but they all tend to have the same drawbacks; they are
either insecure or tend to be slow.


* Hackers are ready for IPv6... are you?
  10th, January, 2006

One of the arguments for moving to version 6 of the Internet
Protocols is that it will offer more security.

This may well be true in the long run. But for the time being, IPv6
is likely to introduce more complexity and create more problems than
it solves.


* It's time to take IPS seriously
  13th, January, 2006

Fear unites us. We used to be afraid of network problems, such as
bandwidth and broken switches. Now we're afraid of the bad guys. Our
networks must be connected to the Internet, yet the Internet is a
cesspool of attackers constantly hammering on our defences, looking
for that chink in the armour. It's not just the Internet: we fear our
own users, lest their indispensable laptops acquire some vagrant
affliction while driving by a Starbucks Wi-Fi hot spot.


* Security flaws on the rise, questions remain
  11th, January, 2006

After three years of modest or no gains, the number of publicly
reported vulnerabilities jumped in 2005, boosted by easy-to-find bugs
in web applications. Yet, questions remain about the value of
analyzing current databases, whose data rarely correlates easily.

A survey of four major vulnerability databases found that the number
of flaws counted by each in the past five years differed
significantly. However, three of the four databases exhibited a
relative plateau in the number of flaws publicly disclosed in 2002
through 2004. And, every database saw a significant increase in their
count of the flaws disclosed in 2005.


* Five mistakes of vulnerability management
  12th, January, 2006

Vulnerability management is viewed by some as an esoteric security
management activity. Others see it as a simple process that needs to
be done with Microsoft Corp.'s monthly patch update. Yet another
group considers it a marketing buzzword made up by vendors.

This article will look at common mistakes that organizations make on
the path to achieving vulnerability management perfection, both in
process and technology areas.


* Linux Command Reference: Linux Shortcuts and Commands
  13th, January, 2006

This is a practical selection of the commands we use most often.
Press <Tab> to see the listing of all available commands (on your
PATH). On my small home system, it says there are 2595 executables on
my PATH. Many of these "commands" can be accessed from your
favourite GUI front-end (probably KDE or Gnome) by clicking on the
right menu or button. They can all be run from the command line.
Programs that require a GUI have to be run from a terminal opened
under a GUI.


* Apache shot with security holes
  9th, January, 2006

Companies running Apache and a PostgreSQL database are at risk from
serious Internet intrusion.

Red Hat warned of a flaw late last week in mod_auth_pgsql, an Apache
module that allows authentication against information in popular
open-source database PostgreSQL.


* Novell delivers security shield for Linux computers
  10th, January, 2006

Novell plans to release software on Tuesday that is designed to make
it harder for new attacks to compromise existing Linux-based

The software, called AppArmor, is one of several products in the
security realm based on the idea of mandatory access controls. The
technology limits a running software program's privileges only to
those absolutely necessary.


* A Step-By-Step Guide to Computer Attacks and Effective Defenses
  9th, January, 2006

Five years after writing one of the original books in the hack attack
and countermeasures genre of books, Ed Skoudis has teamed up with Tom
Liston to create a revised and updated version. Counter Hack Reloaded
brings Counter Hack up to date with new technologies and attack types
as well as providing the information you need to protect your computer
and network from being targeted by these attacks.


* Information Security Salaries Rise
  10th, January, 2006

A new study released today confirms that there is indeed a growing
market for IS expertise.

Alan Paller, director of research at The SANS Institute, a respected
IT research and education organization, suggests that people "are
waking up to the fact that there's a shortage of security talent."


* Rising to a Higher Standard Isn't Easy
  10th, January, 2006

Some employees are held to a higher standard of behavior than most.
Anyone in a position with broad powers or influence falls into this
group, including accountants, managers, systems administrators -- and
information security professionals.

Like systems administrators, information security professionals
generally have access to a great deal of data and information. Even
if they don't have direct access, they generally know how to obtain
it by exploiting a weakness (like hackers, but with the opposite
intent) or by simply giving themselves elevated privileges.


* Debate Looms for GPL 3 Draft
  10th, January, 2006

The first draft of GNU General Public License Version 3 will be
unveiled next week at the Massachusetts Institute of Technology in
Cambridge, Mass., but that milestone is likely to be more of a
beginning than an ending.


* Feds to banks: Put security policies in writing
  11th, January, 2006

Even if federal law doesn't explicitly say so, all companies that
handle personal information for their customers should have written
security policies, a computer security attorney said Tuesday.

Last month, the Federal Reserve Board, which governs the U.S. banking
industry, issued a new guide stating that all banks and other
financial institutions must take certain steps to safeguard the
personal data they handle.


* Establishing Information Security Standards
  11th, January, 2006

This Small-Entity Compliance Guide is intended to help financial
institutions comply with the Interagency Guidelines Establishing
Information Security Standards (Security Guidelines). The guide
summarizes the obligations of financial institutions to protect
customer information and illustrates how certain provisions of the
Security Guidelines apply to specific situations. The appendix lists
resources that may be helpful in assessing risks and designing and
implementing information security programs.


* Homeland Security Extends Scope To Open Source Software
  11th, January, 2006

Through its Science and Technology Directorate, the Homeland Security
Department has given $1.24 million in funding to Stanford University,
Coverity and Symantec to hunt for security bugs in open-source
software and to improve Coverity's commercial tool for source code


* FBI says attacks succeeding despite security investments
  11th, January, 2006

Despite investing in a variety of security technologies, enterprises
continue to suffer network attacks at the hands of malware writers
and inside operatives, according to an annual FBI report released
today. Many security incidents continue to go unreported.


* Linux Security: A Good Thing Keeps Getting Better
  12th, January, 2006

A tech expert explains why Linux has remained a bright spot in an
increasingly grim IT security picture, and how businesses can ensure
effective, reliable security for their own Linux-based systems.
Linux has never had to face the challenges that Microsoft Windows
faces now (and in the past) in those areas of security that we are
most familiar with today, specifically those relating to client use
of an OS.


* Linux Security HOWTO Updated
  12th, January, 2006

The Linux Security HOWTO has been revised and updated.
The HOWTO provides a great overview of all issues involved in
securing a Linux system, with links to software and other great
sources of information on practical methods of enhancing the security
of any Linux-based system.


* Mozilla Releases Thunderbird 1.5
  13th, January, 2006

Mozilla Corp. on Thursday released the 1.5 version of its
Thunderbird e-mail client, building and improving on automated spam
and security control as well as offering easy access to podcasts.

Based on a year of feedback from its user base, Thunderbird said it
has improved its updating procedures in the release for automatic
downloading of some updates in background mode while prompting users
when the updates are ready for installation.


* RSS malware plague predicted for 2006
  13th, January, 2006

The fast growing popularity of RSS (really simple syndication) means
that the technology will pose increasingly significant problems for
IT security professionals this year, new research has warned.

ScanSafe's latest web security report notes an explosive growth in
the use of RSS feeds to pull updated content via HTTP and XML rather
than having it pushed to them by SMTP.


* Three more states add laws on data breaches
  9th, January, 2006

Companies struggling to keep up with a patchwork of state laws
related to data privacy and information security have three more to
contend with, as new security-breach notification laws went into
effect in Illinois, Louisiana and New Jersey on Jan. 1.

Like existing statutes in more than 20 other states, the new laws
prescribe various actions that companies are required to take in the
event of a security breach involving the compromise of personal data
about their customers.


* Nine city hotspots will offer wireless internet use
  12th, January, 2006

From March, residents in nine urban centres across Britain will be
able to access the internet from their laptops outdoors, without
cables, and use their mobile phones to make calls over the web after
a small technology firm launches the first part of a nationwide WiFi

The move to roll out wireless internet technology will threaten the
revenues of Britain's mobile phone operators.


* Preventing Buffer Overflow Exploits Using the Linux Distributed
Security Module
  13th, January, 2006

The sad thing about buffer overflow exploits is that good programming
practices could wipe out even potential exploits; however, that
simply has not happened. Your own defence against such exploits should
revolve around controlling access to sensitive systems, installing
software updates that replace exploitable software, and being aware
of what a buffer overflow exploit looks like when your system is the
intended victim.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request@private
         with "unsubscribe" in the subject of the message.

InfoSec News v2.0 - Coming Soon! 

This archive was generated by hypermail 2.1.3 : Mon Jan 16 2006 - 22:42:32 PST