[ISN] Linux Security Week - December 27th 2004

InfoSec News isn at c4i.org
Wed Dec 29 01:32:39 EST 2004

|  LinuxSecurity.com                         Weekly Newsletter        |
|  December 27th, 2004                        Volume 5, Number 51n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com    |
|                   Benjamin D. Thomas      ben at linuxsecurity.com     |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Survivor's
Guide to 2005: Security," "Security Starts from the Inside Out,"
and "Linux lasting longer against Net attacks."


>> Internet Productivity Suite: Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give
you the best security and productivity applications available.
Collaborating with thousands of developers, Guardian Digital security
engineers implement the most technologically advanced ideas and
methods into their design.



Happy Holidays!  This week, advisories were released for
cscope, htget, a2ps, ethereal, xzgv, debmake, xcdroast, udev,
cups, postgresql, namazu, pam, samba, glibc, krb5, php,
gnumeric, abiword, libtiff, kfax, abcm2ps, phpMyAdmin, WordPress,
NASM, mplayer, mpg123, wget, urpmi, aspell, krb5, logcheck, samba,
Linux kernel, kerberos5, libxml, gd, XFree86, and nfs-utils.
The distributors include Debian, Fedora, Gentoo, Mandrake,
NetBSD, Trustix, Red Hat, and SuSE.



State of Linux Security 2004

In 2004, security continued to be a major concern. The beginning of
the year was plagued with several kernel flaws and Linux vendor
advisories continue to be released at an ever-increasing rate.
This year, we have seen the reports touting Windows' security
superiority, only to be debunked by other security experts
immediately after release. Also, Guardian Digital launched the
new LinuxSecurity.com, users continue to be targeted by automated
attacks, and the need for security awareness and education
continues to rise.



Vincenzo Ciaglia Speaks Security 2004

Vincenzo Ciaglia of Linux Netwosix talks about this year of Linux
Security.  A full immersion in the world of Linux Security from many
sides and points of view.



Open Letter to the Linux Security Community

With an all new look & feel, organizational changes, security events,
and additions to our staff, we hope to better serve the Linux and open
source community. Although there are many aesthetic improvements, a major
part of our development has focused on creating a content structure and
backend system that is easy to update.



>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with
the ability to securely access corporate email from any computer,
collaborate with co-workers and set up comprehensive address books to
consistently keep employees organized and connected.


-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

| Host Security News: | <<-----[ Articles This Week ]----------

* The Linux Year
  24th, December, 2004

Was it because the march on the server space continued at a
relentless pace? Because there were big announcements around desktop
installments? Because there was finally some realistic perspective
about the threat from SCO, or the threat to Microsoft? However you
look at it, the penguin's tux has never looked more pristine or ready
for business.


* Adding strong security from day one
  22nd, December, 2004

Adding security to constrained devices is not an easy task for
developers who need to accommodate a range of new features without
compromising usability. Experience has shown that building security
in at the design stage yields better results from a security and
performance perspective.


* LDAP Server Administration with GOsa
  20th, December, 2004

A flaw in two popular Unix and Linux administration consoles could
lead to systems being compromised, according to an alert from
security firm Secunia. The bug in Usermin, a widely used
administration console for Unix and Linux, could allow the
introduction of rogue shell code when a user views a particular
e-mail via the web.


* Special Report: Database Security
  24th, December, 2004

Databases control most of the business world's valuable information.
Pick a vital application--credit-card processing, EDI, financial
analysis, just-in-time production--and you'll find a database under


* Tools Block Code-Busting Crooks
  20th, December, 2004

The concept of adding security to the coding phase of application
development is catching on, with new companies delivering tools to
help developers test for vulnerabilities early in the process.


* Why Your Data Is At Risk
  21st, December, 2004

Your data is vulnerable no matter where it resides. While most
companies take security precautions, many of those precautions turn
out to be insufficient to protect valuable corporate assets. The key
lies in knowing where vulnerabilities exist and making appropriate
risk-based decisions.


* Security Starts from the Inside Out
  21st, December, 2004

Patrick Angle, 34, was charged with intentionally damaging a
protected computer. The charge alleged that Angle, who had worked for
Varian, had become disgruntled with his employment by September 2003
and had been told by the company that his employment contract would
be terminated in October of that same year.


* How ITIL Can Improve Information Security
  24th, December, 2004

ITIL - the Information Technology Infrastructure Library - is a set
of best practices and guidelines that define an integrated,
process-based approach for managing information technology services.
ITIL can be applied across almost every type of IT environment.


* Linux in Government: Security Enhanced Linux - The Future is Now
  20th, December, 2004

If a must-have, must-know innovation exists for Linux's future
viability, you might place all bets on Security Enhanced Linux.
Vastly misunderstood and underrated, SELinux provides a marketing
differentiator that could carry Linux deep into infrastructures that
so far have shown lukewarm acceptance of the open-source operating


| Network Security News: |

* Survivor's Guide to 2005: Security
  20th, December, 2004

Intrusion detection systems--the primary source of warnings that
attacks are under way--are critical pieces of network-security
infrastructure, providing detailed records of attacks, intrusions and
unexpected network activity. For most enterprises, the IDS has become
the central piece of security hardware, certainly the most visible
piece to the staff. Without an IDS, the security staff must gather
forensics information from firewall, server and router log files.


* Linux lasting longer against Net attacks
  24th, December, 2004

Unpatched Linux systems are surviving longer on the Internet before
being compromised, according to a report from the Honeynet Project
released this week. The data, from a dozen networks, showed that the
average Linux system lasts three months before being compromised, a
significant increase from the 72-hour life span of a Linux system in


* Will 2005 Bring a Safer Internet?
  24th, December, 2004

Sometimes writing about security is just too easy. Making predictions
about next year is like this in some ways. Let's pick some of the
low-hanging fruit early. Even though most spam-tracking companies
show that spam already comprises 75 percent or more of all e-mail,
that proportion will go up in 2005.


* Linux holds out against attackers
  24th, December, 2004

A recent 'honeynet' experiment showed that unpatched Linux systems
held up for an average of three months before succumbing to
Internet-based attacks.


* Know Your Enemy: Trends
  22nd, December, 2004

This paper documents how the life expectancy of unpatched or
vulnerable deployments of common Linux systems has increased
from 3 days to 3 months.  This is surprising based on the
increase of malicious activity seen in the past 18 months.


| General Security News: |

* GPL to get a makeover
  23rd, December, 2004

The General Public License hasn't had a proper update for 13 years,
and it's starting to show its age. It looks set to be updated though,
to ensure it's more in tune with today's software models and
potential legal battles.


* NASA hacker jailed for six months
  20th, December, 2004

A US man has been jailed for six months for a 2001 attack on the web
systems of space agency NASA which cost $200,000 to fix.


* Groups fight Internet wiretap push
  24th, December, 2004

Companies and advocacy groups opposed to the FBI's plan to make the
Internet more accommodating to covert law enforcement surveillance
are sharpening a new argument against the controversial proposal:
that law enforcement's Internet spying capabilities are just fine as
they are.


* Army focuses on cyber protection
  24th, December, 2004

A recently issued Army white paper, "Fight the Network," provides a
new framework for the Signal Regiment, the service's communications
organization, as it changes to support lighter, more mobile
warfighting units.


* Banks test ID device for online security
  24th, December, 2004

For years, banks gave away toasters to people who opened checking
accounts; soon they may be distributing a more modern kind of
appliance. Responding to an increase in Internet fraud, some banks
and brokerage firms plan to begin issuing small devices that would
help their customers prove their identities when they log on to
online banking, brokerage and bill-payment programs.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.
