[ISN] Linux Security Week - November 15th 2004

InfoSec News isn at c4i.org
Tue Nov 16 08:34:06 EST 2004

|  LinuxSecurity.com                         Weekly Newsletter        |
|  November 15th, 2004                        Volume 5, Number 45n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com    |
|                   Benjamin D. Thomas      ben at linuxsecurity.com     |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Sloppy Sysadmins
Leave Linux Security Lacking," "CLASS 5 Automated Vulnerability
Remediation," and "Building a LAMP Server w/ LDAP Authentication."


>> LinuxSecurity.com Version 2 <<

Get ready ... the new LinuxSecurity.com site will soon be revealed. The
same great content you've come to expect with a whole new look and great
new features. A sneak preview is coming soon!


This week, advisories were released for xpdf, libtiff3, sasl, shadow,
ruby, freeam, gzip, libgd1, gnats, libgd2, Gallery, ImageMagick, zgv,
mtink, Apache, pavuk, samba, libxml, webmin, and speedtouch. The
distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, and


Mass deploying Osiris

Osiris is a centralized file-integrity program that uses a client/server
architecture to check for changes on a system.  A central server maintains
the file-integrity database and configuration for a client and at a
specified time, sends the configuration file over to the client, runs a
scan and sends the results back to the server to compare any changes.
Those changes are then sent via email, if configured, to a system admin or
group of people.  The communication is all done over an encrypted
communication channel.


>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with
the ability to securely access corporate email from any computer,
collaborate with co-workers and set-up comprehensive addressbooks to
consistently keep employees organized and connected.


-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

| Host Security News: | <<-----[ Articles This Week ]----------

* Sloppy Sysadmins Leave Linux Security Lacking
November 12th, 2004

Linux has gaping security holes caused by systems administrators who
either can't or won't keep up with the latest patches, according to a
report from British security firm mi2g.


* Say hello to the 'time bomb' exploit
November 12th, 2004

Prepare yourself for "time bomb" exploits that attack web-based systems at
a pre-determined time.


* Security pros bemoan need for tactical focus
November 12th, 2004

Operational and tactical considerations continue to dominate the IT
security agenda, despite a growing need for more strategic approaches to
data protection, said attendees at the Computer Security Institute's
annual conference here this week.


* Exclusive interview of DK Matai with Linux/Security Pipeline
November 12th, 2004

This exclusive interview with Mitch Wagner and Tom Dunlap at Security
Pipeline in California succeeded the mi2g Intelligence Unit's response to
Matthew McKenzie and Scott Finnie on 6th November to the Linux Pipeline
article "Experts Challenge mi2g security study" authored by Tom Dunlap and
published on 5th November.


* CLASS 5 Automated Vulnerability Remediation
November 11th, 2004

CLASS 5 AVR (Automated Vulnerability Remediation) is a tiered architecture
platform that provides customizable and automated remediation capabilities
based on user-defined action policies when vulnerabilities are reported.


* Guardian Digital Offers Free Sarbanes Assessment
November 10th, 2004

Guardian Digital, Inc., the world's premier provider of open source
security solutions, today announced the launch of a new initiative aimed
at helping companies assess their network-readiness in meeting
Sarbanes-Oxley (SOX) legislation requirements.


* The reality of virtual servers
November 9th, 2004

Server virtualization is one of those rare technologies that sounds too
good to be true, but it's real. Its earliest use was to consolidate
underutilized server hardware onto a smaller number of machines. Since
those early days, it has grown into a multipurpose solution that enables
greater reliability, improved management, and other benefits that make it
an all-but-indispensable tool for enterprise datacenter administrators.


* Recovering From an Attack
November 8th, 2004

No matter the size of your network, sooner or later you'll have to clean
up an infected machine. Recovery from an attack can be daunting, but
following some simple steps will make it less painful.


| Network Security News: |

* Cisco Beefs Up WLAN Security
November 10th, 2004

Cisco Systems Wednesday unveiled a line of enterprise-grade multi-band
wireless access points that include beefed up security. It also said it is
adding intrusion detection capabilities for its entire Structured
Wireless-Aware Network (SWAN) wireless LAN framework.


* Is Gap Growing Between Security Haves and Have-Nots?
November 9th, 2004

Patch management, compliance and vulnerability management all vied for the
attention of attendees on Monday at the Computer Security Institute's
annual Computer Security conference here. However, some security
professionals worried about a new digital divide: large enterprises that
can afford security and small companies that can't.


* Building a LAMP Server w/ LDAP Authentication
November 9th, 2004

This tutorial is designed to guide you through the initial steps of
setting up an Apache, MySQL, and PHP server on Linux which will utilize an
external LDAP server for authenticating users. The server will be able to
use either Apache's authentication process (i.e. via httpd.conf), or PHP's
(i.e. coded into your app).


* Interview: The men behind ettercapNG
November 9th, 2004

In 2001 two Italians released the first beta version of ettercap, a
network protocol analyzer. This summer they released ettercapNG, which was
completely rewritten from scratch with better, modular code, making it
easier to add new features and write and submit patches. Ettercap is now
covered in most security books.


* Prevention Methods Shore Up Wireless LAN Defenses
November 8th, 2004

Security developers took more than a decade to move from intrusion
detection to intrusion prevention in the world of wired networking. But in
the fast-paced wireless space, vendors are already jumping on prevention
as the first step in security.


| General Security News: |

* IT Managers Have False Sense Of Security
November 15th, 2004

Corporate IT managers are a bit bi-polar when it comes to network
security, said a survey released this week at the Computer Security
Institute's annual conference in Washington, D.C. Just as an overwhelming
majority of IT execs think that their networks are safer than they were a
year ago, an even larger percentage admit in that attacks are on the rise.


* Security company defends Linux-is-vulnerable survey
November 11th, 2004

A UK security company has published an open letter following a furore in
the Linux camp after a study claimed that nearly two thirds of successful
Internet-based attacks occurred on the open source operating system.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.

More information about the ISN mailing list