[ISN] Linux Security Week - October 4th 2004

InfoSec News isn at c4i.org
Tue Oct 5 07:29:29 EDT 2004

|  LinuxSecurity.com                         Weekly Newsletter        |
|  October 4th, 2004                         Volume 5, Number 39n     |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com    |
|                   Benjamin D. Thomas      ben at linuxsecurity.com     |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Gaim Encryption:
Simple encryption for instant messages," "Authentication methods in
OpenBSD," "Defending Your IT Infrastructure Through Effective Patch
Management," and "Defeating Honeypots."


>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the
ability to securely access corporate email from any computer, collaborate
with co-workers and set-up comprehensive addressbooks to consistently keep
employees organized and connected.



This week, advisories were released for kernel, imlib, getmail, sendmail,
vnc, CUPS, cadaver, tcpdump, freenet6, apache, subversion, sharutils,
webmin, and NetPBM. The distributors include Conectiva, Debian, Fedora,
Gentoo, Mandrake, and Trustix.



Network security is continuing to be a big problem for companies and home
users. The problem can be resolved with an accurate security analysis. In
this article I show how to approach security using aide and chkrootkit.



An Interview with Gary McGraw, Co-author of Exploiting Software:
How to Break Code

Gary McGraw is perhaps best known for his groundbreaking work on securing
software, having co-authored the classic Building Secure Software
(Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund
a companion volume, Exploiting Software, which details software security
from the vantage point of the other side, the attacker. He has graciously
agreed to share some of his insights with all of us at LinuxSecurity.com.



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

| Host Security News: | <<-----[ Articles This Week ]----------

* Ten Steps to E-Mail Security
October 1st, 2004

More than 10,000 students depend on Jill Cherveny-Keough for trustworthy
computing systems. As director of academic computing at the New York
Institute of Technology (NYIT), Cherveny-Keough must ensure that dozens of
computing centers across the college's campuses run without a hitch. The
centers, located throughout Long Island and Manhattan, support the
college's undergraduate and graduate students.


* Gaim-Encryption: Simple encryption for instant messages
October 1st, 2004

Instant messaging is everywhere nowadays, but people who use it may be
surprised to know how trivial it is to listen in on their private
conversations. Snoopers can use tools like tcpdump and aimsniff to tap
into the contents of the messages. But with a little free software, IMers
can be secure in the knowledge their conversations are, well, secure.


* Tipping the Scales Toward Secure Code
October 1st, 2004

Everybody can use more secure code--and sometimes the best way to hone
your skills is to listen to other programmers. Here are 18 concise tips
offered by your fellow developers, each a specific (and opinionated!)
piece of advice that you can put to work immediately. You may not agree
with all these suggestions, but each is worth contemplating.


* 'Cybernapping' danger of unprotected systems
October 1st, 2004

Hackers stealing company data and holding it to ransom is a growing trend,
warn security experts. 'Cybernappers' take confidential data such as
customer lists from backend systems unprotected by the necessary security


* Authentication methods in OpenBSD
September 30th, 2004

OpenBSD supports several authentication methods besides a simple password.
Here are some ways you can keep your systems safe. To use these alternate
login methods, the username is changed and OpenBSD processes the
authentication in the background. By default, the only authentication
methods that are allowed are simple passwords and S/Key.


* Secure Linux Competition Heats Up
September 30th, 2004

The race is on to deliver a version of the Linux open-source operating
system that will be more secure than any of its predecessors but also
manageable and affordable enough to garner widespread acceptance. Linux
developer MandrakeSoft SA and a consortium of European software makers
have tossed their hat into the ring, as has Trusted Computer Solutions
Inc., a maker of software used by government agencies and businesses to
securely transfer sensitive data.


* Defending Your IT Infrastructure Through Effective Patch Management
September 28th, 2004

Imagine that you are the IT Director of a large retail bank with an active
and highly visible Internet banking service. While driving into the
office, half-listening to the radio news, you hear your bank's name being
announced, immediately followed by the words "hacker", "massive system
failure" and "identity theft".


* USB--short for 'ultimate security breakdown'?
September 28th, 2004

For the average corporate or home PC user, the initialism "USB" refers to
a computer port that makes it very easy to connect devices directly to a
machine. With this connection, a person can transfer or copy information
to and from a computer with little trouble.


* Security Log
September 27th, 2004

Trusted Computer Solutions Inc. has announced that it is developing a
product called TCS Trusted Linux, a multilevel-secure version of the Linux
operating system.


* Biometrics: A Security Makeover
September 27th, 2004

One year ago, the prospects for developing biometrics as a reliable
security device for computers were viewed by many industry watchers as a
nice idea with little applicable potential. After all, biometric security
devices have been available in one form or another for 30 years.


| Network Security News: |

* Protecting the Perimeter With OpenBSD
September 30th, 2004

The Unix operating system has so many descendants and variations that
organizations navigating the maze of choices can quickly become
disoriented. Many of these projects were launched to offer operating
systems unencumbered by the commercial and proprietary licenses tied to
the original AT&T UNIX.


* Defeating Honeypots: Network Issues, Part 1
September 30th, 2004

To delude attackers and improve security within large computer networks,
security researchers and engineers deploy honeypots. As this growing
activity becomes a new trend in the whitehat community, the blackhats
study how to defeat these same security tools.


* Intrusion Detection Trumps Prevention In Health Care
September 30th, 2004

Many health-care organizations are going beyond firewall and
intrusion-detection technologies and counting on intrusion-prevention
products to safeguard their systems.


* Web Services Management, Security Converge
September 30th, 2004

In a deal that could signal a trend, Web services-management vendor
Digital Evolution has acquired fledgling Web services management/security
vendor Flamenco Networks. Some consolidation in this market was
inevitable, given the number of players, and it should have a positive
impact on options.


* 'Know Your Enemy': Everything you need to know about honeypots
September 28th, 2004

Honeypots are a relatively new and highly dynamic technology. Because they
are so dynamic, it is difficult to define just what they are. Honeypots
are unique in that they are not a solution in and of themselves; they do
not solve a specific security problem. Instead, they are highly flexible
tools with many different information security applications.


| General Security News: |

* Smart Users Are Dangerous
October 1st, 2004

The more technologically sophisticated non-IT employees become, the bigger
their potential threat to the enterprise. A little knowledge has always
been a dangerous thing, and when it comes to employees and technology, a
little technology knowledge can add up to big dangers.


* Network Physics Releases Distributed Network Intelligence Tool
September 30th, 2004

Network Physics has introduced NetSensory Enterprise Architecture, a
distributed intelligence tool that promises to provide global applications
infrastructure visibility, troubleshooting and reporting. The architecture
is built on a new distributed operating system, the NetSensory™ OS 4.0,
which runs on the company's NP-2000 appliance and a new hardware
appliance, the NP-Director™.


* IT managers are putting security at top of their wish list
September 29th, 2004

At a roundtable discussion this week at an International Data Corp.
technology conference in Paris, the International Herald Tribune spoke
with some of the executives in charge of putting technology to work in
Europe. Edited excerpts from their conversation with Jennifer L. Schenker
and Victoria Shannon follow.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
