[ISN] Linux Security Week - April 25th 2005

InfoSec News isn at c4i.org
Tue Apr 26 01:49:08 EDT 2005

|  LinuxSecurity.com                         Weekly Newsletter        |
|  April 25th, 2005                           Volume 6, Number 18n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com    |
|                   Benjamin D. Thomas      ben at linuxsecurity.com     |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Five Linux
Security Myths You Can Live Without," "Configurations that keep your
Linux System safe from attack," and "Linux Distribution Tames Chaos."


DEMYSTIFY THE SPAM BUZZ: Roaring Penguin Software

Understanding the anti-spam solution market and its various choices and
buzzwords can be daunting task. This free whitepaper from Roaring
Penguin Software helps you cut through the hype and focus on the basics:
determining what anti-spam features you need, whether a solution you are
considering includes them, and to what degree.

Find out more!



This week, advisories were released for MySQL, PHP, libexif, gtkhtml,
info2www, geneweb, f2c, XFCE, vixie-cron, at, nasm, aspell, urw-fonts,
htdig, alsa-lib, curl, HelixPlayer, cvs, foomatic, monkeyd, mplayer,
xloadimage, logwatch, kernel, OpenOffice, and PostgreSQL. The
distributors include Conectiva, Debian, Fedora, Gentoo, Red Hat,
and SuSE.



Introduction: Buffer Overflow Vulnerabilities

Buffer overflows are a leading type of security vulnerability. This
paper explains what a buffer overflow is, how it can be exploited,
and what countermeasures can be taken to prevent the use of buffer
overflow vulnerabilities.



Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security'
series.  The topic explored is Linux file permissions.  It offers an
easy to follow explanation of how to read permissions, and how to set
them using chmod.  This guide is intended for users new to Linux
security, therefore very simple.



The Tao of Network Security Monitoring: Beyond Intrusion Detection

The Tao of Network Security Monitoring is one of the most
comprehensive and up-to-date sources available on the subject. It
gives an excellent introduction to information security and the
importance of network security monitoring, offers hands-on examples
of almost 30 open source network security tools, and includes
information relevant to security managers through case studies,
best practices, and recommendations on how to establish training
programs for network security staff.



>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with
the ability to securely access corporate email from any computer,
collaborate with co-workers and set-up comprehensive addressbooks to
consistently keep employees organized and connected.


-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

| Security News:      | <<-----[ Articles This Week ]----------

* Quantum cryptography: Your security holy grail?
  19th, April, 2005

Quantum cryptography . using a private communication channel to lock
down the exchange of sensitive data between two points . has to date
created much more discussion than it has practical applications.


* Five Linux Security Myths You Can Live Without
  20th, April, 2005

All distributions are not created equal: Some distros, by default,
are very secure; others install with virtually no default security. A
good source of independent information on the quality of distro
security is www.distrowatch.com, a site that supports the idea that
some distros offer better security than others.

* Network Scanner Includes Linux Security Checks
  21st, April, 2005

GFI Software Ltd., recently announced the release of a new version of
its network security scanner, GFI LANguard Network Security Scanner
(N.S.S.) 6 that can detect all machines and devices connected to the
network via a wireless link. It also alerts administrators when
suspicious USB devices are connected to the network.


* Can this man save the Net?
  22nd, April, 2005

VeriSign is the world's largest digital certificate authority and is
steward of the A and J root servers (two of the 13 computers
representing the top of the Internet's hierarchy). With 40 percent of
North American e-commerce payments going through its gateways, 100
percent of .com registrars running 15 billion queries a day through
its system, and 50 percent of North American cellular roamings going
through its servers, VeriSign has a significant role in seeing that
the Internet infrastructure runs securely.


* Cybercrime Wars
  20th, April, 2005

In the ethereal world of the Internet, an underground crime war is
being silently waged between the cyber-criminals and those trying to
stop them. A war that is undermining the interests of corporations
and governments worldwide and one that bears no regard for innocent
victims. In fact, the victims are purposely targeted, unwittingly
press-ganged into becoming foot-soldiers helping to spread spam,
attack large companies and unknowingly distribute illegal porn and
copyrighted materials. Nowadays, cyber-attacks and automated hacking
tools work so fast and efficiently that the enemy is winning.
Something needs to be done, as Nick Ray, CEO of Prevx explains.


* Cyber attack early warning center begins pilot project
  21st, April, 2005

A fledgling nonprofit group working to develop an automated
cyber-attack early warning system, the Cyber Incident Detection Data
Analysis Center (CIDDAC), is about to begin a pilot project to
collect data on network intrusions from a group of companies in
national-infrastructure industries.


* Configurations that keep your Linux System safe from attack
  20th, April, 2005

In this series of articles, learn how to plan, design, install,
configure, and maintain systems running Linux in a secure way. In
addition to a theoretical overview of security concepts, installation
issues, and potential threats and their exploits, you'll also get
practical advice on how to secure and


* US Government helps Bastille Linux gain assessment functionality
  20th, April, 2005

We've just finished adding a major new mission to Bastille Linux --
it now does hardening assessment! The US Government's TSWG helped us
add this functionality.


* The Five Ps of Patch Management
  20th, April, 2005

Security and vulnerability patching has become one of the top
concerns for IT managers, but has also left many IT teams fighting a
losing battle as the job of patching competes with day-to-day system
maintenance and security tasks.


* Microsoft to support Linux
  21st, April, 2005

Microsoft head Steve Ballmer has promised to add Linux support for
the first time in one of its products because, he explained, users
need to manage heterogeneous networks.


* Mozilla flaws could allow attacks, data access
  18th, April, 2005

Multiple vulnerabilities that could allow an attacker to install
malicious code or steal personal data have been discovered in the
Mozilla Suite and the Firefox open-source browser.


* PHP falls down security hole
  20th, April, 2005

Servers running PHP are vulnerable to a number of serious security
exploits, including some which could allow an attacker to execute
malicious code, and denial-of-service exploits, according to the PHP


* Linux Distribution Tames Chaos
  19th, April, 2005

Chaos, a Linux distribution developed by Australian Ian Latter,
harnesses the unused processing power of networked PCs, creating a
distributed supercomputer that can crack passwords at lightning


*  Linux receives pat on the back for security
  18th, April, 2005

A recent survey carried out by Evans Data Corporation has revealed
that development managers have more faith in Linux as an operating
system to guard them against internal attacks than they have in
Windows. Over 6,000 development managers were interviewed in the
Evans Data Corporation's new Spring 2005 Linux and Development
survey. They considered open source software to be more secure with
client operating systems; web servers; server operating systems and
components and libraries.


* Guidelines for Choosing to Outsource Security Management
  21st, April, 2005

Outsourcing security is not appropriate for every organization. Some
organizations will be better served by deploying and running security
management and monitoring solutions. Your organization should use
Gartner's Decision Framework to determine whether it is a candidate
for MSSP services. It is important to be clear about your
organization's expectation of a security outsourcing engagement, and
to structure a service-level agreement that reflects those


* Ameritrade Shows Peril of Backup Tapes
  22nd, April, 2005

For the second time this year, a high-profile financial company has
lost a backup tape containing customer data while shipping the tape
to an off-site storage facility.


* Retailers feel security heat
  22nd, April, 2005

Following several high-profile incidents of data theft, retailers are
under increased pressure to clean up their computer security act.


* Tackling identity theft
  18th, April, 2005

The only way to control today's identity theft epidemic is for
consumers, Congress and corporate America to team up.
Jim Lewis, director of the Technology and Public Policy Program at
the Center for Strategic and International Studies in Washington,
D.C., today told a panel of security experts from eBay, eTrade, RSA
Security, Forrester Research and BITS that protecting data is a
shared responsibility. "Consumers have to become more perceptive
about risks, but companies that use and hold data have a greater
responsibility to put procedures and safeguards in place," he said.
"Government's responsibility is to make sure this happens and to
prosecute the criminals."


* Flash Player Worries Privacy Advocates
  21st, April, 2005

Macromedia's Flash media player is raising concerns among privacy
advocates for its little-known ability to store computer users'
personal information and assign a unique identifier to their


* Teenagers struggle with privacy, security issues
  22nd, April, 2005

High-schools students have a message for their parents: Trust us with
technology. Security and privacy? We have it covered.


* U.S. Military's Elite Hacker Crew
  18th, April, 2005

The U.S. military has assembled the world's most formidable hacker
posse: a super-secret, multimillion-dollar weapons program that may
be ready to launch bloodless cyberwar against enemy networks -- from
electric grids to telephone nets.


* NY AG Spitzer Targets Hackers
  19th, April, 2005

New York Attorney General Eliot Spitzer has called for tougher
penalties on computer criminals. He wants to prosecute people who
gain access to computers surreptitiously, but who do not do any harm.
The proposed legislation would also make encrypting information a
crime if it concealed some other crime.


* DSW data theft much larger than estimated
  19th, April, 2005

Thieves who accessed a DSW Shoe Warehouse database obtained 1.4
million credit card numbers and the names on those accounts - 10
times more than investigators estimated last month.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.

More information about the ISN mailing list