[ISN] Linux Security Week - August 29th 2005

InfoSec News isn at c4i.org
Mon Aug 29 14:06:55 EDT 2005

|  LinuxSecurity.com                         Weekly Newsletter        |
|  August 29th, 2005                          Volume 6, Number 36n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com    |
|                   Benjamin D. Thomas      ben at linuxsecurity.com     |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Storm brewing
over SHA-1 as further breaks are found," "Linux Kernel Denial of
Service and IPsec Policy Bypass," and "Information Security in Campus
and Open Environments."


## Master of Science in Information Security ##

Earn your Master of Science in Information Security online from Norwich
University. Designated a "Center of Excellence", the program offers a
solid education in the management of information assurance, and the
unique case study method melds theory into practice.  Using today's
e-Learning technology, you can earn this esteemed degree, without
disrupting your career or home life.




This week, advisories were released for bluez-utils, thunderbird, mysql,
epiphany, system-config-netboot, kdbg, doxygen, kdeedu, ncpfs, gaim,
system-config-bind, tar, vnc, metacity, cups, pygtk, slocate, myodbc,
xpdf, libgal2, dhcpv, diskdumputils, kdebase, cvs, hwdata, eject,
pcre, kismet, wikiwiki, apache, tor, netpbm, vim, and elm.  The
distributors include Debian, Fedora, Gentoo, and Red Hat.



Hacks From Pax: PHP Web Application Security
By: Pax Dickinson

Today on Hacks From Pax we'll be discussing PHP web application
security. PHP is a great language for rapidly developing web
applications, and is very friendly to beginning programmers, but
some of its design choices can make it difficult to write web apps
that are properly secure. We'll discuss some of the main security
"gotchas" when developing PHP web applications, from proper
user input sanitization to avoiding SQL injection.
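The SQL injection gotcha the column refers to, as an added example that is not code from the newsletter or from the Hacks From Pax column. It is written in Python against an in-memory SQLite database so it runs stand-alone, but the two query styles mirror the PHP idioms exactly: building the statement by string interpolation (the old `mysql_query("... WHERE user='$u'")` habit) versus parameter placeholders (PDO prepared statements). The table, the account and the payload are constructed for the example.

```python
"""Vulnerable versus parameterized query, demonstrated on SQLite.
Added example; not from the newsletter or the Hacks From Pax column.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one user table with a single account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Request input is pasted straight into the statement text, the same
    # thing PHP string interpolation does.  Quotes in the input become SQL.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders: the driver passes the values separately from the query
    # text, so input can never change the structure of the statement.
    sql = ("SELECT COUNT(*) FROM users WHERE username = ? "
           "AND password = ?")
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    conn = make_db()
    # Attacker-controlled password field.  In the vulnerable query this
    # yields  ... AND password = '' OR '1'='1'  and AND binds tighter than
    # OR, so the WHERE clause is true for every row.
    payload = "' OR '1'='1"
    return {
        "valid_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "valid_safe": login_safe(conn, "alice", "s3cret"),
        "injected_vulnerable": login_vulnerable(conn, "alice", payload),
        "injected_safe": login_safe(conn, "alice", payload),
    }


if __name__ == "__main__":
    print(demo())
```

Both functions accept the real credentials; only the interpolated one accepts the payload. Note that "sanitizing" the input (escaping quotes) is the weaker fix: it has to be done correctly at every call site and for every encoding the database accepts, whereas placeholders remove the problem structurally.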



Network Server Monitoring With Nmap

Portscanning, for the uninitiated, involves sending connection requests
to a remote host to determine which ports are open for connections and,
possibly, which services they are exporting. Portscanning is usually one
of the first steps an attacker takes when attempting to penetrate your
system, so you should be preemptively scanning your own servers and
networks to discover exposed services before someone unfriendly gets
there first.
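The "scan your own servers" advice only pays off if the scan is compared against what you expect to be listening. The following is an added example, not code from the newsletter or from the Nmap project: a minimal TCP connect scan plus the baseline comparison that turns a scan into monitoring. A throw-away listener on 127.0.0.1 stands in for a real server so it runs offline. In production you would feed nmap's output (for instance from `nmap -oG`) into the same comparison rather than scanning from Python; nmap itself is not invoked here.

```python
"""TCP connect scan with a baseline check.  Added example, not from the
newsletter or from Nmap.  The local listener is a constructed stand-in.
"""
import socket
import threading


def connect_scan(host: str, ports, timeout: float = 0.2) -> set:
    # Connect scan: a completed three-way handshake means the port is open.
    # Closed ports are refused immediately; filtered ones run to the timeout.
    open_ports = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.add(port)
    return open_ports


def compare_to_baseline(observed: set, expected: set) -> dict:
    # Unexpected listeners are the interesting finding (a backdoor, a
    # forgotten daemon, a misconfiguration); missing ones usually mean an
    # outage or a service that failed to start.
    return {
        "unexpected": sorted(observed - expected),
        "missing": sorted(expected - observed),
    }


def _start_listener() -> tuple:
    # Constructed stand-in for a server: an ephemeral port on loopback,
    # accepting and closing connections in a background thread.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def demo() -> dict:
    srv, listening = _start_listener()
    try:
        # Scan a small window around the listener.
        observed = connect_scan("127.0.0.1", range(listening - 2, listening + 3))
        with_correct = compare_to_baseline(observed, {listening})
        with_empty = compare_to_baseline(observed, set())
        return {
            "listening": listening,
            "observed": sorted(observed),
            # A baseline that knows the service: nothing to report for it.
            "flagged_by_correct_baseline": listening in with_correct["unexpected"],
            "missing_with_correct_baseline": with_correct["missing"],
            # A baseline that does not: the listener is flagged.
            "flagged_by_empty_baseline": listening in with_empty["unexpected"],
        }
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

Run the scan from outside the host's own firewall as well as from inside; the two views differ, and the external one is the one an attacker sees.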



>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with
the ability to securely access corporate email from any computer,
collaborate with co-workers and set-up comprehensive addressbooks to
consistently keep employees organized and connected.


-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

| Security News:      | <<-----[ Articles This Week ]----------

* Storm brewing over SHA-1 as further breaks are found
  24th, August, 2005

Three Chinese researchers have further refined their collision attack on
the hash standard commonly used in digital signatures, making the attack
64 times faster (from roughly 2^69 to 2^63 operations) and leaving
cryptographers to debate whether the standard, known as the Secure Hash
Algorithm (SHA-1), should be phased out more quickly than planned.


* Storage and data encryption
  25th, August, 2005

Data security is a major concern for all CIOs. This has been
addressed from access and identity controls through encrypting data
in transmission through to securing data at rest, on disk or on tape.


* Host Integrity Monitoring Using Osiris and Samhain
  22nd, August, 2005

Host integrity monitoring is the process by which system and network
administrators validate and enforce the security of their systems.
This can be a complex suite of approaches, tools, and methodologies,
or it can be as simple as looking at logging output. In the past,
tools like Tripwire were used to check the configurations on hosts.
The freeware version of that tool was limited in manageability;
the management features were available mainly in the commercial version.
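What Osiris, Samhain and Tripwire have in common is a signed baseline of file digests and metadata, re-checked on a schedule. The following is an added example, not code from any of those projects or from the newsletter: the core of that loop in plain Python. A temporary directory with constructed files stands in for a real filesystem, and the "intrusion" is simulated by rewriting, adding and deleting files between the two scans.

```python
"""Minimal host integrity check: baseline, rescan, diff.
Added example; not code from Osiris, Samhain or Tripwire.
"""
import hashlib
import os
import tempfile


def file_record(path: str) -> dict:
    # Digest plus size and mode: a permission change (say, a new setuid
    # bit) matters even when the content is untouched.
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": st.st_mode}


def build_baseline(root: str) -> dict:
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # real tools record symlink targets separately
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_record(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    # The baseline must be stored where the monitored host cannot rewrite
    # it (read-only media, a central server, a signed database); otherwise
    # an intruder simply regenerates it after tampering.
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": changed,
    }


def demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample tree.
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary\n")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0\n")
        baseline = build_baseline(root)

        # Simulated intrusion: trojaned binary, dropped file, deleted file.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls binary\n")
        with open(os.path.join(root, "bin", "backdoor"), "wb") as f:
            f.write(b"not a legitimate file\n")
        os.remove(os.path.join(root, "passwd"))
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The manageability gap the summary mentions is exactly what is missing here: scheduling, central collection of reports from many hosts, and a protected store for the baseline. Those are what the Osiris and Samhain client/server designs add on top of this loop.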


* Why You Need To Add "Protect Domain Name" To The Security Checklist
  25th, August, 2005

Domain name hijacking broadly refers to acts where a registered
domain name is misused or stolen from the rightful name holder. A
domain hijacking is a security risk many organizations overlook when
they develop security policy and business continuity plans. While
name holders can take measures to protect their domain names against
theft and loss, many measures are not generally known.


* Linux/Unix e-mail flaw leaves system open to attack
  26th, August, 2005

Two serious security flaws have turned up in software widely
distributed with Linux and Unix. The bugs affect Elm (Electronic Mail
for Unix), a venerable e-mail client still used by many Linux and
Unix sysadmins, and Mplayer, a cross-platform movie player that is
one of the most popular of its kind on Linux.


* Linux Kernel Denial of Service and IPsec Policy Bypass
  25th, August, 2005

Two vulnerabilities have been reported in the Linux kernel, which can
be exploited by malicious, local users to cause a DoS (Denial of
Service) or bypass certain security restrictions.


* Flexible, safe and secure?
  24th, August, 2005

This article (http://www.net-security.org/article.php?id=812) looks
beyond the hype of mobile working to consider some of the practical
issues of an organisation implementing an ICT strategy that ensures
data security wherever employees connect to corporate systems.


* Information Security in Campus and Open Environments
  23rd, August, 2005

This article is geared towards techies at libraries and schools and
will attempt to address common security problems that may pop up at
these institutions. The author gears the solutions towards Open
Source, freeware, and base operating system security in a Windows
XP/2k environment.


* Legal disassembly
  23rd, August, 2005

The question for security researchers going forward is modeled by the
Lynn saga. Is it legal to disassemble or decompile a vendor's binary to
find vulnerabilities? Of course, the answer is mixed. Maybe it is,
maybe it's not.


* Be prepared to pay for security
  24th, August, 2005

When one million of your customers have their IP addresses added to a
spam blacklist, there is clearly something wrong with your security
systems. Just ask Telewest: this is exactly what it experienced in
May after 17,000 of its users saw their computers turn into spam


* Banks Abandoning SSL On Home Page Log-Ins
  24th, August, 2005

Some of the biggest banks have abandoned the practice of posting
their online account log-in screens on SSL-protected pages in an
effort to boost page response time and guide users to more memorable
URLs, a U.K. Web performance firm said Tuesday.


* The Real Problem of Linux: The Userbase?
  25th, August, 2005

True, a normal Linux installation and setting up basic internet
access and email settings is proven to be equally easy under Windows
as under Linux, if not easier under Linux. But I've been using Linux
distributions for several years now, and I must say that for advanced
problems it's harder to get things worked out under


* Industry Survey Shows SMBs Lack Minimal Security
  25th, August, 2005

Sean Stenovich often sees his small and midsize business clients pick
and choose their security solutions based on what they think they
need and can afford.


* Sarbanes-Oxley will be 2005's biggest time waster
  23rd, August, 2005

The Sarbanes-Oxley rules will be the biggest waste of IT resources
for public companies this year, according to a poll of 444 US
companies by IBM user group Share.


* Hacker underground erupts in virtual turf wars
  24th, August, 2005

In the early days of computer attacks, when bright teens could bring
down corporate systems, the point was often to trumpet a hacker's
success. No longer.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.
