[ISN] Linux Security Week - January 31st 2005

InfoSec News isn at c4i.org
Tue Feb 1 04:01:35 EST 2005

|  LinuxSecurity.com                         Weekly Newsletter        |
|  January 31st, 2005                          Volume 6, Number 5n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com    |
|                   Benjamin D. Thomas      ben at linuxsecurity.com     |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Introduction
to Troubleshooting Linux Firewalls," "Common Criteria  Salvation For
Email Security," and "Do 'irresponsible' security researchers help or


>> Enterprise Security for the Small Business <<
Never before has a small business productivity solution been
designed with such robust security features.  Engineered with
security as a main focus, the Guardian Digital Internet Productivity
Suite is the cost-effective solution small businesses have been
waiting for.



This week, articles were released for libtiff, ethereal, xpdf, squid,
xtrlock, sword, unarj, enscript, zhcon, vdr, xine-lib, libpam-radius,
kdebase, f2c, cups, alsa-lib, grep, kernel-utils, hal, im-sdk, gphoto,
apr, tetex, koffice, kdegraphics, kdelibs, gaim, procps, mailman,
mysql, awstats, less, kernel, and xpdf.  The distributors include
Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, SuSE, and



The Tao of Network Security Monitoring: Beyond Intrusion Detection

The Tao of Network Security Monitoring is one of the most
comprehensive and up-to-date sources available on the subject. It
gives an excellent introduction to information security and the
importance of network security monitoring, offers hands-on examples
of almost 30 open source network security tools, and includes
information relevant to security managers through case studies,
best practices, and recommendations on how to establish training
programs for network security staff.



Encrypting Shell Scripts

Do you have scripts that contain sensitive information like
passwords and you pretty much depend on file permissions to keep
it secure?  If so, then that type of security is good provided
you keep your system secure and some user doesn't have a "ps -ef"
loop running in an attempt to capture that sensitive info (though
some applications mask passwords in "ps" output).



A 2005 Linux Security Resolution

Year 2000, the coming of the new millennium, brought us great joy
and celebration, but also brought great fear.  Some believed it would
result in full-scale computer meltdown, leaving Earth as a nuclear
wasteland.  Others predicted minor glitches leading only to
inconvenience.  The following years (2001-2004) have been tainted
with the threat of terrorism worldwide.



>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with
the ability to securely access corporate email from any computer,
collaborate with co-workers and set-up comprehensive addressbooks to
consistently keep employees organized and connected.


-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

| Host Security News: | <<-----[ Articles This Week ]----------

* The encryption factor
  27th, January, 2005

Quantum computing is set to revolutionise the way we work. Trouble
is, it could crack any of today's security codes in a fraction of a
second, says Charles Arthur.When bankers and spies begin to worry
about advances in computing, the rest of us would do well to take
notice. What makes them edgy are the advances being made in "quantum
computing", which is, as might be expected from the name, as
entangled and confusing a field to understand as the branch of
physics on which it is based - quantum mechanics.


* Introduction to Troubleshooting Linux Firewalls
  25th, January, 2005

Oh no you say not more management speak! Please, I get enough of that
already! Fear not; we promise that we won't waste your time with YAUM
(Yet Another Useless Methodology). We want you to find your problem
and fix it quickly. So you can call this a process, a method, a way,
or if you like, call it a methodology whatever works for you. What we
don't want to do is fill your head with some useless babble. This
methodology is hard won from years of solving problems.


* Patching up problems
  28th, January, 2005

The race to plug network holes before attackers use them is running
system managers ragged--so they're throwing up more barriers to stop


* SELinux: Playing with fire
  26th, January, 2005

One of the much-talked-about features in Fedora Core 3 (FC3) is
Security-Enhanced Linux, which some people believe will make Linux a
truly military-grade secure operating system. But SELinux is
available to secure many other distributions as well.


* Common Criteria  Salvation For Email Security
  26th, January, 2005

With the increasing threat of far more sophisticated attacks than
just spam and viruses, email security is taking a leap forward. But
in implementing new solutions, organisations open up the risk to
additional vulnerabilities, because the products they have chosen may
not provide an adequate level of security.


* The Role Of Email Security In Meeting Regulatory Requirements
  27th, January, 2005

Corporate governance and regulation were one of the dominant themes
of 2004 and look set to continue to be so throughout 2005. Corporate
governance relates to how an organisation is run, and has
repercussions for almost every department  particularly Finance, HR,
Auditing, Procurement and IT. Due to the nature of the potential
content of email, ranging from a simple customer query to financial
projections, the use of this application demands particular attention
to ensure that its management helps to secure regulatory compliance.


* Developer Raps Linux Security

Developer Raps Linux Security
  26th, January, 2005

Brad Spengler of grsecurity characterized the Linux Security Model,
or LSM, as merely a way to allow the National Security Agency's
SELinux to be used as a module. "The framework is unfit for any
security system that does anything remotely innovative, such as
grsecurity and RSBAC [Rule Set-Based Access Control]," he


| Network Security News: |

* 'Evil twin' could pose Wi-Fi threat
  26th, January, 2005

Researchers at Cranfield University are warning that "evil twin" hot
spots, networks set up by hackers to resemble legitimate Wi-Fi hot
spots, present the latest security threat to Web users.


* Hackers targeted by high-level system
  25th, January, 2005

Running on Windows, Linux or Sun, Defiance TMS was made up of four
elements.  Defiance Monitor acted as the intrusion detection system
(IDS), which would let IT staff monitor for threats. Defiance Gateway
was the core IPS protection element, backed up by A Defiance
Management Server to store logs and other security data, and the
Defiance Security Console for system unified administration.


| General Security News: |

* Coyotos, A New Security-focused OS & Language
  25th, January, 2005

For those who haven't been following the EROS project, it has now
migrated to the Coyotos project.  EROS, the Extremely Reliable
Operating System, was a project to create an operating system whose
security relied on capabilities rather than the traditional Unix
model of root or non-root.


* Open and safe?
  25th, January, 2005

TRUE or false? Open source software like Linux is more secure than
Microsoft Windows, a proprietary operating system because there seem
to be more virus attacks against it.


* No end to security sector growth
  27th, January, 2005

The South African IT security industry, worth R1.082 billion, is
still growing, according to research firm BMI-TechKnowledge.
According to the firm's latest findings on the local security market,
the industry grew by about 16% in 2003, with that level of growth
expected to continue throughout the forecast period 2003 to 2008.


* Do 'irresponsible' security researchers help or hinder?
  27th, January, 2005

To many software makers and security consultants, flaw finder David
Aitel is irresponsible. The 20-something founder of vulnerability
assessment company Immunity hunts down security problems in widely used
software products. But unlike an increasing number of researchers, he
does not share his findings with the makers of the programs he


* Run information security like you run your busines
  28th, January, 2005

Do your CSO, CIO, information security professionals and software
developers have measurable quotas  and compensation for meeting or
exceeding their information security numbers? Chances are, your firm
is not running information security like a business unit with a
tightly focussed strategy on customers, market and competitors.
Without well-defined, standard, vendor-neutral threat models and
performance metrics. there cannot be improvement; and improvement is
what our customers want.


* US to tighten nuclear cyber security
  26th, January, 2005

The US Nuclear Regulatory Commission (NRC) quietly launched a public
comment period late last month on a proposed 15-page update to its
regulatory guide "Criteria for Use of Computers in Safety Systems of
Nuclear Power Plants." The current version, written in 1996, is three
pages long and makes no mention of security.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.

More information about the ISN mailing list