[ISN] Linux Security Week - February 7th 2005

InfoSec News isn at c4i.org
Tue Feb 8 03:52:11 EST 2005

|  LinuxSecurity.com                         Weekly Newsletter        |
|  February 7th, 2005                          Volume 6, Number 6n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com    |
|                   Benjamin D. Thomas      ben at linuxsecurity.com     |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Getting to
Know Linux Security: File Permissions," "Reporting Kernel Security
Issues," and "Linux software can secure an entire network."


  Tuesday, February 8th 2005 from 11am-12pm EST.

  Title: Real World Linux Security
  Featured Guest: Bob Toxen

    Visit: http://www.linuxsecurity.com
    for information on how to participate!


This week, advisories were released for squirrelmail, prozilla, cpio,
openswan, enscript, zlib, gaim, cvs, openssl, curl, ruby, rhgh, file,
net-tools, gimp, squid, dump, mc, dbus, kdepim, xpdf, kernel, ngIRCd,
tikiwiki, f2c, ncfs, clamav, imap, chbg, vim, perl-dbi, and
ethereal.  The distributors include Debian, Fedora, Gentoo,
Mandrake, and Red Hat.



Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security'
series.  The topic explored is Linux file permissions.  It offers an
easy to follow explanation of how to read permissions, and how to set
them using chmod.  This guide is intended for users new to Linux
security, therefore very simple.



The Tao of Network Security Monitoring: Beyond Intrusion Detection

The Tao of Network Security Monitoring is one of the most
comprehensive and up-to-date sources available on the subject. It
gives an excellent introduction to information security and the
importance of network security monitoring, offers hands-on examples
of almost 30 open source network security tools, and includes
information relevant to security managers through case studies,
best practices, and recommendations on how to establish training
programs for network security staff.



Encrypting Shell Scripts

Do you have scripts that contain sensitive information like
passwords and you pretty much depend on file permissions to keep
it secure?  If so, then that type of security is good provided
you keep your system secure and some user doesn't have a "ps -ef"
loop running in an attempt to capture that sensitive info (though
some applications mask passwords in "ps" output).



>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with
the ability to securely access corporate email from any computer,
collaborate with co-workers and set-up comprehensive addressbooks to
consistently keep employees organized and connected.


-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

| Security News:      | <<-----[ Articles This Week ]----------

* Linux Security Cookbook
  3rd, February, 2005

I read this book from cover to cover and consider it a great effort
by the authors to cover many security issues related to not just
Linux, but most *nix operating systems. Here's a chapter by chapter
review of what I've observed in the book.


* Microsoft Claims Linux Security a Myth
  31st, January, 2005

Microsoft bigwig Nick McGrath claims that Linux security is highly
exaggerated, and that the open source development model is
'fundamentally flawed.' The gist of his argument appears to be his
claim of lack of accountability among distributors, coupled with
generic statements short on facts. 'Who is accountable for the
security of the Linux kernel? Does Red Hat, for example, take
responsibility? It cannot, as it does not produce the Linux kernel.
It produces one distribution of Linux.'


* Home User Security Guide
  1st, February, 2005

I know many of you have received some nice to tech toys for Christmas
recently, so its time to talk about making them secure and keeping
them that way.


*  Reporting Kernel Security Issues
  2nd, February, 2005

A lengthy and interesting thread was started on the lkml by Chris
Wright looking to define a centralized place to report security
issues in the Linux Kernel.  Chris offered his services in getting
things set up, addressing his email to Linus Torvalds, Andrew Morton
[interview], Alan Cox [interview] and Marcelo Tosatti [interview].
He explained that he wanted to centralize the information "to help
track it, make sure things don't fall through the cracks, and make
sure of timely fix and disclosure".  The resulting discussion was
joined by numerous members of the kernel hacking community, exposing
a wide range of opinions.


* Linux can secure entire network
  3rd, February, 2005

Tested over three months at IBM's Linux Test Integration Center
(LTIC) by a seven-person team, the 87-page report [pdf] titled "Linux
Security: exploring open source security for a Linux server
environment" set out to test a wide range of open-source Linux
products supported by IBM to see whether they could adequately
protect a middleware environment. Only open source products were us


* Linux software can secure an entire network
  3rd, February, 2005

An IBM report that tested the suitability of Linux software to secure
an network its entirety has come to light months after it was
originally published.


* Linux is mission critical for Czechs
  31st, January, 2005

The Czech postal service is putting its faith in open source, by
migrating a vital application onto SuSE Linux


* Penguins at the Gate
  2nd, February, 2005

Only a few open-source vendors have borne the time and expense of
having their software EAL-certified. Red Hat and Novell's SuSE Linux
attained EAL3+ ratings in the last year, but many other vendors have
yet to do the same. This raises a fundamental question:  Does
open-source software need security certifications to win global


* IBM study tests Linux security
  31st, January, 2005

To test open source security products, a study was conducted over a
period of three months at the IBM Linux Test Integration Center. The
goal for the security study was to deploy and compare various open
source security tools that were available for free in the industry,
and provide solution recommendations.


* Linux security is a 'myth', claims Microsoft
  1st, February, 2005

A senior Microsoft executive, speaking exclusively to vnunet.com, has
dismissed Linux's reputation as a secure platform as a "myth",
claiming that the open source development process creates fundamental
security problems.


* Best Security Software Solution
Live Voting
  2nd, February, 2005

SYS-CON's Readers' Choice Awards program is considered to be the most
prestigious award program of the software industry and is often
referred to as "the Oscars of the software industry." The products
participating in the program are nominated by their vendors,
customers, users, or SYS-CON readers. This year a record number of
companies and products were nominated. Below is a list of all
companies and products participating in the 2005 Readers' Choice
Awards in each category.


* Identity Management: Controlling the Costs of Continuous Compliance
  3rd, February, 2005

There are a number of technologies that can streamline your
compliance effort so that your company remains compliant without
incurring burdensome recurring costs. One such technology is identity
management, which can help to establish repeatable, sustainable,
cost-effective processes that respond quickly to organizational
changes, enable continuous compliance and security, and create
auditable histories of who had access to what information.


* MS Security Program No Threat to Linux, Advocate Says
  4th, February, 2005

Bruce Perens, co-founder of the Open Source Initiative and leader of
the Debian GNU/Linux distribution, said he believes Linux is simply
more secure and can respond to potential threats at any time since it
has an international developer base.


* RFID Vulnerability Expose
  1st, February, 2005

A vulnerability in radio-frequency ID  chips  could put millions of
users of  wireless  car key tags or speed pass payment devices at
risk, according to a recent study by researchers at Johns Hopkins
University and RSA Laboratories.


* Manhunt for Filipino hacker ensues
  1st, February, 2005

A manhunt for the alleged Filipino hacker of the government portal
"gov.ph" and other government websites was launched after the suspect
went into hiding, the police said Tuesday.

Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.

More information about the ISN mailing list