[ISN] Linux Security Week - February 21st 2005

InfoSec News isn at c4i.org
Tue Feb 22 09:14:51 EST 2005

|  LinuxSecurity.com                         Weekly Newsletter        |
|  February 21st, 2005                         Volume 6, Number 8n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com    |
|                   Benjamin D. Thomas      ben at linuxsecurity.com     |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Securing
Linux with Mandatory Access Controls," "Providing Database
Encryption," and "Wi-Fi Alliance to Beef up Security."


>> Enterprise Security for the Small Business <<
Never before has a small business productivity solution been
designed with such robust security features.  Engineered with
security as a main focus, the Guardian Digital Internet Productivity
Suite is the cost-effective solution small businesses have been
waiting for.




This week, advisories were released for libXpm, evolution, mailman,
hztty, xpcd, sympa, netkit-rwho, toolchain, htdig, synaesthesia,
awstats, typespeed, emacs, gftp, python, openoffice, kernel, kdeedu,
gallery, webmin, perl-squid, ht/dig, opera, vmware, lighttpd, kstars,
midnight commander, drakextools, cpio, enscript, mysql, rwho, kdelibs,
xpdf, libtiff, vim, ethereal, thunderbird, and squid. The vendors
include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat,
and SuSE.



Getting to Know Linux Security: File Permissions

Welcome to the first tutorial in the 'Getting to Know Linux Security'
series.  The topic explored is Linux file permissions.  It offers an
easy-to-follow explanation of how to read permissions and how to set
them using chmod.  This guide is intended for users new to Linux
security and is therefore kept very simple.



The Tao of Network Security Monitoring: Beyond Intrusion Detection

The Tao of Network Security Monitoring is one of the most
comprehensive and up-to-date sources available on the subject. It
gives an excellent introduction to information security and the
importance of network security monitoring, offers hands-on examples
of almost 30 open source network security tools, and includes
information relevant to security managers through case studies,
best practices, and recommendations on how to establish training
programs for network security staff.



Encrypting Shell Scripts

Do you have scripts that contain sensitive information like
passwords, and do you pretty much depend on file permissions to keep
them secure?  If so, that type of security is good, provided you keep
your system secure and no user has a "ps -ef" loop running in an
attempt to capture that sensitive information (though some
applications mask passwords in "ps" output).
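As an added example (not code from the newsletter or from either article it summarises), this POSIX sh script ties the two items above together: it converts an `ls -l` permission string into the octal mode chmod takes, checks that a file holding a password is readable by its owner only, and shows why a password handed to a program as a command-line argument is visible to every local user in the process list while one read from stdin is not. It assumes Linux with /proc mounted (ps is the fallback); the file contents, secrets and names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the newsletter or the articles it summarises.
# Assumes POSIX sh on Linux: /proc for the process list, ps as the fallback.

# perm_to_octal "rwxr-x---" -> prints 750: the nine rwx characters shown by
# `ls -l`, mapped to the octal mode chmod takes (r=4, w=2, x=1 per triad).
perm_to_octal() {
    s=$1
    [ ${#s} -eq 9 ] || return 1
    out=""
    for start in 1 4 7; do                     # user, group, other triads
        triad=$(printf '%s' "$s" | cut -c"$start"-$((start + 2)))
        v=0
        case $triad in r??) v=$((v + 4)) ;; esac
        case $triad in ?w?) v=$((v + 2)) ;; esac
        case $triad in ??[xst]) v=$((v + 1)) ;; esac   # s and t imply x
        out="$out$v"
    done
    printf '%s\n' "$out"
}

# owner_only FILE: 0 when group and others have no permission bits at all
# (mode 700 or tighter), 1 otherwise; 2 if the mode could not be parsed.
owner_only() {
    oct=$(perm_to_octal "$(ls -ld "$1" | cut -c2-10)") || return 2
    case $oct in ?00) return 0 ;; *) return 1 ;; esac
}

# secret_in_cmdline MODE SECRET: start a child that receives SECRET as an
# argument (MODE=arg) or on stdin (MODE=stdin), then read every process's
# argv exactly as `ps -ef` does. Returns 0 if the secret is visible there.
secret_in_cmdline() {
    case $1 in
        arg)   sh -c 'sleep 2; exit 0' placeholder "$2" &
               ;;
        stdin) printf '%s\n' "$2" | sh -c 'read -r s; sleep 2; exit 0' placeholder &
               ;;
        *)     return 2 ;;
    esac
    sleep 1                                    # let the child finish exec()
    if [ -d /proc/self ]; then
        all=$(cat /proc/[0-9]*/cmdline 2>/dev/null | tr '\0' ' ')
    else
        all=$(ps -eo args= 2>/dev/null)
    fi
    wait                                       # reap the two-second child
    case $all in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# Constructed demonstration: the same credentials file at mode 644 and 600.
demo() {
    f=$(mktemp) && printf 'DB_PASS=example-only\n' > "$f"
    for mode in 644 600; do
        chmod "$mode" "$f"
        owner_only "$f" && echo "$mode: owner-only" || echo "$mode: group/others can read it"
    done
    rm -f "$f"
}
demo
```

The takeaway matches the article's caveat: permissions protect the file at rest, but a secret that reaches argv is readable by any local account regardless of the script's mode.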



>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with
the ability to securely access corporate email from any computer,
collaborate with co-workers and set-up comprehensive addressbooks to
consistently keep employees organized and connected.


-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

| Security News:      | <<-----[ Articles This Week ]----------

* What's The Best VoIP System For SMBs?
  15th, February, 2005

Making phone calls using a broadband Internet connection, more fondly
known as VoIP (Voice over Internet Protocol), is becoming more and
more popular with corporations of every size. The prospect of paying
a flat fee for unlimited long-distance phone calls is appealing to
every company that has struggled to balance the need to conduct
business phone calls with the price of those calls. Calling plans are
now available that provide unlimited minutes to any U.S. or Canadian
phone number by routing the voice traffic over an existing broadband
connection shared with the company's Internet access.


* Why Not Truth?
  14th, February, 2005

Ultimately cryptographers want some form of quantum repeater--in
essence, an elementary form of quantum computer that would overcome
distance limitations. A repeater would work through what Albert
Einstein famously called "spukhafte Fernwirkungen," spooky action at
a distance.


* Researchers: Digital encryption standard flawed
  17th, February, 2005

In a three-page research note, three Chinese scientists -- Xiaoyun
Wang and Hongbo Yu of Shandong University and Yiqun Lisa Yin, a
visiting researcher at Princeton University -- stated they have found
a way to significantly reduce the time required to break an algorithm,
known as the Secure Hashing Algorithm, or SHA-1, widely used for
digitally fingerprinting data files.  Other cryptographers who have
seen the document said that the results seemed to be genuine.


* Researchers find security flaw in SHA-1
  17th, February, 2005

Security experts are warning that a security flaw has been found in a
powerful data encryption algorithm, dubbed SHA-1, by a team of
scientists from Shandong University in China. The three scientists
are circulating a paper within the cryptographic research community
that describes successful tests of a technique that could greatly
reduce the speed with which SHA-1 could be compromised.


* How To Shop For A VPN
  14th, February, 2005

Get clued in on what to look for in enterprise-class products,
including the ins and outs of software vs. appliances, LAN-to-LAN vs.
remote access, SSL, IPsec, and other decisions you need to make. With
a virtual private network creating safe access for your
Internet-connecting users, you can rip out expensive frame relay,
leased lines and modem dial-up banks in favor of a secure WAN
connection. For any network that connects remote users to the
Internet, a VPN gateway provides three essentials for your data:
authentication, confidentiality and integrity.


* Linux Magazine: mod_perl, Part Two
  14th, February, 2005

As I mentioned last month, having persistent Perl code means that
some steps of your application can be reused rather than repeated.
One very easy optimization is keeping your database handles open
between web hits, rather than reopening them on each new hit. The
Apache::DBI module (found in the CPAN) does the work for you by
altering the way normal DBI connections are processed. If your
application is like most, you simply add PerlModule Apache::DBI to
the configuration file, and it just magically works.


* Deploy an application with Cerise Web server
  16th, February, 2005

Use Ruby as your programming language to create a simple application.
This article shows you how to create a guestbook Web application with
the Cerise Web server and the Ruby programming language. You'll use
RSS 1.0 as the file format for the guestbook entries and XSLT for
transforming files to HTML.


* HITB E-Zine: Issue #36 Released
  20th, February, 2005

After a nice Chinese New Year break we are pleased to bring you Issue
#36 of the HITB e-zine. This is a pretty interesting issue with an
exclusive article on Red Hat PIE Protection written by Zarul Shahrin
as well as an article on building a simple wireless authenticated
gateway using OpenBSD by Rosli Sukri (member of the HITB CTF


* Evaluating Your Firewall
  14th, February, 2005

Are you an administrator or security analyst who watches over a
firewall with a hundred or more rules? Or perhaps a hired gun who
must review a firewall with years of crusty buildup? Are you creating
a test lab that involves a wide variety of networks, servers, and
risks? If you're interested in enterprise-level firewalls, this
article will help you make sense of common failures in processes and
tools. We'll focus on enterprise-grade business and networking issues
that affect firewalls. (Penetration studies and piercing firewalls
from the outside will be covered in a later article.)


* SWsoft Unveils Virtuozzo 2.6.1 for Linux
  15th, February, 2005

The latest version of the Virtuozzo server virtualization solution
features several new enhancements, including a new Virtuozzo control
center, automatic update utility, stateful firewall support and VPN


* Clever service has key to e-mail security
  14th, February, 2005

How can you be sure your e-mails are safe from prying eyes? To most
of us e-mailing mom or even sending work-related e-mails, security
really isn't of great concern.  But for people to whom security is
of great importance, sending sensitive documents over the Internet
carries an extremely high degree of risk.


* More advisories, more security
  15th, February, 2005

More and more, we see articles questioning the security of a given
platform based solely on the number of advisories published - and
this approach is simply wrong, writes Thierry Carrez, of Gentoo


* Is Linux Security A Myth?
  17th, February, 2005

There are rare occasions in IT when a particular architecture reaches
a point where it stops being purely IT driven and takes on a life of
its own.  The last year has seen the open source movement reach such
a cult status and at the vanguard of open source fashion can be found
the Linux operating system. Whilst the platform appeals at several
levels for potential users, some of a philosophical nature and others
far more concrete, it is noticeable that a couple of its qualities
have recently been called into question.


* Why VoIP is raising new security concerns
  16th, February, 2005

New technology often leads to improved productivity, but it also
arrives with new IT challenges, often centering on security. "With
any new technology, security functions tend to be the last area that
matures," noted Pete Lindstrom, Research Director at Spire Security
LLC, a market research firm focusing on security issues. Voice over
IP (VoIP) has begun to make significant inroads in the enterprise, so
IT managers need to be aware of the unique security challenges it


* Security firms show united front
  16th, February, 2005

A joint system for reporting and grading security vulnerabilities is
going to be launched today. With an eye to guiding companies on which
software problems to patch first, Cisco, Symantec and Qualys plan to
launch a joint grading system for security vulnerabilities. The
ratings will consist of three numbers, Gerhard Eschelbeck, the chief
technology officer at security information provider Qualys said on
Tuesday. The first will be a baseline estimate of the severity of the
flaw. The second will rate the bug depending on how long it has been
around, and therefore how likely it is that companies have patched
against it.


* Securing Linux with Mandatory Access Controls
  15th, February, 2005

Some in the security industry say that Linux is inherently insecure,
that the way Linux enforces security decisions is fundamentally
flawed, and that the only way to change this is to redesign the kernel.
Fortunately, there are a few projects aiming to solve this problem by
providing a more robust security model for Linux by adding Mandatory
Access Control (MAC) to the kernel.


* Is Linux Security A Myth?
  16th, February, 2005

There are rare occasions in IT when a particular architecture reaches
a point where it stops being purely IT driven and takes on a life of
its own.  The last year has seen the open source movement reach such
a cult status and at the vanguard of open source fashion can be found
the Linux operating system. Whilst the platform appeals at several
levels for potential users, some of a philosophical nature and others
far more concrete, it is noticeable that a couple of its qualities
have recently been called into question.


* Defense picks two for PKI
  16th, February, 2005

Defense Department officials selected two companies to provide
digital certificate validation for the department's public-key
infrastructure (PKI), a decision that some officials feel could spur
a faster move to paperless e-government. After a yearlong, worldwide
pilot test, military officials chose Tumbleweed Communications and
CoreStreet as the two certificate validation providers for its
Identity Protection and Management Program, which includes the Common
Access Card smart card program.


* Novell taps open source for security
  15th, February, 2005

For Novell, security and open source belong together.

The Waltham, Mass.-based company said Monday that it will submit the
programming interfaces for eDirectory to two open-source projects,
allowing developers to use Novell's directory program to authenticate
network access. Novell also detailed a partnership with Linux
security company Astaro to create a security appliance that runs
Novell's SuSE Linux operating system.


* Novell boosts its Linux security credentials
  16th, February, 2005

Novell has unveiled a SuSE Linux-based soft appliance designed to
protect businesses against security threats from hackers, viruses,
worms and spam.


* SuSE Linux awarded government security cert
  18th, February, 2005

IBM and Novell announced at LinuxWorld today that SuSE Linux
Enterprise Server 9 has become the first distribution to complete
Evaluation Assurance Level (EAL) 4+.


* Security show tackles online threats
  14th, February, 2005

The security industry, in the business of paranoia, will be looking
over its shoulders more frequently at the annual RSA Security
Conference this week.


* Liberty Alliance Releases ID Standard For Web Services
  14th, February, 2005

The Liberty Alliance Project on Friday unveiled the public draft
release of a framework for identity-based web services. The latest
release of ID-WSF 2.0 is the first of three that will each add
greater depth to the identity-management framework. The final
specification including all three releases is expected to be
available by end of the year. Phase one extends ID-WSF 2.0 to include
support for SAML 2.0 from the Organization for Advancement of
Structured Information Sciences, an international standards body.


* The Threat Within - Why Businesses Need To Manage And Monitor
Employee Email Usage
  14th, February, 2005

In a few short years, email has become a major part of the national
psyche and a business-critical tool of communication. However, while
companies have been more than willing to embrace the business
benefits of email, they continue to remain oblivious to many of the
responsibilities this new form of communication brings, particularly
as it affects their employees. It is a commonly held misconception,
due to the informal traditions of electronic communication, that
e-mails carry less weight than letters on headed notepaper.


* Security firms show united front
  16th, February, 2005

With an eye to guiding companies on which software problems to patch
first, Cisco, Symantec and Qualys plan to launch a joint grading
system for security vulnerabilities.  The ratings will consist of
three numbers, Gerhard Eschelbeck, the chief technology officer at
security information provider Qualys said on Tuesday. The first will
be a baseline estimate of the severity of the flaw. The second will
rate the bug depending on how long it has been around, and therefore
how likely it is that companies have patched against it. The third
will measure the threat a vulnerability poses to a specific corporate
network. Each will take five or six factors into account for the


* Providing Database Encryption
  16th, February, 2005

As databases become networked in more complex multi-tiered
applications, their vulnerability to external attack grows. We
address scalability as a particularly vital problem and propose
alternative solutions for data encryption as an enterprise IT
infrastructure component. In this paper, we explore a new approach
for data privacy and security in which a security administrator
protects privacy at the level of individual fields and records, and
provides seamless mechanisms to create, store, and securely access


* Novell makes open source security moves
  18th, February, 2005

The Waltham, Massachusetts-based company has released the APIs to the
open source community to enable open source developers to make use of
Novell's eDirectory identity management platform.


* Watch Out for Spies With Friendly Faces
  18th, February, 2005

As tech-savvy people, we know by now that we have to worry about
technology being used to invade our privacy. But we tend to focus on
the stuff that's deliberately snooping on us: spyware, keyloggers,
Trojan horses, and other software and hardware designed with
malicious intent. An even bigger risk, though, can come from the
tools we usually trust--helpful gadgets and programs that weren't
built to spy on us but can be used that way.


* Passwords? We don't need no stinking passwords
  16th, February, 2005

RSA 2005: Concerns over online security are continuing to slow
consumer e-commerce growth. A quarter of the respondents in a recent
survey have reduced their online purchases in the past year and 21
per cent refuse to conduct business with their financial institutions
online because of security fears. More than half (53 per cent) of the
1,000 consumers quizzed believe that basic passwords fail to provide
sufficient protection for sensitive personal information.


* F-Secure exploit patched
  14th, February, 2005

F-Secure has become the latest security firm to be embarrassed by a
flaw in its flagship security product line, but the company managed to
patch the flaw while it was still only 'theoretical'.  F-Secure has
released a patch for a serious flaw in its antivirus products, the
second time in a week a security company has warned of a risk in its


* WLAN Users Lack Support
  14th, February, 2005

Setting up a wireless LAN can be as easy as sticking a plug into an
outlet. But even technology-savvy customers are complaining that
security can be a hassle due to problems with documentation and
support. While industry standards bodies are making strides to ensure
that even consumer-level WLAN hardware is effective and secure, the
user manuals that come with the hardware continue to leave a lot to
be desired. "The biggest challenge is inconsistent nomenclature and
presentation of the basic components," said Christopher Bell, a
software developer in Los Angeles whose home-office WLAN has included
wireless routers from Linksys Inc. and Microsoft Corp. as well as
myriad PC brands.


* Wi-Fi Alliance to beef up security
  14th, February, 2005

Security remains the key issue deterring enterprise users from making
major investments in Wi-Fi, despite all the improvements over the
past year. Whether real or perceived, the security risks of wireless
LANs are still holding deployments back. Conscious of this, the Wi-Fi
Alliance is trying to beef up standard security still further. It has
already agreed to a dual-layer security approach, with WPA2 (the
brand name for the 802.11i standard) supporting advanced functions
including AES encryption, while the more basic WPA, originally an
interim standard en route to 802.11i, will be kept for devices that
require less stringent security and lower costs, particularly in the
consumer space.


* Teething problems for wireless LANs
  17th, February, 2005

Wireless LAN is an emerging trend, but as with most young
technologies, it is plagued by insecurities.  John Martin, IBM
principal security specialist and security practice leader, spends
his days advising corporate enterprises on risk management.  The
whole end-to-end process must be secure, regardless of the type of
industry, he says.


* Mesh Networking Soars to New Heights
  19th, February, 2005

Mesh Networking and community wireless broadband reached new heights
with a world first for Locustworld MeshAP PRO when a Shadow
microlight aircraft flew over Lincolnshire UK and successfully
tested air to ground mesh networking and voice over broadband. South
Witham broadband (Lincolnshire UK) joined forces with Make Me
Wireless (Australia) and, using LocustWorld MeshAP PRO and Asterisk
VoIP equipment, seamlessly created air to ground voice
communications at 2000 feet with the 16 node South Witham community
broadband network.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.
