[ISN] Linux Security Week - January 23rd 2006
InfoSec News
isn at c4i.org
Tue Jan 24 01:28:08 EST 2006
+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| January 23rd, 2006 Volume 7, Number 4n |
| |
| Editorial Team: Dave Wreski dave at linuxsecurity.com |
| Benjamin D. Thomas ben at linuxsecurity.com |
+---------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, perhaps the most interesting articles include "Five Mistakes
of Vulnerability Management," "Tips For Staying Secure in 2006," and
"Stallman Speaks on the Future of GPL 3.0."
---
Earn an NSA recognized IA Masters Online
The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you
can earn this esteemed degree, without disrupting your career or home
life.
http://www.msia.norwich.edu/linsec
---
LINUX ADVISORY WATCH
This week, advisories were released for httpd, mod_auth_pgsql,
auth_ldap, ethereal, struts, cups, gpdf, apache, and the kernel.
The distributor for this week is Red Hat.
http://www.linuxsecurity.com/content/view/121242/150/
---
EnGarde Secure Community 3.0.3 Released
Guardian Digital is happy to announce the release of EnGarde
Secure Community 3.0.3 (Version 3.0, Release 3). This release
includes several bug fixes and feature enhancements to the
Guardian Digital WebTool, the SELinux policy, and the LiveCD
environment.
http://www.linuxsecurity.com/content/view/121150/65/
---
Hacks From Pax: SELinux Administration
This week, I'll talk about how an SELinux system differs from a
standard Linux system in terms of administration. Most of what
you already know about Linux system administration will still
apply to an SELinux system, but there are some additions and
changes that are critical to understand when using SELinux.
http://www.linuxsecurity.com/content/view/120700/49/
---
Hacks From Pax: SELinux And Access Decisions
Hi, and welcome to my second of a series of articles on Security
Enhanced Linux. My previous article detailed the background of
SELinux and explained what makes SELinux such a revolutionary
advance in systems security. This week, we'll be discussing how
SELinux security contexts work and how policy decisions are made
by SELinux.
SELinux systems can differ based on their security policy, so
for the purposes of this article's examples I'll be using an
EnGarde Secure Linux 3.0 system, which by default uses a tightly
configured policy that confines every included application.
http://www.linuxsecurity.com/content/view/120622/49/
---
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------+
| Security News: | <<-----[ Articles This Week ]----------
+---------------------+
* Cisco squashes VoIP, router bugs
19th, January, 2006
Flaws in Cisco Systems software for routers and IP telephony could
be a conduit for attacks on enterprise networks, the company has
warned.
On Wednesday, it released two security alerts along with fixes for
Cisco CallManager, which runs Internet-based phone calling. Two flaws
exist in the software: One could allow an attacker to paralyze a
Cisco IP telephony installation, the other could allow someone with
read-only access to the system to gain full privileges, according to
the alerts.
http://www.linuxsecurity.com/content/view/121238
* Five Mistakes of Vulnerability Management
18th, January, 2006
Vulnerability management is viewed by some as an esoteric security
management activity. Others see it as a simple process that needs to
be done in conjunction with Microsoft Corp.'s monthly patch update.
Yet another group considers it a marketing buzzword made up by the
vendors. This article will look at common mistakes that organizations
make on the path to achieving vulnerability management perfection,
both in process and technology areas.
http://www.linuxsecurity.com/content/view/121233
* Hey, hey it's Oracle patching day
19th, January, 2006
Wednesday became a busy day for database administrators after Oracle
released its quarterly patch update which, this time around, tackles
more than 80 vulnerabilities in different Oracle software packages
and components. Various flavours of Oracle database (37 security
bugs), Oracle E-Business Suite and Applications (27), Oracle
Collaboration Suite (20) and Oracle Application Server (17) are most
in need of update.
http://www.linuxsecurity.com/content/view/121236
* Novell opens AppArmour source code
17th, January, 2006
Looking to spread the usage of the AppArmour application security
software it acquired when it bought Immunix, Novell announced last
week that it would release the software's source code under the GNU
General Public License (GPL) and sponsor a project to maintain and
improve it.
http://www.linuxsecurity.com/content/view/121229
* D-Link Fortifies Security With Checkpoint Partnership
18th, January, 2006
D-Link jumped aboard the unified threat management (UTM) bandwagon
this week with a partnership with security vendor Checkpoint Software
to develop a new line of small business-focused security appliances.
Under the agreement, D-Link will weave Checkpoint's firewall and VPN
technology into two new additions to its NetDefend line of SMB
security appliances. Slated to be available sometime this quarter,
the appliances are aimed at businesses of up to 100 seats and 25 VPN
users.
http://www.linuxsecurity.com/content/view/121231
* Users take a shine to Fedora Directory Server 1.0
19th, January, 2006
Putting on its fedora hat, Red Hat last month released the first
version of its free, open-source Directory Server.
The Fedora Project is Red Hat's pure open-source arm, with all
product releases and source code being freely available without the
company's licensing, or "subscription" restrictions, which are
required for running Red Hat's enterprise product offerings.
http://www.linuxsecurity.com/content/view/121239
* Tips For Staying Secure in 2006
16th, January, 2006
Securing data while it travels between applications, business
partners, suppliers, customers, and other members of an extended
enterprise is crucial. As enterprise networks continue to become
increasingly accessible, so do the risks that information will be
intercepted or altered in transmission.
http://www.linuxsecurity.com/content/view/121212
* Draft of GPL Version 3 now available for comment
16th, January, 2006
The Free Software Foundation has published the first draft of the
much-anticipated version 3 of the GNU General Public License
(http://gplv3.fsf.org/draft). The draft of the new version is almost
twice as long as version 2: It weighs in at more than 4,500 words,
versus 2,900 for the earlier version.
http://www.linuxsecurity.com/content/view/121216
* Tracking the Attackers
17th, January, 2006
It has become increasingly important for security professionals to
deploy new detection mechanisms to track and capture an attacker's
activities. Third Generation (GenIII) Honeynets provide all the
components and tools required to gather this information at the
deepest level. Sebek is the primary data capture tool for GenIII
Honeynets.
http://www.linuxsecurity.com/content/view/121217
* Security Pros Get Their Due
17th, January, 2006
There's a growing market for information security expertise, and
salaries are reflecting heightened demand. But beware--when it comes
to pay, there's essentially no difference between IS workers with
high school diplomas and bachelor's degrees, according to the SANS
Institute's 2005 Information Security Salary and Career Advancement
survey of more than 4,250 IS pros. People with grad degrees can
expect to earn significantly more, however.
http://www.linuxsecurity.com/content/view/121218
* IT security industry 'to be professionalised'
18th, January, 2006
An organisation is being set up to ensure that IT security officers
are competent, but it won't have the power to stop people working if
they make mistakes. IT security officers are to get their own
professional body in the UK with the launch of the Institute of
Information Security Professionals (IISP) next month.
The IISP, which was given the go-ahead by the Department for Trade
and Industry at the end of last year, is due to officially launch in
February.
http://www.linuxsecurity.com/content/view/121232
* Hackers blackmail milliondollar site
18th, January, 2006
The FBI is investigating the hijacking of milliondollarhomepage.com -
the website that earned $1m 566,000 for its British creator Alex
Tew by hosting micro-advertisements - by hackers who demanded a
ransom to restore the site.
Mr Tew was sent a demand for $50,000 by e-mail by a hacker, believed
to be Russian. When he refused, the website crashed.
http://www.linuxsecurity.com/content/view/121234
* New FBI Computer Crime Survey
19th, January, 2006
Want insight into the cyber attacks that U.S. organizations are
facing, what defenses they're using against these assaults, and the
implications for industry and government? You'll be interested in
reading the new 2005 FBI Computer Crime Survey (PDF,
http://www.fbi.gov/publications/ccs2005.pdf), their largest survey on
these issues to date.
http://www.linuxsecurity.com/content/view/121235
* Has Corporate Info Security Gotten Out of Hand?
19th, January, 2006
What is the right balance between security and productivity, in the
corporate IT environment? Looking back at my company, 10 years ago,
our machines were connected directly to the Internet, no proxy, no
firewall, no antivirus software. Today, my company's proxy server
blocks access to 'bad' web sites (such as Google Groups); our
'antivirus' software prevents our machines (even machines that host
production applications) from carrying out legitimate functions, such
as the sending of email via SMTP; and individual employees are forced
to apply security patches with little or no notice, under threat of
their machines losing network access, if they do not comply by the
deadline.
http://www.linuxsecurity.com/content/view/121237
* PC virus celebrates 20th birthday
20th, January, 2006
Today, 19 January, is the 20th anniversary of the appearance of the
first PC virus. Brain, a boot sector virus, was let loose in January
1986. Brain spread via infected floppy disks and was a relatively
innocuous nuisance in contrast with modern Trojans, rootkits and other
malware. The appearance of the first Windows malware nonetheless set
in train a chain of events that led up to today's computer virus
landscape.
http://www.linuxsecurity.com/content/view/121243
* Computer crime costs $67 billion, FBI says
20th, January, 2006
Dealing with viruses, spyware, PC theft and other computer-related
crimes costs U.S. businesses a staggering $67.2 billion a year,
according to the FBI.
The FBI calculated the price tag by extrapolating results from a
survey of 2,066 organizations. The survey, released Thursday, found
that 1,324 respondents, or 64 percent, suffered a financial loss from
computer security incidents over a 12-month period.
http://www.linuxsecurity.com/content/view/121244
* Stallman Speaks on the Future of GPL 3.0
20th, January, 2006
Q&A: Richard Stallman, founder of the FSF, talks about his goals for
the GPL and the hopes and fears of free software advocates. The
update to the GNU General Public License 2.0, which was some five
years in the making, was released this week for a year of public
commentary.
http://www.linuxsecurity.com/content/view/121245
* Flaw researcher offers ad space in report
20th, January, 2006
A security researcher who previously tried to auction off a
vulnerability in Microsoft Excel plans to sell ad space in the public
report about the flaw, SecurityFocus has learned.
http://www.linuxsecurity.com/content/view/121246
* Novell urged to build open source around AppArmor Linux
20th, January, 2006
On Jan. 10 2005, Novell announced the creation of the AppArmor
project, an open-source project designed to develop Linux application
security using Novell's AppArmor technology. AppArmor technology has
previously been available with SUSE Linux 10.0 and Novell's SUSE
Linux Enterprise Server 9 Service Pack 3.
However, Gartner warned that the move does not guarantee that the
AppArmor project will be successful.
http://www.linuxsecurity.com/content/view/121247
* US tests e-Passports
16th, January, 2006
The US government has started testing electronic passports which
contain an RFID chip holding information and a digital photo of the
passport's carrier.
The tests started yesterday at San Francisco airport, Changi Airport
in Singapore and Sydney Airport in Australia. Singapore Airlines
crew, some US diplomats and some citizens from Australia and New
Zealand are carrying the new passports.
http://www.linuxsecurity.com/content/view/121214
* DOD Eyes Network Revamp
17th, January, 2006
The U.S. Military's point man for global network operations says that
a total overhaul of the government's classified and unclassified
information networks may be necessary to ward off legions of hackers
and adequately protect the military from crippling attacks in future
conflicts.
http://www.linuxsecurity.com/content/view/121219
* Hackers: If You Can't Beat 'em, Recruit 'em
16th, January, 2006
In the days of increased reliance on the Internet, hackers are making
computers increasingly unsafe. To counter that, IT security firms are
turning around and hiring talented hackers to find security system
holes.
Sebastian Schreiber's face lights up with a mischievous grin and his
eyes gleam with excitement as he talks about computer hack attacks.
http://www.linuxsecurity.com/content/view/121215
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email newsletter-request at linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------