Security News > 2002 > October > Linux Security Week - October 21st 2002
+---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | October 21st, 2002 Volume 3, Number 41n | | | | Editorial Team: Dave Wreski dave () linuxsecurity com | | Benjamin Thomas ben () linuxsecurity com | +---------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, perhaps the most interesting articles include "Embedding security into servers," "Detecting Cyberattacks By Profiling "Normal" Computer Habits," "Using CFS, the Cryptographic Filesystem," and "Fear Factor: Reporting Security Incidents." ** FREE SSL Guide from Thawte ** Are you planning your Web Server Security? Click here to get a FREE Thawte SSL guide and find the answers to all your SSL security issues. --> http://www.gothawte.com/rd407.html LINUX SECURITY WEEK: This week, advisories were released for heatbeat, syslog-ng, gv, heimdal, unzip, tar, apache, squirrelmail, dvips, xinetd, Red Hat kernal, nss_ldap, sendmail, tomcat, fetchmail, XFree86, glibc, postgresql, python, and ppp. Then vendors include Conectiva, Debian, EnGarde, Gentoo, Mandrake, Red Hat, SuSE and Trustix. http://www.linuxsecurity.com/articles/forums_article-5949.html BOOK REVIEW: Honeypots: Tracking Hackers Tracking Hackers by Lance Spitzner is fantastically written. The detailed definitions and descriptions make it a great book even for the honeypot novice to understand. It grabs your attention right from the very beginning, holds it to the end and leaves you wanting more. http://www.linuxsecurity.com/feature_stories/feature_story-121.html Concerned about the next threat? EnGarde is the undisputed winner! Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing Editor's Choice Award, EnGarde "walked away with our Editor's Choice award thanks to the depth of its security strategy..." Find out what the other Linux vendors are not telling you. http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2 +---------------------+ | Host Security News: | <<-----[ Articles This Week ]------------- +---------------------+ * Update: New Linux Kernel Exploit? / ABFrag October 19th, 2002 An early version of a new software system developed by University at Buffalo researchers that detects cyberattacks while they are in progress by drawing highly personalized profiles of users has proven successful 94 percent of the time in simulated attacks. http://www.linuxsecurity.com/articles/intrusion_detection_article-5933.html * OpenBSD Systrace October 18th, 2002 OpenBSD's systrace now has privilege elevation support. This means binaries no longer need to be suid or sgid an longer. Applications can be executed completely unprivileged. Systrace raises the privileges for a single system call depending on the configured policy. http://www.linuxsecurity.com/articles/host_security_article-5957.html * Security Expert Gives Operating Systems Poor Security Grade October 17th, 2002 Is open source software more secure? To most Linux enthusiasts, the answer is obvious: open source means more people can look for bugs and a faster dissemination of bug fixes. Obviously, yes. But noted security expert Gene Spafford says that this may not necessarily be true. http://www.linuxsecurity.com/articles/forums_article-5938.html * Embedding security into servers October 16th, 2002 Embedded systems control much of the world's critical infrastructure, which makes them a prime target for attack by everyone from hackers to terrorists. Embedded systems, however, have at their disposal an impressive set of defenses, mechanisms and procedures that are in common use for operations other than security, but that result in security mechanisms that prove stronger in some cases than traditional enterprise systems like Windows or Linux. http://www.linuxsecurity.com/articles/server_security_article-5922.html * Openwall Linux (Owl) 1.0 Release October 16th, 2002 For those who don't know yet, Openwall GNU/*/Linux (or Owl) is a security-enhanced operating system with Linux and GNU software as its core, intended as a server platform. And, of course, it's free. More detailed information is available on the web site. http://www.linuxsecurity.com/articles/vendors_products_article-5928.html * Detecting Cyberattacks By Profiling "Normal" Computer Habits October 15th, 2002 An early version of a new software system developed by University at Buffalo researchers that detects cyberattacks while they are in progress by drawing highly personalized profiles of users has proven successful 94 percent of the time in simulated attacks. The "user-level anomaly detection system" was described Oct. 10, 2002 at the military communications conference known as MILCOM 2002 in Anaheim, CA. http://www.linuxsecurity.com/articles/intrusion_detection_article-5913.html * Chroot Jails Made Easy with the Jail Chroot Project October 14th, 2002 So what is a "chroot jail"? Essentially it is a security method for creating a safe user enviroment on systems that allow remote access accounts. The "jail" locks users into a virtual directory structure and grants access only to applications created for the jailed users by the administrator. http://www.linuxsecurity.com/articles/server_security_article-5912.html +------------------------+ | Network Security News: | +------------------------+ * Cyber chief speaks on Data network security October 18th, 2002 President Bush's point man on computer security says that the nation has a long way to go in securing its data networks but that new federal regulations would be a step in the wrong direction. Richard Clarke, head of the White House Office of Cyber Security, also said the government should modify a controversial law designed to prevent exploitation of software security flaws because it can be used to stifle research to improve computer security. http://www.linuxsecurity.com/articles/government_article-5958.html * Linux firewalls: IT Manager's top picks October 15th, 2002 Linux firewalls--it's one of the hot topics for CIOs and IT managers at the moment. ZDNet Australia takes a look at some of the options available for IT departments. http://www.linuxsecurity.com/articles/firewalls_article-5916.html * Firewalling /proc Entries October 15th, 2002 The Linux Kernel can be configured using iptables or ipchains to enforce strong network protections. However there are several useful kernel flags you can set to increase your default network security posture without any complicated rules. http://www.linuxsecurity.com/articles/host_security_article-5921.html * Intel beefs up network security October 15th, 2002 Intel plans to announce a new network processor on Tuesday that will handle security functions, a move it expects will reduce the cost and improve the performance of networking equipment. The company will also delay a similar product that does not offer security features. http://www.linuxsecurity.com/articles/vendors_products_article-5919.html +------------------------+ | Cryptography News: | +------------------------+ * UK Firm Touts Alternative To Digital Certs October 18th, 2002 Two factor authentication, using secure tokens is being backed as an alternative to digital certificates by a UK company, which is enjoying support from the Parliamentary All Party Export Group. http://www.linuxsecurity.com/articles/cryptography_article-5952.html * Voiceprints Provide Mobile Encryption Keys October 18th, 2002 The uniqueness of everyone's voice can now be used to lock up data extra securely on mobile phones and portable computers, thanks to a prototype system developed by US researchers. The system could render stolen devices useless. Existing voice identification systems rely on a person's voiceprint alone before granting security clearance. http://www.linuxsecurity.com/articles/cryptography_article-5960.html * Government Security Experts Urge Whitehall To Adopt US Cryptography Standards October 18th, 2002 The Government's leading IT security advisors are to recommend that Whitehall departments adopt a US cryptography standard that many commercially available security products fail to meet. http://www.linuxsecurity.com/articles/government_article-5951.html * Using CFS, the Cryptographic Filesystem October 16th, 2002 If you want to keep private your personal files, such as those containing phone numbers, correspondence or journals, you could keep them in a hidden directory named ~/.private with mode 0700, so only you could read the files. Are you chuckling yet? Then let's consider employing a stronger privacy technique: cryptography. http://www.linuxsecurity.com/articles/cryptography_article-5929.html +------------------------+ | Vendors/Products News: | +------------------------+ * Backdoor LAN October 18th, 2002 Veterans of past Cellular Telecommunications & Internet Association (CTIA) shows tell us one major security problem they faced was having their analog phones cloned. Happened all the time apparently. http://www.linuxsecurity.com/articles/general_article-5956.html * Book Review: The Art of Deception October 16th, 2002 Kevin Mitnick says "the term 'social engineering' is widely used within the computer security community to describe the techniques hackers use to deceive a trusted computer user within a company into revealing sensitive information, or trick an unsuspecting mark into performing actions that create a security hole for them to slip through." http://www.linuxsecurity.com/articles/documentation_article-5924.html * Linux Security Protection System Released October 16th, 2002 LinSec team is proud to announce the first stable release of LinSec. LinSec, as the name says, is Linux Security Protection System. The main aim of LinSec is to introduce Mandatory Access Control (MAC) mechanism into Linux (as opposed to existing Discretionary Access Control mechanism. http://www.linuxsecurity.com/articles/server_security_article-5932.html +------------------------+ | General News: | +------------------------+ * Senate Approves Almost $1B for Cybersecurity Research October 18th, 2002 The U.S. Senate Wednesday night unanimously passed legislation that would more than triple the federal funding commitment to cybersecurity research, to about $978 million over five years. The bill authorizes grants for basic research and industry partnership programs. http://www.linuxsecurity.com/articles/government_article-5959.html * Reduce Risks and Eliminate Headaches Through Sensible Account Management October 17th, 2002 Security is a big, challenging topic, but everyone with server-side responsibilities should know the basic steps. Cameron outlines a number of ways to keep your user accounts clean and safe. Security is hard. http://www.linuxsecurity.com/articles/documentation_article-5941.html * Firms 'must do better' On IT Security October 17th, 2002 The British government has urged companies to take IT security more seriously, amid concern that almost three-quarters of firms have no policy on information security. Speaking at an event in London on Tuesday, e-commerce minister Stephen Timms said it is unacceptable that just 27 percent of companies have an IT security policy, according to a recent official survey. http://www.linuxsecurity.com/articles/government_article-5940.html * The Tech Industry Rescue Squad October 17th, 2002 What makes CERT/CC unique is that it functions as an independent security reporting center that assumes anonymity with each client unless it receives permission to use the client's identity. http://www.linuxsecurity.com/articles/organizations_events_article-5936.html * Fear Factor: Reporting Security Incidents October 16th, 2002 The NIPC, is placing the agency's emphasis on preventing crime rather than on catching perpetrators. "Now if I call Ron's people up and say I've got a problem, I'm not necessarily going to have a guy with a gun and badge here tomorrow," says Jarocki. "He's changed things. http://www.linuxsecurity.com/articles/security_sources_article-5931.html * NIST Drafts Security Buying Guides October 14th, 2002 The National Institute of Standards and Technology's Computer Security Division has released three new draft guides for agencies on buying security technologies and services. http://www.linuxsecurity.com/articles/government_article-5906.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email newsletter-request () linuxsecurity com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ - ISN is currently hosted by Attrition.org To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.