Security News > 2002 > October > Linux Security Week - October 28th 2002
+---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | October 28th, 2002 Volume 3, Number 42n | | | | Editorial Team: Dave Wreski dave () linuxsecurity com | | Benjamin Thomas ben () linuxsecurity com | +---------------------------------------------------------------------+ Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, perhaps the most interesting articles include "Tool Unmasks Web Server Vulnerabilities," "Controlling Access To Your Services With xinetd," "Exposing the Underground: Adventures of an Open Proxy Server," and "Reverse Engineering Hostile Code." ** FREE SSL Guide from Thawte ** Are you planning your Web Server Security? Click here to get a FREE Thawte SSL guide and find the answers to all your SSL security issues. --> http://www.gothawte.com/rd408.html LINUX ADVISORY WATCH: This week, advisories were released for webalizer, ethereal, ggv, mod-ssl, tetex, NetBSD kernel, heimdal, groff, new, Linux kernel, unzip, xinetd, php, nss_ldap, gaim, fetchmail, glibc, apache, xfree, zope, ypserv, postgresql, and kdegraphics. The vendors include Caldera, Debian, EnGarde, Gentoo, Mandrake, NetBSD, Red Hat, SuSE, and Yellow Dog. http://www.linuxsecurity.com/articles/forums_article-6013.html FEATURE: Designing Shellcode Demystified This paper is about the fundamentals of shellcode design and totally Linux 2.2 on IA-32 specific architectures. The base principles apply to all architectures, whereas the details might obviously not. http://www.linuxsecurity.com/feature_stories/feature_story-122.html Concerned about the next threat? EnGarde is the undisputed winner! Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing Editor's Choice Award, EnGarde "walked away with our Editor's Choice award thanks to the depth of its security strategy..." Find out what the other Linux vendors are not telling you. http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2 +---------------------+ | Host Security News: | <<-----[ Articles This Week ]------------- +---------------------+ * Tool Unmasks Web Server Vulnerabilities October 25th, 2002 In response to increasingly militant attacks carried out by hackers, system administrators across the spectrum of IT have worked diligently in recent months to remove telltale signs that can classify their Web servers. However, this may fashion a false sense of confidence. http://www.linuxsecurity.com/articles/vendors_products_article-6016.html * Passwords: Poor Excuse for Security October 25th, 2002 Cut costs. Save money. Maintain the status quo. With that mantra in mind, many network managers figure they've got authentication covered. As long as there's a password policy in place, who needs to spend money on authentication tools? http://www.linuxsecurity.com/articles/server_security_article-6015.html * Top Linux/UNIX Security Threats October 24th, 2002 It's depressing for security professionals to see just how many of the vulnerabilities on the new SANS/FBI Top 20 List have CVE numbers in the 1999-xxxx range--meaning that they were identified and fixed years ago on some systems. Newer problems appear in each category, but far too many bear old CVE numbers http://www.linuxsecurity.com/articles/server_security_article-6010.html * Reverse Engineering Hostile Code October 24th, 2002 Computer criminals are always ready and waiting to compromise a weakness in a system. When they do, they usually leave programs on the system to maintain their control. We refer to these programs as "Trojans" after the story of the ancient Greek Trojan horse. Often these programs are custom compiled and not widely distributed. http://www.linuxsecurity.com/articles/documentation_article-6004.html * Build a Secure Webmail Service Supporting IMAP and SSL October 23rd, 2002 This article describes how you can set up your Linux computer to be a web-based e-mail system for yourself or a group of friends. It will work best, of course, if you are on a dedicated internet connection, like a cable modem or a DSL line at home. http://www.linuxsecurity.com/articles/server_security_article-5995.html * Controlling Access To Your Services With xinetd October 22nd, 2002 Whenever you learn about controlling access to a Linux box, one "creature" you usually encounter is the "superdaemon." A superdaemon is a daemon that controls other daemons--and daemons are typically network service control programs that run long-term behind the scenes, waiting for when they need to step into action. http://www.linuxsecurity.com/articles/documentation_article-5980.html +------------------------+ | Network Security News: | +------------------------+ * Wireless: Wide Open To Attack October 23rd, 2002 You may be enjoying the convenience of a newly installed wireless solution, but how many strangers are doing the same with your network? Not so long ago, war driving was the latest hacking method, consisting of driving a car around areas populated by business, equipped with laptops and 802.11b NICs that would detect wireless access points. http://www.linuxsecurity.com/articles/forums_article-5994.html * Exposing the Underground: Adventures of an Open Proxy Server October 22nd, 2002 "This paper discusses the abuse of misconfigured HTTP proxy servers, taking a detailed look at the types of traffic that flow through this underground network. Also discussed is the use of a "honeyproxy", a server designed to look like a misconfigured HTTP proxy. Using such a tool we can spy on the Internet underground without the need for a full-blown honeypot." http://www.linuxsecurity.com/articles/server_security_article-5988.html +------------------------+ | Cryptography News: | +------------------------+ * Images get distortion-proof crypto marks October 24th, 2002 Researchers have created a new way to encrypt information in a digital image and extract it later without any distortion or loss of information. A team of scientists from Xerox and the University of Rochester said that the technique, called reversible data hiding, could be used in situations that require proof that an image has not been altered. http://www.linuxsecurity.com/articles/cryptography_article-5998.html * Using GnuPG October 24th, 2002 The GNU Privacy Guard is a free replacement for the PGP PKI (Public Key Infrastructure) encryption tool. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard. http://www.linuxsecurity.com/articles/cryptography_article-6000.html * PGP Poised For Major Comeback October 24th, 2002 PGP encryption products will be back on the market by the end of the year, with a raft of new releases in the pipeline. PGP 8.0 will be out by the end of December and will include a freeware version for non-commercial use, a single user personal package and an enterprise version. http://www.linuxsecurity.com/articles/cryptography_article-6011.html * "Critical" Kerberos flaw revealed October 24th, 2002 Kerberos has lost some of its bite, according to the US government, which on Wednesday warned of a critical flaw that could allow hackers to circumvent the secure networking system. http://www.linuxsecurity.com/articles/hackscracks_article-6012.html * Net Guru: Encrypt Everything October 22nd, 2002 Ray Ozzie believes in shared workspaces. The inventor of Lotus Notes collaboration software founded Groove Networks Inc. in 1997 because server-based architectures "fundamentally could not address the dynamic collaboration requirements of a decentralized business environment." http://www.linuxsecurity.com/articles/security_sources_article-5987.html +------------------------+ | General News: | +------------------------+ * Certifiably Certified October 24th, 2002 A recent issue of SC Magazine, one of the information security industry's cheerleading trade rags, featured a full-page advertisement with the following emblazoned across the top of the page: "How to increase your salary by 21.39% in 7 days or less." http://www.linuxsecurity.com/articles/forums_article-6003.html * HIPAA A Hardship For Health Care Companies October 23rd, 2002 A difficult economic climate may make it harder for health care providers to comply with provisions of the Health Insurance Portability and Accountability Act (HIPAA) in time for deadlines next year, according to a report by the consulting company Frost & Sullivan. http://www.linuxsecurity.com/articles/general_article-5992.html * Guidelines for Reporting Security Incidents October 21st, 2002 CIO magazine, in conjunction with the Secret Service and FBI, has put together a set of guidelines for businesses to follow when notifying law enforcement agencies and other authorities of security incidents. The report covers what kind of events should be reported, the data that should be collected, and who to send it to. http://www.linuxsecurity.com/articles/government_article-5966.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email newsletter-request () linuxsecurity com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ - ISN is currently hosted by Attrition.org To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.