![[LWN Logo]](/images/lcorner.png) |
|
![[LWN.net]](/images/Included.png) |
From: InfoSec News <isn@c4i.org>
To: isn@attrition.org
Subject: [ISN] Linux Security Week - August 13th 2001
Date: Tue, 14 Aug 2001 04:58:00 -0500 (CDT)
+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| August 13th, 2001 Volume 2, Number 32n |
| |
| Editorial Team: Dave Wreski dave@linuxsecurity.com |
| Benjamin Thomas ben@linuxsecurity.com |
+---------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, the most interesting articles include "Your Network's Secret
Life, Part 5," "Triple your remote office protection: The Layered
Approach," and "Linux IPsec Gateways Using FreeS/Wan." Also this week, if
you are in the information security field, Computerworld has released an
excellent summary of statistics for year 2000 and projected 2001.
This week, advisories were released for xmcd, tomcat, squid, zope, FreeBSD
kernel, openldap, xloadimage, and kerberos. The vendors include Caldera,
Debian, FreeBSD, and Red Hat and SuSE.
http://www.linuxsecurity.com/articles/forums_article-3475.html
PacketStorm Security named EnGardeLinux.com, the Official Site for the
Engarde Secure Linux distribution, "Site of The Week". PacketStorm
Security is known as one of the largest and highly regarded security sites
on the Internet, offering the latest security exploits, articles and
tools. We would like to thank our friends at PacketStorm for the
prestigious honor.
http://www.linuxsecurity.com/articles/projects_article-3478.html
HTML Version:
http://www.linuxsecurity.com/vuln-newsletter.html
+---------------------+
| Host Security News: | <<-----[ Articles This Week ]-------------
+---------------------+
* IPFilter on OpenBSD
August 8th, 2001
What is IPFilter? Very simply, a package for permitting (or passing) and
denying IP packets based on a range of criteria. It can also provide
Network Address Translation (NAT) services, if desired. The IPFilter web
site has more details.
http://www.linuxsecurity.com/articles/firewalls_article-3463.html
* Introduction to Input Validation with Perl
August 8th, 2001
How can we make software that withstands malicious input attacks? We can
start by minimizing the set of entities our software trusts and by
vigorously validating all input. A very important, well known, yet too
often lightly dismissed problem in software security is that of trust
management.
http://www.linuxsecurity.com/articles/general_article-3462.html
* Blame it on the buffer overflows
August 7th, 2001
It used to be that buffer overflows were just a nagging 40-year-old glitch
in the software development process. Today, as illustrated by Code Red,
they are the No. 1 reason hackers can slice through corporate networks
like Swiss cheese.
http://www.linuxsecurity.com/articles/host_security_article-3458.html
+------------------------+
| Network Security News: |
+------------------------+
* Hacking the hacker
August 12th, 2001
You're a hot shot. You know how to use Linux and hey, you even got that
modem working. People think you're smart because you know how to use
Linux. But then one night, you're sitting in front of your computer (the
one that has the always-on cable modem or DSL connection) and being the
smart person that you are, you said that you didn't need security.
http://www.linuxsecurity.com/articles/host_security_article-3489.html
* Your Network's Secret Life, Part 5
August 12th, 2001
Other than my little excursion into xinetd, I've used this series to show
you ways in which you can make some sense of the packets flying around
your network, and the tools that can help you do that. I started this
article by giving you the dictionary definition for "ethereal". Ethereal
also happens to be the name of an excellent network protocol analyzer, a
powerful tool that lets you see what is happening on your network right
now.
http://www.linuxsecurity.com/articles/network_security_article-3490.html
* WLANs Cause Widespread Security Concerns
August 10th, 2001
By the end of 2002, 30 percent of all enterprises will risk security
breaches because they've deployed 802.11b wireless local area networks
(WLANs) without proper security, research and advisory firm Gartner, Inc.
said Thursday. About 50 percent of all enterprises plan to install WLANs,
according to Gartner, but at least 20 percent of large businesses already
have "rogue" WLANs in place that were installed by users, not information
technology (IT) shops, the firm claims.
http://www.linuxsecurity.com/articles/network_security_article-3476.html
* Triple your remote office protection: The Layered Approach
August 9th, 2001
We all know that two-thirds of corporate hacks come from inside the
firewall, making internal security as important as external. But what
about your remote offices and SOHO workers? Are they as vulnerable to
attacks as your corporate workers?
http://www.linuxsecurity.com/articles/network_security_article-3468.html
* Linux IPsec Gateways Using FreeS/Wan
August 9th, 2001
By far the most viable VPN solution is an IPsec variant Not only is IPsec
built in to IPV6, but also all the major vendors and software consortiums
are gearing their products towards this standard. There's only one real
choice here for IPsec and open-source on Linux and that is FreeS/WAN.
http://www.linuxsecurity.com/articles/network_security_article-3474.html
+------------------------+
| Cryptography News: |
+------------------------+
* Encryption cores ramp for pervasive security
August 10th, 2001
With subtle distinctions, intellectual-property (IP) core vendors are
readying implementations of the Advanced Encryption Standard (AES)
security algorithm. The vendors, established and startup, are banking on
applications from miniature wireless devices to massively parallel Web
servers to support the rapid and pervasive deployment of
encryption-enabled devices and systems.
http://www.linuxsecurity.com/articles/cryptography_article-3477.html
* 128 Bit Wireless Encryption Cracked
August 10th, 2001
We implemented an attack against WEP, the link-layer security protocol for
802.11 networks. The attack was described in a recent paper by Fluhrer,
Mantin, and Shamir. With our implementation, and permission of the network
administrator, we were able to recover the 128 bit secret key used in a
production network, with a passive attack.
http://www.linuxsecurity.com/articles/cryptography_article-3479.html
* Cryptographer: Sklyarov case shows business outweighs First
Amendment
August 10th, 2001
Noted cryptographer Bruce Schneier has produced a damning critique of the
way the Digital Millennium Copyright Act was used to jail Russian software
researcher Dmitry Sklyarov. Schneier, chief technology officer of
Counterpane Internet Security, and inventor of the Blowfish algorithm,
will argue in the next issue of his Crypro-Gram email newsletter that the
Sklyarov case shows the DMCA is being used to restrict basic freedoms of
speech.
http://www.linuxsecurity.com/articles/cryptography_article-3480.html
+------------------------+
| Vendors/Tools |
+------------------------+
* Shrink-Wrapped Security
August 11th, 2001
In a sense, there is no reason why testing a security solution should not
be as simple as point and click. Most of the other things we do on a daily
basis are done the same way. Perhaps the bigger issue is that while the
software to test our security solutions may be simple and easy to use, are
those doing the pointing and clicking able to effectively test, and (just
as important) interpret the information produced from such a test?
http://www.linuxsecurity.com/articles/general_article-3482.html
* EnGardeLinux.com Named Site of the Week!
August 10th, 2001
PacketStorm Security named EnGardeLinux.com, the Official Site for the
Engarde Secure Linux distribution, "Site of The Week". PacketStorm
Security is known as one of the largest and highly regarded security sites
on the Internet, offering the latest security exploits, articles and
tools.
http://www.linuxsecurity.com/articles/projects_article-3478.html
* ComputerWorld: Security Statistics
August 6th, 2001
A nice account of the costs associated with attacks and computer security.
" The threat from computer crimes and other online security breaches has
barely slowed, never mind stopped, according to a recent survey of 538
security professionals in U.S. corporations that was conducted by the
Computer Security Institute and the FBI?s Computer Intrusion Squad."
http://www.linuxsecurity.com/articles/server_security_article-3455.html
+------------------------+
| General Security News: |
+------------------------+
* Tech watch: Hackers get no respect -- but they might be marketable
August 11th, 2001
Hackers are a misunderstood lot. And they're more powerful than they
realize. So says John Lee. "They can destroy, steal or corrupt valuable
information if they want to," Lee said. He should know. In 1992, he earned
the distinction of making Wired magazine's "Rogue's Gallery" after he and
four cronies (his code name was "Corrupt") were convicted of hacking the
networks of AT&T, Bank of America, TRW and the National Security Agency
and stealing confidential information from credit reports.
http://www.linuxsecurity.com/articles/general_article-3485.html
* Who is responsible for security?
August 9th, 2001
Board members could face criminal proceedings if security systems are
inadequate, writes Ian Murphy. For companies that are publicly quoted,
poor or non-existent security measures can become a legal issue that could
see the board of directors charged with negligence if the company suffers
a material loss.
http://www.linuxsecurity.com/articles/general_article-3469.html
* Taking Steps Toward a Security Posture
August 9th, 2001
In order to approach security comprehensively, what steps should a company
take? Following are a number of processes fundamental to maintaining a
security posture-all of which must be addressed if you want to manage risk
company-wide.
http://www.linuxsecurity.com/articles/security_sources_article-3467.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY
of the mail.