Date: Mon, 29 Jan 2001 00:19:08 -0500
From: newsletter-admins@LINUXSECURITY.COM
Subject: [ISN] Linux Security Week - January 29th 2001
To: ISN@SECURITYFOCUS.COM

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  January 29, 2001                            Volume 2, Number 5     |
|                                                                     |
|  Editorial Team:  Dave Wreski            dave@linuxsecurity.com     |
|                   Benjamin Thomas         ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

A few good papers were released this week. Some of the best include
"Linux security basics," "Top Ten Secure Shell FAQs," and "GnuPG: An
Open Solution to Data Protection." If you are just getting started in
security, these articles may prove very helpful.

Benjamin Thomas has just released a product review covering the Arkeia
backup solution for Linux. The review covers the combination of the
Arkeia software and the Ecrix RakPak dual 66 GB drive, with discussion
of features, security, usage, documentation, and support.

http://www.linuxsecurity.com/feature_stories/feature_story-74.html

This week, advisories were released for icecast, MySQL, kdesu, glibc,
splitvt, micq, sash, wu-ftpd, jazip, tinyproxy, squid, php, apache,
exmh, ipfw, ip6fw, XFree86, crontab, and bind. The vendors include
Conectiva, Caldera, Debian, FreeBSD, Mandrake, Red Hat, SuSE, and
Trustix.

http://www.linuxsecurity.com/articles/forums_article-2383.html

# FREE VISOR with purchase of Guardian Digital's Linux Lockbox #

Guardian Digital has just announced an offer for a free Handspring Visor
with the purchase of any secure Linux Lockbox. The Lockbox is an Open
Source network server appliance engineered to be a complete secure
e-business solution. It can be used as a commerce server, web server,
DNS, mail, and database server.
Please see Guardian Digital's website for details.

http://www.guardiandigital.com/visoroffer.html

** OpenDoc Publishing **

Our sponsor this week is OpenDoc Publishing. Their 480-page
comprehensive security book, Securing and Optimizing Linux, takes a
hands-on approach to installing, optimizing, configuring, and securing
Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL, ApacheSSL,
OpenSSH and much more! Includes Red Hat 6.2 and Red Hat 6.2 PowerTools
edition.

http://www.linuxsecurity.com/sponsors/opendocs.html

HTML Version available:
http://www.linuxsecurity.com/newsletter.html

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]-----------------+
+---------------------+

* Linux security basics
  January 26th, 2001

  Here is a defensive driving course for the information superhighway.
  Learn to develop a threat model, to implement security measures, and
  to find out what the newest threats may be. There seem to be two kinds
  of people in the world: those who think computer security is fun and
  exciting, and those who think it is arcane and scary.

  http://www.linuxsecurity.com/articles/host_security_article-2382.html

* NFS and NIS Security
  January 25th, 2001

  Why is it that when you read almost any book or paper about Solaris
  security it will explicitly say: turn off the NFS and NIS services?
  Some system administrators, though, cannot just turn off these
  services, as they are already key services implemented across their
  enterprises.

  http://www.linuxsecurity.com/articles/host_security_article-2374.html

+------------------------+
| Network Security News: |
+------------------------+

* SSL is not a magic bullet
  January 28th, 2001

  Unfortunately, SSL has a checkered past and present. Like other
  security problems involving encryption packages, the issues lie not
  so much in SSL as in the software used to implement and support it.
  Instead of guaranteeing security, SSL may provide a false sense of
  security through its occasional failings.
  http://www.linuxsecurity.com/articles/cryptography_article-2386.html

* Top Ten Secure Shell FAQs
  January 28th, 2001

  SSH, the Secure Shell, is a set of protocols and software that provide
  secure, remote terminal sessions between networked computers. In
  addition to a simple remote command prompt, most SSH implementations
  also provide secure forwarding of X Window traffic as well as
  forwarding of connections to arbitrary TCP ports. These features can
  protect otherwise insecure protocols such as POP, IMAP, SMTP, and so
  on.

  http://www.linuxsecurity.com/articles/cryptography_article-2387.html

+------------------------+
| Cryptography News:     |
+------------------------+

* GnuPG: An Open Solution to Data Protection
  January 24th, 2001

  Gnu Privacy Guard (GnuPG or GPG) is an open, patent-free encryption
  application whose main purpose is to protect communication and secure
  data archives. It achieves this goal by implementing a hybrid cipher
  system that utilizes both a symmetric cipher system and a public-key
  cipher system.

  http://www.linuxsecurity.com/articles/cryptography_article-2364.html

* Top WWII code cracker dies
  January 24th, 2001

  Leo Marks, WWII codemaker and codebreaker, and later playwright, has
  died aged 80. He was chief cryptographer of the Special Operations
  Executive during WWII, having trained as a cryptographer in Bedford
  when called up for National Service.

  http://www.linuxsecurity.com/articles/cryptography_article-2363.html

* EFF asks court for relief in DVD encryption ban
  January 22nd, 2001

  The Electronic Frontier Foundation (EFF), an online civil liberties
  group, said it has petitioned a federal appeals court to overturn a
  lower court's interpretation of the Digital Millennium Copyright Act
  (DMCA). The group said in a statement that the decision created an
  unconstitutional restraint on free expression.
  http://www.linuxsecurity.com/articles/government_article-2352.html

+-------------------------+
| Vendors/Tools/Products: |
+-------------------------+

* Some Thoughts on the Occasion of the NSA Linux Release
  January 27th, 2001

  There are two things I am sure of after all these years: there is a
  growing societal need for high assurance software, and market forces
  are never going to provide it. Superficially, I'm going to offer a few
  comments on the technology underlying the NSA release.

  http://www.linuxsecurity.com/articles/server_security_article-2385.html

+------------------------+
| General News:          |
+------------------------+

* Internet Exploits Defined
  January 26th, 2001

  Start with the basics. "No longer does a hacker have to huddle in
  front of a glowing monitor. Today's hacker has at his disposal a
  literal arsenal of fully automated tools, through which he can gain
  access to your system without lifting so much as a finger. These are
  known as 'exploits.'"

  http://www.linuxsecurity.com/articles/hackscracks_article-2380.html

* Security patches aren't being applied
  January 24th, 2001

  As a result, this easily avoidable problem has reached near-epidemic
  proportions. Making matters more frustrating is knowing that so many
  losses could have been easily avoided with a few mundane but crucial
  steps. "I would put patching in the top two things an admin can do to
  secure their computers," said Lance Spitzner, coordinator for the
  security group Honeynet Project.

  http://www.linuxsecurity.com/articles/hackscracks_article-2369.html

* Reverse Engineering: Necessary Function Or Illegal Activity?
  January 23rd, 2001

  A key ruling last October by the 9th U.S. Circuit Court of Appeals,
  located in San Mateo, Calif., affecting the home video game sector is
  having a direct impact on the entire software industry.
  The ruling, which upholds engineers' rights to reverse-engineer other
  companies' proprietary hardware for purposes of research, flies in the
  face of federal legislation passed two years ago banning most forms of
  reverse engineering.

  http://www.linuxsecurity.com/articles/hackscracks_article-2362.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".
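The "Top Ten Secure Shell FAQs" item above mentions that SSH can forward connections to arbitrary TCP ports and so protect cleartext protocols such as POP, IMAP and SMTP. As an added example (not part of the newsletter or of the FAQ it links), the POSIX shell script below builds the ssh local-forward command lines for exactly that use, with input checks and the options that keep the listener off the network. The host names (user@mailhost, localhost) and local port numbers (1110, 1143, 1025) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the newsletter or the linked FAQ: build ssh
# local port forwards that wrap cleartext POP3/IMAP/SMTP in an SSH session.
# Host names and port numbers are assumed for illustration.

# ssh_forward_cmd LOCAL_PORT REMOTE_HOST REMOTE_PORT SSH_HOST
# Prints an ssh command that listens on 127.0.0.1:LOCAL_PORT and relays
# to REMOTE_HOST:REMOTE_PORT as seen from SSH_HOST.  Returns 1 on bad
# input rather than printing a half-formed command.
ssh_forward_cmd() {
    lport=$1; rhost=$2; rport=$3; sshhost=$4
    for p in "$lport" "$rport"; do
        case $p in
            ''|*[!0-9]*) echo "port must be numeric: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || {
            echo "port out of range: $p" >&2; return 1; }
    done
    [ -n "$rhost" ] && [ -n "$sshhost" ] || { echo "host missing" >&2; return 1; }
    # -N: no remote shell, only the tunnel.  ExitOnForwardFailure: fail
    # loudly if the local port is already taken, instead of leaving the
    # mail client talking to nothing.  Binding 127.0.0.1 explicitly keeps
    # the listener off other interfaces even if GatewayPorts is enabled.
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s\n' \
        "$lport" "$rhost" "$rport" "$sshhost"
}

# mail_tunnel_cmds SSH_HOST
# One ssh session carrying all three mail forwards.  Assumes the POP3,
# IMAP and SMTP daemons run on the ssh host itself, so the hop after the
# tunnel is loopback on that host and never crosses a wire in the clear.
mail_tunnel_cmds() {
    sshhost=$1
    printf 'ssh -N -o ExitOnForwardFailure=yes'
    for spec in 1110:110 1143:143 1025:25; do
        printf ' -L 127.0.0.1:%s:localhost:%s' "${spec%%:*}" "${spec#*:}"
    done
    printf ' %s\n' "$sshhost"
}
```

Run the printed command in one terminal, then point the mail client at 127.0.0.1 ports 1110, 1143 and 1025 instead of the mail server. Only the leg between the client and the ssh host is encrypted: if the mail daemons live on a different machine, replace localhost with that host name and accept that the ssh host to mail server leg is still cleartext on the far network.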