[ISN] Linux Security Week - August 29th 2005
InfoSec News
isn at c4i.org
Mon Aug 29 14:06:55 EDT 2005
+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| August 29th, 2005 Volume 6, Number 36n |
| |
| Editorial Team: Dave Wreski dave at linuxsecurity.com |
| Benjamin D. Thomas ben at linuxsecurity.com |
+---------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, perhaps the most interesting articles include "Storm brewing
over SHA-1 as further breaks are found," "Linux Kernel Denial of
Service and IPsec Policy Bypass," and "Information Security in Campus
and Open Environments."
---
## Master of Science in Information Security ##
Earn your Master of Science in Information Security online from Norwich
University. Designated a "Center of Excellence", the program offers a
solid education in the management of information assurance, and the
unique case study method melds theory into practice. Using today's
e-Learning technology, you can earn this esteemed degree, without
disrupting your career or home life.
LEARN MORE:
http://www.msia.norwich.edu/linux_en
---
LINUX ADVISORY WATCH
This week, advisories were released for bluez-utils, thunderbird, mysql,
epiphany, system-config-netboot, kdbg, doxygen, kdeedu, ncpfs, gaim,
system-config-bind, tar, vnc, metacity, cups, pygtk, slocate, myodbc,
xpdf, libgal2, dhcpv, diskdumputils, kdebase, cvs, hwdata, eject,
pcre, kismet, wikiwiki, apache, tor, netpbm, vim, and elm. The
distributors include Debian, Fedora, Gentoo, and Red Hat.
http://www.linuxsecurity.com/content/view/120226/150/
---
Hacks From Pax: PHP Web Application Security
By: Pax Dickinson
Today on Hacks From Pax we'll be discussing PHP web application
security. PHP is a great language for rapidly developing web
applications, and is very friendly to beginning programmers, but
some of its design can make it difficult to write web apps that
are properly secure. We'll discuss some of the main security
"gotchas" when developing PHP web applications, from proper
user input sanitization to avoiding SQL injection
vulnerabilities.
http://www.linuxsecurity.com/content/view/120043/49/
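The two failure modes the column refers to, unvalidated input and SQL built by string concatenation, are easiest to see side by side. The following is an added example, not code from the Hacks From Pax column, and it uses Python's sqlite3 module rather than PHP so that it runs stand-alone; the user table, the account and the two payloads are all constructed for the demonstration. The PHP equivalent of login_safe is a prepared statement with bound parameters (mysqli or PDO), not addslashes() or magic_quotes.

```python
import re
import sqlite3


# Constructed sample database standing in for a web application's user table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The classic PHP anti-pattern ("... WHERE username = '$user'") in Python
    form: untrusted strings are spliced into the SQL text, so a quote in the
    input rewrites the statement instead of being treated as data."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Bound parameters: the SQL text is fixed and the values travel separately,
    so nothing the user types can change the statement's structure."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def valid_username(s):
    """Whitelist validation, the other half of 'sanitization': accept only the
    characters a username may contain and reject everything else up front."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", s) is not None


# Two constructed injection payloads. The first turns the WHERE clause into
# "... AND password = '' OR '1'='1'", which is true for every row; the second
# closes the quoted username and comments out the password check entirely.
PAYLOAD_OR = "' OR '1'='1"
PAYLOAD_COMMENT = "admin'--"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, tautology    :", login_vulnerable(conn, "nobody", PAYLOAD_OR))
    print("vulnerable, comment      :", login_vulnerable(conn, PAYLOAD_COMMENT, "wrong"))
    print("parameterised, tautology :", login_safe(conn, "nobody", PAYLOAD_OR))
    print("parameterised, comment   :", login_safe(conn, PAYLOAD_COMMENT, "wrong"))
    print("whitelist rejects payload:", not valid_username(PAYLOAD_COMMENT))
```

Both payloads log in through login_vulnerable without knowing the password and are rejected by login_safe; valid_username stops them even earlier. Validation and parameterisation are complementary: the whitelist keeps garbage out of the application, the bound parameters make sure that whatever does get through cannot alter the query.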
---
Network Server Monitoring With Nmap
Portscanning, for the uninitiated, involves sending connection requests
to a remote host to determine what ports are open for connections and
possibly what services they are exporting. Portscanning is the first step
a hacker will take when attempting to penetrate your system, so you should
be preemptively scanning your own servers and networks to discover
vulnerabilities before someone unfriendly gets there first.
http://www.linuxsecurity.com/content/view/119864/150/
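Scanning your own servers only becomes monitoring when each scan is compared with the last one, so that a newly listening service or a newly appeared host is flagged rather than buried in a port list. The following is an added example, not code from the article above: it parses the XML that nmap writes with -oX and diffs the set of open ports per host against a baseline. The two scan results are constructed inline so the block runs offline; in practice they would be read from the files produced by two nmap runs.

```python
import xml.etree.ElementTree as ET

# Constructed scan results in the layout nmap writes with -oX. A real run would
# read these from files, e.g.  nmap -sS -oX baseline.xml <targets>
BASELINE_XML = """<nmaprun scanner="nmap" args="nmap -sS -oX baseline.xml 10.0.0.0/28">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="25"><state state="closed"/><service name="smtp"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>"""

CURRENT_XML = """<nmaprun scanner="nmap" args="nmap -sS -oX current.xml 10.0.0.0/28">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports>
  </host>
</nmaprun>"""


def open_ports(nmap_xml):
    """Return {ipv4_address: {(protocol, port): service_name}} for every port
    nmap reported as open. Closed and filtered ports are ignored on purpose:
    they carry no exposure and would only add noise to the diff."""
    hosts = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name", "unknown") if service is not None else "unknown"
            ports[(port.get("protocol"), int(port.get("portid")))] = name
        hosts[addr.get("addr")] = ports
    return hosts


def diff_scans(baseline, current):
    """Compare two open-port maps. For every host that changed, return the
    ports newly open, the ports no longer open, and whether the host is new."""
    changes = {}
    for addr in sorted(set(baseline) | set(current)):
        before, after = baseline.get(addr, {}), current.get(addr, {})
        opened = sorted(set(after) - set(before))
        closed = sorted(set(before) - set(after))
        if opened or closed or addr not in baseline:
            changes[addr] = {
                "new_host": addr not in baseline,
                "opened": [(proto, port, after[(proto, port)]) for proto, port in opened],
                "closed": [(proto, port, before[(proto, port)]) for proto, port in closed],
            }
    return changes


def report(changes):
    """Render the diff as the text you would want in a nightly mail."""
    lines = []
    for addr, change in changes.items():
        lines.append(addr + (" (new host)" if change["new_host"] else ""))
        for proto, port, svc in change["opened"]:
            lines.append(f"  + {port}/{proto} {svc} newly open")
        for proto, port, svc in change["closed"]:
            lines.append(f"  - {port}/{proto} {svc} no longer open")
    return "\n".join(lines) if lines else "no changes"


if __name__ == "__main__":
    print(report(diff_scans(open_ports(BASELINE_XML), open_ports(CURRENT_XML))))
```

On the constructed data the report shows 3306/tcp newly open on 10.0.0.5 and a new host 10.0.0.9 with telnet listening, which is exactly the kind of change you want to learn about before an outsider does. Two caveats: the diff only reflects what nmap could see from the scanning host (a firewall between scanner and target changes the picture), and a SYN scan covers TCP only, so UDP services need a separate -sU run fed through the same comparison.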
---
>> The Perfect Productivity Tools <<
WebMail, Groupware and LDAP Integration provide organizations with
the ability to securely access corporate email from any computer,
collaborate with co-workers and set-up comprehensive addressbooks to
consistently keep employees organized and connected.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------+
| Security News: | <<-----[ Articles This Week ]----------
+---------------------+
* Storm brewing over SHA-1 as further breaks are found
24th, August, 2005
Three Chinese researchers have further refined an attack on the
cryptographic hash standard frequently used when digitally signing
documents, making the attack 64 times faster and leaving cryptographers
to debate whether the standard, known as the Secure Hash Algorithm
(SHA-1), should be phased out more quickly than planned.
http://www.linuxsecurity.com/content/view/120200
* Storage and data encryption
25th, August, 2005
Data security is a major concern for all CIOs. It has been addressed
at every layer, from access and identity controls, through encryption
of data in transit, to securing data at rest on disk or on tape.
http://www.linuxsecurity.com/content/view/120211
* Host Integrity Monitoring Using Osiris and Samhain
22nd, August, 2005
Host integrity monitoring is the process by which system and network
administrators validate and enforce the security of their systems.
It can be a complex suite of approaches, tools, and methodologies,
or as simple as reading logging output. In the past, tools like
Tripwire were used to check the configurations on hosts, but the
freeware version was limited in manageability; the management
features were available mainly in the commercial version.
http://www.linuxsecurity.com/content/view/120181
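The core of a Tripwire-style integrity monitor is small: record a digest and the security-relevant metadata of every file, keep that database somewhere the monitored host cannot quietly rewrite it, and diff a fresh snapshot against it. The following is an added example, not code from the article or from Osiris or Samhain; it builds a constructed directory tree, takes a baseline, tampers with the tree the way a rootkit install would, and reports what changed.

```python
import hashlib
import json
import os
import stat
import tempfile


def snapshot(root):
    """Walk root and record, for each regular file, a SHA-256 digest plus the
    metadata a host integrity monitor typically checks (permission bits, owner,
    group, size). Symlinks and special files are skipped. Keys are paths
    relative to root with '/' separators so databases compare cleanly."""
    entries = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            entries[rel] = {"sha256": digest.hexdigest(),
                            "mode": stat.S_IMODE(st.st_mode),
                            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}
    return entries


def compare(baseline, current):
    """Report files that appeared, disappeared, or changed in any recorded field."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        fields = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if fields:
            modified[rel] = fields
    return {"added": added, "removed": removed, "modified": modified}


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed tree: take a baseline, tamper, and return the comparison."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        _write(os.path.join(root, "bin", "ls"), b"original ls")
        _write(os.path.join(root, "bin", "ps"), b"original ps")
        _write(os.path.join(root, "passwd"), b"root:x:0:0")
        baseline = snapshot(root)
        # In practice the baseline is serialised and kept off-host or signed;
        # an intruder with root on the monitored box can otherwise regenerate it.
        saved = json.dumps(baseline, sort_keys=True)

        # Tampering: a trojaned ps of identical size (size/mtime checks alone
        # miss it), ls made setuid, a new hidden file, and a deleted file.
        _write(os.path.join(root, "bin", "ps"), b"trojaned ps")
        os.chmod(os.path.join(root, "bin", "ls"), 0o4755)
        _write(os.path.join(root, ".rootkit"), b"#!/bin/sh\n")
        os.remove(os.path.join(root, "passwd"))

        return compare(json.loads(saved), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison flags bin/ps on its digest alone (same size, different content), bin/ls on its permission bits, .rootkit as added and passwd as removed. The limitation shared with every on-host checker applies here too: a kernel-level rootkit can lie to the scanner about what is on disk, which is one reason the two tools the article covers keep their databases and reports on a separate management host rather than on the system being checked.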
* Why You Need To Add "Protect Domain Name" To The Security Checklist
25th, August, 2005
Domain name hijacking broadly refers to acts where a registered
domain name is misused or stolen from the rightful name holder. A
domain hijacking is a security risk many organizations overlook when
they develop security policy and business continuity plans. While
name holders can take measures to protect their domain names against
theft and loss, many measures are not generally known.
http://www.linuxsecurity.com/content/view/120214
* Linux/Unix e-mail flaw leaves system open to attack
26th, August, 2005
Two serious security flaws have turned up in software widely
distributed with Linux and Unix. The bugs affect Elm (Electronic Mail
for Unix), a venerable e-mail client still used by many Linux and
Unix sysadmins, and Mplayer, a cross-platform movie player that is
one of the most popular of its kind on Linux.
http://www.linuxsecurity.com/content/view/120230
* Linux Kernel Denial of Service and IPsec Policy Bypass
25th, August, 2005
Two vulnerabilities have been reported in the Linux kernel, which can
be exploited by malicious, local users to cause a DoS (Denial of
Service) or bypass certain security restrictions.
http://www.linuxsecurity.com/content/view/120212
* Flexible, safe and secure?
24th, August, 2005
This article (http://www.net-security.org/article.php?id=812) looks
beyond the hype of mobile working to consider some of the practical
issues of an organisation implementing an ICT strategy that ensures
data security wherever employees connect to corporate systems.
http://www.linuxsecurity.com/content/view/120085
* Information Security in Campus and Open Environments
23rd, August, 2005
This article is geared towards techies at libraries and schools and
will attempt to address common security problems that may pop up at
these institutions. The author gears the solutions towards Open
Source, freeware, and base operating system security in a Windows
XP/2k environment.
http://www.linuxsecurity.com/content/view/120186
* Legal disassembly
23rd, August, 2005
The question for security researchers going forward is modeled by the
Lynn saga. Is it legal to disassemble or decompile a binary to find
vulnerabilities? Of course, the answer is mixed. Maybe it is, maybe
it's not.
http://www.linuxsecurity.com/content/view/120188
* Be prepared to pay for security
24th, August, 2005
When one million of your customers have their IP addresses added to a
spam blacklist, there is clearly something wrong with your security
systems. Just ask Telewest: this is exactly what it experienced in
May, after 17,000 of its users saw their computers turn into spam
bots.
http://www.linuxsecurity.com/content/view/120198
* Banks Abandoning SSL On Home Page Log-Ins
24th, August, 2005
Some of the biggest banks have abandoned the practice of posting
their online account log-in screens on SSL-protected pages in an
effort to boost page response time and guide users to more memorable
URLs, a U.K. Web performance firm said Tuesday.
http://www.linuxsecurity.com/content/view/120201
* The Real Problem of Linux: The Userbase?
25th, August, 2005
True, a normal Linux installation and setting up basic internet
access and email settings has proven to be equally easy under Windows
as under Linux, if not easier under Linux. But I've been using Linux
distributions for several years now, and I must say that for advanced
problems it's harder to get things worked out under Linux.
http://www.linuxsecurity.com/content/view/120210
* Industry Survey Shows SMBs Lack Minimal Security
25th, August, 2005
Sean Stenovich often sees his small and midsize business clients pick
and choose their security solutions based on what they think they
need and can afford.
http://www.linuxsecurity.com/content/view/120215
* Sarbanes-Oxley will be 2005's biggest time waster
23rd, August, 2005
The Sarbanes-Oxley rules will be the biggest waste of IT resources
for public companies this year, according to a poll of 444 US
companies by IBM user group Share.
http://www.linuxsecurity.com/content/view/120187
* Hacker underground erupts in virtual turf wars
24th, August, 2005
In the early days of computer attacks, when bright teens could bring
down corporate systems, the point was often to trumpet a hacker's
success. No longer.
http://www.linuxsecurity.com/content/view/120199
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email newsletter-request at linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------