[ISN] Linux Security Week - October 10th 2005

InfoSec News isn at c4i.org
Tue Oct 11 00:01:38 EDT 2005


+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  October 10th, 2005                         Volume 6, Number 42n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave at linuxsecurity.com    |
|                   Benjamin D. Thomas      ben at linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Details from
the Anti-Phishing Act of 2005," "Nessus security tool closes its
source," and "A legal shield for pen-test results."

---

## EnGarde Secure Linux 3.0 - Download Now! ##

* Linux 2.6 kernel featuring SELinux Mandatory Access Control
* Guardian Digital Secure Network features free access to all
  system and security updates (to be available shortly through
  an updated release)
* Support for new hardware, including 64-bit AMD architecture
* Web-based management of all functions, including the ability
  to build a complete web presence with FTP, DNS, HTTP, SMTP and
  more.
* Apache v2.0, BIND v9.3, MySQL v5.0(beta)
* Completely new WebTool, featuring easier navigation and
  greater ability to manage the complete system
* Integrated firewall with ability to manage individual firewall
  rules, control port forwarding, and creation of IP blacklists
* Built-in UPS configuration provides ability to manage an entire
  network of battery-backup devices
* RSS feed provides ability to display current news and immediate
  access to system and security updates
* Real-time access to system and service log information

LEARN MORE:
http://www.guardiandigital.com/products/software/community/esl.html

---

LINUX ADVISORY WATCH

This week, advisories were released for gtkdiskfree, util-linux,
ClamAV, loop-aes, helix-player, backupninja, squid, mysql, ntlmaps,
mysql-dfsg, gopher, prozilla, cfengine, mozilla-firefox, apachetop,
drupal, mailutils, egroupware, arc, mod-auth-shadow, mason,
slocate, vixie-cron, net-snmp, kernel, openssh, binutils, perl, and
gdb. The distributors include Debian, Gentoo, and Red Hat.

http://www.linuxsecurity.com/content/view/120542/150/


---

Hacks From Pax: PHP Web Application Security
By: Pax Dickinson

Today on Hacks From Pax we'll be discussing PHP web application
security. PHP is a great language for rapidly developing web
applications, and is very friendly to beginning programmers, but
some of its design can make it difficult to write web apps that
are properly secure. We'll discuss some of the main security
"gotchas" when developing PHP web applications, from proper
user input sanitization to avoiding SQL injection
vulnerabilities.

http://www.linuxsecurity.com/content/view/120043/49/

---

Network Server Monitoring With Nmap

Portscanning, for the uninitiated, involves sending connection requests
to a remote host to determine what ports are open for connections and
possibly what services they are exporting. Portscanning is the
first step a hacker will take when attempting to penetrate your
system, so you should be preemptively scanning your own servers
and networks to discover vulnerabilities before someone unfriendly
gets there first.

http://www.linuxsecurity.com/content/view/119864/150/

---

>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with
the ability to securely access corporate email from any computer,
collaborate with co-workers and set-up comprehensive addressbooks to
consistently keep employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05


-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Security News:      | <<-----[ Articles This Week ]----------
+---------------------+

* 2005 Semi-Annual Web Security Trends Report
  3rd, October, 2005

Websense released the 2005 Semi-Annual Web Security Trends
Report issued by Websense Security Labs. The new report
summarizes findings for the first half of 2005 and presents
projections for the upcoming year.

http://www.linuxsecurity.com/content/view/120504


* Details from the Anti-Phishing Act of 2005
  5th, October, 2005

California is the first US state to pass anti phishing laws. Finally
someone went a step further into, at least, trying to create a more
secure cyberspace are some of the most important snippets from
the act.

http://www.linuxsecurity.com/content/view/120525


* Common Malware Enumeration Initiative
  6th, October, 2005

The Common Malware Enumeration Initiative was just
announced. Headed by the United States Computer Emergency
Readiness Team US-CERT and supported by an editorial board of
anti-virus vendors and related organizations it should provide
a neutral, shared identification method for malware outbreaks.

http://www.linuxsecurity.com/content/view/120526


* Check Point to Acquire Makers of Snort
  6th, October, 2005

Check Point Software Technologies Ltd. and Sourcefire, Inc.,
developers of Snort, today announced that they have signed a
definitive agreement for Check Point to acquire privately held
Sourcefire for a total consideration of approximately $225 million.

http://www.linuxsecurity.com/content/view/120538


* What is the most challenging Sarbanes-Oxley issue facing
Enterprises today?
  7th, October, 2005

Companies are now finding that log management is a cornerstone best
practice in their compliance efforts. Sarbanes-Oxley 404 Internal IT
Control requirements infer rigorous end-to-end Log Management and
Archival. Net Report helps companies face this
issue.

http://www.linuxsecurity.com/content/view/120527


* But Wait, There's More
  4th, October, 2005

The ink is barely dry on all of the Red Hat Enterprise Linux 4
materials, and the company is already gearing up for the launch of
RHEL 5. While Red Hat is not being terribly specific about what is in
RHEL 5 just yet, the company did announce last week that it is
working with server maker IBM and security expert Trusted Computer
Solutions to begin the Common Criteria security certification for the
forthcoming RHEL 5, which is due in late 2006.

http://www.linuxsecurity.com/content/view/120509


* Pass on Passwords with scp
  7th, October, 2005

In this article, I show you how to use the scp (secure copy) command
without needing to use passwords. I then show you how to use this
command in two scripts. One script lets you copy a file to multiple
Linux boxes on your network, and the other allows you to back up all
of your Linux boxes easily.

http://www.linuxsecurity.com/content/view/120543


* Firefox 1.5 gets the sniff test
  3rd, October, 2005

First came all the praise about Firefox 1.0 being more secure than
Internet Explorer (IE). Then came headlines about mega-downloads
chipping away at Microsoft's market share. Then came months of
uncovered flaws and security updates that now has Firefox up to
version 1.0.7.

http://www.linuxsecurity.com/content/view/120503


* RealNetworks Fixes Linux RealPlayer Flaw
  4th, October, 2005

RealNetworks has patched the Linux media players that were
susceptible to a  zero-day attack for much of last week.

http://www.linuxsecurity.com/content/view/120513


* SanDisk embeds DRM engine in Flash cards
  5th, October, 2005

Flash memory pioneer SanDisk has embedded DRM and copy protection
functions into several flash card form factors. "TrustedFlash" will
allow users to buy music, movies, and games on flash cards for use
interchangeably in mobile phones, PDAs, laptops, and other devices,
according to the company.

http://www.linuxsecurity.com/content/view/120522


* Nessus security tool closes its source
  7th, October, 2005

The source code of one of the world's most popular free security
tools will no longer be available to all, its creator has announced,
saying the software's open-source license was fueling competition.

http://www.linuxsecurity.com/content/view/120546


* The Open Source Highway
  4th, October, 2005

Open source is the foundation for the future. By definition, open
source is code accessible to all. The free re-distribution of code
allows anyone to download code and take advantage of it. The
community of open source contributors depicts a truely collaborative
environment. Developers around the globe donate to the code
repository resulting in accelerated advancement and cleanliness of
the available code. The Internet encouraged this open source movement
by providing a breeding ground for
collaboration.

http://www.linuxsecurity.com/content/view/120511


* PortAuthority Updates Data-Fingerprinting Technology
  5th, October, 2005

While no two fingerprints are alike for people, the same cannot be
said for digital data. But new data-fingerprinting technologies have
cropped up to take traditional watermarking strategies to the next
level in preventing theft of intellectual property.

PortAuthority 3.5 is one such technology. The newly updated
data-fingerprinting software from PortAuthority Technologies examines
the content of documents to give customers the ability to prevent
information leaks and data theft.

http://www.linuxsecurity.com/content/view/120523


* A legal shield for pen-test results
  7th, October, 2005

Routine network penetration testing may shed light on exposures to
external threats, but it can also put damning evidence in the hands
of competitors and plaintiffs who sue your organization.

Attorneys caution that pen tests generate lengthy reports of system
inaccuracies and vulnerabilities that could be used in court against
a company.

http://www.linuxsecurity.com/content/view/120544


* Court Rules in Favor of Anonymous Blogger
  7th, October, 2005

In a decision hailed by free-speech advocates, the Delaware Supreme
Court on Wednesday reversed a lower court decision requiring an
Internet service provider to disclose the identity of an anonymous
blogger who targeted a local elected official.

http://www.linuxsecurity.com/content/view/120545


* Learning To Hack Just Got Easier
  4th, October, 2005

Now you can learn hacking in the comfort of your own home. Training
company Learn Security Online (LSO) teaches hacking techniques online
at a low cost. LSO teaches computer security with interactive
simulators, hacking games, and security challenges that require
students to break into real servers.

http://www.linuxsecurity.com/content/view/12051

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------





More information about the ISN mailing list