Information Security News mailing list archives
Linux Security Week, October 9th, 2000
From: newsletter-admins () linuxsecurity com
Date: Mon, 9 Oct 2000 10:25:13 -0400
+---------------------------------------------------------------------+
|  LinuxSecurity.com                          Weekly Newsletter       |
|  October 9, 2000                            Volume 1, Number 23     |
|                                                                     |
|  Editorial Team:  Dave Wreski              dave () linuxsecurity com|
|                   Benjamin Thomas          ben () linuxsecurity com |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, a few interesting papers were released: "Cryptography, PGP and Pine," "Square one: Paring down your network services," and the humorous "Top Ten Reasons Why You Shouldn't Log in as Root." Each of these articles provides useful information that can help you secure your system.

Effective today, CERT follows a new policy of disclosing vulnerability information to the public 45 days after an initial report, regardless of the availability of patches or workarounds. The purpose of releasing vulnerability information is to better inform the public while still giving vendors adequate time to fix problems.

In our feature this week, Dave Wreski conducts an interesting interview with Paul Vixie and David Conrad, developers of BIND. They discuss the Internet Software Consortium, the changes in the latest major version of BIND, the security features designed into it, and the future of Internet security.
http://www.linuxsecurity.com/feature_stories/conrad_vixie-1.html

Webmasters, our advisory and news feed is now available in RDF format. We invite you to use and customize our feed to provide up-to-date security content on your website.
http://www.linuxsecurity.com/linuxsecurity_articles.rdf
http://www.linuxsecurity.com/linuxsecurity_advisories.rdf

** FREE Apache SSL Guide from Thawte **
Planning Web Server Security? Find out how to implement SSL! Get the free Thawte Apache SSL Guide and find the answers to all your Apache SSL security issues and more at:
http://ads.linuxsecurity.com/cgi-bin/thawte.pl

HTML Version available:
http://www.linuxsecurity.com/newsletter.html

+---------------------+
| Host Security News: |  <<-----[ Articles This Week ]-----------------+
+---------------------+

* Securing a default Linux installation
  October 8th, 2000

  This article is written for a Linux newbie or anybody who cares, at least a bit, about the data stored on his hard drive. You'll notice that it's aimed mainly at home users, not at large network administration or similar. You might wonder why anybody would want to access your data.
  http://www.linuxsecurity.com/articles/host_security_article-1714.html

* Top Ten Reasons Why You Shouldn't Log in as Root
  October 3rd, 2000

  I've had some requests in the past about access to the root password on some systems. I understand the attraction of using the root account; one gets instant access to any file on the system, without the annoying access rights problems. It's also convenient to use when installing new software, because those programs generally need to go into directories where only root can write.
  http://www.linuxsecurity.com/articles/host_security_article-1685.html

* Tutorial - Lesson 129: Proxy Servers
  October 2nd, 2000

  First, the proxy server acts as an intermediary, helping users on a private network get information from the Internet when they need it, while ensuring that network security is maintained. Second, a proxy server may store frequently requested information in a local disk cache, rapidly delivering it to multiple users without having to go back to the Internet to get it.
  http://www.linuxsecurity.com/articles/network_security_article-1678.html

* Hardening the BIND DNS Server
  October 2nd, 2000

  This paper presents the risks posed by an insecure DNS server and walks through compiling, installing, configuring and, optionally, chroot'ing BIND 8. The test environment is Solaris 2.5, 2.6, 7 and 8. Many configuration and troubleshooting tips are provided, along with up-to-date references on BIND and alternatives for NT, Linux and Solaris.
  http://www.linuxsecurity.com/articles/server_security_article-1673.html

+------------------------+
| Network Security News: |
+------------------------+

* Square one: Paring down your network services
  October 7th, 2000

  Security experts recommend turning off all network services you don't need in order to guard against possible attacks. But how do you know which services you don't need -- and which ones you do?
  http://www.linuxsecurity.com/articles/host_security_article-1712.html

* .comment: Are We Asking for It?
  October 4th, 2000

  The cable modem was configured and stable. The little black box was, I assumed, protecting my machine from intrusion, at least reasonably well. I'd dragged Cat 5 cable throughout the house, so that all the machines would now have access to the cable and, to some degree, each other. We were now online all the time.
  http://www.linuxsecurity.com/articles/host_security_article-1692.html

* Why We Don't Need Perfectly Secure Systems
  October 4th, 2000

  Security is never black and white - rather it's one big ugly shade of gray. A machine running ancient software with poor passwords that is physically secured and not attached to any networks can be far more secure than an up-to-date machine with all the latest security software on a public network. Security is about risk management.
  http://www.linuxsecurity.com/articles/host_security_article-1695.html

* ICMP Stands For Trouble
  October 2nd, 2000

  The Internet Control Message Protocol (ICMP) is simple, as Internet protocols go. Originally described in RFC 792 by Jon Postel, ICMP provides a way for IP stacks to send simple messages containing information or errors. ICMP is important for the Internet (and IP networks) to function correctly; however, ICMP can also have a negative effect on your network's security.
  http://www.linuxsecurity.com/articles/network_security_article-1677.html

+------------------------+
| Cryptography News:     |
+------------------------+

* Cryptography, PGP and Pine
  October 5th, 2000

  This article starts out with a nice description of cryptography, then goes into how to incorporate PGP for use with Pine. "Encryption is the transformation of data into a form that is (hopefully) impossible to read without the knowledge of a key."
  http://www.linuxsecurity.com/articles/cryptography_article-1700.html

* FIPS 140-1: Security Requirements for Cryptographic Modules
  October 4th, 2000

  Federal Information Processing Standard 140-1 (FIPS 140-1) is entitled "Security Requirements for Cryptographic Modules". It's a standard that describes government requirements that hardware and software products should meet for Sensitive but Unclassified (SBU) use.
  http://www.linuxsecurity.com/articles/cryptography_article-1697.html

* AES (Rijndael) support in NetBSD-current IPsec code
  October 4th, 2000

  NetBSD-current IPsec (from KAME) now supports the Rijndael algorithm for ESP encryption, thanks to the integration work of Jun-ichiro itojun Hagino. Rijndael is the finalist of the AES contest, and will be standardized in the FIPS standard suite to replace DES.
  http://www.linuxsecurity.com/articles/cryptography_article-1698.html

+-------------------------+
| Vendors/Tools/Products: |
+-------------------------+

* WatchGuard buys Qiave for Web security
  October 7th, 2000

  WatchGuard Technologies is beefing up its security offerings with content-protection software from Qiave Technologies. WatchGuard snapped up the Waltham, Mass., company for $66 million in stock and plans initially to sell Qiave's QSecure software to current WatchGuard customers.
  http://www.linuxsecurity.com/articles/vendors_products_article-1713.html

* Carnivore FOIA Documents
  October 5th, 2000

  These documents have been released through a lawsuit EPIC filed against the FBI and the Department of Justice. The next installment of Carnivore documents is scheduled to be released to EPIC in mid-November. More information on EPIC's lawsuit is available at the Carnivore FOIA Litigation page.
  http://www.linuxsecurity.com/articles/privacy_article-1704.html

* Secure SHell now in NetBSD mainline
  October 4th, 2000

  An OpenSSH-based Secure Shell is now available in the main NetBSD sources. It will be pulled into the netbsd-1-5 branch, so it will be available in NetBSD 1.5. (ssh-1.2.27 and OpenSSH were already available in the NetBSD packages collection.)
  http://www.linuxsecurity.com/articles/network_security_article-1694.html

* TRUSTING BSD - Ultra-High Security for FreeBSD
  October 3rd, 2000

  While most Freenix admins are used to the normal concerns of Unix security, there is a higher world of security that has never been touched by Freenixes. The realm of trusted operating systems, long the province only of military and other ultra-secure environments, represents a security level beyond that of all but a few commercial operating systems.
  http://www.linuxsecurity.com/articles/server_security_article-1683.html

+------------------------+
| General News:          |
+------------------------+

* OpenBSD plugs a rare security leak
  October 6th, 2000

  For most open source projects, news of an overlooked security hole is simply part of the debugging process. But for the developers of OpenBSD, an operating system whose design motto is "secure by default," it's nothing short of an affront.
  http://www.linuxsecurity.com/articles/host_security_article-1711.html

* Clock ticking to fix security holes
  October 6th, 2000

  A leading security warning body will next week take the controversial step of alerting the world to security vulnerabilities in products whether or not vendors have corrected the problems. All vulnerabilities reported to CERT will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors.
  http://www.linuxsecurity.com/articles/security_sources_article-1709.html

* The CERT Coordination Center Vulnerability Disclosure Policy
  October 4th, 2000

  Effective October 9, 2000, the CERT Coordination Center will follow a new policy with respect to the disclosure of vulnerability information. All vulnerabilities reported to the CERT/CC will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors.
  http://www.linuxsecurity.com/articles/security_sources_article-1699.html

* Computer security expert gives advice on protection from hackers
  October 3rd, 2000

  The driving force for hackers usually isn't malice, but rather curiosity. Most hackers are young males, and some are harmless. It's the so-called "crackers" who are more malicious. However, a distinction between the two usually isn't made except in hacker culture.
  http://www.linuxsecurity.com/articles/hackscracks_article-1688.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request () linuxsecurity com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".