Information Security News mailing list archives

Linux Security Week - November 19th 2001


From: InfoSec News <isn () c4i org>
Date: Wed, 21 Nov 2001 04:26:21 -0600 (CST)

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  November 19th, 2001                         Volume 2, Number 46n   |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave () linuxsecurity com    |
|                   Benjamin Thomas         ben () linuxsecurity com     |
+---------------------------------------------------------------------+
 
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "On the Security
of PHP," "Brute-Forcing Web Session IDs," and "Public Key Infrastructure
Nuts and Bolts."  Also this week, vsftpd-1.0.0 was released.

This week advisories were released for webalizer, ssh-nonfree, ssh-socks,
postfix, and the Korean release of Red Hat.  The vendors include Conectiva,
Debian, and Red Hat.

http://www.linuxsecurity.com/articles/forums_article-4028.html


### SECURE YOUR APACHE SERVERS WITH 128-BIT SSL ENCRYPTION ###
 
Guarantee transmitted data integrity, secure all communication sessions
and more with SSL encryption from Thawte - a leading global certificate
provider for the Open Source community. Learn more in our FREE
GUIDE--click here to get it now:
 
   --> http://www.gothawte.com/rd89.html
 
 
* Don't Risk your network installing an insecure OS *
 
EnGarde was designed from the ground up as a secure solution, starting
with the principle of least privilege, and carrying it through every
aspect of its implementation.
 
* http://www.engardelinux.org 
  
 
+---------------------+
| Host Security News: | <<-----[ Articles This Week ]-------------
+---------------------+


* Overview of LIDS, Part Three
November 16th, 2001

This is the third part of a four-part article devoted to the exploration
of LIDS, a Linux kernel patch that will allow users to take away the
all-powerful nature of root. The first article in this series offered an
overview of LIDS.

http://www.linuxsecurity.com/articles/projects_article-4031.html


* On the Security of PHP, Part 2
November 14th, 2001

The way to secure PHP scripts is through a carefully selected combination
of configuration settings and safe programming practices. Based on the
vulnerabilities that we have studied so far, we will now set forth to
establish some rules that can help avoid dangerous situations.

http://www.linuxsecurity.com/articles/server_security_article-4019.html


* Brute-Forcing Web Session IDs
November 13th, 2001

Almost all of today's "stateful" web-based applications use session IDs to
associate a group of online actions with a specific user. This has
security implications because many state mechanisms that use session IDs
also serve as authentication and authorization mechanisms -- purposes for
which they were not well designed.

http://www.linuxsecurity.com/articles/network_security_article-4012.html



+------------------------+
| Network Security News: |
+------------------------+
 
* An Analysis of the RADIUS Authentication Protocol
November 12th, 2001

RADIUS is a widely used protocol in network environments. It is commonly
used for embedded network devices such as routers, modem servers,
switches, etc. This analysis deals with some of the characteristics of the
base RADIUS protocol and of the User-Password attribute.

http://www.linuxsecurity.com/articles/network_security_article-4011.html


 
+------------------------+
| Cryptography News:     |
+------------------------+

* Crypto-Gram November 15, 2001
November 15th, 2001

This month's Crypto-Gram includes comments on security full disclosure,
great comments on GOVNET, Microsoft on XP, and news. "Microsoft is leading
the charge to restrict the free flow of computer security vulnerabilities.
Last month Scott Culp, manager of the security response center at
Microsoft, published an essay describing the current practice of
publishing security vulnerabilities to be 'information anarchy.'"

http://www.linuxsecurity.com/articles/cryptography_article-4025.html


* Strategies & Issues: Public Key Infrastructure Nuts and Bolts
November 12th, 2001

Like a successful public works project, a good Public Key Infrastructure
(PKI) should also be invisible to its end users, whether they're company
employees, business partners, or customers.  Similarly, PKI and the
digital certificates that are its stock in trade can be complex and
complicated; the potential for messy mishaps is high.

http://www.linuxsecurity.com/articles/cryptography_article-4008.html



+------------------------+
|  Vendors/Products:     |
+------------------------+
 
* vsftpd-1.0.0 Released
November 12th, 2001

A search for one kind of problem led analysts at the CERT Coordination
Center to find another. In August, the security organization had begun to
contact vendors to get lpd codes from the makers of various printers in an
attempt to create a clearer picture of vulnerabilities surrounding the
software packages known as Internet Security Scanners, said Jason Rafail,
a security analyst at CERT, which is based at Carnegie Mellon University
in Pittsburgh.

http://www.linuxsecurity.com/articles/server_security_article-4010.html



+------------------------+
|  General News:         |
+------------------------+

* Watchfire, PwC unveil tools to help with privacy
November 17th, 2001

While pushing a joint privacy management product to enterprises Monday,
Watchfire Corp. and PricewaterhouseCoopers LLP (PwC) also raised a new
specter for the holiday e-buying season. New York-based PwC along with
Watchfire, in Ottawa, said their product, WebCPO, can help companies
comply with a new privacy-related standard called P3P (Platform for
Privacy Preferences).

http://www.linuxsecurity.com/articles/privacy_article-4033.html


* House OKs Bill With Cyber-Security Funding
November 16th, 2001

Brian Krebs and Robert MacMillan, Newsbytes. The House of Representatives
today passed a spending bill that contains funding for a raft of
cyber-security and online crime-fighting initiatives.

http://www.linuxsecurity.com/articles/government_article-4029.html


* Do-it-yourself Internet anonymity
November 14th, 2001

Along with the recent government hysteria over terrorists, we've seen
legislative measures and 'emergency powers' inviting law-enforcement
agencies worldwide to conduct Internet surveillance on an unprecedented
scale.

http://www.linuxsecurity.com/articles/privacy_article-4018.html


* Bug secrecy vs. full disclosure
November 13th, 2001

[Culp] claimed that we'd all be a lot safer if researchers would keep
details about vulnerabilities to themselves, and stop arming hackers with
offensive tools. Last week, at Microsoft's Trusted Computing Forum, Culp
announced a new coalition to put these ideas into practice.

http://www.linuxsecurity.com/articles/forums_article-4017.html


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request () linuxsecurity com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.