Information Security News mailing list archives

Linux Security Week - February 16th 2004


From: InfoSec News <isn () c4i org>
Date: Tue, 17 Feb 2004 08:05:14 -0600 (CST)

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  February 16th, 2004                            Volume 5, Number 7n |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave () linuxsecurity com    |
|                   Benjamin Thomas         ben () linuxsecurity com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Choosing and
Protecting Passwords," "Safely Creating Temporary Files in Shell Scripts,"
and "The Information Security Process."

----

Internet Productivity Suite:  Open Source Security <<
Trust Internet Productivity Suite's open source architecture to give you
the best security and productivity applications available. Collaborating
with thousands of developers, Guardian Digital security engineers
implement the most technologically advanced ideas and methods into their
design.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn08

----

LINUX ADVISORY WATCH:
This week, advisories were released for vim, gaim, mailman, cgiemail, PHP,
XFree86, monkeyd, gallery, mutt, netpbm, kernel, IPv6, and NetPBM. The
distributors include Conectiva, Debian, Gentoo, Mandrake, OpenBSD, and Red
Hat.

http://www.linuxsecurity.com/articles/forums_article-8903.html

----

Guardian Digital Launches Next Generation EnGarde Secure Linux

Guardian Digital, Inc., the world's premier open source security company,
announced an update to the next generation, award-winning platform that
delivers features designed to ease the process of building a complete
Internet presence and the level of security necessary to prevent system
compromise. EnGarde Secure Linux leverages the best open source
applications available to provide secure Internet connectivity, user
privacy, Web and email functions, and intrusion detection.

http://www.linuxsecurity.com/feature_stories/feature_story-159.html

--------------------------------------------------------------------

Introduction to Netwox and Interview with Creator Laurent Constantin

In this article Duane Dunston gives a brief introduction to Netwox, a
combination of over 130 network auditing tools.  Also, Duane interviews
Laurent Constantin, the creator of Netwox.

http://www.linuxsecurity.com/feature_stories/feature_story-158.html


-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------+
| Host Security News: | <<-----[ Articles This Week ]-------------
+---------------------+

* Security-Enhanced Linux provides a locked down OS
February 13th, 2004

Normal Linux system security relies on the kernel and the dependencies
created through the setuid/setgid binaries. Under the conventional
security mechanism, an exploit of a flaw with any privileged application,
configuration, or process running usually leads to a total system
compromise. This problem is consistent with most modern operating systems
due to their complexity and interoperability with other applications.

http://www.linuxsecurity.com/articles/host_security_article-8904.html


* Choosing and Protecting Passwords
February 12th, 2004

There are several programs attackers can use to help guess or "crack"
passwords, but by choosing good passwords and keeping them confidential,
you can make it more difficult for an unauthorized person to access your
information.

http://www.linuxsecurity.com/articles/documentation_article-8900.html


* Guardian Digital Launches Next Generation EnGarde Secure Linux
February 10th, 2004

Guardian Digital, Inc., the world's premier open source security company,
today announced an update to the next generation, award-winning platform
that delivers features designed to ease the process of building a complete
Internet presence and the level of security necessary to prevent system
compromise.

http://www.linuxsecurity.com/articles/projects_article-8882.html


* Safely Creating Temporary Files in Shell Scripts
February 10th, 2004

This paper discusses how a programmer can write shell scripts that
securely create temporary files in world/group writable directories. After
explaining why it is important to be careful with temporary files I give
some hints on how to identify and fix vulnerable shell scripts. This paper
concentrates on how things are done.

http://www.linuxsecurity.com/articles/documentation_article-8886.html



+------------------------+
| Network Security News: |
+------------------------+

* SSL VPNs - You Can't Afford to Ignore Them
February 12th, 2004

Amidst the cacophony about VPNs and whether IPsec or SSL is the better
solution, and which vendor has done the most to satisfy the journalists
and analysts, one "minor" issue seems to be falling by the wayside - You
the user - Irrelevant maybe to most vendors, but nevertheless a problem
they need to resolve in order to achieve those quarterlies!

http://www.linuxsecurity.com/articles/network_security_article-8898.html


* Network security specialists seek seamless defense
February 11th, 2004

Day and night, the war of attrition rages in the beleaguered world of
network security. Defenders throw up firewalls, download patches, and
scramble to fend off the hundreds of thousands of attempted intrusions
into worldwide enterprise data.

http://www.linuxsecurity.com/articles/network_security_article-8889.html


* Updated: fwall 1.4-6rc1
February 11th, 2004

fwall is a simple user-friendly firewall script for iptables. It is based
on bash. It includes a configuration for 1-2 interfaces, port forwarding,
DoS protection, and so on.

http://www.linuxsecurity.com/articles/firewalls_article-8894.html


* Book Review: Securing Wireless LANs
February 10th, 2004

A couple of days ago the Wi-Fi Alliance finally announced that after
almost one year of detailed testing, more than 175 products from some of
the leading wireless manufacturers received WPA certifications. The
majority of wireless users won't immediately buy the new hardware, so they
are stuck with the equipment they are currently using. The current state
of wireless security is the topic of the book I'm taking a look at this
time.

http://www.linuxsecurity.com/articles/documentation_article-8885.html



+------------------------+
| General Security News: |
+------------------------+

* New Computer Security Incident Handling Guide from NIST.gov
February 15th, 2004

There's a new version of the Computer Security Incident Handling Guide
from NIST (Jan 2004).  The guide (148 pages, 2.8MB) covers the complete
range of the Incident Handling process and includes chapters about:
organizing an Incident Response Capability, handling an actual Incident,
handling Denial of Service Incidents, handling Malicious Code Incidents,
handling Inappropriate Usage Incidents, and much more. It also features
checklists, FAQs and other resources.

http://www.linuxsecurity.com/articles/documentation_article-8910.html


* Linux v2.6 Scales the Enterprise
February 13th, 2004

Other goodies in the v2.6 kernel include integrated IPSec support, with
the inclusion of the Kame Project; enhanced support for network file
systems, including support for mounting Novell NetWare shares; initial
NFSv4 (Network File System Version 4) support; and performance and
compatibility enhancements with SMB (Server Message Block) shares,
including support for CIFS (Common Internet File System).

http://www.linuxsecurity.com/articles/server_security_article-8908.html



* The Information Security Process
February 12th, 2004

A key element that isn't always spelled out, but is vital to the process
is the Business Decision.  This is really the intersection point between
Risk Management and Information Security practices. Inherent in risk
management is weighing cost vs. benefit. Unfortunately, in the real world,
this important step is frequently performed by either a business decision
maker unequipped to understand the technical risks or by IT personnel
unequipped to understand the bottom line.

http://www.linuxsecurity.com/articles/general_article-8897.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request () linuxsecurity com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

