Internet
Productivity Suite: Open Source Security - Trust Internet Productivity Suite's
open source architecture to give you the best security and productivity applications
available. Collaborating with thousands of developers, Guardian Digital security
engineers implement the most technologically advanced ideas and methods into their
design. Click
to find out more!
LINUX ADVISORY
WATCH - This week, advisories were released for squirrelmail, prozilla,
cpio, openswan, enscript, zlib, gaim, cvs, openssl, curl, ruby, rhgh, file,
net-tools, gimp, squid, dump, mc, dbus, kdepim, xpdf, kernel, ngIRCd, tikiwiki,
f2c, ncfs, clamav, imap, chbg, vim, perl-dbi, and ethereal. The distributors
include Debian, Fedora, Gentoo, Mandrake, and Red Hat.
LinuxSecurity.com
Feature Extras:
Getting
to Know Linux Security: File Permissions - Welcome to the first
tutorial in the 'Getting to Know Linux Security' series. The topic explored
is Linux file permissions. It offers an easy to follow explanation of how
to read permissions, and how to set them using chmod. This guide is intended
for users new to Linux security, therefore very simple.
The
Tao of Network Security Monitoring: Beyond Intrusion Detection
- The Tao of Network Security Monitoring is one of the most comprehensive
and up-to-date sources available on the subject. It gives an excellent introduction
to information security and the importance of network security monitoring,
offers hands-on examples of almost 30 open source network security tools,
and includes information relevant to security managers through case studies,
best practices, and recommendations on how to establish training programs
for network security staff.
Encrypting
Shell Scripts - Do you have scripts that contain sensitive information
like passwords and you pretty much depend on file permissions to keep it secure?
If so, then that type of security is good provided you keep your system secure
and some user doesn't have a "ps -ef" loop running in an attempt to capture
that sensitive info (though some applications mask passwords in "ps" output).
Bulletproof
Virus Protection - Protect your network from costly security
breaches with Guardian Digital’s multi-faceted security applications.
More then just an email firewall, on demand and scheduled scanning detects
and disinfects viruses found on the network. Click
to find out more!
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline.
Linux Security Cookbook
3rd, February, 2005
I read this book from cover to cover and consider it a great
effort by the authors to cover many security issues related to not just
Linux, but most *nix operating systems. Here's a chapter by chapter review
of what I've observed in the book.
Microsoft bigwig Nick McGrath claims that Linux security is
highly exaggerated, and that the open source development model is 'fundamentally
flawed.' The gist of his argument appears to be his claim of lack of accountability
among distributors, coupled with generic statements short on facts. 'Who
is accountable for the security of the Linux kernel? Does Red Hat, for
example, take responsibility? It cannot, as it does not produce the Linux
kernel. It produces one distribution of Linux.'
I know many of you have received some nice to tech toys for
Christmas recently, so its time to talk about making them secure and keeping
them that way. I know many of you have new computers in your homes, but
how many of you realize that this computer is already vulnerable? How
can this be? How can a brand new computer be vulnerable? There are many
reasons for this.
A lengthy and interesting thread was started on the lkml by
Chris Wright looking to define a centralized place to report security
issues in the Linux Kernel. Chris offered his services in getting things
set up, addressing his email to Linus Torvalds, Andrew Morton [interview],
Alan Cox [interview] and Marcelo Tosatti [interview]. He explained that
he wanted to centralize the information "to help track it, make sure things
don't fall through the cracks, and make sure of timely fix and disclosure".
The resulting discussion was joined by numerous members of the kernel
hacking community, exposing a wide range of opinions.
Tested over three months at IBMĂ•s Linux Test Integration Center
(LTIC) by a seven-person team, the 87-page report [pdf] titled "Linux
Security: exploring open source security for a Linux server environment"
set out to test a wide range of open-source Linux products supported by
IBM to see whether they could adequately protect a middleware environment.
Only open source products were us
An IBM report that tested the suitability of Linux software
to secure an network its entirety has come to light months after it was
originally published. Tested over three months at IBM's Linux Test Integration
Center (LTIC) by a seven-person team, the 87-page report set out to test
a wide range of open-source Linux products supported by IBM to see whether
they could adequately protect a middleware environment. Only open source
products were used.
The Czech postal service is putting its faith in open source,
by migrating a vital application onto SuSE Linux The Czech postal service
has moved a mission-critical application used by 3,400 post offices across
the country to Linux.
Only a few open-source vendors have borne the time and expense
of having their software EAL-certified. Red Hat and Novell's SuSE Linux
attained EAL3+ ratings in the last year, but many other vendors have yet
to do the same. This raises a fundamental question: Does open-source software
need security certifications to win global acceptance?
To test open source security products, a study was conducted
over a period of three months at the IBM Linux Test Integration Center.
The goal for the security study was to deploy and compare various open
source security tools that were available for free in the industry, and
provide solution recommendations.v
A senior Microsoft executive, speaking exclusively to vnunet.com,
has dismissed Linux's reputation as a secure platform as a "myth", claiming
that the open source development process creates fundamental security
problems. Nick McGrath, head of platform strategy for Microsoft in the
UK, said that the myths surrounding the open source operating system are
rapidly being exploded, and that customers are dismissing Linux as too
immature to cope with mission-critical computing.
SYS-CON's Readers' Choice Awards program is considered to be
the most prestigious award program of the software industry and is often
referred to as "the Oscars of the software industry." The products participating
in the program are nominated by their vendors, customers, users, or SYS-CON
readers. This year a record number of companies and products were nominated.
Below is a list of all companies and products participating in the 2005
Readers' Choice Awards in each category.
Identity Management: Controlling the Costs of Continuous Compliance
3rd, February, 2005
There are a number of technologies that can streamline your
compliance effort so that your company remains compliant without incurring
burdensome recurring costs. One such technology is identity management,
which can help to establish repeatable, sustainable, cost-effective processes
that respond quickly to organizational changes, enable continuous compliance
and security, and create auditable histories of who had access to what
information.
MS Security Program No Threat to Linux, Advocate Says
4th, February, 2005
Bruce Perens, co-founder of the Open Source Initiative and leader
of the Debian GNU/Linux distribution, said he believes Linux is simply
more secure and can respond to potential threats at any time since it
has an international developer base.
A vulnerability in radio-frequency ID chips could put millions
of users of wireless car key tags or speed pass payment devices at risk,
according to a recent study by researchers at Johns Hopkins University
and RSA Laboratories. Using a relatively simple electronic device, criminals
could wirelessly probe a car key tag or payment tag and then use the information
obtained from the probe to crack the cryptographic key on the tag, Ari
Juels, principal research scientist at RSA, explained.
A manhunt for the alleged Filipino hacker of the government
portal "gov.ph" and other government websites was launched after the suspect
went into hiding, the police said Tuesday. Judge Antonio Eugenio of the
Manila Regional Trial Court ordered the arrest of a certain JJ Maria Giner
on January 24, 2005 for violating section 33a of the Electronic Commerce
Law. Giner remains at large to date however.
