This week, perhaps the most interesting articles include "Securing Linux with Mandatory Access Controls," " ," and "."


LINUX ADVISORY WATCH - This week, advisories were released for libXpm, evolution, mailman, hztty, xpcd, sympa, netkit-rwho, toolchain, htdig, synaestheia, awstats, typespeed, emacs, gftp, python, openoffice, kernel, kdeedu, gallery, webmin, perl-squid, ht/dig, opera, vmware, lighttpd, kstars, midnight commander, drakextools, cpio, enscript, mysql, rwho, kdelibs, xpdf, libtiff, vim, ethereal, thunderbird, and squid. The vendors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE.

LinuxSecurity.com Feature Extras:

Getting to Know Linux Security: File Permissions - Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy-to-follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security and is therefore very simple.

The Tao of Network Security Monitoring: Beyond Intrusion Detection - The Tao of Network Security Monitoring is one of the most comprehensive and up-to-date sources available on the subject. It gives an excellent introduction to information security and the importance of network security monitoring, offers hands-on examples of almost 30 open source network security tools, and includes information relevant to security managers through case studies, best practices, and recommendations on how to establish training programs for network security staff.

Encrypting Shell Scripts - Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe, send an e-mail with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


What's The Best VoIP System For SMBs?
15th, February, 2005

Making phone calls using a broadband Internet connection, more fondly known as VoIP (Voice over Internet Protocol), is becoming more and more popular with corporations of every size. The prospect of paying a flat fee for unlimited long-distance phone calls is appealing to every company that has struggled to balance the need to conduct business phone calls with the price of those calls. Calling plans are now available that provide unlimited minutes to any U.S. or Canadian phone number by routing the voice traffic over an existing broadband connection shared with the company's Internet access.

Why Not Truth?
14th, February, 2005

Ultimately cryptographers want some form of quantum repeater--in essence, an elementary form of quantum computer that would overcome distance limitations. A repeater would work through what Albert Einstein famously called "spukhafte Fernwirkungen," spooky action at a distance.

Researchers: Digital encryption standard flawed
17th, February, 2005

In a three-page research note, three Chinese scientists -- Xiaoyun Wang and Hongbo Yu of Shandong University and Yiqun Lisa Yin, a visiting researcher at Princeton University -- stated they have found a way to significantly reduce the time required to break an algorithm, known as the Secure Hashing Algorithm, or SHA-1, widely used for digital fingerprinting data files. Other cryptographers who have seen the document said that the results seemed to be genuine.

Researchers find security flaw in SHA-1
17th, February, 2005

Security experts are warning that a security flaw has been found in a powerful data encryption algorithm, dubbed SHA-1, by a team of scientists from Shandong University in China. The three scientists are circulating a paper within the cryptographic research community that describes successful tests of a technique that could greatly reduce the speed with which SHA-1 could be compromised.

How To Shop For A VPN
14th, February, 2005

Get clued in on what to look for in enterprise-class products, including the ins and outs of software vs. appliances, LAN-to-LAN vs. remote access, SSL, IPsec, and other decisions you need to make. With a virtual private network creating safe access for your Internet-connecting users, you can rip out expensive frame relay, leased lines and modem dial-up banks in favor of a secure WAN connection. For any network that connects remote users to the Internet, a VPN gateway provides three essentials for your data: authentication, confidentiality and integrity.

Linux Magazine: mod_perl, Part Two
14th, February, 2005

As I mentioned last month, having persistent Perl code means that some steps of your application can be reused rather than repeated. One very easy optimization is keeping your database handles open between web hits, rather than reopening them on each new hit. The Apache::DBI module (found in the CPAN) does the work for you by altering the way normal DBI connections are processed. If your application is like most, you simply add PerlModule Apache::DBI to the configuration file, and it just magically works.

Deploy an application with Cerise Web server
16th, February, 2005

Use Ruby as your programming language to create a simple application. This article shows you how to create a guestbook Web application with the Cerise Web server and the Ruby programming language. You'll use RSS 1.0 as the file format for the guestbook entries and XSLT for transforming files to HTML.

HITB E-Zine: Issue #36 Released
20th, February, 2005

After a nice Chinese New Year break we are pleased to bring you Issue #36 of the HITB e-zine. This is a pretty interesting issue with an exclusive article on Red Hat PIE Protection written by Zarul Shahrin as well as an article on building a simple wireless authenticated gateway using OpenBSD by Rosli Sukri (member of the HITB CTF Crew).

Evaluating Your Firewall
14th, February, 2005

Are you an administrator or security analyst who watches over a firewall with a hundred or more rules? Or perhaps a hired gun who must review a firewall with years of crusty buildup? Are you creating a test lab that involves a wide variety of networks, servers, and risks? If you're interested in enterprise-level firewalls, this article will help you make sense of common failures in processes and tools. We'll focus on enterprise-grade business and networking issues that affect firewalls. (Penetration studies and piercing firewalls from the outside will be covered in a later article.)

SWsoft Unveils Virtuozzo 2.6.1 for Linux
15th, February, 2005

The latest version of the Virtuozzo server virtualization solution features several new enhancements, including a new Virtuozzo control center, automatic update utility, stateful firewall support and VPN support. The company also announced that Australian firm SMS Central has purchased Virtuozzo for installation in its data center.

Clever service has key to e-mail security
14th, February, 2005

How can you be sure your e-mails are safe from prying eyes? To most of us e-mailing mom or even sending work-related e-mails, security really isn't of great concern. But for people to whom security is of great importance, sending sensitive documents over the Internet carries an extremely high degree of risk.

More advisories, more security
15th, February, 2005

More and more, we see articles questioning the security of a given platform based solely on the number of advisories published - and this approach is simply wrong, writes Thierry Carrez, of Gentoo Linux.

Is Linux Security A Myth?
17th, February, 2005

There are rare occasions in IT when a particular architecture reaches a point where it stops being purely IT driven and takes on a life of its own. The last year has seen the open source movement reach such a cult status and at the vanguard of open source fashion can be found the Linux operating system. Whilst the platform appeals at several levels for potential users, some of a philosophical nature and others far more concrete, it is noticeable that a couple of its qualities have recently been called into question.

OsAudit v0.1 (log gathering, monitoring and analysis) Available
18th, February, 2005

OsAudit version 0.1 is available for download. OsAudit is a complete system for log gathering, monitoring and analysis. It has two different running modes: server and client. In client mode, OsAudit will read the logs and forward them (encrypted) to the server station. In server mode, OsAudit will receive external logs from the clients or from any other device that can send remote syslog messages and analyze them. OsAudit uses (right now) 3 different methods to analyze the logs...

Why VoIP is raising new security concerns
16th, February, 2005

New technology often leads to improved productivity, but it also arrives with new IT challenges, often centering on security. "With any new technology, security functions tend to be the last area that matures," noted Pete Lindstrom, Research Director at Spire Security LLC, a market research firm focusing on security issues. Voice over IP (VoIP) has begun to make significant inroads in the enterprise, so IT managers need to be aware of the unique security challenges it presents.

Security firms show united front
16th, February, 2005

A joint system for reporting and grading security vulnerabilities is going to be launched today. With an eye to guiding companies on which software problems to patch first, Cisco, Symantec and Qualys plan to launch a joint grading system for security vulnerabilities. The ratings will consist of three numbers, Gerhard Eschelbeck, the chief technology officer at security information provider Qualys said on Tuesday. The first will be a baseline estimate of the severity of the flaw. The second will rate the bug depending on how long it has been around, and therefore how likely it is that companies have patched against it.

Securing Linux with Mandatory Access Controls
15th, February, 2005

Some in the security industry say that Linux is inherently insecure, that the way Linux enforces security decisions is fundamentally flawed, and the only way to change this is to redesign the kernel. Fortunately, there are a few projects aiming to solve this problem by providing a more robust security model for Linux by adding Mandatory Access Control (MAC) to the kernel.

Is Linux Security A Myth?
16th, February, 2005

There are rare occasions in IT when a particular architecture reaches a point where it stops being purely IT driven and takes on a life of its own. The last year has seen the open source movement reach such a cult status and at the vanguard of open source fashion can be found the Linux operating system. Whilst the platform appeals at several levels for potential users, some of a philosophical nature and others far more concrete, it is noticeable that a couple of its qualities have recently been called into question.

Defense picks two for PKI
16th, February, 2005

Defense Department officials selected two companies to provide digital certificate validation for the department's public-key infrastructure (PKI), a decision that some officials feel could spur a faster move to paperless e-government. After a yearlong, worldwide pilot test, military officials chose Tumbleweed Communications and CoreStreet as the two certificate validation providers for its Identity Protection and Management Program, which includes the Common Access Card smart card program.

Novell taps open source for security
15th, February, 2005

For Novell, security and open source belong together. The Waltham, Mass.-based company said Monday that it will submit the programming interfaces for eDirectory to two open-source projects, allowing developers to use Novell's directory program to authenticate network access. Novell also detailed a partnership with Linux security company Astaro to create a security appliance that runs Novell's SuSE Linux operating system.

Novell boosts its Linux security credentials
16th, February, 2005

Novell has unveiled a SuSE Linux-based soft appliance designed to protect businesses against security threats from hackers, viruses, worms and spam. The company said that its Novell Security Manager, which is powered by security software from network security firm Astaro, features six perimeter security applications with an integrated management platform.

SuSE Linux awarded government security cert
18th, February, 2005

IBM and Novell announced at LinuxWorld today that SuSE Linux Enterprise Server 9 has become the first distribution to complete Evaluation Assurance Level (EAL) 4+. The high security rating will enable the operating system to be adopted by governments and government agencies for mission-critical operations, according to the firms.

Security show tackles online threats
14th, February, 2005

The security industry, in the business of paranoia, will be looking over its shoulders more frequently at the annual RSA Security Conference this week. With phishing attacks plaguing consumers, viruses showing no signs of abating, and regulations such as Sarbanes-Oxley worrying clients, business has been brisk for security firms.

Liberty Alliance Releases ID Standard For Web Services
14th, February, 2005

The Liberty Alliance Project on Friday unveiled the public draft release of a framework for identity-based web services. The latest release of ID-WSF 2.0 is the first of three that will each add greater depth to the identity-management framework. The final specification including all three releases is expected to be available by end of the year. Phase one extends ID-WSF 2.0 to include support for SAML 2.0 from the Organization for Advancement of Structured Information Sciences, an international standards body.

The Threat Within - Why Businesses Need To Manage And Monitor Employee Email Usage
14th, February, 2005

In a few short years, email has become a major part of the national psyche and a business-critical tool of communication. However, while companies have been more than willing to embrace the business benefits of email, they continue to remain oblivious to many of the responsibilities this new form of communication brings, particularly as it affects their employees. It is a commonly held misconception, due to the informal traditions of electronic communication, that e-mails carry less weight than letters on headed notepaper.

Security firms show united front
16th, February, 2005

With an eye to guiding companies on which software problems to patch first, Cisco, Symantec and Qualys plan to launch a joint grading system for security vulnerabilities. The ratings will consist of three numbers, Gerhard Eschelbeck, the chief technology officer at security information provider Qualys said on Tuesday. The first will be a baseline estimate of the severity of the flaw. The second will rate the bug depending on how long it has been around, and therefore how likely it is that companies have patched against it. The third will measure the threat a vulnerability poses to a specific corporate network. Each will take five or six factors into account for the measurement.

Providing Database Encryption
16th, February, 2005

As databases become networked in more complex multi-tiered applications, their vulnerability to external attack grows. We address scalability as a particularly vital problem and propose alternative solutions for data encryption as an enterprise IT infrastructure component. In this paper, we explore a new approach for data privacy and security in which a security administrator protects privacy at the level of individual fields and records, and provides seamless mechanisms to create, store, and securely access databases.

Novell makes open source security moves
18th, February, 2005

The Waltham, Massachusetts-based company has released the APIs to the open source community to enable open source developers to make use of Novell's eDirectory identity management platform. The code has been posted to two open source groups: the Samba file and print server project, and the FreeRadius remote user authentication project, enabling the Samba CIFS and SMB clients and the FreeRadius wireless authentication technologies to be supported by eDirectory.

Watch Out for Spies With Friendly Faces
18th, February, 2005

As tech-savvy people, we know by now that we have to worry about technology being used to invade our privacy. But we tend to focus on the stuff that's deliberately snooping on us: spyware, keyloggers, Trojan horses, and other software and hardware designed with malicious intent. An even bigger risk, though, can come from the tools we usually trust--helpful gadgets and programs that weren't built to spy on us but can be used that way.

Passwords? We don't need no stinking passwords
16th, February, 2005

RSA 2005: Concerns over online security are continuing to slow consumer e-commerce growth. A quarter of the respondents in a recent survey have reduced their online purchases in the past year and 21 per cent refuse to conduct business with their financial institutions online because of security fears. More than half (53 per cent) of the 1,000 consumers quizzed believe that basic passwords fail to provide sufficient protection for sensitive personal information.

F-Secure exploit patched
14th, February, 2005

F-Secure has become the latest security firm to be embarrassed by a flaw in its flagship security product line, but the company managed to patch the flaw while it was still only 'theoretical'. F-Secure has released a patch for a serious flaw in its antivirus products, the second time in a week a security company has warned of a risk in its software.

WLAN Users Lack Support
14th, February, 2005

Setting up a wireless LAN can be as easy as sticking a plug into an outlet. But even technology-savvy customers are complaining that security can be a hassle due to problems with documentation and support. While industry standards bodies are making strides to ensure that even consumer-level WLAN hardware is effective and secure, the user manuals that come with the hardware continue to leave a lot to be desired. "The biggest challenge is inconsistent nomenclature and presentation of the basic components," said Christopher Bell, a software developer in Los Angeles whose home-office WLAN has included wireless routers from Linksys Inc. and Microsoft Corp. as well as myriad PC brands.

Wi-Fi Alliance to beef up security
14th, February, 2005

Security remains the key issue deterring enterprise users from making major investments in Wi-Fi, despite all the improvements over the past year. Whether real or perceived, the security risks of wireless LANs are still holding deployments back. Conscious of this, the Wi-Fi Alliance is trying to beef up standard security still further. It has already agreed to a dual-layer security approach, with WPA2 (the brand name for the 802.11i standard) supporting advanced functions including AES encryption, while the more basic WPA, originally an interim standard en route to 802.11i, will be kept for devices that require less stringent security and lower costs, particularly in the consumer space.

Teething problems for wireless LANs
17th, February, 2005

WIRELESS LAN is an emerging trend, but as with most young technologies, it is plagued by insecurities. John Martin, IBM principal security specialist and security practice leader, spends his days advising corporate enterprises on risk management. "The whole end-to-end process must be secure, regardless of the type of industry," he says.

Mesh Networking Soars to New Heights
19th, February, 2005

Mesh Networking and community wireless broadband reached new heights with a world first for Locustworld MeshAP PRO when a Shadow microlight aircraft flew over Lincolnshire UK and successfully tested air to ground mesh networking and voice over broadband. South Witham broadband (Lincolnshire UK) joined forces with Make Me Wireless (Australia) and using LocustWorld MeshAP PRO and Asterisk VoIP equipment, seamlessly created air to ground voice communications at 2000 feet with the 16 node South Witham community broadband network.