DEMYSTIFY THE SPAM BUZZ: Roaring Penguin Software
Understanding the anti-spam solution market and its various choices and buzzwords can be a daunting task. This free whitepaper from Roaring Penguin Software helps you cut through the hype and focus on the basics: determining what anti-spam features you need, whether a solution you are considering includes them, and to what degree. Find out more!
LINUX ADVISORY WATCH
This week packages were released for axel, gftp, wireless-tools, glibc, selinux-policy-targeted, kernel, autofs, GnomeVFS, phpMyAdmin, shorewall, gtk, sharutils, gdk-pixbuf, kdegraphics, dhcp, and gaim. The distributors include Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE.
LinuxSecurity.com
Feature Extras:
Introduction: Buffer Overflow Vulnerabilities - Buffer overflows are a leading type of security vulnerability. This paper explains what a buffer overflow is, how it can be exploited, and what countermeasures can be taken to prevent the use of buffer overflow vulnerabilities.
Getting to Know Linux Security: File Permissions - Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy-to-follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, and is therefore kept very simple.
The Tao of Network Security Monitoring: Beyond Intrusion Detection - The Tao of Network Security Monitoring is one of the most comprehensive and up-to-date sources available on the subject. It gives an excellent introduction to information security and the importance of network security monitoring, offers hands-on examples of almost 30 open source network security tools, and includes information relevant to security managers through case studies, best practices, and recommendations on how to establish training programs for network security staff.
Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital’s multi-faceted security applications. More than just an email firewall, on-demand and scheduled scanning detects and disinfects viruses found on the network. Click to find out more!
Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.
Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.
A federated crypto guy
14th, April, 2005
WHEN budgets get tight, R&D is often one of the first departments to feel the squeeze.
But at RSA Security, vice-president of research Burt Kaliski and his team are considered the heart and soul of the business. RSA puts about 18-20 per cent of its revenue into applied research and standards development at its research centre, RSA Laboratories.
As we rely more on computers, the potential for hackers to hurt us and destroy our personal records has grown. Corporate and public networks, rather than individuals, face the brunt of hackers’ ingenuity. However, there are ways to build an unhackable network.
Today, it's hard to imagine an organization operating without taking advantage of the vast resources and opportunities that the Internet provides. The Internet's role has become so significant that no organization can afford to have its Net connection going down for too long. Consequently, most organizations have some form of a secondary or backup connection ready (such as a leased line) in case their primary Net connection fails.
In the 1970s, Martin Hellman and Whitfield Diffie wrote the recipe for one of today's most widely used security algorithms in a paper called "New Directions in Cryptography." The paper mapped out the Diffie-Hellman key exchange, a major advancement in Public Key Infrastructure (PKI) technology that allows for secure online transactions and is used in such popular protocols as the Secure Sockets Layer (SSL) and Secure Shell (SSH). In 2000, they received the prestigious Marconi Foundation award for their contributions.
How can a system administrator monitor a large number of machines and services to proactively address problems before anyone else suffers from them?
The answer is Nagios.
Nagios is an open source network monitoring tool. It is free, powerful and flexible. It can be tricky to learn and implement, but it can enormously reduce the amount of time required to keep track of how your organization's IT infrastructure is performing.
From SATAN to OVAL: The Evolution of Vulnerability Assessment
15th, April, 2005
With the growing reliance and dependence on our inter-connected world, security vulnerabilities are a real world issue requiring focus and attention. Security vulnerabilities are the path to security breaches and originate from many different areas - incorrectly configured systems, unchanged default passwords, product flaws, or missing security patches to name a few. The comprehensive and accurate identification and remediation of security vulnerabilities is a key requirement to mitigate security risk for enterprises.
Developers Rate Linux More Secure Than Windows In Survey
14th, April, 2005
A new study addressing security issues finds that software-development managers generally rate Linux as a more secure operating system than Windows. The study, which will be released by the end of the month, was conducted by BZ Research, the research subsidiary of publisher BZ Media LLC. It was not funded by any vendors.
One reason software security vulnerabilities are so tough to fix is because they are so hard to find. Unlike other bugs that become apparent when an application acts up, security holes tend to hide from normal view. And that's just how the hacker underground likes it.
A German court has granted a preliminary injunction against security firm Fortinet for allegedly violating the general public licence (GPL) and hiding Linux in its code.
The ruling could prevent the security appliance vendor from further distributing its products until it complies with the open source licence.
Cisco: Malicious ICMP messages could cause denial of service
15th, April, 2005
A publicly available document on how to use the Internet Control Message Protocol (ICMP) to launch denial-of-service attacks has prompted Cisco Systems to issue an advisory outlining a variety of vulnerable products.
An essay in an April trade magazine maintains two-factor authentication can't counter emerging threats, and that the industry would be wise to come up with a better solution to the nation's biggest cyberproblem: identity theft.
Most readers of Bruce Schneier's popular blog on security got a sneak preview last month when he posted the essay online under the heading "The Failure of Two-Factor Authentication." It led to a strong response from those who agree the solution has limited appeal and others who argue it works well when done right.
HIPAA. We are all sick of the acronym by now, and the April 20 compliance deadline for the Health Insurance Portability and Accountability Act is looming.
At the state agency where I work, the information security officer (ISO), who is responsible for HIPAA security rule compliance, has spent the past seven months or so writing policies and procedures. He divided them into two groups: "required" (stuff we have to do) and "addressable" (stuff we'd better be thinking about doing).
Christofer Hoff is on a mission. As the director of information security at Western Corporate Federal Credit Union (WesCorp), Hoff has launched an initiative to quantify the benefits of information security spending for business executives at the San Dimas, Calif.-based company.
Software development managers rate Linux significantly higher than Windows server products for security, according to the latest research.
Over 6000 software development managers were asked in a survey conducted by BZ Media to rate the security of server operating systems against hacks and exploits. Linux was rated as 'secure' or 'very secure' by 74 percent of respondents, while Microsoft Windows Server was given one of these ratings by 38 percent of respondents. Thirteen percent of respondents rated Linux as insecure or very insecure, a figure that rose to 58 percent for Windows server products.
The two-edged sword: Legal computer forensics and open source
12th, April, 2005
Ryan Purita of Totally Connected Security is one of the leading computer forensic experts in private practice in Canada. He is a Certified Information Systems Security Professional, holding one of the most advanced security qualifications in the world. Working for both the prosecution and the defence in legal cases, Purita has also taught computer security to law enforcement agencies, probation officers and social workers, and is currently developing programs for the Justice Institute of British Columbia. Much of his daily work is an extension of a system administrator's activities. A good part of it involves the advanced use of open source tools, including several standard system tools. His work methods offer fresh perspectives on security, privacy issues and the relative merits of Windows and GNU/Linux -- to say nothing of a niche industry where open source is more than holding its own.
A Virginia judge sentenced a spammer to nine years in prison Friday in the nation's first felony prosecution for sending junk e-mail, though the sentence was postponed while the case is appealed.
Experts from a consortium of colleges will lead a far-reaching effort to keep the nation's computer data safe from cyberattack, the National Science Foundation announced Monday.
The effort comes after a flurry of security breaches have dramatized the vulnerability of a society that increasingly entrusts its secrets to computers.
A Linux programmer reported a new victory in a German court Thursday in enforcing the General Public License, which governs countless projects in the free and open-source software realms.
A Munich district court on Tuesday issued a preliminary injunction barring Fortinet, a maker of multipurpose security devices, from distributing products that include a Linux component called "initrd" that Harald Welte helped write.
Data broker LexisNexis said Tuesday that personal information may have been stolen on 310,000 U.S. citizens, or nearly 10 times the number found in a data breach announced last month.
An investigation by the firm's Anglo-Dutch parent Reed Elsevier determined that its databases had been fraudulently breached 59 times using stolen passwords, leading to the possible theft of personal information such as addresses and Social Security numbers.
Data apparently stolen from the popular clothing retailer Polo Ralph Lauren Inc. is forcing banks and credit card issuers to notify thousands of consumers that their credit-card information may have been exposed.