Get the LinuxSecurity news you want faster with RSS
Powered By
Linux Security Week: May 27th, 2008
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
"After Debian's Epic SSL Blunder, a World of Hurt for Security Pros," "Test Case Optimizer for Automated Security Testing," and "Auditing PHP: Understanding register_globals."
Linux+DVD
Magazine Our magazine is read by professional network and database administrators,
system programmers, webmasters and all those who believe in the power of Open
Source software. The majority of our readers is between 15 and 40 years old.
They are interested in current news from the Linux world, upcoming projects
etc.
In each issue you can find information concerning typical use of Linux: safety,
databases, multimedia, scientific tools, entertainment, programming, e-mail,
news and desktop environments.
LinuxSecurity.com
Feature Extras:
Review: The Book of Wireless - “The Book of Wireless” by John Ross is an answer to the problem of learning about wireless networking. With the wide spread use of Wireless networks today anyone with a computer should at least know the basics of wireless. Also, with the wireless networking, users need to know how to protect themselves from wireless networking attacks.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline.
EnGarde Secure Community 3.0.19 Now Available! (Apr 15)
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.19 (Version 3.0, Release 19). This release includes many updated packages and bug fixes and some feature enhancements to the EnGarde Secure Linux Installer and the SELinux policy.
SAN FRANCISCO - May 20, 2008 - CoverityT, Inc., the leader in improving software quality and security, today announced the availability of the Scan Report on Open Source Software 2008. The Coverity Scan site was developed with support from the U.S. Department of Homeland Security as part of the federal government's 'Open Source Hardening Project.' The report is based on 2 years of analysis of more than 55 million lines of code on a recurring basis from over 250 popular open source projects with Coverity PreventT, the industry-leading static source code analysis solution.
This projects seems to be on the right track in improving open-source security. What do you think? Will this project make a big impact on code quality and security?
After Debian's Epic SSL Blunder, a World of Hurt for Security Pros (May 22)
It's been more than a week since Debian patched a massive security hole in the library the operating system uses to create cryptographic keys for securing email, websites and administrative servers. Now the hard work begins, as legions of admins are saddled with the odious task of regenerating keys too numerous for anyone to estimate.
What do you think is the state of computer security after the OpenSSL flaw was found and patched?
Tmin - Test Case Optimizer for Automated Security Testing (May 21)
Tmin is a simple utility meant to make it easy to narrow down complex test cases produced through fuzzing. It is closely related to another tool of this type, delta, but meant specifically for unknown, underspecified, or hard to parse data formats (without the need to tokenize and re-serialize data), and for easy integration with external UI automation harnesses.
Give this fuzzer a go and let us know what you think! Included in the article is a sample "hello world" script to fuzz "hello world" code, if that makes any sense. Why not check out the article to see what I mean?
Homeland Security Helps Reduce Open Source Flaws (May 21)
According to a report from code analysis vendor Coverity, the DHS sponsored effort has helped to reduce the defect density in 250 open source projects by 16 percent over the past two years. That defect reduction translates into the elimination of over 8,500 defects. The report on the benefits of the DHS open source security efforts comes at a time when open source software is increasingly becoming part of critical infrastructure both in the government and in US enterprises.
From this article it looks like the US government is helping make open source more secure. What do you think about this after reading this article?
Devil-Linux is a distribution which boots and runs completely from CD. The configuration can be saved to a floppy diskette or a USB pen drive. It was originally intended to be a dedicated firewall/router but now Devil-Linux can also be used as a server for many applications. Attaching an optional hard drive is easy, and many network services are included in the distribution.
Have you used any Linux distributions which are design to be used as a firewall or router? This article looks at the Devil-Linux distribution with some useful links to learn more about this Linux distro.
Conduct your audit on an exact copy of your production environment. You don't need to duplicate the hardware, but you want to make sure the software versions are as close as possible. The PHP configuration must match exactly, as specified in the php.ini file, the Apache directives in .htaccess files, or httpd.conf. You need a separate environment because you will display and log errors that might reveal sensitive passwords and other information. Also, you will try to break the security of the site, which is something you want to avoid with live applications.
Preforming security audits on you our PHP application is an important skill to have. This article will show you this in great detail, where any PHP developer can increase their web application security.
Popular Open Source Spam Filter Gets Boost (May 19)
SpamAssassin, popular open source spam-filtering software, will have deadlier aim thanks to an add-on tool that is being offered free of charge to small businesses and individuals by MailChannels.
The tool -- called Traffic Control 3 -- is an e-mail traffic-shaping package that slows down the transmission of spam into corporate e-mail systems. (Compare Messaging Security products.) MailChannels officials say Traffic Control 3 will reduce spam volumes by 50% to 75% for SpamAssassin users.
Traffic Control 3 uses a tarpitting technique that greatly reduces the speed at which spam can be transmitted to its target, hitting spammers at their one great vulnerability - their pockets. Reduced speed means less money, and spammers just aren't willing to make the compromise. What have you heard about Traffic Control 3 - anyone else know any good open source spam tar pits?
