Linux Security Week - December 27th 2004
Source: Contributors - Posted by Benjamin D. Thomas   
Linux Security Week This week, perhaps the most interesting articles include "Survivor's Guide to 2005: Security," "Security Starts from the Inside Out," " and "Linux lasting longer against Net attacks."

Internet Productivity Suite: Open Source Security - Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design. Click to find out more!

LINUX ADVISORY WATCH - Happy Holidays! This week, advisories were released for cscope,htget, a2ps, ethereal, xzgv, debmake, xcdroast, udev, cups, postgresql, namazu, pam, samba, glibc, krb5, php, gnumeric, abiword, libtiff, kfax, abcm2ps, phpMyAdmin, WordPress, NASM, mplayer, mpg123, wget, urpmi, aspell, krb5, logcheck, samba, Linux kernel, kerberos5, libxml, gd, XFree86, and nfs-utils. The distributors include Debian, Fedora, Gentoo, Mandrake, NetBSD, Trustix, Red Hat, and SuSE. Features:

State of Linux Security 2004 - In 2004, security continued to be a major concern. The beginning of the year was plagued with several kernel flaws and Linux vendor advisories continue to be released at an ever-increasing rate. This year, we have seen the reports touting Window's security superiority, only to be debunked by other security experts immediately after release. Also, Guardian Digital launched the new, users continue to be targeted by automated attacks, and the need for security awareness and education
continues to rise.

Vincenzo Ciaglia Speaks Security 2004 - Vincenzo Ciaglia of Linux Netwosix talks about this year of Linux Security. A full immersion in the world of Linux Security from many sides and points of view.


Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital’s multi-faceted security applications. More then just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network. Click to find out more!

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to with "subscribe" as the subject.

Thank you for reading the weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.

  The Linux Year
  24th, December, 2004
The year of the penguin, some people hailed 2004 at the turn of the year. And in many ways it was. Was it because the march on the server space continued at a relentless pace? Because there were big announcements around desktop installments? Because there was finally some realistic perspective about the threat from SCO, or the threat to Microsoft? However you look at it, the penguin's tux has never looked more pristine or ready for business. So here we'll take a stroll though the last 12 months that sharpened the creases and quickened the pace of the Linux-based platforms.
  Adding strong security from day one
  22nd, December, 2004
Adding security to constrained devices is not an easy task for developers who need to accommodate a range of new features without compromising usability. Experience has shown that building security in at the design stage yields better results from a security and performance perspective. Therein lies the challenge. ItÕs no secret that most cryptographic systems are computationally taxing. Such is not the case with Elliptic Curve Cryptography, or ECC, which has the most strength per bit of any known public key system today and consequently is ideally suited for resource-constrained devices.
  LDAP Server Administration with GOsa
  20th, December, 2004
A flaw in two popular Unix and Linux administration consoles could lead to systems being compromised, according to an alert from security firm Secunia. The bug in Usermin, a widely used administration console for Unix and Linux, could allow the introduction of rogue shell code when a user views a particular e-mail via the web.
  Survivor's Guide to 2005: Security
  20th, December, 2004

Intrusion detection systems--the primary source of warnings that attacks are under way--are critical pieces of network-security infrastructure, providing detailed records of attacks, intrusions and unexpected network activity. For most enterprises, the IDS has become the central piece of security hardware, certainly the most visible piece to the staff. Without an IDS, the security staff must gather forensics information from firewall, server and router log files.

  Linux Advisory Watch - December 24th 2004
  23rd, December, 2004
Happy Holidays! This week, advisories were released for cscope, htget, a2ps, ethereal, xzgv, debmake, xcdroast, udev, cups, postgresql, namazu, pam, samba, glibc, krb5, php, gnumeric, abiword, libtiff, kfax, abcm2ps, phpMyAdmin, WordPress, NASM, mplayer, mpg123, wget, urpmi, aspell, krb5, logcheck, samba, Linux kernel, kerberos5, libxml, gd, XFree86, and nfs-utils. The distributors include Debian, Fedora, Gentoo, Mandrake, NetBSD, Trustix, Red Hat, and SuSE.
  GPL to get a makeover
  23rd, December, 2004

The General Public License hasn't had a proper update for 13 years, and it's starting to show its age. It looks set to be updated though, to ensure it's more in tune with today's software models and potential legal battles.

  Security Flaw Found In Multiple Linux Distro
  23rd, December, 2004
iDEFENSE has discovered a flaw in Xpdf, an open-source viewer for Portable Document Format (PDF) files included in most Linux distros. iDEFENSE has confirmed the existence of this vulnerability in version 3.00 of xpdf. It is suspected that previous versions may also be vulnerable. Remote exploitation of the buffer overflow vulnerability in the xpdf PDF viewer could allow attackers to execute arbitrary code as the user viewing a PDF file.
  Special Report: Database Security
  24th, December, 2004

Databases control most of the business world's valuable information. Pick a vital application--credit-card processing, EDI, financial analysis, just-in-time production--and you'll find a database under it.

  Know Your Enemy: Trends
  22nd, December, 2004
New Honeynet Project KYE paper released "Know Your Enemy: Trends". This paper documents how the life expectancy of unpatched or vulnerable deployments of common Linux systems has increased from 3 days to 3 months. This is surprising based on the increase of malicious activity seen in the past 18 months.
  Tools Block Code-Busting Crooks
  20th, December, 2004

The concept of adding security to the coding phase of application development is catching on, with new companies delivering tools to help developers test for vulnerabilities early in the process.

  Why Your Data Is At Risk
  21st, December, 2004
Your data is vulnerable no matter where it resides. While most companies take security precautions, many of those precautions turn out to be insufficient to protect valuable corporate assets. The key lies in knowing where vulnerabilities exist and making appropriate risk-based decisions.
  Security Starts from the Inside Out
  21st, December, 2004

Patrick Angle, 34, was charged with intentionally damaging a protected computer. The charge alleged that Angle, who had worked for Varian, had become disgruntled with his employment by September 2003 and had been told by the company that his employment contract would be terminated in October of that same year.

  Defacement Of Indian Websites On The Rise
  24th, December, 2004

The Indian Computer Emergency Response Team (CERT-In) has compiled a report that speaks on how with the global rise in cyber terrorism activity, Indian websites too have come under fire by attackers, some of them being opportunists while others targeting specific sites and domains.

  Linux holds out against attackers
  24th, December, 2004

A recent 'honeynet' experiment showed that unpatched Linux systems held up for an average of three months before succumbing to Internet-based attacks.

  How ITIL Can Improve Information Security
  24th, December, 2004

ITIL - the Information Technology Infrastructure Library - is a set of best practices and guidelines that define an integrated, process-based approach for managing information technology services. ITIL can be applied across almost every type of IT environment.

  Linux lasting longer against Net attacks
  24th, December, 2004
Unpatched Linux systems are surviving longer on the Internet before being compromised, according to a report from the Honeynet Project released this week. The data, from a dozen networks, showed that the average Linux system lasts three months before being compromised, a significant increase from the 72 hours life span of a Linux system in 2001. Unpatched Windows systems continue to be compromised more quickly, sometimes within minutes, the Honeynet Project report stated.
  Will 2005 Bring a Safer Internet?
  24th, December, 2004
Sometimes writing about security is just too easy. Making predictions about next year is like this in some ways. Let's pick some of the low-hanging fruit early. Even though most spam-tracking companies show that spam already comprises 75 percent or more of all e-mail, that proportion will go up in 2005. We are approaching the situation in which, I have always assumed, users will begin to withdraw from e-mail because it is so unpleasant.
  Banks test ID device for online security
  24th, December, 2004
For years, banks gave away toasters to people who opened checking accounts; soon they may be distributing a more modern kind of appliance. Responding to an increase in Internet fraud, some banks and brokerage firms plan to begin issuing small devices that would help their customers prove their identities when they log on to online banking, brokerage and bill-payment programs. E*Trade Financial intends to introduce such a product in the first few months of 2005. And U.S. Bancorp says it will test a system, though it has not given a timetable.
  Linux in Government: Security Enhanced Linux - The Future is Now
  20th, December, 2004
If a must-have, must-know innovation exists for Linux's future viability, you might place all bets on Security Enhanced Linux. Vastly misunderstood and underrated, SELinux provides a marketing differentiator that could carry Linux deep into infrastructures that so far have shown lukewarm acceptance of the open-source operating system. SELinux transforms standard Linux from a cost-effective and secure operating system into a behemoth.
  NASA hacker jailed for six months
  20th, December, 2004

A US man has been jailed for six months for a 2001 attack on the web systems of space agency NASA which cost $200,000 to fix.

  Groups fight Internet wiretap push
  24th, December, 2004

Companies and advocacy groups opposed to the FBI's plan to make the Internet more accommodating to covert law enforcement surveillance are sharpening a new argument against the controversial proposal: that law enforcement's Internet spying capabilities are just fine as it is.

  Army focuses on cyber protection
  24th, December, 2004

A recently issued Army white paper, "Fight the Network," provides a new framework for the Signal Regiment, the service's communications organization, as it changes to support lighter, more mobile warfighting units. Army information technology officials devised the document to help foster a different mind-set for communications personnel in defending and managing the service's networks, said Gordon Van Vleet, public affairs officer for the service's Network Enterprise Technology Command/Ninth Army Signal Command at Fort Huachuca, Ariz. Netcom officials oversee the operation, management and protection of the Army's networks.
  Exploits released for new Windows flaws
  24th, December, 2004

A Chinese security group has released sample code to exploit two new unpatched flaws in Microsoft Windows. The advisory comes in the week before Christmas, a time when many companies and home users are least prepared to deal with the problems. Security firm Symantec warned its clients of the vulnerabilities on Thursday, after the Chinese company that found the flaws published them to the Internet. One vulnerability, in the operating system's LoadImage function, could enable an attacker to compromise a victim's PC when the computer displays a specially crafted image placed on a Web site or in an e-mail. The other vulnerability, in the Windows Help program, likewise could affect any program that opens a Help file.

Only registered users can write comments.
Please login or register.

Powered by AkoComment!