
[ISN] Linux Security Week - October 17th 2005

|  LinuxSecurity.com                         Weekly Newsletter        |
|  October 17th, 2005                         Volume 6, Number 43n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@xxxxxxxxxxxxxxxxx    |
|                   Benjamin D. Thomas      ben@xxxxxxxxxxxxxxxxx     |

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Web
Application Firewall Evaluation Criteria Announced," "Perform due
diligence with RFID security," and "Government must push on IT


## EnGarde Secure Linux 3.0 - Download Now! ##

* Linux 2.6 kernel featuring SELinux Mandatory Access Control
* Guardian Digital Secure Network features free access to all
  system and security updates (to be available shortly through
  an updated release)
* Support for new hardware, including 64-bit AMD architecture
* Web-based management of all functions, including the ability
  to build a complete web presence with FTP, DNS, HTTP, SMTP and
* Apache v2.0, BIND v9.3, MySQL v5.0(beta)
* Completely new WebTool, featuring easier navigation and
  greater ability to manage the complete system
* Integrated firewall with ability to manage individual firewall
  rules, control port forwarding, and creation of IP blacklists
* Built-in UPS configuration provides ability to manage an entire
  network of battery-backup devices
* RSS feed provides ability to display current news and immediate
  access to system and security updates
* Real-time access to system and service log information




This week, advisories were released for mason, cpio, dia, masqmail,
shorewall, tcpdump, openvpn, up-imapproxy, ethereal, weex, py2play,
graphviz, xloadimage, xli, xine-lib, hylafax, Ruby, SVG, helix player,
uw-imap, openssl, thunderbird, binutils, and libuser.  The distributors
include Debian, Gentoo, and Red Hat.



Hacks From Pax: PHP Web Application Security
By: Pax Dickinson

Today on Hacks From Pax we'll be discussing PHP web application
security. PHP is a great language for rapidly developing web
applications, and is very friendly to beginning programmers, but
some of its design choices can make it difficult to write web apps
that are properly secure. We'll discuss some of the main security
"gotchas" when developing PHP web applications, from proper
user input validation to avoiding SQL injection.
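The two gotchas the column names, side by side, as an added example (this is the editor's illustration, not code from the Hacks From Pax article): the same user lookup written with request input interpolated straight into the SQL string, then rewritten with input validation and a PDO prepared statement, plus the output encoding step that is a separate problem from SQL escaping. It runs stand-alone against an in-memory SQLite database; the users table, its rows and the hostile input are constructed for the illustration.

```php
<?php
// Added example, not from the article: an SQL-injectable lookup and its
// hardened replacement. Runs stand-alone against an in-memory SQLite
// database (needs the pdo_sqlite extension); the table, rows and the
// hostile input below are constructed sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)");
$db->exec("INSERT INTO users (username, email) VALUES ('alice', 'alice@example.com')");
$db->exec("INSERT INTO users (username, email) VALUES ('bob', 'bob@example.com')");

// VULNERABLE: whatever arrived in the request is pasted into the SQL text,
// so a quote character in the input changes the structure of the query.
function findUserVulnerable(PDO $db, $username)
{
    $sql = "SELECT username, email FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: (1) validate the input against what a username is allowed to
// look like and reject anything else rather than trying to "clean" it;
// (2) pass the value as a bound parameter, so the database never parses it
// as SQL. Step 2 alone stops the injection; step 1 is defence in depth.
function findUserSafe(PDO $db, $username)
{
    if (!is_string($username) || !preg_match('/^[a-z0-9_]{1,32}$/', $username)) {
        return array();
    }
    $stmt = $db->prepare("SELECT username, email FROM users WHERE username = :name");
    $stmt->execute(array(':name' => $username));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escaping for SQL and escaping for HTML are different problems: a value
// that was bound safely into a query still has to be encoded before it is
// echoed into a page, or the lookup becomes a cross-site scripting hole.
function renderRows(array $rows)
{
    $items = '';
    foreach ($rows as $row) {
        $items .= '<li>' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8')
                . ' &lt;' . htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8') . '&gt;</li>' . "\n";
    }
    return "<ul>\n" . $items . "</ul>\n";
}

// Constructed hostile input, the kind of value $_GET['user'] might carry.
$hostile = "' OR '1'='1";

printf("vulnerable lookup returned %d row(s)\n", count(findUserVulnerable($db, $hostile)));
printf("hardened lookup returned %d row(s)\n", count(findUserSafe($db, $hostile)));
printf("hardened lookup for 'alice' returned %d row(s)\n", count(findUserSafe($db, 'alice')));
echo renderRows(findUserSafe($db, 'alice'));
```

Run it with `php` on the command line. The vulnerable call hands back both users, because the hostile input turns the WHERE clause into `username = '' OR '1'='1'`; the hardened call returns nothing for the same input and exactly one row for `alice`. Do not lean on magic_quotes_gpc for this kind of protection: it escapes blindly, breaks legitimate data, and was removed from PHP in 5.4. Bound parameters make the question of quoting go away entirely.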



Network Server Monitoring With Nmap

Portscanning, for the uninitiated, involves sending connection requests
to a remote host to determine what ports are open for connections and
possibly what services they are exporting. Portscanning is typically the
first step an attacker takes when attempting to penetrate your
system, so you should be preemptively scanning your own servers
and networks to discover exposed services before someone unfriendly
gets there first.



>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with
the ability to securely access corporate email from any computer,
collaborate with co-workers and set-up comprehensive addressbooks to
consistently keep employees organized and connected.


-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

| Security News:      | <<-----[ Articles This Week ]----------

* Guardian Digital launches new edition of award-winning EnGarde
Secure Linux platform
  10th, October, 2005

Guardian Digital, Inc., the
world's premier provider of open source security solutions, today
announced the latest innovation of its product portfolio with the
launch of EnGarde Secure Linux: Community Edition, a freely-available
version of its award-winning enterprise product. EnGarde is the first
product to bring complete Web-based management capability,
Security-Enhanced Linux functionality, and the ability to control
a complete Internet presence in one platform.


* How to keep instant messaging off the record
  13th, October, 2005

Sometimes encryption isn't enough to keep your conversations private.
With standard encryption, it's theoretically possible for someone to
steal your secret encryption keys and decipher the conversation. For
conversations that need to be kept confidential, the Off-the-Record
(OTR) plugin for Gaim saves the day. It leaves no trace of a
conversation ever having taken place.


* What Are Digital Vaults?
  11th, October, 2005

A major challenge that is faced by all organisations selecting IT
technology is trying to clearly understand how a particular solution
may address the challenges they are tasked with solving. And this
often involves trying to understand what various vendors mean when
using generic terminology.


* Insider Security Threats Q&A
  12th, October, 2005

We conducted a brief Q&A session with David Lynch, CMO at Apani
Networks, a global network security software provider focused on
securing inside the network perimeter. He discusses the security
breach in White House, internal security attacks in general and how
to prevent them.


* Red Hat Certified Security Specialist
  14th, October, 2005

Red Hat yesterday announced the availability of a new security
certification for IT professionals: Red Hat Certified Security
Specialist (RHCSS). The announcement of the RHCSS certification is
the Company's latest milestone in its "Security in a Networked World"
initiative launched in August.


* Web Application Firewall Evaluation Criteria Announced
  10th, October, 2005

The Web Application Firewall Evaluation Criteria project announced
its first public release. The goal of the project is to develop a
testing methodology that can be used by any reasonably skilled
technician to independently assess quality of a web application


* Playing Nice With Physical Security
  10th, October, 2005

At a small company, the information security manager is sometimes
also responsible for physical security. At very large corporations,
the physical security - sometimes called safety and security - is a
completely separate department, responsible for hardware such as
biometric ID or badge systems, security cameras and the management of
guards. Safety and security departments handle investigations of
physical breaches, such as theft, and workplace


* Google fixes Web site security bug
  11th, October, 2005

Google has fixed a security flaw on its Web site that opened the door
to phishing scams, account hijacks and other attacks, security
researchers said Monday.


* Perform due diligence with RFID security
  12th, October, 2005

Most notably, EPCglobal Gen 2 standards currently lack over-the-air
data-stream encryption between passive RFID tags and readers, though
there are provisions for locking RFID tag memory and disabling tags.
EPCglobal Gen 2 is the current standard for how passive tags affixed
to items and encoded with information about them communicate
wirelessly with readers, which collect that information and pass it
to upstream applications.


* Developers 'should be liable' for security holes
  12th, October, 2005

Security expert Howard Schmidt wants coders to be held responsible
for vulnerabilities in their code, but others say their employers
should be held to account


* I get a right good fisking
  13th, October, 2005

Is Windows inherently less secure than Linux, or just more popular?
Presently available data is inconclusive, because Windows still holds
the bulk of consumer and small business market


* Government must push on IT security
  14th, October, 2005

IT security has matured significantly over the past few years.

An increase in the number of viruses such as Slammer, the advent of
phishing, and a spate of high-profile attacks on organisations such
as Sumitomo Bank, have pushed security to the top of many company


* Hacking for Dollars
  11th, October, 2005

Threats to information security come in all shapes and sizes, and
from all directions: blended threats, mass-mailer worms, Trojans,
phishing attacks, spyware, keystroke loggers, etc. Every day, one or
more of these threats put critical information at risk in
Internet-connected corporations and businesses around the globe.


* Basic Bluetooth Security
  14th, October, 2005

Bluetooth has been around since the 90s, and even today, most mobile
devices come with the technology embedded in them. Bluetooth provides
a wireless, point-to-point, "personal area network" for personal
digital assistants (PDAs), notebooks, printers, mobile phones, audio
components, and other devices.

The wireless technology can be used anywhere if you have two or more
devices that are Bluetooth-enabled. And as with any wireless
connectivity, there are bound to be security issues since data is
being sent over the air invisibly from device to device.

Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.

InfoSec News v2.0 - Coming Soon!