+---------------------------------------------------------------------+
|  LinuxSecurity.com                           Weekly Newsletter      |
|  September 11, 2000                         Volume 1, Number 19n    |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin Thomas         ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security
newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security
headlines.

This week, several interesting articles appeared surrounding the
Carnivore issue.  A group of developers from Network ICE released
their own open-source version, Altivore.  The purpose of it is
to "allow ISPs to respond to court ordered e-mail surveillance
without FBI help, thus allowing them to be self-regulated
instead of government regulated."  Also, a group of Universities
were unwilling to review Carnivore because of the FBI's list of
strict requirements and restrictions given to researchers.

Another hot issue this week was RSA's decision to release their
algorithm into the public domain early.  Some were skeptical, but
others believe that this is for the good of the community.


Our sponsor this week is WebTrends.  Their Security Analyzer has the
most vulnerability tests available for Red Hat & VA Linux.  It uses
advanced agent-based technology, enabling you to scan your Linux
servers from your Windows NT/2000 console and protect them against
potential threats. Now with over 1,000 tests available.

http://www.webtrends.com/redirect/linuxsecurity1.htm


HTML Version available:
http://www.linuxsecurity.com/newsletter.html


+---------------------+
| Host Security News: | <<-----[ Articles This Week ]-----------------+
+---------------------+


* Help & How-To: Two SuSE Linux Apache Vulnerabilities Identified
September 8th, 2000

One vulnerability allows a malicious user to  read passwords and
discern network  structure while the other allows a malicious  user
to create or browse file directories on a  Web server. Both
vulnerabilities provide a malicious user with  access to sensitive
data on a Web server running  Apache 1.3.9 (Apache 1.3.12 in SuSE
6.4). Apache is  the default Web server in SuSE Linux.

http://www.linuxsecurity.com/articles/server_security_article-1530.html


* An Introduction to Unix Permissions
September 8th, 2000

This Part 1 of a two part article discusses the basics of unix
filesystem permissions. "Unix uses three base permissions: read
(r), write (w), and execute (x). To view the  permissions of the root
directory on your FreeBSD system, use the ls command with the  l
(show long listing) and a (show all files)

http://www.linuxsecurity.com/articles/host_security_article-1532.html


* Using Postfix: A basic guide on configuring and installing
September 6th, 2000

If it's speed and security you're looking for, Postfix is a very
nominal choice for a MTA. The MTA uses multiple layers of defense to
protect the local system against intruders, as well as having the
ability to run in a chroot jail.

http://www.linuxsecurity.com/articles/server_security_article-1505.html



* Booting without all the extras
September 6th, 2000

A default Linux distro boots with a lot of services that you probably
don't need. The Geek shows you how to turn off those extras and
provides tips on tuning a Linux system for every situation. Now,
there are a couple of ways you can remove a service. The first is to
remove the software package that runs the service.

http://www.linuxsecurity.com/articles/host_security_article-1504.html



* Firewalls - Common Configuration Problems
September 5th, 2000

There are many common configuration problems with firewalls, ranging
in severity and scope. By far the most common problems relate to what
should be blocked or allowed. This is often problematic because needs
change; you may need to allow video-streaming, for example, and
unless done properly, the addition of new firewall rules can
seriously undermine the security provided by a firewall.

http://www.linuxsecurity.com/articles/firewalls_article-1493.html



+------------------------+
| Network Security News: |
+------------------------+

* Amateur Fortress Building in Linux
September 8th, 2000

Here's a pretty good introductory article on Linux security. It
discusses configuring TCPserver as a replacement for inetd, Dan
Bernstein and the crypto code that he's contributed to the community,
and explanations of the security implications of many of the common
network services.

http://www.linuxsecurity.com/articles/host_security_article-1522.html


* Authentication: Patterns of Trust
September 7th, 2000

There are plenty of options for user authentication, but none is a
"one-size-fits-all" solution. With so many available technologies,
how do you select the right one for your organization's needs?
Systems architects sometimes get stuck on security planning, because
it's hard to choose among all the competing products and
technologies.

http://www.linuxsecurity.com/articles/network_security_article-1520.html


* Unix, Linux computers vulnerable to damaging new attacks
September 7th, 2000

Security experts have uncovered a new class of vulnerabilities in
Unix and Linux systems that let attackers take full control of
computers.   These "format string" vulnerabilities started surfacing
about two months ago, said Elias Levy, a moderator of the Bugtraq
computer security mailing list. Some of them have lurked for years in
basic Unix programs, but security experts only now have begun to find
and fix them.

http://www.linuxsecurity.com/articles/network_security_article-1517.html


* null_session's TCP/IP for kids
September 5th, 2000

A nice intro to TCP/IP. "This file was written to take the kids who
are still stuck in the "1 n33d s0m3 w4r3z d00d!" mode and bring them
up to about the same level as your average system admin. That is to
say that this is a quick hit, usable as an introduction but NOT
intended for someone with experience in these matters (unless, of
course, you want to critique me)."

http://www.linuxsecurity.com/articles/documentation_article-1498.html


* How to perform a secure remote backup
September 4th, 2000

What do you do when your site is attacked or your system fails?
Backup, Avi Rubin argues, is the most reliable way to ensure that
what you've lost can be recovered. Here he takes a look at protecting
your backup and recommends some products that can help.

http://www.linuxsecurity.com/articles/server_security_article-1487.html




+--------------------+
| Cryptography News: |
+--------------------+


* RSA Algorithm Released: Update
September 8th, 2000

The release of the algorithm is a good thing because you can now
create cryptographic software using one RSA implementation and
distribute it worldwide without having to license anything from  RSA.
 This is good news  because you can, for example, download OpenSSL
and OpenSSH  Solaris 8.0 packages I created and use them now. I never
 bothered to compile them against RSAREF, so you would have had  to
wait another two weeks to download them.

http://www.linuxsecurity.com/articles/cryptography_article-1523.html


* RSA Security's Crypto May Spur More Competitive PKI Tools
September 8th, 2000

RSA's competitors' reactions to the  expiration are mixed. Baltimore
Technologies Inc. responded with its own  announcement of new
products and  initiatives. It's eliminating its runtime  licensing
for its PKI development suite  KeyTools and will switch to a flat
fee, and  it's also offering a free KeyTools Lite, which  includes
cryptographic and digital  certificate functions, including
communication with a certificate authority  or a Lightweight
Directory Access Protocol  directory.

http://www.linuxsecurity.com/articles/cryptography_article-1524.html


* Open RSA: The Patent Expires
September 8th, 2000

The end of the patent means that companies  who want to use the RSA
encryption  algorithm in the United States no longer have  to license
it from the firm, RSA Security. The  patent hasn't extended to
products sold outside the United States, because the  algorithm was
published in 1977 before the Massachusetts Institute of  Technology
applied for its patent

http://www.linuxsecurity.com/articles/general_article-1533.html


* GPG vs. PGP?
September 7th, 2000

What are the relative merits and drawbacks of using Gnu Privacy Guard
vs. Network Associates' PGP. I am not referring to the fact that GPG
doesn't use any restricted implemtations or algorithems; or that GPG
was not affected by the recent PGP hole; but other more everyday
issues.

http://www.linuxsecurity.com/articles/cryptography_article-1513.html


* Zimmermann responds to PGP flap
September 5th, 2000

Phil Zimmermann, the creator of Pretty Good Privacy  (PGP), responds
to the recent flaw discovered in  Network Associates implementation
of the Additional  Decryption Key (ADK) feature. This is a key escrow
 account that allows a responsible third-party to gain access to
encrypted messages when the original key is  lost. Many believe the
feature is the result of a  government conspiracy. Here's the
explanation of the  problem and rebuttal to the conspiracy argument
sent  by Zimmermann to Senior Editor Ellen Messmer

http://www.linuxsecurity.com/articles/cryptography_article-1500.html



+----------------------------+
| Vendor/Product/Tools News: |
+----------------------------+

* Solar Designer's 2.2.17 Kernel Patch
September 10th, 2000

Solar's kernel security enhancement patch is now available for the
recently-released 2.2.17 Linux kernel. "This patch is a collection of
security-related features for the Linux kernel, all configurable via
the new 'Security options' configuration section

http://www.linuxsecurity.com/articles/projects_article-1535.html


* Network ICE Releases Open-source Carnivore
September 8th, 2000

Network ICE is disclosing the source code to  a new e-mail sniffing
program called "Altivore." This software provides a potential
alternative to ISPs  who do not want to install the FBI's secretive
black-box known as "Carnivore." Altivore will allow ISPs  to respond
to court ordered e-mail surveillance without FBI help, thus allowing
them to be self-regulated  instead of government regulated.

http://www.linuxsecurity.com/articles/network_security_article-1529.html


* "Web Security Is Our Bag, Baby"
September 7th, 2000

In response to the skyrocketing number of security breaches, vicious
virus  attacks and severe financial losses plaguing North America's
digital economy, CRYPTOCard Corp., leaders in strong user
authentication (SUA) systems, has launched CRYPTOAdmin 5.0.

http://www.linuxsecurity.com/articles/vendors_products_article-1519.html


* Linux Internet security tool
September 6th, 2000

Security firms Intrusion and Check Point Software will this month
launch a sub-L1300 Linux-based Internet security appliance. The
small device is aimed at medium-sized firms and branch offices,  and
will have Check Point's VPN-1/FireWall-1 security software
preinstalled. It will also be available as a managed service.


http://www.linuxsecurity.com/articles/vendors_products_article-1511.html



+---------------+
| General News: |
+---------------+

* Researchers refuse Carnivore review
September 8th, 2000

Five groups of researchers have bowed out of the  competition to
evaluate the so-called Carnivore  Internet surveillance system. And
that likely will  dash Justice Department hopes that a major
university would validate its controversial  eavesdropping device,
participants said Tuesday.

http://www.linuxsecurity.com/articles/privacy_article-1521.html


* RSA Security Releases RSA Encryption Algorithm into Public Domain
September 6th, 2000

RSA Security Inc.   today announced it has released the RSA public
key encryption algorithm into the  public domain, allowing anyone to
create products that incorporate their own  implementation of the
algorithm. This means that RSA Security has waived its rights to
enforce the patent for any development activities that include the
RSA  algorithm occurring after September 6, 2000.

http://www.linuxsecurity.com/articles/vendors_products_article-1506.html


* Universities unwilling to review FBI's 'Carnivore' system
September 6th, 2000

Academic institutions will  likely pass up the chance to audit the
federal government's Internet monitoring  system, citing strict
controls that would  prevent an independent review,  researchers said
Wednesday. Known as "Carnivore," the FBI's e-mail monitoring system
has drawn fire from  electronic freedom activists who see it as an
excessive intrusion on individual  privacy.

http://www.linuxsecurity.com/articles/privacy_article-1510.html


* Can open source save the day?
September 5th, 2000

Because the new inter-component security flaws differ so
substantially from more traditional holes, a different sort of
programmer is likely to find them. Open source allows the widest
variety of coders to search the source for the flaws that they know
best. This can only improve security.

http://www.linuxsecurity.com/articles/general_article-1491.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".