+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  September 11, 2000                           Volume 1, Number 19n  |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin Thomas          ben@linuxsecurity.com    |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week, several interesting articles appeared surrounding the
Carnivore issue. A group of developers from Network ICE released their
own open-source version, Altivore. The purpose of it is to "allow ISPs
to respond to court ordered e-mail surveillance without FBI help, thus
allowing them to be self-regulated instead of government regulated."
Also, a group of universities were unwilling to review Carnivore because
of the FBI's list of strict requirements and restrictions given to
researchers.

Another hot issue this week was RSA's decision to release their
algorithm into the public domain early. Some were skeptical, but others
believe that this is for the good of the community.

Our sponsor this week is WebTrends. Their Security Analyzer has the most
vulnerability tests available for Red Hat & VA Linux. It uses advanced
agent-based technology, enabling you to scan your Linux servers from
your Windows NT/2000 console and protect them against potential threats.
Now with over 1,000 tests available.

 http://www.webtrends.com/redirect/linuxsecurity1.htm

HTML Version available: http://www.linuxsecurity.com/newsletter.html


+---------------------+
| Host Security News: |<<-----[ Articles This Week ]-----------------+
+---------------------+

* Help & How-To: Two SuSE Linux Apache Vulnerabilities Identified
September 8th, 2000

One vulnerability allows a malicious user to read passwords and discern
network structure, while the other allows a malicious user to create or
browse file directories on a Web server. Both vulnerabilities provide a
malicious user with access to sensitive data on a Web server running
Apache 1.3.9 (Apache 1.3.12 in SuSE 6.4). Apache is the default Web
server in SuSE Linux.

 http://www.linuxsecurity.com/articles/server_security_article-1530.html


* An Introduction to Unix Permissions
September 8th, 2000

Part 1 of this two-part article discusses the basics of Unix filesystem
permissions. "Unix uses three base permissions: read (r), write (w), and
execute (x). To view the permissions of the root directory on your
FreeBSD system, use the ls command with the l (show long listing) and a
(show all files)

 http://www.linuxsecurity.com/articles/host_security_article-1532.html


* Using Postfix: A basic guide on configuring and installing
September 6th, 2000

If it's speed and security you're looking for, Postfix is a very
nominal choice for an MTA. The MTA uses multiple layers of defense to
protect the local system against intruders, as well as having the
ability to run in a chroot jail.

 http://www.linuxsecurity.com/articles/server_security_article-1505.html


* Booting without all the extras
September 6th, 2000

A default Linux distro boots with a lot of services that you probably
don't need. The Geek shows you how to turn off those extras and provides
tips on tuning a Linux system for every situation. Now, there are a
couple of ways you can remove a service. The first is to remove the
software package that runs the service.

 http://www.linuxsecurity.com/articles/host_security_article-1504.html


* Firewalls - Common Configuration Problems
September 5th, 2000

There are many common configuration problems with firewalls, ranging in
severity and scope. By far the most common problems relate to what
should be blocked or allowed. This is often problematic because needs
change; you may need to allow video streaming, for example, and unless
done properly, the addition of new firewall rules can seriously
undermine the security provided by a firewall.

 http://www.linuxsecurity.com/articles/firewalls_article-1493.html


+------------------------+
| Network Security News: |
+------------------------+

* Amateur Fortress Building in Linux
September 8th, 2000

Here's a pretty good introductory article on Linux security. It
discusses configuring TCPserver as a replacement for inetd, Dan
Bernstein and the crypto code that he's contributed to the community,
and explanations of the security implications of many of the common
network services.

 http://www.linuxsecurity.com/articles/host_security_article-1522.html


* Authentication: Patterns of Trust
September 7th, 2000

There are plenty of options for user authentication, but none is a
"one-size-fits-all" solution. With so many available technologies, how
do you select the right one for your organization's needs? Systems
architects sometimes get stuck on security planning, because it's hard
to choose among all the competing products and technologies.

 http://www.linuxsecurity.com/articles/network_security_article-1520.html


* Unix, Linux computers vulnerable to damaging new attacks
September 7th, 2000

Security experts have uncovered a new class of vulnerabilities in Unix
and Linux systems that let attackers take full control of computers.
These "format string" vulnerabilities started surfacing about two months
ago, said Elias Levy, a moderator of the Bugtraq computer security
mailing list. Some of them have lurked for years in basic Unix programs,
but security experts only now have begun to find and fix them.

 http://www.linuxsecurity.com/articles/network_security_article-1517.html


* null_session's TCP/IP for kids
September 5th, 2000

A nice intro to TCP/IP. "This file was written to take the kids who are
still stuck in the "1 n33d s0m3 w4r3z d00d!" mode and bring them up to
about the same level as your average system admin. That is to say that
this is a quick hit, usable as an introduction but NOT intended for
someone with experience in these matters (unless, of course, you want
to critique me)."

 http://www.linuxsecurity.com/articles/documentation_article-1498.html


* How to perform a secure remote backup
September 4th, 2000

What do you do when your site is attacked or your system fails? Backup,
Avi Rubin argues, is the most reliable way to ensure that what you've
lost can be recovered. Here he takes a look at protecting your backup
and recommends some products that can help.

 http://www.linuxsecurity.com/articles/server_security_article-1487.html


+--------------------+
| Cryptography News: |
+--------------------+

* RSA Algorithm Released: Update
September 8th, 2000

The release of the algorithm is a good thing because you can now create
cryptographic software using one RSA implementation and distribute it
worldwide without having to license anything from RSA. This is good
news because you can, for example, download OpenSSL and OpenSSH
Solaris 8.0 packages I created and use them now. I never bothered to
compile them against RSAREF, so you would have had to wait another two
weeks to download them.

 http://www.linuxsecurity.com/articles/cryptography_article-1523.html


* RSA Security's Crypto May Spur More Competitive PKI Tools
September 8th, 2000

RSA's competitors' reactions to the expiration are mixed. Baltimore
Technologies Inc. responded with its own announcement of new products
and initiatives. It's eliminating its runtime licensing for its PKI
development suite KeyTools and will switch to a flat fee, and it's also
offering a free KeyTools Lite, which includes cryptographic and digital
certificate functions, including communication with a certificate
authority or a Lightweight Directory Access Protocol directory.

 http://www.linuxsecurity.com/articles/cryptography_article-1524.html


* Open RSA: The Patent Expires
September 8th, 2000

The end of the patent means that companies who want to use the RSA
encryption algorithm in the United States no longer have to license it
from the firm, RSA Security. The patent hasn't extended to products sold
outside the United States, because the algorithm was published in 1977
before the Massachusetts Institute of Technology applied for its patent

 http://www.linuxsecurity.com/articles/general_article-1533.html


* GPG vs. PGP?
September 7th, 2000

What are the relative merits and drawbacks of using Gnu Privacy Guard
vs. Network Associates' PGP? I am not referring to the fact that GPG
doesn't use any restricted implementations or algorithms, or that GPG
was not affected by the recent PGP hole, but other more everyday issues.

 http://www.linuxsecurity.com/articles/cryptography_article-1513.html


* Zimmermann responds to PGP flap
September 5th, 2000

Phil Zimmermann, the creator of Pretty Good Privacy (PGP), responds to
the recent flaw discovered in Network Associates' implementation of the
Additional Decryption Key (ADK) feature. This is a key escrow account
that allows a responsible third party to gain access to encrypted
messages when the original key is lost. Many believe the feature is the
result of a government conspiracy. Here's the explanation of the problem
and rebuttal to the conspiracy argument sent by Zimmermann to Senior
Editor Ellen Messmer.

 http://www.linuxsecurity.com/articles/cryptography_article-1500.html


+----------------------------+
| Vendor/Product/Tools News: |
+----------------------------+

* Solar Designer's 2.2.17 Kernel Patch
September 10th, 2000

Solar's kernel security enhancement patch is now available for the
recently-released 2.2.17 Linux kernel. "This patch is a collection of
security-related features for the Linux kernel, all configurable via
the new 'Security options' configuration section

 http://www.linuxsecurity.com/articles/projects_article-1535.html


* Network ICE Releases Open-source Carnivore
September 8th, 2000

Network ICE is disclosing the source code to a new e-mail sniffing
program called "Altivore." This software provides a potential
alternative to ISPs who do not want to install the FBI's secretive
black box known as "Carnivore." Altivore will allow ISPs to respond to
court-ordered e-mail surveillance without FBI help, thus allowing them
to be self-regulated instead of government regulated.

 http://www.linuxsecurity.com/articles/network_security_article-1529.html


* "Web Security Is Our Bag, Baby"
September 7th, 2000

In response to the skyrocketing number of security breaches, vicious
virus attacks and severe financial losses plaguing North America's
digital economy, CRYPTOCard Corp., leaders in strong user
authentication (SUA) systems, has launched CRYPTOAdmin 5.0.

 http://www.linuxsecurity.com/articles/vendors_products_article-1519.html


* Linux Internet security tool
September 6th, 2000

Security firms Intrusion and Check Point Software will this month
launch a sub-£1300 Linux-based Internet security appliance. The small
device is aimed at medium-sized firms and branch offices, and will have
Check Point's VPN-1/FireWall-1 security software preinstalled. It will
also be available as a managed service.

 http://www.linuxsecurity.com/articles/vendors_products_article-1511.html


+---------------+
| General News: |
+---------------+

* Researchers refuse Carnivore review
September 8th, 2000

Five groups of researchers have bowed out of the competition to
evaluate the so-called Carnivore Internet surveillance system. And that
likely will dash Justice Department hopes that a major university would
validate its controversial eavesdropping device, participants said
Tuesday.

 http://www.linuxsecurity.com/articles/privacy_article-1521.html


* RSA Security Releases RSA Encryption Algorithm into Public Domain
September 6th, 2000

RSA Security Inc. today announced it has released the RSA public key
encryption algorithm into the public domain, allowing anyone to create
products that incorporate their own implementation of the algorithm.
This means that RSA Security has waived its rights to enforce the
patent for any development activities that include the RSA algorithm
occurring after September 6, 2000.

 http://www.linuxsecurity.com/articles/vendors_products_article-1506.html


* Universities unwilling to review FBI's 'Carnivore' system
September 6th, 2000

Academic institutions will likely pass up the chance to audit the
federal government's Internet monitoring system, citing strict controls
that would prevent an independent review, researchers said Wednesday.
Known as "Carnivore," the FBI's e-mail monitoring system has drawn fire
from electronic freedom activists who see it as an excessive intrusion
on individual privacy.

 http://www.linuxsecurity.com/articles/privacy_article-1510.html


* Can open source save the day?
September 5th, 2000

Because the new inter-component security flaws differ so substantially
from more traditional holes, a different sort of programmer is likely
to find them. Open source allows the widest variety of coders to search
the source for the flaws that they know best. This can only improve
security.

 http://www.linuxsecurity.com/articles/general_article-1491.html


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".