******* You may leave the list at any time by sending an email to [EMAIL PROTECTED] with the text "SIGNOFF SECURITYPORTAL-L" in the body of the email. We will miss you! *******

******* Vendor Corner *******

Sponsored by Baseline

WRITE YOUR INFORMATION SECURITY POLICIES IN A DAY! INFORMATION SECURITY POLICIES MADE EASY is a kit, text and CD, of 1000+ already-written security policies by internationally-known consultant Charles Cresson Wood. ISPME has JUST BEEN UPDATED and is now available in Version 7! ISPME v7 is the most comprehensive collection of policies available, covering the latest technology developments and infosec topics. Each of these policies is accompanied by commentary detailing policy intention, audience, and the circumstances where it applies. Save weeks of time and thousands of dollars developing policies for information security manuals, systems standards, etc., with no consultant fees.
Go to - http://www.baselinesoft.com

******* What's New With SecurityPortal *******

A New Feature Coming to SecurityPortal
A new section will be coming to SecurityPortal next week, the "AnswerGuy". Send in your security related questions, and the best/most interesting ones will be answered by our panel of experts. Send your questions to: [EMAIL PROTECTED]

Linux Distribution Security Report
How are the various Linux distributions doing in terms of general security? In this article, I make a few observations on the results of a quasi-statistical analysis of the security fixes issued by Linux distributions. We will look at response time and total number of bugs, as well as how often a distribution is released and how popular it is. A second primary concern is what software a vendor ships, and how it is configured. The article is not meant so much as a comparison of the various distributions as a general industry report. Links to other related articles on this topic are provided at the end of this page. My examination is divided into three sections. The first and longest looks at past and present performance on releasing security fixes; the next section compares the distributions' reactions to serious bugs; the final section compares current distribution security features, what software they ship, install issues, etc. I've also come up with a list of "best practices," or what I consider a minimum level that all vendors should strive for. I also have a few ideas for the future.
Read the full story here: http://securityportal.com/cover/coverstory20000724.html

Personal Firewalls / Intrusion Detection Systems
Following a great deal of feedback on this article from last Monday, Sean Boran has updated his survey of personal firewalls to include a brief rundown on formerly unreviewed software, plus some other timely updates.
Read the full story here: http://securityportal.com/cover/coverstory20000717.html

******* Vendor Corner *******

How to Test Your Firewall
Enterprise Security Manager (ESM) and NetRecon assessment solutions deliver scalable security policy compliance and assessment while checking for vulnerabilities from inside and outside your firewall. Now through August 6, download your FREE evaluation copy of NetRecon to test your firewall at http://www.axent.com/email/2446/
AXENT is the leading provider of e-security solutions for your business, delivering integrated products and expert services to 45 of the Fortune 50 companies.

******* Top News *******

Welcome to SecurityPortal - The Focal Point for Security on the Net(tm)
Recent postings in our top news http://www.securityportal.com/topnews:

Jul 24, 2000

Weekly Axent Security Roundup - Lluis Mora launched a second successful attack on the Open Hack website. See the details in the news section. The Raptor List remained caught in the trough of the mid-summer siesta; not many people are posting to the list. The good news is that the questions that were asked received plenty of answers from the most committed listees. Read about coupling the firewall with High Availability solutions, the best place to enable redundancy with ISPs, and how to enable the MMC in the Raptor List in Review section. In our Technical Tip this week, we revisit firewall licensing issues.
http://securityportal.com/topnews/weekly/axent20000724.html

Weekly BSD Security Roundup - It looks like the ISC DHCP client was finally fixed -- you should upgrade immediately if you are using it. Also, as noted by FreeBSD, chances are that if you have an older system with any Kerberos support, it needs to be updated! INN 2.2.3 was also released, with a number of security-related bugfixes (mostly preventive, like removing the setuid root bit on rnews).
http://securityportal.com/topnews/weekly/bsd20000724.html

Weekly Checkpoint Security Roundup - Over the last few weeks, trends in the Firewall-1 mailing list have resolved three major points:
1) There is an increasing need for firewall load balancing and/or highly available firewall configurations.
2) There are many available HA solutions, which may include software, hardware, or both, depending on precise requirements and budgetary constraints.
3) There are virtually no networked systems which are 100% safe from all types of Denial-of-Service attacks, and Firewall-1 is no exception to this assumption.
This week, many threads revolved around these issues. Also discussed were numerous methodologies and suggestions for basic firewall troubleshooting.
http://securityportal.com/topnews/weekly/checkpoint20000724.html

Weekly Executive Digest - A new law is being proposed allowing employees to sue employers for secretly monitoring them; a treaty on cybercrime has some very bad language; and surprise - we have a problem with credit card fraud on the Internet. With news reports publicizing the FBI's "Carnivore" email monitoring system, the White House decides they might as well propose updating wiretapping laws to make it legal. We also shed some light on a vital topic to ask your techies about - Home PC security for your employees.
http://securityportal.com/topnews/weekly/exec20000724.html

Weekly Linux Security Roundup - Quite a few patches issued this week. On several distributions, rpc.statd (usually shipped as part of nfs-utils) was found to have some holes (remote root access), and holes were also found in usermode, a package that lets non-root users reboot or halt the system (you'd think they would have taken special care with this one - apparently not). It looks like the ISC DHCP client was finally fixed - you should upgrade immediately if you are using it. More cvsweb updates - a lot of sites use this package, many of which are "public," meaning there is a decent risk a user might want shell access on the server (which cvsweb is nice enough to provide). Also, INN 2.2.3 was released, with a number of security-related bugfixes (mostly preventive, like removing the setuid root bit on rnews).
http://securityportal.com/topnews/weekly/linux20000724.html

Weekly Microsoft Security Roundup - A huge hole was reported in all versions of Outlook and Outlook Express this week. There is a buffer overflow that can be exploited via the GMT section of the date field in the header of an email. Security Bulletins and patches have been released to fix this problem. Two other Microsoft Security Bulletins were released this week, and fortunately, through one process, you can eliminate all 3 problems. Only one NTBugtraq thread of interest this week wasn't related to the Outlook/Outlook Express issue. It involves a problem with being able to discover a little too much info on the metabase. Read the tip of the week for details on Winetd, an implementation of Inetd for Windows.
http://securityportal.com/topnews/weekly/microsoft20000724.html

Weekly Solaris Security Roundup - Tools updated: Yassp, OpenSSH, LSH, nmap-web. Interesting articles on Routing, C2 in Solaris, DNS hijacking, hackers' revenge, security processes, the ICAT database, installing snort. Vulnerabilities: Java Webserver, wu-pop2d, listserv. Tip of the Week presents a script for easy Solaris audits.
http://securityportal.com/topnews/weekly/solaris20000724.html

Jul 21, 2000

NetRadarEWS: PayPal Lookalike Scam Site - PayPal is an online system people use to send each other money electronically. One user enters a credit card number, selects an amount and who to send it to, and another user has money deposited into their account. After the money has switched accounts, the recipient can have a check mailed to them, and clear their account. A scam artist, apparently based in Russia, has been emailing PayPal users, and telling them they have a large payment waiting. The email contained a link to "Paypai.com" (note: in many fonts a capitalized "i" looks very much like a lowercase "l"), which was the scam artist's web site. Unsuspecting users went to the site, which was made to look identical to the real site, and entered their logon information, which was then transmitted back to the scam artist.
http://admin.securityportal.com/topnews/netradarews/paypal20000721.html

InfoWorld: U.S. lawmakers Introduce Workplace Privacy Measure - Legislation introduced on Thursday in both houses of Congress would require companies to tell employees if they monitor their computer, Internet or telephone use.
http://www.infoworld.com/articles/hn/xml/00/07/20/000720hnprivacybill.xml

Risks-Forum Digest Volume 20: Issue 95 - This is the latest issue of the RISKS digest, a public forum that discusses various risks from aviation software failures and power grid problems to Google allowing anonymous spam.
http://catless.ncl.ac.uk/Risks/20.95.html

The Standard: Paranoia Runs Deep at Hacker Convention - The 'phreaks' and geeks at H2K wore disguises and used code names while listening to talks about not selling out to 'The Man.'
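The PayPal lookalike item above (Jul 21) turns on a single confusable character: a capital I standing in for a lowercase l. The following Python is an example added here, not code from SecurityPortal, NetRadarEWS or PayPal; it folds a small, assumed table of confusable ASCII characters into a "skeleton" string and compares the registrable domain of each link against a list of protected brand domains, so a batch of URLs pulled out of mail can be triaged before anyone clicks. The confusables table, the two-label registrable-domain rule and the sample URLs are all assumptions constructed for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Single ASCII characters that read alike in many proportional fonts. This is a
# deliberately small table assumed for the example, not the Unicode confusables
# list; each entry maps a character to the letter it is commonly mistaken for.
CONFUSABLE_CHARS = {
    "i": "l", "1": "l",   # PayPai.com / paypa1.com both read as paypal.com
    "0": "o",
    "5": "s",
}

# Two-character sequences that collapse into one glyph at small sizes.
CONFUSABLE_PAIRS = {
    "rn": "m",
    "vv": "w",
}


def skeleton(label):
    """Reduce a domain string to what a reader is likely to perceive."""
    # NFKC folds fullwidth and other compatibility forms to plain ASCII where it
    # can; lowercasing is what turns the scam's capital I into the i that the
    # table below then maps to l.
    label = unicodedata.normalize("NFKC", label).lower()
    for pair, single in CONFUSABLE_PAIRS.items():
        label = label.replace(pair, single)
    return "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in label)


def registrable_domain(host):
    """Last two labels of the host. Assumption: no public-suffix handling,
    which is adequate for .com brands such as the one in the story."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_verdict(url, protected_domains):
    """Classify a link relative to the protected brand domains.

    Checks run from strongest to weakest: exact match, whole-domain skeleton
    match (the PayPai case), then the brand's name buried inside an unrelated
    host (secure-paypal.example.org style)."""
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    for brand in protected_domains:
        brand = brand.lower()
        if domain == brand:
            return "legitimate"
        if skeleton(domain) == skeleton(brand):
            return "lookalike of %s" % brand
        if skeleton(brand.split(".")[0]) in skeleton(host):
            return "brand name inside unrelated host (%s)" % brand
    return "unrelated"


def triage(urls, protected_domains):
    """Map every URL to its verdict so a batch of mailed links can be reviewed."""
    return {u: lookalike_verdict(u, protected_domains) for u in urls}


# Constructed sample links for the example; only the first is a PayPal host.
SAMPLE_URLS = [
    "https://www.paypal.com/cgi-bin/webscr",
    "http://www.PayPai.com/cgi-bin/webscr",   # the spelling used in the scam mail
    "http://paypa1.com/login",
    "http://secure-paypal.example.org/",
    "http://www.cnn.com/2000/TECH/",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS, ["paypal.com"]).items():
        print("%-45s %s" % (url, verdict))
```

The skeleton comparison is deliberately one-directional: it only says that a domain could be mistaken for a protected brand, never that it is safe, so anything other than "legitimate" or "unrelated" should be treated as a lead for a human to look at, not as a final block decision.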
http://www.thestandard.com/article/display/0,1151,17002,00.html

Murder Via the Internet - Computer crime originated in the popular imagination as the manipulating of program code or the illegal penetrating of a computer system. The crime was a nonviolent trick by someone who understood the incantations of COBOL, C, C++, or Perl. No one ever got hurt, no blood got spilled. It was a new arena for wayward electrons, not for common-law crimes like murder, robbery, or sexual assault. A new alchemy of crime had emerged.
http://securityportal.com/topnews/murdervia20000721.html

SCO Advisory: Patched WU-FTPd - OpenServer enhancement for /etc/ftpd. A vulnerability in WU-FTPD can allow unprivileged users to obtain "root" permissions.
http://www.sco.com/security/

Jul 20, 2000

IDG: AutoCAD Virus Detected - What seems to be the first virus affecting the popular CAD (computer-aided design) software program, AutoCAD, has been discovered, according to Hispasec, a Spanish security company.
http://www.idg.net/ic_203376_2058_1-1474.html

ZDNet: Biggest German Free E-mailer Hacked - The third major problem in several weeks hit the biggest German free e-mail provider GMX, when a hacker changed 1,625 passwords of users.
http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2605773,00.html?chkpt=p1bn

ZDNet: IE Will Warn Users About 'Cookies' - Microsoft Corp. will announce a major change to the newest version of its dominant Internet browser, unveiling a feature that will better warn consumers when Web sites attempt to implant "cookies," which can be used in some circumstances to track Web surfing by consumers.
http://www.zdnet.com/zdnn/stories/news/0,4586,2605551,00.html

IDG: EU to Regulate Spam and Cookies - The commission's move is part of a proposal for a new regulatory framework for telecommunications, which will pave the way to tighter data privacy protection for all electronic communications, commission officials explained Thursday during a technical briefing.
http://idg.net/ic_203436_1773_1-483.html

Why Do I Have to Tighten Security on My System? (Why Can't I Just Patch?) - Again and again, when considering system security, people tell me, "I already patch my system." I try to explain to them, as I will here, why they're still vulnerable, even if they patch and read BugTraq regularly.
http://securityportal.com/topnews/tighten20000720.html

SJ Mercury: Check Point Surpasses Results, Sees Gains - Surging demand for secure Internet connections helped online security company Check Point Software Technologies Ltd. (CHKP.O) more than double its earnings in the latest quarter, beating forecasts, the company said on Wednesday.
http://www.sjmercury.com/svtech/news/breaking/internet/docs/215956l.htm

FCW: GSA Rethinks FIDNet Solution - The General Services Administration this week decided to delay its acquisition of a governmentwide system to detect cyberattacks so that the agency can better align the request for proposals with commercial market solutions.
http://www.fcw.com/fcw/articles/2000/0717/web-fidnet-07-19-00.asp

Cauce News: House Passes Anti-spam Bill - At about 3:45 PM on July 18th, the US House of Representatives passed HR 3113, the "Unsolicited Commercial Electronic Mail Act of 2000", introduced by Rep. Heather Wilson, Rep. Gary Miller, and Rep. Gene Green. The bill enjoyed an overwhelming margin of 427-1.
http://www.cauce.org/newsletter/v4n1.shtml

ComputerWorld: Critics Bash U.S. Plan For Surveillance Standards - Privacy advocates yesterday said they're deeply disappointed with a White House proposal intended to strengthen legal requirements for Internet surveillance by law enforcement agencies, although the Clinton Administration vigorously defended the measures it put forward.
http://www.computerworld.com/cwi/story/0,1199,NAV47_STO47320,00.html?OpenDocument&~f

NAI: LISTSERV Web Archive Remote Overflow - The L-Soft LISTSERV web archive (wa, wa.exe) component contains an unchecked buffer allowing remote execution of arbitrary code with the privileges of the LISTSERV daemon.
http://securityportal.com/topnews/nai20000720.html

SCO Advisory: OpenServer 5.0.X Fix - Fix for /etc/sysadm.d/bin/user0sa, which could allow a user to overwrite any file with group auth (i.e. /etc/shadow).
http://sco.com/security/

ComputerWorld: Microsoft Scrambling to Fix New Outlook Security Hole - Microsoft Corp. is once again scrambling to fix a newly discovered vulnerability in its software that security experts warn is every bit as dangerous as an earlier one, for which a workaround was posted less than a week ago (see July 19th Top News).
http://www.computerworld.com/cwi/story/0,1199,NAV47_STO47323,00.html?OpenDocument&~f

Jul 19, 2000

Iris Scanning At Airports - Ostensibly to streamline ticketing procedures, iris scanners will be installed at Charlotte/Douglas International Airport in North Carolina and Flughafen Frankfurt Airport in Germany. They are not (yet) using the long distance methods available, instead using a B&W camera and having the passenger 6 to 36 inches away. As a note, other technologies are available using very high quality, high speed cameras capable of taking a picture of a person's iris while moving.
http://www.cnn.com/2000/TECH/computing/07/19/iris.scan.idg/index.html

FCW: Bureau Names New eFBI Chief - The FBI has named a new assistant director to oversee the design and launch of eFBI, a recently renamed and resurrected program that will give bureau agents the ability to share and sift through information via the World Wide Web.
http://www.fcw.com/fcw/articles/2000/0717/web-efbi-07-18-00.asp

ZDNet: Earthlink Offers DSL Users Free Security - Internet service provider EarthLink (Nasdaq: ELNK) will offer its high-speed users more security in the form of personal firewall software, the company said Tuesday.
http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2605118,00.html?chkpt=p1bn

The Convention on Cybercrime: Why It Will Do Far More Harm Than Good - The creators of this document surely work from the best of intentions, but they do not fully comprehend the gravity of some of their proposals. Given the lack of technical awareness on the part of most politicians, lawyers, etc., the present circumstance is unsurprising. While to non-technical parties the proposals presented in the convention may appear reasonable, close examination makes it obvious they will do a great deal of damage to computer security efforts.
http://securityportal.com/topnews/cybercrime20000719.html

CNN: Pssssst ... Someone May be Following You on the Internet - There is a good chance that when you surf the Web you are being tracked, because information about where you go on the Internet and what sites catch your interest is worth billions of dollars to Web advertisers.
http://www.cnn.com/2000/TECH/computing/07/18/web.bugging/index.html

Jul 18, 2000

MSNBC: 'Huge' E-mail Hole Allows Access to PCs - A new method for attacking computers connected to the Internet allows vandals to take control of a PC simply by sending it an e-mail. The vulnerability in Microsoft's Outlook e-mail program has widespread implications: Until now, victims had to willingly open an e-mail attachment, or at least view a specially formed e-mail message, to be attacked. Now, a computer vandal could conceivably take control of thousands of computers with a single mass e-mail. Intruders can have their way with a target machine once it begins to download the ill-formed message to its hard drive.
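The MSNBC item above, together with the Microsoft roundup earlier in this issue, places the Outlook overflow in the GMT (time zone) part of the Date header, and notes that the message only has to be downloaded, not opened, for it to trigger. The following Python is an example added here, not Microsoft's or SecurityPortal's code and not an exploit: it is the kind of gateway or mailbox check an administrator could run while patches were being rolled out. It parses only the header block of a message and rejects any Date field whose zone token does not fit the RFC 822 zone grammar, or whose whole value is implausibly long. The length threshold and the two sample messages are assumptions constructed for the example; nothing here comes from the bulletin.

```python
import re
from email.parser import HeaderParser

# Zone grammar from RFC 822 section 5.1 (retained by RFC 2822 as obs-zone):
# "+HHMM"/"-HHMM", "UT", "GMT", the North American named zones, or a single
# military letter (J is unused).
ZONE_RE = re.compile(r"^(?:[+-]\d{4}|UT|GMT|[ECMP][SD]T|[A-IK-Z])$", re.IGNORECASE)

# An RFC 822 date-time such as "Tue, 18 Jul 2000 14:25:03 -0700 (PDT)" is well
# under this length. The threshold is an assumption for this example, not a
# figure from the bulletin.
MAX_DATE_LEN = 64


def check_date_header(value):
    """Return (ok, reason) for one Date: field value."""
    value = " ".join(value.split())          # unfold and collapse whitespace
    if len(value) > MAX_DATE_LEN:
        return False, "date field too long (%d chars)" % len(value)
    # Drop a trailing RFC 822 comment such as "(PDT)" that many MUAs append.
    bare = re.sub(r"\s*\([^)]*\)$", "", value)
    tokens = bare.split()
    if len(tokens) < 4:                      # date, time and zone at minimum
        return False, "too few tokens for an RFC 822 date"
    zone = tokens[-1]
    if not ZONE_RE.match(zone):
        return False, "zone token %r is not an RFC 822 zone" % zone[:16]
    return True, "ok"


def scan_message(raw):
    """Parse only the headers of a raw message and check every Date: field.

    headersonly=True stops the parser at the blank line, so the body of a
    suspicious message is never touched by this check."""
    msg = HeaderParser().parsestr(raw, headersonly=True)
    return [check_date_header(v) for v in msg.get_all("Date", [])]


def findings(raw):
    """Reasons for every rejected Date: field; an empty list means it passes."""
    return [reason for ok, reason in scan_message(raw) if not ok]


# Constructed sample messages (not real mail). The second carries an oversized
# zone token of the general shape the bulletin describes; it is padding only.
GOOD_MSG = (
    "From: alice@example.net\n"
    "Date: Tue, 18 Jul 2000 14:25:03 -0700 (PDT)\n"
    "Subject: status\n"
    "\n"
    "all quiet\n"
)

BAD_MSG = (
    "From: mallory@example.net\n"
    "Date: Tue, 18 Jul 2000 14:25:03 GMT" + "A" * 300 + "\n"
    "Subject: urgent\n"
    "\n"
    "see attached\n"
)

if __name__ == "__main__":
    for name, raw in (("GOOD_MSG", GOOD_MSG), ("BAD_MSG", BAD_MSG)):
        print(name, findings(raw) or "passes")
```

Because the page says the overflow fires on download rather than on viewing, a check like this only helps if it runs somewhere upstream of the vulnerable client, such as on the SMTP gateway or the POP/IMAP server, which is why it works on the raw header block rather than on anything a client has already parsed.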
http://www.msnbc.com/msn/432208.asp

FCW: Pakistan Group Defaces NOAA Web Pages - Hackers calling for the United States to mediate the territorial conflict in Kashmir attacked and defaced 11 National Oceanic and Atmospheric Administration World Wide Web pages over the weekend.
http://www.fcw.com/fcw/articles/2000/0717/web-hack-07-18-00.asp

Wired: Yesmail Fights Blacklist Threat - Did the Mail Abuse Prevention System overstep its boundaries by threatening to put a permissive email marketer on its blacklist? Yesmail says it did, and went to court to prevent it from happening.
http://wired.com/news/politics/0,1283,37621,00.html

Securing Your Home Network - If you don't take an active part in securing your home network, then you're at risk. Don't dismiss the likelihood of a stranger accessing your computers. If you have a high-speed connection to the Internet, then you're probably scanned for common vulnerabilities much more frequently than you would expect. If you're still on an old clunky analog connection, don't think you're not at risk either. You may not be targeted as frequently, but if an attacker has reason to believe you have something of value, she will take the time to target you.
http://securityportal.com/topnews/secure20000718.html

ComputerUser: Delaware Governor Signs Digital Signature Bill - The First State is the first state to enact legislation that recognizes digital notarization and time stamping in electronic-commerce transactions. Delaware Gov. Thomas R. Carper digitally signed and electronically notarized the Uniform Electronic Transactions Act, which recognizes the legal validity of digital signatures and notarization for e-commerce.
http://currents.net/news/00/07/18/news15.html

InformationWeek: The Politics of Privacy Protection - Momentum for online privacy regulation is building, and odds are good that the government will step in.
http://web.lexis-nexis.com/more/cahners-chicago/11407/6077921/1

Wired: Signing Up to Be Surveilled - Forget the pager number and don't bother calling. One company is making it easier for folks to "track" anyone, by allowing them to pull up a map of the person's location on a personal digital assistant (PDA) or computer.
http://wired.com/news/technology/0,1282,37559,00.html

TechWeb: E-tailers Hit Hard By Credit Card Fraud - Credit card fraud is 12 times higher for online merchants than their offline, brick-and-mortar counterparts, according to a survey of more than 160 online retailers by market researcher GartnerGroup, Stamford, Conn.
http://www.techweb.com/wire/story/TWB20000717S0009

Jul 17, 2000

CNN: White House proposes updated wiretapping laws - The White House proposed legislation Monday to update wiretapping rules so that legal protections currently applied to telephone calls are extended to new forms of electronic communication, like e-mail.
http://www.cnn.com/2000/TECH/computing/07/17/clinton.wiretaps.ap/index.html

CNN: ACLU: Block FBI E-snoops - The American Civil Liberties Union on July 11 appealed to Congress to protect Americans from unreasonable searches and seizures on the Internet in light of recent revelations that a new monitoring tool could enable the FBI to intercept the e-mail of law-abiding citizens. In a letter to the House Judiciary Committee's Constitution Subcommittee, ACLU director Laura Murphy argued that the FBI's new Carnivore e-mail surveillance system gives federal law enforcement officers access to the e-mail of every customer of an Internet service provider and the e-mail of every person who communicates with them.
http://www.cnn.com/2000/TECH/computing/07/17/aclu.v.snoops.idg/index.html

LinuxGazette: Building a Secure Gateway System - In issue 51 of the Linux Gazette, the article titled "Private Networks and RoadRunner using IP masquerading" explains how to set up a Linux based gateway with good security in mind. The authors suggest starting with a clean install of Linux, which is an excellent idea, as security starts with a secure install, and that is what this article is about. When finished, this will be a very lean install, weighing in at about 130 MB plus swap; there will be no X Windows, though I like to install Midnight Commander for file management.
http://www.linuxgazette.com/issue54/stoddard.html

Register: Reno DoJ Pressures Journalist to Nail Hackers - The US Department of Justice (DoJ) has taken its hacker witch-hunt to new lows by ordering Forbes Magazine reporter Adam Penenberg to testify before a federal grand jury in connection with a 1998 article he wrote on computer enthusiasts 'Slut Puppy' and 'Master Pimp', who allegedly broke into the New York Times Web site and disabled it for nine hours.
http://www.theregister.co.uk/content/6/11986.html

IDG: U.S. Updates Encryption Export Policy - The U.S. on Monday announced an update to its encryption export policy affecting companies that sell encryption software to users in the 15 European Union nations and in eight other countries that are U.S. allies.
http://idg.net/ic_202475_1773_1-483.html

TechWeb: Jello Biafra Issues Call To Arms For Hackers - Jello Biafra, former lead instigator of the Dead Kennedys, still knows how to lob a metaphorical Molotov cocktail. In a two-hour keynote address at the Hackers on Planet Earth (HOPE) convention in New York, Biafra ranted against "corporate rule," the cult of celebrity, and what he sees as the cozy relationship between the media and business interests.
http://techweb.com/wire/finance/story/INV20000717S0001

IDG: New Media Firm Gets Hit on Privacy Concerns - A new media company offering access to photo, video and music clips may also be providing some unauthorized access to multimedia files on unsuspecting users' hard drives.
http://idg.net/ic_201682_1794_9-10000.html

ZDNet: Hackers Flexing Political Muscles - Will the GOP National Convention be the next hacktivism target? Inspired by the Seattle protests, hackers and activists make plans at H2K.
http://www.zdnet.com/zdnn/stories/news/0,4586,2604179,00.html

******* What's New With SecurityPortal *******

IPSec - We've Got a Ways to Go (Part I)
IPSec is supposedly the next great thing that will fix most (if not all) of our network security problems. No longer will attackers be able to sniff network traffic, hijack connections or spoof servers. Hijacking domain names will be impossible with DNSSEC, and redirecting people to fake Websites will be a thing of the past. Or will it? There are currently a lot of problems and shortcomings with IPSec that prevent the majority of network traffic from being encrypted. Right now IPSec is being deployed primarily in two environments. The first is gateway to gateway, behind which are normal IPv4 LANs moving unencrypted data around. In order to connect them securely over the Internet, IPSec gateways are deployed to encrypt traffic going through them. This is very useful for connecting branch offices together, and in other similar situations.
Read the full story at: http://securityportal.com/closet/closet20000719.html

******* New at SecurityPR.com, a Vendor Press Release Site *******

Datalink.net and Certicom to Provide High Performance Wireless Security - Certicom's Elliptic Curve Cryptography (ECC) to Ensure Secure Communications for Wireless Access to Enterprise Data and M-Commerce Transactions.
http://securityportal.com/pr/pr.20000721235034.html

Microsoft Announces New Cookie Management Features For Internet Explorer 5.5 - Latest Commitment to Privacy Further Empowers Consumers To Protect Their Personal Information on the Internet.
http://securityportal.com/pr/pr.20000722000648.html

New Management Features in WatchGuard SOHO Deliver Powerful Protection for Small Offices and Telecommuters - WatchGuard SOHO now offers Web blocking and control over instant messaging services.
http://securityportal.com/pr/pr.20000722003633.html

Enter your own Press Releases directly at SecurityPR.com.
http://securitypr.com

*******************************************

Tell us how we are doing. Send any other questions or comments to [EMAIL PROTECTED]

Michael McCrea and Tony Chapman
SecurityPortal -- The Focal Point for Security on the Net
[EMAIL PROTECTED]
[EMAIL PROTECTED]

--------------------------------------------------------------------------
To unsubscribe, send email to [EMAIL PROTECTED]
Archive information at http://www.linux.or.id/milis.php3
The list administrators can be reached via [EMAIL PROTECTED]
