*******
You may leave the list at any time by sending an email to [EMAIL PROTECTED] with the text "SIGNOFF SECURITYPORTAL-L" in the body of the email. We will miss you!
*******

******* Vendor Corner *******

Sponsored by Finjan Software

YES, THERE ARE ALTERNATIVES TO REACTIVE ANTI-VIRUS TECHNOLOGY

Finjan Software offers proactive security solutions using real-time behavior monitoring technology to block malicious code WITHOUT relying on database updates. Get proactive protection for VB Script, .exe Trojans and worms like ILOVEYOU, ExploreZip and LifeStages. Why rely on security products that offer updates AFTER you've been hit when you can block first-strike attacks before damage occurs? Find out more, and download Finjan's personal security freeware, at:
http://www.finjan.com/firststrike.cfm?security=2

******* What's New With SecurityPortal *******

In my last article, "Why do I have to harden?", I discussed how security exploits develop and why you must do more than just patch. Here, I explain what that "do more" bit means. "Hardening" a system is the practice of making that system much harder to crack. I like to think that this involves steps not only to prevent break-ins, but also to detect them when they happen. To this end, I use the following steps/guidelines in tightening security on a Linux/UNIX system:

Firewall the box!
Patch, patch, patch!
Perform a Set-UID root audit of the system
Deactivate all unnecessary network daemons/services
Tighten the configurations of all remaining network daemons
Harden the core O/S itself (A little)
Intrusion Detection
Educate the SysAdmin and end-users

Read the full story here:
http://securityportal.com/cover/coverstory20000731.html

******* Vendor Corner *******

Sending the wrong kind of e-mail can get you fired. The New York Times recently fired more than 20 employees for sending inappropriate and offensive e-mail, and Xerox recently let 40 workers go for violating its policy on Internet use.
As Internet usage becomes more pervasive at companies, stories like these are becoming more common and anxiety about the potential liabilities of electronic communications is soaring. It's true: uncontrolled e-mail and Internet traffic can not only damage your workplace environment... it can cost your company in network downtime, and millions of dollars in lawsuits. Visit <http://www.conqwest.com/policy/sp2> to learn more about how you can strengthen your company's computer usage policies and protect both yourself and your company's assets.

******* Top News *******

Welcome to SecurityPortal - The Focal Point for Security on the Net(tm)

Recent postings in our top news http://www.securityportal.com/topnews:

Jul 31, 2000

Weekly Axent Security Roundup - If you haven't heard already, AXENT has been bought by Symantec. Read the news section for the skinny. On the list this week: a comprehensive discussion on passing Microsoft's Outlook Web Access through the firewall, a question regarding antivirus software running with the firewall, and an explanation on running SSL on non-standard ports. In our technical tip this week, Chris Poulin ([EMAIL PROTECTED]) discusses care and feeding of the hardware on which you run your firewall.
http://securityportal.com/topnews/weekly/axent20000731.html

Weekly BSD Security Roundup - A minor problem in OpenLDAP: one program is installed mode 775 (group-writable). Apart from that, not much. This does bring up the topic, however, of finding files and directories with improper permissions. Generally speaking, a file should only be writeable by the owner, very rarely the group, and almost never any other. You can use find -perm to locate these files and directories. The other problem this week is in Netscape: there is a potential vulnerability in the jpg handling code.
http://securityportal.com/topnews/weekly/bsd20000731.html

Weekly Checkpoint Security Roundup - It was a fairly light week for the list, in general.
There were numerous postings, but most of them dealt with traditional firewall administration questions. Of some import, however, is Check Point's announcement regarding the much-anticipated release of version 4.1's second Service Pack. Several of the list members have already downloaded and installed this patch set, and we would strongly recommend that you do the same, given the numerous product enhancements and security fixes it provides. Although the Service Pack was not explicitly discussed on the list, this week's digest contains a special section detailing its importance, as well as crucial and diligent configuration practices.
http://securityportal.com/topnews/weekly/checkpoint20000731.html

Weekly Executive Digest - The U.S. Congress is in an uproar over the privacy implications of the FBI's "Carnivore" email monitoring system. At the same time, the White House pressures Internet advertisers to protect consumer privacy. Microsoft feels that the answer to its security woes is simply more testing. Governments seek to better coordinate their response to electronic crime. Also, make sure your techies are monitoring our Top20 virus list.
http://securityportal.com/topnews/weekly/exec20000731.html

Weekly Linux Security Roundup - Conectiva Linux sure was busy this week, issuing a half dozen advisories. There was also a minor problem in OpenLDAP (one program is installed mode 775, i.e. group-writable); apart from that, not much. This does bring up the topic, however, of finding files and directories with improper permissions. Generally speaking, a file should only be writeable by the owner, very rarely the group, and almost never any other. You can use find -perm to locate these files and directories. The other problem is in Netscape: there is a potential vulnerability in the jpg handling code.
http://securityportal.com/topnews/weekly/linux20000731.html

Weekly Microsoft Security Roundup - Microsoft has been fairly busy the last few weeks, churning out new Security Bulletins and fixes. This week there were four new bulletins, as well as an older one being updated, covering problems with Windows 2000, Windows NT 4.0, Excel 97, and Excel 2000. On the NTBugtraq list there were some interesting posts involving a logon DoS with EFS in Windows 2000, disabling Netlogon DNS A-record registrations, and an Executable Path Searching Vulnerability in Windows NT/2000. If you are interested in Smart card support in Windows, read the tip of the week.
http://securityportal.com/topnews/weekly/microsoft20000731.html

Weekly Solaris Security Roundup - Vulnerabilities: Roxen, Websphere and Navigator require attention. Tools updated: Snort. Articles: Forensics, IPFilter, Sendmail. The Tip of the Week presents The Coroner's Toolkit (TCT).
http://securityportal.com/topnews/weekly/solaris20000731.html

Jul 28, 2000

The Standard: Cybersecurity Project Threatened - A lack of funding is threatening a public-private initiative aimed at preventing cyberattacks similar to the denial-of-service attacks against Yahoo (YHOO), eBay (EBAY) and others in February.
http://www.thestandard.net/article/display/0,1151,17209,00.html

UK Email Monitoring Bill (RIP) Passes - The UK government can now monitor any and all email. If you encrypt it they can demand your encryption keys; it is illegal not to hand them over. "Innocent until proven guilty" seems to be a passing fad in law enforcement.
http://www.thestandard.com/article/display/0,1151,17179,00.html

FCW: Security Education in Crisis - The information technology industry has become saturated with 20-something whiz kids who lack adequate training, education and professional discipline, creating a significant knowledge deficit when it comes to information security, a panel of top educators warned.
http://www.fcw.com/fcw/articles/2000/0724/web-secrity-07-27-00.asp

CERT Tech Tip: How the FBI Investigates Computer Crime - This guide provides information about the federal investigative and prosecutive process for computer related crimes. It will help you understand some of the guidelines, policies, and resources used by the Federal Bureau of Investigation (FBI) when it investigates computer crime.
http://www.cert.org/tech_tips/FBI_investigates_crime.html

Wired: Privacy Sleuthing Goes Pro - Richard Smith, the man who exposed many a privacy breach online, takes his hobby to a new level, joining the University of Denver's Privacy Center. Its newborn mission: to sniff out Internet privacy breaches.
http://wired.com/news/technology/0,1282,37812,00.html

TechWeb: EU Commission Endorses Data Privacy Pact With U.S. - The European Commission said on Thursday that it has endorsed a data-protection agreement with the United States, averting a feared trade dispute over tough European rules on the privacy of personal data.
http://www.techweb.com/wire/story/reuters/REU20000727S0007

Jul 27, 2000

MSNBC: Online Ad Firms Reach Privacy Pact - The Clinton Administration and online advertising firms reached a landmark agreement Thursday aimed at defining the rules governing tracking of Web surfers, demonstrating that federal regulators still hold some faith in the Internet industry's attempt at self-regulation.
http://www.msnbc.com/msn/438468.asp

MSNBC: House Asks Reno to Suspend Carnivore - Top House Republican leaders asked U.S. Attorney General Janet Reno today to suspend all further use of Carnivore, the FBI's controversial e-mail surveillance tool. The call for Carnivore's suspension comes on the heels of a congressional hearing on Monday in which FBI officials faced bipartisan criticism of the snooping software.
http://www.msnbc.com/msn/438436.asp

SecurityPR.com: Symantec Strengthens Security Leadership With Acquisition of Axent - Symantec Corp. and AXENT Technologies, Inc. today announced that their boards of directors have approved the acquisition of AXENT(tm) by Symantec in a stock-for-stock transaction valued at approximately $975 million. The combination of the two companies will create a new leader in Internet security for enterprise customers.
http://securityportal.com/pr/pr.20000727075830.html

Digital Signatures and Stolen Automobiles - I can repudiate my apparent handwritten signature with a simple affidavit. A qualified document examiner then determines if I'm telling the truth. Recently, here in Texas, an attorney's ex-secretary sent a letter to the State Bar, with her former boss' forged signature, resigning his law license. Yet, with expert testimony about the forgery, he got his license back. Would he be so fortunate if his signature had been digital? A handwritten signature is an expression of a person's biology and mind; a digital signature is not. A conventional signature is subject to analysis regarding its authenticity. And, it remains under the person's control until the time of signing.
http://securityportal.com/topnews/cars20000727.html

SJ Mercury: British E-Mail Snooping Bill Passes into Law - The British government, after a long parliamentary struggle, on Wednesday enshrined in law a bill to allow police and security services to trawl private e-mails.
http://www.sjmercury.com/svtech/news/breaking/internet/docs/244853l.htm

Many Countries Said to Lack Computer Crime Laws - According to this article, more than 100 countries lack laws regarding computer related crime.
http://www.cnn.com/2000/TECH/computing/07/26/crime.internet.reut/index.html

Wired: U.S. Wants More Cybercrime Laws - More than 100 countries do not have the laws to deal with computer-related crime, undercutting efforts to battle a growing international threat, law enforcement officials said on Wednesday.
http://wired.com/news/politics/0,1283,37809,00.html

IDG: U.S. Senators Propose Web Privacy Legislation - Responding to a groundswell of public concern about privacy on the Internet, a bipartisan group of U.S. senators Wednesday proposed a bill that would require Web sites to post clear and concise information about their privacy practices.
http://idg.net/ic_205214_1794_9-10000.html

IDG: International Panel Testifies on Cyber Attacks - An international panel of computer security officials told a U.S. congressional committee Wednesday that a quicker response to cyber attacks is needed both between countries and between government and private industry.
http://idg.net/ic_205203_1794_9-10000.html

CERT Advisory: Microsoft Outlook and Outlook Express Cache Bypass - Microsoft has recently released Microsoft Security Bulletin MS00-046, in which they announced a patch for the "Cache Bypass" vulnerability. By exploiting this vulnerability, an attacker can use an HTML-formatted message to read certain types of files on the victim's machine.
In addition, because this vulnerability also allows the attacker to store files on the victim's machine, it can be used in conjunction with existing vulnerabilities to execute arbitrary code on the target system.
http://securityportal.com/topnews/CA-2000-14.html

ZDNet: Silence the Best Security Policy - Well-meaning hackers are creating an army of "script kiddies" by making security holes public, says a speaker at the Black Hat Security Conference.
http://www.zdnet.com/zdnn/stories/news/0,4586,2608077,00.html

Jul 26, 2000

Top 20 Virus Report - Consolidated report of virus activity from several resources.
http://securityportal.com/research/virus/top20_20000726.html

Wired: FBI Gives a Little on Carnivore - The FBI says it will conduct a privacy audit of a controversial surveillance system, but the agency won't release key information about how Carnivore works.
http://wired.com/news/politics/0,1283,37765,00.html

FCW: VA Signs on to Digital Signatures - The General Services Administration jump-started the government's move to digital signatures this week, awarding 100,000 free digital certificates to the Department of Veterans Affairs.
http://www.fcw.com/fcw/articles/2000/0724/web-esign-07-25-00.asp

ComputerWorld: Microsoft Security Executive Promises Improvements - The man who receives more complaints about the security of Microsoft Corp.'s software than anyone on the planet vowed here yesterday that the company's products are improving in quality and will continue to become more secure.
http://www.computerworld.com/cwi/story/0,1199,NAV47_STO47494,00.html?OpenDocument&~f

ZDNet: Site Tracks Stolen Mobile Phones - Mobile phone gone missing?
Australian Web site PhoneChoice.com.au is offering a service to match lost or stolen phones with their rightful owners -- and will even courier the handsets back, safe and sound.
http://www.zdnet.com.au/equip/news/stories/au0004308.html

Jul 25, 2000

The Standard: Online Privacy 101 - The nonprofit advocacy group that has stamped its privacy seal of approval on nearly 2,000 Web sites will team up with a dozen major Internet companies to launch a consumer education campaign.
http://www.thestandard.net/article/display/0,1151,17088,00.html

Protecting the Investigators - An article in the Harvard Journal of Law & Technology from the summer 1997 issue warns that police may face attacks against their information systems in the 21st century. As criminals become more sophisticated about information technology, the concern loses any hint of science fiction. Attacking the investigators may become a viable option, especially when one doesn't even have to visit the police station.
http://securityportal.com/topnews/protect20000725.html

LinuxPR: LinuxMagic VPN Firewalls: For Home or Small Office Use - "Now it is possible to cheaply and securely protect home and office from unwanted intrusions. Professionals can log into their office computers from home, or connect two offices via the latest Encryption Technologies, with the added bonus of a full-fledged firewall."
http://linuxpr.com/releases/2236.html

Freshmeat: Hacker's Calculator 1.0 - The Hacker's Calculator is a simple integer calculator based on C syntax with support for hex and octal numbers.
http://www.newsnow.co.uk/cgi/NGoto/2063661?-750

SecurityPR.com: Patent Granted for Wireless Security - NTRU Cryptosystems, Inc. (www.ntru.com) on Monday announced it has received U.S. Patent No. 6,081,597 for a new public key cryptosystem. NTRU claims that the new cryptosystem is ideal for wireless solutions with a low memory footprint, high speed, and "Disposable key" architecture.
http://securityportal.com/pr/pr.20000724081335.html

Wired: Attack on Spy Activist's Site - A website that distributed secret documents from U.S. and Japanese intelligence agencies apparently is under siege in a denial-of-service attack. The publisher of cryptome.org, which houses a massive archive of files related to spy agencies, recently started publishing a series of classified CIA documents and personnel files related to Japan's Public Security Investigation Agency.
http://wired.com/news/politics/0,1283,37746,00.html

CNet: Internet Companies Partner for Privacy - Internet industry titans are putting aside their differences, just this once, to agree on a public service campaign on online privacy to be announced tomorrow. The group, called Privacy Partnership 2000, will fund print, radio and Web ads dedicated to educating the public about privacy issues and offering tips on how to protect personal information online.
http://news.cnet.com/news/0-1005-200-2338272.html?tag=st.ne.1002.thed.ni

ZDNet: Congress isn't Swallowing Carnivore - Officials from the FBI and the U.S. Department of Justice faced a skeptical -- and at times downright hostile -- House Judiciary Committee on Monday during an oversight hearing on the constitutional issues raised by the FBI's Carnivore electronic monitoring program.
http://www.zdnet.com/zdnn/stories/news/0,4586,2606899,00.html

Jul 24, 2000

Personal Firewalls / Intrusion Detection Systems - Following a great deal of feedback on this article from last Monday, Sean Boran has updated his survey of personal firewalls to include a brief rundown on formerly unreviewed software, plus some other timely updates.
http://securityportal.com/cover/coverstory20000717.html

Linux Distribution Security Report - How are the various Linux distributions doing in terms of general security? In this article, I make a few observations on the results of a quasi-statistical analysis of the security fixes issued by Linux distributions.
We will look at response time and total number of bugs, as well as how often a distribution is released and how popular it is. A second primary concern is what software a vendor ships, and how it is configured. The article is not meant so much as a comparison of the various distributions as a general industry report. Links to other related articles on this topic are provided at the end of this page.
http://securityportal.com/cover/coverstory20000724.html

LinuxToday: Linux Mandrake Security Team: MDKSA-2000:023 inn update - A vulnerability exists when verifycancels is enabled in /etc/news/inn.conf. This vulnerability could be used to gain root access on any system with inn installed. This new version also does not install inews as setgid news or rnews as setuid root. Many other security paranoia fixes have been made as well.
http://linuxtoday.com/news_story.php3?ltsn=2000-07-23-005-20-SC-MD

LinuxToday: Linux Mandrake Security Team: MDKSA-2000:022 dhcp update - All versions of the ISC DHCP client program, dhclient, are vulnerable to a root attack by a corrupt DHCP server. This version fixes the vulnerability. Versions of Linux Mandrake prior to 7.0, while including the ISC DHCP server, do not include the DHCP client and are therefore not subject to this vulnerability.
http://linuxtoday.com/news_story.php3?ltsn=2000-07-23-004-20-SC-MD

IDG: FBI demos e-mail sniffer program 'Carnivore' - The U.S. Federal Bureau of Investigation provided details on Friday about a controversial technology that law enforcement officials began using recently to uncover evidence in e-mail.
http://idg.net/ic_203826_1794_9-10000.html

Jul 21, 2000

NetRadarEWS: PayPal lookalike scam site - PayPal is an online system people use to send each other money electronically. One user enters a credit card number, selects an amount and who to send it to, and another user has money deposited into their account.
After the money has switched accounts, the recipient can have a check mailed to them, and clear their account. A scam artist, apparently based in Russia, has been emailing PayPal users, telling them they have a large payment waiting. The email contained a link to "PayPaI.com" (note: in many fonts a capital "I" looks very much like a lowercase "l"), which was the scam artist's web site. Unsuspecting users went to the site, which was made to look identical to the real site, and entered their logon information, which was then transmitted back to the scam artist.
http://admin.securityportal.com/topnews/netradarews/paypal20000721.html

InfoWorld: U.S. lawmakers introduce workplace privacy measure - Legislation introduced on Thursday in both houses of Congress would require companies to tell employees if they monitor their computer, Internet or telephone use.
http://www.infoworld.com/articles/hn/xml/00/07/20/000720hnprivacybill.xml

Risks-Forum Digest Volume 20: Issue 95 - This is the latest issue of the RISKS digest, a public forum that discusses various risks, from aviation software failures and power grid problems to Google allowing anonymous spam.
http://catless.ncl.ac.uk/Risks/20.95.html

The Standard: Paranoia Runs Deep at Hacker Convention - The 'phreaks' and geeks at H2K wore disguises and used code names while listening to talks about not selling out to 'The Man.'
http://www.thestandard.com/article/display/0,1151,17002,00.html

******* What's New With SecurityPortal *******

IPSec - We've Got a Ways To Go (Part II)

Last week I covered some concerns with IPSec that most people seem unaware of. This week I'll be covering several of the more popular/advanced IPSec solutions, their shortcomings and their strengths. Obviously, for IPSec to become commonplace, the various implementations need to be compatible. Of course, the problem is that there is compatibility and there is "compatibility."
Most implementations have at least adhered to the basic IPSec standards, such as protocols, service types and so on. Many, however, have added extensions, not all of which are compatible with others.

Read the full story at:
http://securityportal.com/closet/closet20000726.html

******* New at SecurityPR.com, a Vendor Press Release Site *******

Tiny Software Announces Solution To Recent Security Flaw In Microsoft Outlook Email Clients - WinRoute Pro Could Potentially Save Corporate Networks Millions
http://securityportal.com/pr/pr.20000727140145.html

Symantec Strengthens Security Leadership With Acquisition of Axent - (see the Jul 27 item under Top News above)
http://securityportal.com/pr/pr.20000727075830.html

Hacking Portals & Websites - Prevention & Damage Control - iCMG, a global leader in standards-based, component/object oriented, distributed computing and middleware solutions, announced that it is bringing its Internet Security Consultant - iCMG Inc., USA, Mr. Tom Cervenka to the subcontinent for a one day workshop on 'Hacking Portals & Web sites - Prevention & Damage Control'.
http://securityportal.com/pr/pr.20000725053631.html

Enter your own Press Releases directly at SecurityPR.com.
http://securitypr.com

*******************************************

Tell us how we are doing.
Send any other questions or comments to [EMAIL PROTECTED]

Michael McCrea and Tony Chapman
SecurityPortal -- The Focal Point for Security on the Net
[EMAIL PROTECTED]
[EMAIL PROTECTED]

--------------------------------------------------------------------------
To unsubscribe, send email to [EMAIL PROTECTED]
Archive information at http://www.linux.or.id/milis.php3
The list administrators can be reached at [EMAIL PROTECTED]
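The "Set-UID root audit" step in the hardening checklist above, its point that hardening must also detect break-ins, and the find -perm tip repeated in the BSD and Linux roundups can all be served by one small script. The following is an added example written for this digest, not code from the hardening article, the roundups or SecurityPortal; the function names, the baseline path /var/lib/hardening/setuid.baseline and the file-system layout it is pointed at are this example's own assumptions.

```sh
#!/bin/sh
# Added example: set-UID and permission audit for a Linux/UNIX host.
# Not code from the SecurityPortal article; function names and the
# baseline location are this example's own choices. POSIX find/comm only.

# Every regular file below ROOT with the set-UID or set-GID bit set.
# -xdev keeps find on the filesystem ROOT lives on, so /proc, /dev and
# network mounts are not walked; call it once per local filesystem.
audit_setuid() {
    root=${1:-/}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Files and directories below ROOT that anyone on the box may write to.
# Symlinks are skipped (their own mode is always 777), and so are
# sticky-bit directories such as /tmp, which are world-writable by design.
audit_world_writable() {
    root=${1:-/}
    find "$root" -xdev ! -type l -perm -0002 ! \( -type d -perm -1000 \) -print 2>/dev/null
}

# Group-writable regular files: the roundups' "very rarely the group" case,
# and the check that catches a package installed mode 775.
audit_group_writable() {
    root=${1:-/}
    find "$root" -xdev -type f -perm -0020 -print 2>/dev/null
}

# Files whose UID or GID no longer exists in passwd/group: usually a deleted
# account or a tarball unpacked as root with foreign ownership preserved.
audit_unowned() {
    root=${1:-/}
    find "$root" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
}

# Detection, not just prevention: compare today's set-UID list with a
# stored baseline and print what appeared (+) or vanished (-). A rootkit
# dropping a set-UID shell under /tmp or /dev shows up as a "+" line.
# comm(1) needs identically sorted input, hence LC_ALL=C on both sides.
setuid_changes() {
    baseline=$1
    root=${2:-/}
    current=$(mktemp)
    audit_setuid "$root" | LC_ALL=C sort > "$current"
    LC_ALL=C comm -13 "$baseline" "$current" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$baseline" "$current" | sed 's/^/- /'
    rm -f "$current"
}

# One-shot report for cron. The baseline file must itself be root-owned and
# not writable by anyone else, or an intruder simply edits it.
audit_report() {
    root=${1:-/}
    baseline=${2:-/var/lib/hardening/setuid.baseline}   # hypothetical path
    echo "== set-UID/set-GID files under $root"
    audit_setuid "$root" | while IFS= read -r f; do ls -ld "$f"; done
    echo "== world-writable (sticky directories excluded)"
    audit_world_writable "$root"
    echo "== group-writable files"
    audit_group_writable "$root"
    echo "== unowned files"
    audit_unowned "$root"
    if [ -f "$baseline" ]; then
        echo "== set-UID changes since baseline"
        setuid_changes "$baseline" "$root"
    fi
}
```

Run audit_report once per local filesystem (add /usr, /var and so on if they are separate mounts, since -xdev stops at the boundary), review the first set-UID listing by hand and strip the bits from anything that does not need them, then save that listing with `audit_setuid / | LC_ALL=C sort` as the baseline. From then on the "+" lines in the cron mail are the signal; the listing of what is group- or world-writable is where the mode 775 style of packaging mistake from the roundups turns up.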
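The "PayPaI.com" trick in the NetRadarEWS item above is a lookalike domain: the attacker registers a name whose glyphs render like the real one. One screening countermeasure is to fold such glyphs to a single "skeleton" form before comparing the host in each link of an inbound message against the short list of domains the organisation actually transacts with. The script below is an added example for this digest, not code from NetRadarEWS or SecurityPortal; the fold table, the legit-domain list and the sample message are constructed for it (the message is not the scam mail itself).

```sh
#!/bin/sh
# Added example: flag lookalike hosts in a mail body. Not code from the
# NetRadarEWS report; the fold table and sample message are constructed.

# Fold look-alike characters onto one representative before lowercasing:
# capital I, digit 1 and the pipe all read as lowercase l; 0 reads as o;
# "rn" as m, "vv" as w, "cl" as d. Lowercase i keeps its dot and is left alone.
skeleton() {
    printf '%s' "$1" \
      | tr 'I1|' 'lll' \
      | tr 'A-Z' 'a-z' \
      | sed -e 's/0/o/g' -e 's/rn/m/g' -e 's/vv/w/g' -e 's/cl/d/g'
}

# Host part of a URL: drop the scheme, anything from the first / ? : or #,
# and a leading "www." so that www.paypal.com and paypal.com compare equal.
url_host() {
    printf '%s' "$1" \
      | sed -e 's|^[A-Za-z][A-Za-z0-9+.-]*://||' -e 's|[/?:#].*$||' -e 's/^[Ww][Ww][Ww]\.//'
}

# Print the legit domain DOMAIN imitates and return 0, or return 1 when
# DOMAIN either is one of the legit domains or folds to none of them.
lookalike_of() {
    cand=$1; shift
    cand_lc=$(printf '%s' "$cand" | tr 'A-Z' 'a-z')
    cand_sk=$(skeleton "$cand")
    for legit in "$@"; do
        legit_lc=$(printf '%s' "$legit" | tr 'A-Z' 'a-z')
        if [ "$cand_lc" = "$legit_lc" ]; then
            continue              # the genuine domain is not a lookalike
        fi
        if [ "$cand_sk" = "$(skeleton "$legit")" ]; then
            printf '%s\n' "$legit"
            return 0
        fi
    done
    return 1
}

# Read a message body on stdin, extract every http(s) link and print
#   <host>  looks like  <legit domain>
# for each lookalike. Returns 0 if at least one was found, 1 otherwise.
flag_lookalikes() {
    found=1
    for url in $(grep -oE 'https?://[^ <>")]+'); do
        host=$(url_host "$url")
        if target=$(lookalike_of "$host" "$@"); then
            printf '%s  looks like  %s\n' "$host" "$target"
            found=0
        fi
    done
    return $found
}

# Constructed sample, modelled on the report: one bad link, two genuine ones.
sample_message() {
    cat <<'EOF'
Dear PayPal user,
You have a payment of $1,250.00 waiting. Log in at http://www.PayPaI.com/cgi-bin/login
to claim it. You can also review your account at https://www.paypal.com/ as usual.
Questions? See http://help.example.org/faq
EOF
}

demo() {
    sample_message | flag_lookalikes paypal.com example.org
}
```

The fold table is deliberately small and ASCII-only: it covers the capital-I/lowercase-l confusion the report describes plus a few common pairs, and it does nothing for non-ASCII lookalikes, which a gateway must handle as a separate check. A skeleton match is a screening signal, not proof; confirm against the registrar record and the domain's age before blocking or reporting it.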
