March 26, 2004

Linux Advisory Watch - March 26, 2004

Author: Benjamin D. Thomas

This week, advisories were released
for ecartis, OpenSSL, httpd, and sysstat. The distributors include Debian, Fedora,
Red Hat, and Trustix.

Security Mindset

 Information security is a game
that is played by many roles. While it is not always appropriate to box people
in with labels, I think you'll find that most people fit into one of these categories.

First, the authoritative mindset:
This view is primarily held by law enforcement officials and others who encourage
strict laws and punishment regarding information security. In the example of
a system compromise, the perpetrator should be caught and punished to the fullest
extent of the law. Later, the case should be used as an example to deter further

Contrastingly, the liberated or
'hacker' mindset: The view is held that all information should be free and breaking
into a system is not actually doing any harm. The liberated view sees security
controls as a challenge rather than protection. By breaking poorly constructed
security mechanisms he/she is actually doing society a favor by making it public.

Next, the popular mindset: How does
the press view the compromise? What is the general public saying about it? Is
anyone concerned? Often, crackers are immortalized in books, movies, and television
giving the public the wrong impression. Hyped media can create public hysteria
and panic. In the case of a high-profile compromise, the information filtered
to the public can cause people to make poor decisions when faced with technology.

Finally, the security professional's
view: We know that many compromises are a direct result of negligence (either
programmer or administrator) and in most cases the cracker(s) involved is much
less skilled than seen in movies. A security professional's primary task is
to secure a system up to the management's accepted level of risk, while maintaining
business objectives. Security is a necessity for conducting business. After
a system is compromised, the security professional is most concerned with minimizing
business impact. Next, it is important to analyze faults in the system and prevent
it from happening again.

At this point, you're probably asking
yourself, "What mindset do I fall under?" My guess is that most of you are technically
system administrators or security practitioners, but slightly fall into all
of them. Security is an issue that has nearly 1024 shades of grey. Security
breaches can be stressful. Having a firm understanding of the views of those
you are working closely with can help the overall success of the investigation.

Until next time, cheers!
Benjamin D. Thomas


Feature Extras:

with Siem Korteweg: System Configuration Collector

- In this interview we learn how the System Configuration Collector (SCC)
project began, how the software works, why Siem chose to make it open source,
and information on future developments.


- This is the second installation of a 3 part article on LAMP (Linux Apache
MySQL PHP). In order to safeguard a MySQL server to the basic level, one has
to abide by the following guidelines.

Web/DNS/Mail Securely in 5 Minutes with EnGarde
- Web, DNS, and
Mail are the building block services of the Internet. In this article, I show
how to setup a Web, DNS, and Mail server with a few clicks of the mouse using
EnGarde Secure Linux.

[ Linux
Advisory Watch
] - [ Linux
Security Week
] - [ PacketStorm
] - [ Linux Security


Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.

[ Subscribe

Distribution: Debian
  3/24/2004 ecartis

New version fixes multiple buffer overflows plus password disclosure vulnerability.

Debian advisory 4155

Distribution: Fedora
  3/23/2004 OpenSSL
of service vulnerabilities

This update includes OpenSSL packages to fix two security issues affecting
OpenSSL 0.9.7a which allow denial of service attacks.

Fedora advisory 4154

Distribution: Red
  3/23/2004 httpd
of service vulnerability

Updated httpd packages are now available that fix a denial of service vulnerability
in mod_ssl

Red Hat advisory 4153

Distribution: Trustix
  3/19/2004 sysstat
temporary file vulnerability

This patch removes the isag script, which creates insecure temporary files.

Trustix advisory 4151

  3/19/2004 OpenSSL
of service vulnerability

Several holes were discovered that could lead to denial of service (DoS)
attacks on SSL-enabled services.

Trustix advisory 4152



  • Linux
Click Here!