Author: Benjamin D. Thomas
released for BIND, Ethereal, Glibc, Libnids, phpSysInfo, Stunnel, EPIC, iproute,
Pan, and XFree86. The distributors include Guardian Digital’s EnGarde Linux,
Gentoo, Mandrake, and Red Hat.

Business and IT centers today are controlled by the growth of the Internet. In
just ten years, technology has changed so rapidly that the old rules no longer
apply. Today, businesses are forced to comply with the momentum of the Internet,
or face extinction. Change is always difficult, but now more than ever it is
necessary. With every change in business, security must constantly be re-evaluated.
In a typical corporate IT environment, new business requirements arise each day.
The application development team is constantly being asked to add new features
to software, the networking team is increasingly being asked to provide access
anywhere, anytime, and managers have the opinion, “make it work now, and no you
can’t have a budget.” Well, it’s usually not that bad, but you get the idea.
Everyone is being stretched to the limit and it puts a great strain on the
organization. In the middle of adding more features, access points, and bandwidth,
security is often forgotten. That’s okay, isn’t it? “We’ll just add security later
once we get the system working.”
That is exactly the problem all of us have today when working in security. It is
typical to receive a memo at the end of the day stating that ten new servers are
going to be deployed tomorrow morning, then at the end it asks, “Is this ok with
security?” Of course not! The typical problem that we all face does not have to
do with technology; it is simply a people problem. Unfortunately, attitudes can’t
be changed overnight. Sometimes, they may not be able to be changed for years.
The only way to address this is through a security awareness program. The smaller
the organization, the easier it should be. People must be reminded daily that
security is important to the organization, and is a high priority. The quickest
way to get results is to get top management on board. If you see that key
management figures are unwilling to comply, and the organization is large enough,
total security awareness may be an impossible task.
Security is everyone’s problem. One administrator simply patching a server each
week is a good start, but it shouldn’t stop there. Having adequate business
security depends on many people. Often, it is your job to let those people know.
I realize that this task is harder than it sounds, but hopefully I’ve given you
some inspiration to begin getting others on board. Don’t face the fire alone!
Until next time, cheers!
Benjamin D. Thomas
Feature Extras:

Guardian Digital Launches the First Secure Small Business Internet Productivity
Solution – Guardian Digital, the world’s premier open source Internet security
company, announced the availability of Internet Productivity Suite, a comprehensive
productivity and security management system. Focused on the increasing requirements
of small and medium organizations, this cohesive and highly-secure suite of
applications combines to protect users from Internet threats while providing
the features necessary to operate a complete Internet presence.

OpenVPN: An Introduction and Interview with Founder, James Yonan – In this
article, Duane Dunston gives a brief introduction to OpenVPN and interviews its
founder James Yonan.

R00ting The Hacker – Dan Verton, the author of The Hacker Diaries: Confessions of
Teenage Hackers, is a former intelligence officer in the U.S. Marine Corps who
currently writes for Computerworld and CNN.com, covering national cyber-security
issues and critical infrastructure
protection.
Linux Advisory Watch is a comprehensive newsletter that outlines the security
vulnerabilities that have been announced throughout the week. It includes pointers
to updated packages and descriptions of each vulnerability.
| Distribution | Date | Package | Vulnerability | Description |
|---|---|---|---|---|
| EnGarde | 11/26/2003 | BIND | cache poisoning vulnerability | A cache poisoning vulnerability exists in the version of BIND shipped with |
| Fedora | 11/25/2003 | Ethereal | buffer overflow vulnerability | These updated ethereal packages fix a security problem found in versions |
| Gentoo | 11/24/2003 | Ethereal | multiple vulnerabilities | It may be possible to make Ethereal crash or run arbitrary code by injecting |
| Gentoo | 11/24/2003 | Glibc | buffer overrun vulnerability | A bug in the getgrouplist function can cause a buffer overflow if the size |
| Gentoo | 11/24/2003 | Libnids | remote code execution | There is a bug in the part of libnids code responsible for TCP reassembly. |
| Gentoo | 11/24/2003 | phpSysInfo | directory traversal | phpSysInfo contains two vulnerabilities which could allow local files to |
| Mandrake | 11/21/2003 | freeswan | directory traversal | The version of freeswan bundled with the latest kernel update did not match |
| Mandrake | 11/26/2003 | Stunnel | file descriptor leak | A vulnerability was discovered in stunnel versions 3.24 and earlier, as |
| Red Hat | 11/24/2003 | EPIC | Buffer overflow vulnerability | Updated EPIC packages which fix an exploitable buffer overflow vulnerability |
| Red Hat | 11/24/2003 | iproute | Local denial of service vulnerability | Updated iproute packages that close a locally-exploitable denial of service |
| Red Hat | 11/24/2003 | stunnel | Signal-handling vulnerability | Updated stunnel packages are now available for Red Hat Linux 7.1, 7.2, 7.3, |
| Red Hat | 11/24/2003 | Pan | Denial of service vulnerability | Updated Pan packages that close a denial of service vulnerability are now |
| Red Hat | 11/25/2003 | XFree86 | Multiple vulnerabilities | Multiple integer overflows in the transfer and enumeration of font libraries |