Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

LinuxSecurity.com Feature Extras:

Securing a Linux Web Server - With the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for such a purpose. However, a Linux-based web server is only as secure as its configuration, and very often many are quite vulnerable to compromise. While specific configurations vary wildly due to environments or specific use, there are various general steps that can be taken to ensure basic security considerations are in place.

Peter Smith Releases Linux Network Security Online - Thanks so much to Peter Smith for announcing on linuxsecurity.com the release of his Linux Network Security book available free online. "In 2005 I wrote a book on Linux security. 8 years later and the publisher has gone out of business. Now that I'm free from restrictions on reproducing material from the book, I have decided to make the entire book available online."


Ubuntu still vulnerable to time-twiddling hack (May 1)

A security flaw in a common Unix software component remains unpatched in one of the most popular Linux distributions, more than a year after an official fix was published.

Google develops new defense against phishing (Apr 30)

Google has developed a new extension for its Chrome browser that aims to stop people from falling prey to phishing sites. The free Password Alert extension stores an encrypted version of a person's password and warns if it is typed into a site that isn't a Google sign-in page, according to a blog post on Wednesday. It will then prompt the person to change their password.

Boeing 787 Dreamliners contain a potentially catastrophic software bug (May 1)

A software vulnerability in Boeing's new 787 Dreamliner jet has the potential to cause pilots to lose control of the aircraft, possibly in mid-flight, Federal Aviation Administration officials warned airlines recently.

WordPress promises patch for zero-day "within hours" (Apr 29)

Shortly after this article was posted, WordPress released version 4.2.1, flagging it as a critical update. Website owners are encouraged to update immediately, and automatic updates have started to roll out. More information is here.

(Apr 27)

The high-profile DDoS attack against GitHub that went on for several days last month was the end result of an operation that included several phases and extensive testing and optimization by the attackers. Researchers at Google analyzed the attack traffic over several weeks and found that the attackers used both Javascript replacement and HTML injections.

(May 1)

There is a firmly held concern in security circles that the automation associated with DevOps moves too swiftly, that security teams and their tests can't keep up, that too many of the metrics measured focus on production, availability, and compliance checkboxes, and as a result, security falls to the wayside.

(Apr 30)

If one listens to the mainstream media, these are the biggest cyber security threats facing American businesses. When hackers from these regions make any move against western businesses and governments, the news is magnified ten-fold in comparison to the actual source of the attacks: human error on the part of the victim organizations.

Congress, Crypto and Craziness (May 1)

Crazy is never in short supply in Washington. Through lean times and boom times, regardless of who is in the White House or which party controls the Congress, the one resource that's reliably renewable is nuttery.

Decryption tool available for TeslaCrypt ransomware that targets games (Apr 28)

Some users whose computers have been infected with a ransomware program called TeslaCrypt might be in luck: security researchers from Cisco Systems have developed a tool to recover their encrypted files.

(Apr 28)

WordPress security issues have for the most part involved a vulnerable plug-in, but a Finnish researcher has disclosed some details on a zero-day vulnerability he discovered in the core engine of WordPress 4.2 and earlier that could lead to remote code execution on the web server.

The Further Democratization of Stingray (Apr 27)

Stingray is the code name for an IMSI-catcher, which is basically a fake cell phone tower sold by Harris Corporation to various law enforcement agencies. (It's actually just one of a series of devices with fish names -- Amberjack is another -- but it's the name used in the media.) What it basically does is trick nearby cell phones into connecting to it.

(Apr 30)

I'm not a security professional -- I can't configure a firewall or hack my way out of a paper bag -- but I've been lucky enough to live and work in the info security community for almost a decade now. For me, last week's RSA Conference in San Francisco was old home week; nearly everywhere I walked, I saw someone I knew.