Author: Benjamin D. Thomas
mailman, squid, mod_python, kdeedu, gamin, pcmcia, openssh,
postgresql, gimp, midnight commander, gproftpd, cyrus imap, cups,
kdelibs, xpdf, uim, cpio, and vim. The distributors include Debian,
Fedora, Gentoo, Mandrake, Red Hat, and SuSE.

The Internet has made the world smaller. In our routine usage we
tend to overlook that “www” really does mean “world wide web” making
virtually instant global communication possible. It has altered the
rules of marketing and retailing. An imaginative website can give the
small company as much impact and exposure as its much larger competitors.
In the electronics, books, travel and banking sectors long established
retail chains are increasingly under pressure from e-retailers. All this,
however, has come at a price: ever more inventive and potentially
damaging cyber crime. This paper aims to raise awareness by discussing
common vulnerabilities and mistakes in web application development. It
also considers mitigating factors, strategies and corrective measures.
The Internet has become part and parcel of the corporate agenda. But
does the risk of exposing information assets get sufficient management
attention? Extension of corporate portals for Business-to-Business (B2B)
or development of websites for Business-to-Customer (B2C) transactions
have been largely successful. But the task of risk assessing
vulnerabilities and the threats to corporate information assets is still
avoided by many organisations. The desire to stay ahead of the competition
while minimising cost by leveraging technology means the process is driven
by pressure to achieve results. What suffers in the end is the application
development cycle, which proceeds without security in mind. Section 1
of this paper introduces the world of e-business and sets the stage for
further discussions. Section 2 looks at common vulnerabilities inherent
in web application development. Section 3 considers countermeasures and
strategies that will minimise, if not eradicate, some of the
vulnerabilities. Sections 4 and 5 draw conclusions and look at current
trends and future expectations.
The TCP/IP protocol stack, the underlying technology, is known for a lack of
security on many of its layers. Most applications written for use on the
Internet use the application layer, traditionally using HTTP on port 80
on most web servers. The HTTP protocol is stateless and does not provide
freshness mechanisms for a session between a client and server; hence,
many hackers take advantage of these inherent weaknesses. TCP/IP may be
reliable in providing delivery of Internet packets, but it provides no
guarantee of confidentiality or integrity, and little identification. As
emphasised in [1], Internet packets may traverse several hosts between
source and destination addresses. During their journey they can be
intercepted by third parties, who may copy, alter or substitute them
before final delivery. Failure to detect and prevent
attacks in web applications is potentially catastrophic. Attacks are
loosely grouped into two types, passive and active. Passive attackers
[6] engage in eavesdropping on, or monitoring of, transmissions. Active
attacks involve some modification of the data stream or creation of
false data streams [6].
Read full feature:
http://www.linuxsecurity.com/content/view/118427/49/
LinuxSecurity.com
Feature Extras:

Getting to Know Linux Security: File Permissions – Welcome to the first
tutorial in the ‘Getting to Know Linux Security’ series. The topic explored
is Linux file permissions. It offers an easy to follow explanation of how
to read permissions, and how to set them using chmod. This guide is intended
for users new to Linux security, and is therefore very simple. If the feedback is
good, I’ll consider creating more complex guides for advanced users. Please
let us know what you think and how these can be improved.

The Tao of Network Security Monitoring: Beyond Intrusion Detection
– To be honest, this was one of the best books that I’ve read on network security.
Other books often dive so deeply into technical discussions, they fail to
provide any relevance to network engineers/administrators working in a corporate
environment. Budgets, deadlines, and flexibility are issues that we must all
address. The Tao of Network Security Monitoring is presented in such a way
that all of these are still relevant.

Encrypting Shell Scripts – Do you have scripts that contain sensitive information
like passwords and you pretty much depend on file permissions to keep it secure?
If so, then that type of security is good provided you keep your system secure
and some user doesn’t have a “ps -ef” loop running in an attempt to capture
that sensitive info (though some applications mask passwords in “ps” output).
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with “subscribe” as the subject.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week’s most relevant Linux security headlines.
| Distribution | Advisory | Date |
|---|---|---|
| Debian | New emacs21 packages fix arbitrary code execution | 17th, February, 2005 |
| Debian | New gftp packages fix directory traversal vulnerability | 17th, February, 2005 |
| Debian | New bidwatcher packages fix format string vulnerability | 18th, February, 2005 |
| Debian | New mailman packages really fix several vulnerabilities | 21st, February, 2005 |
| Debian | New squid packages fix denial of service | 23rd, February, 2005 |
| Debian | New mod_python packages fix information leak | 23rd, February, 2005 |
| Fedora | Fedora Core 3 Update: kdeedu-3.3.1-2.3 | 17th, February, 2005 |
| Fedora | Fedora Core 3 Update: selinux-policy-targeted-1.17.30-2.80 | 17th, February, 2005 |
| Fedora | Fedora Core 3 Update: policycoreutils-1.18.1-2.9 | 17th, February, 2005 |
| Fedora | Fedora Core 3 Update: gamin-0.0.24-1.FC3 | 18th, February, 2005 |
| Fedora | Fedora Core 3 Update: pcmcia-cs-3.2.7-2.2 | 21st, February, 2005 |
| Fedora | Fedora Core 2 Update: gaim-1.1.3-1.FC2 | 22nd, February, 2005 |
| Fedora | Fedora Core 3 Update: gaim-1.1.3-1.FC3 | 22nd, February, 2005 |
| Fedora | Fedora Core 3 Update: openssh-3.9p1-8.0.1 | 22nd, February, 2005 |
| Fedora | Fedora Core 3 Update: postgresql-7.4.7-3.FC3.1 | 22nd, February, 2005 |
| Fedora | Fedora Core 2 Update: postgresql-7.4.7-3.FC2.1 | 22nd, February, 2005 |
| Fedora | Fedora Core 2 Update: squid-2.5.STABLE8-1.FC2.1 | 22nd, February, 2005 |
| Fedora | Fedora Core 3 Update: squid-2.5.STABLE8-1.FC3.1 | 22nd, February, 2005 |
| Fedora | Fedora Core 3 Update: gimp-help-2-0.1.0.7.0.fc3.1 | 24th, February, 2005 |
| Gentoo | Midnight Commander Multiple vulnerabilities | 17th, February, 2005 |
| Gentoo | Squid Denial of Service through DNS responses | 18th, February, 2005 |
| Gentoo | GProFTPD gprostats format string vulnerability | 18th, February, 2005 |
| Gentoo | gFTP Directory traversal vulnerability | 19th, February, 2005 |
| Gentoo | PuTTY Remote code execution | 21st, February, 2005 |
| Gentoo | Cyrus IMAP Server Multiple overflow vulnerabilities | 23rd, February, 2005 |
| Mandrake | Updated cups packages fix | 17th, February, 2005 |
| Mandrake | Updated gpdf packages fix | 17th, February, 2005 |
| Mandrake | Updated kdelibs packages fix | 17th, February, 2005 |
| Mandrake | Updated KDE packages address | 17th, February, 2005 |
| Mandrake | Updated xpdf packages fix | 17th, February, 2005 |
| Mandrake | Updated PostgreSQL packages | 17th, February, 2005 |
| Mandrake | Updated tetex packages fix | 17th, February, 2005 |
| Mandrake | Updated uim packages fix | 24th, February, 2005 |
| Mandrake | Updated squid packages fix | 24th, February, 2005 |
| Red Hat | Low: cpio security update | 18th, February, 2005 |
| Red Hat | Low: imap security update | 18th, February, 2005 |
| Red Hat | Low: vim security update | 18th, February, 2005 |
| Red Hat | Important: cups security update | 18th, February, 2005 |
| Red Hat | Important: kernel security update | 18th, February, 2005 |
| Red Hat | Moderate: imap security update | 23rd, February, 2005 |
| SuSE | squid remote denial of service | 22nd, February, 2005 |
| SuSE | cyrus-imapd buffer overflows | 24th, February, 2005 |