Linux in the news
All in one big page
See also: last week's Security page.
News and editorials
Are ISPs responsible for the current DDOS attacks? One discussion thread on BugTraq this week suggested that ISPs are ultimately responsible for the distributed denial-of-service attacks that have garnered so much attention as of late. The question is whether such attacks would be possible if ISPs had implemented network ingress and egress filtering to prevent spoofed packets from proliferating on the Internet. The answer is not clear. Filtering would definitely mitigate the impact of DDOS attacks, as mentioned in Elias Levy's summary of DDOS mitigation techniques. Bruce Schneier commented in this month's CRYPTOGRAM that "Large-scale filtering at the ISPs can help, but that requires a lot of effort and will reduce network bandwidth noticeably."
Implementing network filtering would impact performance as well, or at least require expenditure of funds on new routing equipment to handle the performance loads. Some smaller ISPs might find it too costly; some educational institutions might not be willing to spend such money. If filtering is determined to be truly effective in limiting or mitigating the impact of DDOS attacks, it will likely still not happen unless the courts choose to hold ISPs liable for attacks enabled through their equipment.
Meanwhile, one recent response to the problem has been the development of Linux kernel patches to improve filtering and auditing of network packets. Jens Hektor has backported features from the Linux v2.3 ipfilter package to augment the capabilities of the Linux v2.2 kernel. In addition, Dragos Ruiu has made available a klog patch to provide "a quick and dirty forensic logger to track down or follow the path to the origin of attacks". Last, a patch implementing Mandatory Access Control was released. It divides a Linux system up into multiple "compartments," each of which behaves like a separate virtual machine and does not see the others.
Medusa DS9. The Medusa DS9 security system extends the Linux architecture to provide additional security while maintaining backwards compatibility. It uses a kernel patch and a user-space security daemon called "Constable". "Before execution of the certain operations, the kernel asks the authorization server for the confirmation. Authorization server then permits or forbids the operation. Authorization server can also affect the way operation is executed in some cases, which are described later. This method allows to implement almost any security architecture." Medusa is the product of the Slovak Linux User Group.
Securing Linux (Information Security). Information Security Magazine has put up a lengthy article about Linux security. "What makes Linux security a special case is that never before has such a powerful, adaptable and potentially dangerous operating system been made available to such a large population of novice users." Worth a read. (Thanks to Jay R. Ashworth).
SNMP communities. Many devices with SNMP support have "communities" defined that are world-writable and may allow an attacker to manipulate route tables, corrupt arp caches and, as a result, allow further compromises. [ BugTraq ID 986, BugTraq posting.] It is recommended that you check the posting and database for your network device, to see if you are vulnerable. The list of affected devices is quite long.
nameserver configuration-based vulnerability. Improperly configured nameservers (named) are vulnerable to a traffic amplication denial-of-service attack. [BugTraq ID.] In addition, one vulnerable nameserver on a network can cause correctly configured nameservers to also be impacted.
UpdatesPlease note, any users of Caldera OpenLinux, it appears that security advisories for Caldera are not getting posted to the caldera-announce list. You'll need to either check the Caldera security page or watch this summary.
Debian's security procedures seem to have broken down slightly as well. The Debian Weekly News reported four security-related updates this week, none of which were posted to the debian-security-announce list or to the Debian security page.
MySQL 3.22.32 released. The latest version of MySQL contains fixes for the remote access vulnerability, discussed in the February 10 LWN security page. Distribution updates for MySQL have been released from:
mount/umount. A buffer overflow problem has been found in the mount command. Distribution updates:
majordomo. Two vulnerabilities in majordomo were previously reported in our January 6th Security Summary. Caldera has also issued an update for this problem.
GNU make. GNU make versions 3.77-44 and earlier contain a /tmp vulnerability. Here are the distribution-specific updates:
Additional Debian updates. Debian also issued security-related updates for the following packages:
ResourcesLinux FreeS/wan 1.3. A new version of Linux FreeS/wan has been announced.
T.Rex "open source" firewall announced. T.Rex is an open source firewall announced by Freemont Avenue Software. The firewall is being released under the "LPL" license, a copy of the QPL license with a name change and venue (state of Texas).
spidermap-0.1. Spidermap is "a collection of perl scripts which enable you to launch precisely tuned network scans".
EventsBlack Hat Briefings. The Black Hat Briefings Singapore (April 4th-5th, 2000) has been announced and the Call-for-Papers for the Black Hat Briefings USA (July 26th & 27th, Las Vegas) has been released.
Section Editor: Liz Coolbaugh
February 17, 2000
Secure Linux Projects Bastille Linux
Khaos Linux Secure Linux
Security List Archives
Firewall Wizards Archive
LinuxPPC Security Updates
Red Hat Errata
Yellow Dog Errata
Comp Sec News Daily
Linux Security Audit Project