[LWN Logo]
[LWN.net]

Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Back page
All in one big page

See also: last week's Security page.

Security


News and editorials

The last thing we wanted to do this week was to focus again on Distributed Denial of Service attacks. However, it remains true that the top security-related stories this week seem to be focusing in this area. So we'll attempt to give you access to a variety of the more interesting ones.

White House Internet Security Summit. President Clinton took 90 minutes out of his schedule on February 15th to attend this summit. Gene Spafford, from Purdue, was one of two academics invited to attend and nicely sent out this detailed report. A nice look at the political process in action, for once with people relatively behaving themselves. He outlined 7 points made in the summit that no one seemed to dispute:

  1. The Internet is international in scope, and most of the companies present have international operations. Thus, we must continue to think globally. US laws and policies won't be enough to address all our problems.

  2. Privacy is a big concern for individuals and companies alike. Security concerns should not result in new rules or mechanisms that result in significant losses of privacy.

  3. Good administration and security hygiene are critical. The problems of the previous week were caused by many sites (including, allegedly, some government sites) being compromised because they were not maintained and monitored. This, more than any perceived weakness in the Internet, led to the denial of service.

  4. There is a great deal of research that yet needs to be done.

  5. There are not enough trained personnel to deal with all our security needs.

  6. Government needs to set a good example for everyone else, by using good security, employing standard security tools, installing patches, and otherwise practicing good infosec.

  7. Rather than new structure or regulation, broadly-based cooperation and information sharing is the near-term approach best suited to solving these kinds of problems.

Wayne Madsen calls it media hype and planned Pentagon disinformation in this editorial. Note that Madsen considers himself an insider in the "spook" community, having served in the Navy, and worked in the National Security Agency, State Department, Computer Sciences Corporation, RCA, and more. "The hype associated with the recent Internet flooding is outrageous and serves the agendas of the military and intelligence communities regarding new vistas for bloated Pentagon and espionage budgets."

He makes some interesting points, but primarily serves to fuel the same media hype that he disparages so heavily. Oh, yes, the President's attendance at the above summit was another item that offended him horribly.

Cyber Vigilantes. The NUA KNOWLEDGE NEWS published this editorial in their free weekly email newsletter. Again, a bit inflammatory, but the point is interesting and might explain why the culprits in the recent DDOS cases have been so hard to track down. "Without government the choice is chaos or vigilantism. The current search for the hackers behind the major spate of website attacks is a mix of both. Scores of security firms are out looking for the culprits. Their driving objective has nothing to do with law and justice and everything to do with the hoped for PR announcement that their firm caught the nasty hacker. Members of these firms are posing as suspects and friends of suspects in online chat rooms and other areas, to the extent that 'suspects' are turning up all over the place at the same time confusing everybody."

Security Reports

This week's open source-related security reports primarily came from the *BSD community, as luck would have it. They included:

Updates

Debian update for GNU make. Here is the Debian advisory to go with the update to the GNU make package to which we already provided a pointer in this week's Security Summary. An immediate upgrade is recommended.

Resources

LinuxSecurity.com debuts. LinuxSecurity.com has been announced. "Guardian Digital, Inc., an upstart Open Source security company and primary sponsor of LinuxSecurity.com, provides consulting, installation & support and computer security services to businesses looking to use the Linux Open Source operating system. LinuxSecurity.com is intended as a pro-Linux and Open Source site that strives to provide objective and helpful information for the general Linux and Open Source community."

ITS4. John Viega has announced the release of a source code security scanner, ITS4, under an open source license. "I've put together a command-line tool for statically scanning C and C++ source code for security vulnerabilities. The tool is called ITS4. ITS4 scans through source code for potentially dangerous function calls that are stored in a database. Anything that is in the database gets flagged. ITS4 tries to automate a lot of the grepping usually done by hand when performing security audits."

John is looking for assistance improving the database that ITS4 uses.

ISIC 0.05 (IP Stack Integrity Check). Mike Frantzen released a tool to stress test IP stacks, firewall rulesets, firewall resilience and IDS implementations. ISIC "crafts random packets and launches them. You can specify the percentage of packets to fragment, to have IP options, to have bad IP versions.... Just about every field can be automagically twiddled."

Lokkit, simple firewall generator. Lokkit is a new tool from Alan Cox that sets up a simple firewall for a dialup machine in response to answers to a simple set of questions. From the look of the screen shots, lokkits might be intended as part of the Red Hat install process at some point in the future.

Events

1st International Hackers Conference in Israel. The 1st International Hackers Conference in Israel will be held March 28th-March 30th, 2000. "But in Israel, where hi-tech security startups mix up with lo-tech hackers community, where a new middle east is trying to emerge from many small anarchic pieces, this is the 1st International Hackers Convention."

Section Editor: Liz Coolbaugh


February 24, 2000


Secure Linux Projects
Bastille Linux
Immunix
Khaos Linux
Secure Linux

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
Linux Security Audit Project
OpenSSH
OpenSEC
Security Focus
SecurityPortal
 

Next: Kernel

 
Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds