[LWN.net]


Security


As most of you are probably aware, the security-related story of this week was the rootshell hack, where www.rootshell.com was hacked into and its web pages replaced. You can read Rootshell's report of the incident at their main site or from their larger posting to freshmeat.

The incident spawned a larger storm over the implication that a vulnerability in ssh was exploited to allow the break-in. The potential vulnerability was denied by both SSH Communications Security Ltd and the author of SSH. Rootshell responded to these claims referring to a draft advisory from IBM. IBM, in turn, rescinded the alert, stating that the problem it described was not reproducible.

In the meantime, work continued on Bugtraq and elsewhere. A buffer overflow was reported, patches were put together, and eventually a new set of ssh RPMs was made available (on ftp.linux.org.uk) by Stephen Tweedie. If you prefer the actual patches, rather than RPM files, they are available on the Bugtraq archives.

There is no final word on whether or not the patches to SSH are necessary. Many highly regarded people outside of SSH Communications and the ssh author have examined the code and (so far) found it secure, so it is not an issue of denial or damage control by the authors. The controversy will likely remain until or unless an exploit is found and published, or those who believe that ssh is exploitable change their minds. In the meantime, you can choose to run with a patched version if you prefer, or compile ssh under Stackguard, or both.

Tuesday, November 3rd, was the tenth anniversary of the Internet Worm. Here is a brief summary of the historic incident, which includes a link to an MSN article on the topic. This editor remembers the day very well ...

In our list of Netscape security problems last week, we missed this announcement from Netscape, which details a caching problem with Netscape 4.5. They provide a "workaround", and promise a fix "in the next release." The issue only affects people running Netscape on a shared machine, but it is a serious problem, since it can expose information from SSL transactions. Another recently reported bug, also caching-related and impacting Netscape products through 4.5, apparently does not impact Unix systems. A confirmation that Linux systems are not susceptible has not yet been received. Note that the News.com article on this bug indicates that the person who discovered it, Georgi Guninski, will reap a $1000 finder's fee. Now that's the way to motivate people to find and report security problems ...

mpg123-0.58k has a reported buffer overflow. Apparently the more recent versions have fixed this; you may want to upgrade to mpg123-0.58o.

A bug in quake has been reported as well. It allows a person to force the drop of an existing IP connection, if the IP address of the remote end is known.

Tim Yocum reported that the APC PowerNet SNMP module is still vulnerable to many widely known Denial-of-Service (DOS) attacks, such as nestea, etc. APC indicated no plans to resolve the problems but instead recommended that the module should only be used behind a firewall.

There is an apparent problem with IBCS support, which can cause a system panic as a result of a simple, non-privileged command. The problem is being forwarded to the IBCS development list.

Some unconfirmed reports have come out about a possible Sendmail/Qmail DOS and a vulnerability in lightbar.

This item from the ISN mailing list describes Teiresias, a computer algorithm developed to unlock information from complex DNA strands, which can also be used to detect a system attack. It sounds like a lot of fun ... too bad it appears to belong to IBM and is therefore likely to be a proprietary algorithm.

Another mailing list has been created, this one a newsletter focused solely on the issue of digital identity theft. It appears to be fairly interesting. The author is a lawyer rather than a computer hacker, so technical aspects can be expected to be thin. However, the issue above does report on recent legislation in this area and a new type of Neighborhood Watch. [also from the ISN mailing list]

Last week's LWN included a pointer to this InfoWorld article, which talked about "Linux's gaping security problems." Evidently they heard from a number of Linux users, because they sent out this note explaining their position. Their view of Linux security is pretty negative.


November 5, 1998

 

Copyright © 1998 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds