Security


News

A security audit of the entire Internet. The Internet Auditing Project set out almost a year ago to scan the entire Internet just to see how many systems with known vulnerabilities could be found. Their report makes for a long-winded but entertaining read as it describes how they were able to put together a scan of 36 million hosts and survive the process.

Their results? Here's a table that appears at the end:

Vulnerability    Count     Percentage
webdist            5622     0.77%
wu_imapd         113183    15.5%
qpopper           90546    12.4%
innd               3797     0.52%
tooltalk         190585    26.1%
rpc_mountd        78863    10.8%
bind             132168    18.1%
wwwcount          86165    11.8%
phf                6790     0.93%
ews                9346     1.28%

In other words, there are hundreds of thousands of vulnerable systems out there, just looking at a small set of well-known problems.

The authors make the point that the Internet as a whole has a problem. It is sick, with lots of little wounds. Fixing up single hosts and networks is a good thing to do, but as long as the network as a whole remains so unhealthy, there are going to be problems. Lots of them.

They have an interesting suggestion: the formation of an "International Digital Defense Network." The purpose of this network would be to perform routine scans to find problem systems early, then work to get the systems fixed. They would pattern it after some of the other network-wide processing initiatives, such as Seti@home. With enough systems, each could do a certain amount of watching without impacting its other uses.

The document also includes a fair amount of "war story" material, and a scary description (under "third week") of a truly high-clue break-in of one of their systems. Many of us have seen "script kiddies" at work, but these were a different breed of folks. Among other things, the attack shows a real-world use of a loadable kernel module to perform evil acts.

Their scanning system is also available for download. Definitely worth a read.

Security Reports

Some beta versions of EFNet's IRC daemon have a serious problem that could allow root access to the server. Fortunately, very few sites should be running this software. If you have one of them, have a look at this advisory, and upgrade to a newer version.

The telnet daemon has a problem in that it tries to verify the client side's terminal type. This verification happens prior to any type of authentication. By coming up with a cleverly crafted terminal type, a remote attacker can cause the telnet daemon to open an arbitrary file on the system, which can lead to denial-of-service attacks. No distributions have issued updates as yet; a source patch has been made available by Kevin Vajk.

Updates

Debian updates. Debian has put out a couple of security advisories for the cfingerd and isdnutils packages.

Red Hat updates. Red Hat put out two alerts for possible security problems. There is a libtermcap patch which fixes a buffer overrun problem which could be nasty - especially on pre-6.0 systems. There is also an update to pump (Red Hat's DHCP client) that DHCP users should apply.

Resources

What to do if you've been hacked is a brief ComputerWorld article with some advice on first steps to take when disaster strikes. It seems to be aimed more at managers than technical folks...

Section Editor: Liz Coolbaugh


August 19, 1999


Eklektix, Inc. Linux powered! Copyright © 1999 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds