Security

News and editorials

The Internet is to blame ..., or so this APBnews.com article would have you believe. They talk about the "hacker" sites on the Internet and blame them for the escalation in security problems out there.

"The Internet has always been a haven for computer criminals," said research analyst Adam Harriss. "The technologically savvy hackers have been online swapping tips and programming for decades, but now the information is being posted and sold at low cost in a form that even the techno-illiterate can understand. Causing damage to machines and infiltrating systems has become as easy as putting together a child's Christmas toy."

What are the problems with this type of commentary? Here are two examples. First, with a few exceptions, most of the sites they are talking about do not blatantly encourage criminal acts. Most of them exist to share knowledge so that people responsible for preventing security incidents can have access to all the information they need to find problems, fix them, and test their network security, as Robert G. Ferrell comments in his reaction to this article on the ISN mailing list. "Those of us who choose to defend the infrastructure, rather than attack it, need the information contained in most of these sites desperately."

Second, by focusing on the people who illegally try to hack sites, the true issue, creating secure applications and making it easier for people to find fixes and keep their systems secure, is totally overlooked. "That's too hard!" they might say, or perhaps companies are making too much money off of tools like anti-virus software to want to see the underlying problems addressed. "The problem is not the availability of data on how to breach a system; the problem is that the system can be breached in the first place," commented Jay D. Dyson.

OpenSSH officially released.
The OpenBSD folks have put out an official press release announcing the availability of OpenSSH, a new package based on an earlier version of ssh in which all proprietary code has been replaced (along with "libraries burdened with the restrictive GNU Public License (GPL)"). Familial bickering aside, this is a very good thing. The availability of a truly free version of ssh which can be packaged up with OpenBSD, Linux or any other operating system benefits all of us.

Security Reports

cdwtools: Suse reported problems in the cdwtools package, including some buffer overflows. They provide updated packages and indicate that other Linux distributions may be impacted. No updates for other distributions have been seen as of yet.

Updates

lpd: File permission problems with lpr and lpd can allow a user to print a file which they are not allowed to read.
screen: A package problem with Red Hat Linux 6.1 where ptys are created with insecure permissions. Non-Red Hat 6.1 based distributions and earlier versions of Red Hat are not affected.
wu-ftpd: Several new vulnerabilities were reported last week, including nasty buffer overflows and a remotely-exploitable root vulnerability. If you are running the wu-ftpd daemon, you need to upgrade immediately.
ypserv: ypserv prior to 1.3.9 had a variety of security problems. An upgrade to 1.3.9 is recommended.

Resources

Maximum Security Linux. Maximum Security Linux, recently announced by Macmillan USA, in association with SecurityPortal.com, combines documentation with GPL'd security tools, everything currently bundled under SecurityPortal.com's Linux Security Suite. Obviously, you can probably get everything in this package for free if you want to look for it. However, like a Linux distribution, the value here is in having someone else choose and put together a combination of tools for you.

The first public version of dosfw 0.1 was announced this week. It is a simple Linux netfilter firewall module, used to drop denial-of-service packets during an attack. "The current version supports only two attacks and TCP Fingerprint scan, but you may expect other attacks in the (hopefully near) future. Contributions are welcome."

Section Editor: Liz Coolbaugh
October 28, 1999