
Security


News and editorials

The Internet is to blame ..., or so this APBnews.com article would have you believe. They talk about the "hacker" sites on the Internet and blame them for the escalation in security problems out there.
"The Internet has always been a haven for computer criminals," said research analyst Adam Harriss. "The technologically savvy hackers have been online swapping tips and programming for decades, but now the information is being posted and sold at low cost in a form that even the techno-illiterate can understand. Causing damage to machines and infiltrating systems has become as easy as putting together a child's Christmas toy."
What are the problems with this type of commentary? Here are two examples. First, with a few exceptions, most of the sites they are talking about do not blatantly encourage criminal acts. Most of them exist to share knowledge so that people responsible for preventing security incidents can have access to all the information they need to find problems, fix them, and test their network security, as Robert G. Ferrell comments in his reaction to this article on the ISN mailing list. "Those of us who choose to defend the infrastructure, rather than attack it, need the information contained in most of these sites desperately."

Second, by focusing on the people who illegally try to hack sites, the true issue, creating secure applications and making it easier for people to find fixes and keep their systems secure, is totally overlooked. "That's too hard!" they might say, or perhaps companies are making too much money off of tools like anti-virus software to want to see the underlying problems addressed. "The problem is not the availability of data on how to breach a system; the problem is that the system can be breached in the first place", commented Jay D. Dyson.

OpenSSH officially released. The OpenBSD folks have put out an official press release announcing the availability of OpenSSH, a new package based on an earlier version of ssh in which all proprietary code has been replaced (along with "libraries burdened with the restrictive GNU Public License (GPL)"). Familial bickering aside, this is a very good thing. The availability of a truly free version of ssh which can be packaged up with OpenBSD, Linux or any other operating system benefits all of us.

Security Reports

cdwtools: SuSE reported problems in the cdwtools package, including some buffer overflows. They provide updated packages and indicate that other Linux distributions may be impacted. No updates for other distributions have been seen as of yet.

Updates

lpd: File permission problems with lpr and lpd can allow a user to print a file which they are not allowed to read.

screen: A packaging problem in Red Hat Linux 6.1 causes screen to create ptys with insecure permissions. Distributions not based on Red Hat 6.1 and earlier versions of Red Hat are not affected.
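The screen item above is the kind of problem an administrator can check for directly rather than waiting for a package update to arrive, and the check applies to any program that allocates ptys, not just screen. The following is an added example, not code from this page, from Red Hat or from the screen project: a small POSIX shell audit that lists terminal device nodes in a directory (by default /dev/pts, which is an assumption about the system's layout) whose mode is looser than the usual 0620, i.e. anything that grants group read or any access to "other". A pty slave that other users can read lets them watch the session; one they can write lets them inject into it.

```shell
#!/bin/sh
# Added example (not from the LWN page, Red Hat or the screen project):
# audit pseudo-terminal device nodes for permissions looser than the usual
# 0620 (rw--w----: owner read/write, group write-only so that write(1) and
# wall(1) can deliver messages). The default directory /dev/pts is an
# assumption about the system's layout; pass another path as the argument.

# Print every character device (or regular file, so the function can be
# exercised on a scratch directory) directly under "$1" whose mode has any
# of: group read (040), other read (004), other write (002).
insecure_ptys() {
    dir="${1:-/dev/pts}"
    if [ ! -d "$dir" ]; then
        echo "insecure_ptys: no such directory: $dir" >&2
        return 2
    fi
    # "-perm -NNN" matches when all of the given bits are set; the three
    # alternatives together catch any node readable by group or touchable
    # by others. -maxdepth is GNU/BSD find, not strict POSIX, but universal.
    find "$dir" -maxdepth 1 \( -type c -o -type f \) \
        \( -perm -040 -o -perm -004 -o -perm -002 \) 2>/dev/null
}

# Number of offending entries as a bare integer (handy for cron or a test).
count_insecure_ptys() {
    insecure_ptys "$1" | wc -l | tr -d ' '
}

# Human-readable report; returns 1 when anything is flagged, 0 when clean.
report_insecure_ptys() {
    dir="${1:-/dev/pts}"
    n=$(count_insecure_ptys "$dir")
    if [ "$n" -eq 0 ]; then
        echo "OK: no loosely-permissioned pty nodes under $dir"
        return 0
    fi
    echo "WARNING: $n pty node(s) under $dir readable by group or accessible by others:"
    insecure_ptys "$dir" | while read -r node; do
        ls -l "$node"
    done
    return 1
}

# Direct use: sh pty_audit.sh [directory]. Nothing runs when sourced or
# invoked without arguments, so the functions can be reused from other scripts.
if [ $# -gt 0 ]; then
    report_insecure_ptys "$1"
fi
```

The mode bits are checked with find rather than by trying to open each node, so the audit gives the same answer whether it is run by root or by an ordinary user; a clean result from this check does not by itself prove a package is fixed, but a non-empty one is a reliable sign that something on the system is still handing out readable or writable terminals.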

wu-ftpd: Several new vulnerabilities were reported last week, including nasty buffer overflows and a remotely-exploitable root vulnerability. If you are running the wu-ftpd daemon, you need to upgrade immediately.

ypserv: ypserv prior to 1.3.9 had a variety of security problems. An upgrade to 1.3.9 is recommended.

  • SuSE
  • Debian (full nis package update, with changes to rpc.yppasswd as well)

Resources

Maximum Security Linux. Maximum Security Linux, recently announced by Macmillan USA, in association with SecurityPortal.com, combines documentation with GPL'd security tools, everything currently bundled under SecurityPortal.com's Linux Security Suite. Obviously, you can probably get everything in this package for free if you want to look for it. However, like a Linux distribution, the value here is in having someone else choose and put together a combination of tools for you.

The first public version of dosfw 0.1 was announced this week. It is a simple Linux netfilter firewall module, used to drop denial-of-service packets during an attack. "The current version supports only two attacks and TCP Fingerprint scan, but you may expect other attacks in the (hopefully near) future. Contributions are welcome."

Section Editor: Liz Coolbaugh


October 28, 1999

Copyright © 1999 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds