[LWN Logo]
[LWN.net]

Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Back page
All in one big page

See also: last week's Security page.

Security


News and editorials

The DVD crack. To get support from major motion picture studios and other producers of video output, the creators of the DVD standard built into the DVD format encryption protections. Now it turns out that those encryption protections were pretty weak. NTKnow noted and followed the results when the source code for DeCSS, a package that can be used for copying DVD content to a harddrive, was made publicly available. This opened the encryption algorithm to public scrutiny, which resulted in it being quickly broken. The keys of over 170 DVD licensees were quickly extracted. NTKnow commented:
"The CSS decryption system sucks. It works by storing a whole bunch of keys on each DVD. Industry overseers, the DVD Forum, hand out one matching decryption key to each manufacturer: if any of these company's equipment got cracked, future DVD disc's were to be pressed without this key, making the crack (and that company's hardware) unusable with new movies. Quite whether the Forum would ever dare to carry out this threat against its own licensees is unclear."

The impact of this is yet to be seen. Will the Motion Picture Association withdraw its support for the technology? Will it just resort in more legal action to try and discourage piracy? No official comments out of the DVD community are available yet.

Meanwhile, of course, the issue of keeping encryption algorithms secret has been raised again. Some will argue that the algorithm would not have been broken if it were not exposed. The rest of us will argue that a public-review process would have prevented the use of a weak algorithm and therefore prevented this fiasco for the DVD industry.

IPsec, a rising star? Netscape/CMPNet appear to think so. This past week, they issued two feature articles focusing on IPsec. The first argues that IPsec's time as finally arrived.

It has been a long time coming. But IPSec, which languished in the IETF standards process during a bitter battle over control of its encryption-key architecture a couple of years ago, is finally showing some star quality. During the past year, this protocol for securing business-to-business IP traffic has shown up in popular VPN gateways, firewalls, switches and routers.
How to address the impact of IPsec on network bottlenecks was the focus of the second article
As the demand for Internet bandwidth continues to surge, one aspect of the networking landscape has been largely ignored: the need for security processing to be omnipresent. People tend to forget that although routers and switches approach the terabit range in capability, the ability to perform inline encryption and authentication typically remains restricted to 100 Mbits/second or lower. If one considers the additional overhead imposed by Internet Protocol Security (IPsec) processing (packet construction and deconstruction), then the task of supporting high-bandwidth data transmission becomes quite daunting.

Security Reports

uum and canuum. A recent posting to BugTraq reported several different vulnerabilities. Two of the vulnerabilities reported were Linux-related, dealing with two packages, umm and canuum, which are included with some Linux distributions for Japanese support. The vulnerabilities were specfically reported under TurboLinux, but may impact other distributions as well. No workaround is provided currently, so you may want to consider disabling or removing these packages until updates are provided. Both packages can be exploited to gain root privileges.

Updates

am-utils. Remotely exploitable buffer overflows.

lpd: File permission problems with lpr and lpd can allow a user to print a file which they are not allowed to read.

ypserv: ypserv prior to 1.3.9 had a variety of security problems. An upgrade to 1.3.9 is recommended.

Resources

Stack Shield 0.6. A new beta release of Stack Shield is now out. Stack Shield is a tool that can be used to recompile code to protect against potentially exploitable buffer overflows. This release includes a new protection against "function pointer" attacks.

Events

Section Editor: Liz Coolbaugh


November 4, 1999


Secure Linux Projects
Bastille Linux
Immunix
Khaos Linux
Secure Linux

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
Linux Security Audit Project
OpenSEC
Security Focus
SecurityPortal

 

Next: Kernel

 
Eklektix, Inc. Linux powered! Copyright © 1999 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds