Security

News and editorials

Distributed denial of service attacks are certainly the theme of the week, after the high-profile shutdown of Yahoo and other prominent commercial sites. These attacks do not attempt to exploit any particular security vulnerability in the operating system; instead, they simply flood the target site with traffic from a large number of compromised systems distributed across the net. As a result, they are very hard to defend against. There is no hole to patch, no single attacking site to block.

The real problem, the thing that makes these attacks possible, is the presence of hundreds or thousands of compromised systems on the net. The existence of these systems makes the Internet an inherently unhealthy thing. Until this contagion can be cleaned up, these sorts of attacks will continue.

Cleaning up, however, is easier said than done. The only thing that will work, perhaps, is some means of isolating compromised systems from the rest of the net. Disconnection renders the broken systems harmless to the net as a whole, and gets the attention of the administrators. Open relay blacklists have helped to reduce the number of systems used to relay spam, even if they have not eliminated the problem. A similar system for the net as a whole would be far more challenging to design and implement, but may need to be considered.

Those interested in the mechanics of distributed DOS attacks may want to look at these analyses of the trinoo and Tribe Flood Network schemes, done by David Dittrich.

Forbes on Security. A Private Little Cyberwar is an article in Forbes Magazine on what can happen when crackers turn mean. Worth a read for any who are out there on the front lines dealing with these sorts of folks.

Linux Intrusion Detection System 0.8. A new stable version of LIDS has been announced. This is equivalent to the 0.8pre4 development version. "The Linux Intrusion Detection System is a patch which enhances the kernel's security. When it's in effect, many system administration operations can be made impossible even for root."

Locking up Linux. PC Week ran this article about Linux and security. It's a reasonable and straightforward look, asking questions about whether open source adds to or detracts from security. Worth a read.

Security Reports

MySQL server has a remote access vulnerability, which can allow remote users to bypass authentication checks. Details can be found in this advisory; a patch has been posted for those who build MySQL from source. Updated packages from distributors will presumably come soon.

The commercial Zeus web server has a problem which can allow the source of CGI scripts to be fetched by a remote site. A fix has been made available by Zeus Technology; see the announcement for download information.

A bug in GNQS can allow users to obtain root privileges; see this note for details. Sites running GNQS should upgrade to version v3.50.8.

Resources

Bastille Linux. A new version of Bastille Linux is getting closer, as demonstrated by the recent announcement of Bastille Linux 1.0.3.pre5. Bastille Linux is a hardening script which takes an existing Red Hat Linux distribution and improves the security to a reasonable level. The new beta supports Red Hat 6.1 and a new installation/automation script.

Section Editor: Liz Coolbaugh
February 10, 2000