Date:         Mon, 19 Jun 2000 08:25:43 -0500
From: InfoSec News <isn@C4I.ORG>
Subject:      [ISN] Linux Security Week, June 19th 2000
To: ISN@SECURITYFOCUS.COM

Forwarded by: Benjamin D. Thomas <ben@linuxsecurity.com>

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|    June 19, 2000                           Volume 1, Number 8       |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin Thomas         ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security
newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security
headlines and system advisories. It is distributed each Monday by
Guardian Digital, Inc.

After two weeks of constant advisories, it's comforting to see the
amount of activity die down. This week, updates are available for the
Document Template package, BRU Backup Utility, Kerberos 5, and a bug
on FreeBSD/Alpha systems that weakens its encryption.

In the news, OpenBSD announces its release of version 2.7, Mimestar
"Shoots Down Intruders" by releasing Version 3.0.7 of SecureNet PRO,
and the U.S. House gives its "OK" to the digital signature bill.

This week a number of interesting papers were posted. The article
"Open Sources, Security by Default" discusses actions taken by the
OpenBSD team, and Theo De Raadt, the founder of OpenBSD. With the
release of OpenBSD 2.7, the goal was to "remove most of the
extraneous, unnecessary, and insecure protocols from the OS, tightened
up the default configuration, and then hunt for bugs ruthlessly."
Sound advice for all users.

The historical paper, "Security Controls for Computer Systems" was
referenced on our site this week. It is regarded as "The Paper that
Launched Computer Security." The paper discusses intrusions, physical
security, threats, policy considerations, and gives recommendations.
Anyone interested in computer security and its history should
definitely take a look at this.  A majority of this paper is applicable
to situations we face today.

We've recently learned that Red Hat has released a development build
of the 2.2.16 kernel which fixes several security issues discovered
last week. Information on this rawhide (development) version is
available at:
http://www.linuxsecurity.com/articles/host_security_article-909.html.
We'll post their formal announcement as soon as it's made.

Our sponsor this week is WebTrends.  Their Security Analyzer has the
most vulnerability tests available for Red Hat & VA Linux. It uses
advanced agent-based technology, enabling you to scan your Linux
servers from your Windows NT/2000 console and protect them against
potential threats. Now with over 1,000 tests available.

http://www.webtrends.com/redirect/linuxsecurity1.htm

HTML Version Available:
http://www.linuxsecurity.com/articles/forums_article-910.html

Advisories this Week:
---------------------

Conectiva: Zope problems in DocumentTemplate - 06/16/2000 - The issue
involves an inadequately protected method in one of the base classes
in the DocumentTemplate package that could allow the contents of
DTMLDocuments or DTMLMethods to be changed remotely or through DTML
code without forcing proper user authorization.

http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-490.html

RedHat 6.2: Kerberos 5 vulnerability - 06/15/2000 - Security
vulnerabilities have been found in the Kerberos 5 implementation
shipped with Red Hat Linux 6.2. A number of possible buffer overruns
were found in libraries included in the affected packages. A
denial-of-service vulnerability was also found in the ksu program.

http://www.linuxsecurity.com/advisories/advisory_documents/redhat_advisory-489.html

RedHat: New emacs packages available - 06/15/2000 - With emacs < 20.7,
unprivileged local users can eavesdrop the communication between Emacs
and its subprocesses. Red Hat offers an update for this package.

http://www.linuxsecurity.com/advisories/advisory_documents/redhat_advisory-487.html

Zope: Fixed version available - 06/15/2000 - The issue involves an
inadequately protected method in one of the base classes in the
DocumentTemplate package that could allow the contents of
DTMLDocuments or DTMLMethods to be changed remotely or through DTML
code without forcing proper user authorization.

http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-488.html

Caldera: local ROOT exploit in BRU - 06/14/2000 - There is a serious
vulnerability in the commandline option and logfile handling of the
BRU Backup Utility which can be exploited by a local attacker to gain
root access to the machine.

http://www.linuxsecurity.com/advisories/advisory_documents/caldera_advisory-486.html

FreeBSD: Alpha port vulnerability - 06/12/2000 - Cryptographic secrets
(such as OpenSSH public/private keys) generated on FreeBSD/Alpha
systems may be much weaker than their "advertised" strength, and may
lead to data compromise to a dedicated and knowledgeable attacker.

http://www.linuxsecurity.com/advisories/advisory_documents/freebsd_advisory-485.html

Linux Host Security:
--------------------

Network Intrusion Detection, An Analyst's Handbook - 6/17/2000 - Here
is an interesting book review for "Network Intrusion Detection, An
Analyst's Handbook". It gives chapter-by-chapter summaries throughout
the book. "This book is far-and-away one of the more relevant and
well-written books on security issues, and should be required reading
for every system administrator and network professional."

http://www.linuxsecurity.com/articles/intrusion_detection_article-904.html

Linux Kernel Bug prompts Security Alert - 6/15/2000 - The perceived
security of Linux has suffered a setback after the discovery of a
serious bug in the Linux kernel which allows attackers to gain root
access through a variety of programs, including Sendmail. The kernel
bug affects versions 2.2.15 and earlier, as well as some 2.4.0
versions, and Linux users are advised to upgrade to 2.2.16. The
problem is all the more serious because code that exploits the flaw
has been posted widely on the internet, including on a number of
well-known security sites.

http://www.linuxsecurity.com/articles/host_security_article-887.html

Detecting Signs of Intrusion - 6/14/2000 - This paper discusses
various ways to detect intrusions. Intruders are always looking
for new ways to break into systems. "They may attempt to breach your
network's perimeter defenses from remote locations, or physically
infiltrate your organization to gain direct access to its information
resources."

http://www.linuxsecurity.com/articles/intrusion_detection_article-882.html

An Overview of TCP and IP Spoofing - 6/12/2000 - To understand the
spoofing process, I will begin by explaining the TCP and IP
authentication process. Then I will discuss how an attacker can spoof
your network.

http://www.linuxsecurity.com/articles/network_security_article-862.html

Linux Server Security:
----------------------

Building a Secure Gateway System - 6/15/2000 - This article explains
how to secure a Linux gateway. If you do not have a gateway already
set up, it suggests that you read this article. The author assumes that
you are already familiar with Linux and currently have a constant
connection to the internet.

http://www.linuxsecurity.com/articles/network_security_article-886.html

Sub7 vid Trojan can launch distributed attacks - 6/17/2000 - As it
turns out, the most recent build of Sub7 contains an undocumented
feature which can indeed be used to ping the living hell out of Web
servers, from numerous infected clients simultaneously, according to
research just completed by security outfit iDefense.

http://www.linuxsecurity.com/articles/network_security_article-903.html

BIND 8.2.x Overflow Vulnerability - 6/16/2000 - This paper covers a
BIND buffer overflow that exists in 8.2, 8.2.1 and 8.2.2. Here CIAC
explains how the exploit works, "The exploit requires two systems to
be successful. The first is a DNS server that will have an altered DNS
table. The second machine is where the attack will take place."

http://www.linuxsecurity.com/articles/server_security_article-900.html

The Secrets of Snoop - 6/15/2000 - Lance writes, "Sniffers have
exploded in popularity over the past several years, from Network
General's Netxray and Microsoft's Network Monitor, to public domain
tools such as Etherman and Curry Sniffer. These tools are used for
various reasons, including network troubleshooting, traffic analysis,
node discovery, etc. We will be covering one of the most common, yet
effective sniffers, snoop."

http://www.linuxsecurity.com/articles/intrusion_detection_article-889.html

Cracked! part 5: Rebuilding - 6/12/2000 - This is the fifth part of
the story of a community network that was cracked and what was done to
recover from it. By this point we have realized that we must get the
cracker off of our machines before it is too late. It is only a matter
of time before he trashes our system to clean up his tracks, gets a
sniffer running under a different architecture or uses us to launch
some denial of service attack.

http://www.linuxsecurity.com/articles/intrusion_detection_article-861.html

Cryptography:
-------------

Bruce Schneier's Crypto-Gram - 6/16/2000 - In this month's issue of
Bruce Schneier's Crypto-Gram, he discusses SOAP, Crypto-Gram Reprints,
News, Counterpane Internet Security News, Java and Viruses, The
Doghouse: Infraworks, The Data Encryption Standard (DES), and Comments
from readers. Always an excellent read.

http://www.linuxsecurity.com/articles/cryptography_article-898.html

The Death of Unencrypted Connections? - 6/14/2000 - Over the last few
years "hacker" tools have become much more widespread and available to
malicious attackers. Combine this with the ease of getting operating
systems - almost anything a corporation has short of a mainframe OS
you can download from the Internet and run on your Intel PC.
Encryption is now more important than ever.

http://www.linuxsecurity.com/articles/network_security_article-879.html

New MI5 unit to crack criminal computer codes - 6/13/2000 - A special
codebreaking organisation is to be set up inside the headquarters of
MI5 to crack encrypted communications and computer discs belonging to
suspected organised criminals and terrorists. The new centre, which
will begin to recruit expert codebreakers soon, will cost about 25
million over the next few years, and has already been budgeted for by
the Home Office.

http://www.linuxsecurity.com/articles/cryptography_article-872.html

Products/Vendors/Tools:
-----------------------

OpenBSD Announces Release 2.7 - 6/15/2000 - Calgary, Canada -- OpenBSD
announces release 2.7 of the "Secure by Default" operating system for
Internet servers and workstations. OpenBSD 2.7 significantly enhances
the built-in strong cryptography with the OpenSSH suite to support the
SSH 1 and 2 secure communication protocols and drivers for hardware
accelerators for IPSec VPNs.

http://www.linuxsecurity.com/articles/cryptography_article-872.html

RootFest Opens Today - 6/14/2000 - "The Midwest's largest computer
security convention opens today in St. Paul's RiverCentre. RootFest
organizers estimate that as many as 1000 people may attend RootFest
this year."

http://www.linuxsecurity.com/articles/projects_article-883.html

MimeStar Shoots Down Intruders - 6/12/2000 - Version 3.0.7 of
MimeStar's SecureNet PRO Network Intrusion Detection and Monitoring
suite has been unveiled, revealing an enterprise-scalable security
platform with custom protocol decoding, real-time monitoring and
unique intrusion response features.

http://www.linuxsecurity.com/articles/intrusion_detection_article-866.html

Internet Security Voice Verification Technology - 6/12/2000 - Israeli
start-up Sentry Com has developed technology for a biometric voice
signature that is capable of creating a revolution in entry security
and protection of commercial transactions over the Internet. The
company's product, named VoiceShield, was demonstrated for the first
time at the SuperCOM 2000 communications exhibition in Atlanta in the
US at the end of last week, and aroused a great deal of interest.

http://www.linuxsecurity.com/articles/vendors_products_article-856.html

General News:
--------------

IT Directors Under Fire for Poor Security Policies - 6/15/2000 - IT
decision makers have come under fire for failing to invest in adequate
network security as more companies adopt ecommerce strategies.
According to a report by research house Ovum, organisations are
increasingly relying on an out-dated approach to security. A failure
to distinguish between different applications and systems also left
the network vulnerable to intruders.

http://www.linuxsecurity.com/articles/network_security_article-888.html

U.S. House gives OK to digital signature - 6/15/2000 - A bill that
gives electronic signatures and documents the same force in law as
their paper counterparts won near unanimous approval in the U.S. House
of Representatives on Wednesday. Under the proposed law, consumers and
businesses will be able to sign checks, complete loan applications and
contract services all online in a further broadening of e-commerce.

http://www.linuxsecurity.com/articles/general_article-893.html

Old security models inadequate for ebusiness - 6/15/2000 - In its
report E-Business Security: New Directions and Successful Strategies,
Ovum argues that the traditional hierarchy of trust adopted by
organisations does not fit the ebusiness model, meaning that access
channels, such as mobile devices, could pose a major security threat.

http://www.linuxsecurity.com/articles/network_security_article-890.html

The Paper that Launched Computer Security - 6/13/2000 - This is
reportedly the document that started computer security. It discusses
intrusions, physical security, threats, policy considerations, and
recommendations. Quite good.

http://www.linuxsecurity.com/articles/documentation_article-871.html

Open Sources, Security by Default - 6/12/2000 - What would happen if you
removed most of the extraneous, unnecessary and insecure protocols
from your OS, tightened up the default configuration and then hunted
bugs ruthlessly? Something very much like OpenBSD, because that's
precisely what project founder Theo De Raadt decided to do. The result
has been largely successful in terms of achieving "security by
default."

http://www.linuxsecurity.com/articles/host_security_article-860.html


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
------------------------------------------------------------------------

ISN is sponsored by SecurityFocus.com