
Security


News and Editorials

What's in Windows XP? Newsbytes reported a claim by an Al Qaeda suspect that saboteurs infiltrated Microsoft to plant "trojans, trapdoors, and bugs in Windows XP." This claim is difficult to believe, to say the least. Still, one wonders just how Microsoft would go about convincing its customers that Windows XP doesn't contain "trojans, trapdoors, and bugs" planted by Al Qaeda. A development process that allows flight simulators to be slipped into a spreadsheet product seems unlikely to be able to prevent more subtle insertions.

Companies selling closed source software are especially vulnerable to attacks like this one. Even groundless rumors can inflict real damage when you sell closed source software. Only when source code is available for public inspection can the public know what is fact and what is a cruel lie.

FBI reportedly seeks personal data without a warrant. The Daily Rotten has reported that the FBI has requested access to the Badtrans worm's pilfered data. Millions of victims of Badtrans had passwords and other personal data pilfered by a keystroke logger. The virus sent the stolen data back to a number of email addresses. One of the addresses was a free email account at IJustGotFired.com. IJustGotFired is owned by MonkeyBrains.

The rotten.com story states that last week the FBI contacted the owner of MonkeyBrains and requested a cloned copy of the password database and keylogged data sent to IJustGotFired.

The FBI wants indiscriminant [sic] access to the illegally extracted passwords and keystrokes of over two million people without so much as a warrant. Even with a warrant they would have to specify exactly what information they are after, on whom, and what they expect to find. Instead, they want it all and for no justifiable reason.

The Register described the request as a "surveillance bonanza" for the FBI.

Know Your Enemy: Honeynets (LinuxSecurity). LinuxSecurity.com is running a lengthy article on building honeynets. "Conceptually, Honeynets are a simple mechanism. We create a network similar to a fishbowl, where we can see everything that happens inside it. Similar to fish in a fishbowl, we can watch and monitor attackers in our network. Also just like a fishbowl, we can put almost anything in there we want. This controlled network, becomes our Honeynet. The captured activity teaches us the tools, tactics, and motives of the blackhat community."

December CRYPTO-GRAM newsletter. Bruce Schneier's CRYPTO-GRAM newsletter for December is out. Covered topics include national ID cards, SMTP banners, and forcing companies with bad security off the net. "This is where the legal system can step in. I like to see companies told that they have no business putting the security of others at risk. If a company's computers are so insecure that hackers routinely break in and use them as a launching pad for further attacks, get them off the Internet. If a company can't secure the personal information it is entrusted with, why should it be allowed to have that information?"

Security Reports

Buffer overflow problem in glibc. EnGarde Secure Linux and Red Hat released updates this week fixing the buffer overflow problem in the glibc filename globbing code.

For those who are interested, here is a detailed description of this vulnerability from Global InterSec LLC. Expect glibc updates from most other distributors in the near future.

Mandrake security update to passwd. MandrakeSoft has issued an update to its passwd package. Evidently a PAM misconfiguration in Mandrake Linux 8.1 can prevent the use of MD5 passwords.

web scripts. The following web scripts were reported to contain vulnerabilities:

  • The PHP script "Unix Manual" allows users to execute arbitrary shell commands, as reported on Bugtraq.

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

Updates

Mailman cross-site scripting vulnerability. This vulnerability was first reported by LWN on December 13th.

This week's updates:

Previous updates:

OpenSSH UseLogin vulnerability. This obscure vulnerability is not of concern to most sites. This problem first appeared in the December 6th LWN security page.

This week's updates:

Previous updates:

Multiple vendor telnetd vulnerability. This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.

This week's updates:

Previous updates:

Resources

Recent SSH vulnerabilities is the topic of this CERT advisory on recent activity against secure shell daemons. "While these problems have been previously disclosed, we believe many system and network administrators may have overlooked one or more of these vulnerabilities. We are issuing this document primarily to encourage system and network administrators to check their systems, prior to the holiday break."

Email Security through Procmail version 1.131 was announced this week. This is a "collection of methods to sanitize e-mail, removing obvious exploit attempts and disabling the channels through which exploits are delivered. Facilities for detecting and blocking Trojan Horse exploits and worms are also provided."

Events

Upcoming Security Events.

CodeCon Call for Papers. The Linux Journal is running the final CodeCon 2002 call for papers. This event will be held February 15 to 17 in San Francisco, and is intended to be "the premier event in 2002 for the P2P, cypherpunk and network/security application developer community." The CFP deadline is January 1, so time is running out.

Date | Event | Location
December 27 - 29, 2001 | 18th Chaos Communication Congress | Berlin, Germany
January 7 - 9, 2002 | 2002 Federal Convention on Emerging Technologies: a Homeland Security Forum | Las Vegas, Nevada, USA
January 30 - February 2, 2002 | Second Annual Privacy and Data Protection Summit | Washington D.C., USA
February 15 - 17, 2002 | CODECON 2002 | San Francisco, California, USA
February 18 - 22, 2002 | RSA Conference 2002 | San Jose, CA., USA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney


December 20, 2001

Eklektix, Inc. Linux powered! Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds