+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|    May 29, 2000                            Volume 1, Number 5       |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin Thomas         ben@linuxsecurity.com     |
+---------------------------------------------------------------------+


Greetings! Last week was another active week for security advisories.
(Thirteen advisories were issued!) These advisories ranged from a gpm
vulnerability in TurboLinux to fdmount buffer overflows in Mandrake and
Slackware. TurboLinux, SuSE, Slackware, Red Hat, Caldera, Mandrake, and
FreeBSD all had advisories issued last week. Once again, you may want to
pay close attention to these and take extra steps to prevent your system
from being vulnerable.

In the news, the open-source debate continued. Articles such as 'Without
Peer: Open Source Security,' 'The Value of Open Source,' and 'The Myth of
Open Source Security' all posed interesting questions. Another interesting
article to check out is 'Who do we really Blame for Viruses?' All Linux
enthusiast should find it entertaining. 

If you are looking for papers on how to better secure your system, I would
like to recommend that you read 'Setting up Portsentry' and 'Know Your
Enemy: A Forensic Analysis' Although Portsentry is not the ultimate
security solution, it is a great start for any administrator.

Thank you for reading LinuxSecurity.com's weekly security newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's most relevant Linux security headlines and system advisories.
It is distributed each Monday by Guardian Digital, Inc.
Would you like to contribute to this newsletter? We'd love to hear from
you. Email newsletter-admins@linuxsecurity.comwith comments, suggestions,
or information on projects you're working on. To subscribe, send an email
to newsletter-request@linuxsecurity.comwith "subscribe" in the subject.

Editorial Team:

Dave Wreski           dave@linuxsecurity.com
Benjamin Thomas    ben@linuxsecurity.com


Linux Security Week Index:


Advisories:

May 28th, 2000 - FreeBSD: users can prevent all processes from exiting
May 28th, 2000 - FreeBSD: krb5 port contains remote and local root
May 26th, 2000 - TurboLinux: gpm-1.19.1 and earlier
May 26th, 2000 - SuSE: gdm root compromise vulnerability
May 25th, 2000 - Slackware: fdmount vulnerability
May 24th, 2000 - XFree86: Multiple distribution vulnerability
May 24th, 2000 - Red Hat: Secure Web Server 3.0-3.2: mailmail
May 24th, 2000 - Qpopper Vulnerability
May 24th, 2000 - Mandrake 7: dump vulnerability
May 24th, 2000 - Mandrake: xemacs vulnerability
May 24th, 2000 - Mandrake: fdmount buffer overflow
May 24th, 2000 - Caldera: buffer overflow in kdm
May 23rd, 2000 - Caldera: DoS attack against X server


Linux Host Security:

May 25th, 2000 - The Top 10 Security Risks
May 24th, 2000 - Intrusion Detection on Linux
May 24th, 2000 - Analyzing Future Computer Trends and Threats
May 24th, 2000 - Always-on Internet Security
May 23rd, 2000 - Intrusion Detection on Linux
May 22nd, 2000 - Mini-FAQ: "antivirus software for Linux"


Linux Server Security: 

May 26th, 2000 - NIPC Tool to Detect the mstream DDoS
May 25th, 2000 - LinuxNewbie.org: Setting up Portsentry
May 23rd, 2000 - Know Your Enemy: A Forensic Analysis
May 22nd, 2000 - Cracked! Part 3: Hunting the Hunter


Firewall News: 

May 25th, 2000 - Running a BSD-based Firewall


Cryptography: 

May 25th, 2000 - Foiling the Internet Spooks
May 25th, 2000 - Secure Deletion of Data
May 24th, 2000 - PGP 5.0 Key Generation Flaw
May 23rd, 2000 - European Union sets free export of encryption
May 22nd, 2000 - TurboLinux and RSA Security Align 
May 22nd, 2000 - Sony launches PKI compliant fingerprint-scanning


Vendors/Products/Tools: 

May 27th, 2000 - E-business Embraces PKI
May 26th, 2000 - Invest in security or pay the price, warns Gartner
May 26th, 2000 - Secure Web-2-WAP File Transfers 
May 24th, 2000 - E-commerce software market gets open-source boost
May 22nd, 2000 - Dsniff v2.1 Released


General Community News: 

May 26th, 2000 - The Myth of Open Source Security
May 25th, 2000 - Everything You Need to Know about Managed Security
May 24th, 2000 - Experts lecture feds on cybersecurity
May 23rd, 2000 - Linux leaders: Beware of Napster
May 23rd, 2000 - Who do we really Blame for Viruses?
May 22nd, 2000 - Computer 'shrinkwrap' license binding
May 22nd, 2000 - Without Peer: Open Source Security
May 22nd, 2000 - The Value of Open Source



Advisories this Week:

May 28th, 2000
FreeBSD: local users can prevent all processes from exiting

An undocumented system call is incorrectly exported from the kernel
without access-control checks. This operation causes the acquisition in
the kernel of a global semaphore which causes all processes on the system
to block during exit() handling, thereby preventing any process from
exiting until the corresponding "unblock" system call is issued.

http://www.linuxsecurity.com/advisories/advisory_documents/freebsd_advisory-447.html


May 28th, 2000
FreeBSD: krb5 port contains remote and local root exploits.

The MIT Kerberos 5 port, versions 1.1.1 and earlier, contains several
remote and local buffer overflows which can lead to root compromise.

http://www.linuxsecurity.com/advisories/advisory_documents/freebsd_advisory-448.html


May 26th, 2000
TurboLinux: gpm-1.19.1 and earlier

The gpm-root program, included in the gpm package, contains a programming
error whereby a call to setgid() fails, and defaults to the group of the
gpm-root binary. The group for the gpm-root binary in the affected
installations is root.

http://www.linuxsecurity.com/advisories/advisory_documents/turbolinux_advisory-449.html


May 26th, 2000
SuSE: gdm root compromise vulnerability

The GNOME package includes a xdm replacement called gdm for handling
graphical console and network logins. The gdm code, that process' logins
over the network, could be tricked into writing data from the network
right into the stack. This condition exists while gdm is running with root
privileges and before the user is authenticated.

http://www.linuxsecurity.com/advisories/advisory_documents/suse_advisory-446.html


May 25th, 2000
Slackware: fdmount vulnerability

The fdmount program shipped with Slackware has been shown to be vulnerable
to a buffer overflow exploit. A user must be in the "floppy" group to execute
fdmount, but because fdmount is suid root this is a security problem.

http://www.linuxsecurity.com/advisories/advisory_documents/slackware_advisory-444.html


May 24th, 2000
XFree86: Multiple distribution vulnerability

Remote users can, by sending a malformed packet to port 6000 TCP, cause a
victim X server to freeze for a couple of minutes. During the freeze, the
mouse does not move, the screen does not update in any way. Worse, the
keyboard is unresponsive, INCLUDING console-switch and kill-server key
combinations. For many users, the machine might as well have crashed and a
full reboot via "the Big Red Button" will be performed.

http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-439.html


May 24th, 2000
Red Hat: Secure Web Server 3.0-3.2: mailmail vulnerability

New mailman packages are available which close security holes present in
earlier versions of mailman. All sites using the mailman mailing list
management software should upgrade.

http://www.linuxsecurity.com/advisories/advisory_documents/redhat_advisory-442.html


May 24th, 2000
Qpopper Vulnerability

The exploit (details below) involves sending a specially-constructed
message to a user, then logging in as that user and issuing the EUIDL
command. A successful attack can yield a shell running with group 'mail'.

http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-441.html


May 24th, 2000
Mandrake 7: dump vulnerability

Dump may cause security problem due to a buffer overflow. This package
removes the set gid root on the dump exec file. 

http://www.linuxsecurity.com/advisories/advisory_documents/mandrake_advisory-440.html


May 24th, 2000
Mandrake: xemacs vulnerability

Under some circumstances, users are able to snoop on other users'
keystrokes. This is a serious problems if you use modules that require
e.g. input of passwords, such as MailCrypt. 

http://www.linuxsecurity.com/advisories/advisory_documents/mandrake_advisory-438.html


May 24th, 2000
Mandrake: fdmount buffer overflow

A vulnerability in fdmount will allow any user to exploit a buffer
overflow. This user, when he is in the floppy group, can have a root
access on the machine. 

http://www.linuxsecurity.com/advisories/advisory_documents/mandrake_advisory-437.html


May 24th, 2000
Caldera: buffer overflow in kdm

There is a buffer overflow in kdm, the KDE graphical login manager. Since
the buffer variable that is affected is NOT on the stack but in the data
area, it is not clear whether this bug can be exploited.

http://www.linuxsecurity.com/advisories/advisory_documents/caldera_advisory-450.html


May 23rd, 2000
Caldera: DoS attack against X server

A bug was discovered in the X server's authentication code that allows a
remote user to completely hang the victim's X server at least for a
considerable amount of time, and eventually crash it. While the X server
is frozen, it is not even possible to switch to a different console. 

http://www.linuxsecurity.com/advisories/advisory_documents/caldera_advisory-436.html



--------------------------------------------------------------------------

Linux Host Security:


May 25th, 2000
The Top 10 Security Risks

Here's a list of the most common security vulnerabilities found to date.
"This list is derived from various trusted sources including Internet
Security Systems (ISS) X-Force analysis, customer input, ISS Professional
Services, and security partners. The top 10 list is maintained by ISS
X-Force and distributed quarterly." 

http://www.linuxsecurity.com/articles/general_article-736.html

May 24th, 2000
Intrusion Detection on Linux

This SecurityFocus article discusses configuring PortSentry, monitoring
system logs, LogCheck and kernel security patches to improve the security
of your Linux box. "This article focuses on several host-based intrusion
detection systems that are available on Linux. In particular, I will cover
some of the basics of installing setting up these packages, how they are
useful, and in what circumstances they can be used." 

http://www.linuxsecurity.com/articles/intrusion_detection_article-731.html

May 24th, 2000
Analyzing Future Computer Trends and Threats

Computer security plays out mostly as a game of "catch-up." The latest
threat hits the servers, then the media, and everyone scrambles to react.
A "plague of the week" syndrome is the motif for much of what happens in
the IT community. For warfare generates chaos, and managing chaos is about
as easy as building a house with bricks of Jello

http://www.linuxsecurity.com/articles/general_article-727.html

May 24th, 2000
Always-on Internet Security

The two best things about those fast Internet connections you get from
cable, DSL, and ISDN are that you don't have to dial a number to connect
to the Internet, and they are also easy to share over a network. That's
also the worst thing about them--the Internet's a two-way street, and when
you've got always-on access to the Net, the Net has the same access to
your hard disk. And as for networking... well, that presents its own set
of problems, especially in the telecommuter home office and the satellite
corporate bureau. 

http://www.linuxsecurity.com/articles/network_security_article-722.html

May 23rd, 2000
Intrusion Detection on Linux

This article focuses on several host-based intrusion detection systems
that are available on Linux. In particular, I will cover some of the
basics of installing setting up these packages, how they are useful, and
in what circumstances they can be used. This article assumes a basic
knowledge of systems security. In particular, I will assume that the most
basic security measures have already been taken to secure a host against
intrusion from the internet. 

http://www.linuxsecurity.com/articles/network_security_article-718.html

May 22nd, 2000
Mini-FAQ: "antivirus software for Linux"

Rainer submitted a pointer to a mini-faq he has written on virus
protection software for Linux. It discusses commercial and
freely-available products as well. This is more of a Resource link, but
due to it's timeliness... 

http://www.linuxsecurity.com/articles/documentation_article-715.html


--------------------------------------------------------------------

Linux Server Security:


May 26th, 2000
NIPC Tool to Detect the mstream DDoS

The potential represented by the "mstream" Distributed Denial of Service
(DDoS) exploit is a serious and continuing threat. This advisory provides
an update to a previously delivered NIPC DDoS detection tool that now
allows users to identify the presence of mstream on host systems. The NIPC
recommends that all computer network owners and organizations examine
their systems for evidence of DDoS tools, including mstream. 

http://www.linuxsecurity.com/articles/server_security_article-742.html

May 25th, 2000
LinuxNewbie.org: Setting up Portsentry

Okay, before I start to tell you how great Portsentry is and how you to
can install and use it, I'm going to give two pieces of advice. First,
read this all the way through prior to doing ANYTHING! This is especially
true for my fellow Debian users. There is a special treat near the end for
you, but this is advice everyone should follow. Second, while Portsentry
is an excellent security application, having it is not an excuse to be
lazy on security. You can't put Portsentry on an entirely insecure box
with everyone's worst security holes and expect it to be secure. It isn't
happening. That said, I will continue. 

http://www.linuxsecurity.com/articles/host_security_article-732.html

May 23rd, 2000
Know Your Enemy: A Forensic Analysis

This paper, the fourth of the series, studies step by step a successful
attack of a system. However, instead of focusing on the tools and tactics
used, we will focus on how we learned what happened and pieced the
information together. The purpose is to give you the forensic skills
necessary to analyze and learn on your own the threats your organization
faces. 

http://www.linuxsecurity.com/articles/intrusion_detection_article-720.html

May 22nd, 2000
Cracked! Part 3: Hunting the Hunter

Noel continues the story of when some Unix boxes that he helped admin were
cracked. This article talks about some of the efforts made to track down
the cracker and some surprises. This is the third part of the story of a
community network that was cracked and what was done to recover from it.
The first part Cracked! Part1: Denial and truth details the report that
leads to the discovery that the community network was indeed cracked and
some of the initial reactions. The second article Cracked! Part 2:
Watching and Waiting talks about how they learned more about the cracker
and what they did next. This article talks about some of the efforts made
to track down the cracker and some surprises. 

http://www.linuxsecurity.com/articles/server_security_article-712.html


----------------------------------------------------------------------

Firewall News:


May 25th, 2000
Running a BSD-based Firewall

Internet security is currently a hot topic. Because of that, many smaller
networks are turning toward firewalls to give them some protection. Many
of these networks do not have the money to pay for a commercial firewall
product, so they are moving to free Unix-based firewalls such as IP
Firewall, IP Filter or IPChains. 

http://www.linuxsecurity.com/articles/firewalls_article-739.html

-------------------------------------------------------------------------


Cryptography:


May 25th, 2000
Foiling the Internet Spooks

Here's a good article on the status of the DES replacement, apparently due
to be announced in the summer. "The National Institute of Standards and
Technology (NIST, www.nist.gov) is developing the standard as a
replacement to the popular DES algorithm. NIST has already considered 15
proposals for the Advanced Encryption Standard (AES). Five made the final
round of evaluation: MARS from IBM; RC6 from RSA Laboratories
(www.rsa.com); Rijndael from Joan Daemen and Vincent Rijmen; Serpent from
Ross Anderson, Eli Biham, and Lars Knudsen; and Twofish from Counterpane
Internet Security (www.counterpane.com)." 

http://www.linuxsecurity.com/articles/general_article-738.html

May 25th, 2000
Secure Deletion of Data

With the use of increasingly sophisticated encryption systems, an attacker
wishing to gain access to sensitive data is forced to look elsewhere for
information. One avenue of attack is the recovery of supposedly erased
data from magnetic media or random-access memory. This article covers some
of the methods available to recover erased data and presents schemes to
make this recovery significantly more difficult. 

http://www.linuxsecurity.com/articles/server_security_article-733.html

May 24th, 2000
PGP 5.0 Key Generation Flaw

A flaw has been found in the randomness gathering code of PGP 5.PGP 5
will, under certain well-defined circumstances, generatepublic/private key
pairs with no or only a small amount ofrandomness. Such keys are insecure.

http://www.linuxsecurity.com/articles/cryptography_article-724.html

May 23rd, 2000
European Union sets free export of encryption

The EU has reportedly decided that allowing the export of crypto is a good
thing, despite the best efforts of the US to prevent it. Even France
agrees. "But they can't any longer block the export. Companies are allowed
to export their encryption products without any interference of the
intelligence community." 

http://www.linuxsecurity.com/articles/cryptography_article-719.html

May 22nd, 2000
TurboLinux and RSA Security Align 

TurboLinux Inc., the high-performance Linux company, and RSA Security
Inc., the most trusted name in e-security, today announced that TurboLinux
has signed an agreement to license RSA Security software for use in its
e-commerce Linux operating system platform, TurboLinux Server 6.0. 

http://www.linuxsecurity.com/articles/vendors_products_article-711.html

May 22nd, 2000
Sony launches PKI compliant fingerprint-scanning technology

It would be great to know the state of the Linux support for this. See
http://www.linuxnet.com for more biometrics info. "Sony has launched a new
biometrics product, the FIU-700 fingerprint identification system. The
product is a credit card-size biometric device that provides both
authentication and data security. The company claims the product will help
make Internet transactions secure. The FIU-700 is a stand-alone
fingerprint verification device with PKI (public key infrastructure) key
generation to provide more security than other existing fingerprint
identification technologies." 

http://www.linuxsecurity.com/articles/vendors_products_article-710.html


------------------------------------------------------------------------

Vendors/Products/Tools:


May 27th, 2000
E-business Embraces PKI

"... many companies looking at public key infrastructure (PKI) technology.
PKI allows use of digital certificates to ensure the confidentiality and
integrity of data through encryption, control access through private keys,
authenticate documents via digital signatures, and ease completion of
business transactions." 

http://www.linuxsecurity.com/articles/cryptography_article-750.html

May 26th, 2000
Invest in security or pay the price, warns Gartner

Companies developing ebusiness applications should spend more time and
money on installing better security measures or risk facing high financial
losses, according to analysts at Gartner, speaking at the company's
Ebusiness and Internet Conference in Paris this week

http://www.linuxsecurity.com/articles/general_article-744.html

May 26th, 2000
Secure Web-2-WAP File Transfers 

Accessing the Web using WAP (Wireless Application Protocol)-enabled mobile
phones may be all the rage, but what about the security issues? While it
is possible to encrypt selected sections of the Web using a desktop PC
with conventional browser and Internet access facilities, WAP
microbrowsers are still where Web browsing was in the mid-1990s. Now
StoragePoint.com says it has come up with a security system that supports
secure Web-based file transfers with WAP-enabled mobile phones 

http://www.linuxsecurity.com/articles/network_security_article-746.html

May 24th, 2000
E-commerce software market gets open-source boost

OpenSales today announced the availability of their open source e-commerce
solution. "The software, called AllCommerce, lets companies such as
MyHome.com build online sales catalogs that can handle orders, keep track
of inventory and generate Web pages. It's open-source software, meaning
that anyone can use or modify it for free, and it competes with
better-known but proprietary software from companies such as Intershop and
InterWorld." 

http://www.linuxsecurity.com/articles/vendors_products_article-729.html

May 22nd, 2000
Dsniff v2.1 Released

Dsniff is a tool suite to audit your network. It includes tools for
sniffing cleartext protocols, ip redirection, mac flooding, so be careful!
The features include arpredirect, macof, tcpkill, tcpnice, dsniff,
mailsnarf, urlsnarf, webspy. The tool was written by dungsong@monkey.org 

http://www.linuxsecurity.com/articles/vendors_products_article-706.html

------------------------------------------------------------------------


General Community News:


May 26th, 2000
The Myth of Open Source Security

An author of the open source Mailman program explains why open source is
not as secure as you might think -- using security holes in his own code
as an example. 

http://www.linuxsecurity.com/articles/general_article-747.html

May 25th, 2000
Everything You Need to Know about Managed Security Services

"This is the latest in a series of free Webcast seminars for professionals
interested in learning about the latest technology and market trends on
implementing the "right" level of security for their e-business needs. In
this Webcast on managed security services, attendees will learn the
benefits of outsourcing security to a managed services provider and what
to look for when seeking one." 

http://www.linuxsecurity.com/articles/forums_article-737.html

May 24th, 2000
Experts lecture feds on cybersecurity

Hopefully this initiative will help to improve the number of cluefull
gov't folks. "Congressional funding to curtail cybercrime has been focused
on law enforcement and existing programs, but the real solution will come
from education, research and development programs, federal officials said
Tuesday." 

http://www.linuxsecurity.com/articles/general_article-728.html

May 23rd, 2000
Linux leaders: Beware of Napster

Piracy is bad," says Linus Torvalds, the creator of Linux, when asked
about the matter. "Of course you should be able to sue over copyrights.
The one good lawsuit in the whole Napster case is the one by Metallica: a
suit by the actual authors. While it's probably motivated mostly by money,
I can still at least hope that there is a strong feeling of morals there,
too." 

http://www.linuxsecurity.com/articles/forums_article-717.html


May 23rd, 2000
Who do we really Blame for Viruses?

More than 45,000 viruses infect PCs running the Windows operating system
worldwide. Several have caused billions of dollars in damage in the past
12 months. Hundreds more viruses appear each year, requiring armies of
anti-virus programmers to isolate and kill the offending bugs. By
contrast, perhaps 35 viruses have been written for the Macintosh and four
or five for the Unix-based computers that run most Web sites, says Eugene
Spafford, director of the Computer Operations, Audit and Security
Technology lab at Purdue University. This, a growing chorus of security
experts say, is not happenstance 

http://www.linuxsecurity.com/articles/general_article-716.html

May 22nd, 2000
Computer 'shrinkwrap' license binding

I'll never forget my management stating they wouldn't use Linux because
there was no one to sue. I think this story tosses that argument out the
window. "In a 7-2 decision yesterday, the court rejected a construction
firm's claim that a software maker should be liable for $1.95 million in
losses the company says were caused by a bad computer program. The court
said the agreement enclosed in the packaging protected the software firm
from liability, even if the construction company never read it." 

http://www.linuxsecurity.com/articles/general_article-713.html

May 22nd, 2000
Without Peer: Open Source Security

Open source code is not infallible. It is prone to some of the glitches
that plague its commercial counterpart. Yet, at the same time, it contains
a number of safeguards and checks against any one person's mistake being
carried too far. The recent incident in which Red Hat included a default
log-in for its Piranha clustering modules - raising security concerns
about the product - illustrates the point. Lead developer Philip Copeland
complained in an online diary that "the Piranha package was literally
nailed together a day before the CD had to be finalised, so there was less
than 24 hours for other people to review the code." Red Hat Linux 6.2
included parts that were rushed together at the last minute, something
like a commercial product being stamped out on deadline. But Copeland's
complaint contains the clue to the cure: "other people to review the
code." 

http://www.linuxsecurity.com/articles/projects_article-707.html

May 22nd, 2000
The Value of Open Source

Here is an interesting article discussing the value of Open Source. "Let's
start by saying one thing: Value is relative. What's priceless to me is
worthless to you (and vice versa), so it really changes the question of
value to one of relevance, not actual worth. Does a car have value? Sure,
if you have gas. Without, it's just a heavy, cramped room. Without, you'd
trade it for a hamburger 

http://www.linuxsecurity.com/articles/general_article-708.html