Linux Security Magazine June 5, 2000. In this issue - Articles: An Introduction to IP Masquerading - Part 2, Firewall placement, Cracked! Part 4: The Sniffer, Who's Sniffing Your Network?, Update: Blocking "Killer Resume", Buffer Overrun Vulnerabilities in Kerberos, popa3d v0.4 contributed Kerberos, Linux Deleted File Recovery Tool, Mission Critical Linux, and Domain Hijacking Raises Security Issue. Advisories: RedHat Majordomo, Turbolinux users can view shadowed password file, PGP 5.0 Key generation weakness, SuSE kmulti local root compromise, Mandrake kdesu vulnerability, NetBSD Local "cpu-hog" denial of service, NetBSD SysV semaphore denial-of-service, NetBSD /etc/ftpchroot parsing broken, NetBSD Exploitable Vulnerability in Xlockmore, OpenBSD Xlockmore vulnerability, OpenBSD ipf vulnerability.
+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| June 5, 2000 Volume 1, Number 6 |
| |
| Editorial Team: Dave Wreski dave@linuxsecurity.com |
| Benjamin Thomas ben@linuxsecurity.com |
+---------------------------------------------------------------------+
Greetings! We would like to take a moment to thank our readers for all of
your support. The response has been tremendous for both our newsletter
and website, LinuxSecurity.com. If you have any suggestions regarding the
website, newsletter, or anything else, please let us know! We are here to
serve the open-source community; your voice should be heard.
In the news, a few good articles were released. A few of my favorites
included "Cracked! Part 4: The Sniffer", "The Shell Game", and "Who's
Sniffing Your Network?" 'Cracked!' and 'Who's Sniffing Your Network?' are
both about the use of packet sniffers. While they take different
approaches to explaining the topic, both are interesting to read. The Shell
Game explains the rationale for SSH and using encrypted communications.
Take a moment to treat yourself to these three articles.
Last week, the major topic of concern was The Top 10 System Security
Threats released by SANS. Articles such as "FBI, DOJ issue list of worst
Internet threats" and "IT, Company Execs Add To Security Holes" spawned from
SANS' initial release.
This list should be familiar to most of you. If you are unaware of any of
the ten problems listed in the report, be sure to educate yourself and
your users about these potential threats. In a few instances, I saw the
mainstream media portray this as "SANS is revealing the hacker's secrets."
This really isn't the case. I think it is a wake-up call for us all.
Many of us like to romanticize system intrusions by thinking of them as
being "clever", while in reality, almost all of the intrusions that occur
are a direct result of administrators not taking the proper steps to
maintain a secure system. Want a real challenge? Try to crack a properly
secured Linux system. "Security is a Process, Not a Single Solution." Take
time each day to address security issues. This should be done by
developing a security policy, patching your system, and helping others
gain a better security awareness.
Last week's feature was an interview with Frank van Vliet. He is the
author of AuditFile, many security advisories, and recently pointed out
configuration errors on apache.org. In the interview, Frank explains how
he audits a system's security, major pitfalls administrators fall into, and
how he attempts to uncover bugs. We believe that everyone can learn
something from this interview.
Also recently added to the site is the WebTrends Security Analyzer. The
WebTrends Security Analyzer has the most vulnerability tests for Red Hat &
VA Linux. Using advanced agent-based technology, you can scan your Linux
servers from your Windows NT/2000 console and protect them against
potential threats. Now with over 1,000 tests available.
http://www.webtrends.com/redirect/linuxsecurity1.htm
Thank you for reading LinuxSecurity.com's weekly security newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's most relevant Linux security headlines and system advisories.
It is distributed each Monday by Guardian Digital, Inc.
Would you like to contribute to this newsletter? We'd love to hear from
you. Email newsletter-admins@linuxsecurity.com with comments, suggestions,
or information on projects you're working on. To subscribe, send an email
to newsletter-subscribe@linuxsecurity.com with "subscribe" in the subject.
Editorial Team:
Dave Wreski dave@linuxsecurity.com
Benjamin Thomas ben@linuxsecurity.com
Linux Security Week Index:
Advisories:
May 31st, 2000 - RedHat 6.1: New majordomo package available
May 30th, 2000 - TurboLinux: users can view shadowed password file
May 30th, 2000 - PGP 5.0: Key generation weakness
May 29th, 2000 - SuSE: kmulti local root compromise
May 29th, 2000 - Mandrake: kdesu vulnerability
May 29th, 2000 - NetBSD: Local "cpu-hog" denial of service
May 29th, 2000 - NetBSD: SysV semaphore denial-of-service
May 29th, 2000 - NetBSD 1.4.2: /etc/ftpchroot parsing broken
May 29th, 2000 - NetBSD: Exploitable Vulnerability in Xlockmore
May 29th, 2000 - OpenBSD: Xlockmore vulnerability
May 29th, 2000 - OpenBSD 2.7: ipf vulnerability
Firewall News:
June 2nd, 2000 - An Introduction to IP Masquerading - Part 2
May 30th, 2000 - Firewall placement
Linux Host Security:
June 4th, 2000 - Just Linux.com: From the Desktop
June 2nd, 2000 - CERT Vulnerability Summary
June 1st, 2000 - Cracked! Part 4: The Sniffer
May 31st, 2000 - SANS Top 10 Threats
May 29th, 2000 - IPv6 wins support as multimedia protocol
Linux Server Security:
June 4th, 2000 - Who's Sniffing Your Network?
May 31st, 2000 - Update: Blocking "Killer Resume"
May 31st, 2000 - Buffer Overrun Vulnerabilities in Kerberos
May 30th, 2000 - popa3d v0.4 contributed Kerberos
Cryptography:
June 1st, 2000 - Making an Unbreakable Code
May 31st, 2000 - The Shell Game
May 29th, 2000 - Maths prize could revolutionise encryption
May 29th, 2000 - Life in an Era of Cryptographic Abundance
May 29th, 2000 - Can IPv6 replace SSL?
Vendors/Products/Tools:
June 2nd, 2000 - Retina™ The Network Security Scanner
June 2nd, 2000 - Information on SANS Security DC2000
June 1st, 2000 - Linux Deleted File Recovery Tool
May 31st, 2000 - Nmap 2.53 Released
May 30th, 2000 - Mission Critical Linux
General Community News:
June 3rd, 2000 - Domain Hijacking Raises Security Issue
June 2nd, 2000 - IT, Company Execs Add To Security Holes
June 2nd, 2000 - Hackers' favorite security holes revealed
June 2nd, 2000 - Security holes going unpatched
May 31st, 2000 - Should We Hack back?
May 31st, 2000 - Internet to Transmit "Notarized" Documents
May 30th, 2000 - Privacy Looters
May 30th, 2000 - Striking a Blow for Privacy
May 30th, 2000 - Spring cleaning tips for managers
May 30th, 2000 - Cross-Company Applications Open Up Security
May 30th, 2000 - Senate hears computer export control arguments
Advisories this Week:
May 31st, 2000
RedHat 6.1: New majordomo package available
A vulnerability in /usr/lib/majordomo/resend and
/usr/lib/majordomo/wrapper will allow execution of arbitrary commands with
elevated privileges.
http://www.linuxsecurity.com/advisories/advisory_documents/redhat_advisory-460.html
May 30th, 2000
TurboLinux: local users can view shadowed password file
"The xlock program locks an X server until a valid password is entered.
The command line option -mode provides a user with a mechanism to change
the default display shown when the X server is locked. xlock is installed
with privileges to obtain password information, although these are dropped
as early as possible. An overflow in the -mode command line option allows
a malicious attacker to reveal arbitrary portions of xlock's address space
including the shadow password file."
http://www.linuxsecurity.com/advisories/advisory_documents/turbolinux_advisory-459.html
May 30th, 2000
PGP 5.0: Key generation weakness
During a recent review of our published PGP 5.0 for Linux source code,
researchers discovered that under specific, rare circumstances PGP 5.0 for
Linux will generate weak, predictable public/private keypairs.
http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-461.html
May 29th, 2000
SuSE: kmulti local root compromise
The KDE CD player kscd is setgid disk to be able to access the device file
of the CDROM. To perform some action kscd calls the unix command shell
specified in the environment variable SHELL with the privileges of group
disk.
http://www.linuxsecurity.com/advisories/advisory_documents/suse_advisory-452.html
May 29th, 2000
Mandrake: kdesu vulnerability
Problem: A vulnerability in kdesud will allow any user to exploit a buffer
overflow. This user then can have a root group access on the machine, by
exploiting a bug in the kdesud program.
http://www.linuxsecurity.com/advisories/advisory_documents/mandrake_advisory-451.html
May 29th, 2000
NetBSD: Local "cpu-hog" denial of service
Untrusted local processes can hog cpu and kernel memory by tricking the
kernel into running exclusively on their behalf, denying other processes
the CPU.
http://www.linuxsecurity.com/advisories/advisory_documents/netbsd_advisory-454.html
May 29th, 2000
NetBSD: SysV semaphore denial-of-service
An undocumented system call permits any user process to lock up the entire
semaphore subsystem, preventing processes using semaphores from locking or
unlocking them, and preventing processes holding semaphores from exiting.
http://www.linuxsecurity.com/advisories/advisory_documents/netbsd_advisory-455.html
May 29th, 2000
NetBSD 1.4.2: /etc/ftpchroot parsing broken
A fix which attempted to make ftpd's parsing of /etc/ftpusers more robust
was incorrect, and broke parsing of /etc/ftpchroot, allowing users listed
in /etc/ftpchroot access to files outside their home directory.
http://www.linuxsecurity.com/advisories/advisory_documents/netbsd_advisory-453.html
May 29th, 2000
NetBSD: Exploitable Vulnerability in Xlockmore
The advisory outlines how xlock can be manipulated to print the shadow
password information even though it drops root privileges before an
overflow occurs.
http://www.linuxsecurity.com/advisories/advisory_documents/netbsd_advisory-456.html
May 29th, 2000
OpenBSD: Xlockmore vulnerability
xlockmore has a localhost attack against it which allows recovery of the
encrypted hash of the root password. The damage to systems using DES
passwords from this attack is pretty heavy, but to systems with a
well-chosen root password under blowfish encoding (see crypt(3)) the
impact is much reduced.
http://www.linuxsecurity.com/advisories/advisory_documents/openbsd_advisory-458.html
May 29th, 2000
OpenBSD 2.7: ipf vulnerability
A misuse of ipf(8) keep-state rules can result in firewall rules being
bypassed. This patch also includes fixes for an unaligned timestamp issue,
and reliability fixes for ipmon and the in-kernel ftp proxy. A jumbo patch
exists, which remedies this problem, and updates ipf to version 3.3.16.
http://www.linuxsecurity.com/advisories/advisory_documents/openbsd_advisory-457.html
Firewall News:
June 2nd, 2000
An Introduction to IP Masquerading - Part 2
In mid-May, Linux.com released Part 1 - 'An Introduction to IP
Masquerading.' Here is the 2nd and final part of this article. "Now that
relatively high-bandwidth Internet connections are becoming both
commonplace and inexpensive, cable modem and DSL users wanting to put more
than one computer on the Internet find that their Internet service
provider will not allow them to do so. Typically, an ISP will grant a user
a single, dynamically-allocated IP address to be used by only one computer
at the user's home, in order to conserve their precious pool of IP
addresses."
http://www.linuxsecurity.com/articles/firewalls_article-788.html
May 30th, 2000
Firewall placement
".. We are linking our company to the Internet, and we are discussing the
placement of the firewall. I feel that the firewall should reside in-house
for the best security; others want to put the firewall at our ISP and run
a point-to-point T-1 between us. Although the risk is small, I think there
is a risk of having an unprotected circuit between us and the firewall. Am
I off-base?"
http://www.linuxsecurity.com/articles/firewalls_article-763.html
Linux Host Security:
June 4th, 2000
Just Linux.com: From the Desktop
Here is a pretty good article; you'll find the most relevant Linux
information midway down... "The biggest security problem with Linux is its
ability to run multiple processes with relative ease and giving certain
users a lot of access to these processes. Those of you new to Linux might
be scratching their heads since it looks like I just indicated one of
Linux's biggest strengths."
http://www.linuxsecurity.com/articles/host_security_article-797.html
June 2nd, 2000
CERT Vulnerability Summary
"Each quarter, the CERT Coordination Center issues the CERT Summary to
draw attention to the types of attacks reported to our incident response
team, as well as other noteworthy incident and vulnerability information.
The summary includes pointers to sources of information for dealing with
the problems."
http://www.linuxsecurity.com/articles/forums_article-787.html
June 1st, 2000
Cracked! Part 4: The Sniffer
Noel continues the story of when some Unix boxes that he helped admin were
cracked. This article tells how they found the sniffer that the cracker
was running on their network and what they did next. "We had thousands of
logins each day from a large selection of places all over the world. Many
of these users then connected to other systems using telnet or FTP. Each
time one of our users connected to a system somewhere else the cracker had
a new door that he could open. A new system that he could crack or just
use to store things. To run his port redirector all he needed was a
regular user account on a machine and then he had a new system to cover
his tracks with."
http://www.linuxsecurity.com/articles/intrusion_detection_article-781.html
May 31st, 2000
SANS Top 10 Threats
The System and Network Security group is meeting with several key
players in the information security arena on Friday to discuss and outline
the 10 top security threats. "Tomorrow (June 1) the FBI, Justice
Department, GSA, the CIAO and CERT/CC will join with SANS and two dozen
leading security gurus to unveil the Top Ten Security Threats on the
Internet. These are vulnerability clusters that account for the majority
of all successful attacks. At noon (EST) on Thursday, you'll find the Top
Ten posted at
http://www.linuxsecurity.com/articles/projects_article-773.html
May 29th, 2000
IPv6 wins support as third-generation multimedia protocol
"... The proposal, which paves the way to make IPv6 the standard protocol
in third-generation mobile multimedia networks, was accepted this week in
a plenary session of the system architecture group of the 3GPP
(Third-Generation Partnership Project), Nokia said in a statement."
http://www.linuxsecurity.com/articles/network_security_article-757.html
Linux Server Security:
June 4th, 2000
Who's Sniffing Your Network?
This Linux.com article talks about a few of the sniffer tools that are
available, and what can be done to detect their presence. "Sniffers
represent a high level of risk because: they can capture passwords; they
can capture confidential or proprietary information; and they can be used
to breach security of neighboring networks, or gain leveraged access."
http://www.linuxsecurity.com/articles/intrusion_detection_article-798.html
May 31st, 2000
Update: Blocking "Killer Resume"
Jose Nazario has updated the .cf/.mc patch on his mirror site to include
"Killer Resume" and was kind enough to share the fix with us. The patch,
designed to block the ILOVEYOU worm and related worm/virus medleys, works
on sendmail 8.9.x and above using the subject line checking options
available.
http://www.linuxsecurity.com/articles/server_security_article-770.html
May 31st, 2000
CIAC Revision: Buffer Overrun Vulnerabilities in Kerberos
The CERT Coordination Center has recently been notified of several buffer
overflow vulnerabilities in the Kerberos authentication software. The most
severe vulnerability allows remote intruders to gain root privileges on
systems running services using Kerberos authentication. If vulnerable
services are enabled on the Key Distribution Center (KDC) system, the
entire Kerberos domain may be compromised.
http://www.linuxsecurity.com/articles/security_sources_article-769.html
May 30th, 2000
popa3d v0.4 contributed Kerberos
"Dug Song has contributed Kerberos v4 (KPOP) and APOP authentication
patches for popa3d v0.4. I've mirrored them into popa3d/contrib on the FTP
and added links to the popa3d page at the usual location:
http://www.openwall.com/popa3d/ "
http://www.linuxsecurity.com/articles/network_security_article-758.html
Cryptography:
June 1st, 2000
Making an Unbreakable Code
This article talks about the need for encryption. Email, e-commerce,
digital cash, the NSA's Echelon Project all lead to reasons why crypto is
necessary. "... more and more of our private communications are being
routed through electronic channels. Channels like e-mail are simply too
easy to intercept and scan for interesting keywords. This can be done
routinely, automatically, and imperceptibly on a very large scale."
http://www.linuxsecurity.com/articles/cryptography_article-776.html
May 31, 2000
The Shell Game
This article explains the need and rationale for Secure SHell, an
encrypted communications channel which functions as a telnet replacement,
and also guides you through the process of installing and using SSH on
your own system.
http://www.linuxsecurity.com/articles/network_security_article-772.html
May 29th, 2000
Maths prize could revolutionise encryption
A £3.6m mathematics competition announced Wednesday could spark a
revolution in computer security and online privacy, experts believe. The
competition is sponsored by the Clay Mathematics Institute in the US and
was revealed at the Millennium Mathematics Conference in France. Entrants
must tackle some of the world's most perplexing unsolved mathematical
problems including the Riemann Hypothesis.
http://www.linuxsecurity.com/articles/cryptography_article-756.html
May 29th, 2000
Life in an Era of Cryptographic Abundance
In the Palo Alto area on June 20th? Xerox PARC is holding a free
conference on the abundance of cryptography. "It seems clear to some that
by 2010 cryptographic operations of all sorts will be as cheap and as
plentiful as dirt, and that they will be as unremarkable then as IP stacks
have become today. How will things be different in the coming era of
abundant cryptography? How will our children keep a secret? What new
businesses will arise?"
http://www.linuxsecurity.com/articles/forums_article-755.html
May 29th, 2000
Can IPv6 replace SSL?
Reto Haeni has written this paper that gives a brief overview of the
features of IPv6 and discusses its security specifications. In the later
sections of the paper, he compares the security specifications of IPv6 to
one of today's available security protocols, SSL (Secure Sockets Layer).
http://www.linuxsecurity.com/articles/network_security_article-754.html
Vendors/Products/Tools:
June 2nd, 2000
Retina The Network Security Scanner
"Retina is a network security scanner and monitor that helps discover and
fix all known security vulnerabilities on your Internet, Intranet and
Extranet systems. Retina includes easy to navigate reporting tools to help
you prioritize and isolate high priority fixes giving you total control
over auditing your network security and open gateways to your internal
network."
http://www.linuxsecurity.com/articles/vendors_products_article-792.html
June 2nd, 2000
Information on SANS Security DC2000
SANS Security DC2000 will be here July 5-10th, 2000. It is located at the
JW Marriott Hotel in Washington DC. SANS will provide "In-depth training
for people interested in developing skills and confidence as technical
security professionals." The training includes security essentials,
intrusion detection, firewalls, and Linux security.
http://www.linuxsecurity.com/articles/organizations_events_article-789.html
June 1st, 2000
WetStone & SM&A Release Linux Deleted File Recovery Tool
WetStone Technologies, Inc. and SM&A are announcing the release of
Extractor, a Linux RedHat deleted file recovery tool. The technology will
assist law enforcement, government and commercial organizations in
retrieving maliciously or accidentally deleted files within a Linux
environment.
http://www.linuxsecurity.com/articles/vendors_products_article-784.html
May 31st, 2000
Nmap 2.53 Released
The latest version of nmap, a utility for port scanning networks, has been
released. This tool should be in everyone's security arsenal. "The main
addition is IP Protocol scan mode (-sO) which tells you what protocols the
host allows over IP (such as TCP, UDP, IGMP, ICMP, SWIPE, EGP, etc). This
release also includes some minor fixes & enhancements."
http://www.linuxsecurity.com/articles/network_security_article-775.html
May 30th, 2000
Mission Critical Linux
In the following interview with company president, CEO and founder Moiz
Kahari, conducted as he was preparing to speak at the European Linux@Work
Conference, the E-Commerce Times explores all things Linux and the
operating system's role in the future of e-commerce.
http://www.linuxsecurity.com/articles/forums_article-762.html
General Community News:
June 3rd, 2000
Domain Hijacking Raises Security Issue
web.net and bali.com were stolen from their rightful owners last week. "In
spite of a recent May 5th U.S. district court decision which declared that
domain names are not property, and hence, can't be "stolen," domain
thieves last weekend successfully hijacked two web site/domains from their
rightful owners."
http://www.linuxsecurity.com/articles/general_article-796.html
June 2nd, 2000
IT, Company Execs Add To Security Holes
The SANS threat list has become the focus this week. "The majority of
successful attacks on computer systems via the Internet can be traced to
exploitation of one of a small number of security flaws, SANS said. Most
of the systems compromised in the Solar Sunrise Pentagon hacking incident
were attacked through a single vulnerability. A related flaw was exploited
to break into many of the computers later used in massive
denial-of-service attacks."
http://www.linuxsecurity.com/articles/network_security_article-795.html
June 2nd, 2000
Hackers' favorite security holes revealed
More on the recent SANS report. "'Many of the vulnerabilities on that list
are well-known vulnerabilities that everyone knows about,' said Sean
Hernan, team leader for vulnerability handling at the Computer Emergency
Response Team (CERT) Coordination Center at Carnegie Mellon University and
one of more than 40 contributors to the report."
http://www.linuxsecurity.com/articles/network_security_article-794.html
June 2nd, 2000
Security holes going unpatched
The CIO Council is asking every federal chief information officer to find
and fix the lapses that made a top 10 list of critical Internet security
threats. The list, released Thursday, includes problems that have
solutions, but the solutions have not been put in place by federal systems
administrators. So agency World Wide Web sites keep getting hacked, and
agencies keep ending up in the news after being hit by attacks that should
not have happened, said Alan Paller, director of research at the SANS
Institute, a group of federal, industry and academic experts that
coordinated the list.
http://www.linuxsecurity.com/articles/projects_article-793.html
May 31st, 2000
Should We Hack back?
To retaliate or not to retaliate? In cyberspace, there is no simple
answer. ... Most IT professionals interviewed for this story said they
would not strike back in cyberspace, for fear of hitting an innocent
bystander. But they're not averse to taking some action when they're sure
of the perpetrator's identity.
http://www.linuxsecurity.com/articles/general_article-777.html
May 31st, 2000
Internet to Transmit "Notarized" Documents
The 150,000-member National Notary Association (NNA) announced Friday that
it would be introducing a "new and revolutionary" method to send secure,
authenticated documents via the Internet. The formal introduction of what
the NNA said was "groundbreaking" technology is scheduled to take place
during the 22nd Annual National Notary Association Conference that will
take place next month in Las Vegas.
http://www.linuxsecurity.com/articles/general_article-767.html
May 30th, 2000
Privacy Looters
A new law that lets banks, insurers, and brokerage houses merge and share
your personal data has frightening implications for consumers. Your
insurance company can now find out that you use your credit card to buy
lots of big boxes of chocolate and bottles of wine. Never mind that these
gifts were for business clients. Suddenly, your health and car insurance
premiums rise because the company's actuarial computers think you're more
likely to drive drunk or have a heart attack from eating all that
chocolate.
http://www.linuxsecurity.com/articles/general_article-766.html
May 30th, 2000
Striking a Blow for Privacy
ComputerCurrents reviews Simson Garfinkel's new book, "Database Nation".
"Privacy? The very rich still can buy it. For the rest of us, however,
it's almost dead. This is not news, Garfinkel concedes in his heavily
researched, well-written study. Still, "Database Nation" dramatically
chronicles a growing range of threats against information once considered
personal, such as buying habits, credit histories, medical records, and
telephone records."
http://www.linuxsecurity.com/articles/documentation_article-765.html
May 30th, 2000
Spring cleaning tips for managers
If your agency deals in classified or sensitive information, you probably
wage an ongoing war against Internet hackers. The danger isn't so much
from hackers' creativity as much as it's due to managers' failures to seal
security holes, establish policies for information sharing on intranets
and public Web sites, and protect the data physically.
http://www.linuxsecurity.com/articles/network_security_article-759.html
May 30th, 2000
Cross-Company Applications Open Up Security
The profusion of supply chain and other applications that involve data
sharing between companies raises a number of security issues IT managers
must sort through, including the ability of current security products to
filter based on specific application and data types.
http://www.linuxsecurity.com/articles/host_security_article-760.html
May 30th, 2000
Senate hears computer export control arguments
Efforts to ease Cold War export controls on high-performance computers
could sacrifice national security interests for business gains, experts
told a Senate hearing today. But an industry representative disagreed,
saying change is essential if computer companies are to compete in a
rapidly changing marketplace.
http://www.linuxsecurity.com/articles/general_article-761.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------