+---------------------------------------------------------------------+
| LinuxSecurity.com                                 Weekly Newsletter |
| May 22, 2000                                     Volume 1, Number 4 |
|                                                                     |
| Editorial Team: Dave Wreski                  dave@linuxsecurity.com |
|                 Benjamin Thomas               ben@linuxsecurity.com |
+---------------------------------------------------------------------+

Greetings!

Welcome to yet another edition of Linux Security Week. Last week was
certainly an active week for LinuxSecurity.com. Beginning last Monday, ten
different advisories were released. Two were attributed to the Lynx
vulnerability, two covered Kerberos, and the others ranged from PAM
vulnerabilities to a Netscape fix. We recommend that you take a little
extra time this week to review all of the new advisories. As always, if
you have any questions, please feel free to contact us.

After the 'LoveBug' hype cooled off, the news has remained steady.
Security issues seem to be getting more and more attention from the
mainstream media. Hopefully all of this attention will cause a greater
number of computer users to be security conscious.

This week, a few interesting papers were released. "Watching Your Logs",
"Apache: The Definitive Guide", and "Security Scanners for Linux" are
definite reads. "Watching Your Logs", by Lance Spitzner, discusses various
ways to automate log filtering. It is easy to read and covers a broad
range of information. "Apache: The Definitive Guide" is an excerpt from
the 2nd edition of the book. "Security Scanners for Linux" outlines
different scanners to help harden a Linux system. We hope you find these
papers enjoyable, and have a great week.

Thank you for reading LinuxSecurity.com's weekly security newsletter. The
purpose of this document is to provide our readers with a quick summary of
each week's most relevant Linux security headlines and system advisories.
It is distributed each Monday by Guardian Digital, Inc.

Would you like to contribute to this newsletter? We'd love to hear from
you.
Email newsletter-admins@linuxsecurity.com with comments, suggestions, or
information on projects you're working on.

To subscribe, send an email to newsletter-admins@linuxsecurity.com with
"subscribe" in the subject.

Editorial Team:  Dave Wreski       dave@linuxsecurity.com
                 Benjamin Thomas   ben@linuxsecurity.com

Linux Security Week Index:

Advisories:

May 19th, 2000 - Slackware users, Upgrade lynx!
May 19th, 2000 - Netscape 4.73 packages are available
May 19th, 2000 - BUFFER OVERRUN VULNERABILITIES IN KERBEROS
May 18th, 2000 - Several problems in xemacs
May 17th, 2000 - (re) gnapster/knapster - remote users to view local files
May 17th, 2000 - Lynx ports contain numerous buffer overflows
May 17th, 2000 - SUSE Kernel Vulnerability
May 17th, 2000 - OpenLDAP 1.2.9 and earlier Vulnerability
May 17th, 2000 - Updated Kerberos 5 packages
May 15th, 2000 - TurboLinux pam-0.70-2

Firewall News:

May 17th, 2000 - An Introduction to IP Masquerading - Part 1

Linux Host Security:

May 18th, 2000 - Security Beyond the Garden of Eden
May 18th, 2000 - The Plausibility of UNIX Virus Attacks
May 18th, 2000 - Unix's poor Internet Security Reputation?
May 17th, 2000 - Watching Your Logs
May 17th, 2000 - And The Loser Is ...
May 16th, 2000 - Security Scanners for Linux

Linux Server Security:

May 20th, 2000 - Best Practices in Network Security
May 19th, 2000 - Updated CERT Advisory on Kerberos Vulnerabilities
May 19th, 2000 - Kerberos In The Legal Limelight
May 19th, 2000 - Apache: The Definitive Guide
May 18th, 2000 - Obscurity as Security
May 16th, 2000 - Guide to Home Networking
May 16th, 2000 - New DDoS tools developed
May 15th, 2000 - BUGTRAQ Vulnerability Database Statistics

Cryptography News:

May 16th, 2000 - SSH: Secure Administration to Virtual Private Networking
May 16th, 2000 - Call For Papers
May 15th, 2000 - Crypto-Gram May 15
May 15th, 2000 - Snake Oil Warning Signs

Vendors/Products/Tools:

May 18th, 2000 - Secrecy for Everyone, as Encryption Goes to Market
May 17th, 2000 - OpenBSD perfects security by one-upmanship
May 17th, 2000 - Nessus 1.0 Released
May 15th, 2000 - Intel releases security implementation

General Community News:

May 20th, 2000 - Improving Reliability and Security of the Internet
May 20th, 2000 - Kerberos Loophole May Close Around Microsoft's Neck
May 17th, 2000 - Phone Phreaks to Rise Again?
May 16th, 2000 - Security draws extra millions
May 15th, 2000 - Mom, I Clustered My Servers!

Advisories this Week:

May 19th, 2000
Slackware users, Upgrade lynx!

A new Lynx package is available in the Slackware-current tree. Users of
Slackware 7.0 and -current are urged to upgrade to this version. Versions
of Lynx prior to 2.8.3pre.5 contained numerous security holes which could
permit a malicious server to execute arbitrary code on the user's system.
This version was heavily audited by the Lynx team before release.
http://www.linuxsecurity.com/advisories/advisory_documents/slackware_advisory-435.html

May 19th, 2000
Netscape 4.73 packages are available

Netscape 4.73 packages are available. These new packages fix bugs in SSL
certificate validation; these bugs could allow for the compromising of
encrypted SSL sessions.
http://www.linuxsecurity.com/advisories/advisory_documents/redhat_advisory-434.html

May 19th, 2000
BUFFER OVERRUN VULNERABILITIES IN KERBEROS

Serious buffer overrun vulnerabilities exist in many implementations of
Kerberos 4, including implementations included for backwards compatibility
in Kerberos 5 implementations. Other less serious buffer overrun
vulnerabilities have also been discovered. ALL KNOWN KERBEROS 4
IMPLEMENTATIONS derived from MIT sources are believed to be vulnerable.
http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-430.html

May 18th, 2000
Several problems in xemacs

Under some circumstances, users are able to snoop on other users'
keystrokes. This is a serious problem if you use modules that require
input of passwords, such as MailCrypt.
http://www.linuxsecurity.com/advisories/advisory_documents/caldera_advisory-432.html

May 17th, 2000
(re) gnapster/knapster - remote users to view local files

The gnapster port (version 1.3.8 and earlier) and the knapster port
(version 0.9 and earlier) contain a vulnerability which allows remote
napster users to view any file on the local system which is accessible to
the user running gnapster/knapster. Gnapster and knapster do not run with
elevated privileges, so only the user's regular filesystem access
permissions are involved.
http://www.linuxsecurity.com/advisories/advisory_documents/freebsd_advisory-428.html

May 17th, 2000
Lynx ports contain numerous buffer overflows

Versions of the lynx software prior to version 2.8.3pre.5 were written in
a very insecure style and contain numerous potential and several proven
security vulnerabilities (publicized on the BugTraq mailing list)
exploitable by a malicious server.
http://www.linuxsecurity.com/advisories/advisory_documents/freebsd_advisory-427.html

May 17th, 2000
SUSE Kernel Vulnerability

The masquerading feature in the Linux kernel has a vulnerability in the
UDP and FTP masquerading code which allows arbitrary backward connections
to be opened. Some denial-of-service problems were also found.
http://www.linuxsecurity.com/advisories/advisory_documents/suse_advisory-426.html

May 17th, 2000
OpenLDAP 1.2.9 and earlier Vulnerability

OpenLDAP follows symbolic links when creating files. The default location
for these files is /usr/tmp, which is a symlink to /tmp, which in turn is
a world-writable directory. A local user who can write to /tmp can
therefore plant a symlink at the expected file name and have OpenLDAP
create or overwrite a file of their choosing with the privileges of the
OpenLDAP process.
http://www.linuxsecurity.com/advisories/advisory_documents/caldera_advisory-429.html

May 17th, 2000
Updated Kerberos 5 packages

A number of possible buffer overruns were found in libraries included in
the affected packages. A denial-of-service vulnerability was also found in
the ksu program.
http://www.linuxsecurity.com/advisories/advisory_documents/caldera_advisory-433.html

May 15th, 2000
TurboLinux pam-0.70-2

Nobody says it like Dildog: "Both 'pam' and 'userhelper' (a setuid binary
that comes with the 'usermode-1.15' rpm) follow .. paths. Since pam_start
calls down to _pam_add_handler(), we can get it to dlopen any file on
disk. 'userhelper' being setuid means we can get root."
http://www.linuxsecurity.com/advisories/advisory_documents/turbolinux_advisory-400.html

Firewall News:

May 17th, 2000
An Introduction to IP Masquerading - Part 1

Now that relatively high-bandwidth Internet connections are becoming both
commonplace and inexpensive, cable modem and DSL users wanting to put more
than one computer on the Internet find that their Internet service
provider will not allow them to do so. Typically, an ISP will grant a user
a single, dynamically-allocated IP address to be used by only one computer
at the user's home, in order to conserve their precious pool of IP
addresses.
http://www.linuxsecurity.com/articles/firewalls_article-672.html

Linux Host Security:

May 18th, 2000
Security Beyond the Garden of Eden

For security-conscious IT managers, choosing between Linux and Windows NT
is like a return trip to the Garden of Eden. With security concerns rising
in the open source community, BeOpen recently interviewed two developers
who have taken two very different approaches to addressing those concerns.
Tom Vogt is a lead developer of Nexus, a "maximum security" Linux
distribution unveiled on May 9. Theo de Raadt is leader of the OpenBSD
project, a BSD offshoot that has built a reputation as one of the most
secure "out of the box" operating systems in the world. We asked both of
them about open source security issues and how they deal with them.
http://www.linuxsecurity.com/articles/host_security_article-689.html

May 18th, 2000
The Plausibility of UNIX Virus Attacks

This CyberSoft article talks about how possible it is to "contract" a UNIX
virus. "I am still amazed at the number of people who somehow believe that
UNIX is immune to software attack. Recently I was the subject of a heckler
at a conference in which I was speaking on this subject. It appears that
this is a subject that still angers some people so much that they become
obnoxious. Days later, a high level technical manager of a very savvy
firewall company made the statement that UNIX viruses don't exist and
thereby killed an opportunity to port VFind (VFind is a "virus scanner"
that executes on UNIX systems and searches for UNIX, MSDOS, Macintosh and
Amiga attack programs) directly to their firewall. I can only state that
those individuals who work hard and diligently at remaining ignorant of
the world around them have themselves as their most appropriate
punishment."
http://www.linuxsecurity.com/articles/host_security_article-688.html

May 18th, 2000
Unix's poor Internet Security Reputation?

Unix has an undeserved reputation for poor network security.
There is no inherent design defect in Unix that has led to this reputation
-- unless providing a rich collection of network services is considered a
security flaw. Close examination of the superior security claims of
proprietary system vendors reveals that they rest upon a dearth of
networking services and the infamous "security through obscurity" policy
-- a policy available only to products of limited market penetration. No
proprietary operating system compares favorably to Unix when the disparate
and widespread usage, along with the rich variety of network services, are
taken into account. As other operating systems come to compete with Unix
in the Internet server space, the difficulty of providing such services
with high levels of security will become ever more obvious.
http://www.linuxsecurity.com/articles/forums_article-684.html

May 17th, 2000
Watching Your Logs

In this article, Lance Spitzner talks about how to make the best use of
your system logs. "Determine what information you need out of your system
logs. The second step is to identify which logs contain that information.
The third step is identifying the trigger, what defines the critical
information?"
http://www.linuxsecurity.com/articles/host_security_article-678.html

May 17th, 2000
And The Loser Is ...

ZDNet has a few comments on the recent SecurityFocus research from bugtraq
data. "before the Linux fans start popping open their champagne bottles,
they'll be horrified to know that the different distributions' aggregate
problems almost matched NT and were much higher than other operating
systems covered such as the BSDs, Solaris and Windows 95/98."
http://www.linuxsecurity.com/articles/host_security_article-671.html

May 16th, 2000
Security Scanners for Linux

This paper discusses the different types of security scanners available
for Linux. "A scanner is a program that automatically detects security
weaknesses in a remote or local host."
Scanners are important to Internet security because they reveal weaknesses
in the network. System administrators can strengthen the security of their
networks by scanning them themselves.
http://www.linuxsecurity.com/articles/network_security_article-664.html

Linux Network Security:

May 20th, 2000
Best Practices in Network Security

In this article, Frederick M. Avolio discusses developing a security
policy, developing a security architecture, network security ground rules,
and much more. This is a really good article. "Developing a sound security
strategy involves keeping one eye on the reality of Internet-speed changes
in threats and technology, and the other on the reality of the corporate
environment. Purchasing security devices is easy. Knowing how and what to
protect and what controls to put in place is a bit more difficult. It
takes security management, including planning, policy development and the
design of procedures."
http://www.linuxsecurity.com/articles/network_security_article-704.html

May 19th, 2000
Updated CERT Advisory on Kerberos Vulnerabilities

The Computer Emergency Response Team has updated its advisory on the
recent Kerberos buffer overflow vulnerabilities. Most vendors have already
updated their packages to fix this vulnerability. "The most severe
vulnerability allows remote intruders to gain root privileges on systems
running services using Kerberos authentication. If vulnerable services are
enabled on the Key Distribution Center (KDC) system, the entire Kerberos
domain may be compromised."
http://www.linuxsecurity.com/articles/network_security_article-697.html

May 19th, 2000
Kerberos In The Legal Limelight

This article discusses the recent turmoil over the Slashdot postings
regarding Kerberos, and the modifications that Microsoft has made to the
Kerberos security protocol. "On Thursday, lawyers for Andover.Net, the
parent company of the Linux enthusiast site Slashdot, posted a response to
a legal challenge posed by Microsoft Corp.
lawyers last week over Kerberos. On the same day, the Massachusetts
Institute of Technology announced it was working with Apple Computer Inc.
to ensure availability of Kerberos for the forthcoming Mac OS X operating
system. And to top it all off, CERT warned of a Kerberos buffer overflow
that could result in severe security problems for certain
implementations."
http://www.linuxsecurity.com/articles/network_security_article-696.html

May 19th, 2000
Apache: The Definitive Guide

We are no more anxious to have unauthorized people in our computer than to
have unauthorized people in our house. In the ordinary way, a desktop PC
is pretty secure. An intruder would have to get physically into your house
or office to get at the information in it or to damage it. However, once
you connect a telephone line, it's as if you moved your house to a street
with 30 million close neighbors (not all of them desirable), tore your
front door off its hinges, and went out leaving the lights on and your
children in bed.
http://www.linuxsecurity.com/articles/documentation_article-693.html

May 18th, 2000
Obscurity as Security

This Slashdot article states, "Matthew Priestley has taken a break from
slaving for the man to write us a piece where he takes on the conventional
wisdom that Security through Obscurity isn't secure at all, and tries to
argue that sometimes it is. Click the link below to read it. Lots of
interesting stuff and some good examples. It's worth a read."
http://www.linuxsecurity.com/articles/forums_article-686.html

May 16th, 2000
Guide to Home Networking

This justlinux article discusses the security (or lack thereof) of a home
DSL connection, and how the author went about detecting the intruder.
"What I found in /dev/.oz was a real shocker. There were several binaries
with names like scan, sniff, fix and several others. I opened install.
... The hacker changed the index page for one website, so I take it down
and call the user to tell him to re-publish his site.
The other three sites were OK -- all three were PHP sites using pattern
files stored in unusual directories."
http://www.linuxsecurity.com/articles/host_security_article-667.html

May 16th, 2000
New DDoS tools developed

More information on the "mstream" DDoS attack tool. "A new distributed
denial-of-service (DDoS) tool found recently in computers at several
universities may be able to avoid defenses put up by Web sites after a
rash of DDoS attacks in February temporarily shut down eBay, Amazon.com
and others, said an executive with Computer Associates. The tool, called
"mstream," has been found at several universities, including the
University of Washington, where it was sitting in a computer running a
Linux operating system, said Alan Komet, a Computer Associates manager."
http://www.linuxsecurity.com/articles/network_security_article-663.html

May 15th, 2000
BUGTRAQ Vulnerability Database Statistics

Ever wanted to know which operating systems and applications have the most
reported security vulnerabilities? Are there more known vulnerabilities in
Windows NT or Linux? To find out, check out the BUGTRAQ Vulnerability
Database statistics page.
http://www.linuxsecurity.com/articles/server_security_article-658.html

Cryptography:

May 16th, 2000
SSH: Secure Administration to Virtual Private Networking

OpenSSH is an inexpensive improvement well worth the minimal effort
required to install and configure it. You can also use SSH to set up
simple "circuit level" VPNs. In this article, we take a hands-on look at
the two faces of SSH2: the open source *NIX implementation freely
available from OpenSSH, and a trio of commercial Windows clients sold by
F-Secure (formerly DataFellows), SSH Communications, and VanDyke
Technologies. We'll show you how to enable secure administration and
create a circuit-layer VPN with OpenSSH. We'll also illustrate
multi-vendor compatibility between OpenSSH and these three Windows
clients.
http://www.linuxsecurity.com/articles/cryptography_article-669.html

May 16th, 2000
Call For Papers

The Network and Distributed System Security Symposium is looking for
authors of papers on PKI, security policy, authentication, firewalls, and
a handful of other exciting topics.
http://www.linuxsecurity.com/articles/organizations_events_article-668.html

May 15th, 2000
Crypto-Gram May 15

Crypto-Gram is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on computer security and cryptography. This
month Bruce Schneier discusses ILOVEYOU, more on Microsoft Kerberos, and
what it's going to take before we learn from previous mistakes. "Security
is a process, not a product. Products provide some protection, but the
only way to effectively do business in an insecure world is to put
processes in place that recognize the inherent insecurity in the products.
The trick is to reduce your risk of exposure regardless of the products or
patches."
http://www.linuxsecurity.com/articles/cryptography_article-659.html

May 15th, 2000
Snake Oil Warning Signs

Why ``snake oil''? The term is used in many fields to denote something
sold without consideration of its quality or its ability to fulfill its
vendor's claims. This term originally applied to elixirs sold in traveling
medicine shows. The salesmen would claim their elixir would cure just
about any ailment that a potential customer could have. Listening to the
claims made by some crypto vendors, ``snake oil'' is a surprisingly apt
name. Superficially, it is difficult to distinguish snake oil from the
Real Thing: all encryption utilities produce garbled output. The purpose
of this document is to present some simple ``red flags'' that can help
you detect snake oil.
http://www.linuxsecurity.com/articles/cryptography_article-652.html

Vendors/Products/Tools:

May 18th, 2000
Secrecy for Everyone, as Encryption Goes to Market

"As president of Zero-Knowledge Systems, which builds privacy software,
Mr.
Hill has spoken at conferences around North America, espousing the credo
that a person's online movements are no one else's business. ... Many
companies have also published the code that lies behind their programs --
open-source code -- so that the programming can be reviewed by other
technical experts. Among those that have open-source philosophies are Hush
Communications, Zero-Knowledge, PrivacyX and Network Associates, which now
owns the P.G.P. software."
http://www.linuxsecurity.com/articles/cryptography_article-685.html

May 17th, 2000
OpenBSD perfects security by one-upmanship

Upside has a great article on the security merits of OpenBSD, the
operating system developed with security as a specific focus. "... when it
comes to OpenBSD, the open-source operating system that for the last three
years has built up a near-perfect track record for software security, it
shouldn't be too surprising that project leader Theo de Raadt espouses a
similarly reductionist design philosophy."
http://www.linuxsecurity.com/articles/projects_article-680.html

May 17th, 2000
Nessus 1.0 Released

The Nessus team is pleased to announce the availability of Nessus 1.0.
Nessus is a remote security scanner which has been developed over the
last two years. It is free, open-sourced (GPLed), and updated very
regularly.
http://www.linuxsecurity.com/articles/host_security_article-677.html

May 15th, 2000
Intel releases security implementation

Intel on Monday announced the release of the open-source specification and
reference implementation of its CDSA (Common Data Security Architecture)
version 2, release 3.0 through the company Web site. The security
specification will simplify the assignment of security technology to
networks and e-businesses that may not possess the security expertise to
deploy defenses without assistance, according to Terry Smith, CDSA
Marketing manager for Intel.
http://www.linuxsecurity.com/articles/vendors_products_article-660.html

General Community News:

May 20th, 2000
Improving Reliability and Security of the Internet

A group of leading Internet executives said today that cyber-related
problems like the ILOVEYOU virus are international in nature; therefore,
effective information security solutions must be pursued on an
international basis. The Global Internet Project (GIP) released a
statement at this week's G-8 conference in Paris to help both businesses
and governments prevent, detect and respond to cyber attacks.
http://www.linuxsecurity.com/articles/organizations_events_article-700.html

May 20th, 2000
Kerberos Loophole May Close Around Microsoft's Neck

The implications of Microsoft's proprietary "extensions" to Kerberos could
be pretty far-reaching. "As a legal wrangle develops over whether the
Linux/open-source news Web site Slashdot.org can post messages containing
what Microsoft calls a "trade secret," key members of the technical
standards community have lost patience with the software giant's assertion
of proprietary control over an open standard. At issue is a security
protocol called Kerberos, a mechanism that enables secure identity
authentication when users log on to a network. The version of Kerberos in
Windows 2000 exploits a loophole in the Internet standard specification
that was deliberately left open for customized versions."
http://www.linuxsecurity.com/articles/network_security_article-703.html

May 17th, 2000
Phone Phreaks to Rise Again?

Back before there were hackers, phreakers ruled the underground. They may
be making a comeback, to the chagrin of those on whom they prey. A
phreaker explores the telephone system. Some are just electronic voyeurs
who want to understand how telecom structure works.
http://www.linuxsecurity.com/articles/intrusion_detection_article-676.html

May 15th, 2000
Mom, I Clustered My Servers!
So, you've got this growing dot-com business in the basement of your home
(running on Linux, obviously), and need to make sure the website is up and
running at all times? You need a cluster.
http://www.linuxsecurity.com/articles/general_article-651.html

May 16th, 2000
Security draws extra millions

"The Senate last week responded to the growing menace of cyberattacks by
adding $76.8 million to the fiscal 2001 Defense authorization bill to
kick-start a new information security scholarship program and a security
institute."
http://www.linuxsecurity.com/articles/general_article-662.html
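The OpenLDAP advisory in this week's list describes the classic symlink
attack: a program creates a file at a predictable name inside a
world-writable directory, and open() follows whatever link an attacker left
there first. The program below is an added example, written for this
newsletter; it is not OpenLDAP code and is not taken from the advisory. It
stages the attack in a scratch directory under /tmp (the file name
slapd.tmp and the victim file are constructed for the demo) and runs the
create-or-truncate open() that writes through the planted link beside the
O_CREAT|O_EXCL|O_NOFOLLOW open() that refuses it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern: create-or-truncate a file at a predictable name.
 * open() follows a symlink sitting at that name, so in a world-writable
 * directory the attacker, not the program, decides where the write lands. */
int open_output_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL makes creation fail if anything already exists at the
 * name (POSIX requires this even when that something is a symlink), and
 * O_NOFOLLOW refuses a symlink as the final component.  A failure here is a
 * signal to abort, not a condition to retry by following the link. */
int open_output_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Stage the attack in a private scratch directory (constructed for the
 * demo): plant "slapd.tmp" as a symlink to "victim", then let the "daemon"
 * open slapd.tmp with both openers.  Returns 1 when the unsafe open created
 * the victim file through the link and the safe open refused, 0 otherwise. */
int simulate_symlink_attack(void)
{
    char dir[] = "/tmp/symlink-demo.XXXXXX";
    char link_path[256], victim_path[256];
    int fd, result = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(link_path, sizeof link_path, "%s/slapd.tmp", dir);
    snprintf(victim_path, sizeof victim_path, "%s/victim", dir);

    if (symlink(victim_path, link_path) == 0) {
        /* The attacker's link is in place; now the daemon writes its file. */
        fd = open_output_unsafe(link_path);
        int wrote_through_link = (fd >= 0 && access(victim_path, F_OK) == 0);
        if (fd >= 0)
            close(fd);

        errno = 0;
        fd = open_output_safe(link_path);
        int refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
        if (fd >= 0)
            close(fd);

        result = wrote_through_link && refused;
    }

    unlink(victim_path);
    unlink(link_path);
    rmdir(dir);
    return result;
}

int main(void)
{
    if (simulate_symlink_attack())
        puts("unsafe open wrote through the symlink; O_EXCL|O_NOFOLLOW refused it");
    else
        puts("demo could not be staged (is /tmp writable?)");
    return 0;
}
```

The refusal is the correct outcome. A daemon that needs scratch files
should not fall back to following the link; it should fail loudly, or
better, keep its files under a directory only it can write (mkdtemp(3)
with mode 0700) so that no name under /tmp is ever predictable to another
local user.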
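Two of this week's advisories are path-containment failures of the same
shape: gnapster/knapster serve any file the user can read to a remote
peer, and the PAM/userhelper issue quoted from Dildog turns a name
containing ".." into a path under a trusted directory that is then
dlopen()ed. The program below is an added example for this newsletter, not
code from either project or advisory, and the upstream fixes may differ
from it. It shows the two checks a practitioner would put in front of such
lookups: realpath(3)-based containment for a share root, which also catches
a symlink planted inside the share, and an allowlist for a single path
component such as a PAM service or module name. The directory layout under
/tmp (pub, secret, leak) is constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Decide whether a client-supplied relative name may be served from
 * share_root.  Both paths go through realpath(3), which expands ".", ".."
 * and symlinks against the real filesystem; the result must then be
 * share_root itself or a descendant of "share_root/".  Returns 1 and fills
 * resolved on success, 0 otherwise (a missing file makes realpath fail,
 * which is also a refusal). */
int path_within_share(const char *share_root, const char *requested,
                      char *resolved, size_t resolved_len)
{
    char root[PATH_MAX], joined[PATH_MAX], full[PATH_MAX];
    size_t rl;

    if (requested == NULL || requested[0] == '/')   /* relative names only */
        return 0;
    if (realpath(share_root, root) == NULL)
        return 0;
    if (snprintf(joined, sizeof joined, "%s/%s", root, requested) >= (int)sizeof joined)
        return 0;
    if (realpath(joined, full) == NULL)
        return 0;
    rl = strlen(root);
    if (strncmp(full, root, rl) != 0)
        return 0;
    if (full[rl] != '/' && full[rl] != '\0')        /* "/srv/pub2" is not under "/srv/pub" */
        return 0;
    if (snprintf(resolved, resolved_len, "%s", full) >= (int)resolved_len)
        return 0;
    return 1;
}

/* For a loader that joins a name onto a trusted directory and then opens or
 * dlopen()s the result: a valid name is one path component drawn from a
 * small alphabet and not starting with a dot, so "..", "../../tmp/x" and
 * anything with a separator are rejected before a path is ever built. */
int valid_component_name(const char *name)
{
    size_t i, n;

    if (name == NULL)
        return 0;
    n = strlen(name);
    if (n == 0 || n > 64 || name[0] == '.')
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Stage a share under /tmp (constructed for the demo): pub/song.mp3 is
 * shared, secret sits beside pub, pub/sub is an empty directory, and
 * pub/leak is a symlink to ../secret.  Returns a bitmask of the cases that
 * behaved as expected; 0x1f means all five did. */
int run_share_demo(void)
{
    char dir[] = "/tmp/share-demo.XXXXXX";
    char pub[PATH_MAX], sub[PATH_MAX], song[PATH_MAX], secret[PATH_MAX], leak[PATH_MAX];
    char out[PATH_MAX];
    int fd, mask = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(pub, sizeof pub, "%s/pub", dir);
    snprintf(sub, sizeof sub, "%s/pub/sub", dir);
    snprintf(song, sizeof song, "%s/pub/song.mp3", dir);
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(leak, sizeof leak, "%s/pub/leak", dir);
    mkdir(pub, 0700);
    mkdir(sub, 0700);
    if ((fd = open(song, O_WRONLY | O_CREAT, 0600)) >= 0) close(fd);
    if ((fd = open(secret, O_WRONLY | O_CREAT, 0600)) >= 0) close(fd);
    symlink(secret, leak);

    if (path_within_share(pub, "song.mp3", out, sizeof out) == 1)        mask |= 0x01;
    if (path_within_share(pub, "sub/../song.mp3", out, sizeof out) == 1) mask |= 0x02;
    if (path_within_share(pub, "../secret", out, sizeof out) == 0)       mask |= 0x04;
    if (path_within_share(pub, "leak", out, sizeof out) == 0)            mask |= 0x08;
    if (path_within_share(pub, "missing.mp3", out, sizeof out) == 0)     mask |= 0x10;

    unlink(leak); unlink(song); unlink(secret);
    rmdir(sub); rmdir(pub); rmdir(dir);
    return mask;
}

int main(void)
{
    printf("share checks: 0x%02x (0x1f = all as expected)\n", run_share_demo());
    printf("pam_unix.so valid: %d, ../../tmp/evil.so valid: %d\n",
           valid_component_name("pam_unix.so"), valid_component_name("../../tmp/evil.so"));
    return 0;
}
```

The prefix test after realpath() is the part people get wrong: comparing
the first strlen(root) bytes alone would accept /srv/pub2 as a child of
/srv/pub, hence the extra check that the next byte is a separator or the
end of the string. realpath() also means the check is on the file that
will actually be opened, so a symlink inside the share pointing outside it
is refused, not just a textual "..".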
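The SUSE kernel advisory says only that the FTP masquerading code allowed
arbitrary backward connections to be opened. The program below is an added
example for this newsletter; it is not kernel code and does not reconstruct
the flaw. It shows the input validation a masquerading (or, today,
connection-tracking) FTP helper needs before it creates a server-to-client
data mapping for a PORT command: a strict parser for the h1,h2,h3,h4,p1,p2
form, and the policy that the advertised endpoint must be the masqueraded
client itself on an unprivileged port, so a PORT cannot be used to reach a
different internal host or a privileged service on the client. The policy
and the addresses are assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse the argument of an FTP PORT command, "h1,h2,h3,h4,p1,p2", into a
 * host-order IPv4 address and port.  Only digits and commas are accepted,
 * every field must be 0..255, and nothing may follow the sixth field.
 * Returns 1 on success, 0 on any deviation. */
int parse_port_arg(const char *arg, uint32_t *ip, uint16_t *port)
{
    unsigned f[6];
    int consumed = 0, i;
    const char *p;

    if (arg == NULL)
        return 0;
    for (p = arg; *p; p++)
        if (!((*p >= '0' && *p <= '9') || *p == ','))   /* no signs, spaces, CRLF */
            return 0;
    if (sscanf(arg, "%u,%u,%u,%u,%u,%u%n",
               &f[0], &f[1], &f[2], &f[3], &f[4], &f[5], &consumed) != 6)
        return 0;
    if (arg[consumed] != '\0')                           /* trailing ",9" etc. */
        return 0;
    for (i = 0; i < 6; i++)
        if (f[i] > 255)
            return 0;
    *ip = (uint32_t)(f[0] << 24 | f[1] << 16 | f[2] << 8 | f[3]);
    *port = (uint16_t)(f[4] << 8 | f[5]);
    return 1;
}

/* Policy a masquerading FTP helper can apply before it opens a backward
 * (server-to-client) mapping for a PORT command: the advertised address
 * must be the masqueraded client's own address, and the port must be an
 * unprivileged one.  Returns 1 if the mapping may be created, 0 if the
 * command should be dropped. */
int port_mapping_allowed(const char *arg, uint32_t client_ip)
{
    uint32_t ip;
    uint16_t port;

    if (!parse_port_arg(arg, &ip, &port))
        return 0;
    if (ip != client_ip)            /* would open a connection to some other host */
        return 0;
    if (port < 1024)                /* would hit a privileged service on the client */
        return 0;
    return 1;
}

/* Build a host-order IPv4 address from its four octets. */
uint32_t ipv4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (uint32_t)(a << 24 | b << 16 | c << 8 | d);
}

int main(void)
{
    /* Sample PORT arguments, constructed for the demo; the client is 192.168.1.10. */
    const char *cmds[] = { "192,168,1,10,4,1", "10,0,0,1,4,1",
                           "192,168,1,10,0,80", "192,168,1,10,300,1",
                           "192,168,1,10,4,1,9" };
    uint32_t client = ipv4(192, 168, 1, 10);
    size_t i;

    for (i = 0; i < sizeof cmds / sizeof cmds[0]; i++)
        printf("PORT %-22s -> %s\n", cmds[i],
               port_mapping_allowed(cmds[i], client) ? "allow" : "drop");
    return 0;
}
```

The same two questions apply to any helper that opens holes in a firewall
on the strength of a control-channel message: is the message well formed,
and does it name an endpoint the sender is entitled to expose? Answering
"yes" to the first without asking the second is exactly what lets a client
(or a spoofing peer) turn the helper into a general-purpose port opener.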