+---------------------------------------------------------------------+
| LinuxSecurity.com                                 Weekly Newsletter |
| May 29, 2000                                     Volume 1, Number 5 |
|                                                                     |
| Editorial Team: Dave Wreski                  dave@linuxsecurity.com |
|                 Benjamin Thomas               ben@linuxsecurity.com |
+---------------------------------------------------------------------+

Greetings!

Last week was another active week for security advisories. (Thirteen advisories were issued!) These advisories ranged from a gpm vulnerability in TurboLinux to fdmount buffer overflows in Mandrake and Slackware. TurboLinux, SuSE, Slackware, Red Hat, Caldera, Mandrake, and FreeBSD all had advisories issued last week. Once again, you may want to pay close attention to these and take extra steps to prevent your system from being vulnerable.

In the news, the open-source debate continued. Articles such as 'Without Peer: Open Source Security,' 'The Value of Open Source,' and 'The Myth of Open Source Security' all posed interesting questions. Another interesting article to check out is 'Who do we really Blame for Viruses?' All Linux enthusiasts should find it entertaining.

If you are looking for papers on how to better secure your system, I would like to recommend that you read 'Setting up Portsentry' and 'Know Your Enemy: A Forensic Analysis'. Although Portsentry is not the ultimate security solution, it is a great start for any administrator.

Thank you for reading LinuxSecurity.com's weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines and system advisories. It is distributed each Monday by Guardian Digital, Inc.

Would you like to contribute to this newsletter? We'd love to hear from you. Email newsletter-admins@linuxsecurity.com with comments, suggestions, or information on projects you're working on.

To subscribe, send an email to newsletter-request@linuxsecurity.com with "subscribe" in the subject.
Linux Security Week Index:

Advisories:
May 28th, 2000 - FreeBSD: local users can prevent all processes from exiting
May 28th, 2000 - FreeBSD: krb5 port contains remote and local root exploits
May 26th, 2000 - TurboLinux: gpm-1.19.1 and earlier
May 26th, 2000 - SuSE: gdm root compromise vulnerability
May 25th, 2000 - Slackware: fdmount vulnerability
May 24th, 2000 - XFree86: Multiple distribution vulnerability
May 24th, 2000 - Red Hat: Secure Web Server 3.0-3.2: mailman vulnerability
May 24th, 2000 - Qpopper Vulnerability
May 24th, 2000 - Mandrake 7: dump vulnerability
May 24th, 2000 - Mandrake: xemacs vulnerability
May 24th, 2000 - Mandrake: fdmount buffer overflow
May 24th, 2000 - Caldera: buffer overflow in kdm
May 23rd, 2000 - Caldera: DoS attack against X server

Linux Host Security:
May 25th, 2000 - The Top 10 Security Risks
May 24th, 2000 - Intrusion Detection on Linux
May 24th, 2000 - Analyzing Future Computer Trends and Threats
May 24th, 2000 - Always-on Internet Security
May 23rd, 2000 - Intrusion Detection on Linux
May 22nd, 2000 - Mini-FAQ: "antivirus software for Linux"

Linux Server Security:
May 26th, 2000 - NIPC Tool to Detect the mstream DDoS
May 25th, 2000 - LinuxNewbie.org: Setting up Portsentry
May 23rd, 2000 - Know Your Enemy: A Forensic Analysis
May 22nd, 2000 - Cracked! Part 3: Hunting the Hunter

Firewall News:
May 25th, 2000 - Running a BSD-based Firewall

Cryptography:
May 25th, 2000 - Foiling the Internet Spooks
May 25th, 2000 - Secure Deletion of Data
May 24th, 2000 - PGP 5.0 Key Generation Flaw
May 23rd, 2000 - European Union sets free export of encryption
May 22nd, 2000 - TurboLinux and RSA Security Align
May 22nd, 2000 - Sony launches PKI compliant fingerprint-scanning technology

Vendors/Products/Tools:
May 27th, 2000 - E-business Embraces PKI
May 26th, 2000 - Invest in security or pay the price, warns Gartner
May 26th, 2000 - Secure Web-2-WAP File Transfers
May 24th, 2000 - E-commerce software market gets open-source boost
May 22nd, 2000 - Dsniff v2.1 Released

General Community News:
May 26th, 2000 - The Myth of Open Source Security
May 25th, 2000 - Everything You Need to Know about Managed Security Services
May 24th, 2000 - Experts lecture feds on cybersecurity
May 23rd, 2000 - Linux leaders: Beware of Napster
May 23rd, 2000 - Who do we really Blame for Viruses?
May 22nd, 2000 - Computer 'shrinkwrap' license binding
May 22nd, 2000 - Without Peer: Open Source Security
May 22nd, 2000 - The Value of Open Source

----------------------------------------------------------------------
Advisories this Week:

May 28th, 2000
FreeBSD: local users can prevent all processes from exiting
An undocumented system call is incorrectly exported from the kernel without access-control checks. This operation causes the acquisition in the kernel of a global semaphore which causes all processes on the system to block during exit() handling, thereby preventing any process from exiting until the corresponding "unblock" system call is issued.
http://www.linuxsecurity.com/advisories/advisory_documents/freebsd_advisory-447.html

May 28th, 2000
FreeBSD: krb5 port contains remote and local root exploits
The MIT Kerberos 5 port, versions 1.1.1 and earlier, contains several remote and local buffer overflows which can lead to root compromise.
http://www.linuxsecurity.com/advisories/advisory_documents/freebsd_advisory-448.html

May 26th, 2000
TurboLinux: gpm-1.19.1 and earlier
The gpm-root program, included in the gpm package, contains a programming error whereby a call to setgid() fails, and defaults to the group of the gpm-root binary. The group for the gpm-root binary in the affected installations is root.
http://www.linuxsecurity.com/advisories/advisory_documents/turbolinux_advisory-449.html

May 26th, 2000
SuSE: gdm root compromise vulnerability
The GNOME package includes an xdm replacement called gdm for handling graphical console and network logins. The gdm code that processes logins over the network could be tricked into writing data from the network right into the stack. This condition exists while gdm is running with root privileges and before the user is authenticated.
http://www.linuxsecurity.com/advisories/advisory_documents/suse_advisory-446.html

May 25th, 2000
Slackware: fdmount vulnerability
The fdmount program shipped with Slackware has been shown to be vulnerable to a buffer overflow exploit. A user must be in the "floppy" group to execute fdmount, but because fdmount is suid root this is a security problem.
http://www.linuxsecurity.com/advisories/advisory_documents/slackware_advisory-444.html

May 24th, 2000
XFree86: Multiple distribution vulnerability
Remote users can, by sending a malformed packet to port 6000 TCP, cause a victim X server to freeze for a couple of minutes. During the freeze, the mouse does not move, the screen does not update in any way. Worse, the keyboard is unresponsive, INCLUDING console-switch and kill-server key combinations. For many users, the machine might as well have crashed and a full reboot via "the Big Red Button" will be performed.
http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-439.html

May 24th, 2000
Red Hat: Secure Web Server 3.0-3.2: mailman vulnerability
New mailman packages are available which close security holes present in earlier versions of mailman. All sites using the mailman mailing list management software should upgrade.
http://www.linuxsecurity.com/advisories/advisory_documents/redhat_advisory-442.html

May 24th, 2000
Qpopper Vulnerability
The exploit (details below) involves sending a specially-constructed message to a user, then logging in as that user and issuing the EUIDL command. A successful attack can yield a shell running with group 'mail'.
http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-441.html

May 24th, 2000
Mandrake 7: dump vulnerability
Dump may cause a security problem due to a buffer overflow. This package removes the setgid root bit from the dump executable.
http://www.linuxsecurity.com/advisories/advisory_documents/mandrake_advisory-440.html

May 24th, 2000
Mandrake: xemacs vulnerability
Under some circumstances, users are able to snoop on other users' keystrokes. This is a serious problem if you use modules that require e.g. input of passwords, such as MailCrypt.
http://www.linuxsecurity.com/advisories/advisory_documents/mandrake_advisory-438.html

May 24th, 2000
Mandrake: fdmount buffer overflow
A vulnerability in fdmount will allow any user to exploit a buffer overflow. This user, when he is in the floppy group, can have root access on the machine.
http://www.linuxsecurity.com/advisories/advisory_documents/mandrake_advisory-437.html

May 24th, 2000
Caldera: buffer overflow in kdm
There is a buffer overflow in kdm, the KDE graphical login manager. Since the buffer variable that is affected is NOT on the stack but in the data area, it is not clear whether this bug can be exploited.
http://www.linuxsecurity.com/advisories/advisory_documents/caldera_advisory-450.html

May 23rd, 2000
Caldera: DoS attack against X server
A bug was discovered in the X server's authentication code that allows a remote user to completely hang the victim's X server at least for a considerable amount of time, and eventually crash it. While the X server is frozen, it is not even possible to switch to a different console.
http://www.linuxsecurity.com/advisories/advisory_documents/caldera_advisory-436.html

----------------------------------------------------------------------
Linux Host Security:

May 25th, 2000
The Top 10 Security Risks
Here's a list of the most common security vulnerabilities found to date. "This list is derived from various trusted sources including Internet Security Systems (ISS) X-Force analysis, customer input, ISS Professional Services, and security partners. The top 10 list is maintained by ISS X-Force and distributed quarterly."
http://www.linuxsecurity.com/articles/general_article-736.html

May 24th, 2000
Intrusion Detection on Linux
This SecurityFocus article discusses configuring PortSentry, monitoring system logs, LogCheck and kernel security patches to improve the security of your Linux box. "This article focuses on several host-based intrusion detection systems that are available on Linux. In particular, I will cover some of the basics of installing and setting up these packages, how they are useful, and in what circumstances they can be used."
http://www.linuxsecurity.com/articles/intrusion_detection_article-731.html

May 24th, 2000
Analyzing Future Computer Trends and Threats
Computer security plays out mostly as a game of "catch-up." The latest threat hits the servers, then the media, and everyone scrambles to react. A "plague of the week" syndrome is the motif for much of what happens in the IT community. For warfare generates chaos, and managing chaos is about as easy as building a house with bricks of Jello.
http://www.linuxsecurity.com/articles/general_article-727.html

May 24th, 2000
Always-on Internet Security
The two best things about those fast Internet connections you get from cable, DSL, and ISDN are that you don't have to dial a number to connect to the Internet, and they are also easy to share over a network. That's also the worst thing about them--the Internet's a two-way street, and when you've got always-on access to the Net, the Net has the same access to your hard disk. And as for networking... well, that presents its own set of problems, especially in the telecommuter home office and the satellite corporate bureau.
http://www.linuxsecurity.com/articles/network_security_article-722.html

May 23rd, 2000
Intrusion Detection on Linux
This article focuses on several host-based intrusion detection systems that are available on Linux. In particular, I will cover some of the basics of installing and setting up these packages, how they are useful, and in what circumstances they can be used. This article assumes a basic knowledge of systems security. In particular, I will assume that the most basic security measures have already been taken to secure a host against intrusion from the internet.
http://www.linuxsecurity.com/articles/network_security_article-718.html

May 22nd, 2000
Mini-FAQ: "antivirus software for Linux"
Rainer submitted a pointer to a mini-faq he has written on virus protection software for Linux. It discusses commercial and freely-available products as well. This is more of a Resource link, but due to its timeliness...
http://www.linuxsecurity.com/articles/documentation_article-715.html

----------------------------------------------------------------------
Linux Server Security:

May 26th, 2000
NIPC Tool to Detect the mstream DDoS
The potential represented by the "mstream" Distributed Denial of Service (DDoS) exploit is a serious and continuing threat. This advisory provides an update to a previously delivered NIPC DDoS detection tool that now allows users to identify the presence of mstream on host systems. The NIPC recommends that all computer network owners and organizations examine their systems for evidence of DDoS tools, including mstream.
http://www.linuxsecurity.com/articles/server_security_article-742.html

May 25th, 2000
LinuxNewbie.org: Setting up Portsentry
Okay, before I start to tell you how great Portsentry is and how you too can install and use it, I'm going to give two pieces of advice. First, read this all the way through prior to doing ANYTHING! This is especially true for my fellow Debian users. There is a special treat near the end for you, but this is advice everyone should follow. Second, while Portsentry is an excellent security application, having it is not an excuse to be lazy on security. You can't put Portsentry on an entirely insecure box with everyone's worst security holes and expect it to be secure. It isn't happening. That said, I will continue.
http://www.linuxsecurity.com/articles/host_security_article-732.html

May 23rd, 2000
Know Your Enemy: A Forensic Analysis
This paper, the fourth of the series, studies step by step a successful attack of a system. However, instead of focusing on the tools and tactics used, we will focus on how we learned what happened and pieced the information together. The purpose is to give you the forensic skills necessary to analyze and learn on your own the threats your organization faces.
http://www.linuxsecurity.com/articles/intrusion_detection_article-720.html

May 22nd, 2000
Cracked! Part 3: Hunting the Hunter
Noel continues the story of when some Unix boxes that he helped admin were cracked. This article talks about some of the efforts made to track down the cracker and some surprises. This is the third part of the story of a community network that was cracked and what was done to recover from it. The first part, Cracked! Part 1: Denial and Truth, details the report that leads to the discovery that the community network was indeed cracked and some of the initial reactions. The second article, Cracked! Part 2: Watching and Waiting, talks about how they learned more about the cracker and what they did next.
http://www.linuxsecurity.com/articles/server_security_article-712.html

----------------------------------------------------------------------
Firewall News:

May 25th, 2000
Running a BSD-based Firewall
Internet security is currently a hot topic. Because of that, many smaller networks are turning toward firewalls to give them some protection. Many of these networks do not have the money to pay for a commercial firewall product, so they are moving to free Unix-based firewalls such as IP Firewall, IP Filter or IPChains.
http://www.linuxsecurity.com/articles/firewalls_article-739.html

----------------------------------------------------------------------
Cryptography:

May 25th, 2000
Foiling the Internet Spooks
Here's a good article on the status of the DES replacement, apparently due to be announced in the summer. "The National Institute of Standards and Technology (NIST, www.nist.gov) is developing the standard as a replacement to the popular DES algorithm. NIST has already considered 15 proposals for the Advanced Encryption Standard (AES). Five made the final round of evaluation: MARS from IBM; RC6 from RSA Laboratories (www.rsa.com); Rijndael from Joan Daemen and Vincent Rijmen; Serpent from Ross Anderson, Eli Biham, and Lars Knudsen; and Twofish from Counterpane Internet Security (www.counterpane.com)."
http://www.linuxsecurity.com/articles/general_article-738.html

May 25th, 2000
Secure Deletion of Data
With the use of increasingly sophisticated encryption systems, an attacker wishing to gain access to sensitive data is forced to look elsewhere for information. One avenue of attack is the recovery of supposedly erased data from magnetic media or random-access memory. This article covers some of the methods available to recover erased data and presents schemes to make this recovery significantly more difficult.
http://www.linuxsecurity.com/articles/server_security_article-733.html

May 24th, 2000
PGP 5.0 Key Generation Flaw
A flaw has been found in the randomness gathering code of PGP 5. PGP 5 will, under certain well-defined circumstances, generate public/private key pairs with no or only a small amount of randomness. Such keys are insecure.
http://www.linuxsecurity.com/articles/cryptography_article-724.html

May 23rd, 2000
European Union sets free export of encryption
The EU has reportedly decided that allowing the export of crypto is a good thing, despite the best efforts of the US to prevent it. Even France agrees. "But they can't any longer block the export. Companies are allowed to export their encryption products without any interference of the intelligence community."
http://www.linuxsecurity.com/articles/cryptography_article-719.html

May 22nd, 2000
TurboLinux and RSA Security Align
TurboLinux Inc., the high-performance Linux company, and RSA Security Inc., the most trusted name in e-security, today announced that TurboLinux has signed an agreement to license RSA Security software for use in its e-commerce Linux operating system platform, TurboLinux Server 6.0.
http://www.linuxsecurity.com/articles/vendors_products_article-711.html

May 22nd, 2000
Sony launches PKI compliant fingerprint-scanning technology
It would be great to know the state of the Linux support for this. See http://www.linuxnet.com for more biometrics info. "Sony has launched a new biometrics product, the FIU-700 fingerprint identification system. The product is a credit card-size biometric device that provides both authentication and data security. The company claims the product will help make Internet transactions secure. The FIU-700 is a stand-alone fingerprint verification device with PKI (public key infrastructure) key generation to provide more security than other existing fingerprint identification technologies."
http://www.linuxsecurity.com/articles/vendors_products_article-710.html

----------------------------------------------------------------------
Vendors/Products/Tools:

May 27th, 2000
E-business Embraces PKI
"... many companies looking at public key infrastructure (PKI) technology. PKI allows use of digital certificates to ensure the confidentiality and integrity of data through encryption, control access through private keys, authenticate documents via digital signatures, and ease completion of business transactions."
http://www.linuxsecurity.com/articles/cryptography_article-750.html

May 26th, 2000
Invest in security or pay the price, warns Gartner
Companies developing ebusiness applications should spend more time and money on installing better security measures or risk facing high financial losses, according to analysts at Gartner, speaking at the company's Ebusiness and Internet Conference in Paris this week.
http://www.linuxsecurity.com/articles/general_article-744.html

May 26th, 2000
Secure Web-2-WAP File Transfers
Accessing the Web using WAP (Wireless Application Protocol)-enabled mobile phones may be all the rage, but what about the security issues? While it is possible to encrypt selected sections of the Web using a desktop PC with conventional browser and Internet access facilities, WAP microbrowsers are still where Web browsing was in the mid-1990s. Now StoragePoint.com says it has come up with a security system that supports secure Web-based file transfers with WAP-enabled mobile phones.
http://www.linuxsecurity.com/articles/network_security_article-746.html

May 24th, 2000
E-commerce software market gets open-source boost
OpenSales today announced the availability of their open source e-commerce solution. "The software, called AllCommerce, lets companies such as MyHome.com build online sales catalogs that can handle orders, keep track of inventory and generate Web pages. It's open-source software, meaning that anyone can use or modify it for free, and it competes with better-known but proprietary software from companies such as Intershop and InterWorld."
http://www.linuxsecurity.com/articles/vendors_products_article-729.html

May 22nd, 2000
Dsniff v2.1 Released
Dsniff is a tool suite to audit your network. It includes tools for sniffing cleartext protocols, IP redirection, and MAC flooding, so be careful! The features include arpredirect, macof, tcpkill, tcpnice, dsniff, mailsnarf, urlsnarf, webspy. The tool was written by dugsong@monkey.org
http://www.linuxsecurity.com/articles/vendors_products_article-706.html

----------------------------------------------------------------------
General Community News:

May 26th, 2000
The Myth of Open Source Security
An author of the open source Mailman program explains why open source is not as secure as you might think -- using security holes in his own code as an example.
http://www.linuxsecurity.com/articles/general_article-747.html

May 25th, 2000
Everything You Need to Know about Managed Security Services
"This is the latest in a series of free Webcast seminars for professionals interested in learning about the latest technology and market trends on implementing the 'right' level of security for their e-business needs. In this Webcast on managed security services, attendees will learn the benefits of outsourcing security to a managed services provider and what to look for when seeking one."
http://www.linuxsecurity.com/articles/forums_article-737.html

May 24th, 2000
Experts lecture feds on cybersecurity
Hopefully this initiative will help to improve the number of clueful gov't folks. "Congressional funding to curtail cybercrime has been focused on law enforcement and existing programs, but the real solution will come from education, research and development programs, federal officials said Tuesday."
http://www.linuxsecurity.com/articles/general_article-728.html

May 23rd, 2000
Linux leaders: Beware of Napster
"Piracy is bad," says Linus Torvalds, the creator of Linux, when asked about the matter. "Of course you should be able to sue over copyrights. The one good lawsuit in the whole Napster case is the one by Metallica: a suit by the actual authors. While it's probably motivated mostly by money, I can still at least hope that there is a strong feeling of morals there, too."
http://www.linuxsecurity.com/articles/forums_article-717.html

May 23rd, 2000
Who do we really Blame for Viruses?
More than 45,000 viruses infect PCs running the Windows operating system worldwide. Several have caused billions of dollars in damage in the past 12 months. Hundreds more viruses appear each year, requiring armies of anti-virus programmers to isolate and kill the offending bugs. By contrast, perhaps 35 viruses have been written for the Macintosh and four or five for the Unix-based computers that run most Web sites, says Eugene Spafford, director of the Computer Operations, Audit and Security Technology lab at Purdue University. This, a growing chorus of security experts say, is not happenstance.
http://www.linuxsecurity.com/articles/general_article-716.html

May 22nd, 2000
Computer 'shrinkwrap' license binding
I'll never forget my management stating they wouldn't use Linux because there was no one to sue. I think this story tosses that argument out the window. "In a 7-2 decision yesterday, the court rejected a construction firm's claim that a software maker should be liable for $1.95 million in losses the company says were caused by a bad computer program. The court said the agreement enclosed in the packaging protected the software firm from liability, even if the construction company never read it."
http://www.linuxsecurity.com/articles/general_article-713.html

May 22nd, 2000
Without Peer: Open Source Security
Open source code is not infallible. It is prone to some of the glitches that plague its commercial counterpart. Yet, at the same time, it contains a number of safeguards and checks against any one person's mistake being carried too far. The recent incident in which Red Hat included a default log-in for its Piranha clustering modules - raising security concerns about the product - illustrates the point. Lead developer Philip Copeland complained in an online diary that "the Piranha package was literally nailed together a day before the CD had to be finalised, so there was less than 24 hours for other people to review the code." Red Hat Linux 6.2 included parts that were rushed together at the last minute, something like a commercial product being stamped out on deadline. But Copeland's complaint contains the clue to the cure: "other people to review the code."
http://www.linuxsecurity.com/articles/projects_article-707.html

May 22nd, 2000
The Value of Open Source
Here is an interesting article discussing the value of Open Source. "Let's start by saying one thing: Value is relative. What's priceless to me is worthless to you (and vice versa), so it really changes the question of value to one of relevance, not actual worth. Does a car have value? Sure, if you have gas. Without, it's just a heavy, cramped room. Without, you'd trade it for a hamburger
http://www.linuxsecurity.com/articles/general_article-708.html