+---------------------------------------------------------------------+
|  LinuxSecurity.com Weekly Newsletter                                |
|  June 5, 2000                                   Volume 1, Number 6  |
|                                                                     |
|  Editorial Team:  Dave Wreski      dave@linuxsecurity.com           |
|                   Benjamin Thomas  ben@linuxsecurity.com            |
+---------------------------------------------------------------------+

Greetings! We would like to take a moment to thank our readers for all of your support. The response has been tremendous for both our newsletter and website, LinuxSecurity.com. If you have any suggestions regarding the website, newsletter, or anything else, please let us know! We are here to serve the open-source community; your voice should be heard.

In the news, a few good articles were released. A few of my favorites included "Cracked! Part 4: The Sniffer", "The Shell Game", and "Who's Sniffing Your Network?" 'Cracked!' and 'Who's Sniffing Your Network?' are both about the use of packet sniffers. While they take different approaches to explaining the topic, both are interesting to read. The Shell Game explains the rationale for SSH and using encrypted communications. Take a moment to treat yourself to these three articles.

Last week, the major topic of concern was The Top 10 System Security Threats released by SANS. Articles such as "FBI, DOJ issue list of worst Internet threats" and "IT, Company Execs Add To Security Holes" spawned from SANS' initial release. This list should be familiar to most of you. If you are unaware of any of the ten problems listed in the report, be sure to educate yourself and your users about these potential threats. In a few instances, I saw the mainstream media portray this as "SANS is revealing the hacker's secrets." This really isn't the case. I think it is a wake-up call for us all.

Many of us like to romanticize system intrusions by thinking of them as being "clever", while in reality, almost all of the intrusions that occur are a direct result of administrators not taking the proper steps to maintain a secure system. Want a real challenge? Try to crack a properly secured Linux system.

"Security is a Process, Not a Single Solution." Take time each day to address security issues. This should be done by developing a security policy, patching your system, and helping others gain a better security awareness.

Last week's feature was an interview with Frank van Vliet. He is the author of AuditFile and many security advisories, and recently pointed out configuration errors on apache.org. In the interview, Frank explains how he audits a system's security, the major pitfalls administrators fall into, and how he attempts to uncover bugs. We believe that everyone can learn something from this interview.

Also recently added to the site is the WebTrends Security Analyzer. The WebTrends Security Analyzer has the most vulnerability tests for Red Hat & VA Linux. Using advanced agent-based technology, you can scan your Linux servers from your Windows NT/2000 console and protect them against potential threats. Now with over 1,000 tests available.
http://www.webtrends.com/redirect/linuxsecurity1.htm

Thank you for reading LinuxSecurity.com's weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines and system advisories. It is distributed each Monday by Guardian Digital, Inc.

Would you like to contribute to this newsletter? We'd love to hear from you. Email newsletter-admins@linuxsecurity.com with comments, suggestions, or information on projects you're working on.

To subscribe, send an email to newsletter-subscribe@linuxsecurity.com with "subscribe" in the subject.

Linux Security Week Index:

Advisories:
May 31st, 2000 - RedHat 6.1: New majordomo package available
May 30th, 2000 - TurboLinux: users can view shadowed password file
May 30th, 2000 - PGP 5.0: Key generation weakness
May 29th, 2000 - SuSE: kmulti local root compromise
May 29th, 2000 - Mandrake: kdesu vulnerability
May 29th, 2000 - NetBSD: Local "cpu-hog" denial of service
May 29th, 2000 - NetBSD: SysV semaphore denial-of-service
May 29th, 2000 - NetBSD 1.4.2: /etc/ftpchroot parsing broken
May 29th, 2000 - NetBSD: Exploitable Vulnerability in Xlockmore
May 29th, 2000 - OpenBSD: Xlockmore vulnerability
May 29th, 2000 - OpenBSD 2.7: ipf vulnerability

Firewall News:
June 2nd, 2000 - An Introduction to IP Masquerading - Part 2
May 30th, 2000 - Firewall placement

Linux Host Security:
June 4th, 2000 - Just Linux.com: From the Desktop
June 2nd, 2000 - CERT Vulnerability Summary
June 1st, 2000 - Cracked! Part 4: The Sniffer
May 31st, 2000 - SANS Top 10 Threats
May 29th, 2000 - IPv6 wins support as multimedia protocol

Linux Server Security:
June 4th, 2000 - Who's Sniffing Your Network?
May 31st, 2000 - Update: Blocking "Killer Resume"
May 31st, 2000 - Buffer Overrun Vulnerabilities in Kerberos
May 30th, 2000 - popa3d v0.4 contributed Kerberos

Cryptography:
June 1st, 2000 - Making an Unbreakable Code
May 31st, 2000 - The Shell Game
May 29th, 2000 - Maths prize could revolutionise encryption
May 29th, 2000 - Life in an Era of Cryptographic Abundance
May 29th, 2000 - Can IPv6 replace SSL?

Vendors/Products/Tools:
June 2nd, 2000 - Retina™ The Network Security Scanner
June 2nd, 2000 - Information on SANS Security DC2000
June 1st, 2000 - Linux Deleted File Recovery Tool
May 31st, 2000 - Nmap 2.53 Released
May 30th, 2000 - Mission Critical Linux

General Community News:
June 3rd, 2000 - Domain Hijacking Raises Security Issue
June 2nd, 2000 - IT, Company Execs Add To Security Holes
June 2nd, 2000 - Hackers' favorite security holes revealed
June 2nd, 2000 - Security holes going unpatched
May 31st, 2000 - Should We Hack back?
May 31st, 2000 - Internet to Transmit "Notarized" Documents
May 30th, 2000 - Privacy Looters
May 30th, 2000 - Striking a Blow for Privacy
May 30th, 2000 - Spring cleaning tips for managers
May 30th, 2000 - Cross-Company Applications Open Up Security
May 30th, 2000 - Senate hears computer export control arguments

Advisories this Week:

May 31st, 2000 RedHat 6.1: New majordomo package available
A vulnerability in /usr/lib/majordomo/resend and /usr/lib/majordomo/wrapper will allow execution of arbitrary commands with elevated privileges.
http://www.linuxsecurity.com/advisories/advisory_documents/redhat_advisory-460.html

May 30th, 2000 TurboLinux: local users can view shadowed password file
"The xlock program locks an X server until a valid password is entered. The command line option -mode provides a user with a mechanism to change the default display shown when the X server is locked. xlock is installed with privileges to obtain password information, although these are dropped as early as possible. An overflow in the -mode command line option allows a malicious attacker to reveal arbitrary portions of xlock's address space including the shadow password file."
http://www.linuxsecurity.com/advisories/advisory_documents/turbolinux_advisory-459.html

May 30th, 2000 PGP 5.0: Key generation weakness
During a recent review of our published PGP 5.0 for Linux source code, researchers discovered that under specific, rare circumstances PGP 5.0 for Linux will generate weak, predictable public/private keypairs.
http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-461.html

May 29th, 2000 SuSE: kmulti local root compromise
The KDE CD player kscd is setgid disk to be able to access the device file of the CDROM. To perform some action kscd calls the unix command shell specified in the environment variable SHELL with the privileges of group disk.
http://www.linuxsecurity.com/advisories/advisory_documents/suse_advisory-452.html

May 29th, 2000 Mandrake: kdesu vulnerability
Problem: A vulnerability in kdesud will allow any user to exploit a buffer overflow. This user then can have a root group access on the machine, by exploiting a bug in the kdesud program.
http://www.linuxsecurity.com/advisories/advisory_documents/mandrake_advisory-451.html

May 29th, 2000 NetBSD: Local "cpu-hog" denial of service
Untrusted local processes can hog cpu and kernel memory by tricking the kernel into running exclusively on their behalf, denying other processes the CPU.
http://www.linuxsecurity.com/advisories/advisory_documents/netbsd_advisory-454.html

May 29th, 2000 NetBSD: SysV semaphore denial-of-service
An undocumented system call permits any user process to lock up the entire semaphore subsystem, preventing processes using semaphores from locking or unlocking them, and preventing processes holding semaphores from exiting.
http://www.linuxsecurity.com/advisories/advisory_documents/netbsd_advisory-455.html

May 29th, 2000 NetBSD 1.4.2: /etc/ftpchroot parsing broken
A fix which attempted to make ftpd's parsing of /etc/ftpusers more robust was incorrect, and broke parsing of /etc/ftpchroot, allowing users listed in /etc/ftpchroot access to files outside their home directory.
http://www.linuxsecurity.com/advisories/advisory_documents/netbsd_advisory-453.html

May 29th, 2000 NetBSD: Exploitable Vulnerability in Xlockmore
The advisory outlines how xlock can be manipulated to print the shadow password information even though it drops root privileges before an overflow occurs.
http://www.linuxsecurity.com/advisories/advisory_documents/netbsd_advisory-456.html

May 29th, 2000 OpenBSD: Xlockmore vulnerability
xlockmore has a localhost attack against it which allows recovery of the encrypted hash of the root password. The damage to systems using DES passwords from this attack is pretty heavy, but to systems with a well-chosen root password under blowfish encoding (see crypt(3)) the impact is much reduced.
http://www.linuxsecurity.com/advisories/advisory_documents/openbsd_advisory-458.html

May 29th, 2000 OpenBSD 2.7: ipf vulnerability
A misuse of ipf(8) keep-state rules can result in firewall rules being bypassed. This patch also includes fixes for an unaligned timestamp issue, and reliability fixes for ipmon and the in-kernel ftp proxy. A jumbo patch exists, which remedies this problem, and updates ipf to version 3.3.16.
http://www.linuxsecurity.com/advisories/advisory_documents/openbsd_advisory-457.html

Firewall News:

June 2nd, 2000 An Introduction to IP Masquerading - Part 2
In mid-May, Linux.com released Part 1 - 'An Introduction to IP Masquerading.' Here is the 2nd and final part of this article.
"Now that relatively high-bandwidth Internet connections are becoming both commonplace and inexpensive, cable modem and DSL users wanting to put more than one computer on the Internet find that their Internet service provider will not allow them to do so. Typically, an ISP will grant a user a single, dynamically-allocated IP address to be used by only one computer at the user's home, in order to conserve their precious pool of IP addresses."
http://www.linuxsecurity.com/articles/firewalls_article-788.html

May 30th, 2000 Firewall placement
".. We are linking our company to the Internet, and we are discussing the placement of the firewall. I feel that the firewall should reside in-house for the best security; others want to put the firewall at our ISP and run a point-to-point T-1 between us. Although the risk is small, I think there is a risk of having an unprotected circuit between us and the firewall. Am I off-base?"
http://www.linuxsecurity.com/articles/firewalls_article-763.html

Linux Host Security:

June 4th, 2000 Just Linux.com: From the Desktop
Here is a pretty good article; you'll find the most relevant Linux information midway down... "The biggest security problem with Linux is its ability to run multiple processes with relative ease and giving certain users a lot of access to these processes. Those of you new to Linux might be scratching their heads since it looks like I just indicated one of Linux biggest strengths."
http://www.linuxsecurity.com/articles/host_security_article-797.html

June 2nd, 2000 CERT Vulnerability Summary
"Each quarter, the CERT Coordination Center issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems."
http://www.linuxsecurity.com/articles/forums_article-787.html

June 1st, 2000 Cracked!
Part 4: The Sniffer
Noel continues the story of when some Unix boxes that he helped admin were cracked. This article tells how they found the sniffer that the cracker was running on their network and what they did next. "We had thousands of logins each day from a large selection of places all over the world. Many of these users then connected to other systems using telnet or FTP. Each time one of our users connected to a system somewhere else the cracker had a new door that he could open. A new system that he could crack or just use to store things. To run his port redirector all he needed was a regular user account on a machine and then he had a new system to cover his tracks with."
http://www.linuxsecurity.com/articles/intrusion_detection_article-781.html

May 31st, 2000 SANS Top 10 Threats
The System and Network Security group is meeting with several key players in the information security arena on Friday to discuss and outline the 10 top security threats. "Tomorrow (June 1) the FBI, Justice Department, GSA, the CIAO and CERT/CC will join with SANS and two dozen leading security gurus to unveil the Top Ten Security Threats on the Internet. These are vulnerability clusters that account for the majority of all successful attacks. At noon (EST) on Thursday, you'll find the Top Ten posted at
http://www.linuxsecurity.com/articles/projects_article-773.html

May 29th, 2000 IPv6 wins support as third-generation multimedia protocol
"... The proposal, which paves the way to make IPv6 the standard protocol in third-generation mobile multimedia networks, was accepted this week in a plenary session of the system architecture group of the 3GPP (Third-Generation Partnership Project), Nokia said in a statement."
http://www.linuxsecurity.com/articles/network_security_article-757.html

Linux Server Security:

June 4th, 2000 Who's Sniffing Your Network?
This Linux.com article talks about a few of the sniffer tools that are available, and what can be done to detect their presence.
"Sniffers represent a high level of risk because: they can capture passwords; they can capture confidential or proprietary information; and they can be used to breach security of neighboring networks, or gain leveraged access."
http://www.linuxsecurity.com/articles/intrusion_detection_article-798.html

May 31st, 2000 Update: Blocking "Killer Resume"
Jose Nazario has updated the .cf/.mc patch on his mirror site to include "Killer Resume" and was kind enough to share the fix with us. The patch, designed to block the ILOVEYOU worm and related worm/virus medleys, works on sendmail 8.9.x and above using the subject line checking options available.
http://www.linuxsecurity.com/articles/server_security_article-770.html

May 31st, 2000 CIAC Revision: Buffer Overrun Vulnerabilities in Kerberos
The CERT Coordination Center has recently been notified of several buffer overflow vulnerabilities in the Kerberos authentication software. The most severe vulnerability allows remote intruders to gain root privileges on systems running services using Kerberos authentication. If vulnerable services are enabled on the Key Distribution Center (KDC) system, the entire Kerberos domain may be compromised.
http://www.linuxsecurity.com/articles/security_sources_article-769.html

May 30th, 2000 popa3d v0.4 contributed Kerberos
"Dug Song has contributed Kerberos v4 (KPOP) and APOP authentication patches for popa3d v0.4. I've mirrored them into popa3d/contrib on the FTP and added links to the popa3d page at the usual location: http://www.openwall.com/popa3d/"
http://www.linuxsecurity.com/articles/network_security_article-758.html

Cryptography:

June 1st, 2000 Making an Unbreakable Code
This article talks about the need for encryption. Email, e-commerce, digital cash, the NSA's Echelon Project all lead to reasons why crypto is necessary. "... more and more of our private communications are being routed through electronic channels.
Channels like e-mail are simply too easy to intercept and scan for interesting keywords. This can be done routinely, automatically, and imperceptibly on a very large scale."
http://www.linuxsecurity.com/articles/cryptography_article-776.html

May 31, 2000 The Shell Game
This article explains the need and rationale for Secure SHell, an encrypted communications channel which functions as a telnet replacement, and also guides you through the process of installing and using SSH on your own system.
http://www.linuxsecurity.com/articles/network_security_article-772.html

May 29th, 2000 Maths prize could revolutionise encryption
A £3.6m mathematics competition announced Wednesday could spark a revolution in computer security and online privacy, experts believe. The competition is sponsored by the Clay Mathematics Institute in the US and was revealed at the Millennium Mathematics Conference in France. Entrants must tackle some of the world's most perplexing unsolved mathematical problems including the Riemann Hypothesis.
http://www.linuxsecurity.com/articles/cryptography_article-756.html

May 29th, 2000 Life in an Era of Cryptographic Abundance
In the Palo Alto area on June 20th? Xerox PARC is holding a free conference on the abundance of cryptography. "It seems clear to some that by 2010 cryptographic operations of all sorts will be as cheap and as plentiful as dirt, and that they will be as unremarkable then as IP stacks have become today. How will things be different in the coming era of abundant cryptography? How will our children keep a secret? What new businesses will arise?"
http://www.linuxsecurity.com/articles/forums_article-755.html

May 29th, 2000 Can IPv6 replace SSL?
Reto Haeni has written this paper that gives a brief overview of the features of IPv6 and discusses its security specifications. In the later sections of the paper, he compares the security specifications of IPv6 to one of today's available security protocols, SSL (Secure Sockets Layer).
http://www.linuxsecurity.com/articles/network_security_article-754.html

Vendors/Products/Tools:

June 2nd, 2000 Retina The Network Security Scanner
"Retina is a network security scanner and monitor that helps discover and fix all known security vulnerabilities on your Internet, Intranet and Extranet systems. Retina includes easy to navigate reporting tools to help you prioritize and isolate high priority fixes giving you total control over auditing your network security and open gateways to your internal network."
http://www.linuxsecurity.com/articles/vendors_products_article-792.html

June 2nd, 2000 Information on SANS Security DC2000
SANS Security DC2000 will be here July 5-10th, 2000. It is located at the JW Marriott Hotel in Washington DC. SANS will provide "In-depth training for people interested in developing skills and confidence as technical security professionals." The training includes security essentials, intrusion detection, firewalls, and Linux security.
http://www.linuxsecurity.com/articles/organizations_events_article-789.html

June 1st, 2000 WetStone & SM&A Release Linux Deleted File Recovery Tool
WetStone Technologies, Inc. and SM&A are announcing the release of Extractor, a Linux RedHat deleted file recovery tool. The technology will assist law enforcement, government and commercial organizations in retrieving maliciously or accidentally deleted files within a Linux environment.
http://www.linuxsecurity.com/articles/vendors_products_article-784.html

May 31st, 2000 Nmap 2.53 Released
The latest version of nmap, a utility for port scanning networks, has been released. This tool should be in everyone's security arsenal. "The main addition is IP Protocol scan mode (-sO) which tells you what protocols the host allows over IP (such as TCP, UDP, IGMP, ICMP, SWIPE, EGP, etc). This release also includes some minor fixes & enhancements."
http://www.linuxsecurity.com/articles/network_security_article-775.html

May 30th, 2000 Mission Critical Linux
In the following interview with company president, CEO and founder Moiz Kahari, conducted as he was preparing to speak at the European Linux@Work Conference, the E-Commerce Times explores all things Linux and the operating system's role in the future of e-commerce.
http://www.linuxsecurity.com/articles/forums_article-762.html

General Community News:

June 3rd, 2000 Domain Hijacking Raises Security Issue
web.net and bali.com were stolen from their rightful owners last week. "In spite of a recent May 5th U.S. district court decision which declared that domain names are not property, and hence, can't be "stolen," domain thieves last weekend successfully hijacked two web site/domains from their rightful owners."
http://www.linuxsecurity.com/articles/general_article-796.html

June 2nd, 2000 IT, Company Execs Add To Security Holes
The SANS threat list has become the focus this week. "The majority of successful attacks on computer systems via the Internet can be traced to exploitation of one of a small number of security flaws, SANS said. Most of the systems compromised in the Solar Sunrise Pentagon hacking incident were attacked through a single vulnerability. A related flaw was exploited to break into many of the computers later used in massive denial-of-service attacks."
http://www.linuxsecurity.com/articles/network_security_article-795.html

June 2nd, 2000 Hackers' favorite security holes revealed
More on the recent SANS report. "'Many of the vulnerabilities on that list are well-known vulnerabilities that everyone knows about,' said Sean Hernan, team leader for vulnerability handling at the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University and one of more than 40 contributors to the report."
http://www.linuxsecurity.com/articles/network_security_article-794.html

June 2nd, 2000 Security holes going unpatched
The CIO Council is asking every federal chief information officer to find and fix the lapses that made a top 10 list of critical Internet security threats. The list, released Thursday, includes problems that have solutions, but the solutions have not been put in place by federal systems administrators. So agency World Wide Web sites keep getting hacked, and agencies keep ending up in the news after being hit by attacks that should not have happened, said Allan Paller, director of research at the SANS Institute, a group of federal, industry and academic experts that coordinated the list.
http://www.linuxsecurity.com/articles/projects_article-793.html

May 31st, 2000 Should We Hack back?
To retaliate or not to retaliate? In cyberspace, there is no simple answer. ... Most IT professionals interviewed for this story said they would not strike back in cyberspace, for fear of hitting an innocent bystander. But they're not averse to taking some action when they're sure of the perpetrator's identity.
http://www.linuxsecurity.com/articles/general_article-777.html

May 31st, 2000 Internet to Transmit "Notarized" Documents
The 150,000-member National Notary Association (NNA) announced Friday that it would be introducing a "new and revolutionary" method to send secure, authenticated documents via the Internet. The formal introduction of what the NNA said was "groundbreaking" technology is scheduled to take place during the 22nd Annual National Notary Association Conference that will take place next month in Las Vegas.
http://www.linuxsecurity.com/articles/general_article-767.html

May 30th, 2000 Privacy Looters
A new law that lets banks, insurers, and brokerage houses merge and share your personal data has frightening implications for consumers.
Your insurance company can now find out that you use your credit card to buy lots of big boxes of chocolate and bottles of wine. Never mind that these gifts were for business clients. Suddenly, your health and car insurance premiums rise because the company's actuarial computers think you're more likely to drive drunk or have a heart attack from eating all that chocolate.
http://www.linuxsecurity.com/articles/general_article-766.html

May 30th, 2000 Striking a Blow for Privacy
ComputerCurrents reviews Simson Garfinkel's new book, "Database Nation". "Privacy? The very rich still can buy it. For the rest of us, however, it's almost dead. This is not news, Garfinkel concedes in his heavily researched, well-written study. Still, "Database Nation" dramatically chronicles a growing range of threats against information once considered personal, such as buying habits, credit histories, medical records, and telephone records."
http://www.linuxsecurity.com/articles/documentation_article-765.html

May 30th, 2000 Spring cleaning tips for managers
If your agency deals in classified or sensitive information, you probably wage an ongoing war against Internet hackers. The danger isn't so much from hackers' creativity as much as it's due to managers' failures to seal security holes, establish policies for information sharing on intranets and public Web sites, and protect the data physically.
http://www.linuxsecurity.com/articles/network_security_article-759.html

May 30th, 2000 Cross-Company Applications Open Up Security
The profusion of supply chain and other applications that involve data sharing between companies raises a number of security issues IT managers must sort through, including the ability of current security products to filter based on specific application and data types.
http://www.linuxsecurity.com/articles/host_security_article-760.html

May 30th, 2000 Senate hears computer export control arguments
Efforts to ease Cold War export controls on high-performance computers could sacrifice national security interests for business gains, experts told a Senate hearing today. But an industry representative disagreed, saying change is essential if computer companies are to compete in a rapidly changing marketplace.
http://www.linuxsecurity.com/articles/general_article-761.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                 LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------