Date: Mon, 17 Jul 2000 10:59:03 -0400 (EDT)
From: newsletter-admins@linuxsecurity.com
To: newsletter@linuxsecurity.com
Subject: Linux Security Week, July 17th, 2000

+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  July 17, 2000                                Volume 1, Number 12   |
|                                                                     |
|  Editorial Team:  Dave Wreski               dave@linuxsecurity.com  |
|                   Benjamin Thomas           ben@linuxsecurity.com   |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines and system advisories.

This week, several vendors released patches for packages such as: cvsweb, popper, canna, wu-ftpd, dump, dhclient, tnef, and Apache::ASP. Although most of these problems surfaced weeks ago, it is important that you check for and implement each update provided by your current distro.

Privacy continues to weigh on the minds of many Internet users. Recently, the FBI's newest e-mail surveillance tool, "Carnivore," has upset many privacy-conscious individuals and organizations. While the FBI argues that there is no clear law that prohibits the usage of this system, some ISPs are already vowing to resist 'Carnivore' being installed on their networks. If you are interested in this topic, articles regarding privacy and 'Carnivore' can be found in the General News section of this newsletter.

Our feature this week, "Jay Beale and the Bastille Linux Project," by Dave Wreski, discusses Jay's efforts as a lead developer for the Bastille Linux Project. He points out that security is an easier process if users are educated and understand basic vulnerabilities. He goes on to discuss the "tradeoffs" that must be made to fully secure a system. Bastille helps users understand vulnerabilities and the usability sacrifices that hardening requires.
http://www.linuxsecurity.com/feature_stories/feature_story-59.html

Our sponsor this week is WebTrends. Their Security Analyzer has the most vulnerability tests available for Red Hat & VA Linux. It uses advanced agent-based technology, enabling you to scan your Linux servers from your Windows NT/2000 console and protect them against potential threats. Now with over 1,000 tests available.
http://www.webtrends.com/redirect/linuxsecurity1.htm

HTML Version Available:
http://www.linuxsecurity.com/articles/forums_article-1137.html

---------------------
Advisories This Week:
---------------------

* Debian: cvsweb vulnerability
  July 16th, 2000

  The versions of cvsweb distributed in Debian GNU/Linux 2.1 (aka slink) as well as in the frozen (potato) and unstable (woody) distributions are vulnerable to a remote shell exploit. An attacker with write access to the cvs repository can execute arbitrary code on the server, as the www-data user.
  http://www.linuxsecurity.com/advisories/debian_advisory-559.html

* FreeBSD: Multiple kerberosIV vulnerabilities
  July 14th, 2000

  Local or remote users can obtain root access on the system running Kerberos, whether as client or server. If you have not chosen to install the KerberosIV distribution on your FreeBSD 3.x system, then your system is not vulnerable to this problem.
  http://www.linuxsecurity.com/advisories/freebsd_advisory-557.html

* Mandrake: cvsweb vulnerability
  July 14th, 2000

  Cvsweb contains a hole that provides attackers who have write access to a cvs repository with shell access. Thus, attackers who have write access to a cvs repository but not shell access can obtain a shell. In addition, anyone with write access to a cvs repository that is viewable with cvsweb can get access to whatever user the cvsweb cgi script runs as (typically nobody or www-data, etc.).
  http://www.linuxsecurity.com/advisories/mandrake_advisory-558.html

* FreeBSD: UPDATE: Remote denial-of-service in IP stack
  July 12th, 2000

  There are several bugs in the processing of IP options in the FreeBSD IP stack, which fail to correctly bounds-check arguments and contain other coding errors leading to the possibility of data corruption and a kernel panic upon reception of certain invalid IP packets.
  http://www.linuxsecurity.com/advisories/freebsd_advisory-552.html

* FreeBSD: UPDATE: popper port contains remote vulnerability
  July 12th, 2000

  Remote users can cause arbitrary code to be executed as the retrieving user when a POP client retrieves email. If you have not chosen to install the qpopper-2.53 port/package, then your system is not vulnerable to this problem.
  http://www.linuxsecurity.com/advisories/freebsd_advisory-553.html

* FreeBSD: UPDATE: Canna port contains remote vulnerability
  July 12th, 2000

  Remote users can run arbitrary code as user 'bin' on the local system. Depending on the local system configuration, the attacker may be able to upgrade privileges further by exploiting local vulnerabilities. If you have not chosen to install the Canna port/package, then your system is not vulnerable to this problem.
  http://www.linuxsecurity.com/advisories/freebsd_advisory-554.html

* FreeBSD: UPDATE: wu-ftpd port contains remote root compromise
  July 12th, 2000

  FTP users, including anonymous FTP users, can cause arbitrary commands to be executed as root on the local machine. If you have not chosen to install the wu-ftpd port/package, then your system is not vulnerable to this problem.
  http://www.linuxsecurity.com/advisories/freebsd_advisory-556.html

* Mandrake: dump vulnerability
  July 12th, 2000

  There was the potential for a buffer overflow exploit in the restore program. This new version fixes this possible vulnerability.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-555.html

* SuSE: dhclient
  July 11th, 2000

  Dhclient could be tricked by a rogue DHCP server into executing commands as user root. This leads to a remote root compromise of the system using dhclient.
  http://www.linuxsecurity.com/advisories/suse_advisory-547.html

* SuSE: tnef vulnerability
  July 11th, 2000

  By specifying a path name like /etc/passwd and sending a compressed mail to root, an adversary could gain remote root access to a system by overwriting the local password database. The same could happen if a mail virus scanner, like AMaVIS, processes a malicious mail.
  http://www.linuxsecurity.com/advisories/suse_advisory-548.html

* Apache::ASP v1.95: Permissions vulnerability
  July 11th, 2000

  Apache::ASP < http://www.nodeworks.com/asp/ > had a security hole in its ./site/eg/source.asp distribution examples file, allowing a malicious hacker to potentially write to files in the directory local to the source.asp example script.
  http://www.linuxsecurity.com/advisories/other_advisory-551.html

* Big Brother: Permission vulnerability
  July 11th, 2000

  It is possible to view the contents of any file on the remote system. The problem exists in the code where $HOSTSVC does not do authenticity checking for its assigned variable.
  http://www.linuxsecurity.com/advisories/other_advisory-550.html

* NetBSD: wu-ftpd package vulnerability
  July 10th, 2000

  Remote anonymous FTP users can execute arbitrary code as root on the local machine.
  http://www.linuxsecurity.com/advisories/netbsd_advisory-544.html

* NetBSD: ftpd setproctitle vulnerability
  July 10th, 2000

  An improper use of the setproctitle() library function by ftpd may allow a malicious remote ftp client to subvert an FTP server, including possibly getting remote access to a system.
  http://www.linuxsecurity.com/advisories/netbsd_advisory-545.html

* NetBSD: dhclient vulnerability
  July 10th, 2000

  The DHCP client program, dhclient(8), did not correctly handle DHCP options it receives in DHCP response messages, possibly permitting a rogue dhcp server to send maliciously formed options which resulted in a remote root compromise.
  http://www.linuxsecurity.com/advisories/netbsd_advisory-546.html

* SuSE: makewhatis not vulnerable
  July 10th, 2000

  makewhatis from the man package is reported to not be vulnerable to the /tmp race condition bug.
  http://www.linuxsecurity.com/advisories/suse_advisory-543.html

-----------------------
Top Articles This Week:
-----------------------

Host Security News:
-------------------

* Unix Security Holes
  July 13th, 2000

  The hottest trend these days in network intrusion is to exploit buffer overruns, a technique whereby you feed a program more data than it has allocated, overwriting the memory in the hope of making the program do something it would normally never do. It's an interesting technique but just one of many available in the arsenal of today's intruders. In the interest of feeding the media blitz about Internet security, this month's column features a walk through some of the more innovative and interesting security holes that we've come across in the past few years.
  http://www.linuxsecurity.com/articles/server_security_article-1116.html

* Securing Sendmail on Four Types of Systems
  July 12th, 2000

  Depending on where you are and what you're doing there, security can mean very different things. This second article in our series on sendmail and security, based on the tutorial given by Eric Allman and Greg Shapiro at the recent USENIX conference in San Diego, looks at what you can do to secure sendmail on four types of systems: systems with user login access, systems with user accounts but no shell access, POP/IMAP mail servers, and firewalls.
  http://www.linuxsecurity.com/articles/server_security_article-1104.html

* Tripwire - The Only Way to Really Know
  July 11th, 2000

  So you think you may have been hacked, but you're really not sure 'cause some crackers seem pretty stealthy. There really is only one way to know - employ a file integrity checker, like Tripwire or AIDE. In this article, I'll explain why you need Tripwire/AIDE, what they do, and how you can deploy Tripwire. I'll give you a sample configuration that you can tune.
  http://www.linuxsecurity.com/articles/host_security_article-1095.html

* Installing djbdns (DNScache) for Name Service Part 2
  July 11th, 2000

  Traditionally, BIND has been the nameserver of choice when doing name service on a Unix system. Like many of its close relatives, such as sendmail, it was designed at a time when the internet wasn't even known as the internet, and security wasn't a concern. This has caused more than a few problems over the years, and many point to the age of its codebase, and lack of designed-in security as part of the problem.
  http://www.linuxsecurity.com/articles/server_security_article-1094.html

Network Security News:
----------------------

* Smart card accepted at portal
  July 13th, 2000

  Pulsar Data Systems Inc. on Tuesday unveiled its secure e-commerce portal, PulsarData.com, which uses smart cards to enable agencies to purchase information technology products. Pulsar, a wholly owned subsidiary of Internet data security company Litronic Inc., announced the smart card feature, which is free for government users, at the E-Gov trade show in Washington, D.C.
  http://www.linuxsecurity.com/articles/server_security_article-1121.html

* Stolen Computers Will Self-Destruct
  July 13th, 2000

  The Cyber Group Network Corp. (CGN) is developing a software-controlled hardware device that can be installed in computers worldwide to either locate or destroy the devices when they are lost or stolen.
  CGN says that the hardware/software combination, code named "The C-4 Chip," will be able to determine the location, within five feet, of missing or stolen computers as well as other devices, anywhere on the planet. CyberCrimeCorp, a subsidiary of CGN, will distribute the device. According to the company, for locating a computer that is stolen or missing, a toll-free number will be available 24 hours a day, seven days a week, in more than 20 countries.
  http://www.linuxsecurity.com/articles/vendors_products_article-1120.html

* Cracked! Part 7: The Cracker's Revenge
  July 12th, 2000

  In this article I explain what the Cracker did when he broke back in, our recovery from this, talking to the cracker afterwards, and bring the story to a close.
  http://www.linuxsecurity.com/articles/intrusion_detection_article-1109.html

* Security policies fall short
  July 12th, 2000

  Federal agencies are failing to follow the policies to ensure that changes in their software and systems do not open security vulnerabilities, the General Accounting Office told agency officials last month.
  http://www.linuxsecurity.com/articles/government_article-1113.html

* Companies adding Privacy officers
  July 12th, 2000

  Move over, CEO, CIO, and COO. Your titles are passe compared to the newest position in high demand from corporate headhunters -- Chief Privacy Officer. With consumers increasingly concerned about their privacy and new technology able to track Internet users click by click, companies are rapidly hiring privacy officers and giving them broad powers to set policies that protect consumers from invasion and companies from public relations nightmares.
  http://www.linuxsecurity.com/articles/privacy_article-1108.html

* Telecommuting has Increased Security Threats
  July 11th, 2000

  The proliferation of Internet technologies has helped fuel the telecommuting wave with its mobility and connectivity needs, but it's been a double-edged sword, as that very mobility has increased security threats to networks from dial-up and wireless access.
  http://www.linuxsecurity.com/articles/general_article-1091.html

Cryptography News:
------------------

* Counterpane Crypto-Gram
  July 16th, 2000

  This month Bruce Schneier comments on the CIA, Counterpane cracker insurance, (in)security in QuickBooks, current security news, and more. Always a good read.
  http://www.linuxsecurity.com/articles/cryptography_article-1133.html

* SSH Tutorial
  July 14th, 2000

  Enter SSH (Secure SHell). By using SSH, you encrypt the traffic and you can make 'man-in-the-middle' attacks almost impossible. It also protects you from DNS and IP spoofing.
  http://www.linuxsecurity.com/articles/cryptography_article-1125.html

* OpenSSH's Cinderella story
  July 11th, 2000

  Once upon a time, a Finnish programmer named Tatu Ylönen developed a networking protocol and attendant software called SSH, short for Secure SHell. Not having spoken to Mr. Ylönen, I know nothing about his precise motivations at the time, but the practical upshot of SSH is that it provides the world with an encrypted alternative to telnet.
  http://www.linuxsecurity.com/articles/cryptography_article-1096.html

* Making an Unbreakable Code
  July 10th, 2000

  Because information is sent over the Internet (which is an open network), valuable data can be easily intercepted and exploited. Obviously, there could be disastrous consequences for individuals and businesses if this information fell into the wrong hands.
  http://www.linuxsecurity.com/articles/cryptography_article-1083.html

Vendor/Product/Tools News:
--------------------------

* Beware: E-signatures can be easily forged
  July 14th, 2000

  Consumer groups say the electronic signatures recently authorized by President Clinton are easy to forge.
  http://www.linuxsecurity.com/articles/privacy_article-1129.html

* Security, the Way It Should Be
  July 12th, 2000

  Today, security is often provided by patched-together, reactionary defenses, which many see as an inhibitor to business. In order to take their rightful place as a business enabler, security systems must provide distributed, real-time, flexible defenses against attacks.
  http://www.linuxsecurity.com/articles/network_security_article-1105.html

General News:
-------------

* FBI Defends 'Carnivore' Cyber-Snoop Device
  July 13th, 2000

  The FBI's newest e-mail surveillance tool is simply a logical extension of its existing wiretapping technology and does not pose any new privacy threat to rank-and-file Internet users, the FBI contended today in response to a critical news report about its recently developed "Carnivore" device.
  http://www.linuxsecurity.com/articles/privacy_article-1117.html

* ACLU: Law Needs 'Carnivore' Fix
  July 13th, 2000

  "There's no clear law that authorizes Carnivore," said ACLU associate director Barry Steinhardt. "But the FBI and the Justice Department ... will argue that there's no clear law that prohibits it. And Congress needs to put some real limits on what law enforcement can do."
  http://www.linuxsecurity.com/articles/privacy_article-1115.html

* 'Carnivore' Eats Your Privacy
  July 13th, 2000

  "An FBI surveillance system called Carnivore is alarming privacy advocates and some members of Congress. Agents typically install the specialized computer on the networks of Internet providers, where it intercepts all communications and records sent to or from the target of an investigation, the Wall Street Journal reported on Tuesday."
  http://www.linuxsecurity.com/articles/privacy_article-1114.html

* ISPs bite back at Carnivore
  July 13th, 2000

  Internet-service providers and privacy advocates are concerned about the implications of a new electronic surveillance system devised by the Federal Bureau of Investigation, with some providers vowing to resist if they are asked to install it on their networks.
  http://www.linuxsecurity.com/articles/privacy_article-1119.html

* Websites Facing 'Privacy Storm'
  July 13th, 2000

  Members of the Internet Advertising Bureau met Wednesday for a privacy forum where a quartet of industry players fired a warning shot at Web companies. The message: People are worried, politicians are aware of it, and laws are coming. So, be ready.
  http://www.linuxsecurity.com/articles/privacy_article-1123.html

* FBI's system to covertly search e-mail raises privacy, legal issues
  July 11th, 2000

  The U.S. Federal Bureau of Investigation is using a superfast system called Carnivore to covertly search e-mails for messages from criminal suspects. Essentially a personal computer stuffed with specialized software, Carnivore represents a new twist in the federal government's fight to sustain its snooping powers in the Internet age.
  http://www.linuxsecurity.com/articles/privacy_article-1102.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------