+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  June 26, 2000                                Volume 1, Number 9    |
|                                                                     |
|  Editorial Team:  Dave Wreski         dave@linuxsecurity.com        |
|                   Benjamin Thomas     ben@linuxsecurity.com         |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines and system advisories.

Multiple vendors released fixes for the serious wu-ftpd vulnerability. The problem exists in wu-ftpd's handling of the SITE EXEC command. The default configuration of wu-ftpd is vulnerable to remote users gaining root access.

Privacy is an issue that caught the attention of many readers this week. The World Wide Web Consortium debuted the Platform for Privacy Preferences Project (P3P). It is intended to make privacy statements more understandable to users who want to know how the sites they visit use their personal information. An article titled "Pretty Poor Privacy: An Assessment of P3P" examines whether P3P is an effective solution to growing public concerns about online privacy. Additional articles covering this subject are available in the "General News" section of this newsletter.

Another subject for discussion this week is the Simple Object Access Protocol (SOAP). An article titled "Soap could slip up on security" points out the problems with this protocol. The article states, "Microsoft promotes Soap as a means for application developers to get around the 'limitations' security administrators have set in place." This raises a very serious question: is extending the functionality of software worth the extra security risk? Bruce Schneier states, "Soap is going to open up a whole new avenue for security vulnerabilities."
Our feature this week, "Network Intrusion Detection Using Snort," by Dave Wreski and Christopher Pallack, describes the basics of intrusion detection, the steps necessary to configure the "snort" IDS, testing and operation, and how to detect intrusion attempts. It is available at the following URL:

  http://www.linuxsecurity.com/feature_stories/feature_story-49.html

Our sponsor this week is WebTrends. Their Security Analyzer has the most vulnerability tests available for Red Hat & VA Linux. It uses advanced agent-based technology, enabling you to scan your Linux servers from your Windows NT/2000 console and protect them against potential threats. Now with over 1,000 tests available.

  http://www.webtrends.com/redirect/linuxsecurity1.htm

HTML Version Available:
  http://www.linuxsecurity.com/articles/forums_article-963.html


Advisories This Week:
---------------------

June 23rd, 2000 -- Caldera: wu-ftpd vulnerability

  There is a problem in wu-ftpd's handling of the SITE EXEC command that allows remote attackers to gain root access.

  http://www.linuxsecurity.com/advisories/advisory_documents/caldera_advisory-498.html

June 23rd, 2000 -- Debian: remote root exploit

  The version of wu-ftpd distributed in Debian GNU/Linux 2.1 (a.k.a. slink), as well as in the frozen (potato) and unstable (woody) distributions, is vulnerable to a remote root compromise. The default configuration in all current Debian packages prevents the currently available exploits in the case of anonymous access, although local users could still possibly compromise the server.

  http://www.linuxsecurity.com/advisories/advisory_documents/debian_advisory-496.html

June 23rd, 2000 -- RedHat: wu-ftpd update

  Buffer overflow in wu-ftpd 2.6.0 and below fixed. The bug in wu-ftpd can permit remote users, even without an account, to gain root access.
  http://www.linuxsecurity.com/advisories/advisory_documents/redhat_advisory-500.html

June 23rd, 2000 -- Mandrake: Multiple Vulnerabilities

  Updates are available for bind, cdrecord, dump, fdutils, kdesu, xemacs and xlockmore.

  http://www.linuxsecurity.com/advisories/advisory_documents/mandrake_advisory-497.html

June 23rd, 2000 -- Conectiva: wu-ftpd update

  Buffer overflow fixed in wu-ftpd package version 2.6.0 and below. The wu-ftpd package version 2.6.0 and below has a buffer overflow that can be remotely exploited to give an attacker root privileges on the remote machine.

  http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-499.html

June 22nd, 2000 -- FreeBSD: Remote denial-of-service in IP stack

  Remote users can cause a FreeBSD system to panic and reboot. There are several bugs in the processing of IP options in the FreeBSD IP stack, which fail to correctly bounds-check arguments and contain other coding errors leading to the possibility of data corruption and a kernel panic upon reception of certain invalid IP packets.

  http://www.linuxsecurity.com/advisories/advisory_documents/freebsd_advisory-494.html

June 22nd, 2000 -- RedHat PowerTools: Zope Vulnerabilities

  Remote vulnerabilities exist in all Zope-2.0 releases. This hotfix corrects issues with an inadequately protected method in one of the base classes in the DocumentTemplate package that could allow the contents of DTMLDocuments or DTMLMethods to be changed remotely or through DTML code without forcing proper user authorization.

  http://www.linuxsecurity.com/advisories/advisory_documents/redhat_advisory-495.html

June 22nd, 2000 -- NetBSD: libdes vulnerability

  The replacement versions of these functions written during the integration process have a serious bug. If /dev/urandom is not present and functioning correctly, des_init_random_number_generator seeds the random number generator with constant data, causing the generation of keys which are easy to determine.
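The seeding failure the NetBSD advisory describes, shown as an added C illustration (not NetBSD's libdes code): a toy generator is seeded from a device path, once with the fall-back-to-constant-data pattern and once failing closed when the device is unavailable. The xorshift generator, the constant seed value and the device path are assumptions for this demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define KEY_LEN 8 /* a DES key is 8 bytes */

/* Toy xorshift64 generator standing in for the libdes PRNG (an assumption
 * for this demo, not NetBSD's code); the seeding logic is the point. */
static uint64_t prng_state;
static void prng_seed(uint64_t s) { prng_state = s ? s : 0x9E3779B97F4A7C15ULL; }

static uint64_t prng_next(void)
{
    uint64_t x = prng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return prng_state = x;
}

/* Seed from a device such as /dev/urandom; -1 if it is absent or short. */
static int seed_from_device(const char *path)
{
    uint64_t seed = 0;
    FILE *f = fopen(path, "rb");
    if (f == NULL) return -1;
    size_t got = fread(&seed, 1, sizeof seed, f);
    fclose(f);
    if (got != sizeof seed) return -1;
    prng_seed(seed);
    return 0;
}

/* Weak pattern from the advisory: with no usable device, fall back to
 * constant data, so every run yields the same key stream. */
int weak_init_rng(const char *device)
{
    if (seed_from_device(device) != 0)
        prng_seed(0x1234567887654321ULL); /* constant seed */
    return 0; /* the caller is never told */
}

/* Hardened pattern: fail closed rather than fall back. */
int safe_init_rng(const char *device) { return seed_from_device(device); }

void generate_key(unsigned char key[KEY_LEN])
{
    uint64_t r = prng_next();
    memcpy(key, &r, KEY_LEN);
}

/* Initialise twice with the weak routine; returns 1 when the first key of
 * each run is identical, i.e. predictable. */
int weak_keys_repeat(const char *device)
{
    unsigned char k1[KEY_LEN], k2[KEY_LEN];
    weak_init_rng(device);
    generate_key(k1);
    weak_init_rng(device);
    generate_key(k2);
    return memcmp(k1, k2, KEY_LEN) == 0;
}
```

With a missing device, weak_init_rng reports success and every run produces the same key, while safe_init_rng returns -1 so the caller can refuse to generate keys at all.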
  http://www.linuxsecurity.com/advisories/advisory_documents/netbsd_advisory-493.html

June 21st, 2000 -- RedHat: 2.2.16 Kernel Released

  This new kernel release fixes a security hole that could affect any setuid program on the system. In addition, several accumulated fixes are included.

  http://www.linuxsecurity.com/advisories/advisory_documents/redhat_advisory-492.html

June 19th, 2000 -- TurboLinux: kernel vulnerability

  Any local user with an account can use this vulnerability to obtain root privileges by exploiting setuid root applications. Originally this security bug was reported by Sendmail. An unsafe fgets() usage in sendmail's mail.local exposes the setuid() security hole in the Linux kernel. This vulnerability allows local users to obtain root privilege by exploiting setuid root applications.

  http://www.linuxsecurity.com/advisories/advisory_documents/turbolinux_advisory-491.html


Host Security News:
-------------------

Bastille Linux Review
June 20th, 2000

  Bastille Linux has taken on the challenge of securing the often infamously crackable Red Hat distribution with an "after market" hardening script. The developers have stated that "the Bastille Hardening System attempts to `harden' or `tighten' the Linux operating system."

  http://www.linuxsecurity.com/articles/host_security_article-921.html

An Interview with Chris Rouland
June 20th, 2000

  Chris Rouland is the director of X-Force at Internet Security Systems (ISS), a group dedicated to understanding, documenting and coding new vulnerability checks and tests, attack signatures and solutions to global security problems.

  http://www.linuxsecurity.com/articles/general_article-930.html

Trust and the System Administrator
June 19th, 2000

  Noel writes about some things that a System Administrator should consider when configuring or maintaining a system. "One of the first things many of us think about is the trust we give to the users of our systems.
  Some of these users have special privileges so that they can perform their own jobs." They have to walk a fine line between making their systems unusable and leaving them unsecured or unreliable.

  http://www.linuxsecurity.com/articles/network_security_article-912.html


Network Security News:
----------------------

Intel admits wireless security concerns
June 23rd, 2000

  Intel's chief exec admits that the future of wireless and mobile technology is overshadowed by security complications. Speaking at Intel's Wireless Competency Centre in Stockholm this week, managing director Leif Persson acknowledged that hugely complicated wireless environments are causing them serious anxiety.

  http://www.linuxsecurity.com/articles/network_security_article-954.html

Network security threats growing
June 22nd, 2000

  Networks face three vulnerabilities: physical security problems, logical security problems such as computers within a network, and security problems involving people -- all of which should be equally important to businesses, according to a British Telecommunications executive speaking here at InfowarCon Thursday.

  http://www.linuxsecurity.com/articles/network_security_article-947.html

Software Acts As Robotic Hacker
June 22nd, 2000

  The best way to determine if your IT infrastructure is secure is to have a hacker try to break into your corporate systems. Short of that, software that simulates attacks is the next best thing. Wednesday, Sanctum rolled out an automated audit tool that analyzes Web applications, points to security glitches, and provides advice on how to fix any vulnerability.

  http://www.linuxsecurity.com/articles/network_security_article-951.html

Special Report: Privacy on the Internet
June 21st, 2000

  My favorite trade mag has a new look. Here's a good (albeit short) article on network security and privacy. "The Internet is a powerful tool that promises its users many exciting possibilities, including unprecedented access to a vast expanse of information.
  Tacked onto that promise as a sort of afterthought is the realization that the Internet can acquire quite a bit of information about its users."

  http://www.linuxsecurity.com/articles/network_security_article-940.html


Firewall News:
--------------

Dual Protection: New firewalls defend the interior
June 21st, 2000

  The firewall, which has served as the sentry between the outside world of the Internet and the internal agency network, may be moving inside the network perimeter to World Wide Web servers, PCs, modems and silicon chips. Such internal firewalls -- known as distributed firewalls -- are the next line of defense against hackers who breach traditional firewalls by exploiting open ports and e-mail servers.

  http://www.linuxsecurity.com/articles/firewalls_article-932.html

Soap could slip up on security
June 21st, 2000

  Microsoft is championing a protocol for cross-platform communication that can bypass firewall defences and could leave companies open to what experts describe as a fresh class of security vulnerabilities. The Simple Object Access Protocol, or Soap, specifies how to encode an HTTP header and an XML (eXtensible Markup Language) file so that a program in one computer can call a program in another computer and pass it information. It also defines how the called program can return a response.

  http://www.linuxsecurity.com/articles/firewalls_article-936.html

New firewalls defend the interior
June 20th, 2000

  "Such internal firewalls -- known as distributed firewalls -- are the next line of defense against hackers who breach traditional firewalls by exploiting open ports and e-mail servers. Network managers tend to see distributed firewalls as added firepower against hackers."

  http://www.linuxsecurity.com/articles/firewalls_article-931.html

Configuring an Internet Firewall and Home LAN With Linux
June 20th, 2000

  Here is an interesting FAQ that you may want to consider reading. "This FAQ describes basic Linux Ethernet connection and home LAN configuration.
  Particular emphasis is placed on network security and firewall construction."

  http://www.linuxsecurity.com/articles/firewalls_article-918.html


Cryptography News:
------------------

Canadian encryption experts to guard secret U.S. data
June 21st, 2000

  Canada's Kasten Chase has been given the exclusive go-ahead by the U.S. National Security Agency to safeguard top-secret government data, which could make the recent theft of computer hard drives laden with nuclear secrets from Los Alamos National Laboratory a nonissue in the future. Toronto-based Kasten Chase became the first company to be endorsed by the security agency to encrypt the hard drives, not just the data, the company said today.

  http://www.linuxsecurity.com/articles/cryptography_article-942.html

Quantum physics used to create 'unhackable' systems
June 20th, 2000

  Scientists at the Department of Energy's Los Alamos National Laboratory and other research organizations around the world are harnessing the laws of quantum physics to develop what they hope will be impregnable data encryption systems.

  http://www.linuxsecurity.com/articles/cryptography_article-927.html

Encryption Gets Better, but Remains Imperfect
June 19th, 2000

  "There is some outstanding technology available, and in publicly available algorithms," Bauer told Newsbytes after his speech. "The problem isn't that there's no good cryptographic technology available. The problem is that it's fiendishly difficult to implement the technology in a secure fashion."

  http://www.linuxsecurity.com/articles/cryptography_article-913.html


Vendor/Product News:
--------------------

Raven SSL 1.5 for Apache
June 23rd, 2000

  Raven SSL 1.5 for Apache boasts added support for e-commerce. Covalent Technologies, Inc., the leading provider of Apache Web server e-commerce solutions, announced the availability today of the newest version of its security add-on for Apache, Raven SSL 1.5.
  http://www.linuxsecurity.com/articles/vendors_products_article-953.html

WireX Announces the Release of Immunix OS 6.2 and StackGuard 2.0
June 22nd, 2000

  "Immunix" is a family of tools designed to enhance system integrity by hardening system components and platforms against security attacks. The Immunix OS is a Linux platform hardened with the Immunix tool set. Immunix works by hardening existing software components and platforms so that attempts to exploit security vulnerabilities will fail safe, i.e. the compromised process halts instead of giving control to the attacker, and then is restarted.

  http://www.linuxsecurity.com/articles/server_security_article-952.html

Web Group Debuts Privacy Platform Prototype
June 22nd, 2000

  The World Wide Web Consortium debuted a long-awaited technology Wednesday that is intended to give Internet users more control over their personal information. The consortium's interoperability session in New York gave companies and privacy advocates the opportunity to add input to the prototype design of the Platform for Privacy Preferences Project (P3P), which will be available in the coming year. P3P technology makes privacy statements understandable when users want to know how the sites they visit use their personal information.

  http://www.linuxsecurity.com/articles/vendors_products_article-945.html

Trustix releases XPloy
June 22nd, 2000

  Trondheim, Norway. Trustix AS, the leader in eBusiness Systems Management Solution for Linux, today announced its release of the industry's first truly graphical user interface for Linux operating system administration and management.

  http://www.linuxsecurity.com/articles/host_security_article-948.html

IPAudit: Monitor Network Activity
June 21st, 2000

  Here is a tool recently released on Packetstorm. IPAudit listens to a network device in promiscuous mode and records every 'connection', each conversation between two IP addresses.
  A unique connection is determined by the IP addresses of the two machines, the protocol used between them and the port numbers (if they are communicating via UDP or TCP).

  http://www.linuxsecurity.com/articles/intrusion_detection_article-937.html


General News:
-------------

Pretty Poor Privacy: An Assessment of P3P
June 23rd, 2000

  This report examines whether P3P is an effective solution to growing public concerns about online privacy. The report surveys earlier experience with "cookie" technology and notes similarities. The report finds that P3P fails to comply with baseline standards for privacy protection.

  http://www.linuxsecurity.com/articles/projects_article-956.html

New Technology Is Aimed at Increasing Web Privacy
June 22nd, 2000

  More on the P3P standard. Free registration required. Major Internet companies and the Web's standard-setting body on Wednesday unveiled some long-awaited technology that would alert computer users before they visited Web sites that collect more personal information than they are willing to share. Although the new standard, called the Platform for Privacy Preferences, or P3P, was billed as just one step in improving the state of privacy on the Internet, it was immediately denounced by some privacy advocates as a way for companies to avoid increased regulation and a tool that would give consumers a false sense of security.

  http://www.linuxsecurity.com/articles/general_article-949.html

Agencies act to secure the future
June 21st, 2000

  In the charge to protect computer systems against cyberattacks, the National Security Agency and the State Department are two prime examples of agencies that have taken a proactive approach. NSA is one of the federal agencies that have taken the lead in cooperation between government and industry to advance cybersecurity.
  NSA has formed alliances with more than 150 leading IT companies to help identify emerging security solutions and has certified 14 academic institutions as "centers of excellence" in security training, according to John Nagengast, assistant deputy director for information systems security at NSA.

  http://www.linuxsecurity.com/articles/organizations_events_article-933.html

White House backs Web privacy project
June 21st, 2000

  The White House today endorsed a major Internet industry initiative aimed at boosting online privacy by redesigning the way "browsing" software handles personal data. ... P3P is designed to provide an automated way to compare consumers' privacy preferences with the privacy practices of the Web sites they visit. It lets Web sites express their privacy practices in a format that can be retrieved automatically and interpreted easily.

  http://www.linuxsecurity.com/articles/general_article-939.html

Cyberprivacy catches eye of Congress
June 20th, 2000

  After years of piecemeal proposals to safeguard personal information on the Internet, Congress is beginning to seriously address the concept of ''online privacy.'' It is considering an array of legislation that could dramatically increase the rights of consumers who release personal details into cyberspace.

  http://www.linuxsecurity.com/articles/general_article-916.html

Another Industry Group Tackles Online Privacy Problem
June 20th, 2000

  As policy makers and regulators step up their scrutiny of invasive Internet privacy practices, a coalition of high-tech executives and advertising and marketing groups on Monday launched yet another effort to try fixing some of the problems on their own. In full-page newspaper advertisements, the more than 20 companies and groups vowed to work closely with consumers to find privacy solutions that really work.
  http://www.linuxsecurity.com/articles/general_article-920.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email newsletter-request@linuxsecurity.com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------