News and Editorials
Computer Security Insurance. Counterpane Internet Security announced this week its plans to offer a "first-of-its-kind, comprehensive risk management insurance solution". This insurance is offered exclusively to customers of Counterpane, companies whose networks are actively monitored by Counterpane for vulnerabilities and intrusions. It is offered through authorized insurance brokers and backed by Lloyd's of London. Bruce Schneier provided detailed information on the insurance in Bruce Schneier's Crypto-Gram. Monitoring is done via the installation of a Linux server on the network.
PlanetIT picked up the story. They comment that such insurance is available from other companies, but generally requires regular auditing of company security by an outside source. "Regular security audits result in a list of the company's security holes that can be exploited if the list falls into the wrong hands. Moreover, those lists are generated at intervals and the problems must be corrected all at once, while Counterpane offers continuous monitoring and problems can be solved as they come up, Pescatore said."
The interesting thing about computer insurance is that it offers a real model for revenue generation without the reliance on selling commercial security software products. "Install all of our software on your network and you'll be secure" is a litany that you might hear from some security companies. How do you know you're secure as a result? What if you spend all that money and you still aren't secure? Bruce Schneier commented, "I have never believed that simply installing products will ever protect you, and have focused on the process of security."
Offering computer insurance, especially in the model initiated by Counterpane, has no dependence on the use or sale of security products. In fact, Counterpane will have a strong incentive, through the insurance model, to get highly effective monitoring for a minimum price. That makes free software tools a good choice.
Counterpane's offer is unique both to the security industry as a whole and to the fledgling Linux/free software portion of that industry, as they seek compatible revenue models. It will be watched closely, to determine its success, and, presuming such success, is likely to have a permanent impact on the industry.
RSA patent expiration. Several people asked for a confirmation or a date for the expiration of the RSA patent, mentioned in last week's Security Summary. Here is a URL where you can find this information. "RSA is patented under U.S. Patent 4,405,829, filed December 14, 1977, issued September 20, 1983, and held by RSA Security Inc.; the patent expires 17 years after issue (not 20 years after filing) on September 20, 2000."
OpenHack update. The first crack in the OpenHack competition has been reported, with lots of nice, gory details. The piece of software hacked was Mini Vend, a GPL'd, Perl-based package now owned by Akopia. Akopia has already released fixes for the vulnerabilities that allowed the successful hack. Meanwhile, the contest continues, with the Web server, mail server and database as available targets.
Given the political nature of some previous contests ("Is Linux more secure than NT?"), the OpenHack contest has been refreshing so far, focusing primarily on the goal of providing incentive and recognition to the people who spend time and energy to find and report security vulnerabilities.
LinuxSecurity.com interviews Jay Beale. Jay Beale, the Lead Developer of the Bastille Project and author of several articles on Unix/Linux security, is interviewed by LinuxSecurity.com. "Bastille can stop almost every single root grab vulnerability that I know of against Red Hat 6.x. In the case of the well-known BIND remote root vulnerability, we had secured against that one before it was even discovered!"
SecurityFocus provides HOPE 2000 coverage. SecurityFocus has been following this week's H2K / HOPE 2000 conference. Here are a couple of articles that they've published so far:
Updated NFS packages are being issued after a format string vulnerability was found in rpc.statd, part of the NFS package. This is a nasty bug, which could allow a remote root compromise. An upgrade to 0.1.9.1 is required to close the hole.
Daniel Jacobowitz demonstrated the vulnerability and forwarded a "rant" from Chris Evans on this particular vulnerability:
Call the UNIX security model non-granular, and poor, but there's no way you need root to do that.
It's true that it requires a low-port (i.e. privileged) socket to send data on, as a way of gaining the trust of the remote (where remote is often the localhost). However, since it's a connectionless UDP socket, you can launch the daemon as root, grab the socket, and drop root.
Furthermore, the daemon is a prime candidate for chroot()'ing, but this is not done. The above plus a chroot() would limit the severity of this hole to a non-root shell without the ability to raise privilege by exec()'ing any suid-root binaries.
Finally note that rpc.statd is by no means the only daemon guilty of overprivilege like this. The neanderthal "use root" approach of most ftpd's is just asking for remote root trouble. Has no-one heard of distrusting privileged helpers?
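The start-as-root, grab-the-socket, then chroot-and-drop-root pattern Chris Evans describes, as an added example written for this page (it is not rpc.statd's or nfs-utils' code); the jail path, the uid/gid 65534 for "nobody" and the port in the usage sketch are assumptions. The confine() step also verifies that root cannot be regained, which is the check that makes the drop worth anything.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Step 1, done while still root: bind the UDP port the daemon serves on.
 * Ports below 1024 need root; port 0 asks for an ephemeral port and needs
 * none, which lets the example run unprivileged. Returns fd or -1. */
int bind_udp_port(unsigned short port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;   /* keep this fd: it stays bound after root is gone */
}

/* Step 2: confine the daemon. As root: chroot into `jail`, clear the
 * supplementary groups, then drop gid before uid (setuid last, since
 * afterwards nothing privileged is possible). Finally prove the drop is
 * permanent: setuid(0) must now fail. Returns 0 on success, -1 on failure. */
int confine(const char *jail, uid_t uid, gid_t gid) {
    if (geteuid() == 0) {
        if (chroot(jail) < 0 || chdir("/") < 0) return -1;
        if (setgroups(0, NULL) < 0) return -1;
    }
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* root regained: refuse */
    return (geteuid() == uid && getegid() == gid) ? 0 : -1;
}

/* Usage sketch for a daemon started as root (65534 = "nobody" and the
 * jail path are assumptions; the jail should be an empty, root-owned dir;
 * LOW_PORT is whatever privileged port the service uses):
 *   int fd = bind_udp_port(LOW_PORT);
 *   if (fd < 0 || confine("/var/empty", 65534, 65534) < 0) exit(1);
 *   ... serve requests on fd; a bug here now yields a jailed non-root shell ... */
```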
Linux-Mandrake: new usermode packages. Linux-Mandrake reported a bug in usermode that can allow a non-privileged user to halt or reboot a machine. They have provided updated packages to fix the problem.
More ISC DHCP client problems. Pavel Kankovsky took a look at the official package updates for the ISC DHCP client, released in response to reports of a potential root vulnerability (BID 1388). He, in turn, mentioned his concerns that the updated code is still vulnerable. OpenBSD responded, indicating that their fix differed from the official ISC fix and is not vulnerable to the concerns Pavel raised. ISC reports they are currently working on a clean fix.
cvsweb 1.80 shell access vulnerability. Joey Hess reported a vulnerability in cvsweb 1.80 which can allow a user who has been given write access to use that privilege to gain shell access to the CVS host as well.
SuSE security update to nkitb. SuSE has issued a security update to nkitb which fixes a vulnerability in this package, which is installed by default on SuSE systems.
CGI script vulnerabilities.
Commercial products. The following commercial products were reported to contain vulnerabilities:
Kerberos buffer overflow. Check the June 15th Security Summary for details.
Immunix OS 6.2 released. Immunix OS 6.2 has been released. Based on Red Hat 6.2, all source-available programs have been recompiled with the StackGuard compiler. "The result is a system that is compatible with Red Hat Linux, but is protected against a majority of all Internet security attacks".
July 15th Crypto-Gram. The latest issue of Bruce Schneier's Crypto-Gram is now available. The feature article this month tackles the issue of Unicode security. As the number of potential input characters expands from 256 to 65536 and beyond, the difficulty of preventing input validation attacks will expand with it. "Unicode is just too complex to ever be secure."
ToorCon Computer Security Expo. The ToorCon Computer Security Expo will be held Labor Day weekend, September 1-3, 2000, in San Diego, California, USA.
Biometric Consortium 2000. Stephen Walker will be delivering the opening address at the upcoming Biometric Consortium 2000, scheduled for September 13 and 14, 2000, in Gaithersburg, MD, USA.
July/August security events.
Section Editor: Liz Coolbaugh
July 20, 2000