Linux in the news
All in one big page
See also: last week's Security page.
News and EditorialsThe Commonly Accepted Security Practices and Recommendations (CASPR) project. Rob Slade announced his acceptance as the leader of the CASPR Anti-virus Management and Protection discussion group. The group's goal is to document commonly accepted practices and recommendations for anti-virus management and protection.
CASPR is an ambitious project to "document the information security common body of knowledge (CBK) through a series of Commonly Accepted Security Practices and Recommendations." CASPR grew out of Thomas Akin's thinking about how to use the Open Source development model to create a set of recommended practice documents.
Since CASPR was founded in April, 2001, it has attracted contributions from over 450 volunteer Information Security experts. They are looking for group leaders and contributors to prepare papers on a variety of security topics roughly grouped under a dozen CBK domains. Interested readers are encouraged to find out more about volunteering.
Sun appoints Whitfield Diffie as Chief Security Officer. Sun has announced the appointment of Whitfield Diffie as the company's new "Chief Security Officer." Mr. Diffie has been active in cryptography rights for years, and is the inventor of public key encryption. His appointment can be seen as a sign that Sun, perhaps, is getting serious about security issues.
Honeynet looks to sting hackers (Network World Fusion). Network World Fusion News reports on the The Honeynet Project. "A group of 30 computer security researchers who set up inexpensive "fake" networks to observe how hackers behave as they break into them are finding out about new software vulnerabilities and warning the public."
New tool helps hackers evade detection (News.com). News.com covers a program called Fragroute, which can be used to test a network's vulnerabilities. "Some security aficionados posting to the Bugtraq list concentrated on Snort as a program vulnerable to the Fragroute program, but [Dug] Song waved off the implied criticism on the open-source program in his posting. 'Snort, I'd wager, does much better than most,' he wrote, adding that many other proprietary programs are also vulnerable."
Snort 1.7 Named a 2002 Finalist by Network Computing for Well-Connected Award. Sourcefire, Inc. announced that that Snort 1.7 has been awarded finalist status by Network Computing for a 2002 Well-Connected Award in the category of Intrusion Detection Systems. "Snort 1.7 is an open source network IDS that was chosen for its innovative ability to detect a variety of Internet attacks and probes and perform real-time traffic analysis and packet logging on IP networks."
Another OpenSSH vulnerability. An advisory has gone out for another vulnerability in OpenSSH. It could be remotely exploitable, but only under a set of relatively rare conditions: "A buffer overflow exists in OpenSSH's sshd if sshd has been compiled with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file."
Gentoo Linux Security update - exim. Gentoo Linux has released an update for exim. This fixes a security vulnerability that was found which might allow a local attacker to gain elevated priveleges. This affects Gentoo's exim-3.34-r1 and prior packages.
MHonArc script filtering bypass vulnerability. MHonArc v2.5.3 has been released; this release fixes a vulnerability which could allow some HTML tags to be placed in the archive unfiltered. MHonArc is a mail-to-HTML converter which "provides HTML mail archiving with index, mail thread linking, etc; plus other capabilities including support for MIME and powerful user customization features."
A denial of service vulnerabilty in Mosix 1.5.x was reported.
MosiX is an cluster-environment for
Linux. The clumpOS-Mosix client cd is also vulnerable, "the
clumpOS-Mosix Node has also no vnc password set so anyone in the
cluster-network can gain root-access to the affected node. this issue will
be fixed in the next clumpOS Version."
web scripts.The following web scripts were reported to contain vulnerabilities:
Proprietary products.The following proprietary products were reported to contain vulnerabilities:
rsync supplementary groups vulnerability. Ethan Benson reported that rsyncd fails to remove supplementary groups (such as root) from the server process after changing to the specified unprivileged uid and gid. "This seems only serious if rsync is called using "rsync --daemon" from the command line where it will inherit the group of the user starting the server (usually root)." (First LWN report: March 14th, 2002).
This week's updates:
Webalizer DNS server based attach vulnerability. The cause is a buffer overflow bug. This one sounds nasty. If reverse DNS lookups are enabled in webalizer, "an attacker with control over the victims DNS may spoof responses thus triggering a buffer overflow, potentially leading to a root compromise." Webalizer 2.01-10 "fixes this and a few other buglets that have been discovered in the last month or so". (First LWN report: April 18th, 2002).
This week's updates:
Nessus 1.2.0 has been released. "Nessus is a remote security scanner which has been developed since 1998. It is free, open-sourced (GPLed) and updated very regularly (and currently performs over 900 security checks)."
Frédéric Raynal's article on "Howto exploit a remote format bug automatically" was posted by the author to Bugtraq. The article was written "for a French magazine (MISC #2) which main topic is security."
Remote Timing Techniques over TCP/IP is the topic of this paper by Mauro Lacy. The paper "describes remote timing techniques based on TCP/IP intrinsic operation and options."
Upcoming Security Events.
Foundstone Executives Conduct All Day Security Seminar At Networld+Interop. George Kurtz, Foundstone CEO and co-author of "Hacking Linux Exposed" and Stuart McClure, Foundstone President and CTO and lead author of "Hacking Exposed: Network Security Secrets and Solutions" will conduct the session "Hacking Exposed, Live!" on May 6, at Networld+Interop in Las Vegas, Nevada.
HiverCon 2002 call for papers. . The 6th of September is the proposal deadline. HiverCon 2002 will be held 26th-27th November, 2002 at the Hilton Hotel, Dublin, Ireland. "Created to fill the gap of deep knowledge computer security conferences. Aimed at the security concious programmer, admin and consultant, HiverCON avoids introductionary talks to focus on advanced and prominent security topics."
SummerCon 2002 is looking for speakers. The Conference will be held on May 31 and June 1 at the Renaissance Hotel Washington D.C. "Summercon is the oldest and one of the most storied of the computer security conferences. No doubt more history will be made this year. Details about the conference will be posted to the website http://www.summercon.org/ in two weeks."
SEcurity of Communications on the Internet 2002 (SECI'02) has extended the deadline for submitting papers to May 5th. The conference will be held Setpember 19-21, 2002 in Tunis, Tunisia.
For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to firstname.lastname@example.org.
Section Editor: Dennis Tenney
April 25, 2002