Security

Brief items

Honeytokens

A "honeypot" is a digital system whose purpose is to attract and identify illegal activity. Traditionally, honeypots are sacrificial computers placed on a network. The honeypot system serves no useful purpose; no legitimate user will have any reason to access it. As a result, any accesses which actually happen are likely to be somebody attempting something nasty. The honeypot can thus serve as a sort of early warning system, as well as a laboratory in which cracker techniques can be studied in real time.

A new paper by Lance Spitzner points out that the honeypot concept can be applied in other contexts. One such application is "honeytokens": a piece of information which no legitimate user should ever access or use. An example might be login information placed in a message in a senior manager's mail spool; anybody attempting to actually log in using that information is almost guaranteed to be an attacker. A properly set-up system could initiate a trace and catch the attacker before he gets into something truly useful.

This idea is not particularly new; direct (physical) mail companies have long embedded special addresses in their lists to track the use of those lists, for example. The security community has not, until now, made much use of this technique, however. Properly used, honeytokens could become a valuable part of intrusion detection and other security-related systems. Stolen information may not bite, but it may yet manage to strike back at thieves anyway.
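As an added example (not part of the original LWN item), the login-credential honeytoken described above, worked through in Python: a registry that mints a unique bogus credential for each place it is planted, and a scan over constructed sshd-style auth log lines that alerts on any attempt to use one. The log format and the `svc-` username prefix are assumptions.

```python
import re
import secrets
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Assumed sshd-style auth line format; the sample lines in the test are constructed.
AUTH_LINE = re.compile(
    r"(?:Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)")


@dataclass
class HoneytokenRegistry:
    """Planted login credentials that no legitimate user should ever use."""
    # username -> (sha256 of the password, description of where it was planted)
    tokens: dict = field(default_factory=dict)

    def plant(self, location: str) -> tuple:
        """Create a unique bogus credential to leave in `location` (e.g. a mail spool).
        The username is unique per planting, so a hit also tells you what was read."""
        user = "svc-" + secrets.token_hex(3)
        password = secrets.token_urlsafe(12)
        self.tokens[user] = (hashlib.sha256(password.encode()).hexdigest(), location)
        return user, password

    def check_login(self, user: str, password: Optional[str] = None) -> Optional[str]:
        """Return where `user` was planted if it is a honeytoken, else None.
        Any use at all is an alert; the password only adds confidence."""
        entry = self.tokens.get(user)
        if entry is None:
            return None
        pw_hash, location = entry
        if password is not None and hashlib.sha256(password.encode()).hexdigest() != pw_hash:
            return location + " (username only)"
        return location


def scan_auth_log(lines, registry: HoneytokenRegistry) -> list:
    """Emit one alert per auth log line (accepted or failed) that names a planted user."""
    alerts = []
    for line in lines:
        m = AUTH_LINE.search(line)
        if not m:
            continue
        location = registry.check_login(m["user"])
        if location is not None:
            alerts.append({"user": m["user"], "src": m["src"], "planted_in": location})
    return alerts
```

Because each planted username is unique, an alert identifies both the source address and which mailbox or file the attacker must have read.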

New vulnerabilities

2.4 kernel - several vulnerabilities

Package(s): 2.4 kernel
CVE #(s): CAN-2003-0461 CAN-2003-0462 CAN-2003-0464 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552
Created: July 21, 2003
Updated: December 24, 2003
Description: Several security issues have been discovered affecting the Linux kernel:
  • CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts for serial links. This could be used by a local attacker to infer password lengths and inter-keystroke timings during password entry.

  • CAN-2003-0462: Paul Starzetz discovered a file read race condition existing in the execve() system call, which could cause a local crash.

  • CAN-2003-0464: A recent change in the RPC code set the reuse flag on newly-created sockets. Olaf Kirch noticed that this could allow normal users to bind to UDP ports used for services such as nfsd.

  • CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, allowing local users to gain read access to restricted file descriptors.

  • CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program. This causes the program to fail to change the ownership and permissions of already opened entries.

  • CAN-2003-0550: The STP protocol is known to have no security mechanisms of its own, which could allow attackers to alter the bridge topology. STP is now turned off by default.

  • CAN-2003-0551: STP input processing was lax in its length checking, which could lead to a denial of service.

  • CAN-2003-0552: Jerry Kreuscher discovered that the bridge forwarding table could be spoofed by sending forged packets with bogus source addresses the same as the local host's.
Alerts:
Red Hat RHSA-2003:408-00 kernel 2003-12-19
Gentoo 200308-01 gentoo-sources 2003-08-14
Debian DSA-358-4 linux-kernel-i386 2003-08-13
SuSE SuSE-SA:2003:034 kernel 2003-08-12
Debian DSA-358-2 kernel 2003-08-05
Debian DSA-358-3 kernel 2003-08-04
Debian DSA-358-1 linux-kernel-i386 2003-07-31
EnGarde ESA-20032407-018 kernel 2003-07-24
Red Hat RHSA-2003:238-01 kernel 2003-07-21

fdclone: insecure temporary directory

Package(s): fdclone
CVE #(s): CAN-2003-0596
Created: July 23, 2003
Updated: October 1, 2003
Description: fdclone creates a temporary directory in /tmp as a workspace. However, if this directory already exists, the existing directory is used instead, regardless of its ownership or permissions. This would allow an attacker to gain access to fdclone's temporary files and their contents, or replace them with other files under the attacker's control.
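The fdclone defect beside a hardened version, as an added Python example that is not fdclone's own code: the vulnerable form reuses whatever already exists at the workspace path, while the safe form creates it with mode 0700 and, if it already exists, accepts it only when it is a real directory (not a planted symlink) owned by the current user and closed to other users. Function names and the directory layout are assumptions.

```python
import os
import stat
import tempfile


def vulnerable_workspace(path: str) -> str:
    """The fdclone-style bug: reuse whatever already exists at `path`,
    whoever owns it and whatever its permissions are."""
    os.makedirs(path, exist_ok=True)
    return path


def safe_workspace(path: str) -> str:
    """Create `path` as a private (0700) directory, or verify an existing one.

    Raises PermissionError when the existing entry is not something we can trust:
    a symlink or non-directory, a directory owned by someone else, or a directory
    readable/writable by group or others."""
    try:
        os.mkdir(path, 0o700)          # atomic: fails with EEXIST if anything is there
        return path
    except FileExistsError:
        pass
    st = os.lstat(path)                # lstat: never follow a symlink an attacker planted
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path} exists but is not a directory")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path} is owned by uid {st.st_uid}, not by us")
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise PermissionError(f"{path} is accessible to group or others")
    return path


def fresh_workspace(prefix: str = "fdclone-") -> str:
    """Alternative that sidesteps the problem entirely: a uniquely named,
    freshly created 0700 directory under the system temp dir."""
    return tempfile.mkdtemp(prefix=prefix)


if __name__ == "__main__":
    # Demonstration under a private base directory rather than the shared /tmp.
    base = tempfile.mkdtemp()
    ws = safe_workspace(os.path.join(base, "workspace"))
    print("created", ws, oct(stat.S_IMODE(os.lstat(ws).st_mode)))
```

Creating the directory with `mkdir` and treating "already exists" as a reason to verify (rather than silently reuse) is the whole fix; `mkdtemp` avoids the predictable-name problem as well.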

Alerts:
Debian DSA-352-1 fdclone 2003-07-22

gnupg: gpg setgid

Package(s): gnupg
CVE #(s):
Created: July 21, 2003
Updated: July 23, 2003
Description: gpg needs to be setuid to make use of protected memory space; however, the setgid bit allowed the gpg user to overwrite files owned by the group root.
Alerts:
Gentoo 200307-06 gnupg 2003-07-19

Resources

Linux Security Week

The LinuxSecurity.com Linux Security Week for July 21, 2003 is available.

Page editor: Jonathan Corbet


Copyright © 2003, Eklektix, Inc.