Linux Security Week: April 11th 2005

In Cambridge, Mass., not too far from the Charles River, which cuts near Harvard and M.I.T., David Pearson is attempting to build an un-hackable network.

news/cryptography/the-hacker-proof-network

In most notebooks the hard disk can be protected against unauthorized access with the aid of a password. Without it the disk, even went inserted into another computer, cannot be made to divulge its data. This security function has meanwhile become a feature of almost all 3.5" ATA hard disks and presents a full-blown security loophole.

I hadn't actually noticed the Security Innovation study comparing the frequency of reported security problems in the Windows and open source web application server stacks. These kinds of surveys and tests are pretty easily manipulated. But since eSchool News has an article on the matter, I might as well weigh in.

If you're interested in this matter at all, you should go straight to the primary source material: the Red Hat and Microsoft security advisories. Your milage may vary, but my scans of the two lists shows a lot of Red Hat fixes that are mostly irrelevant to my simple web server, unless I've given lots of untrustworthy and industriously malicious people shell access to log in to the server. On the other hand, I see lots more references to "remote code execution" on the Microsoft site, which is what I'm really afraid of when I'm exposing a server to the internet.

When a hacker broke into the network at George Mason University (VA) earlier this year, IT officials were absolutely powerless to stop him. Within minutes, the hacker compromised the school’s main Windows 2000 server and gained access to information that included names, Social Security numbers, university identification numbers, and even photographs of almost everyone on campus. Next, he poked around for a back door into other GMU servers that store information such as student grades, financial aid, and payroll.

news/network-security/hack-job

Hacker tools are growing more sophisticated and automated. Hackers can now quickly adapt to new security vulnerabilities as they are uncovered and distribute the fruits of their exploits more widely with the help of automated toolkits. And they're employing an ever-increasing range of methods to find individuals' and companies' private information and use it to their own advantage.

And yet many of us have a false sense of security about our own data and networks. We install a firewall at the perimeter, put anti-virus and anti-spyware tools on our desktops, and use encryption to send and store data. Microsoft and the big security companies provide ever-improving tools and patches to protect us. Although others who are less careful might be at risk, we're safe, right?

news/network-security/7-myths-about-network-security

Around 22:30 GMT on March 3, 2005 the SANS Internet Storm Center began receiving reports from multiple sites about DNS cache poisoning attacks that were redirecting users to websites hosting malware. As the "Handler on Duty" for March 4, I began investigating the incident over the course of the following hours and days. This report is intended to provide useful details about this incident to the community.

The initial reports showed solid evidence of DNS cache poisoning, but there also seemed to be a spyware/adware/malware component at work. After complete analysis, the attack involved several different technologies: dynamic DNS, DNS cache poisoning, a bug in Symantec firewall/gateway products, default settings on Windows NT4/2000, spyware/adware, and a compromise of at least 5 UNIX webservers. We received information the attack may have started as early as Feb. 22, 2005 but probably only affected a small number of people.

news/network-security/sans-tracking-active-dns-cache-poisonings

DNSSEC, which stands for DNS Security Extensions, is a method by which DNS servers can verify that DNS data is coming from the correct place, and that the response is unadulterated. In this article we will discuss what DNSSEC can and cannot do, and then show a simple ISC Bind 9.3.x configuration example.

news/network-security/dnssec-what-is-it-good-for

The InfoCon is currently set at yellow in response to the DNS cache poisoning issues that we have been reporting on for the last several days. We originally went to yellow because we were uncertain of the mechanisms that allowed seemingly "secure" systems to be vulnerable to this issue. Now that we have a better handle on the mechanisms, WE WANT TO GET THE ATTENTION OF ISPs AND ANY OTHERS WHO RUN DNS SERVERS THAT MAY ACT AS FORWARDS FOR DOWNSTREAM Microsoft DNS SYSTEMS. If you are running BIND, please consider updating to Version 9.

news/network-security/dns-cache-poisoning-update

In a meeting with an engineer (Jonathan Hogue) from a security company called Okena (recently acquired by Cisco), I was introduced to the concept of the five Ps. Hogue graciously gave me the presentation slide and I use it all the time. There are a lot of models of how an attack progresses, but this is the best I've seen. These five steps follow an attack's progression whether the attack is sourced from a person or an automated worm or script. We will concentrate on the Probe and Penetrate phases here, since these are the stages that Snort monitors. Hopefully, the attacker won't get past these phases without being noticed. The five Ps are Probe, Penetrate, Persist, Propagate, and Paralyze.

When we turn our minds to matters of e-security, our first thoughts tend to be about defenses such as firewalls and intrusion detection. And rightly so. After all, there is much wisdom in the pursuit of prevention before cure. But, what happens when our defenses are breached? How should we respond to such an incident?

Enterprise Linux users should update their installations of XFree86 to remedy several security holes, some of which could allow attackers to take over a system. According to an advisory released by Red Hat affected operating systems include Enterprise Linux AS 3, Enterprise Linux ES 3 and Enterprise Linux WS 3.

news/server-security/red-hat-patches-security-flaw

Microsoft's efforts to improve the security of Windows have paid off, leading to significant improvements in patch management and other areas, according to executives from North American companies surveyed by Yankee Group. The Linux-Windows 2005 TCO Comparison Survey, to be published in full in June, is based on responses from 509 companies of all sizes in markets such as healthcare, academia, financial services, legal, media, retail and government, Yankee Group said this week.

news/server-security/linux-still-seen-as-most-secure

Red Hat is warning enterprise Linux users to update their installations of XFree86 to fix a number of serious security bugs, some of which could allow attackers to take over a system.

The affected operating systems include Enterprise Linux AS 3, Enterprise Linux ES 3 and Enterprise Linux WS 3, Red Hat said in an advisory.

news/vendors-products/red-hat-patches-critical-hole

A flaw has been discovered in the popular open-source browser Firefox that could expose sensitive information stored in memory, Secunia has warned.

Firefox versions 1.0.1 and 1.0.2 contain the vulnerability, the security information company said in an advisory on Monday. The flaw stems from an error in the JavaScript engine that can expose arbitrary amounts of heap memory after the end of a JavaScript string. As a result, an exploit may disclose sensitive information in the memory, Secunia said.

news/vendors-products/flaw-found-in-firefox

Publicity surrounding the JavaScript flaw shows “the open source system is working,