This week, perhaps the most interesting articles include "," "," " and "."


Internet Productivity Suite: Open Source Security - Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design.

LINUX ADVISORY WATCH - Happy Holidays! This week, advisories were released for cscope, htget, a2ps, ethereal, xzgv, debmake, xcdroast, udev, cups, postgresql, namazu, pam, samba, glibc, krb5, php, gnumeric, abiword, libtiff, kfax, abcm2ps, phpMyAdmin, WordPress, NASM, mplayer, mpg123, wget, urpmi, aspell, krb5, logcheck, samba, Linux kernel, kerberos5, libxml, gd, XFree86, and nfs-utils. The distributors include Debian, Fedora, Gentoo, Mandrake, NetBSD, Trustix, Red Hat, and SuSE.

LinuxSecurity.com Features:

State of Linux Security 2004 - In 2004, security continued to be a major concern. The beginning of the year was plagued with several kernel flaws, and Linux vendor advisories continue to be released at an ever-increasing rate. This year, we have seen reports touting Windows' security superiority, only to be debunked by other security experts immediately after release. Also, Guardian Digital launched the new LinuxSecurity.com, users continue to be targeted by automated attacks, and the need for security awareness and education continues to rise.

Vincenzo Ciaglia Speaks Security 2004 - Vincenzo Ciaglia of Linux Netwosix talks about this year of Linux Security. A full immersion in the world of Linux Security from many sides and points of view.

Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital's multi-faceted security applications. More than just an email firewall, on-demand and scheduled scanning detects and disinfects viruses found on the network.

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe, send an e-mail to the list address with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


The Linux Year
24th, December, 2004
The year of the penguin, some people hailed 2004 at the turn of the year. And in many ways it was. Was it because the march on the server space continued at a relentless pace? Because there were big announcements around desktop installments? Because there was finally some realistic perspective about the threat from SCO, or the threat to Microsoft? However you look at it, the penguin's tux has never looked more pristine or ready for business. So here we'll take a stroll through the last 12 months that sharpened the creases and quickened the pace of the Linux-based platforms.

Adding strong security from day one
22nd, December, 2004
Adding security to constrained devices is not an easy task for developers who need to accommodate a range of new features without compromising usability. Experience has shown that building security in at the design stage yields better results from a security and performance perspective. Therein lies the challenge. It's no secret that most cryptographic systems are computationally taxing. Such is not the case with Elliptic Curve Cryptography, or ECC, which has the most strength per bit of any known public key system today and consequently is ideally suited for resource-constrained devices.

LDAP Server Administration with GOsa
20th, December, 2004
A flaw in two popular Unix and Linux administration consoles could lead to systems being compromised, according to an alert from security firm Secunia. The bug in Usermin, a widely used administration console for Unix and Linux, could allow the introduction of rogue shell code when a user views a particular e-mail via the web.

Survivor's Guide to 2005: Security
20th, December, 2004

Intrusion detection systems--the primary source of warnings that attacks are under way--are critical pieces of network-security infrastructure, providing detailed records of attacks, intrusions and unexpected network activity. For most enterprises, the IDS has become the central piece of security hardware, certainly the most visible piece to the staff. Without an IDS, the security staff must gather forensics information from firewall, server and router log files.

Linux Advisory Watch - December 24th 2004
23rd, December, 2004
Happy Holidays! This week, advisories were released for cscope, htget, a2ps, ethereal, xzgv, debmake, xcdroast, udev, cups, postgresql, namazu, pam, samba, glibc, krb5, php, gnumeric, abiword, libtiff, kfax, abcm2ps, phpMyAdmin, WordPress, NASM, mplayer, mpg123, wget, urpmi, aspell, krb5, logcheck, samba, Linux kernel, kerberos5, libxml, gd, XFree86, and nfs-utils. The distributors include Debian, Fedora, Gentoo, Mandrake, NetBSD, Trustix, Red Hat, and SuSE.

GPL to get a makeover
23rd, December, 2004

The General Public License hasn't had a proper update for 13 years, and it's starting to show its age. It looks set to be updated though, to ensure it's more in tune with today's software models and potential legal battles.

Security Flaw Found In Multiple Linux Distro
23rd, December, 2004
iDEFENSE has discovered a flaw in Xpdf, an open-source viewer for Portable Document Format (PDF) files included in most Linux distros. iDEFENSE has confirmed the existence of this vulnerability in version 3.00 of xpdf. It is suspected that previous versions may also be vulnerable. Remote exploitation of the buffer overflow vulnerability in the xpdf PDF viewer could allow attackers to execute arbitrary code as the user viewing a PDF file.

Special Report: Database Security
24th, December, 2004

Databases control most of the business world's valuable information. Pick a vital application--credit-card processing, EDI, financial analysis, just-in-time production--and you'll find a database under it.

Know Your Enemy: Trends
22nd, December, 2004
New Honeynet Project KYE paper released "Know Your Enemy: Trends". This paper documents how the life expectancy of unpatched or vulnerable deployments of common Linux systems has increased from 3 days to 3 months. This is surprising based on the increase of malicious activity seen in the past 18 months.

Tools Block Code-Busting Crooks
20th, December, 2004

The concept of adding security to the coding phase of application development is catching on, with new companies delivering tools to help developers test for vulnerabilities early in the process.

Why Your Data Is At Risk
21st, December, 2004
Your data is vulnerable no matter where it resides. While most companies take security precautions, many of those precautions turn out to be insufficient to protect valuable corporate assets. The key lies in knowing where vulnerabilities exist and making appropriate risk-based decisions.

Security Starts from the Inside Out
21st, December, 2004

Patrick Angle, 34, was charged with intentionally damaging a protected computer. The charge alleged that Angle, who had worked for Varian, had become disgruntled with his employment by September 2003 and had been told by the company that his employment contract would be terminated in October of that same year.

Defacement Of Indian Websites On The Rise
24th, December, 2004

The Indian Computer Emergency Response Team (CERT-In) has compiled a report describing how, with the global rise in cyber terrorism activity, Indian websites too have come under fire from attackers, some of them opportunists and others targeting specific sites and domains.

Linux holds out against attackers
24th, December, 2004

A recent 'honeynet' experiment showed that unpatched Linux systems held up for an average of three months before succumbing to Internet-based attacks.

How ITIL Can Improve Information Security
24th, December, 2004

ITIL - the Information Technology Infrastructure Library - is a set of best practices and guidelines that define an integrated, process-based approach for managing information technology services. ITIL can be applied across almost every type of IT environment.

Linux lasting longer against Net attacks
24th, December, 2004
Unpatched Linux systems are surviving longer on the Internet before being compromised, according to a report from the Honeynet Project released this week. The data, from a dozen networks, showed that the average Linux system lasts three months before being compromised, a significant increase from the 72-hour life span of a Linux system in 2001. Unpatched Windows systems continue to be compromised more quickly, sometimes within minutes, the Honeynet Project report stated.

Will 2005 Bring a Safer Internet?
24th, December, 2004
Sometimes writing about security is just too easy. Making predictions about next year is like this in some ways. Let's pick some of the low-hanging fruit early. Even though most spam-tracking companies show that spam already comprises 75 percent or more of all e-mail, that proportion will go up in 2005. We are approaching the situation in which, I have always assumed, users will begin to withdraw from e-mail because it is so unpleasant.

Banks test ID device for online security
24th, December, 2004
For years, banks gave away toasters to people who opened checking accounts; soon they may be distributing a more modern kind of appliance. Responding to an increase in Internet fraud, some banks and brokerage firms plan to begin issuing small devices that would help their customers prove their identities when they log on to online banking, brokerage and bill-payment programs. E*Trade Financial intends to introduce such a product in the first few months of 2005. And U.S. Bancorp says it will test a system, though it has not given a timetable.

Linux in Government: Security Enhanced Linux - The Future is Now
20th, December, 2004
If a must-have, must-know innovation exists for Linux's future viability, you might place all bets on Security Enhanced Linux. Vastly misunderstood and underrated, SELinux provides a marketing differentiator that could carry Linux deep into infrastructures that so far have shown lukewarm acceptance of the open-source operating system. SELinux transforms standard Linux from a cost-effective and secure operating system into a behemoth.

NASA hacker jailed for six months
20th, December, 2004

A US man has been jailed for six months for a 2001 attack on the web systems of space agency NASA which cost $200,000 to fix.

Groups fight Internet wiretap push
24th, December, 2004

Companies and advocacy groups opposed to the FBI's plan to make the Internet more accommodating to covert law enforcement surveillance are sharpening a new argument against the controversial proposal: that law enforcement's Internet spying capabilities are just fine as they are.

Army focuses on cyber protection
24th, December, 2004

A recently issued Army white paper, "Fight the Network," provides a new framework for the Signal Regiment, the service's communications organization, as it changes to support lighter, more mobile warfighting units. Army information technology officials devised the document to help foster a different mind-set for communications personnel in defending and managing the service's networks, said Gordon Van Vleet, public affairs officer for the service's Network Enterprise Technology Command/Ninth Army Signal Command at Fort Huachuca, Ariz. Netcom officials oversee the operation, management and protection of the Army's networks.

Exploits released for new Windows flaws
24th, December, 2004

A Chinese security group has released sample code to exploit two new unpatched flaws in Microsoft Windows. The advisory comes in the week before Christmas, a time when many companies and home users are least prepared to deal with the problems. Security firm Symantec warned its clients of the vulnerabilities on Thursday, after the Chinese company that found the flaws published them to the Internet. One vulnerability, in the operating system's LoadImage function, could enable an attacker to compromise a victim's PC when the computer displays a specially crafted image placed on a Web site or in an e-mail. The other vulnerability, in the Windows Help program, likewise could affect any program that opens a Help file.
