+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  July 24, 2000                             Volume 1, Number 13      |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin Thomas         ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security
newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security
headlines and system advisories.

This week, advisories for the nfs-utils vulnerability were released. 
Although there are currently no known exploits for this bug, in theory, 
it can be used for gaining root access remotely.  Advisories for nkitb, 
LISTSERV, wu-ftpd, gpm, and dhcp were also released.  

In the news, a paper titled "Deploying Portsentry" provides a step-by-step
guide to setting up the popular port-scan detection package, Portsentry.
The paper explains how to configure the portsentry.conf file, advanced
stealth options, advanced_exclude response options, and how to configure
external commands (retaliation scripts).  If you have not installed
portsentry, you may want to consider obtaining it.

https://www.psionic.com/abacus/portsentry/

Our feature this week, "Advanced Access Control with the Trustees Project,"
by Dave Wreski, is an interview with Slava Zavadsky regarding the work
his organization has done.  The Linux Trustees Project is an effort to 
create improved access control and advanced file permission management 
similar to other operating systems.

https://www.linuxsecurity.com/feature_stories/feature_story-60.html

Our sponsor this week is WebTrends. Their Security Analyzer has the most
vulnerability tests available for Red Hat & VA Linux. It uses advanced
agent-based technology, enabling you to scan your Linux servers from your
Windows NT/2000 console and protect them against potential threats. Now
with over 1,000 tests available.
 
https://www.webtrends.com/redirect/linuxsecurity1.htm 
 
HTML Version Available:
https://www.linuxsecurity.com/newsletter.html
 

---------------------
Advisories This Week:
---------------------

* Mandrake: dhcp vulnerability
July 22nd, 2000

All versions of the ISC DHCP client program, dhclient, are vulnerable
to a root attack by a corrupt DHCP server.  This version fixes the
vulnerability. Versions of Linux Mandrake prior to 7.0, while
including the ISC DHCP server, do not include the DHCP client and are
therefore not subject to this vulnerability.  

https://www.linuxsecurity.com/advisories/mandrake_advisory-573.html


* RedHat: Updated PAM packages are available
July 22nd, 2000

Workstations running a display manager may potentially allow remote
users to access console devices.

https://www.linuxsecurity.com/advisories/redhat_advisory-574.html


* RedHat: UPDATE: nfs-utils vulnerability
July 21st, 2000

The rpc.statd daemon shipped in Red Hat Linux 6.0, 6.1, and 6.2 
contains a flaw that could lead to a remote root break-in.  Version
0.1.9.1 of the nfs-utils package corrects the problem. Although there
is no known exploit for the flaw in rpc.statd, Red Hat urges all
users running rpc.statd to upgrade to the new nfs-utils package.    

https://www.linuxsecurity.com/advisories/redhat_advisory-572.html


* Caldera: DoS in gpm
July 20th, 2000

There are security problems within gpm (General Purpose Mouse support
daemon) which allow removal of system files and also exhibit a local
denial of service attack.  

https://www.linuxsecurity.com/advisories/caldera_advisory-571.html


* Caldera: rpc.statd information
July 19th, 2000

Recently, a vulnerability was discovered in the rpc.statd server,
which can be used to obtain root privilege remotely.  rpc.statd
should not be confused with rpc.rstatd. The former implements the
Network Status Monitor protocol, which is used by the NFS locking
functionality. The latter allows remote clients to query a host's
statistics (such as load average etc). 

https://www.linuxsecurity.com/advisories/caldera_advisory-569.html


* Mandrake: nfs-utils vulnerability
July 19th, 2000

A bug recently discovered in the nfs-utils package can theoretically
be used for gaining remote root access.  While there are currently no
known exploits for this bug, we recommend upgrading to the latest
version which fixes the bug.  

https://www.linuxsecurity.com/advisories/mandrake_advisory-568.html


* TurboLinux: wu-ftpd-2.6.0 and earlier
July 19th, 2000

A buffer overrun exists in wu-ftpd versions prior to 2.6.1. Due to
improper  bounds checking, SITE EXEC may enable remote root
execution, without having  any local user account required.  

https://www.linuxsecurity.com/advisories/turbolinux_advisory-570.html


* Trustix: nfs-utils vulnerability
July 18th, 2000

A bug recently discovered in the nfs-utils package can theoretically
be  used for gaining remote root. While there is currently no known
exploits  for this hole "in the wild", we suggest that all users of
Trustix Secure Linux 1.0x and 1.1 upgrade.  

https://www.linuxsecurity.com/advisories/other_advisory-566.html


* Mandrake: usermode vulnerability
July 18th, 2000

A bug existed in the usermode package that permitted users to reboot
or halt the system without having root access. This update removes
those files associated with allowing users access to reboot,
shutdown, halt, or poweroff the system.  

https://www.linuxsecurity.com/advisories/mandrake_advisory-567.html


* LISTSERV web archive remote overflow
July 18th, 2000

The L-Soft LISTSERV web archive (wa,wa.exe) component contains an
unchecked buffer allowing remote execution of arbitrary code with the
privileges of the LISTSERV daemon.  

https://www.linuxsecurity.com/advisories/other_advisory-565.html


* Stalker CommuniGate Pro vulnerability
July 18th, 2000

CommuniGate provides a useful mapping to access the Web User Guide,
which  maps the URL /Guide/ to a directory in the CommuniGate sub
tree.  The  built-in web server suffers of the well-known "../.." web
server problem.  If we request a document from the administrative web
server /Guide/ mapping,  using the "../.." technique, we get to see
the file contents

https://www.linuxsecurity.com/advisories/other_advisory-564.html


* RedHat: Updated package for nfs-utils available
July 17th, 2000

The rpc.statd daemon in the nfs-utils package shipped in Red Hat
Linux 6.0, 6.1, and 6.2 contains a flaw that could lead to a remote
root break-in. 

https://www.linuxsecurity.com/advisories/redhat_advisory-562.html


* SuSE: nkitb vulnerability
July 17th, 2000

It may be possible for an attacker to modify his/her DNS record to
execute abitrary machine code as root while connecting to the
standard ftp daemon.

https://www.linuxsecurity.com/advisories/suse_advisory-561.html


* Conectiva: nfs-utils vulnerability
July 17th, 2000

There is a problem in the nfs-utils packag that could lead to a
remote root exploit.  

https://www.linuxsecurity.com/advisories/other_advisory-563.html


-----------------------
Top Articles This Week:
-----------------------

Host Security News:
-------------------

* Deploying Portsentry
July 21st, 2000

And then it dawned on me that by simply scanning subnets your 
average script kiddie didn't need to know what my site was all about
at all. He or she could just scan en masse for open ports and an easy
way in and then plant a root kit for laughs or turn my machine into
a spam forwarding station. I got a copy of SATAN  and ran it against
my own site. I was astonished. Every port, that  could be, was open
and identifiable to anyone on the internet.

https://www.linuxsecurity.com/articles/host_security_article-1181.html


* Tech View: How 'buffer overflow' attacks work
July 20th, 2000

A "buffer overflow" attack deliberately enters more data  than a
program was written to handle. The extra data, "overflowing" the
region of memory set aside to accept  it, overwrites another region
of memory that was meant  to hold some of the program's instructions.
The values  thus introduced become new instructions that give the 
attacker control of the target computer. 

https://www.linuxsecurity.com/articles/server_security_article-1175.html


* Maximizing Apache Server Security
July 19th, 2000

An extensive article on Apache security.  However, does "free" come
at a price when it  comes to security? It doesn't have to. The
diligent  network manager will quickly recognize the advantages  of
choosing a platform that is field-tested on more than  six million
Web servers and runs on 17 operating  systems.

https://www.linuxsecurity.com/articles/server_security_article-1167.html


Network Security News:
----------------------

* Why Do I Have to Tighten Security on My System?
July 20th, 2000

Again and again, when considering system security, people tell me, "I
already patch my system." I try to explain to them, as I will here,
why they're still vulnerable, even if they patch and read BugTraq
regularly. 

https://www.linuxsecurity.com/articles/host_security_article-1168.html


* Security guru: Napster a security risk
July 20th, 2000

Corporate networks that allow Napster  downloads are sitting ducks
for hackers, says  one network security expert. "We call it risky
Internet behavior," says Chris Rouland,  director of research at
Atlanta-based Internet Security  Systems Inc., a leading computer
security firm.  

https://www.linuxsecurity.com/articles/host_security_article-1174.html


* Secure Directory Services for E-Business, Part 3
July 19th, 2000

The threats to a directory are many, and if appropriate safeguards
are not maintained, a company may not even know when a directory has
been compromised. The primary threats include theft, destruction and
alteration of information (including user privileges.)

https://www.linuxsecurity.com/articles/network_security_article-1166.html


* IPSec - We've Got a Ways to Go
July 19th, 2000

IPSec, supposedly the next great thing that will fix most (if not
all) our network security problems. No longer will attackers be able
to sniff network traffic, hijack connections or spoof servers.
Hijacking domain names will be impossible with DNSSEC, and
redirecting people to fake Websites will be a thing of the past. Or
will it? There are currently a lot of problems and shortcomings with
IPSec that prevent the majority of network traffic from being
encrypted. 

https://www.linuxsecurity.com/articles/network_security_article-1160.html


* RootPrompt: My experience with being cracked
July 19th, 2000

I emailed my findings to the systems admin and the owner of the ISP,
including the backdoor password and how to use it, with the
suggestion that they should backup everything, wipe the machine, and
load a current version of Red Hat (6.0 at the time) with the latest
patches. They replied that they would look into it."  

https://www.linuxsecurity.com/articles/host_security_article-1163.html


* ADSL fundamentally insecure - BT
July 18th, 2000

The head of broadband services at BT has acknowledged that its
implementation of ADSL lacks security and it will be up to third
parties to ensure customers' data is unhackable.   Chris Gibbs, who
is masterminding the introduction of ADSL in the UK for BT, said that
the use of a fixed IP address in the implementation it expects to
roll out early next year, meant that unless steps were taken by its
third-party resellers, data on users' PCs could be accessed by
hackers. 

https://www.linuxsecurity.com/articles/network_security_article-1151.html



Cryptography News:
------------------

* Encryption export policies updated
July 17th, 2000

The United States on Monday announced an update to its encryption
export policy affecting companies that sell encryption software to
users in the 15 European Union nations and in eight other countries
that are U.S. allies. 

https://www.linuxsecurity.com/articles/cryptography_article-1150.html


* Administration Announces New Encryption Regulations
July 17th, 2000

The Clinton administration today said it plans to change laws
governing the export of powerful encryption technologies to allow
export of all information-scrambling products to any end user in the
European Union and to eight other trading partners. 

https://www.linuxsecurity.com/articles/government_article-1143.html



Vendor/Product/Tools News:
--------------------------

* Check Point surpasses results, sees gains
July 21st, 2000

Surging demand for secure Internet connections helped online security
company Check Point Software Technologies Ltd. (CHKP.O) more than
double its earnings in the latest quarter, beating forecasts, the
company said on Wednesday. 

https://www.linuxsecurity.com/articles/vendors_products_article-1177.html


* Biometrics Meet Wireless Internet
July 19th, 2000

Identix Inc. - a Motorola Inc.-funded maker of fingerprint
identification devices - last week launched a division that will
offer biometric authentication services to wireless and Internet
service providers.  The technology will allow customers of wireless
services and products to authenticate their identities when
conducting electronic transactions, according to Identix.  

https://www.linuxsecurity.com/articles/vendors_products_article-1162.html


* Signing Up to Be Surveilled
July 18th, 2000

One company is making it easier for folks to "track" anyone, by
allowing them to pull up a map of the person's location on a personal
digital assistant (PDA) or computer.  Fleet Tracking lets businesses
such as taxi companies and delivery services  keep tabs on their
employees. L411, a consumer-oriented directory assistance, allows
subscribers to call switchboard operators who can view a map and
identify where a call is being made from.

https://www.linuxsecurity.com/articles/privacy_article-1152.html



General News:
-------------

* Banning secret workplace snooping
July 21st, 2000

A group of bipartisan  lawmakers introduced a bill today that would
ban  companies from secretly monitoring employees'  electronic
communications. The bill wouldn't  prohibit companies from snooping,
but would  require them to disclose their monitoring practices to
employees when they are hired and to update  them on an annual basis.

https://www.linuxsecurity.com/articles/privacy_article-1182.html


* Fighting a losing battle on the front lines of security
July 20th, 2000

You sacrifice convenience for security and security for convenience.
For which goal was your computer  network built? In the realm of
human endeavor, there is usually a simple logic applied to the
process of building things. This logic is seen in the way houses,
computers, a even cans of mandarin oranges are built. 

https://www.linuxsecurity.com/articles/general_article-1173.html


* .comment: Service Security -- Where Is It?
July 19th, 2000

I have a bone to pick with most, maybe all, Linux distributors: Why
in  the world do they ship such security nightmares?   To their
credit, many stay on top of security issues, sending urgent  messages
to registered users and mailing list subscribers when a  potential
security exploit is found in a particular package, along with 
workarounds, updated packages, or both.

https://www.linuxsecurity.com/articles/general_article-1165.html


* ACLU Requests Source to 'Carnivore'
July 19th, 2000

In what may be the first request of its kind, the American Civil
Liberties Union is  asking the Federal Bureau of Investigation to
disclose the computer source code and other technical  details about
its new Internet wiretapping programs.  (Carnivore)

https://www.linuxsecurity.com/articles/privacy_article-1164.html


* How to be stupid by mutual agreement
July 18th, 2000

A reader was somewhat surprised by his ISP's apparent disregard for
security when he received an email requesting his username and
password.   The request came as part of an update email from
themutual.net, telling him what news features had been added, what
its "partners" could offer them and why themutual.net was the only
ISP he should even consider. Fair enough. 

https://www.linuxsecurity.com/articles/privacy_article-1155.html


* EarthLink claims Carnivore can cause technical problems
July 17th, 2000

Saying it could cause technical problems and bring part of its system
down, EarthLink Inc., one of the country's largest Internet service
providers (ISPs), has reportedly refused to install a new FBI
electronic surveillance device on its network. 

https://www.linuxsecurity.com/articles/privacy_article-1138.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------