Linux Security Week, August 7, 2000

[InfoSec News <isn () C4I ORG>]

+---------------------------------------------------------------------+
|  LinuxSecurity.com                        Weekly Newsletter         |
|  August 7, 2000                           Volume 1, Number 15       |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave () linuxsecurity com    |
|                   Benjamin Thomas         ben () linuxsecurity com     |
|  Written By:      Chris Parker            cparker () linuxsecurity com |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines and system
advisories.

Our feature for this week, "Carnivore and Privacy: An Oxymoron?" is an
article discussing the US and UK governments want to install a device on
public networks to monitor traffic for suspected criminal activities by
Chris Parker. The article discusses both FBI's Carnivore email
surveillance system and the RIP Bill that has recently been passed in the
UK.

http://www.linuxsecurity.com/feature_stories/feature_story-63.html

Our sponsor this week is WebTrends. Their Security Analyzer has the most
vulnerability tests available for Red Hat & VA Linux. It uses advanced
agent-based technology, enabling you to scan your Linux servers from your
Windows NT/2000 console and protect them against potential threats. Now
with over 1,000 tests available.

http://www.webtrends.com/redirect/linuxsecurity1.htm

HTML Version Available:
http://www.linuxsecurity.com/newsletter.html

---------------------
Advisories This Week:
---------------------

* Debian: mailman vulnerability
August 6th, 2000

Former versions of mailman v2.0 came with a security problem, introduced
during the 2.0 beta cycle, that could be exploited by clever local users
to gain group mailman permission.  No exploit does exist at the moment,
though.

http://www.linuxsecurity.com/advisories/debian_advisory-599.html


* SuSE: Misc Security Info
August 4th, 2000

This advisory contains information on the status of several outstanding
potential security vulnerabilities present in SuSE Linux. Including:
netscape, knfsd, system user account nobody, pam_console, gpm, openldap,
and mailman

http://www.linuxsecurity.com/advisories/suse_advisory-598.html


* RedHat: mailman vulnerability
August 3rd, 2000

New mailman packages are available which close security holes present in
earlier versions of mailman.  All sites using the mailman mailing list
management software should upgrade.

http://www.linuxsecurity.com/advisories/redhat_advisory-597.html

* Mandrake: mailman
August 3rd, 2000

The wrapper program supplied with the mailman package has a format
bug which could be exploited to obtain the privileges of the mailman
user which has read and write access to all files mailman uses.  This
vulnerability can only be exploited by root users with shell access.

http://www.linuxsecurity.com/advisories/mandrake_advisory-596.html


* Mandrake: pam vulnerability
August 2nd, 2000

There is a problem with the pam_console module that incorrectly
identifies remote X logins for displays other than :0 (for example,
:1, :2, etc.) as being local displays, thus giving control of the
console to the remote user.  Because the remote user has control of
the console they are able to issue commands to reboot the remote
system after providing their password.  Please note that this
vulnerability is only exploitable if the system is running a
graphical login manager like gdm, kdm, or xdm and if XDMCP is enabled
and remote access is granted. Users are highly recommended to upgrade
to this version which fixes the exploit (thanks to RedHat).

http://www.linuxsecurity.com/advisories/mandrake_advisory-593.html


* Conectiva: mailman vulnerability
August 2nd, 2000

The wrapper program supplied with the mailman package has a format
bug which could be exploited to obtain the privileges of the mailman
user. This user has read and write access to all files of the mailman
package. Note that this vulnerability can only be exploited by local
users with shell access.

http://www.linuxsecurity.com/advisories/other_advisory-595.html


* Mandrake: kon2 vulnerability
August 2nd, 2000

There is a vulnerable suid program called fld.  This program accepts
option input from a text file and it is possible to input arbitrary
code into the stack, thus spawning a root shell.

http://www.linuxsecurity.com/advisories/mandrake_advisory-592.html


* TurboLinux: netscape-4.73 and earlier
August 2nd, 2000

Current and previous versions of netscape communicator have a buffer
overflow condition in its handling of JPEG files. Specifically, it
trusts the purported length of JPEG files provided by the header and
can be mislead into reading arbitrary amounts of data, leading to the
overwriting of memory.

http://www.linuxsecurity.com/advisories/turbolinux_advisory-594.html


* TurboLinux: cvsweb-1.90 and earlier
August 1st, 2000

Remote root exploit present in versions earlier than 2.0.   Current
and previous version of cvsweb allow remote users to access/write
files as the default web user via the cvsweb.cgi script.

http://www.linuxsecurity.com/advisories/turbolinux_advisory-591.html


* Mandrake: netscape vulnerability
August 1st, 2000

Previous versions of Netscape, from version 3.0 to 4.73 contain a
serious overflow flaw due to improper input verification in
Netscape's JPEG processing code.  The way Netscape processed JPEG
comments trusted the length parameter for comment fields.  By
manipulating this value, it was possible to cause Netscape to read in
an excessive amount of data which would then overwrite memory.  Data
with a malicious design could allow a remote site to execute
arbitrary code as the user of Netscape on the client system.  It is
highly recommended that everyone  using Netscape upgrade to this
latest version that fixes the flaw.

http://www.linuxsecurity.com/advisories/mandrake_advisory-590.html


* RedHat: netscape vulnerability
July 31st, 2000

Netscape's processing of JPEG comments trusted the length parameter
for comment fields; by manipulating this value, it would be possible
to cause netscape to read in an excessive amount of data, overwriting
memory. Specially designed data could allow a remote site to execute
arbitrary code as the user of netscape.

http://www.linuxsecurity.com/advisories/redhat_advisory-589.html


-----------------------
Top Articles This Week:
-----------------------

Network Security News:
-------------------
* Interivew with Jasta: coder of Gnapster
August 4th, 2000

Chris writes, "Since the invention of Napster, Peer to Peer sharing
has been on all of our security concious minds... Is this safe? Can
this program allow my network to  be comprimised? Was security an
issue when these Apps were created? Well, we interviewed Jasta,
creator of Gnapster, the gnome napster client, about the security
concerns of Gnapster/Napster, the feedback of  Open Source security
hackers, and how much he thought about security when coding
Gnapster."

http://www.linuxsecurity.com/articles/host_security_article-1282.html


* Discussion of "Linux Sux Redux" Issue
August 4th, 2000

Peter writes, "This is in response to an article posted at
abcnews.com by Fred Moody, available at:
http://abcnews.go.com/sections/tech/FredMoody/moody.html, in which he
claims that Linux is a far less secure operating system than NT,
based on his interpretation of the Bugtraq vulnerability statistics.

http://www.linuxsecurity.com/articles/forums_article-1288.html


* How Do I Tighten Security on My System?
July 31st, 2000

"Hardening" a system is the practice of making that system much
harder to crack. I like to think that this involves steps not only to
prevent break-ins, but also to detect them when they happen.

http://www.linuxsecurity.com/articles/general_article-1239.html


* Bruce Schneier, "It doesn't look good."
July 31st, 2000

Speaking at the Black Hat Security Conference, cryptographer and
security expert Bruce Schneier gave one of the opening keynotes
Wednesday. In it, he argued that inevitably, as the Internet and
computer systems become more complex, they become more insecure.

http://www.linuxsecurity.com/articles/cryptography_article-1241.html


Cryptography News:
-------------------
* Will Crypto Feast on Carnivore?
August 4th, 2000

In the aftermath of the FBI's recently revealed  Carnivore email
surveillance system, email security  companies are hoping they can
convince average  email users to seal their electronic envelopes --
and finally propel email encryption into a broader  market.    "We're
seeing Carnivore pop up and become a real  threat to people's privacy
and saying, 'Wait a  second -- we could take this product Mithril,
our  secure server product, re-brand it and put it out  there," said
Sean Steele, director of business  development at security firm
ChainMail.

http://www.linuxsecurity.com/articles/privacy_article-1283.html


* An Old Spy with a New Vision of Encryption
August 3rd, 2000

Ex-NSA official and now Cylink CEO Bill Crowell is   reviving the
software maker and helping to bridge the   government-industry
divide.After three decades at America's largest spy center, the
National Security Agency, Crowell turned to the private sector in
1998 and has brought Cylink Corp., which nearly collapsed under the
weight of accounting irregularities and a spate of resignations by
top brass, back from the brink.

http://www.linuxsecurity.com/articles/cryptography_article-1273.html


Vendor/Product/Tools News:
-------------------
* The Coroner's Toolkit
August 5th, 2000

Wietse Venema and Dan Farmer the authors of SATAN have written a
package called The Coroner's Toolkit (TCT) that is designed to help a
System Administrator do forensic analysis on their cracked Unix box.
The authors say that TCT does not have one single goal, but instead
it has the theme of making a snapshot of the machine so that there
can be an attempt towards reconstruction of the past.

http://www.linuxsecurity.com/articles/intrusion_detection_article-1291.html


* Running logcheck, the logfile auditing software for Unix
August 3rd, 2000

Portsentry has some very specific behaviors when triggered: it drops
the offending connection, locks out the  offending IP address, and
then writes an alert to your system logs. Logcheck picks up where
Portsentry leaves off,  parsing system logs at pre-set intervals and
mailing information about the attack or alert to the administrator
(or the  admin's designated recipient).

http://www.linuxsecurity.com/articles/host_security_article-1274.html


* Tools of the Trade: nmap
August 2nd, 2000

The intent of this article is to familiarize the reader with the
network scanner nmap. As Lamont Grandquist (an nmap
contributor/developer) points out, nmap does three things: It will
ping a number of hosts to determine if they are up. It will portscan
hosts to determine what services they are offering and it will
attempt to determine the OS (operating system) of host(s). Nmap
allows the user to scan networks as small as a two node LAN (Local
Area Network) or as large as a 500 node LAN and even larger. Nmap
also allows you to customize your scanning techniques.

http://www.linuxsecurity.com/articles/network_security_article-1264.html


General News:
-------------------
* FBI Agrees To Release Carnivore Details
August 7th, 2000

Pushed by a court hearing and growing press attention, the FBI on
Wednesday agreed to expedite its release of documents detailing the
inner workings of Carnivore, its controversial electronic wiretap
system that scans private E-mail through Internet service providers.
But ISPs must allow the FBI to install the system on their networks
in the meantime.

http://www.linuxsecurity.com/articles/privacy_article-1297.html


* ISPs sued over spamming blacklist
August 5th, 2000

A leading Internet-based polling company is suing America Online Inc.
and a dozen other Internet service providers for blocking
correspondence with some 2.7 million of its 6.6 million online
members

http://www.linuxsecurity.com/articles/privacy_article-1292.html


* They Know Where You're Shopping
August 5th, 2000

Chris Hughes was surprised when Internet merchant PayPal rejected his
credit card last week, but was even more surprised when he found out
why. PayPal's credit card verification service, Cybersource Corp.,
indicated Hughes was a high risk because he had used 10 different
credit cards at various Internet sites during the past several
months.

http://www.linuxsecurity.com/articles/privacy_article-1293.html


* Interview with Lance Brown: StopCarnivore.org
August 4th, 2000

The HNS Staff did an interview with Lance Brown, the creator of
http://www.stopcarnivore.org. Mr. Brown is the President and Founder
of Future Solutions, which was founded in 1996 with the goal of
pursuing freedom-minded solutions to tomorrow's problems. Mr. Brown
is also: President and CEO of PeoplesForum.com; CIO/Technology
Supervisor of Dispute Solvers/Rent-a-Court, an online dispute
resolution firm; Candidate for President (of the U.S.) in 2008.

http://www.linuxsecurity.com/articles/privacy_article-1281.html


* E-tailers violate own privacy policies
August 4th, 2000

Without knowing it, some Internet shoppers are forking over more than
cash for their purchases. Several online retailers have been giving
their customers' personal information to a marketing company.

http://www.linuxsecurity.com/articles/privacy_article-1286.html


* 'Uncle Spam' wants you!
August 3rd, 2000

Uncle Sam could become "Uncle Spam" if the government follows through
with plans for creating an "official U.S. e-mail box" for every
address in America, say industry executives briefed on the proposal.
The ruckus began earlier this week, when the U.S. Postal Service
disclosed that it was exploring the e-mail idea.The government would
use the e-mail addresses to send driver's license renewal forms, tax
documents and other materials that would normally be sent by snail
mail. And Americans would visit two mailboxes every day -- the ones
outside their homes and the ones inside their computers, said Deputy
Postmaster General John M. Nolan.

http://www.linuxsecurity.com/articles/privacy_article-1269.html


* Join Us, Don't Fight Us, Pentagon Tells Hackers
August 1st, 2000

The largest-ever convention of computer hackers opened here on Friday
with top-ranking U.S. military officials offering to hire the elite
of the cybervandal world and put them to work defending against
foreign government attacks. "I invite you to join the government, or
private industry for that matter. But get on the defense side," Art
Money, U.S. Assistant Secretary of Defense, and the Pentagon's Chief
Information Officer with responsibility for command, control,
communications and intelligence."

http://www.linuxsecurity.com/articles/government_article-1251.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email newsletter-request () linuxsecurity com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".