This week, advisories were released for proftpd, openssl, marbles, freesweep, webfs, OpenSSL, mpg123, teapop, and proftpd. The distributors include Conectiva, Debian, Guardian Digital's EnGarde Linux, Gentoo, Immunix, Red Hat, Trustix, and Turbolinux.
Last week, I wrote about some of the problems associated with using passwords as a method of authentication. There are several techniques that can be used to improve password security; however, users often have such a large number of different passwords that they become difficult to manage. Users are forced to remember multiple passwords for different systems on different networks. This causes users to write their passwords down, or to continually need them reset.
Single sign-on (SSO) is a technology that can be implemented to relieve some of the strain that passwords put on users and administrators. With SSO, the multiple passwords become invisible to the user: the user is only required to log in once, and the credentials are then passed to each application by way of the single sign-on system.
Initially, migrating from a traditional password structure can be a daunting task. The problem is particularly apparent when trying to connect legacy applications. However, the headaches will quickly go away if the system includes the ability for users to reset their own password using other credentials that were established at their initial enrollment in the system. This functionality could be extremely beneficial to enterprise-sized organizations that must reset hundreds of passwords a day.
A single sign-on system is not the holy grail. Like any feature on a network, it brings its own set of risks. An SSO system is a single point of failure: if the system is down, every application on the network is potentially down. There are always tradeoffs between security and convenience, but many large organizations have felt that this is a risk worth taking. Although SSO introduces the possibility of a single point of failure, it is also possible to configure the system redundantly, so that service continues if one system goes down. Implementing such a system correctly requires a great deal of planning, time, and money.
Until next time, cheers!
Benjamin D. Thomas
LinuxSecurity Feature Extras:
R00ting The Hacker – Dan Verton, the author of The Hacker Diaries: Confessions of Teenage Hackers, is a former intelligence officer in the U.S. Marine Corps who currently writes for Computerworld and CNN.com, covering national cyber-security issues and critical infrastructure protection.

A Practical Approach of Stealthy Remote Administration – This paper is written for those paranoid administrators who are looking for a stealthy technique of managing sensitive servers (like your enterprise firewall console or IDS).
Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.
| Distribution | Date | Package | Vulnerability | Description (truncated in source) |
|---|---|---|---|---|
| Conectiva | 9/29/2003 | proftpd | Arbitrary code execution vulnerability | An attacker who is able to upload and download the same file can exploit ... |
| Conectiva | 9/30/2003 | openssl | ASN.1 parsing vulnerabilities | An SSL/TLS testing suite developed by the NISCC (UK National Infrastructure ... |
| Debian | 9/26/2003 | marbles | Buffer overflow vulnerability | Steve Kemp discovered a buffer overflow in marbles, when processing the ... |
| Debian | 9/28/2003 | freesweep | Buffer overflow vulnerability | Steve Kemp discovered a buffer overflow in freesweep, when processing several ... |
| Debian | 9/29/2003 | webfs | Multiple vulnerabilities | Multiple vulnerabilities including unauthorized access and buffer overflow ... |
| EnGarde | 9/30/2003 | OpenSSL | ASN.1 parsing vulnerabilities | An SSL/TLS testing suite developed by the NISCC (UK National Infrastructure ... |
| Gentoo | 9/29/2003 | media-video/mplayer | Buffer overflow vulnerability | A remotely exploitable buffer overflow vulnerability was found in MPlayer. |
| Gentoo | 9/29/2003 | net-ftp/proftpd | Remote file compromise vulnerability | ISS X-Force discovered a vulnerability that could be triggered when a specially ... |
| Gentoo | 9/30/2003 | mpg123 | Buffer overflow vulnerability | mpg123 contains a heap-based buffer overflow that would allow a remote ... |
| Gentoo | 9/30/2003 | teapop | SQL injection vulnerability | teapop suffers from a SQL injection in the PostgreSQL and MySQL authentication ... |
| Immunix | 9/30/2003 | | ASN.1 parsing vulnerabilities | An SSL/TLS testing suite developed by the NISCC (UK National Infrastructure ... |
| Red Hat | 9/30/2003 | OpenSSL | ASN.1 parsing vulnerabilities | An SSL/TLS testing suite developed by the NISCC (UK National Infrastructure ... |
| Trustix | 9/29/2003 | proftpd | Remote exploit | An error exists in the ASCII upload handling of Proftpd version 1.2.7 and ... |
| Turbolinux | 9/30/2003 | proftpd | ASCII file remote compromise vulnerability | A vulnerability exists in the ProFTPD server that can be triggered by remote ... |