ARP, openssh, wu-ftpd, ipmasq, sendmail, proftpd and perl. The
distributors include Conectiva, Debian, Guardian Digital’s EnGarde
Secure Linux, FreeBSD, Gentoo, Red Hat, Slackware, SuSE, and TurboLinux.
Using only passwords as a method of authentication is often
insufficient for critical data because they fundamentally have weaknesses. Several
of those include: users pick easy to guess words, users often voluntarily give
them away in order to make work easier, and passwords are often easily intercepted.
Many applications/protocols that are still in use send passwords in cleartext.
A weak password is the equivalent of a faulty lock on a safe. Passwords do not
guarantee security, only increase the time required to access data or information.
System administrators can improve password security for users
in several ways. First, a limit on log-in attempts should be set. For example,
user ids should be locked after a number of failed login attempts. Next, passwords
should have strength requirements set. For example, passwords should have a
minimum length, special characters and capitalizations should be required, and
they should be checked against a dictionary file. Password security can also
be improved if there are expiration dates set and passwords are not reused consecutively.
Biometrics and other forms of authentication in addition to
passwords can dramatically increase security. Having a second line of defense
is critical. For example, ssh security can be improved by using key-authentication
and IP based access controls. Passwords are slowly becoming obsolete with improvements
in technology, but will remain in use for many years. Next week, I’ll discuss
how using single sign-on mechanisms can improve password security and management
for users.
Until next time, cheers!
Benjamin D. Thomas
LinuxSecurity Feature
Extras:
R00ting
The Hacker
– Dan Verton, the author of The Hacker Diaries: Confessions of
Teenage Hackers is a former intelligence officer in the U.S. Marine Corps
who currently writes for Computerworld and CNN.com, covering national cyber-security
issues and critical infrastructure
protection.A
Practical Approach of Stealthy Remote Administration
– This paper is written for those paranoid administrators who are looking
for a stealthy technique of managing sensitive servers (like your enterprise
firewall console or IDS).[ Linux
Advisory Watch ] – [ Linux
Security Week ] – [ PacketStorm
Archive ] – [ Linux Security
Documentation ]
FREE
Apache SSL Guide from Thawte – Are you worried about your web server security?
Click here to get a FREE Thawte Apache SSL Guide and find the answers to all your
Apache SSL security needs.
Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability. [ Subscribe
]
| Distribution: | OpenServer | ||
| 9/24/2003 | ‘wu-ftpd’ fb_realpath() off-by-one bug |
||
|
Wu-ftpd FTP server contains remotely exploitable off-by-one bug. A local |
|||
| Distribution: | Conectiva | ||
| 9/22/2003 | wu-ftpd Command execution remote vulnerability |
||
|
This update fixes a vulnerability in the way wu-ftpd uses the “conversion” |
|||
| 9/23/2003 | vnc | ||
| Multiple vulnerabilities This update fixes two vulnerabilities found in VNC that affect the versions |
|||
| 9/23/2003 | krb5 | ||
| Multiple kerberos vulnerabilities This update fixes pricipal name handling, cryptographic weaknesses, faulty |
|||
| 9/24/2003 | php4 | ||
| Multiple vulnerabilities This new version includes several fixes[3] and improvements, including fixes |
|||
| Distribution: | Debian | ||
| 9/20/2003 | ipmasq | ||
| Insecure packet filtering rules Due to use of certain improper filtering rules, traffic arriving on the |
|||
| 9/21/2003 | ssh-krb5 Multiple vulnerabilities |
||
| Insecure packet filtering rules This advisory is an addition to the earlier DSA-383-1 advisory: Solar Designer |
|||
| 9/21/2003 | ssh | ||
| Multiple additional vulnerabilities This advisory is an addition to the earlier DSA-382-1 and DSA-382-3 advisories: |
|||
| Distribution: | EnGarde | ||
| 9/24/2003 | ‘WebTool-userpass’ passphrase disclosure vulnerability. |
||
| Multiple additional vulnerabilities “Shawn” |
|||
| Distribution: | FreeBSD | ||
| 9/24/2003 | ARP | ||
| resource starvation DoS Under certain circumstances, it is possible for an attacker to flood a FreeBSD |
|||
| Distribution: | Gentoo | ||
| 9/23/2003 | openssh | ||
| Multiple PAM vulnerabilities Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities |
|||
| Distribution: | RedHat | ||
| 9/22/2003 | apache/mod_ssl Multiple vulnerabilities |
||
| Multiple PAM vulnerabilities Updated Apache and mod_ssl packages that fix several minor security issues |
|||
| 9/22/2003 | perl | ||
| Multiple vulnerabilities Updated Perl packages that fix a security issue in Safe.pm and a cross-site |
|||
| Distribution: | Slackware | ||
| 9/23/2003 | ‘wu-ftpd’ vulnerability |
||
| Multiple vulnerabilities Upgraded WU-FTPD packages are available for Slackware 9.0 and -current. |
|||
| 9/23/2003 | ‘proftpd’ vulnerability |
||
| Multiple vulnerabilities Upgraded ProFTPD packages are available for Slackware 8.1, 9.0 and -current. |
|||
| 9/23/2003 | ‘openssh’ PAM vulnerability |
||
| Multiple vulnerabilities Upgraded OpenSSH 3.7.1p2 packages are available for Slackware 8.1, 9.0 and |
|||
| Distribution: | SuSE | ||
| 9/20/2003 | sendmail, sendmail-tls |
||
| Multiple vulnerabilities A remotely exploitable buffer overflow has been found in all versions of |
|||
| Distribution: | TurboLinux | ||
| 9/24/2003 | ‘openssh’ PAM vulnerabilities |
||
| Multiple vulnerabilities Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities |
|||
Category:
- Security
