for qt, krb5, kdelibs, zlib, kernel, acrobat, gaim, and the Linux kernel. The distributors include Debian, Fedora, Gentoo, Mandrake, OpenBSD, Red Hat, Slackware, SuSE, Trustix, and TurboLinux.

Introduction to Cryptography
Implementing any large security project on the Linux operating system requires the use of cryptography. Several weeks ago, I wrote about a book by Fred Piper and Sean Murphy titled "Cryptography: A Very Short Introduction." It offers a very good introduction to the subject, but those wishing to implement cryptography in open source projects need a more in-depth understanding of the area. Another excellent resource is the "Handbook of Applied Cryptography," by Menezes, van Oorschot, and Vanstone. It has often been considered "the bible of cryptography" and offers a detailed and
The first several chapters of the book focus on the basics, giving an overview and history of cryptography followed by an explanation of the mathematics necessary to understand the algorithms. Midway through, the book gives detailed information to help the reader understand stream ciphers, block ciphers, and finally public key encryption. Once the reader understands the algorithms, the book moves on to explain how they can be used in key establishment protocols. It also offers chapters on key management and tips for efficient implementation.
For the long-time manager, this book may be slightly on the technical side. However, there are clear benefits to management having an understanding of technical subjects. Cryptography today offers a very strong level of protection; it fails only in implementation, for example when keys are not properly protected or managed. For those of you wishing to learn a little more about the fascinating subject of cryptography, I highly recommend this book.
Perhaps the best part is that the book is available in full for free on the Web:

Hard copies of the book can also be purchased through Amazon or any other large bookseller.
When any company decides to take on an in-house software development project, it is essential to include cryptographic mechanisms. Books such as this can give programmers the knowledge necessary to understand how cryptography works and how to avoid problems.
Until next time, cheers!
Benjamin D. Thomas
Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code

Gary McGraw is perhaps best known for his groundbreaking work on securing software, having co-authored the classic Building Secure Software (Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund a companion volume, Exploiting Software, which details software security from the vantage point of the other side, the attacker. He has graciously agreed to share some of his insights with all of us at LinuxSecurity.com.
Expert Dave Wreski Discusses Open Source Security

Dave Wreski, CEO of Guardian Digital, Inc. and respected author of various hardened security and Linux publications, talks about how Guardian Digital is changing the face of IT security today. Guardian Digital is perhaps best known for their hardened Linux solution EnGarde Secure Linux, touted as the premier secure, open-source platform for its comprehensive array of general purpose services, such as web, FTP, email, DNS, IDS, routing, VPN, firewalling, and much more.
Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.
Distribution: Debian

Markus Wörle discovered a cross site scripting problem in status-display (list.cgi) of the icecast internal webserver.
http://www.linuxsecurity.com/advisories/debian_advisory-4693.html

8/30/2004 qt arbitrary code execution and DoS
Several vulnerabilities were discovered in recent versions of Qt, a commonly used graphic widget set.

really fix buffer overflow, arbitrary code execution and DoS
This security advisory corrects DSA 458-1, which caused some segmentation faults in gethostbyaddr with non-localhost input. This update also disables IPv6 on all architectures.
http://www.linuxsecurity.com/advisories/debian_advisory-4718.html

8/31/2004 krb5 several
The MIT Kerberos Development Team has discovered a number of vulnerabilities in the MIT Kerberos Version 5 software.
http://www.linuxsecurity.com/advisories/debian_advisory-4723.html

Distribution: Fedora

8/31/2004 krb5 double-free bugs (Core 1)
Several double-free bugs were found in the Kerberos 5 KDC and libraries.
http://www.linuxsecurity.com/advisories/fedora_advisory-4724.html

8/31/2004 krb5 double-free bugs (Core 2)
Several double-free bugs were found in the Kerberos 5 KDC and libraries.
http://www.linuxsecurity.com/advisories/fedora_advisory-4725.html

Distribution: Gentoo

8/27/2004 Mozilla, Firefox, Thunderbird New releases fix vulnerabilities
New releases of Mozilla, Mozilla Thunderbird, and Mozilla Firefox fix several vulnerabilities, including remote DoS and buffer overflows.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4708.html

8/27/2004 kdelibs Cross-domain cookie injection vulnerability
The cookie manager component in kdelibs contains a vulnerability allowing an attacker to potentially gain access to a user's session on a legitimate
http://www.linuxsecurity.com/advisories/gentoo_advisory-4711.html

8/27/2004 zlib Denial of service vulnerability
The zlib library contains a Denial of Service vulnerability.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4714.html

8/27/2004 gaim New vulnerabilities
Gaim contains several security issues that might allow an attacker to execute arbitrary code or commands.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4715.html

Distribution: Mandrake

8/27/2004 kernel multiple
A race condition was discovered in the 64bit file offset handling by Paul Starzetz from iSEC.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4699.html

9/1/2004 krb5 multiple
A double-free vulnerability exists in the MIT Kerberos 5's KDC program that could potentially allow a remote attacker to execute arbitrary code on the
http://www.linuxsecurity.com/advisories/mandrake_advisory-4726.html

Distribution: OpenBSD

8/31/2004 zlib reliability
A bug has been found in the version of zlib included in OpenBSD 3.5 (and only 3.5) that could allow an attacker to crash programs linked with it.

Distribution: Red Hat

8/27/2004 acrobat security
An updated Adobe Acrobat Reader package that fixes multiple security issues is now available.
http://www.linuxsecurity.com/advisories/redhat_advisory-4701.html

8/31/2004 krb5 security
Updated Kerberos (krb5) packages that correct double-free and ASN.1 parsing bugs are now available for Red Hat Enterprise Linux.
http://www.linuxsecurity.com/advisories/redhat_advisory-4729.html

8/31/2004 krb5 security
Updated krb5 packages that improve client responsiveness and fix several security issues are now available for Red Hat Enterprise Linux 3.
http://www.linuxsecurity.com/advisories/redhat_advisory-4730.html

Distribution: Slackware

8/27/2004 gaim updated
A couple of bugs were found in the gaim 0.82 release, and gaim-0.82.1 was released to fix them.
http://www.linuxsecurity.com/advisories/slackware_advisory-4717.html

Distribution: SuSE

9/1/2004 kernel vulnerabilities
Various signedness issues and integer overflows have been fixed within kNFSd and the XDR decode functions of kernel 2.6.
http://www.linuxsecurity.com/advisories/suse_advisory-4728.html

Distribution: Trustix

8/27/2004 courier-imap, samba, zlib Multiple vulnerabilities
http://www.linuxsecurity.com/advisories/trustix_advisory-4705.html

Distribution: TurboLinux

8/31/2004 rsync, qt vulnerabilities
Security roll-up for 31/Aug/2004.