Security Week in Review

Enterprise-grade Linux: Five network security FOSS apps
iTWire has a story detailing five open source security applications:
http://www.itwire.com/content/view/16246/1141/1/0/
As more security applications are gobbled up by large firms, open source projects gain a unique advantage. Anytime an organization needs to make money, they are willing to draw a gray line with respect to their ethics. As most open source projects don't rely on corporate funding, they can be more strict with respect to what they call malware. It is quite likely that as the volume of malware increases, this advantage will become more clear.

Growing virus production taxes security firms
The Register points out the current problem with growing malware trends:
http://www.theregister.co.uk/2008/01/25/malware_surge/

The rate at which malware is growing is quite alarming. If this trend continues it will become impossible for anti virus firms to keep ahead of the wave. The current attitude toward malware is to take a very reactive approach. Most groups don't focus on stopping the cause of problems, but rather treating the symptoms. While there is certainly a great deal of money to be made in treating symptoms, the well is going to dry up eventually.

X Update
New versions of X.org were released this week.
http://lists.freedesktop.org/archives/xorg/2008-January/031918.html

The tricky thing with X.org is that it has to run as root, so it gives a local attacker the potential to compromise the machine.

More Vulnerability Reporting
A report was made public last week that once again compares the number of flaws fixed in various things. I think Mark Cox and Window Snyder summed things up pretty well regarding those reports:
http://blog.mozilla.com/security/2008/01/17/read-past-the-headlines-firefox-is-fixed-faster/
http://www.awe.com/mark/blog/200801161200.html

At this point any intelligent reader should notice that these reports need to be taken with a grain of salt, and the real story isn't what's reported, but what one can learn from the data.

Embedded library madness
Right now there has been a bit of news from a company named Palamida. They like to point out all the things that contain embedded copies of various open source projects.
http://www.linuxinsider.com/rsstory/61202.html

Before 2002 this was a fairly common occurrence within a number of open source projects, until there were a number of zlib flaws. This made most project rethink keeping their own local copies of the source and using the system copy instead. This ties in nicely with the above mentioned vulnerability report. More vulnerabilities doesn't always mean less secure.

Clever Tools
So a coworker pointed me at his blog today, which discusses a few really nice tools for those of us in the security world:
http://www.kernel.sg/blog/2008/01/18/running-pfiles-on-a-process-in-linux-to-report-open-files/
http://www.kernel.sg/blog/2008/01/13/psig-for-linux/

These tools should help with the analysis of various bits of software. Figuring out what a piece of malware is doing can always be challenging. Knowing what signals are being trapped along with what files are open can be most useful.

I'm back now after the holiday break and a bout with illness. Luckily it's been a fairly slow couple of weeks.

Coverity and Open Source
There were quite a few stories about Coverity this week. Most were rather poorly written and were confusing at best. The real story is best read from the Coverity site here:
http://scan.coverity.com/

In general Coverity is portrayed in a mostly positive light for providing their service to various Open Source projects. In reality it's not that simple. Using a closed source tool for the supposed benefit of Open Source is misleading at best. If Coverity was serious about improving the state of Open Source, they would release their tool under an Open Source license for the community to consume and improve upon. Right now they simply have a clever marketing program.

Bruce Schneier Interview
Computerworld has a nice interview with Bruce Schneier that even mentions Linux:
http://www.computerworld.com.au/index.php/id;1891124482;pp;1

He is one of the few security public figures who can explain things in a manner that most people can understand.

Squirrelmail Compromise
It seems that some of the squirrelmail 1.4.11 and 1.4.12 releases have been compromised. The problem only exists in their releases, not in CVS, which is good. This is still a rather scary scenario though.
http://marc.info/?l=squirrelmail-announce&m=119757931707501&w=2

We looked through the version being shipped in Fedora and didn't find the backdoor, but we will still upgrade to version 1.4.13 for peace of mind and to reduce confusion.


Linux Virus Scanner
And what better to end 2007 with than a story about virus scanners on Linux:
http://www.informationweek.com/blog/main/archives/2007/12/would_we_need_a.html


The Top 5 Most Overlooked Open Source Vulnerabilities for 2007
This story is most interesting, but a little confusing if you don't understand what Palamida does.
http://www.palamida.com/node/513

Palamida specializes in inspecting source repositories and finding embedded source. A good example of this is projects that like to include source copies of zlib, rather than linking against a system version. It's no secret that there are significant benefits to using system libraries rather than including your own. Any project that includes a copy of an upstream library, needs to track the security flaws that affect that source. Most do not do this, which ends up leaving their users vulnerable.

Critical Vulnerability in Microsoft Metrics
Window Snyder has some rather insightful feedback regarding Microsoft Metrics.
In general this commentary can apply to anyone who tries to compare closed source and open source security records.
http://blog.mozilla.com/security/2007/11/30/critical-vulnerability-in-microsoft-metrics/

Firefox 2.0.0.10
Firefox 2.0.0.10 was released last week. This of course means that everyone should be upgraded to the latest and greatest version by now. It's always extremely important to keep the web browser up to date given it processes an amazing amount of untrusted content.

On the note of Firefox, I ran across this rather interesting study regarding Mozilla security flaws:
http://www.st.cs.uni-sb.de/softevo/vulnerabilities.php

I'm tempted to attempt such an analysis over the Fedora codebase to see how things fare.

Insecurity Blues
Jeremy Allison has writeup regarding his thoughts on the recent Samba security issues.
http://www.tuxdeluxe.org/node/273
His words really do apply to most open source projects today. Security in the open source world does indeed tend to be a well orchestrated mess

Samba
Last week saw the release of a new version of Samba, with two security fixes:
http://samba.org/samba/security/CVE-2007-4572.html
http://samba.org/samba/security/CVE-2007-5398.html

Both of these issues sound pretty bad, but only CVE-2007-5398 is truly scary. CVE-2007-4572 initially looked rather bad, but after a thorough analysis it was determined that under normal use the flaw shouldn't even crash the Samba server. A detailed analysis of this flaw can be found here:
https://bugzilla.redhat.com/show_bug.cgi?id=294631#c3

AppArmor's Security Goals
I'm no fan of AppArmor, but aside from that there is a most interesting read regarding it on Kernel Trap. Those of you interested in such a thing might find it useful:
http://kerneltrap.org/Linux/AppArmors_Security_Goals

Hushmail not so hush
It seems that Hushmail is willing to share the PGP keys of its clients with law enforcement:
http://www.itnews.com.au/News/65213,hushmail-turns-out-to-be-anything-but.aspx
While this probably isn't terribly surprising (most companies are willing to work with law enforcement). It is an opportunity to point out that unless you have complete control over your encryption key, you should assume that someone else has it. This includes things like storing keys on NFS home directories or using public computers with your private key. Keeping a private key protected properly is very difficult, and everyone has to compromise perfect security for reality at some point. It should be completely obvious though, that trusting someone else, especially a corporation, with your private key is most unwise.


I don't plan to write a column next week due to the holiday weekend. I shall see everyone the week of the 25th, which I'm certain will be eventful.

Fedora 8 released
Last week saw the release of Fedora 8. This is important for countless reasons, one of them being a new firewall configuration tool. This is important since it should hopefully keep more people using the firewall. In previous Fedora releases it was often easiest to just turn off the firewall when something didn't work. This is obviously an unwise move as it can leave your machine open to various other issues. One of the most difficult things for security to achieve is keeping users safe while staying out of the way.

pcre
Some rather foul pcre flaws were made public last week. In reality these flaws aren't a big deal for most users, but it was found that pcre is used by Konqueror. It seems that the Konqueror web browser uses the pcre library for its JavaScript regular expression support. Web browsers are easily one of the most dangerous applications on a computer, as they process an incredible amount of arbitrary third party content.

This week has been very slow. This isn't a bad thing, but when you have to write a weekly blurb about what happened, it's a bit of a challenge.

IBM Plans Major Security Initiative
http://ap.google.com/article/ALeqM5iSFxylj-4ojpf44zNT6k01yBY5RgD8SKHH781
IBM announced last week that they plan to spend 1.5 billion (with a big B) dollars on security research in 2008. Information Security is becoming a very serious business. I suspect the biggest issue now is going to be finding employees to fill these positions.

Why are so many browser flaws rated as critical?
To many people on the outside world, it's sometimes non obvious why such a big deal is made about the web browser. The story below highlights that an ad server was broken into and used to distribute malware.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9043418&source=NLT_AM&n

People usually think that if they're at a trusted site, such as their bank, a news site, or even some search engines., they are safe and they can let their guard down. The network of webservers have become very pervasive, and the line between sites continues to blur. As various sites start opening up public APIs, this line will eventually vanish completely. The web seems to be evolving into one giant squishy ball of putty, rather than lots of little ones. This in turn is creating an environment more dangerous for its users, with no clear fix in sight.

Virtualization is less secure
I ran across this posting to an OpenBSD mailing list the other day:
http://kerneltrap.org/OpenBSD/Virtualization_Security

Talk of security virtualization reminds me of the old saying about debugging by Brian Kernighan

Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it.

This is hard problem. I doubt the solution lies in writing golden code. It's more likely that technologies like SELinux are going to be far more effective than expecting everyone to write bug free software.

Firefox Security Update
This week was mostly consumed with the Firefox security update. A security update of Firefox will result in the release of Firefox, Seamonkey, and Thunderbird. This is of course a great deal of work for all the involved parties. Those programs are rather complex and much can go wrong along the way. On the plus side though, we have gotten rather good at dealing with these updates in RHEL and Fedora. All the interesting bits can be found here:
http://www.mozilla.org/projects/security/known-vulnerabilities.html

So this week this entry isn't syndicated in Fedora Weekly News. I was very busy this weekend working on my yard and missed the deadline. If any of you ever think that planting ivy on the side of you house is a good idea, don't do it. It's horrible to remove.

OpenSSL Security Advisory
A very scary OpenSSL flaw went public last week:
http://www.openssl.org/news/secadv_20071012.txt
On the surface this looks like a horrible flaw, which it is. The redeeming factor is that very little uses DTLS in OpenSSL. After an audit of Red Hat Enterprise Linux, we determined that nothing is shipped that actually uses DTLS.

Air Force to get ‘cyber sidearms’
http://www.fcw.com/online/news/150483-1.html
This is a rather odd idea the US Air Force seems to be planning to use. It seems the idea is that if a user thinks their computer has been compromised, they can somehow alert someone who can verify this. I'm going to guess this isn't going to work. It can probably be suggested that most of the machines in the 50 million computers that are part of the Storm Botnet do not have users that know they're a part of the network. No doubt some portion of Air Force personnel will be able to tell if their computer is hacked, but most probably can't.

VM-Based Rootkits Proved Easily Detectable
Some time ago it a number of researchers claimed that it would be possible for a virtual machine based rootkit to evade security software. It seems that's not quite the case.

Linux phishing botnet statistics can be deceptive
eBay's chief information security officer made a comment last week that most botnets are hosted off of compromised Linux machines. The above article refutes some of these claims.

"you security people are insane."
Linus makes some interesting points about various security systems in the Linux kernel. While his colorful comments are humorous, this makes a rather powerful statement. Linus says:

Schedulers can be objectively tested. There's this thing called
"performance", that can generally be quantified on a load basis.

Yes, you can have crazy ideas in both schedulers and security. Yes, you
can simplify both for a particular load. Yes, you can make mistakes in
both. But the discussion on security seems to never get down to real
numbers.

So the difference between them is simple: one is "hard science". The other
one is "people wanking around with their opinions".

This is a big problem. Security is hard to understand, so you end up with two different types of people causing trouble. There are people who don't really understand what they're doing. These are the people that say incorrect things and just make up what they don't know. There are also the people who will blatantly lie to further their own agenda. The hope is that the right solution will eventually win out, but that's not always the case.

I ran across a rather clever security information site. I'd suggest just visiting it to see for yourself:
http://www.ibm.com/developerworks/spaces/linuxsecurity?ca=dgr-lnxw02aLinuxSecuritySpaces

How safe are Wi-Fi hot spots?
I grew up in Green Bay Wisconsin, so I tend to pay attention to local news from that area. A friend sent me this story
http://www.postcrescent.com/apps/pbcs.dll/article?AID=/20070925/APC0101/709250595/1004

The story contains this morsel:

How safe are Wi-Fi hot spots?

"The Internet is not a real secure place in general, but it's also not something to be overly worried about if you're working with sites (and) businesses that you've worked with before," said Scott Liske, the city of Appleton's director of technology services. "When you know you're at a legitimate site, then there are very few issues."

I can understand how normal people are utterly confused by all the threats on the Internet when a supposed expert doesn't even get it. If your browser isn't encrypting the connection to the remote server, there is no way you can verify that the data you are seeing hasn't been altered between the host and your computer.

Is a chroot secure?
Kerneltrap has a nice summary of why a chroot is not a security feature. This is an issue that comes up every couple of years. It is likely this will continue to happen since there is quite a lot of information available on the Internet that claims a chroot is a fine way to keep something secure. The best advice if you wish to keep a process in a cage would be to use SELinux.
http://kerneltrap.org/Linux/Abusing_chroot

Is SELinux really too complex?
Speaking of SELinux, this article takes a rather insightful look at the technology.
http://enterpriselinuxlog.blogs.techtarget.com/2007/09/26/selinux-is-it-really-too-complex/

The article does point out that the OpenBSD mailing list is obviously a rahter biased place to find SELinux commentary, but many of the points made about SELinux are good for someone who hasn't been keeping an eye on the discussions.

Last week was fairly slow as far as all things security are concerned. There wasn't anything terribly exciting to happen, which always scares me a bit as I see it as the calm before the storm.

Internal Abuse Overtakes Viruses as Security Threat
I suspect these two threats go hand in hand to a certain degree, but this is terribly interesting. It begs the question why have the virus numbers gone down faster than the "Internal Abuse" numbers?

It's quite possible that the operating systems have become more robust, the users are better educated, antivirus software is starting to work better. Perhaps more companies are now running antivirus software. It's also very possible that the respondents to the report are starting to ignore the virus problem and just consider it a cost of doing business.

Internal attacks have always been a far larger issue than outside threats in an organization. A lot of people like to ignore this fact and focus on attacks coming in from the outside. It's easy to sensationalize some hackers trying to steal your bank account numbers. Catching Bob from accounting looking at executive pay isn't very exciting. I can understand why so many groups focus on the external. There is also the issue of keeping your employees happy and not making them feel like they work in a bad rendition of 1984.

Sometimes it works to compare a computer security idea to the tangible world. Nobody thinks twice about locking the server room door. Why should anyone take offense to not having access to an area of the network they don't need? A bit like the old saying that locks are really only there to keep the honest people honest.