- Several vendors released patches for assorted vulnerabilities in the Linux kernel, including Debian (three separate advisories), Mandrake, and SUSE. The bugs addressed vary, but every one of them can be leveraged into a root compromise, so treat these as priority updates.
- OpenPKG and Debian released MySQL patches for a bug that could let a local user overwrite files with the permissions of the account MySQL runs as (all too often root, which is one more reason not to run it that way).
- Several vendors also patched a vulnerability in the version control software CVS that could allow an attacker to create arbitrary files on a local user’s disk. Look for patches from OpenPKG, Mandrake, SUSE, and
- HP issued a patch for systems running IPsec/IKE (Internet Key Exchange) that are vulnerable to an exploit leading to a root compromise.
Tips of the Trade
One of the tools the blackhats used in that break-in was a piece of software called “John the Ripper” (“John” henceforth). Some reports call John “sophisticated” and say it “sniffs” passwords. Without taking anything away from its developers, John isn’t particularly exotic, and it doesn’t “sniff” anything: it takes a copy of the system’s password hashes and throws guesses at them, first a wordlist with mangling rules (the dictionary attack) and then plain brute force, until the weak ones fall.
John is, in fact, so common that the best way to keep it from having its way with your password file is to run it against that file yourself first, before an attacker compromises an account (by guessing a weak password, for example) and does it for you. On a modern system the hashes live in /etc/shadow, which only root can read, so the audit has to be run as root, and an attacker needs root, or a leaked copy of the file, before John does them any good.
A visit to the John the Ripper home page provides download information. Versions are available for a wide variety of Unix and Linux variants as well as OpenVMS, Microsoft Windows, and a few others.
You can also take a look at Crack, which does much the same thing and has the benefit of one of the snarkiest FAQs on the ’net. Snark aside, the FAQ provides download links and useful information about getting it up and running on your system.
Both programs will turn up the dreaded “plain English password” in your users’ accounts. Neither stops users from picking one in the first place; that is where the next tip comes in.
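To make the point concrete, here is what the wordlist attack John and Crack perform looks like at toy scale. This is an added example, not code from John the Ripper or Crack: each candidate word is run through a few mangling rules, hashed with the account’s salt, and compared with the stored hash. Real /etc/shadow entries use crypt(3) formats ($1$, $5$, $6$ and so on); this example stores salted SHA-256 under a made-up “$toy$” scheme so it runs anywhere. The shadow lines, hashes and wordlist are all constructed for the example.

```python
"""Wordlist audit of a shadow-style password file, in the spirit of John/Crack.

Added example, not code from John the Ripper or Crack.  The "$toy$" hash
scheme, the accounts, their hashes and the wordlist are constructed here.
"""
import hashlib
from typing import Dict, Iterator, List

SCHEME = "toy"  # hypothetical scheme id; stands in for crypt(3)'s $6$ etc.


def hash_password(password: str, salt: str) -> str:
    """Toy stand-in for crypt(3): '$toy$<salt>$<hex sha256(salt + password)>'."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"${SCHEME}${salt}${digest}"


def parse_shadow(text: str) -> Dict[str, str]:
    """Map username -> hash field for every line that carries a real hash.

    Locked or passwordless entries ('!', '*', '!!', empty) are skipped, as
    John skips them, so they are not counted as uncracked."""
    hashes: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        if not field or field.startswith(("!", "*")):
            continue
        hashes[user] = field
    return hashes


def mangle(word: str) -> Iterator[str]:
    """A small subset of John's wordlist rules: case changes, common
    suffixes, reversal and the usual a->@, e->3, o->0 substitutions."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        yield base + "1"
        yield base + "123"
        yield base + "!"
    yield word[::-1]
    yield word.replace("a", "@").replace("e", "3").replace("o", "0")


def audit(shadow_text: str, wordlist: List[str]) -> Dict[str, str]:
    """Return {user: recovered_password} for every account whose hash matches
    some mangled wordlist entry.  Accounts absent from the result survived."""
    cracked: Dict[str, str] = {}
    for user, stored in parse_shadow(shadow_text).items():
        _, scheme, salt, _ = stored.split("$")
        if scheme != SCHEME:
            continue  # unknown format; John would say "No password hashes loaded"
        for word in wordlist:
            hit = next((c for c in mangle(word)
                        if hash_password(c, salt) == stored), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked


# Constructed sample data.  Hashes are generated here rather than pasted so the
# example stays self-consistent; in practice you read /etc/shadow as root.
WORDLIST = ["password", "letmein", "secret", "dragon", "welcome"]

SAMPLE_SHADOW = "\n".join([
    "root:"  + hash_password("Tq7!vX9pL2#wR", "k1a9") + ":19000:0:99999:7:::",
    "alice:" + hash_password("Password1", "z8b2")     + ":19000:0:99999:7:::",
    "bob:"   + hash_password("letmein", "m4c7")       + ":19000:0:99999:7:::",
    "carol:" + hash_password("s3cr3t", "p0d3")        + ":19000:0:99999:7:::",
    "dave:!:19000:0:99999:7:::",   # locked account, skipped
    "sshd:*:19000:0:99999:7:::",   # system account, no password
])

if __name__ == "__main__":
    for user, pw in sorted(audit(SAMPLE_SHADOW, WORDLIST).items()):
        print(f"{user}: {pw}")
```

Run as is, it reports alice, bob and carol and leaves root alone. With the real tool the same workflow is `unshadow /etc/passwd /etc/shadow > mypasswd` (as root), then `john --wordlist=/path/to/words --rules mypasswd`, and `john --show mypasswd` to list the accounts that fell; the file you create holds your users’ hashes, so keep it on a private filesystem and delete it when the audit is done.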
Finally, consider installing pam_passwdqc, a PAM module that checks the strength of passwords users enter through the passwd command (or any other PAM-aware program that changes passwords). Among its tricks are rejecting a new password that is too similar to the old one and offering users a randomly generated passphrase when they run passwd.
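The checks described above, as an added example in Python rather than pam_passwdqc’s own C code: a minimum length, a dictionary test that strips the trailing digits and punctuation people bolt onto a word, a “based on the old password” test approximated with a longest-common-substring rule, and the random-passphrase offer. The thresholds, the dictionary and the word list for passphrases are assumptions constructed for the example; the real module takes its policy from /etc/passwdqc.conf or the PAM line.

```python
"""Proactive password checks in the style of pam_passwdqc.

Added example, not pam_passwdqc's own code.  MIN_LENGTH, MIN_COMMON,
DICTIONARY and DICEWARE are assumed values constructed for the example.
"""
import secrets
from typing import Optional

MIN_LENGTH = 10       # assumed policy
MIN_COMMON = 4        # shared run shorter than this never counts as "based on"
DICTIONARY = {"password", "letmein", "secret", "dragon", "welcome"}
DICEWARE = ["alpine", "brass", "cobalt", "drift", "ember", "falcon",
            "granite", "harbor", "indigo", "juniper", "kelp", "lumen"]


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest run of characters shared by a and b."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def is_based_on(new: str, old: str) -> bool:
    """True if `new` is derived from `old` (or `old` reversed), ignoring case:
    a shared run of at least MIN_COMMON characters that covers half or more
    of the new password.  Approximates passwdqc's 'is based on' test."""
    a, b = new.lower(), old.lower()
    for old_form in (b, b[::-1]):
        common = longest_common_substring(a, old_form)
        if common >= MIN_COMMON and common * 2 >= len(a):
            return True
    return False


def check_password(new: str, old: Optional[str] = None) -> Optional[str]:
    """Return None if `new` is acceptable, otherwise the reason it was rejected,
    in the order passwd would complain: length, dictionary, similarity."""
    if len(new) < MIN_LENGTH:
        return f"too short (minimum {MIN_LENGTH})"
    stripped = new.lower().rstrip("0123456789!@#$%")   # 'Welcome123!' -> 'welcome'
    if new.lower() in DICTIONARY or stripped in DICTIONARY:
        return "based on a dictionary word"
    if old is not None and is_based_on(new, old):
        return "too similar to the old password"
    return None


def suggest_passphrase(words: int = 4) -> str:
    """Offer a randomly generated passphrase, as passwdqc does from passwd.
    secrets, not random, so the suggestion is not predictable."""
    return "-".join(secrets.choice(DICEWARE) for _ in range(words))


if __name__ == "__main__":
    for candidate, previous in [("short", None), ("Welcome123!", None),
                                ("Granite-Harbor-7", "Granite-Harbor-6"),
                                ("Kelp-Drift-Ember-2", "Granite-Harbor-7")]:
        print(candidate, "->", check_password(candidate, previous) or "ok")
    print("suggestion:", suggest_passphrase())
```

The similarity rule is the interesting part: a plain “old in new” test misses the most common dodge, bumping the trailing digit, while the shared-run test catches Granite-Harbor-6 to Granite-Harbor-7 and still lets a genuinely new passphrase through.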