Author: Benjamin D. Thomas
This week, advisories were
released for cvs, neon, perl, logcheck, kernel, iproute, xchat, ident2, utempter,
cadaver, XChat, libneon, MySQL, samba, utempter, OpenSSL, tcp, IA64, XFree86,
tcpdump, and xine. The distributors include Debian, Fedora, Gentoo, Mandrake,
NetBSD, Red Hat, Slackware, and Trustix.
Data Classification
One of the biggest problems in security
today is that business managers and security administrators do not have a good
idea of how much their organization’s proprietary data is worth. Consider the
example of a company’s client details or schematics for a new product. How much
money should be spent to protect it? Who should access it? If this information
is leaked to competitors, how much impact would it have on the business? If
you aren’t asking these types of questions, you should be.
One of the first steps in risk management
in any organization is identifying its assets. Later, a value is assigned to
each asset and known risks are either accepted, transferred, or mitigated. Determining
the value of an organization’s information, however, can very easily become
infinitely complex.
A technique commonly used to assist
with the valuation of information is data classification. The concept involves
assigning a label and in some cases a classification to a piece of information,
or a document. For example, documents in any government agency will be assigned
labels such as unclassified, classified, secret, or top secret. Sometimes labeling
is more granular, including labels such as “unclassified but sensitive” or “internal”.
Most governments implement this in slightly different ways. A security classification
describes who the information is intended for. For example, a budgeting document
could be labeled classified and only intended for the finance and accounting
departments. This means that the document’s label is classified and the classification
is finance and accounting. In theory, only those individuals in the finance
and accounting departments with classified clearance should be able to access
that particular document.
Assigning labels to information
gives security administrators a logical way to create a protection strategy.
Appropriately applying security controls can be easier if similar data is held
in similar places. Returning to the budgeting document example: because it is classified
and intended only for finance or accounting, it should only be stored on a confidential
accounting or finance data store/server. It is not always necessary to have
separate servers for each label. Segmentation can be done just as easily by
assigning group permissions to specific directories on a single server.
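The label-plus-classification rule above, and the segmentation it implies, as an added example that is not part of the original newsletter; the level names, departments, documents, subjects and the /srv/data path layout are all constructed for illustration, and a document with an empty classification is assumed to be unrestricted by department.

```python
# Added example (not from the newsletter): the label + classification rule the
# article describes, with constructed documents, subjects and department names.
from dataclasses import dataclass

# Sensitivity labels, least to most sensitive (article's examples plus "internal").
LEVELS = {"unclassified": 0, "internal": 1, "classified": 2, "secret": 3, "top secret": 4}

@dataclass(frozen=True)
class Document:
    name: str
    label: str                 # sensitivity label, e.g. "classified"
    classification: frozenset  # intended departments; empty = any (assumption)

@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str             # highest label this person is cleared for
    departments: frozenset     # departments this person belongs to

def can_read(subject: Subject, doc: Document) -> bool:
    """Both checks must pass: clearance dominates the label, and the subject
    is in at least one department the document is intended for."""
    if subject.clearance not in LEVELS or doc.label not in LEVELS:
        raise ValueError("unknown label")  # fail closed on unknown labels
    if LEVELS[subject.clearance] < LEVELS[doc.label]:
        return False
    if doc.classification and not (subject.departments & doc.classification):
        return False
    return True

def storage_path(doc: Document) -> str:
    """Segmentation on one server: a directory per label/department pair so
    that group permissions on that directory enforce the classification."""
    depts = "-".join(sorted(doc.classification)) or "all"
    return f"/srv/data/{doc.label.replace(' ', '_')}/{depts}"

# Constructed sample inventory: the article's budgeting document and two more.
BUDGET = Document("FY2004 budget", "classified", frozenset({"finance", "accounting"}))
SCHEMATICS = Document("widget schematics", "secret", frozenset({"engineering"}))
NEWSLETTER = Document("staff newsletter", "unclassified", frozenset())
ALICE = Subject("alice", "classified", frozenset({"finance"}))
BOB = Subject("bob", "top secret", frozenset({"engineering"}))
CAROL = Subject("carol", "unclassified", frozenset({"marketing"}))

def readable(subject: Subject, docs=(BUDGET, SCHEMATICS, NEWSLETTER)) -> list:
    """Names of the documents a subject may access, for an inventory view."""
    return [d.name for d in docs if can_read(subject, d)]
```

Note that Bob's top secret clearance does not grant him the budget: the department check is independent of the label check, which is the point of the article's two-part scheme.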
Data classification allows
managers to more easily determine the type and quantity of information used
by an organization. Also, it can simplify the security administrator’s role
of providing consistent access control across all information used.
Until next time, cheers!
Benjamin D. Thomas
LinuxSecurity
Feature Extras:
Next Generation Internet Defense & Detection System – Guardian Digital has announced the first fully open source system designed to provide both intrusion detection and prevention functions. Guardian Digital Internet Defense & Detection System (IDDS) leverages best-in-class open source applications to protect networks and hosts using a unique multi-layered approach coupled with the security expertise and ongoing security vigilance provided by Guardian Digital.
Interview with Siem Korteweg: System Configuration Collector – In this interview we learn how the System Configuration Collector (SCC) project began, how the software works, why Siem chose to make it open source, and information on future developments.
Security: MySQL and PHP – This is the second installment of a 3 part article on LAMP (Linux Apache MySQL PHP). In order to safeguard a MySQL server to the basic level, one has to abide by the following guidelines.
Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.
Distribution: Debian

| Date | Package | Vulnerability | Description |
|---|---|---|---|
| 4/17/2004 | cvs | Multiple vulnerabilities | Patch fixes bugs for both server and client which allows the creation of |
| 4/17/2004 | neon | Format string vulnerability | These vulnerabilities could be exploited by a malicious WebDAV server to execute |
| 4/19/2004 | perl | Information leak vulnerabilities | DSA 431-1 incorporated a partial fix for this problem. This advisory includes |
| 4/19/2004 | logcheck | Insecure temporary directory | This bug may be exploited to write or read arbitrary directories to which |
| 4/19/2004 | kernel 2.4.17 | Multiple vulnerabilities | This patch takes care of multiple kernel vulnerabilities, specifically for |
| 4/19/2004 | kernel 2.4.19 | Multiple vulnerabilities | Several serious problems have been discovered in the Linux kernel. This |
| 4/19/2004 | zope | Arbitrary code execution vulnerability | A flaw in the security settings of ZCatalog allows anonymous users to call |
| 4/19/2004 | iproute | Denial of service vulnerability | Herbert Xu reported that local users could cause a denial of service against |
| 4/21/2004 | xchat | Buffer overflow vulnerability | This bug allows an attacker to execute arbitrary code on the users’ machine. |
| 4/22/2004 | ident2 | Buffer overflow vulnerability | This vulnerability could be exploited by a remote attacker to execute arbitrary |

Distribution: Fedora

| Date | Package | Vulnerability | Description |
|---|---|---|---|
| 4/21/2004 | utempter | Improper directory traversal vulnerability | An updated utempter package that fixes a potential symlink vulnerability |

Distribution: Gentoo

| Date | Package | Vulnerability | Description |
|---|---|---|---|
| 4/19/2004 | cadaver | Multiple format string vulnerabilities | There are multiple format string vulnerabilities in the neon library used |
| 4/19/2004 | XChat | Stack overflow vulnerability | XChat is vulnerable to a stack overflow that may allow a remote attacker |
| 4/19/2004 | monit | Multiple vulnerabilities | Two new vulnerabilities have been found in the HTTP interface of monit, |

Distribution: Mandrake

| Date | Package | Vulnerability | Description |
|---|---|---|---|
| 4/19/2004 | utempter | Multiple vulnerabilities | Incorrect path validation and denial of service vulnerabilities are patched |
| 4/20/2004 | libneon | Format string vulnerabilities | A number of various format string vulnerabilities were discovered in the |
| 4/20/2004 | xine-ui | Temporary file vulnerability | This problem could allow local attackers to overwrite arbitrary files with |
| 4/20/2004 | MySQL | Temporary file vulnerabilities | An attacker could create symbolic links in /tmp that could allow for overwriting |
| 4/20/2004 | samba | Privilege escalation vulnerability | A user can use smbmnt along with a remote suid program to gain root privileges |
| 4/22/2004 | utempter | Update to patch MDKSA-2004:031 | This patch corrects some small problems with the original utempter patch, |
| 4/22/2004 | xchat | Improper execution vulnerability | Successful exploitation could lead to arbitrary code execution as the user |

Distribution: NetBSD

| Date | Package | Vulnerability | Description |
|---|---|---|---|
| 4/21/2004 | OpenSSL | Denial of service vulnerabilities | This patch fixes two separate Denial of Service vulnerabilities. |
| 4/21/2004 | tcp | Denial of service vulnerability | Patch modifies the TCP/IP stack to minimize the probability of a disconnection |

Distribution: Openwall

| Date | Package | Vulnerability | Description |
|---|---|---|---|
| 4/19/2004 | kernel | Multiple vulnerabilities | Descriptions and links for the newest kernel patches. |

Distribution: Red Hat

| Date | Package | Vulnerability | Description |
|---|---|---|---|
| 4/21/2004 | kernel | Multiple vulnerabilities | Updated kernel packages that fix several minor security vulnerabilities |
| 4/22/2004 | kernel | Buffer overflow vulnerability | Updated kernel packages that fix a security vulnerability which may allow |
| 4/22/2004 | IA64 kernel | Multiple vulnerabilities | Updated IA64 kernel packages fix a variety of security vulnerabilities. |
| 4/22/2004 | XFree86 | Denial of service vulnerability | Flaws in XFree86 4.1.0 allow local or remote attackers who are able to |

Distribution: Slackware

| Date | Package | Vulnerability | Description |
|---|---|---|---|
| 4/19/2004 | tcpdump | Denial of service vulnerability | Upgraded tcpdump packages are available for Slackware 8.1, 9.0, 9.1, and |
| 4/19/2004 | cvs | Arbitrary file creation vulnerabilities | Two separate cvs vulnerabilities, one for the client and one for the server, |
| 4/20/2004 | utempter | Insecure symlink vulnerability | Steve Grubb has identified an issue with utempter-0.5.2 where under certain |
| 4/21/2004 | xine | Insecure temporary file vulnerability | This release fixes a security problem where opening a malicious MRL could |

Distribution: Trustix

| Date | Package | Vulnerability | Description |
|---|---|---|---|
| 4/16/2004 | ppp/squid | ACL escape vulnerability | The PPP fix is a simple bugfix. The Squid fix involves the ability to craft |
| 4/16/2004 | kernel | Multiple vulnerabilities | This patch fixes a variety of kernel security holes, some filesystem related. |
| 4/22/2004 | kernel | Integer overflow vulnerability | A successful exploit could lead to full superuser privileges. |
Category:
- Linux