Security News > 2003 > July > Linux Advisory Watch - July 11th 2003
+----------------------------------------------------------------+ | LinuxSecurity.com Linux Advisory Watch | | July 11th, 2003 Volume 4, Number 27a | +----------------------------------------------------------------+ Editors: Dave Wreski Benjamin Thomas dave () linuxsecurity com ben () linuxsecurity com Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were released xpdf, ml85p, openldap, imp, php, semi, x-face-el, liece, mozart, skk, unzip, xbl, phpsysinfo, and teapop. The distributors include Conectiva, Debian, Mandrake, and TurboLinux. Again, there were no particularly serious vulnerabilities this week. However, it is imperative that you make an effort to keep your servers up-to-date. It's mid-July, which means 'vacation month' for many of our readers. When going on leave from work, there are often many things that needs to be prepared for. Often, a system administrator will ensure that all systems are fully patched and up-to-date, backup and restore functions are working correctly, and other users have the appropriate access so that minor problems can be taken care of while away. Hypothetically, this could mean a senior administrator is giving a junior admin full rights, or perhaps the root passwords to the servers. Next, if he senior admin has an over-sized ego (most likely) he/she will feel compelled to add an autoreply message to his/her email. Because this senior admin is very proactive, he/she is subscribed to over 30 security related mailing lists. Because this hypothetical senior admin took only a 1/2 day on Friday, he/she did not take the time to ensure that autoreply was setup to only reply to emails from the same domain. Instead, the account was configured to reply to every single email received. By mid-Saturday, the autoreply "feature" has kicked out over 100 emails. Although primarily replies to bogus spam addresses, several were sent to un-moderated mailing list. What does this mean? The entire world knows the senior admin is "in Florida, please contact my staff Jr. Admin, Ryan Typesalot." It's now Monday morning, quiet, and Ryan is just now getting settled in at this desk. He receives a call from "patient social engineer" who has been waiting for the perfect time to attack this this company. What happens next? Because our patient social engineer knows that the senior admin is out of the office for the next two weeks, and that Ryan Typesalot is eger to solve problems, the attack is started. You can probably figure out what will happen next. Ryan is conned into believing that the person on the other side of the phone is a company executive who is on the road and needs immediate access to his network home directory and several passwords resets. What is the moral of this story? Don't give out more information that you have to. If you're going on vacation, you should only let the minimum number of people know. If you must use autoreply, it is necessary to keep it intracompany. Many of you probably already know this and already take every necessary precaution. However, each time we send this newsletter out, we receive quite a few auto replies. I don't want to tell you that it should never be used, only that "features" such as autoreply should be used carefully. Until next time, Benjamin D. Thomas ben () linuxsecurity com --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf