Study Singles Out Security Slips in Software Sources
July 15th, 2008 by Justin Ryan
A study by researchers at the University of Arizona has revealed that taking over the world — or at least a whole lot of computers — may be easier than we think, using nothing but a server and a simple software repository.
The attack delivers no malware of its own. It exploits how package managers treat signatures: a client checks that a package, or the repository metadata listing it, carries a valid signature from the distribution, but not that it is the current release. A signature on an obsolete package does not stop verifying when a fixed version ships, so an old build presented by a mirror still passes. According to the research team, which studied ten popular package management systems (APT, APT-RPM, Pacman, Portage, Ports, Slaktool, Stork, Urpmi, Yast and YUM), all an attacker needs in order to expose a large number of systems is to set up a mirror repository and configure it to serve only outdated versions of packages. Systems that use the mirror keep installing, and never upgrade away from, packages with known and often widely documented vulnerabilities, which the attacker can then exploit by the usual means.

As a proof of concept, the researchers set up their own rogue repository, managed to have it listed among the official mirrors for CentOS, Debian, Fedora, OpenSuse and Ubuntu, and watched as thousands of unwitting clients, military and government offices among them, used the mirror without noticing anything wrong.
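The following is an added example, not code from the article or from the Arizona study. It simulates the stale-mirror attack in Python against a constructed repository: an HMAC stands in for the distribution's signing key (real repositories use asymmetric signatures, but the freshness logic is the same), and the package name, versions and dates are made up. The first client verifies only the signature, which is the behaviour the study exploits; the second adds two freshness checks, an expiry the publisher writes into the signed metadata and a rollback check against the newest snapshot the client has already accepted.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the repository's signing key.  Real repositories
# sign with an asymmetric key (e.g. GPG); an HMAC keeps the example
# self-contained, and the freshness checks below do not depend on the scheme.
REPO_KEY = b"constructed-repository-signing-key"


def sign_release(metadata):
    """Publisher side: sign one release snapshot (package list plus dates)."""
    body = json.dumps(metadata, sort_keys=True).encode()
    return {"metadata": metadata,
            "sig": hmac.new(REPO_KEY, body, hashlib.sha256).hexdigest()}


def signature_valid(signed):
    """Client side: does the snapshot carry a genuine publisher signature?"""
    body = json.dumps(signed["metadata"], sort_keys=True).encode()
    expected = hmac.new(REPO_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])


def _ts(s):
    return datetime.fromisoformat(s)


# Two genuine snapshots from the same publisher, 90 days apart.  The package
# and its versions are hypothetical; the point is only that the older
# snapshot lists the older build and is still validly signed.
JAN = datetime(2008, 1, 1, tzinfo=timezone.utc)
APR = JAN + timedelta(days=90)
OLD_RELEASE = sign_release({"date": JAN.isoformat(),
                            "valid_until": (JAN + timedelta(days=14)).isoformat(),
                            "packages": {"examplepkg": "1.0-1"}})
NEW_RELEASE = sign_release({"date": APR.isoformat(),
                            "valid_until": (APR + timedelta(days=14)).isoformat(),
                            "packages": {"examplepkg": "1.0-2"}})


def naive_client(signed, now, last_seen_date=None):
    """Checks only that the snapshot is genuinely signed.  An old snapshot
    replayed by a malicious mirror passes, so the client keeps 1.0-1."""
    if not signature_valid(signed):
        return "reject: bad signature"
    return "accept: " + json.dumps(signed["metadata"]["packages"], sort_keys=True)


def hardened_client(signed, now, last_seen_date=None):
    """Same signature check plus two freshness checks:
    1. the publisher-set expiry in the signed metadata has not passed
       (depends on the client clock being right);
    2. the snapshot is not older than the last one this client accepted,
       which blocks rollback even when the clock is wrong."""
    if not signature_valid(signed):
        return "reject: bad signature"
    md = signed["metadata"]
    if now > _ts(md["valid_until"]):
        return "reject: metadata expired"
    if last_seen_date is not None and _ts(md["date"]) < last_seen_date:
        return "reject: rollback to older snapshot"
    return "accept: " + json.dumps(md["packages"], sort_keys=True)


def stale_mirror_scenario():
    """The client last synced against NEW_RELEASE; a malicious mirror now
    serves OLD_RELEASE.  Returns each client's verdict, plus the hardened
    client's verdict when its clock has been set back into the old window."""
    now = APR + timedelta(days=10)
    last_seen = _ts(NEW_RELEASE["metadata"]["date"])
    return {
        "naive": naive_client(OLD_RELEASE, now, last_seen),
        "hardened": hardened_client(OLD_RELEASE, now, last_seen),
        "hardened_clock_set_back":
            hardened_client(OLD_RELEASE, JAN + timedelta(days=5), last_seen),
        "hardened_current": hardened_client(NEW_RELEASE, now, last_seen),
    }


if __name__ == "__main__":
    for name, verdict in stale_mirror_scenario().items():
        print(f"{name:24s} {verdict}")
```

The naive client accepts the January snapshot because it is genuinely signed; nothing in a signature says "superseded". The expiry check only helps if the publisher commits to re-signing before each window closes and the client's clock is trustworthy; the rollback check needs neither, but protects only a client that has synced at least once, so a fresh install against a stale mirror still has to rely on expiry.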
__________________________
Justin Ryan is News Editor for LinuxJournal.com.