Very, very interesting..

> The attacks outlined in the study could give an attacker the ability to
> read or erase files on the system, capture passwords, set up a backdoor into
> the system or carry out other malicious activity, the researchers said.
> The technique outlined by the University of Arizona researchers is not to
> feed malicious code directly to a target system via a package manager, but
> rather to cause the package manager to install an older piece of legitimate
> software with known bugs, or to prevent the system from updating to a newer
> software package that fixes known bugs.
>
> The attacks work because of flaws in the system of secure signatures for
> packages and for the metadata describing the packages in a repository, the
> researchers said.
>
> In the case of many distributions, the signatures either never expire or
> the package manager used by the distribution isn't set up to support
> signature expiry.
> http://news.zdnet.co.uk/security/0,1000000189,39446765,00.htm

> Security vulnerabilities are often the result of software bugs. It is
> important to keep software up-to-date, as malicious parties often can
> exploit bugs in outdated software. Package managers were created to automate
> the process of package update and installation, however, if the package
> manager is not secure, it may represent another avenue of attack!
>
> Package managers are normally run with unrestricted access in order to
> allow them to modify critical system software. The package manager's
> actions, therefore, affect the entire system and make the security of
> package managers vital.
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html#overview

> Secret Key Techniques: Secret key techniques are based on the fact that the
> sender and recipient share a secret, which is used for various cryptographic
> operations, such as encryption and decryption of messages and the creation
> and verification of message authentication data. This secret key must be
> exchanged in a separate out of bound procedure prior to the intended
> communication (using a PKI for example).
>
> Public Key Techniques: Public Key Techniques are based on the use of
> asymmetric key pairs. Usually each user is in possession of just one key
> pair. One of the pair is made publicly available, while the other is kept
> private. Because one is available there is no need for an out of band key
> exchange, however there is a need for an infrastructure to distribute the
> public key authentically. Because there is no need for pre-shared secrets
> prior to a communication, public key techniques are ideal for supporting
> security between previously unknown parties.
>
> Asymmetric Key Pairs: Unlike a front door key, which allows its holder to
> lock or unlock the door with equal facility, the public key used in
> cryptography is asymmetric. This means just the public key can encrypt a
> message with relative ease but decrypt it, if at all, with considerable
> difficulty. Besides being one-way functions, cryptographic public keys are
> also trapdoor functions - the inverse can be computed easily if the private
> key is known.
> http://www.edos-project.org/xwiki/bin/view/Main/SecurityTopic

It's always been evident. While desktop users could care less, I believe this is a significant issue in professional environments.
_______________________________________________
Slugnet mailing list
[email protected]
http://wiki.lugs.org.sg/LugsMailingListFaq
http://www.lugs.org.sg/mailman/listinfo/slugnet
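As an added example (not from this post or from the quoted articles), here is the client-side check that the quoted ZDNet piece says many package managers lacked: repository metadata that carries an expiry time and a monotonically increasing version, so a mirror cannot keep replaying an old, still correctly signed snapshot or roll clients back to one listing outdated packages. The key, the `sign_metadata`/`verify_metadata` names and the package data are all constructed for the demo; stdlib HMAC stands in for the repository's public-key signature so the block runs offline.

```python
import hashlib
import hmac
import json

# Constructed key for this stand-alone demo only. A real repository signs
# with a private key and clients verify with the distributed public key;
# HMAC is used here so the example runs with the standard library alone.
REPO_KEY = b"constructed-demo-repository-key"


def _canonical(meta):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()


def sign_metadata(meta, key=REPO_KEY):
    """Repository side: attach a signature over the metadata snapshot."""
    sig = hmac.new(key, _canonical(meta), hashlib.sha256).hexdigest()
    return {"signed": meta, "sig": sig}


def verify_metadata(bundle, last_seen_version, now, key=REPO_KEY):
    """Client side: accept a snapshot only if it is authentic, unexpired and
    not older than the snapshot this client already trusted. Returns (ok, why)."""
    meta = bundle["signed"]
    expected = hmac.new(key, _canonical(meta), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle.get("sig", "")):
        return False, "bad signature"
    # A short expiry bounds how long a once-valid snapshot can be replayed
    # to keep clients on old packages (the "prevent updating" case above).
    if now >= meta["expires"]:
        return False, "expired"
    # A monotonically increasing version stops a mirror from substituting an
    # older, still correctly signed snapshot that lists vulnerable versions.
    if meta["version"] < last_seen_version:
        return False, "rollback"
    return True, "ok"


# Constructed snapshots: times are arbitrary epoch seconds, packages fictional.
CURRENT = sign_metadata({"version": 7, "expires": 1_000_000,
                         "packages": {"demo-tool": "2.1"}})
OLDER = sign_metadata({"version": 6, "expires": 950_000,
                       "packages": {"demo-tool": "2.0"}})

if __name__ == "__main__":
    print(verify_metadata(CURRENT, last_seen_version=6, now=900_000))
    print(verify_metadata(OLDER, last_seen_version=7, now=900_000))     # rollback
    print(verify_metadata(CURRENT, last_seen_version=7, now=1_000_001))  # expired
```

Expiry is checked before version so that a snapshot that is both old and expired is reported as expired; either failure should make the client keep its last trusted snapshot rather than install from the rejected one.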
