| Subject: | [ISN] Security pros warn of critical flaws in Kerberos |
|---|---|
| Date: | Thu, 2 Sep 2004 06:51:46 -0500 (CDT) |
http://news.com.com/Security+pros+warn+of+critical+flaws+in+Kerberos/2100-1002_3-5343325.html

By Robert Lemos
Staff Writer, CNET News.com
September 1, 2004

Vulnerabilities in a technology widely used for network authentication have left computers running Unix, Linux and Apple Computer's Mac OS X potentially open to attack.

The flaws could allow an online intruder to gain access to computers running a security feature known as Kerberos. The vulnerabilities, found by the developers at the Kerberos Team at the Massachusetts Institute of Technology, should be patched as soon as possible, Sam Hartman, engineering lead for the team, said Wednesday.

"I would not expect this to lead to a worm," Hartman said. "Most sites will patch it because patching is easy to do. Whereas, if you do have a compromise, it is a lot of work to recover."

Kerberos is the keystone to security for many networks. The software essentially acts as a gatekeeper, identifying the people who are allowed to access computers in the network and those who are not. That makes the software flaws particularly pernicious.

The flaws, known as double-free vulnerabilities, are caused because a part of the program attempts to free up the same computer memory space twice. Such errors are not as easy to take advantage of as another, more common memory error--the buffer overflow. That gives administrators a little breathing room, Hartman said.

"We have no reason to believe that anyone has produced an exploit program," he said. "Moreover, this is not something where we have seen an attack in the wild."

Kerberos is a building block of many network security devices and software. Microsoft uses the mechanism to control security in its Active Directory authentication. However, the company uses a homegrown version of Kerberos that is not affected by the flaws, Hartman said.

However, Sun Microsystems' Solaris, Linux from Red Hat and Mandrake, and OS X all use Kerberos.
Some companies, such as Red Hat, have announced patches for the problem, but not all have.

[...]