Educause Security Discussion mailing list archives
Re: Linux Grinch attack
From: "Boyd, Daniel" <dboyd () BERRY EDU>
Date: Thu, 18 Dec 2014 21:22:47 +0000
My observation after reading what materials I have found is this - exploiting this requires the equivalent of dropping dominoes on the floor, and all of them landing upright and within range of each other to allow the "hacker" to touch the first one and bring them all tumbling down.

Our Linux systems do not have packagekit (which IMO is a piece of software looking for a use case - why would you mix up packages from different Linux systems - you are begging for something to break) installed by default, so this is mostly a nonissue for us.

The other question is: Why would you by default allow a user who does not have root privilege to install system software without some kind of authentication/verification? Sounds like a hack waiting to happen.

The headlines I have seen have been over-hyped and sensational in nature - feels like a publicity stunt.

Dan

Daniel H. Boyd (94C)
Senior Network Architect
Security Governance and Documentation Committee Chair
Network Operations
Berry College
Phone: 706-236-1750
Fax: 706-238-5824

There are two rules to follow with your account passwords:
1. NEVER SEND YOUR PASSWORD VIA EMAIL (TO ANYONE)!!!!!
2. If unsure, consult rule #1

-----Original Message-----
From: Lisciotti, Kevin [mailto:klisciotti () UMASSP EDU]
Sent: Wednesday, December 17, 2014 10:04 AM
Subject: Linux Grinch attack

Has anyone picked up on this Grinch attack that was announced yesterday?
http://www.scmagazine.com/impact-of-linux-bug-grinch-spans-servers-workstations-android-devices-and-more/article/388689/