Security

News

Efforts to build a secure Linux distribution came up this week. The basic idea is to create a new distribution which has security as its primary goal. Other details, like functionality and user friendliness, come later. Such a distribution, if it lived up to its promise, could become the distribution of choice for any of a number of security-critical applications.

There are a few such projects out there, most of which are in an embryonic state. Jon Lasser started things off with a description of a secure distribution project to be done as a project of SANS. His thinking at this point is to start with Red Hat's distribution and tighten security from there.

Alexander Kjeldaas pointed out a couple of obscure, older efforts to make a secure distribution. He also made the point that starting from a distribution like Red Hat is probably a bad idea; it is better to build a secure system from the beginning. In any case, enough of the system will have to be different that starting from an existing distribution does not necessarily buy much in the first place. Alexander gave a list of features a secure system would need to have, relying heavily on cryptography, capabilities, and other techniques.

Rik van Riel revealed that he is currently being paid to produce exactly such a distribution. Le Reseau netwerksystemen intends to create a high-security distribution, then to make its living through service contracts with users throughout northern Europe. They are still at an early stage, having not yet decided which distribution to start with, if any.

So it appears that such a distribution will exist before too long. The benefits should be widespread, since many of the features of a secure distribution will eventually filter back into other distributions.

Security Reports

JavaScript code in the title of a document can be executed by Netscape Communicator in strange contexts. Given the right sequence of events, malicious code could get at a fair amount of personal information, including any password or other information stored in the cache. See this note for more information on the problem. The author believes that the vulnerability could be exploited by HTML mail messages, among other things.

Updates

The latest CERT summary is out. This update covers the sorts of activities they have been seeing recently: viruses, a resurgence of SYN attacks, scanning, etc.

Red Hat has announced a new set of Netscape packages that include version 4.6. Some of the 4.6 changes included security fixes, so they are recommending that all users install the new version.

Resources

Web security is the subject of a bulletin sent out by the CIAC. Rather than talk about any current exploit, it gives a sizeable list of general instructions on how to run a web server in a secure manner.

How script kiddies work. Know your enemy III is a white paper put out by Lance Spitzner which describes just how script kiddies obtain root access on systems they are able to penetrate.

Hints from SecurityPortal. Here's a set of basic security tips for Linux put out by the folks at SecurityPortal.

Events

Computer Security 99 will be happening in Mexico City on October 4-8, 1999. It is intended to cover all aspects of systems security. See the announcement for a description of the conference and the call for papers; if you wish to submit to the conference, the deadline is July 2.

Section Editor: Liz Coolbaugh
May 27, 1999