[LWN Logo]
[LWN.net]

Sections:
 Main page
 Linux in the news
 Security
 Kernel
 Distributions
 Development
 Commerce
 Announcements
 Back page
All in one big page

See also: last week's Security page.

Security


News

Efforts to build a secure Linux distribution came up this week. The basic idea is to create a new distribution which has security as its primary goal. Other details, like functionality and user friendliness, come later. Such a distribution, if it lived up to its promise, could become the distribution of choice for any of a number of security-critical applications.

There are a few such projects out there, most of which are in the embryonic state. Jon Lasser started things off with a description of a secure distribution project to be done as a project of SANS. His thinking at this point is to start with Red Hat's distribution and tighten security from there.

Alexander Kjeldaas pointed out a couple of obscure, older efforts to make a secure distribution. He also made the point that starting from a distribution like Red Hat is probably a bad idea; it is better to build a secure system from the beginning. In any case, enough of the system will have to be different that starting from an existing distribution does not necessarily buy much in the first place. Alexander gave a list of features a secure system would need to have, relying heavily on cryptography, capabilities, and other techniques.

Rik van Riel revealed that he is currently being paid to produce exactly such a distribution. Le Reseau netwerksystemen intends to create a high-security distribution, then to make its living through service contracts with users throughout northern Europe. They are still at an early stage, having not yet decided which distribution to start with, if any.

So it appears that such a distribution will exist before too long. The benefits should be widespread, since many of the features of a secure distribution will eventually filter back into other distributions.

Security Reports

JavaScript code in the title of a document can be executed by Netscape Communicator in strange contexts. Given the right sequence of events, malicious code could get at a fair amount of personal information, including any password or other information stored in the cache. See this note for more information on the problem. The author believes that the vulnerability could be exploited by HTML mail messages, among other things.

Updates

The latest CERT summary is out. This update covers the sorts of activies they have been seeing recently: viruses, a resurgence of SYN attacks, scanning, etc.

Red Hat has announced a new set of Netscape packages that include version 4.6. Some of the 4.6 changes included security fixes, so they are recommending that all users install the new version.

Resources

Web security is the subject of a bulletinsent out by the CIAC. Rather than talk about any current exploit, it gives a sizeable list of general instructions on how to run a web server in a secure manner.

How script kiddies work. Know your enemy III is a white paper put on by Lance Spitzner which describes just how script kiddies obtain root access on systems they are able to penetrate.

Hints from SecurityPortal. Here's a set of basic security tips for Linux put out by the folks at SecurityPortal.

Events

Computer Security 99 will be happening in Mexico City on October 4-8, 1999. It is intended to cover all aspects of systems security. See the announcement for a description of the conference and the call for papers; if you wish to submit to the conference, the deadline is July 2.

Section Editor: Liz Coolbaugh


May 27, 1999

 

Next: Kernel

 
Eklektix, Inc. Linux powered! Copyright © 1999 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds