"Knock" Some Sense into your Linux Laptop
Using Linux and the HDAPS kernel drivers, you can access the embedded accelerometers on Lenovo ThinkPads, then process the accelerometer data to read specific sequences of "knocking" events -- literally rapping on the laptop case with your knuckles -- and run commands based on those knocks. Double tap to lock the screen, and knock in your secret code to unlock. You can also download and use the article's Perl scripts to customize your own knocking input environment.
Anatomy of Security-Enhanced Linux
Linux has been described as one of the most secure operating systems available, but the NSA has taken Linux to the next level with Security-Enhanced Linux (SELinux). In this article, explore the ideas behind SELinux and how it's implemented. SELinux takes the existing GNU/Linux operating system and extends it with kernel and user-space modifications to make it bullet-proof.
Assess system security using a Linux LiveCD
Want to assess security vulnerabilities on your Linux system without lengthy installation and configuration efforts? We introduce four packages -- Auditor, Whoppix, Knoppix-STD, and PHLAK -- that bring you that ability through the magic of LiveCD.
Call components safely
Clicking on a hypertext link while viewing a PDF file shouldn't
be a security problem as long as you trust the viewer it
invokes. But users of xpdf version 0.90 discovered that this
assumption was an extremely bad one. When an xpdf user clicked
on a hypertext link, xpdf started up a viewer (Netscape by
default) and sent the URL to the viewer. So far, so good. But
the xpdf developers decided to start up the viewer by using the
system() call. That was the bad idea.
Configurations to keep your Linux System safe from attack
In this series of articles, learn how to plan, design, install, configure, and maintain systems running Linux in a secure way. In addition to a theoretical overview of security concepts, installation issues, and potential threats and their exploits, you'll also get practical advice on how to secure and harden a Linux-based system.
Connect securely with ssh
You'll undoubtedly want to use ssh to work on your servers from remote sites, but it takes an assortment of tricks to keep progress rolling smoothly.
Create a New Key Type Using Linux Kernel
The Linux key retention service introduced with Linux 2.6 is a great new way to handle authentication, cryptography, cross-domain user mappings, and other security concerns for the Linux platform. Learn the components of the Linux key retention service and get an understanding of its usage with a working sample application.
Developing secure programs
This column explains how to write secure applications; it focuses on the Linux operating system, but many of the principles apply to any system. In today's networked world, software developers must know how to write secure programs, yet this information isn't widely known or taught. This first installment of the Secure programmer column introduces the basic ideas of how to write secure applications and discusses how to identify the security requirements for your specific application. Future installments will focus on different common vulnerabilities and how to prevent them.
Dynamic iptables firewalls
Firewalls are good and fun, but what do you do when you need to
make rapid, complex changes to your firewall rules? Easy. Use
Daniel Robbins' dynamic firewall scripts that are demonstrated
in this article. You can use these scripts to increase your
network security and responsiveness, and to inspire your own
creative designs.
Executing Signed Binaries in Linux Kernel
This tutorial is the second in a two-part series on locking your Linux machines down to streamline the associated support and administration processes. In Part 2 learn how to configure the Linux kernel to execute only signed binaries. In Part 1 you learned how to remove the interpreters from the installation base system to prevent spurious user changes.
Firing up Firewalls
One of the first lines of defense against hackers is your firewall. The firewall acts as a filter, blocking unwanted packets from reaching your network. In most cases, a properly configured firewall will protect a network from viruses such as the Code Red worm, even if there are vulnerable machines residing inside the network.
Identify and Verify Users Based on how they Type
Support user verification through keystroke-dynamics processing by modifying the GNOME Display Manager (GDM). Create and store a one-way encrypted hash of your keystroke patterns when entering your user name. Add code to GDM to read current keystroke patterns and permit a user to log in when the characteristics are a match.
Improve Security with Linux PAM
Linux Pluggable Authentication Module (PAM) can help you protect world-writeable shared directories from abuse. This article for Linux system administrators lays out the steps to enable namespaces with PAM. The pam_namespace module creates a separate namespace for users on your system when they log in to protect users from several types of security attacks.
Improving the security of open UNIX platforms Using Mandrake MD5 checksums
This article takes a look at a little shell application that
uses an innovative approach to increasing open UNIX security. A
step-by-step analysis of the code is provided. The author's
areas of expertise are in Web programming and cutting-edge
network security development.
Installing and securing Red Hat Linux in less than an hour
Want a quick guide to installing and securing Red Hat Linux? This article details the steps required to install Red Hat Linux 8.0 on a production server. It covers the procedures necessary to get the operating system from the setup CDs to your system's hard disk (along with the configuration details to remove any unnecessary packages), shutting down any unnecessary system services, and applying any required system updates from Red Hat. The article is a good reference for Red Hat users who want simple instructions on advanced boot loader options, firewall configuration, security fixes and info about controlling system services.
Introduction to PAM
User authentication has always been a problem. Build it into a program, and it's hard to change. Leave it out, and you have no security at all. Now there's an alternative: PAM, or Pluggable Authentication Modules.
Know How To Prevent Race Conditions
Using a stolen password, Mallory managed to log into an
important server running Linux. The account was a very limited
account, but Mallory knew how to cause trouble with it. Mallory
installed and ran a trivial program with very odd behavior.
Learn what a race condition is and why it can cause security
problems.
Linux Kernel Bug
This article shows us a bug in Linux Kernels newer than 2.4.3; a buffer overflow in Solaris' dtmail; vulnerabilities in CylantSecure, PHPLib, top, Apache, tar, Firewall-1, Arkeia backup software, and IRIX's netprint; and talks about the configuration of Cayman DSL routers.
Linux Lockdown: Removing the Shell
Maintaining an installed base of Linux machines can be a harrowing experience for an administrator. This tutorial is the first in a two-part series that shows you how and why to lock those machines down to streamline the associated support and administration processes. In this tutorial, you learn how to remove the interpreters from the installation base system.
Linux System Auditing by Example
Think you have a secure Linux system? Following best practices during installation and setup is a must, but if you haven't set up regular system auditing, you've only won half the battle. This article discusses some existing tools and offers a couple of sample scripts to automate the process in a real-world environment.
Minimizing privileges
Secure programs must minimize privileges so that any bugs are
less likely to become security vulnerabilities. This article
discusses how to minimize privileges by minimizing the
privileged modules, the privileges granted, and the time the
privileges are active. The article discusses not only some of
the traditional UNIX-like mechanisms for privileges, but some
of the newer mechanisms like the FreeBSD jail(), the Linux
Security Modules (LSM) framework, and Security-Enhanced Linux
(SELinux).
OpenSSH key management, Part 1
In this series, you'll learn how RSA and DSA authentication work, and see how to set up passwordless authentication the right way. In the first article of the series, Daniel Robbins focuses on introducing the RSA and DSA authentication protocols and showing you how to get them working over the network.
OpenSSH key management, Part 2
Many developers use the excellent OpenSSH as a secure, encrypted replacement for the venerable telnet and rsh commands. One of OpenSSH's more intriguing features is its ability to authenticate users using the RSA and DSA authentication protocols, which are based upon a pair of complementary numerical "keys". One of the main appeals of RSA and DSA authentication is the promise of being able to establish connections to remote systems without supplying a password. In this second article, Daniel introduces ssh-agent (a private key cache) and keychain, a special bash script designed to make key-based authentication incredibly convenient and flexible.
OpenSSH key management, Part 3
In this third article in a series, Daniel Robbins shows you how to take advantage of OpenSSH agent connection forwarding to enhance security. He also shares recent improvements to the keychain shell script.
OpenSSH Problems
This article reports that sftp is the weakest link in OpenSSH. Find out what to do about it and problems with Websphere, Red Hat setserial, and Apache running on OS X.
Practical Linux security
Security is a big, challenging topic, but everyone with
server-side responsibilities should know the basic steps.
Cameron outlines a number of ways to keep your user accounts
clean and safe.
SAMBA Remote Root Exploit
This article shows us buffer overflows in the GazTek HTTP Daemon, Solaris Printer Daemon, and w3m; a problem in default SAMBA installations that can be used to gain root access; and problems in Cisco 6400 NRP2 . . .
Secure programmer: Developing secure programs
This column explains how to write secure applications; it
focuses on the Linux operating system, but many of the
principles apply to any system. In today's networked world,
software developers must know how to write secure programs, yet
this information isn't widely known or taught. This first
installment of the Secure programmer column introduces the
basic ideas of how to write secure applications and discusses
how to identify the security requirements for your specific
application. Future installments will focus on different common
vulnerabilities and how to prevent them.
Secure programmer: Keep an eye on inputs
This article discusses various ways data gets into your
program, emphasizing how to deal appropriately with them; you
might not even know about them all! It first discusses how to
design your program to limit the ways data can get into your
program, and how your design influences what is an input. It
then discusses various input channels and what to do about
them, including environment variables, files, file descriptors,
the command line, the graphical user interface (GUI), network
data, and miscellaneous inputs.
Secure programmer: Validating input
In nearly all secure programs, your first line of defense is to
check every piece of data you receive. If you can keep
malicious data from entering your program, or at least keep it
from being processed, your program becomes much harder to
attack. This article shows how to validate input -- one of the
first lines of defense in any secure program.
Secure Programming with the OpenSSL
Create secure server applications with OpenSSL; its documentation makes it look intimidating, but it's actually rather simple. In Part 3 of this three-part series learn how to build a secure server app by building on the concepts from Part 1 for creating a basic secure client, and by going in depth in Part 2 about digital certificates.
Securing Linux for Java services
Enterprise Java expert Dennis Sosnoski starts with his view of how Java server technologies fit with Linux, then gives pointers on setting up the Tomcat Java servlet engine on Linux -- securely.
Securing Linux, Part 2: Planning the installation
Only the paranoid survive, and that is no less true when securing Linux systems as any other. Fortunately, a host of security features are built into the kernel, are packaged with one of the many Linux distributions, or are available separately as open source applications. This second installment covers inventory assessment, risk analysis, identifying user categories and access privileges, and then moves on to a more detailed action plan and steps for safely acquiring a Linux distribution.
Securing Linux: What it means to be secure
Only the paranoid survive, and that is no less true when
securing Linux® systems as any other. Fortunately, a host of
security features are built into the kernel, are packaged with
one of the many Linux distributions, or are available
separately as open source applications. The first in a series,
this article starts you on your way to understanding security
concepts and potential threats, and sets the stage for what you
really need to know: how to secure and harden a Linux-based
installation.
Security Alerts: Linux IP Masquerading
This article shows us buffer overflows in xloadimage, ucd-snmp, Oracle dbsnmp, and xmcd's cda; and vulnerabilities in phpMyAdmin, wvdial, Slackware's man, Linux IP masquerading, and Slackware's locate.
Security: Preventing today's top vulnerability
This article discusses the top vulnerability in Linux/UNIX systems: buffer overflows. This article first explains what buffer overflows are and why they're both so common and so dangerous. It then discusses the new Linux and UNIX methods for broadly countering them -- and why these methods are not enough. It then shows various ways to counter buffer overflows in C/C++ programs, both statically-sized approaches (such as the standard C library and OpenBSD/strlcpy solution) and dynamically-sized solutions, as well as some tools to help you. Finally, the article closes with some predictions on the future of buffer overflow vulnerabilities.
Uncovering the secrets of SE Linux: Part 1
In an uncharacteristic move, the U.S. National Security Agency recently released a security-enhanced version of Linux -- code and all -- to the open source community. This dW-exclusive article takes a first look at this unexpected development -- what it means and what's to come -- and delves into the architecture of SE Linux.