LinuxWorld: Out of the box, Linux is ‘dreadfully insecure,’ says Beale

Author: JT Smith

by Tina Gasperson
Jay Beale, the lead developer of Bastille Linux and an independent security consultant, says it’s not the Unix-based systems with interesting stuff on them that get hacked, it’s the vulnerable ones. And if you’re not prepared to tighten up what you get from the vendor, it’s just a matter of time.

Beale shared his philosophy for building a secure system Tuesday at a LinuxWorld Expo tutorial on securing Linux/Unix systems. “The purpose of tightening a system is just to make it hard to attack,” he says.

As the development of Linux progresses, many people set up systems that are running lots of features. For instance, in the Mandrake Linux setup, you can choose to install software that makes your computer an FTP server, a Web server, or even an email server.

“If there’s a bug in any one of these features,” says Beale, “then the chances are that someone can exploit one of those features. If you’ve left your system as it is, from the vendor, you’re going to be vulnerable.”

The problem happens when people think that they don’t need extra security measures because their system “just isn’t interesting.” Beale’s example is the average university mathematics department. “If I’m the system administrator, I’m thinking, ‘what could a hacker possibly want with my system?’ so, why worry?” But, Beale says, even the math department he was a part of was continuously cracked.

“The issue is, while you can target a system, an attack more than likely isn’t targeting you specifically,” he says. A script kiddie looks for and downloads exploit code that tells him what to look for. “He sets up a scanner with a huge block of IP addresses. Out of the tens of thousands of addresses, he’ll get a list of a few hundred that are vulnerable. In that list is perhaps my home machine, perhaps the university math department.

“They’re not coming after us because we’re interesting, they’re coming after us because we’re vulnerable.”

The way to stop hackers, says Beale, is to employ what he calls minimalism. “If you can bring your system down from 10 functions to three functions, there’s less of a chance to be exploited. This is why we tighten.”

Beale lists five things that sysadmins can do to lock down their systems:

1. Set up a firewall. “This is not the end of the security process,” Beale says. “But it is a good start.”

2. Decrease the number of privileged programs. By this Beale means don’t run too many applications that give the user power to make changes to the system.

3. Tighten configurations on the remaining programs. Most network daemons can be set to reduce their access and the kinds of interactions they permit.

4. Reduce the number of paths to root. Every user on the system is assigned a number, or UID. Root is assigned the number zero. Some programs automatically run with the root UID, a potential vulnerability. Reducing these kinds of programs reduces the “paths to root.”

5. Deploy intrusion detection. “Tripwire (an application to detect intruders) can be amazingly effective,” says Beale.
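
One way to take the inventory that item 4 implies, as an added example (not code from Beale's tutorial or from Bastille Linux): list the accounts that share UID 0 and the programs that run as root through the set-UID bit. The function names and the sample passwd text are constructed for illustration.

```python
import os
import stat

def uid_zero_accounts(passwd_text):
    """Return account names whose UID field is 0 in passwd-format text."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 3:
            continue  # skip comments and malformed lines
        if fields[2].strip() == "0":
            names.append(fields[0])
    return names

def setuid_programs(top, owner_uid=0):
    """Walk `top` and return regular files that are set-UID and owned by owner_uid."""
    found = []
    for dirpath, _dirs, files in os.walk(top, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable
            if (stat.S_ISREG(st.st_mode)
                    and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                found.append(path)
    return sorted(found)

# Constructed sample, not taken from a real host.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backup admin:/root:/bin/sh
jay:x:1000:1000::/home/jay:/bin/bash
"""

if __name__ == "__main__":
    print("UID 0 accounts:", uid_zero_accounts(SAMPLE_PASSWD))
    for path in setuid_programs("/usr/bin"):
        print("set-UID root:", path)
```

Each entry in either list is a candidate for removal or for having its set-UID bit dropped if the function it provides is not needed.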

Category:

  • Linux

AMD unveils new processor for laptop computers

Author: JT Smith

Anonymous Reader writes “Advanced Micro Devices Inc., the No. 2 maker of microprocessors that are the brains of personal computers, on Monday released its highest-performing chip for laptop computers as the company seeks to gain share in that market.

The Sunnyvale, California-based company said that its AMD Athlon 4 processor 1500+ is available as of Monday for $525 in lots of 1,000. Notebooks using the chip from No. 2 PC maker Compaq Computer Corp will be available on Monday.”

NEWS Source: http://www.machit.com/article.php?sid=468&mode=threado=0

Category:

  • Unix

Microsoft “slowly embracing” Open Source

Author: JT Smith

Wired: “On the eve of LinuxWorld, Microsoft still believes that open source is not a viable model. But some observers think the software giant is slowly embracing the movement.”

Approaches to choosing the strength of your security

Author: JT Smith

LinuxSecurity Contributor writes: “Anton Chuvakin discusses the known approaches to choosing the level of security for your organization, risk assessment, and finding the balance between effective security practices and the existing budget. At LinuxSecurity.com.”

Category:

  • Linux

Dedicated Linux forums supplied to the masses

Author: JT Smith

LinuxPR: “Although many Linux websites provide a forum for their users, how many sites are there that specifically host and maintain a forum for Linux users? Well, NEForums, in conjunction with Let’s Buy Linux have opened up the gateway for such ventures.”

The life and times of the Multics OS

Author: JT Smith

NewsFactor Network writes: “Multics is a mainframe timesharing OS that started as far back as 1965 and was put to rest after a long life in October 2000. You may be asking why you need to know more about an OS that is no longer in use. The answer to that question is, “You’ll never know where you’re going if you don’t know where you’ve been.” Although this saying is a bit corny, it is especially true of Multics because of its influence on today’s operating systems.”

Slash’s Wiki plugin

Author: JT Smith

Onlamp.com: “The latest stable version of Slash comes with several interesting plugins, and most future Slash development will probably involve creating new plugins. In this article, Slashdot’s chromatic introduces Wikis and gives a detailed explanation of how and why the Wiki plugin works.”

‘The people’ weigh in on MS case

Author: JT Smith

Wired: “Thanks to a little-known piece of legislation known as the Tunney Act, the government is required to listen to people’s comments before handing down antitrust rulings. Here’s a peek at what advocates are claiming they’re saying.”

Olliance Consulting Group to lead Open Source study

Author: JT Smith

J.M. Weathersby writes: “Olliance Consulting Group has been selected by the Open-Source Software Institute (OSSI) to lead a coalition of industry vendors in a study of open-source technology’s feasibility for the Naval Oceanographic Office (NAVOCEANO).”

The Open-Source Software Institute (OSSI), a non-profit organization comprised of high-tech industry, government agency and academic entity representatives, recently entered into a Cooperative Research and Development Agreement (CRADA) with the Naval Oceanographic Office, based at Stennis Space Center.

The purpose of this CRADA is to facilitate an exchange of information between NAVOCEANO and OSSI that will (1) produce a technical study concerning the application of open-source software at NAVOCEANO, (2) engage the application of open-source software methodologies and techniques to the vast repositories of application software at NAVOCEANO, (3) provide access to the Government of the intellectual capabilities of OSSI and the open-source industry, and (4) provide a beta test site for the concepts and procedures of OSSI.

“OSSI selected the Olliance Consulting Group to lead the NAVOCEANO study because of their expertise in the business, financial and technical aspects of open-source technologies and their relations with the community and industry vendors,” said John Weathersby, OSSI chairman. “We are confident in Olliance’s ability to lead a diverse team of research and industry experts to produce an objective report as part of the CRADA’s results.”

The OSSI/NAVOCEANO CRADA team will consist of technical and business systems experts from participating OSSI member representatives.

“We are excited with the opportunity to lead the OSSI team on this CRADA project with the Navy,” said Andrew Aitken, Olliance Consulting Group’s managing partner. “The scope of this project allows us to fully utilize our expertise in technology assessment, ROI analysis and systems migration. We also look forward to working with a variety of industry representatives to demonstrate open-source technology’s viability in a DOD environment.”

The CRADA study was initiated in November 2001. The study is expected to take up to nine months to complete.

Open-Source Software Institute

The Open-Source Software Institute is a non-profit organization established to promote the development and implementation of open-source software solutions within Federal and State government agencies and academic entities. For more information contact: http://www.oss-institute.org.

Olliance Consulting Group

Olliance Consulting Group is a leading professional services firm enabling corporations and government organizations to understand and leverage the business and technology value of Open Source technologies. Olliance Consulting Group blends experienced Open Source and proprietary technical and strategic experts within a proven engagement framework to advise, develop, and implement appropriate Open Source solutions. For more information contact: http://www.olliancegroup.com.

Naval Oceanographic Office

NAVOCEANO’s (www.navo.navy.mil) primary mission is to collect and analyze data on the world’s oceans for the Navy and other Department of Defense agencies. As host to one of the world’s largest supercomputing centers and the world’s largest oceanographic library, NAVOCEANO gathers information by airborne, surface and subsurface platforms deployed worldwide. The information is then provided as a wide variety of products and services to the Joint Warfighters in all mission areas.

# # #

Free Software Foundation files statement on Microsoft judgment

Author: JT Smith

bkuhn writes: “The FSF filed a statement on Monday in response to the Proposed Revised Final Judgment in United States vs. Microsoft. A press release and the full response are available.”

Category:

  • Migration