Archive Date
[ 31-12-2001 ]
Category
[ Information Technologies ]
sub-Category
[ Linux ]
[http://hackyourself.com/showarticle.dyn?article=http://www.newsforge.com/article.pl?sid=01/12/05/1229211
Secured against disaster: Governments look to Linux to avoid viruses
Wednesday December 05, 12:46 PM EST [ Security ]
by Jack Bryar -
This week brought an Outlook disaster as yet another virus took down every Windows system in sight. I'm so sick of viruses and badly written software.
Unfortunately, I don't think switching the world to some standard vanilla Linux would solve the problem. It is better, but not foolproof. However, there is a version of Linux that could make viruses a thing of the past. If I could only get past that weird feeling I have concerning the people who wrote it.
Today's column nearly didn't make it to print. All connectivity at my primary employer effectively ceased for nearly six hours when one of our salespeople opened a cute little note from a friend. It said,
"Hi, How are you? When I saw this screen saver, I immediately thought about you. I am in a harry, I promise you will love it."
She didn't love it one bit. Soon everyone in her Microsoft Outlook address book was sent the same message carrying the same copy of the W32/Goner@MM worm, disguised as a purported screen saver, GONE.SCR. In the meantime her system was wrecked: files were altered and executables were corrupted.
Once again MS Outlook was the vehicle for taking down an entire business. It's always something. A few weeks ago the virus du jour was Sircam. Despite all the patches and tweaks, someone is always producing something that can change or delete files, and even entire applications, on Microsoft's monopoly platform.
Windows isn't the only OS with built-in security holes, although it is easily the worst. If anything, Microsoft does better than some of its competitors at fixing those holes. According to a Netcraft survey, the Code Red worm that popped up earlier this year prompted Microsoft to offer a cumulative patch closing many of the most glaring holes in its Web server.
It also prompted many users to pay attention and apply the patch. Meanwhile, security problems on Sun systems remain uncorrected. Even Linux systems have been hit. Judging by the number of defacements reported by a German Web site that tracks such things, Linux and Apache can be messed with as well.
Whatever its flaws, Linux, like the rest of the Unix family, is a lot more difficult to attack with viruses. The separation between ordinary user accounts and the root account means that code run by a user cannot modify system files, which blunts the kind of large-scale attacks that show up on Windows systems with depressing regularity.
In addition, a file does not run just because of its name: Unix executes a file only if its execute permission bit is set, so a mailed "screen saver" is much harder to turn into a Trojan horse. Finally, programs like Tripwire give systems administrators an integrity check that flags unauthorized changes to system files, so tampering by nuisance code is detected instead of going unnoticed.
These features of Linux architecture are among the many reasons that several governments have begun to champion Linux as an alternative platform.
Last year RedFlag Linux was being promoted by China's security apparatus as an alternative to a Windows platform many felt was too vulnerable (not to mention too American). Even today, RedFlag is being promoted using an interesting phrase, as "an alternative solution for governments, armies, and businesses."
Elsewhere, governments such as India have been less public about their Linux preferences. However, even as it has been criticized in the Indian media for ignoring the technological threat posed by Jihadi extremists and Kashmiri separatists, India has quietly hardened its communications backbone using redundant, Linux-based systems in critical sites.
Nevertheless, Linux remains a vulnerable architecture. As Avi Fogel pointed out in a LinuxSecurity.com article earlier this year, Linux, like Windows, has little in the way of intrusion detection capabilities. More importantly, it lacks sufficiently granular network or file access controls.
There's a first principle at stake here: there is something fundamentally wrong with ANY system that allows code to change executables and other core files automatically, without the user's permission.
Oddly enough, the most important intelligence arm of the U.S. government has prepared a fix and wants you to have it, no questions asked. At the beginning of the year, the formerly secretive National Security Agency released a Linux kernel modification, ported to Red Hat Linux 7.1, that carries over a security architecture the agency and its research partners had earlier built into microkernel operating systems (the DTOS and Flask projects). This "Security-Enhanced Linux" has been released under the GPL with supporting documentation and can be downloaded from the agency's Web site. Admittedly, there is no tutorial for this "SELinux" package, and when you try to write a policy and define the domains your programs run in, you are on your own, but it is secure.
SELinux adds mandatory access control to the kernel. Every process and every file carries a security label, and a policy of type-enforcement rules states, for each pair of subject type and object type, which operations (read, write, execute and so on) are permitted; the same mechanism can express both confidentiality and integrity rules. The rules live in a separate "security server" inside the kernel. The rest of the kernel asks it for a decision at each access, and anything the policy does not explicitly allow is denied, whatever user the process happens to be running as.
The result is that a virus should not be able to succeed on a SELinux system. In the unlikely event that one were introduced and then executed, the process it runs in would not be allowed to write to executables of a type the policy has not opened to it, so it could not copy itself into them.
Standard Unix permissions already help here: a program running as an ordinary user cannot modify system executables it does not own. SELinux goes further. Each program runs in its own domain (type), and the policy decides which file types that domain may touch, so the executables a virus would normally target are walled off even from a process that has somehow gained root, and root alone does not confer the right to change the policy. The system may not be foolproof, but as a secure, intelligently configured alternative it beats traditional Unix configurations, and it beats Windows hands down.
Perhaps your company doesn't think replacing Windows with Linux is worth the hassle. But if its systems crashed because of Code Red or Sircam or Goner, or perhaps all three, have them take a look at SELinux, and have a conversation.]