Wednesday, June 30, 2010

Check List for Linux Security

Linux is an amazing operating system considering how it was originally created. It began as a modest program written as a hobby by one person, Linus Torvalds of Finland, and has grown into a full-fledged 32-bit operating system. It is solid and stable, and it supports an incredible number of applications. It has very powerful capabilities, runs very fast and rarely crashes.

Unfortunately, Linux machines are broken into almost every day. This happens not because Linux is an insecure operating system; it contains all the tools necessary to make it very secure. The truth is that it hasn't become significantly more secure as its popularity has increased. On the other hand, our understanding of hackers' methods, together with the wide variety of tools and techniques now available, helps system administrators secure their Linux computers.

Our goal in this article is to list the most critical situations, and how to prevent an invasion with simple measures.

1-    Weak passwords – By far the first and most common method hackers use to try to penetrate a Linux system is cracking a password, preferably that of the root user. Usually they will target an ordinary user first and then, using that user's access to the operating system, try to gain privileged access by cracking the root password. A good password policy and good passwords are absolutely critical to the security of any computer. Some common mistakes when selecting a password:
A- using "password" as the password.
B- using the name of the computer.
C- a well-known name from science, sports or politics.
D- a reference to movies.
E- anything that is part of the user's web site.
F- references associated with the account.

The latest versions of Linux offer shadowed passwords. If a cracker can see an encrypted password, cracking it is a simple task. So, instead of being stored in the passwd file, passwords are now stored in the shadow file, which is readable only by root. Before a hacker can crack a password, he needs to figure out an account name, so simple account names must be avoided as well. Another security measure is to apply a "no login" shell to the account in the passwd file. This must be done for all accounts that don't need to log in to the system. Examples are apache, mysql, ftp and others.

Limit which terminals root may log in from. If the root account is allowed to log in only from certain terminals that are considered secure, it will be almost impossible for a hacker to penetrate the system. This can be done by listing the allowed terminals in /etc/security. The login program will consider any terminal not listed in this file insecure. The file is readable only by root.
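The shadowed-password and "no login" checks described above can be automated. The following is an added example, not part of the original post: it audits passwd-format text, and the service account names, the accepted no-login shells and the sample entries are assumptions constructed for illustration.

```python
# Shells that refuse interactive logins (assumption: adjust for your distribution).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
# Assumption: service accounts are recognised by name, as in the examples above.
SERVICE_ACCOUNTS = {"apache", "mysql", "ftp"}

# Constructed sample in /etc/passwd format; the hash is a placeholder, not a real one.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
ftp:$1$constructed$NOT-A-REAL-HASH:14:50:FTP User:/var/ftp:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
"""

def audit_passwd(text, service_accounts=SERVICE_ACCOUNTS):
    """Return a sorted list of (account, finding) tuples for passwd-format text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        name, pw, _uid, _gid, _gecos, _home, shell = fields
        # "x" means the hash lives in the shadow file; a leading "*" or "!"
        # means no usable password. Anything else is readable by every user.
        if pw == "":
            findings.append((name, "empty password field"))
        elif not (pw == "x" or pw.startswith(("*", "!"))):
            findings.append((name, "password hash stored in passwd, not shadow"))
        # Accounts that never need to log in should carry a no-login shell.
        if name in service_accounts and shell not in NOLOGIN_SHELLS:
            findings.append((name, f"service account has login shell {shell}"))
    return sorted(findings)

if __name__ == "__main__":
    for account, finding in audit_passwd(SAMPLE):
        print(f"{account}: {finding}")
```

On a live system, pass the contents of the passwd file to audit_passwd() instead of SAMPLE.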

2-    Open Network Ports


A default Linux installation provides the operating system with tons of software and services. Several of them are not necessary, or even wanted, by the administrator. Removing this software and these services will close the path to several attacks and improve security. The /sbin/chkconfig program can be used to stop services from starting automatically at run levels 3, 4 and 5. Log in as root and type /sbin/chkconfig --list to view all the services set to start automatically. Select the ones you don't need and type /sbin/chkconfig --level 345 name_of_service off. You must do this for every service you don't want to keep running. The xinetd server can be used to disable other services as well.
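The review of chkconfig --list output described above can be scripted. This is an added example, not part of the original post: it parses a listing and prints the commands that would switch off every service outside an allowlist. The sample listing and the allowlist are constructed, and the parser assumes the usual "name 0:off ... 6:off" layout followed by an "xinetd based services:" section.

```python
import re

# Constructed sample of `chkconfig --list` output.
SAMPLE = """\
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off

xinetd based services:
        rsync:          off
        telnet:         on
"""

def services_to_disable(listing, keep, levels="345"):
    """Return chkconfig commands for services not in `keep` that are on."""
    commands = []
    in_xinetd = False
    for line in listing.splitlines():
        if not line.strip():
            continue
        if line.strip().lower().startswith("xinetd based services"):
            in_xinetd = True          # the lines that follow use "name: on|off"
            continue
        if in_xinetd:
            m = re.match(r"\s*([\w.-]+):\s+(on|off)\s*$", line)
            if m and m.group(2) == "on" and m.group(1) not in keep:
                # xinetd services have no run levels, so no --level option
                commands.append(f"/sbin/chkconfig {m.group(1)} off")
            continue
        parts = line.split()
        name = parts[0]
        states = dict(p.split(":", 1) for p in parts[1:] if ":" in p)
        # Flag the service only if it is on at one of the levels of interest.
        if name not in keep and any(states.get(lv) == "on" for lv in levels):
            commands.append(f"/sbin/chkconfig --level {levels} {name} off")
    return commands

if __name__ == "__main__":
    # Assumption: sshd is the only service this machine needs.
    for cmd in services_to_disable(SAMPLE, keep={"sshd"}):
        print(cmd)
```

The script only prints commands, so the administrator can review the list before running anything as root.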


3-    Old Software Versions


Vulnerabilities are found in programs every day, and most of them are fixed promptly. It is important, and sometimes critical, to keep up with the changes. There are mailing lists for every Linux distribution where one can find security-related information and the latest vulnerabilities found.
Some places to watch for security holes are:
·    http://www.redhat.com/mailman/listinfo/redhat-announce-list
·    http://www.debian.org/MailingLists/
·    http://www.mandrakesecure.net/en/mlist.php
·    http://www.suse.com/us/private/support/security/index.html
·    http://www.freebsd.org/security/index.html
·    http://www.linuxtoday.com/
·    http://www.lwn.net/
It is crucial to ensure that released security patches are applied to the programs as soon as they are available. The hacker community will be aware of the discovered holes and will try to exploit them before the fixes are applied.

4-    Insecure and Badly Configured Programs

Some programs have a history of security problems. IMAP, POP, FTP, port map and NFS, to name a few, are the best known. The good thing is that most of these programs can be replaced by a secure version like spop, sftp or scp.

It is important that, before deploying any service, the administrator investigates its security history. Sometimes simple configuration measures can prevent serious headaches in the future.



Some advice regarding web server configuration is well worth mentioning:

-    Never run the web server as a privileged user;
-    Do not keep clients' confidential data on the web server – credit card numbers, phone numbers and mailing addresses must be recorded on a different machine;
-    Make sure the privileged data that a user supplies on a form does not show up as a default for the next person to use the form;
-    Establish acceptable values for data that is supplied by web clients;
-    Check for vulnerabilities in CGI programs.



5-    Stale and Unnecessary Accounts

When a user no longer uses his/her account, make sure it is removed from the system. A stale account won't have its password changed periodically, which leaves a hole. Publicly readable or writable files owned by that account must be removed. When you remove an unnecessary service, make sure you remove or disable the corresponding account.

Security Resources on the Web

Bugtraq – Includes detailed discussions of Unix security holes
http://www.securityfocus.com/

Firewalls – Discuss the design, construction, operation, and maintenance of firewall systems.

http://www.isc.org/services/public/lists/firewalls.html

RISKS – Discusses risks to society from computers

http://www.risks.org/

Insecure.org

http://www.insecure.org/

Best Passwords You Should Practice

No sane person would ever like someone else reading her email. Or for that matter some other person using her password and breaking into a financial institution. You should, therefore, choose a strong, secure password in such a manner that would be a hard nut to crack for others and easy for you to remember. The more random and mixed-up you make it, the harder it is for others to crack. Mind you, if your password is compromised, the password crackers will even take over your identity.

A password that is too short is vulnerable if an attacker gets hold of its cryptographic hash. Present-day computers are fast enough to try all alphabetic passwords shorter than seven characters. We can call a password weak if it is short, if it is a default, or if it can be rapidly guessed by searching a subset of all possible passwords, such as words in the dictionary, proper names, words based on the user name or common variations on these themes.

On the other hand, a strong password is sufficiently long and random, or can be produced only by the user who chose it, so that guessing it would take too long.

For maximum security, the user should follow some simple guidelines:

1) Passwords should preferably be at least 8 characters long and not more than 14.

2) Passwords should contain a mix of numbers, letters, and special characters (%&3ac_ht4@m7).

3) Passwords should not contain a dictionary word from any dictionary, be it French, Spanish, medical, etc.

4) Each password should be different from the user's User-ID and any permutation of that User-ID.

5) New passwords and old passwords should differ by at least 3 characters.

6) Avoid picking names or nicknames of people, pets, or places, or personal information that can be easily found out, such as your birthday, address etc.

7) It's wise to stay away from common keyboard sequences, such as dfgh678 or abc345.

8) Never form a password by appending a digit to a word. That can be easily guessed.

9) Avoid writing your password down or storing it on your computer.

10) Never share your password with anyone else.
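
Several of the guidelines above (1, 2, 3, 4, 5, 7 and 8) can be checked mechanically when a user picks a new password. The checker below is an added example, not part of the original post. The tiny word list, the keyboard rows and the user ID "jsmith" are assumptions constructed for illustration, and guideline 5 is read here as a position-by-position comparison.

```python
import string

# Constructed mini word list (assumption: a real check loads a full dictionary).
WORDS = {"password", "dragon", "soccer", "linux"}
# Keyboard rows plus the alphabet, used to spot runs such as "dfg" or "abc".
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", string.ascii_lowercase]

def has_run(pw, n=3):
    """Guideline 7: True if pw contains n adjacent characters from one row."""
    low = pw.lower()
    return any(low[i:i + n] in row for row in ROWS for i in range(len(low) - n + 1))

def differing_chars(a, b):
    """Guideline 5: count positions that differ, plus any length difference."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))

def check_password(pw, user_id, old_pw=None, words=WORDS):
    """Return the numbers of the guidelines above that the candidate violates."""
    low, bad = pw.lower(), []
    if not 8 <= len(pw) <= 14:
        bad.append(1)
    if not (any(c.isdigit() for c in pw) and any(c.isalpha() for c in pw)
            and any(c in string.punctuation for c in pw)):
        bad.append(2)
    if any(w in low for w in words):
        bad.append(3)
    if sorted(low) == sorted(user_id.lower()):  # the User-ID or a permutation
        bad.append(4)
    if old_pw is not None and differing_chars(pw, old_pw) < 3:
        bad.append(5)
    if has_run(pw):
        bad.append(7)
    stem = low.rstrip(string.digits)
    if stem != low and stem in words:  # guideline 8: a word with digits appended
        bad.append(8)
    return bad

if __name__ == "__main__":
    # "%&3ac_ht4@m7" is the sample from guideline 2; the rest are constructed.
    for cand in ("%&3ac_ht4@m7", "dragon7", "htimsj", "dfgh678!x"):
        print(cand, check_password(cand, "jsmith"))
```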

Right Path for Computer Lessons

If you don’t know how to use a computer at all, it’s a good idea to get a computer lesson and get started. Even just having a basic working knowledge of how to use a computer and how to use the internet will drastically increase the amount of things you can do and open a lot of doors that would otherwise be shut for you.

Indeed, if you are still working or looking for employment (i.e., not yet retired), knowing how to use a computer will allow you to do a world of different jobs you never would have been able to do before.

You are extremely limited in the kind of work you can do without any knowledge of computers, so it is well worth whatever the fees are for a computer lesson or two.

Of course, if you are reading this you probably already have at least a basic knowledge of computers because you are online right now. Even if you already know the basic skills to use the internet and some simple programs like word processors or spread sheet programs, an additional computer lesson or two can still be very valuable.

Most programs have loads of features above and beyond the more obvious ones. Word for Windows and Excel, for example, may seem pretty self-explanatory initially, but with a couple of computer lessons you can do things you never would have dreamed of before, even with such standard programs.

Even operating systems, like Windows XP or the Mac OS series have loads of features and nuances that a few computer lessons can expose for you.

I took some night school classes held at a local high school on the beast of a program that is Adobe Photoshop a while back, and the computer lessons were invaluable to me. I have just begun to crack the surface of that particular program and yet I can do things with photos I never would have imagined before.

Live classes are probably the most effective way to get a computer lesson, but another thing I recommend is buying computer courses in the form of interactive CD-ROMs or DVDs to be played on your computer.

These can be done at your own convenience, in the comfort of your home, and are generally less expensive. One I recommend is ‘Video Professor’. His commercials are kind of annoying, but they are very affordable computer lessons and cover the basics for most programs you’d ever use.

Computer and Internet Lingo You Must Know

Computer-related things tend to have a language all their own. While you do not need to know all of it, there are many confusing words and phrases that you are going to come across sooner or later.

Bandwidth. Bandwidth is the amount of data that your website can send each second, as well as the amount of data that the visitor to your website can receive. If either one does not have enough bandwidth, then the website will load slowly.

For this reason, you should choose a host with plenty of bandwidth, and test that your site doesn't take too long to download on slow connections.

Browser. A browser is the software (see below) that visitors to your site use to view it. The most popular browser is Microsoft's Internet Explorer, which comes with Windows.

Cookie. Cookies are data files that your site can save on the computer of someone who visits that site, to allow it to remember who they are if they return.

FTP. File Transfer Protocol. This is a common method of uploading (see below) files to your website.

JavaScript. A common language for writing 'scripts' on websites, which are small programs that make the site more interactive. Another common cause of problems for visitors.

JPEG. Joint Photographic Experts Group. This is the name of the most popular format for pictures on the web, named after the group that came up with it. If you want to put pictures on your website, you should save them as JPEGs.

Hardware. Hardware is computer equipment that physically exists. It is the opposite of software.

Hosting. If you've got a website out there on the Internet, then you'll be paying someone for hosting. It is the service of making your site available for people to see.

HTML. HyperText Markup Language. A kind of code used to indicate how web pages should be displayed, using a system of small 'tags'. The 'b' tag, for example, causes text to appear in bold, and the 'img' tag displays a picture.

Hyperlink. A hyperlink is when a piece of text on a website can be clicked to take you to another site, or another page on the same site. For example, if clicking your email address on your website allows someone to email you, then your email address is a hyperlink.

Programming. This is when the computer is given instructions to tell it what to do, using one of many 'programming languages'. Programming languages for the web include PHP and Perl.

Server. The server is where your website is stored, and it is the server that people are connecting to when they visit the site. Note that server refers both to the hardware and software of this system.

Software. Programs that run on the computer, or that make your website work. Microsoft Word is software, for example, as is Apache (the most popular web server software). Opposite of hardware.

Spider. Do not be scared if a spider visits your website! Spiders are simply programs used by search engines to scan your site and help them decide where it should appear when people search. It is good to be visited by spiders, as it means you should start appearing in search engines soon.

Upload. Uploading is when you transfer data from your own computer to your website. For example, you might upload your logo, or an article you've written. Opposite of download.

URL. Uniform Resource Locator. This is just a short way of saying 'web address', meaning what you have to type in to get to your website.

Thursday, June 24, 2010

Bluetooth Security You Should Know

These days, all communication technology faces the issue of privacy and identity theft, and Bluetooth is no exception. Almost everyone knows that email services and networks require security. What users of Bluetooth need to realize is that Bluetooth requires security measures as well.

The good news for Bluetooth users is that the security scares, like most scares, are normally overdramatized and blown entirely out of proportion. Truth be told, these issues are easy to manage, with various measures already in place to provide security for Bluetooth technology.

It's true that some Bluetooth phones have been hacked into. Most devices that are hacked into are those that don't have any type of security at all.

According to Bluetooth specialists, in order to hack into a Bluetooth device, the hacker must:
1. Force two paired devices to break their connection.
2. Steal the packets that are used to resend the pin.
3. Decode the pin.

Of course, the hacker must also be within range of the device and be using very expensive developer-type equipment. Most specialists recommend that you use a longer pin, with 8 digits being recommended.

Fundamentals of security
The "pairing process" is one of the most basic levels of security for Bluetooth devices. Pairing is when two or more Bluetooth devices recognize each other by the profiles they share; in most cases both must enter the same pin.
 

Gadgets, Software and Tech Tips Copyright © 2009 Gadget Blog is Designed by Ipietoon Sponsored by Online Business Journal