Linux Security: Reflections on 2002
by Bob Toxen - Tuesday, 7 January 2003.
Even those Linux users with good security are at risk if they make on-line purchases from sites with poor security. Almost all large e-commerce sites use hardened Linux or Unix servers. Unfortunately, a fair number of "Mom and Pop" sites use IIS, though a surprisingly high percentage do use Linux. For this reason, before giving my credit card to a new web merchant I always do:

nmap -O -sS -F -P0 -T Aggressive

and require that all ports show as closed or filtered except for 80, 443, and, possibly, 25 and 22, and that the Operating System is not Windows.
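As an added example, not part of Toxen's article, here is a small Go program that applies that policy mechanically to nmap's grepable output, which the `-oG -` option writes to standard output. The two host lines are constructed for the example, not real scan results; the addresses, host names and OS guesses are placeholders. A port passes if its state is closed or filtered, or if it is in the allowed set; anything else, and any OS fingerprint naming Windows, is reported.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Two constructed host lines in nmap's grepable (-oG) output format, as a scan
// such as "nmap -O -sS -F -P0 -T Aggressive -oG - <host>" would print them.
// Addresses, names and OS guesses are made up for this example.
const SampleLinuxHost = "Host: 192.0.2.10 (shop.example)\t" +
	"Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\t" +
	"Ignored State: filtered (97)\tOS: Linux 2.4.X"

const SampleWindowsHost = "Host: 192.0.2.20 (momandpop.example)\t" +
	"Ports: 80/open/tcp//http///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, " +
	"445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-term-serv///\t" +
	"Ignored State: closed (95)\tOS: Microsoft Windows 2000 Server"

// DefaultAllowed is the article's policy: 80 and 443 expected, 22 and 25 tolerated.
var DefaultAllowed = map[int]bool{80: true, 443: true, 22: true, 25: true}

var (
	portsField = regexp.MustCompile(`Ports: ([^\t]*)`)
	osField    = regexp.MustCompile(`OS: ([^\t]*)`)
)

// Assess checks one -oG host line against the policy and returns the list of
// violations: every port whose state is neither "closed" nor "filtered" (so
// "open" and the ambiguous "open|filtered") outside the allowed set, plus an
// OS fingerprint that names Windows. An empty result means the merchant passes.
func Assess(line string, allowed map[int]bool) []string {
	var problems []string
	if m := portsField.FindStringSubmatch(line); m != nil {
		for _, entry := range strings.Split(m[1], ",") {
			// Each entry is port/state/protocol/owner/service/rpcinfo/version/
			f := strings.Split(strings.TrimSpace(entry), "/")
			if len(f) < 3 {
				continue
			}
			port, err := strconv.Atoi(f[0])
			if err != nil || f[1] == "closed" || f[1] == "filtered" {
				continue
			}
			if !allowed[port] {
				problems = append(problems, fmt.Sprintf("%d/%s is %s", port, f[2], f[1]))
			}
		}
	}
	if m := osField.FindStringSubmatch(line); m != nil {
		if strings.Contains(strings.ToLower(m[1]), "windows") {
			problems = append(problems, "OS fingerprint: "+m[1])
		}
	}
	return problems
}

func main() {
	for _, line := range []string{SampleLinuxHost, SampleWindowsHost} {
		host := strings.SplitN(line, "\t", 2)[0]
		if p := Assess(line, DefaultAllowed); len(p) == 0 {
			fmt.Println("PASS:", host)
		} else {
			fmt.Println("FAIL:", host, p)
		}
	}
}
```

In practice the scan output is piped in, one host line at a time; the parser only looks at the Ports and OS fields, so extra fields such as Seq Index do not matter. Note that the article's own flags are the nmap 3.x spellings of the day; the output format is unchanged.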

Other ways to protect yourself are to use only a single credit card for all on-line transactions, preferably one with a small limit. Have a different card for large purchases, such as airline tickets and hotel rooms. Never, but never, use a debit card for on-line purchases or with any merchant other than one you trust highly. Remember that "possession is nine tenths of the law". With a credit card problem, you still have your money, and only a successful lawsuit will take it from you. With a debit card problem, your money is already gone, making it much harder to get back.

A reasonably secure web server is not all that a web merchant needs. It is critical to secure the database in a way that makes it exceptionally hard for a cracker to download it in its entirety. Most small companies (and even many large ones) keep the database on the web server itself, so a single vulnerability lets a cracker walk off with the credit card numbers and expiration dates of every customer. Solutions include not saving this information at all, my "One-way credit card data path", and separate encryption keys for each customer. Perhaps Underwriters Laboratories will start rating the security of various techniques, similarly to the way they rate how hard different safes are to crack.
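The following Go program is an added illustration of the two ideas in that paragraph, a web tier that can only write card data and a separate key per customer record; it is not Toxen's own "One-way credit card data path" design, which the article does not spell out. It uses RSA-OAEP and AES-256-GCM from Go's standard library: the web server holds only an RSA public key, encrypts each record under a fresh random data key, wraps that key with the public key and then discards it, so a cracker who dumps the whole table gets ciphertext and wrapped keys that only the back-office host, which holds the private key, can open. The customer id, key sizes, label string and card value are all made-up choices for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Added illustration of a write-only card data path; not Toxen's own design.
// The OAEP label is a fixed public string that ties a wrapped key to its purpose.
var oaepLabel = []byte("customer-card-data-key")

// StoredCard is all the web server ever keeps: the per-record data key in
// RSA-wrapped form and the AES-GCM ciphertext. Dumping the whole table yields
// nothing usable without the back-office private key.
type StoredCard struct {
	Customer   string
	WrappedKey []byte // RSA-OAEP(public key, dataKey)
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM(dataKey, card data), Customer as AAD
}

// WebTier holds only the public key: it can write card data but never read it back.
type WebTier struct{ pub *rsa.PublicKey }

// BackOffice holds the private key on a separate, non-Internet-facing host.
type BackOffice struct{ priv *rsa.PrivateKey }

// NewPair generates the key pair; only the public half ever goes to the web server.
func NewPair() (WebTier, BackOffice, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return WebTier{}, BackOffice{}, err
	}
	return WebTier{pub: &priv.PublicKey}, BackOffice{priv: priv}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts one customer's card data under a fresh random key, wraps that
// key for the back office and scrubs its own copy.
func (w WebTier) Store(customer, card string) (StoredCard, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return StoredCard{}, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh key per record, so a random nonce is safe
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	// The customer id is authenticated data: a ciphertext copied into another
	// customer's row will not open.
	ct := gcm.Seal(nil, nonce, []byte(card), []byte(customer))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, w.pub, dataKey, oaepLabel)
	if err != nil {
		return StoredCard{}, err
	}
	for i := range dataKey { // best-effort scrub; the key now survives only in wrapped form
		dataKey[i] = 0
	}
	return StoredCard{Customer: customer, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Reveal is the only way back to plaintext, and it needs the private key.
func (b BackOffice) Reveal(rec StoredCard) (string, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, b.priv, rec.WrappedKey, oaepLabel)
	if err != nil {
		return "", fmt.Errorf("unwrap failed (wrong private key or tampered record): %w", err)
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.Customer))
	if err != nil {
		return "", fmt.Errorf("ciphertext does not authenticate (tampered or moved record): %w", err)
	}
	return string(pt), nil
}

func main() {
	web, office, err := NewPair()
	if err != nil {
		panic(err)
	}
	rec, err := web.Store("cust-1001", "4111111111111111 exp 12/04") // made-up test card
	if err != nil {
		panic(err)
	}
	card, err := office.Reveal(rec)
	fmt.Println(len(rec.Ciphertext), "ciphertext bytes stored; back office reads:", card, err)
}
```

The point of the split is that the web server never possesses a key that can read what it has written, so the usual "one vulnerability, whole table" outcome turns into "one vulnerability, a table of ciphertext". The private key still has to be guarded, and card data that is never stored at all remains the cheapest option.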

I expect to see greater use of encryption and digital signing of email and documents. The GNU Privacy Guard (GnuPG) is a wonderful tool for this and is compatible with PGP. GPG or PGP is supported in most Linux mail user agents. Whether one is sending or storing a love letter or a trade secret, encryption keeps it secret. Even if someone breaks into a system or steals its disk, without the keys the encrypted information stays secret for as long as the cipher and key length hold up. Hopefully, encrypted file systems will become popular on laptop computers, since these are stolen so frequently.

We may see a major cyberterrorism event in 2003, causing major loss of Internet connectivity. Even those in countries not directly involved may suffer from backbones in the United States and elsewhere being "taken out", causing their systems or their customers' systems to be "knocked off the web". With an anticipated 23 million homes in the U.S. alone expected to have broadband in 2003, the potential for massive Distributed Denial of Service (DDoS) attacks is huge. With so many of these being unprotected Windows systems, such a DDoS will be easy to mount.

Sadly, the U.S. Government's draft Cybersecurity proposal can most kindly be described as naive and ineffective. Its reliance on voluntary good practices, if it were the basis for criminal law, would be called anarchism. An excellent opportunity to make organizations, individuals and ISPs responsible for their problems was lost. Sheesh. The penalties for not stopping one's dog from barking are more severe in most jurisdictions.
