From the Editor - Security One Step at a Time
As I write this, yet another e-mail worm is spreading among non-Linux computers and incidentally filling my mailbox with “YOU HAVE A VIRUS” bounces from dumb software that somehow doesn't yet get the concept that worms forge mail. There's nothing like a worm attack that spares Linux to bring out the smug superiority in Linux users.
Cut it out. The attack path here is one step long. All that's keeping us safe is that most programs for Linux don't make it easy to run attachments from incoming mail. But combine the right vulnerability in a common desktop app with a little social engineering, and you've got a Linux worm.
Last year, the not-so-dramatically-named CAN-2003-0434 vulnerability allowed humble PDF files to run arbitrary commands as you. Linux users and distributions dealt with it quickly enough that it didn't turn into a vector for spreading a worm. With today's larger Linux user base and more desktop standardization, the next vulnerability will be a bigger risk.
Now that we've scared you, we'll cover the tools you could use to prevent not just a mail worm, but other attacks we don't know about yet. Run a local firewall and don't let programs on your company's desktops reach outside SMTP servers. Deploy exactly the firewall policy you want, on every host, with the advanced iptables advice in Chris Lowth's Kernel Korner on page 24. As you move your business apps to PHP, design them for security with Xavier Spriet's battle-tested designs on page 54.
And, make the next move in the spam wars. Deal with forgery where it starts. Although the US has essentially legalized spam, all the ISP advertising we've seen recently has used spam filtering as a selling point. Sender Permitted From, which Meng Weng Wong covers on page 62, lets you pop up out of the weeds and get mail through to customers who use strict spam filtering. SPF is a “look at me, I'm legit” measure you can deploy in a few minutes for a simple mail configuration.
Finally, in our cover story, Ibrahim Haddad and Miroslaw Zakrzewski explain a promising example of how to apply the kernel's Linux Security Module (LSM) interface to add process-level access control for telecom apps running on clusters (page 68). Developers can carry out this level of work, free of restrictions, because of the freedom that the GPL licensing consensus gives all of us. Keep your systems secure and enjoy this month's issue.
Don Marti is editor in chief of Linux Journal.
Getting Started with DevOps - Including New Data on IT Performance from Puppet Labs 2015 State of DevOps Report
August 27, 2015
12:00 PM CDT
DevOps represents a profound change from the way most IT departments have traditionally worked: from siloed teams and high-anxiety releases to everyone collaborating on uneventful and more frequent releases of higher-quality code. It doesn't matter how large or small an organization is, or even whether it's historically slow moving or risk averse — there are ways to adopt DevOps sanely, and get measurable results in just weeks.
Free to Linux Journal readers.Register Now!
|Secure Server Deployments in Hostile Territory, Part II||Jul 29, 2015|
|Hacking a Safe with Bash||Jul 28, 2015|
|KDE Reveals Plasma Mobile||Jul 28, 2015|
|Huge Package Overhaul for Debian and Ubuntu||Jul 23, 2015|
|diff -u: What's New in Kernel Development||Jul 22, 2015|
|Shashlik - a Tasty New Android Simulator||Jul 21, 2015|
- Hacking a Safe with Bash
- Secure Server Deployments in Hostile Territory, Part II
- Home Automation with Raspberry Pi
- Huge Package Overhaul for Debian and Ubuntu
- The Controversy Behind Canonical's Intellectual Property Policy
- Shashlik - a Tasty New Android Simulator
- Embed Linux in Monitoring and Control Systems
- KDE Reveals Plasma Mobile
- diff -u: What's New in Kernel Development
- Purism Librem 13 Review