Geeks in Paradise | Brian Chee » TAG: Security

March 15, 2007 | Comments: (0)

Linux file system security options

Maybe buying a FDE (Full Disk Encryption) hard drive is not an option for you right now, but that doesn't mean you need to compromise on your Linux file system security.

linux.com has an article on how to hide an entire file system. There are several approaches mentioned in the article, such as using the loop-AES loopback device, or using packages such as FUSE or eCryptfs (though these come with performance penalties). Here is another site that provides many more options for simply encrypting your file system the old-fashioned way, including encrypting your home directory, using transparent cryptographic file systems, and also steganographic file systems.

There is something for network file systems as well: you can use SSH File System (SSHFS), which is built on FUSE, a userspace file system framework for Linux (so normal users can create and mount file systems without super-user privilege). The advantage of SSHFS is that it can be an easy and secure replacement for NFS or other network file systems, although I would imagine the performance is not going to be as great due to the encryption.

ReiserFSv4 (sponsored by DARPA) also supports encryption, but it may not be included in your favorite Linux distribution yet, and you may need to manually patch your kernel.

Josh Kuo
Co-Owner of q!Bang Solutions

Mar 16, 2007


Posted by Josh Kuo on March 15, 2007 09:18 AM



March 15, 2007 | Comments: (0)

New OpenBSD Remote Security Vulnerability Found

Wow! I was astonished to find the news this morning when I woke up. Core Security Technologies found that a malformed IPv6 packet MBUF header could be used for remote code execution on OpenBSD. What's remarkable about this is that such a vulnerability was found at all. Until this vulnerability came along, OpenBSD had gone over a decade with only ONE remote security hole in its default install. Stop and think about that. A decade is a darned long time in this industry. How many operating systems can claim this level of security? Certainly not Windows or Linux.

So consider using OpenBSD in your enterprise (or smaller business as well). It's obviously super secure, and there are some pre-built OpenBSD-based firewall appliance installers that you can easily use with any regular PC hardware. And if you have some in-house Unix experience, OpenBSD can be used to set up high-availability redundant firewalls which even share NAT state! So dip your toes in the pool and see how the water feels.

High Mobley
Co-owner of q!Bang Solutions



Posted by Josh Kuo on March 15, 2007 05:52 AM



March 12, 2007 | Comments: (0)

Seagate's Full Disk Encryption (FDE) hard drive

I remember this announcement back in 2005, when Seagate first announced that they would release a hard drive with full disk encryption (FDE). Well, they now have the Momentus FDE line of notebook drives (5400RPM) with 192-bit Triple-DES encryption, and it will be part of ASI's $2,150 laptop. The 2.5" drive is aimed at corporate users and managers who need to deal with storing sensitive data on laptops. The product specs are here. Hardware encryption is definitely the way to go for FDE, since using software to encrypt every read/write operation would be way too slow even on a modern CPU. Seagate claims that with their on-board encryption, it only takes up 1~2% of the CPU resources. I wonder how well the VIA chips with AES built-in would handle the encryption. It would make an interesting benchmark...

One of my first questions is: "What happens when the user loses his/her password?". We all know that at some point, some person will lose his or her password. According to this article, there can be up to 4 master keys, and up to 4 user keys. So, if a sales rep quits unexpectedly, the sales manager can still use the master key to recover data on the laptop. Seagate also suggests it is possible to remotely manage the hard drive, to configure its user accounts and such. I hope administrators remember to NOT send their admin password for the hard drive in clear text over the Internet...

All in all, it looks like Seagate has brought to market a good product with the Momentus FDE line of drives. It has some good applications for corporations and government types as well.

Josh Kuo
Co-Owner of q!Bang Solutions

Mar 12, 2007




Posted by Josh Kuo on March 12, 2007 09:55 AM
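To make the "up to 4 master keys and 4 user keys" recovery model concrete, here is an added toy illustration (not Seagate's implementation, and the wrapping primitive is a constructed stand-in for a real key-wrap): one random disk key is stored wrapped under each enrolled credential, so a master slot can recover data after a user slot is revoked.

```python
import hashlib
import hmac
import secrets

# Toy model of FDE key slots: ONE random data-encryption key (DEK) is stored
# wrapped separately under each enrolled credential, so any user or master
# password unlocks the same data and a slot can be revoked without re-encrypting.
MAX_SLOTS_PER_ROLE = 4   # the article cites up to 4 master + 4 user keys


def _kek(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte key-encryption key from a password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class KeySlotVault:
    def __init__(self) -> None:
        self.dek = secrets.token_bytes(32)        # stands in for the drive's media key
        self.slots = {"user": {}, "master": {}}   # role -> name -> (salt, wrapped, tag)

    def enroll(self, role: str, name: str, password: str) -> None:
        if len(self.slots[role]) >= MAX_SLOTS_PER_ROLE:
            raise ValueError(f"no free {role} slot")
        salt = secrets.token_bytes(16)
        kek = _kek(password, salt)
        # Toy wrap: XOR the DEK with a fresh same-length KEK (used once per slot),
        # then MAC the wrapped blob so a wrong password is detected, not silently used.
        wrapped = bytes(d ^ k for d, k in zip(self.dek, kek))
        tag = hmac.new(kek, wrapped, "sha256").digest()
        self.slots[role][name] = (salt, wrapped, tag)

    def revoke(self, role: str, name: str) -> None:
        del self.slots[role][name]                # DEK and the other slots are untouched

    def unlock(self, role: str, name: str, password: str):
        """Return the DEK for a valid credential, else None."""
        salt, wrapped, tag = self.slots[role][name]
        kek = _kek(password, salt)
        if not hmac.compare_digest(tag, hmac.new(kek, wrapped, "sha256").digest()):
            return None
        return bytes(w ^ k for w, k in zip(wrapped, kek))


def recovery_scenario() -> dict:
    """Sales rep enrolled as user, manager as master; rep leaves, manager recovers."""
    v = KeySlotVault()
    v.enroll("user", "sales-rep", "rep-passw0rd")      # constructed sample credentials
    v.enroll("master", "sales-mgr", "mgr-passw0rd")
    rep_ok = v.unlock("user", "sales-rep", "rep-passw0rd") == v.dek
    wrong = v.unlock("user", "sales-rep", "guess") is None
    v.revoke("user", "sales-rep")
    mgr_ok = v.unlock("master", "sales-mgr", "mgr-passw0rd") == v.dek
    return {"rep_ok": rep_ok, "wrong_rejected": wrong, "master_recovers": mgr_ok}
```

The same structure is why remote slot management must travel over an authenticated, encrypted channel: whoever can enroll a master slot can read the whole disk.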



February 07, 2007 | Comments: (0)

Speed Up Encryption with PadLock

Security is a topic that is getting more and more attention these days, and encryption plays a large role in security. However, those of us who have played with encryption know that it consumes a significant amount of system resources. If you are doing your encryption in software, you are most likely playing a catch-up game with your network speed (when encrypting network traffic) and storage volume (when encrypting a file system).

The traditional approach is to get an encryption card and drop it into your PCI slot. But have you checked out encryption built directly into the CPU? This is not exactly news, since VIA Technologies has been making CPUs with encryption built in since 2004. VIA processors with PadLock have SHA-1/SHA-256 (Secure Hashing Algorithm), AES (Advanced Encryption Standard), and a random number generator all built into the hardware.

So how fast is hardware encryption? In this benchmark, you can see that a 1.2GHz VIA processor can encrypt about 5 to 16 times faster than a Pentium IV 2.4GHz. And in this benchmark, where the author tests against an encrypted file system and IPSec connections, there is almost no slowdown when doing IPSec with PadLock, and you only lose about 10% of performance when writing to an encrypted file system. Compare that to software encryption, where you are looking at roughly 50% to 80% loss in performance.

Josh Kuo
Co-Owner of q!Bang Solutions

Feb 7, 2007



Posted by Josh Kuo on February 7, 2007 11:37 AM



February 05, 2007 | Comments: (0)

Cisco Security update

After last week's release of three security advisories, Cisco has again released another security advisory, this time for the SIP protocol. Apparently Cisco IOS devices that support voice but are not configured for SIP processing will reload if a packet to port 5060 is received. Cisco doesn't know the exact conditions of the flaw but has released an advisory with a workaround and patched IOS to fix the problem. If you are wondering, "Is my device vulnerable?", please see the official Cisco advisory. You may not know this, but most Cisco routers have voice capabilities. The SIP functionality is in most basic IOS images. The last thing you need is a DDoS attack against your main router. The SIP protocol is the de facto standard for VoIP solutions, and it could be a simple misconfiguration of a SIP endpoint trying to register to your router that causes it to reload. Security first.

John Jones
q!Bang Solutions, Inc.

Posted by Cynthia Kuo on February 5, 2007 10:12 AM



January 26, 2007 | Comments: (0)

Computer Security Explained for the Masses

It is often cited that the biggest issue in the fight against worms and viruses and other such malware is uneducated users. If a person doesn't understand why it's a bad thing to open email attachments from people that he doesn't know, then you can bet that he will open every attachment which comes to him. Several email clients (not just MS Outlook!) will happily open and execute any Visual Basic or batch file that a user clicks on. Then wham! - You've got an infected machine that's probably already calling home to the nasty individual who wrote the malware and now "owns" the user's computer - which you as the IT department have to go and fix...

Of course the various network security and bug tracking sites are great about announcing the security flaws and exploits that are found, but arguably their audience is only people who are already pretty savvy about security issues. So I was pleased to see an article written more for public consumption at howstuffworks.com today, entitled "What's the problem with Microsoft Word?". The author, Julia Layton, does an excellent job of explaining some computer security jargon and bringing the layman up to speed with the MS Word zero-day flaws which were recently announced. I hope that this is a sign of a new trend of educating the end user in a comprehensible language.

When I was a full-time sysadmin and helpdesk tech responsible for a few hundred users and 50 servers, I struggled to explain the same topics to the many end users individually. So instead, I sent out occasional messages via email with some helpful tip on how to use their computer or a link to a web article that contained some useful information on a subject that I knew would tweak their interest. So I always had these sorts of articles bookmarked to send out to my users. They appreciated that I was trying to educate them and I appreciated that I had fewer infected machines to reformat and reinstall.

High Mobley
Co-Owner of q!Bang Solutions

January 26, 2007



Posted by Josh Kuo on January 26, 2007 02:33 PM


