Thoughts from Time to Time on Linux and Security
I have written a number of courses for Learning Tree International, a training company, in the areas of Linux, networking, and cybersecurity. I have written a course on Linux servers which is still running. Other courses I have written for them have been retired, as they could no longer make enough sales. I suspect this is because those courses were too advanced for their primary market, U.S. government employees and contractors in the Washington, D.C. area. Those courses were in Linux network services, Linux/UNIX security, and Linux/UNIX troubleshooting and performance tuning.
They more recently asked me to develop a course on cloud security, and after I completed that, to write a weekly blog for them. In 2014, that started to shift to content about Linux and security in general. Here are links to the blog postings I have written. I have listed them here by month, with each month's essays in order (more or less, to keep some multi-part series together).
My New Year's Resolution: Use Cloud Backup
It's cheap, it's easy to use, so take advantage of it. Use Amazon's Glacier service to back up your digital pictures and other precious personal data. I can't really imagine many major corporations or U.S. Government agencies using such a thorough design for data durability (that is, availability in the long term), and the price is right at $0.01 per gigabyte per month.
Keeping Your New Year's Resolution With Cloud Backup
Here are some details on how to actually do that, including the graphical Simple Amazon Glacier Uploader.
Fear and Loathing in the Cloud
Some people are terrified of the cloud being unreliable. But every day we (well, most of us, anyway) get along just fine in an imperfect physical world. Cloud services drop some gaming sites and popular blogs during the middle of a work day and it's huge news. But one of the world's largest transit systems is slowed by a data networking problem and life goes on with no real problems.
Good News: Swiss Clouds Are Forming Over the Alps
My main question: What took them so long? Swisscom AG, 57% owned by the Swiss Confederation, is building a Swiss cloud that could serve as a privacy haven. Switzerland continues to lead in some significant cybersecurity developments, following their long tradition of strong privacy in banking.
Encryption is "Exponentially Easier" to Break, But What Does That Really Mean?
A report from MIT and the National University of Ireland has shown that we have been over-estimating the security of the cipher algorithms used to protect confidentiality. That doesn't mean that they discovered weaknesses in the ciphers. The problem is that they feel we have been estimating the difficulty of attack in the wrong way.
Simple Is Safer (There's More To It, That's Just The Safely Simple Summary)
Servers are going to be safer than desktop machines due to the much lower complexity. Here are some details I noticed during an upgrade. This is good news for the cloud: simpler servers are more secure servers.
The Dark Mail Alliance is a Promising Cloud-Based Email Project
Government legal pressure caused both Silent Circle and Lavabit to shut down their secure email services last August. Those services were based on traditional protocols like SMTP. Now they are working on a new messaging architecture that will use the cloud to increase security.
The New Android Version Should Help Security
Android version 4.4 has some nice security improvements. The biggest is the move to is that SELinux will now enforce its policy. There are also some nice improvements in the handling of digital certificates.
What Happens When Your Cloud Server Gets Hacked?
As is the case when anything gets hacked, it depends on what the attacker wants to do with your system. In this case, it was used to take part in a distributed denial-of-service attack. The cloud provider was notified and they modified the virtualized firewall to mostly block it off from the Internet.
Take Their Advice: Disregard Their Earlier Advice!
RSA is saying "Don't use these two products of ours" and NIST is saying "Let's take another very close look at this" as we learn of possible NSA backdoors in cryptographic products.
Large and Small Clouds Close, Hang On To Your Data!
Nirvanix just closed down its cloud storage service on short notice, customers were given just two weeks to retrieve their data. Keep a close eye on your cloud storage services and be ready to pull your data out if needed.
For Compliance, Keep Control of Your Encryption and Don't Lose Your Head (Or Your Header)!
Encryption is crucial to protect confidentiality. But making things more secure in that sense can make them less secure as far as availability goes. You can get into a fix where you can't decrypt your sensitive data! Here is some guidance on avoiding that problem.
Microsoft Windows Azure Makes Some Big Jumps Forward With FedRAMP and Barracuda
Microsoft did a smart thing when PaaS cloud services proved less attractive than hoped. They expanded Windows Azure to include IaaS. Now that has joined Amazon's EC2 as a public cloud provider (in the full self-provisioning highly agile sense) in getting federal government approval and some Barracuda virtualized security device images.
Google Announces "By Default" Cloud Storage Encryption, Following the Amazon Path
Amazon led the way with their highly resilient S3 storage, first providing client-side encryption and then easy server-side encryption. Now Google Cloud Storage has followed that path. However...
Google's "By Default" Cloud Storage Encryption Means Very Little
Even before Ed Snowden's revelations about NSA surveillance and unlimited access to cloud storage, there was little reason to have confidence in server-side encryption. The problem is that the data owner has no control or visibility of the process.
How Much Will The NSA's Prism System Cost?
The Department-of-Defense-wide Consolidated Cryptologic Program costs $11 billion per year. But that's just the immediate operational cost. The estimated loss in income to cloud providers caused by loss of confidence range up to $11 billion per year over the next three years. Spend $11 billion in order to lose $11 billion, every year, that's not a good deal.
First The BEAST Threatened Us, But Now We Have Worse Things To Worry About
For a while web server administrators were urged to enforce the use of the RC4 cipher whenever possible. Things have changed — most browsers now include the BEAST work-arounds and RC4 is looking more and more vulnerable, so it's time to change things again.
Security in the Quantum World — Part 1, Defense
Perfect security is available, although you probably don't want it in the form usually implemented to date. But Quantum Key Distribution has arrived, and it is protecting financial transactions in Switzerland, New York, Paris and Australia.
Security in the Quantum World — Part 2, Offense
On the other hand, quantum systems might be used to attack confidentiality. Researchers have reported using a quantum computer for an exponential speed-up in factoring large numbers. The security of RSA is based on the factoring problem being impractically difficult. This may be changing!
Toilet Cybersecurity Shows the Risks of the "Internet of Things"
Larry Ellison has famously complained about how the term "The Cloud" has come to mean nothing because people use it to mean just about anything. Well, to extend that even further, a recent vulnerability report described a Bluetooth attack against a luxury toilet. Increasing complexity brings increasing risk...
Clouds Fade Away, And They Can Take Your Data With Them
The companies running the largest cloud services have been around for quite a while and we expect them to stay around. But their specific services can shut down and fade away rapidly.
BYOD? I Hope You Didn't Really Want That Data
What happens when an employee leaves and TTOD, or Takes Their Own Device? The immediate panic has to do with confidentiality, but availability is an even bigger problem. Especially if the employee was fired, what makes you think they will help you recover your corporate data from their personal hardware?
Password Rules Accomplish Things, But Not Necessarily What You Expect Or Want
A study by Carnegie Mellon University and US NIST showed that requirements for more complex passwords greatly increased user frustration (and self-imposed lock-out) but only very slight increased resistance to automatic discovery or cracking.
Some Day Soon We May Compute Covertly in the Cloud
Researchers have been discussing homomorphic encryption since the late 1970s, which so much happened in public cryptography within a few years. It was considered to be purely theoretical, impossible in any practical setting, until 2008 when it was shown to be possible but still impractical. But now DARPA, IARPA, Google and Citigroup are funding research into this bizarre seeming topic.
Malicious Insiders Could Steal Entire Cloud Systems
Your employees will want the ability to provision their own cloud resources, and management will likely back up their requests in the interest of efficiency, meaning money. But have you considered how easily, quickly, and covertly one malicious insider could steal entire system images complete with all their data and programs?
A Cloud Model Saved This Construction Project From Catastrophe
Cloud-style storage saved this construction project's data. But quite a bit of luck was also involved.
The U.S. Government Has Lost Patience With Your Six Months of Privacy, It Needs Your Secrets Right Now — Part 1 The U.S. Government Has Lost Patience With Your Six Months of Privacy, It Needs Your Secrets Right Now — Part 2
Even before all the revelations of NSA surveillance beginning in early June of 2013, cloud providers were clearly stating that they hand over even data stored in the EU to U.S. authorities, and they don't inform the data subjects when the U.S. government tells them to keep it secret (as it routinely does). But there's even more.
Never Go Into A Place Without Knowing How To Get Out
Cloud services can end with very little notice. Don't put data into the cloud until you are certain that you can get it back out easily and quickly enough to save it.
OAuth's Creator Has Abandoned It. Should We Rely On It?
The OAuth 2.0 protocol seemed promising, but even its creator has abandoned it. Its primary goals are security and interoperability, but it seems unlikely to provide either. Meanwhile we are continuing to act as if it will be completely reliable!
Just How Important is this Cloud Stuff, Anyway?
Yes, there have been serious problems caused by major cloud provider outages. But when the pundits can't see beyond online Halo 4 sessions, Xbox Music and Movie services, Karaoke, ESPN apps, and other pure entertainment, we aren't going to have meaningful discussions.
Is This A Real Dip In Password Guessing? And If So, What Does It Mean?
I have observed a significant long-term downward trend in automated SSH password guessing attacks on a number of systems I monitor. Others I have talked to have seen the same pattern. But what might this mean?
Leo Tolstoy, Anna Karenina, and Cloud Security (Yes, there is a connection!)
Just as Tolstoy's famous opening suggests, we will never find a perfect public cloud provider and their imperfections vary all over the place.
Don't Ignore Your Cloud Servers, Because No News Might Be Bad News No News Might Be Bad News, Here's How to Keep An Eye On Your Cloud Servers
One of my consulting clients discovered that crucial scheduled jobs weren't running. This was in-house, but it would have been even more likely in the cloud. Don't overlook these critical configuration changes and simple tests! The first article tells what happened to them, the second article explains how to prevent it.
What's With All The Linux, I Thought We Were Talking About The Cloud
The majority of cloud systems run Linux. Somehow this continues to surprise and confuse people. Amazon Web Services largely run Linux. Google Compute Engine, their relatively new IaaS service, is only Linux. Even Microsoft's Windows Azure IaaS is available in both Windows and Linux. Yes, Microsoft will rent you Linux cloud servers.
Isn't Corporate Identity Management Far Too Important to be Turned Over to Facebook?
Identity and Access Management or IAM is crucial for organizations moving data and operations into the cloud. Good solutions exist. But some people think that Facebook is somehow an adequate solution for securing the authentication and authorization of access to their data.
Good News: There are New Crypto Options for Digital Certificates!
Pretty much all of Internet security has been based on the RSA algorithm. We have no specific worry about it now, but if someone solved the factoring problem then that would break the Internet. The good news is that a major vendor has announced support for an entirely different algorithm. Diversity is good!
Recent Developments in Paranoia: Stealth Clothing and More
Spring has arrived, but it will soon pass. Surveillance seems to be here for a long time. Artists, students and researchers are working on stealthy clothing including "anti-drone" hoodies and scarves. The good news is that some courts are also taking notice of the government's fixation on all-pervasive surveillance.
What is the Most Dangerous Code in the World?
According to researchers from Stanford University and the University of Texas, it's SSL certificate validation in non-browser software. Many types of on-line financial transactions are at risk because poor design and documentation lead to sloppy programming.
Don't Overlook the Legal Concerns of the Cloud
Some unique legal risks are often overlooked in the cloud, especially when "shadow IT" or "cloud sprawl" happens. Just how much risk are you running without realizing it?
Are We Holding The Cloud to Unrealistic Standards?
911 emergency service, truly life-critical, can't be perfect in the face of natural disasters like last year's derecho in Virginia. Can we really expect the cloud to be better?
A Presidential Executive Order for Cybersecurity: Now What?
President Obama's executive order is finally giving the U.S. Government some needed leadership beyond the fearful intoning of "digital Pearl Harbor" we've been getting from the legislative branch. But will this accomplish more than just further expensive classification and clearances?
What if the Light Switch Demanded All Your Personal Information?
Management may see BYOD as a magical money pot, but who knows what reckless smart-phone app choices may ride in with the apparent savings.
Watch Out, Your Data Might Wander Down the Wrong Back Alley — Part 1 Watch Out, Your Data Might Wander Down the Wrong Back Alley — Part 2
There are multiple ways that your sensitive data might be misrouted on its way between you and your cloud storage or processing. The first part looks at inter-domain routing protocols and their role in security, in which the shortest route between Washington and New York might seem to be through Beijing. The second considers how authoritarian governments can disrupt international connectivity, and how BGPSEC and protect against this meddling. But does the current BGPSEC design remind us of Eisenhower's warning about the risks of a military-industrial complex?
Protect Your Privacy in the Surveilled Cloud
If you put data into the cloud, the U.S. Government can demand that the cloud provider turn over your data and not inform you about it. In that environment, how can personal privacy exist?
The Massively Broadband Cloud Approaches
Developments in radio engineering are leading to a much more immersive communications environment. Storage will move from devices into the cloud, with both advantages and disadvantages for cybersecurity.
Look Out: BYOD means SYSD
Your data is moving into the cloud whether you realize it or not, and whether you want it to or not. The trend of BYOD or "Bring Your Own Device" is accelerating this. It will SYSD — Scatter Your Sensitive Data.
☚ Older blog entries Newer blog entries ☛