Micro-Star International motherboard with AMD Phenom II 4-core processor and Nvidia chipset running Linux.

Linux and Security Blog

Thoughts from Time to Time on Linux and Security

I have written a number of courses for Learning Tree International, a training company, in the areas of Linux, networking, and cybersecurity. I have written a course on Linux servers which is still running. Other courses I have written for them have been retired, as they could no longer make enough sales. I suspect this is because those courses were too advanced for their primary market, U.S. government employees and contractors in the Washington, D.C. area. Those courses were in Linux network services, Linux/UNIX security, and Linux/UNIX troubleshooting and performance tuning.

They more recently asked me to develop a course on cloud security, and after I completed that, to write a weekly blog for them. In 2014, that started to shift to content about Linux and security in general. Here are links to the blog postings I have written. I have listed them here by month, with each month's essays in order (more or less, to keep some multi-part series together).

December 2014

Getting Started With Linux, Part 1 — Knowledge Versus Skill and Why You Have to Use It

You can only learn a limited amount in a class. Knowledge can be transferred quickly but skill takes practical application. "Use it or Lose It" is certainly true, but you can't get the skill in the first place without using it. For Linux, this means time on the keyboard using the command-line interface.

Getting Started With Linux, Part 2 — Six Free and Easy Ways to Have Your Own Linux Server

You have to use it to learn the skill. Here are six ways to get a free or very cheap Linux machine of your own. This is a very shortened version of my Getting Started with Linux page.

Regin is a Sophisticated New Cyberespionage Threat

The latest detailed reports from Symantec and Kaspersky Labs describe a state-sponsored attack (it certainly looks like NSA possibly with help from GCHQ) that has been used against Belgacom and the European Council, and continues to be found in the wild mostly targeting a handful of countries. In at least one attack it has seized control of a GSM network. Its sophisticated design makes it more capable and harder to detect.

November 2014

USB Firmware Design Flaws Require Behavioral Changes, Patches Won't Help

The BadUSB presentation at BlackHat has been followed by working exploit code posted on GitHub. We can no longer trust unknown USB devices. Given how the USB system is designed, we can't fix this with patches. We have to change how we use those devices.

Darkhotel Shows That Hotel Cyber Security is Even Worse Than We Thought

Darkhotel is an APT or Advanced Persistent Threat that has targeted specific executives of defense contractors and government agencies while they were staying at luxury hotels in Asia. The technology and precision targeting suggest state-level sponsorship.

Meet LibreSSL

2014 has been a rough year for SSL/TLS security. By October it became clear that no version of SSL can be made secure; it's past time to move to TLS. The community that brought us OpenSSH and OpenBSD, the only general-purpose operating system designed specifically for security, has turned their attention to fixing this mess. This is good news!

October 2014

The Shellshock Bug Hits Linux and the Internet of Things

Patch Bash Now, Shellshock Exploits Are Widespread

The GNU Bash shell has had a bug since 1994; we just now noticed it. Unfortunately, while the main job of Bash is to provide a powerful command-line interface, it is often used to quickly and easily add functionality to Internet-exposed network services. Scans and attacks started less than 5 hours after the bug announcement; patch your systems now!

Back Doors Always Become Open Doors

A commercial tool marketed to law enforcement and government for breaking into phones has been used by hackers. Any time a back door is inserted into a system, it eventually gets misused.

Is There Really Such a Thing as Security Through Obscurity?

DARPA is asking for research in a very interesting area: software obfuscation. DARPA wants to create programs that people can run without figuring out how the programs work. That's relatively easy to conceptualize, but very difficult to accomplish.

September 2014

Noisy Side-Channel Attacks Show Why True Security Is Difficult

Side-channel attacks steal information by carefully observing things that aren't the message but which expose information about it. As an analogy, imagine that you notice that the Pentagon and CIA parking lots are unusually full on a Sunday evening, and pizza delivery cars are coming and going frequently. You would wonder what is happening. In recent cybersecurity news, a group that has previously extracted information from computers by listening to high-frequency sounds made by the processor and analyzing radio noise emitted by the systems has now exploited the side channel of electrical noise measurable by touching the system case with a bare hand.

How Secure Are Password Managers?

Password managers that can be built into web browsers and added as plugins make it convenient, and practical, to deal with a large number of complex passwords. But even with a master password locking the password collection, there are still significant security problems. Here are the details.

Security From The Clouds To Orbit

The U.S. Commerce Department's Inspector General is warning that "the nation's next-generation polar-orbiting operational environmental satellite system" has significant security problems. Contractors behaving badly, and nearly 24,000 vulnerabilities listed in the ground system.

Hotel Security and the Internet of Things

The Hilton chain of 11 hotel brands has announced that your smart phone will function as your hotel room key starting next year. Convenience beats security, again.

August 2014

Federate Your Identities Carefully

Identity Federation is important even if you aren't using any cloud services at all, but it becomes much more important as soon as you do. Unfortunately, some attempts to use this security concept have made things worse instead of better. Learn about the covert redirect vulnerability. It isn't a vulnerability of cloud identity protocols, it's a problem with the coding of sites poorly using them.

How Has The Past Year Of NSA Surveillance Revelations Changed The Cloud Market?

The short version is that people are even more worried than they were. Cloud providers are generally very good at data integrity and availability. They should not be trusted for data confidentiality. You have to do the privacy or secrecy work on your own if you and any careful auditors are to have any confidence.

Threats in Space

Satellite communication security has largely relied on physical separation and obscurity. A recent study shows that the systems aren't that obscure, and they have many gaping holes if you just know how to reverse-engineer publicly available firmware updates. The possible exploits are wide-ranging and powerful.

The Energetic Bear and Crouching Yeti at the Watering Hole

Kaspersky Labs has produced another great analysis of a complex APT or Advanced Persistent Threat. Now we know at least some of what it does. Why it does it, to whom, and for whom, remains mysterious.

June–July 2014

Is The World Knocking At Your Door, Or Trying To Kick It In? The Multi-Gigabit DDoS Threat

The Multi-Gigabit DDoS Threat, Part 2: Modern Attacks with DNS Amplification

The Multi-Gigabit DDoS Threat, Part 3: Turning Up The Heat With NTP Amplification

The Multi-Gigabit DDoS Threat, Part 4: Defense with Black Holes, Sinkholes, and the Cloud

You need to know about truly antiquated attacks like misusing the ping command and the Smurf and Fraggle amplification attacks if you want to get through (similarly outdated) certification exams like CompTIA Security+ and ISC2 CISSP. But the new threat environment on the Internet involves multi-gigabit-per-second, up to multi-hundred-gigabit-per-second, deluges of traffic that can overwhelm the connections of most organizations. Here's what you need to know about the threats and the defenses.

Don't Let BYOD Stand For "Bring Your Own Disaster."

Users' personal devices can cause accidental denial-of-service attacks inside your organization. BYOD can save money and make some users happier, but to make it work without causing more problems than it solves, you have to be very careful about a number of things.

What Is Happening In Quantum Cryptography?

Yes, people are using quantum computers, or at least what are labeled as such, to work on problems at the core of information security. No, it doesn't seem that general-purpose quantum computers capable of factoring multi-hundred-digit numbers are anywhere close to hitting the market, but it's important to keep an eye on this area.

May–June 2014

Why Won't Cloud Providers Give Us Something For Nothing?

The cloud can certainly be cheap, and there are some free offers, but it isn't going to be free forever. Many on-line writers bemoan the loss of free cloud services, and describe ways to shuffle your data around and hop from one free service to another. That doesn't seem like a good way to run an enterprise!

Useful Skepticism Only Comes With Knowledge

You can find a lot of both exciting and scary stories on-line about technology. However, a lot of them are outdated, wrong, or otherwise dangerously misleading. You need to understand the underlying technology in order to be an appropriately cautious reader.

What Is Going On With The Free Operating Systems?

Many subsystems are changing rapidly within the popular Linux distributions. The move to replace init with systemd, adding systemd-journald to the logging infrastructure, is the largest. Even the extremely conservative OpenBSD is preparing for big changes in its DNS, SMTP, and HTTP/HTTPS services. What do you need to know, and when do you need to know it?

Why a Bitcoin Bank?

Bitcoin mystifies me. The cryptography isn't the hard part to understand. It's the way it's used. What's the point of an entirely peer-to-peer payment system with no reliance upon (or supervision and surveillance by) centralized authorities, when the first thing people do is put their Bitcoin holding into virtualized banks?

April–May 2014

Smart Phone and Tablet Problems Can Let Your Cloud Data Slip Out the Back Door

Smart phones and tablets are frequently used for on-the-go (and even at-the-desk) access to data stored and processed "out in the cloud". Did you know that there are two operating systems in smart phones and many tablets, and one of them may contain back doors that the company doesn't fix and may not even discuss?

The Internet Has Serious Trust Problems, Part 1

Part 2: Data Loss Prevention Leads to Trust Loss

Part 3: Subordinate CA Certificates Lead to Policy Changes

Part 4: Trouble in Turkey, Carefully Corrected

Part 5: Response Leads to Corporate Survival or Death

The Public-Key Infrastructure (or PKI) spanning the Internet is intended to provide security, providing server authentication and data confidentiality. In practical terms, it lets us be confident that it's really our bank or trusted on-line store with whom we're sharing personal and financial information, and that the data will be safely encrypted and therefore hidden as it traverses the Internet. Well, the system has a lot of problems, and they're caused by people and process issues instead of ciphers and protocols. This series of essays explains what should be happening and how it has failed in a series of prominent cases.

March 2014

Reality Versus Cloud Expectations

Some U.S. Government agencies are saying that public cloud providers have completely unacceptable offerings. That may be true for those would-be customers, but maybe some agencies have entirely unrealistic expectations.

GnuTLS Bug Puts Network Communications at Risk

GnuTLS Bug Part 2: What Components Were At Risk?

GnuTLS Bug Part 3: You Always Need to Patch New Cloud Servers

There were two huge and related cybersecurity stories in the spring of 2014. Two shared libraries implementing SSL/TLS, GnuTLS and OpenSSL, were found to have serious security problems. The OpenSSL bug, given the catchy name "Heartbleed" and a colorful logo, may have taken attention away from the equally critical GnuTLS bug. Here's a series of essays on what the GnuTLS bug was, what it means, and what to do about it.

February 2014

What Happens When "Shadow IT" Goes Missing?

Who Will Maintain Your "Shadow IT"?

Two essays on the topic of "Shadow IT", when management deploys cloud services and then moves critical data outside your organization into the cloud without telling the IT department. Face it, this happens. A lot. There are issues of patching and configuration as well as more mundane things like keeping up with the small but still required payments. What can happen to your data?

Cloud in the Crosshairs: Choose Carefully and Secure Your Cloud Servers

The major cloud providers offer a large range of machine images, thousands to tens of thousands of them. Some are rather outdated, missing many critical security patches, and many have insecure configurations. The bad guys know this, and so they regularly scan the large blocks of IP addresses used by cloud hosting facilities to find publicly reachable weak systems. Don't be a victim!

Linux Scores Highest in UK Government Security Assessment

The cloud is based on Linux and other open-source technology. CESG, the Communications-Electronics Security Group, is a component of GCHQ, the Government Communications Headquarters. This makes CESG roughly analogous to DISA in the U.S. They have published a report giving an Ubuntu Linux distribution the top score.

January 2014

What's The Story of the OpenSSL Hack?

OpenSSL is a vital piece of Internet security. The software package provides everything you need to create your own PKI or Public-Key Infrastructure operation, and many organizations do just that. But the openssl.org web server was hacked. What does this mean for Internet security?

Want Safe Cloud-Based E-Mail? I'm Avoiding Web Mail.

Most people will say that security is important on the Internet, but force them into a choice and ease of use wins in most cases. Web mail is an especially risky form of this choice.

Here's Some Guidance on Developing Secure Cloud Applications

SAFECode and the Cloud Security Alliance have published a new paper on developing secure software for use in the cloud. It has nothing really new, and it isn't really specific to the cloud, but it's all good advice.