
Linux and Security Blog
Thoughts from Time to Time on Linux and Security
I have written a number of courses for Learning Tree International, a training company, in the areas of Linux, networking, and cybersecurity. I have written a course on Linux servers which is still running. Other courses I have written for them have been retired, as they could no longer make enough sales. I suspect this is because those courses were too advanced for their primary market, U.S. government employees and contractors in the Washington, D.C. area. Those courses were in Linux network services, Linux/UNIX security, and Linux/UNIX troubleshooting and performance tuning.
They more recently asked me to develop a course on cloud security, and after I completed that, to write a weekly blog for them. In 2014, that started to shift to content about Linux and security in general. Here are links to the blog postings I have written. I have listed them here by month, with each month's essays in order (more or less, to keep some multi-part series together).
December 2014
Getting Started With Linux, Part 1 — Knowledge Versus Skill and Why You Have to Use It
You can only learn a limited amount in a class. Knowledge can be transferred quickly but skill takes practical application. "Use it or Lose It" is certainly true, but you can't get the skill in the first place without using it. For Linux, this means time on the keyboard using the command-line interface.
Getting Started With Linux, Part 2 — Six Free and Easy Ways to Have Your Own Linux Server
You have to use it to learn the skill. Here are six ways to get a free or very cheap Linux machine of your own. This is a very shortened version of my Getting Started with Linux page.
Regin is a Sophisticated New Cyberespionage Threat
The latest detailed reports from Symantec and Kaspersky Labs describe a state-sponsored attack (it certainly looks like NSA possibly with help from GCHQ) that has been used against Belgacom and the European Council, and continues to be found in the wild mostly targeting a handful of countries. In at least one attack it has seized control of a GSM network. Its sophisticated design makes it more capable and harder to detect.
November 2014
USB Firmware Design Flaws Require Behavioral Changes, Patches Won't Help
The BadUSB presentation at BlackHat has been followed by working exploit code posted on GitHub. We can no longer trust unknown USB devices. Given how the USB system is designed, we can't fix this with patches. We have to change how we use those devices.
Darkhotel Shows That Hotel Cyber Security is Even Worse Than We Thought
Darkhotel is an APT or Advanced Persistent Threat that has targeted specific executives of defense contractors and government agencies while they were staying at luxury hotels in Asia. The technology and precision targeting suggest state-level sponsorship.
2014 has been a rough year for SSL/TLS security. By October it became clear that no version of SSL can be made secure; it's past time to move to TLS. The community that brought us OpenSSH and OpenBSD, the only general-purpose operating system designed specifically for security, has turned their attention to fixing this mess. This is good news!
October 2014
The Shellshock Bug Hits Linux and the Internet of Things
Patch Bash Now, Shellshock Exploits Are Widespread
The GNU Bash shell has had this bug since 1989; we just now noticed it. Unfortunately, while the main job of Bash is to provide a powerful command-line interface, it is often used to quickly and easily add functionality to Internet-exposed network services, which hand attacker-controlled strings to Bash through environment variables. Scans and attacks started less than 5 hours after the bug announcement, so patch your systems now!
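As an added example, not code from the posts linked above, here are the two checks a practitioner wants when this is in the news: a scan of web-server logs for the Shellshock function-definition prefix in client-controlled headers, and the well-known environment-variable probe run against the local bash. The log lines are constructed for the example (the addresses are documentation ranges, not real traffic), and the combined-log regex assumes the standard Apache/nginx "combined" format.

```python
import re
import shutil
import subprocess

# Broad signature for a Shellshock payload: the exported-function prefix
# "() {" at the start of a header value. Early IDS rules keyed on the same
# string, and the later parser-bug variants kept the prefix.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" log format. Referer and User-Agent are the two
# client-controlled strings a CGI script receives as environment variables
# (HTTP_REFERER, HTTP_USER_AGENT), which is exactly where the bug triggers.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic): two probes, one normal request.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:09:12:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'id'"
198.51.100.3 - - [25/Sep/2014:09:12:05 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "() { :;}; echo Content-type: text/plain; echo; /bin/cat /etc/passwd" "Mozilla/5.0"
192.0.2.44 - - [25/Sep/2014:09:13:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://example.org/" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def find_shellshock_attempts(log_text):
    """Return (line_no, source_ip, header) for every line whose Referer or
    User-Agent carries the Shellshock function-definition prefix."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for header in ("referer", "ua"):
            if SHELLSHOCK_RE.search(m.group(header)):
                hits.append((n, m.group("ip"), header))
    return hits


def local_bash_is_vulnerable():
    """Run the classic CVE-2014-6271 probe against the bash found on PATH.
    Returns "vulnerable", "patched", or "no-bash"."""
    bash = shutil.which("bash")
    if bash is None:
        return "no-bash"
    # The payload lives in an environment variable. A vulnerable bash runs the
    # trailing command while importing the function, before it even gets to
    # the -c command; a patched bash only warns on stderr and prints "test".
    env = {"PATH": "/usr/bin:/bin", "x": "() { :;}; echo vulnerable"}
    out = subprocess.run([bash, "-c", "echo test"], env=env,
                         capture_output=True, text=True, check=False).stdout
    return "vulnerable" if "vulnerable" in out.splitlines() else "patched"


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print("shellshock probe: line %d from %s via %s" % hit)
    print("local bash:", local_bash_is_vulnerable())
```

The log scan is deliberately broad: a legitimate User-Agent or Referer never begins with `() {`, so every hit is worth a look, and the source addresses give you an immediate block list. The local probe answers the question the post is really asking, whether your own servers are patched yet.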
Back Doors Always Become Open Doors
A commercial tool marketed to law enforcement and government for breaking into phones has been used by hackers. Any time a back door is inserted into a system, it eventually gets misused.
Is There Really Such a Thing as Security Through Obscurity?
DARPA is asking for research in a very interesting area: software obfuscation. DARPA wants to create programs that people can run without figuring out how the programs work. That's relatively easy to conceptualize, but very difficult to accomplish.
September 2014
Noisy Side-Channel Attacks Show Why True Security Is Difficult
Side-channel attacks steal information by carefully observing things that aren't the message but which expose information about it. As an analogy, imagine that you notice that the Pentagon and CIA parking lots are unusually full on a Sunday evening, and pizza delivery cars are coming and going frequently. You would wonder what is happening. In recent cybersecurity news, a group that has previously extracted information from computers by listening to high-frequency sounds made by the processor and analyzing radio noise emitted by the systems has now exploited the side channel of electrical noise measurable by touching the system case with a bare hand.
How Secure Are Password Managers?
Password managers that can be built into web browsers and added as plugins make it convenient, and practical, to deal with a large number of complex passwords. But even with a master password locking the password collection, there are still significant security problems. Here are the details.
Security From The Clouds To Orbit
The U.S. Commerce Department's Inspector General is warning that "the nation's next-generation polar-orbiting operational environmental satellite system" has significant security problems. The report describes contractors behaving badly and nearly 24,000 vulnerabilities listed in the ground system.
Hotel Security and the Internet of Things
The Hilton chain of 11 hotel brands has announced that your smart phone will function as your hotel room key starting next year. Convenience beats security, again.
August 2014
Federate Your Identities Carefully
Identity Federation is important even if you aren't using any cloud services at all, but it becomes much more important as soon as you do. Unfortunately, some attempts to use this security concept have made things worse instead of better. Learn about the covert redirect vulnerability. It isn't a vulnerability in the cloud identity protocols themselves; it's a problem with how sites implement them, in particular an open redirect on the relying site combined with a provider that accepts any redirect URI on that site's domain.
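To make the covert redirect problem concrete, here is an added example (not code from the post, and not any real provider's implementation) that simulates where an OAuth-style access token ends up under the weak, domain-only redirect_uri check versus an exact-match check, together with the client-side guard for a "next"/"to" parameter. The hosts client.example and attacker.example and the /redirect?to= endpoint are assumptions made up for the illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Redirect URI the (hypothetical) client "client.example" registered with
# the identity provider.
REGISTERED_REDIRECTS = {"https://client.example/oauth/callback"}


def provider_accepts_domain_only(redirect_uri):
    """The weak provider-side check behind covert redirect: any URL on the
    registered host is accepted, so any open redirect on that host becomes
    a place the provider will happily send the token."""
    host = urlsplit(redirect_uri).hostname
    return any(urlsplit(r).hostname == host for r in REGISTERED_REDIRECTS)


def provider_accepts_exact(redirect_uri):
    """Hardened check: scheme, host:port, path and query must all equal a
    registered URI, and a fragment is never allowed."""
    p = urlsplit(redirect_uri)
    if p.fragment:
        return False
    return any((p.scheme, p.netloc, p.path, p.query) ==
               (r.scheme, r.netloc, r.path, r.query)
               for r in map(urlsplit, REGISTERED_REDIRECTS))


def client_next_target_is_local(target):
    """Client-side guard for a 'next'/'to' parameter: accept only a path on
    this site, never an absolute URL, a protocol-relative //host, or /\\host
    (browsers treat the backslash as a slash)."""
    p = urlsplit(target)
    if p.scheme or p.netloc:
        return False
    return target.startswith("/") and not target.startswith(("//", "/\\"))


def token_destination(redirect_uri, provider_check):
    """Simulate the implicit-grant redirect and report which host ends up
    holding the access token, or None if the provider refused redirect_uri.
    The token rides in the URL fragment, which browsers preserve across an
    HTTP redirect, so an open redirect on the client passes it straight on."""
    if not provider_check(redirect_uri):
        return None
    p = urlsplit(redirect_uri)
    # Assumed for the example: client.example still has an old endpoint
    # /redirect?to=<url> that forwards the browser wherever 'to' points.
    if p.path == "/redirect":
        to = parse_qs(p.query).get("to", [""])[0]
        if not client_next_target_is_local(to):
            return urlsplit(to).hostname
    return p.hostname


if __name__ == "__main__":
    attack = "https://client.example/redirect?to=https://attacker.example/collect"
    print("domain-only check sends token to:",
          token_destination(attack, provider_accepts_domain_only))
    print("exact-match check result:",
          token_destination(attack, provider_accepts_exact))
```

Both fixes are independent and you want both: the provider should match redirect URIs exactly, and the relying site should never forward to an attacker-supplied absolute URL, because the domain-only check is still common in the wild.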
How Has The Past Year Of NSA Surveillance Revelations Changed The Cloud Market?
The short version is that people are even more worried than they were. Cloud providers are generally very good at data integrity and availability. They should not be trusted for data confidentiality. You have to do the privacy or secrecy work on your own if you and any careful auditors are to have any confidence.
Satellite communication security has largely relied on physical separation and obscurity. A recent study shows that the systems aren't that obscure, and they have many gaping holes if you just know how to reverse-engineer publicly available firmware updates. The possible exploits are wide-ranging and powerful.
The Energetic Bear and Crouching Yeti at the Watering Hole
Kaspersky Labs has produced another great analysis of a complex APT or Advanced Persistent Threat. Now we know at least some of what it does. Why it does it, to whom, and for whom, remains mysterious.
June–July 2014
Is The World Knocking At Your Door, Or Trying To Kick It In? The Multi-Gigabit DDoS Threat
The Multi-Gigabit DDoS Threat, Part 2: Modern Attacks with DNS Amplification
The Multi-Gigabit DDoS Threat, Part 3: Turning Up The Heat With NTP Amplification
The Multi-Gigabit DDoS Threat, Part 4: Defense with Black Holes, Sinkholes, and the Cloud
You need to know about truly antiquated attacks like misusing the ping command and the Smurf and Fraggle amplification attacks if you want to get through (similarly outdated) certification exams like CompTIA Security+ and ISC2 CISSP. But the new threat environment on the Internet involves multi-gigabit-per-second, up to multi-hundred-gigabit-per-second, floods of reflected and amplified traffic that can overwhelm the connections of most organizations. Here's what you need to know about the threats and the defenses.
Don't Let BYOD Stand For "Bring Your Own Disaster."
Users' personal devices can cause accidental denial-of-service attacks inside your organization. BYOD can save money and make some users happier, but to make it work without causing more problems than it solves, you have to be very careful about a number of things.
What Is Happening In Quantum Cryptography?
Yes, people are using quantum computers, or at least what are labeled as such, to work on problems at the core of information security. No, it doesn't seem that general-purpose quantum computers capable of factoring multi-hundred-digit numbers are anywhere close to hitting the market, but it's important to keep an eye on this area.
May–June 2014
Why Won't Cloud Providers Give Us Something For Nothing?
The cloud can certainly be cheap, and there are some free offers, but it isn't going to be free forever. Many on-line writers bemoan the loss of free cloud services, and describe ways to shuffle your data around and hop from one free service to another. That doesn't seem like a good way to run an enterprise!
Useful Skepticism Only Comes With Knowledge
You can find a lot of both exciting and scary stories on-line about technology. However, a lot of them are outdated, wrong, or otherwise dangerously misleading. You need to understand the underlying technology in order to be an appropriately cautious reader.
What Is Going On With The Free Operating Systems?
Many subsystems are changing rapidly within the popular Linux distributions. The move to replace init with systemd, adding systemd-journald to the logging infrastructure, is the largest. Even the extremely conservative OpenBSD is preparing for big changes in its DNS, SMTP, and HTTP/HTTPS services. What do you need to know, and when do you need to know it?
Bitcoin mystifies me. The cryptography isn't the hard part to understand. It's the way it's used. What's the point of an entirely peer-to-peer payment system with no reliance upon (or supervision and surveillance by) centralized authorities, when the first thing people do is put their Bitcoin holding into virtualized banks?
April–May 2014
Smart Phone and Tablet Problems Can Let Your Cloud Data Slip Out the Back Door
Smart phones and tablets are frequently used for on-the-go (and even at-the-desk) access to data stored and processed "out in the cloud". Did you know that there are two operating systems in smart phones and many tablets, the one you see and a second one running the cellular radio, and that the second one may contain back doors that the company doesn't fix and may not even discuss?
The Internet Has Serious Trust Problems, Part 1
Part 2: Data Loss Prevention Leads to Trust Loss
Part 3: Subordinate CA Certificates Lead to Policy Changes
Part 4: Trouble in Turkey, Carefully Corrected
Part 5: Response Leads to Corporate Survival or Death
The Public-Key Infrastructure (or PKI) spanning the Internet is intended to provide security, specifically server authentication and data confidentiality. In practical terms, it lets us be confident that it really is our bank or trusted on-line store with whom we're sharing personal and financial information, and that the data will be encrypted and therefore hidden as it traverses the Internet. Well, the system has a lot of problems, and they're caused by people and process issues instead of ciphers and protocols. This series of essays explains what should be happening and how it has failed in a series of prominent cases.
March 2014
Reality Versus Cloud Expectations
Some U.S. Government agencies are saying that public cloud providers have completely unacceptable offerings. That may be true for those would-be customers, but maybe some agencies have entirely unrealistic expectations.
GnuTLS Bug Puts Network Communications at Risk
GnuTLS Bug Part 2: What Components Were At Risk?
GnuTLS Bug Part 3: You Always Need to Patch New Cloud Servers
There were two huge and related cybersecurity stories in the spring of 2014. Two shared libraries implementing SSL/TLS, GnuTLS and OpenSSL, were found to have serious security problems. The OpenSSL bug, given the catchy name "Heartbleed" and a colorful logo, may have taken attention away from the equally critical GnuTLS bug. Here's a series of essays on what the GnuTLS bug was, what it means, and what to do about it.
February 2014
What Happens When "Shadow IT" Goes Missing?
Who Will Maintain Your "Shadow IT"?
Two essays on the topic of "Shadow IT", when management deploys cloud services and then moves critical data outside your organization into the cloud without telling the IT department. Face it, this happens. A lot. There are issues of patching and configuration as well as more mundane things like keeping up with the small but still required payments. What can happen to your data?
Cloud in the Crosshairs: Choose Carefully and Secure Your Cloud Servers
The major cloud providers offer a large range of machine images, thousands to tens of thousands of them. Some are rather outdated, missing many critical security patches, and many have insecure configurations. The bad guys know this, and so they regularly scan the large blocks of IP addresses used by cloud hosting facilities to find publicly reachable weak systems. Don't be a victim!
Linux Scores Highest in UK Government Security Assessment
The cloud is based on Linux and other open-source technology. CESG, the Communications-Electronics Security Group, is a component of GCHQ, the Government Communications Headquarters, which makes CESG roughly analogous to DISA in the U.S. They have published a report giving an Ubuntu Linux distribution the top score.
January 2014
What's The Story of the OpenSSL Hack?
OpenSSL is a vital piece of Internet security. The software package provides everything you need to create your own PKI or Public-Key Infrastructure operation, and many organizations do just that. But the openssl.org web server was hacked. What does this mean for Internet security?
Want Safe Cloud-Based E-Mail? I'm Avoiding Web Mail.
Most people will say that security is important on the Internet, but force them into a choice and ease of use wins in most cases. Web mail is an especially risky form of this choice.
Here's Some Guidance on Developing Secure Cloud Applications
SAFECode and the Cloud Security Alliance have published a new paper on developing secure software for use in the cloud. It has nothing really new, and it isn't really specific to the cloud, but it's all good advice.