<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>uncompiled.com &#187; Research</title>
	<atom:link href="http://www.uncompiled.com/category/research/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.uncompiled.com</link>
	<description>Technology News That You Need</description>
	<lastBuildDate>Fri, 30 Jul 2010 01:19:58 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Black Hat: U.S. Infrastructure Vulnerable To Cyber Attack</title>
		<link>http://www.uncompiled.com/2010/07/black-hat-u-s-infrastructure-vulnerable-to-cyber-attack/</link>
		<comments>http://www.uncompiled.com/2010/07/black-hat-u-s-infrastructure-vulnerable-to-cyber-attack/#comments</comments>
		<pubDate>Fri, 30 Jul 2010 01:18:41 +0000</pubDate>
		<dc:creator>mstanisl</dc:creator>
				<category><![CDATA[Conference]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Infrastructure]]></category>
		<category><![CDATA[Research]]></category>

		<guid isPermaLink="false">http://www.uncompiled.com/?p=1415</guid>
		<description><![CDATA[         ]]></description>
			<content:encoded><![CDATA[<p>Cyber terrorists have a number of ways to mount a major cyber attack on U.S. Internet infrastructure due to the general instability of its base, the director of the agency in charge of protecting the federal government&#8217;s IT network said Wednesday.</p>
<p>&#8220;With decades of IT infrastructure built to support changing technologies, there is little ability to baseline the entire infrastructure within the United States,&#8221; said Randy Vickers, director of the United States Computer Emergency Readiness Team (US-CERT), in an interview Wednesday. &#8220;This variety of platforms and applications provides many possible vectors by which to attack infrastructure.&#8221;</p>
<p>Vickers is scheduled to join other IT leaders from government agencies for a panel to discuss the threat of cyber war and how to deter it at the Black Hat security conference in Las Vegas on Thursday.</p>
<p>US-CERT is a division of the Department of Homeland Security (DHS) responsible for responding to and defending against cyber attacks for the federal government&#8217;s IT infrastructure. It also is in charge of sharing information and collaborating with state and local governments as well as the private sector to protect critical infrastructure in the U.S.</p>
<p>Vickers said that critical infrastructure is not likely to become less prone to attacks anytime soon. He cited ongoing changes in the IT landscape &#8212; such as cloud computing and an increasingly mobile workforce &#8212; as conditions that only open up infrastructure to more threats.</p>
<p>&#8220;The environment is only going to increase in complexity, and as more threat capabilities are developed the risk to our information infrastructure that we are so heavily dependent upon also increases,&#8221; he said.</p>
<p>To achieve its goal to keep an eye on federal networks, the DHS is currently deploying an intrusion-detection and security system called EINSTEIN 2, Vickers said. The system is currently operational at 12 of 19 federal agencies, providing US-CERT with, on average, visibility into more than 278,000 indicators of potentially malicious activity per month, he said.</p>
<p>EINSTEIN 2 should be fully deployed at the federal government by the end of the year, after which the DHS will take security to the next level with EINSTEIN 3, Vickers said.</p>
<p>EINSTEIN 3, developed by the National Security Agency, is the third phase of the Comprehensive National Cybersecurity Initiative (CNCI), and will provide intrusion prevention on top of EINSTEIN 2&#8217;s intrusion-detection capability, he said. The first phase of the system &#8212; EINSTEIN 1 &#8212; is currently deployed as a system that gathers information about network traffic flows.</p>
<p>US-CERT first revealed details about EINSTEIN 3 in March. At the time, the DHS said the system will do real-time, deep packet inspection and make decisions based on threats by examining network traffic at the edge of federal agency networks.</p>
<p>This activity will redirect agency Internet traffic to DHS cybersecurity systems, which will determine which traffic might be associated with cyber threats and how to respond, the department said. The DHS worked with a commercial Internet service provider to do a test deployment of EINSTEIN 3 earlier this year. Vickers said these types of public-private partnerships will continue as the federal government works to secure its network infrastructure against cyber attacks.</p>
<p>&#8220;At the end of the day, the architecture for the dot-gov&#8217;s cyber perimeter defense will be hybrid of government and private technologies,&#8221; he said.</p>
<p><a href="http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=226300202">Source</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.uncompiled.com/2010/07/black-hat-u-s-infrastructure-vulnerable-to-cyber-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Researcher Reveals Major SSL and Browser Flaws</title>
		<link>http://www.uncompiled.com/2010/07/researcher-reveals-major-ssl-and-browser-flaws/</link>
		<comments>http://www.uncompiled.com/2010/07/researcher-reveals-major-ssl-and-browser-flaws/#comments</comments>
		<pubDate>Fri, 30 Jul 2010 01:14:14 +0000</pubDate>
		<dc:creator>mstanisl</dc:creator>
				<category><![CDATA[Browsers]]></category>
		<category><![CDATA[Conference]]></category>
		<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[Research]]></category>
		<category><![CDATA[SSL]]></category>

		<guid isPermaLink="false">http://www.uncompiled.com/?p=1413</guid>
		<description><![CDATA[         ]]></description>
			<content:encoded><![CDATA[<p>LAS VEGAS&#8211;A security researcher has found a slew of fundamental problems with the way that modern browsers are designed and built, leading to serious questions about the security of these applications and the way that they handle SSL sessions. </p>
<p>The research, done by Robert Hansen of SecTheory, shows that browsers such as Firefox, Internet Explorer and Chrome have a number of architectural problems that can essentially negate the security that SSL is meant to provide for sensitive Web transactions. The techniques that Hansen has developed, which he demonstrated at the Black Hat conference here Thursday, give an attacker the ability to do any number of nasty things to a target machine, including forcing the download of an executable file, overwriting the URL field in the browser and overwriting secure HTTPS cookies with non-secure cookies.</p>
<p>In all, Hansen found 24 problems before he decided to stop looking. &#8220;I basically had to stop the research because there were just too many issues. I didn&#8217;t have time to deal with any more,&#8221; Hansen said.</p>
<p>A big part of the problem, Hansen said in an interview, is that browsers don&#8217;t enforce policies that would isolate the tabs in an open browser from one another. This allows an attacker who controls one tab, say a normal non-SSL session, to also affect content in the other tabs, even if they&#8217;re using SSL. Hansen identified several techniques that let him watch an SSL-protected session and glean a lot of information about what the user is doing, by timing certain parts of the Web session and knowing how long each part of a site takes to load. He can also tell whether a user is logged in on a given site, and use a specific technique to log the user out so that he can watch the subsequent login and steal the credentials.</p>
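<p>The &#8220;overwriting secure HTTPS cookies with non-secure cookies&#8221; problem above follows directly from how a browser keys its cookie jar. The following model is an added example, not code from the article or from Hansen: it stores cookies by (name, domain, path) only, as RFC 6265 section 5.3 later codified, with no notion of which scheme set them, so a Set-Cookie header received over plain http:// replaces the cookie that https:// set with the Secure flag. The host bank.example, the header strings and the names CookieJar, parse_set_cookie and demo are all constructed for the example. The strict mode implements the &#8220;Leave Secure Cookies Alone&#8221; rule that browsers adopted years after this talk, under which a non-secure origin can neither create nor overwrite a Secure cookie.</p>

```python
"""Why a plain-HTTP page can overwrite a Secure cookie set over HTTPS.

Added example, not from the article or from Hansen. The cookie jar below is
keyed by (name, domain, path) only, the way RFC 6265 section 5.3 specifies:
the scheme of the response that set a cookie is not part of the key, so a
Set-Cookie received over http:// replaces the one https:// set with Secure.
The host bank.example, the header strings and all names are constructed for
the example. strict=True implements the later "Leave Secure Cookies Alone"
rule: a non-secure origin may neither create nor overwrite a Secure cookie."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str
    secure: bool


def parse_set_cookie(header: str, request_url: str) -> Cookie:
    """Minimal Set-Cookie parser: name=value plus Domain, Path and Secure.
    Domain defaults to the request host (a host-only cookie) and Path to /."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, path, secure = urlsplit(request_url).hostname, "/", False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            domain = val.strip().lstrip(".").lower()
        elif key == "path":
            path = val.strip() or "/"
        elif key == "secure":
            secure = True
    return Cookie(name.strip(), value.strip(), domain, path, secure)


class CookieJar:
    def __init__(self, strict: bool = False):
        # Storage key deliberately omits the scheme, as in RFC 6265.
        self.store: dict[tuple[str, str, str], Cookie] = {}
        self.strict = strict

    def set_cookie(self, header: str, request_url: str) -> bool:
        """Store the cookie from a Set-Cookie header received while loading
        request_url. Returns False if the jar refused it (strict mode only)."""
        new = parse_set_cookie(header, request_url)
        over_https = urlsplit(request_url).scheme == "https"
        key = (new.name, new.domain, new.path)
        if self.strict and not over_https:
            if new.secure:
                return False            # http:// may not create a Secure cookie
            old = self.store.get(key)
            if old is not None and old.secure:
                return False            # ...nor overwrite an existing one
        self.store[key] = new           # same key => old cookie is replaced
        return True

    def cookie_header(self, request_url: str) -> str:
        """The Cookie: header the browser would send with a request to
        request_url (Secure cookies go out over https:// only)."""
        url = urlsplit(request_url)
        host, https = url.hostname, url.scheme == "https"
        sent = [c for c in self.store.values()
                if (host == c.domain or host.endswith("." + c.domain))
                and url.path.startswith(c.path)
                and (https or not c.secure)]
        return "; ".join(f"{c.name}={c.value}" for c in sent)


def demo(strict: bool) -> str:
    """Run the overwrite against a fresh jar and return the session cookie
    the browser would then send to the HTTPS site."""
    jar = CookieJar(strict=strict)
    # 1. The HTTPS site sets its session cookie with the Secure flag.
    jar.set_cookie("session=real-session-token; Secure; Path=/",
                   "https://bank.example/login")
    # 2. A tab the attacker controls, or a man in the middle injecting into any
    #    http:// response for the same host, sets a cookie with the same name.
    jar.set_cookie("session=attacker-chosen-token; Path=/",
                   "http://bank.example/")
    return jar.cookie_header("https://bank.example/account")


if __name__ == "__main__":
    print("RFC 6265 jar    :", demo(strict=False))
    print("secure-alone jar:", demo(strict=True))
```

<p>With the RFC 6265 jar the HTTPS site receives the attacker&#8217;s session value, which is a session-fixation primitive: the attacker never needs to break the TLS session, only to get one http:// response for the host into the browser, which is why the article pairs these techniques with a man-in-the-middle position. The strict jar keeps the original cookie. Today the same protection comes from the Secure-cookies-alone rule together with the <code>__Host-</code> cookie name prefix, which additionally pins the cookie to a single host and the root path.</p>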
<p>&#8220;When you look at it, what does SSL really offer? What this means is that for the average user, against a determined adversary, there really is no protection,&#8221; said Hansen, who presented his findings at the Black Hat conference here Thursday. &#8220;People give SSL and TLS a lot of credit, when it shouldn&#8217;t have any at all.&#8221;</p>
<p>SSL is the main transport security used by millions of Web sites to protect data being sent from browsers to Web servers. It&#8217;s been shown to be vulnerable to a number of different attacks, including several man-in-the-middle attacks, which could be used in conjunction with some of Hansen&#8217;s techniques to completely compromise a supposedly secure Web session.</p>
<p>&#8220;The most important thing is that if an attacker can map out the domain ahead of time, he can get a really good feel for how the site is built,&#8221; Hansen said. &#8220;If there&#8217;s a side channel, I can force them to precache some of the content on the page so that I don&#8217;t see that again when they reload the page. Then, the only thing you&#8217;re seeing are the things that are interesting to the attacker. You can map out the user&#8217;s flow around the site and the attacker can force the user to make an SSL connection to them so they can tell which SSL and HTTP headers are being sent in which direction. It&#8217;s about narrowing down the number of bytes that are interesting.&#8221;</p>
<p>As troubling as the problems that Hansen found are, he emphasized that they don&#8217;t mean that the sky is falling. </p>
<p>&#8220;You still need to be a man in the middle first and there are probably easier ways to attack people once you are, but there are a lot of issues here,&#8221; he said. &#8220;If there was better jitter and padding in SSL, a lot of this wouldn&#8217;t even be possible.&#8221;</p>
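<p>The side channel Hansen describes works because SSL/TLS encrypts the bytes of a response but, without padding, does not hide how many of them there are: the attacker maps the site ahead of time, precaches the shared content so that only the interesting resources cross the wire, and then matches each observed ciphertext length against the map. The following is an added example, not code from the article or from Hansen, that runs that attack against a constructed site map and then shows what the padding he asks for buys, by padding responses up to a bucket size before encryption and watching the attacker&#8217;s table collapse. The page sizes, the TLS_OVERHEAD constant and the function names are assumptions made for the example. Timing leaks the same way, since transfer time grows with size, and adding jitter to timing is the analogue of adding padding to length.</p>

```python
"""Length-based traffic analysis of an encrypted session and the padding
mitigation. Added example; the site map, TLS_OVERHEAD and all names are
constructed assumptions, not from the article."""
import math

# Constructed site map: page -> size in bytes of the body that is actually
# fetched once shared assets (CSS, scripts, images) have been precached, so
# each navigation produces one response whose length depends only on the page.
SITE_MAP = {
    "/account/overview": 18432,
    "/account/transfer": 21007,
    "/account/transfer?confirm=1": 21020,
    "/messages": 9731,
    "/logout": 512,
}

# Assumed constant per-response overhead (record headers, MAC/tag). Real TLS
# adds a few bytes per record; any fixed offset is enough for the attack.
TLS_OVERHEAD = 21


def ciphertext_len(plain_len: int, pad_to: int = 1) -> int:
    """Bytes on the wire for a response whose body is plain_len bytes,
    after padding the body up to a multiple of pad_to (1 = no padding)."""
    padded = math.ceil(plain_len / pad_to) * pad_to
    return padded + TLS_OVERHEAD


def build_fingerprints(pad_to: int = 1) -> dict[int, list[str]]:
    """Attacker's precomputed table, built by fetching each mapped page once
    and recording its encrypted length: wire length -> candidate pages."""
    table: dict[int, list[str]] = {}
    for page, size in SITE_MAP.items():
        table.setdefault(ciphertext_len(size, pad_to), []).append(page)
    return table


def identify(observed_len: int, pad_to: int = 1) -> list[str]:
    """Pages consistent with one sniffed response length (empty if none).
    A single candidate means the page was recovered from length alone."""
    return build_fingerprints(pad_to).get(observed_len, [])


def worst_case_anonymity(pad_to: int = 1) -> int:
    """Size of the smallest anonymity set in the table: 1 means at least one
    page is uniquely identifiable, len(SITE_MAP) means length leaks nothing."""
    return min(len(pages) for pages in build_fingerprints(pad_to).values())


if __name__ == "__main__":
    # Constructed observation: the victim just confirmed a transfer.
    sniffed = ciphertext_len(SITE_MAP["/account/transfer?confirm=1"])
    print("no padding   :", identify(sniffed))
    sniffed = ciphertext_len(SITE_MAP["/account/transfer?confirm=1"], 4096)
    print("pad to 4 KiB :", identify(sniffed, 4096))
    print("pad to 32 KiB, smallest anonymity set:", worst_case_anonymity(32768))
```

<p>With no padding every page in the map has a unique length, so one sniffed response tells the attacker exactly where the user is. Padding to 4 KiB merges the transfer page with its confirmation page, which is precisely the distinction an attacker watching a banking session cares about, while still leaving other pages distinguishable. Padding everything to one maximum size leaves length-only analysis with nothing to work on, at the cost of bandwidth; that trade-off is why the padding Hansen asks for was never made the default.</p>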
<p><a href="http://threatpost.com/en_us/blogs/researcher-reveals-major-ssl-and-browser-flaws-072910">Source</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.uncompiled.com/2010/07/researcher-reveals-major-ssl-and-browser-flaws/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA encryption: meeting today&#8217;s regulations</title>
		<link>http://www.uncompiled.com/2010/07/hipaa-encryption-meeting-todays-regulations/</link>
		<comments>http://www.uncompiled.com/2010/07/hipaa-encryption-meeting-todays-regulations/#comments</comments>
		<pubDate>Thu, 01 Jul 2010 13:44:32 +0000</pubDate>
		<dc:creator>mstanisl</dc:creator>
				<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Medical]]></category>
		<category><![CDATA[Research]]></category>

		<guid isPermaLink="false">http://www.uncompiled.com/?p=1359</guid>
		<description><![CDATA[         ]]></description>
			<content:encoded><![CDATA[<p>There are a couple of reasons for this increased focus on encryption.</p>
<p>First, the U.S. Department of Health and Human Services (HHS) issued guidance under which &#8220;unsecured protected health information (PHI)&#8221; is essentially any PHI that is not encrypted or destroyed. Under this definition, it doesn&#8217;t matter how many chains, walls, doors, biometric gizmos and guards with lethal weapons you have at your service. As long as PHI is not encrypted, it is considered unsecured.</p>
<p>A second and more compelling reason why encryption is now effectively a requirement is HITECH&#8217;s breach notification rule, which requires HIPAA-covered entities to send notification letters if there is a breach of unsecured PHI. As HHS pointed out, encryption grants safe harbor in the event of a breach, because encrypted PHI is not unsecured PHI.</p>
<p>Oddly enough, in the same breath, HHS also notes that &#8220;covered entities and business associates are not required to follow the guidance.&#8221; However, cleaning up the mess behind a breach notification can cost millions of dollars, so one would have to be supremely confident — or reckless — not to take advantage of the encryption safe harbor. With such mixed signals, it is not hard to see why encryption is called a de facto requirement.</p>
<p>What type of encryption?</p>
<p>Since encryption means different things to different people, an important question is &#8220;what type of encryption should I use?&#8221;</p>
<p>In the past, some companies sold hard drives that claimed to use strong encryption. Analysis showed that a strong algorithm was indeed used, but only to protect the password, not the data stored on the device. The data itself was encrypted with a proprietary algorithm the vendor had developed, which proved to be anything but strong.</p>
<p>This illustrates the potential pitfalls of choosing any type of encryption package — a lack of strong, secure encryption. Obviously, some encryption programs do a better job of protecting data than others, but how can a company choose the right one? </p>
<p>HHS does not provide any guidance in this area, and that is a smart move. HHS does many things, but it is not in the position to determine the technical requirements that would separate strong from weak encryption. Instead, HHS defers to the National Institute of Standards and Technology (NIST) to direct organizations to a number of special publications on the subject.</p>
<p>The publications are endless, tedious documents which are long on theory and short on technical requirements.  However, a little detective work leads to concrete specifications that one can work with.</p>
<p>While these requirements are for federal agencies, they could also serve as a great guide for private practices. Since HHS deferred to NIST when it comes to encryption, companies need to meet the expectations of what NIST considers &#8220;proper&#8221; encryption for sensitive data.</p>
<p>Further proof that HHS deferred to NIST is found in the guidance, where encryption for &#8220;data at rest&#8221; and &#8220;data in motion&#8221; are specifically mentioned. The latter refers to data going through networks, including wireless networks.  The former refers to data that is stored: laptops, external hard drives, CDs or DVDs, backup tapes, etc.</p>
<p>Data in motion</p>
<p>Of the two, encrypting data in motion is more straightforward: valid encryption processes must &#8220;comply with the requirements of Federal Information Processing Standards (FIPS) 140-2.&#8221; While there are many technical requirements involved, many vendors offer products that are FIPS 140-2 validated, so finding such a solution is easy.</p>
<p>Organizations should look for a solution that is FIPS 140-2 validated, not merely &#8220;FIPS 140-2 certified&#8221; or &#8220;FIPS 140-2 compliant.&#8221; Validated means the cryptographic module was tested by an accredited laboratory and issued a certificate under the Cryptographic Module Validation Program (CMVP) that NIST runs; the certificate number can be checked against the CMVP&#8217;s published list of validated modules. &#8220;Certified&#8221; and &#8220;compliant&#8221; are often used interchangeably with &#8220;validated,&#8221; but they have no formal meaning and are mostly marketing speak: such a product may use encryption in the spirit of NIST&#8217;s requirements, but it has not been validated. Note also that a validation applies to a specific module version and operating configuration, so the product must actually be deployed in its validated (FIPS-mode) configuration for the certificate to mean anything.</p>
<p>Data at rest</p>
<p>Finding appropriate data at rest encryption requires a little digging. According to the suggested NIST publication — Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices — &#8220;Federal agencies must use FIPS-approved algorithms contained in validated cryptographic modules. Whenever possible, AES (Advanced Encryption Standard) should be used for the encryption algorithm because of its strength and speed.&#8221;</p>
<p>Also, a footnote makes reference to NIST SP 800-57, &#8220;Recommendation for Key Management,&#8221; and notes that it &#8220;provides detailed information on key management planning, algorithm selection and appropriate key sizes, cryptographic policy and cryptographic module selection.&#8221;</p>
<p>It is unfortunate that this information is relegated to a footnote, since SP 800-57 is the publication most HIPAA-covered entities are actually looking for. Section 5.6.2 identifies the encryption algorithms that are approved for use, the minimum key sizes and how long each is expected to remain adequate; examples show how these fit together, and a table summarizes them. Any encryption weaker than this, and you might not be covered.</p>
<p>HIPAA-covered entities can expect safe harbor if, and only if, they adhere to these strict standards and guidelines. The fact that a company&#8217;s data is encrypted is meaningless without taking into account the NIST requirements. Organizations that properly adhere to HIPAA standards understand the impact of breach notifications. By proactively leveraging the proper encryption technologies, companies of all sizes can avoid these breach notifications while ensuring the security of their sensitive data.</p>
<p><a href="http://www.scmagazineus.com/hipaa-encryption-meeting-todays-regulations/article/173661/">Source</a></p>


<div class="shr-bookmarks shr-bookmarks-center">
<ul class="socials">
		<li class="shr-twitter">
			<a href="http://twitter.com/home?status=HIPAA+encryption%3A+meeting+today%27s+regulations+-+http://b2l.me/73pxp&amp;source=shareaholic" rel="nofollow" class="external" title="Tweet This!">Tweet This!</a>
		</li>
		<li class="shr-yahoobuzz">
			<a href="http://buzz.yahoo.com/submit/?submitUrl=http://www.uncompiled.com/2010/07/hipaa-encryption-meeting-todays-regulations/&amp;submitHeadline=HIPAA+encryption%3A+meeting+today%27s+regulations&amp;submitSummary=%20%20%20%20%20%20%20%20%20&amp;submitCategory=science&amp;submitAssetType=text" rel="nofollow" class="external" title="Buzz up!">Buzz up!</a>
		</li>
		<li class="shr-yahoomail">
			<a href="http://compose.mail.yahoo.com/?Subject=HIPAA+encryption%3A+meeting+today%27s+regulations&amp;body=Link: http://www.uncompiled.com/2010/07/hipaa-encryption-meeting-todays-regulations/ (sent via shareaholic)%0D%0A%0D%0A----%0D%0A %20%20%20%20%20%20%20%20%20" rel="nofollow" class="external" title="Email this via Yahoo! Mail">Email this via Yahoo! Mail</a>
		</li>
</ul>
<div style="clear:both;"></div>
</div>

]]></content:encoded>
			<wfw:commentRss>http://www.uncompiled.com/2010/07/hipaa-encryption-meeting-todays-regulations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Network Security Threats Increasing</title>
		<link>http://www.uncompiled.com/2010/06/network-security-threats-increasing/</link>
		<comments>http://www.uncompiled.com/2010/06/network-security-threats-increasing/#comments</comments>
		<pubDate>Fri, 25 Jun 2010 23:18:07 +0000</pubDate>
		<dc:creator>mstanisl</dc:creator>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[Research]]></category>

		<guid isPermaLink="false">http://www.uncompiled.com/?p=1339</guid>
		<description><![CDATA[         ]]></description>
			<content:encoded><![CDATA[<p>According to a study conducted by security information and event management provider netForensics, 80% of IT managers expect network-borne threats to increase throughout 2010 and 2011, and 85% see their security environment becoming more complex. But more than half said that their organization wasn&#8217;t budgeting sufficiently, or recruiting enough new talent, to counter the added threats or complexity.</p>
<p>The study of about 100 IT managers also found changes in security staff size over the past year, with it increasing for 15% of responding organizations, decreasing for 24%, and remaining static for 54%. Going forward, 20% of organizations planned to hire more security personnel, 15% planned to downsize, and 51% expected to stay the same.</p>
<p>remaining static or decreasing, and budgets not being allocated to put security processes in place, organizations are going to face greater challenges than ever to their security posture.&#8221;<br />
The study also found that just over half of respondents stated that their organization was more secure today than 12 months ago. Yet 65% don&#8217;t think their organization has &#8220;complete visibility&#8221; into its security posture at any given time.</p>
<p>Based on the survey results, &#8220;security professionals are being asked to do more with less, while at the same time, the organization is being put at a higher risk,&#8221; said Tracy Hulver, executive VP of products and marketing at netForensics, in a statement.</p>
<p>Her recommendation is that organizations should look at using tools and technologies that can scale up their response, without adding staff or budget. Examples of such tools include &#8220;outsourcing to cloud security, deploying technologies that maximize existing security infrastructure without having to invest in new, big-budget items, [and] acquiring technology via SaaS pricing models.&#8221;</p>
<p>Interestingly, even with the majority of organizations seeing increasing numbers of threats, but little or no increase in their security budget, 70% of respondents said they wouldn&#8217;t outsource their organization&#8217;s security. Then again, such a move might risk making respondents redundant.</p>
<p><a href="http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=225701500">Source</a>      </p>



]]></content:encoded>
			<wfw:commentRss>http://www.uncompiled.com/2010/06/network-security-threats-increasing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#8216;World&#8217;s No. 1 hacker&#8217; tome rocks security world</title>
		<link>http://www.uncompiled.com/2010/06/worlds-no-1-hacker-tome-rocks-security-world/</link>
		<comments>http://www.uncompiled.com/2010/06/worlds-no-1-hacker-tome-rocks-security-world/#comments</comments>
		<pubDate>Wed, 23 Jun 2010 11:06:05 +0000</pubDate>
		<dc:creator>mstanisl</dc:creator>
				<category><![CDATA[Fighting Back]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Legal]]></category>
		<category><![CDATA[Research]]></category>

		<guid isPermaLink="false">http://www.uncompiled.com/?p=1335</guid>
		<description><![CDATA[         ]]></description>
			<content:encoded><![CDATA[<p>A recently published e-book penned by the self-proclaimed “world&#8217;s No. 1 hacker” is rocking the security community with back-and-forth allegations of plagiarism, racism, and even threats against a security podcaster and his family.</p>
<p>How to Become the World&#8217;s No. 1 Hacker is purportedly written by Gregory D. Evans, an animated felon who went on to become CEO of Ligatt Security International, a publicly traded company worth about 0.0002 cent per share that bills itself as a full-service computer security firm. Released by the obscure Cyber Crime Media publishing house, the 342-page PDF is a comprehensive, step-by-step guide for consumers who want to learn how to harden their networks against attackers. Unix security, Wi-Fi cracking, and web service configuration are all covered.</p>
<p>But it turns out that huge chunks of the book weren&#8217;t written by Evans at all, even though no other authors are credited. For instance, virtually all of Chapter 12 – 5,894 words, to be exact – is identical to this tutorial on port scanning written by Armando Romeo and published on the hackerscenter.com website in early 2008. And 1,750 words found in Chapter 9 were lifted from this manual posted to ethicalhacker.net, including screenshots that make reference to Chris Gates, the original author.</p>
<p>In all, at least 13 of the e-book&#8217;s 26 chapters were lifted almost entirely word-for-word from other sources without attribution, according to this analysis from Ben Rothke, a senior security consultant for a professional services firm, who ran the portions through iThenticate, an online tool for spotting plagiarism. Other sources that were used without credit include Security Focus, Auditmypc.com, and Squidoo.com.</p>
<p>“Mr Evans has never asked any permission from me and I&#8217;m the only owner of the copyrights of my website,” said Armando Romeo, CEO of eLearnSecurity who says in all five Chapters in How to Become the World&#8217;s No. 1 Hacker “have been literally copied and pasted from my guides” on the Hacker Center website. He added that this is the second run-in he&#8217;s had with Evans, who regularly appears on local and national TV shows to talk about computer security.</p>
<p>Chris Gates and Donald Donzal, the author and editor respectively of the articles on the Ethical Hacker site, are also steadfast that Evans never had permission to use their content, which was first published in 2007. Donzal said he&#8217;s in the process of filing a take-down demand under the US Digital Millennium Copyright Act.</p>
<p>Evans – who in 2002 was sentenced to 24 months in federal prison after pleading guilty to wire fraud – has vociferously defended his use of the previously published articles. In an interview with The Register, he said he began work on the book in 2008, and largely drew on ghost writers who by contract agreed to submit “original content.” He insisted the submissions were vetted for authenticity by a service he declined to name. But he nonetheless went on to challenge the authors who have stepped forward to complain their work has been misappropriated.</p>
<p>“What you&#8217;re doing is you&#8217;re saying Greg, you put other people&#8217;s stuff in your book, but if I go out on the internet, you cannot tell me who owns those other people&#8217;s stuff,” he said. “All you&#8217;re doing is you&#8217;re telling me that who owns a website where other people publish at that website, but they&#8217;re not the owners of the content.”</p>
<p>&#8216;Mitnick under my wing&#8217;<br />
Evans, who is African American, has pushed back equally hard against other people asking hard questions about the true origins of his book. In a reference to another company Evans leads, he published this rebuttal headlined “National Cyber Security Uncovers Racism Within the Computer Security Industry,” and continued to refer to himself as the author of the book.</p>
<p>In an accompanying video blog that was posted late last week, Evans went on to defend his hacker credentials, noting that he was incarcerated on the same floor as Kevin Mitnick during the latter&#8217;s five-year prison stint for hacking and fraud crimes.</p>
<p>“When I get in there, I take Kevin Mitnick under my wing,” Evans said in the video. “We used to turn around and have contests like who can get free phone calls, who can get away with making a three-way call without getting caught.”</p>
<p>Evans went on to claim that he advised Mitnick on a plea bargain he was negotiating with federal prosecutors and was in the same room as Mitnick when he learned he was going to be interviewed on the CBS News show &#8220;60 Minutes.&#8221; Mitnick denies the account.</p>
<p>“He basically misrepresented our relationship, our meetings” Mitnick told The Register. “He certainly didn&#8217;t take me under his wing, whatever that means. I didn&#8217;t really discuss my case with him because you don&#8217;t discuss your case with other people in jail because they&#8217;ll become informants.”</p>
<p>According to Mitnick, by the time he was approached by &#8220;60 Minutes,&#8221; he had been transferred to the Lompoc Federal Correctional Complex and hadn&#8217;t seen Evans in months.</p>
<p>Evans “made that whole story up,” Mitnick said. “He was never there.”</p>
<p>Mitnick also challenged the hacking skills of Evans, whose previous books include Memoirs of A Hi-Tech Hustler and Hi-Tech Hustler Scrap Book 2004-2005.</p>
<p>“What I recall of him, he wasn&#8217;t too savvy with hacking, but he did understand phone phreaking,” Mitnick continued. Evans&#8217;s 1998 prosecution “was a typical fraud case. It wasn&#8217;t hacking or phone phreaking, really. He seemed to be a nice guy, a very evangelist type personality. I kind of sized him up kind of like a hustler, a grifter.”</p>
<p>Indeed, in video blogs promoting Ligatt Security to potential shareholders, Evans comes across at some points as a high-pressure salesman and at others as a class clown. In this video from last year discussing a deal involving a property known as spoofem.com he shares this nugget:</p>
<p>“I got the news this morning on my way to work, got here late because I caused an accident when I was reading my email and I saw it and I started screaming and I swerved and then this tractor trailer fell over and hit this bus full nuns and it was just [a] mess, but I took off real quick because I got a fast car. They didn&#8217;t know it was me, so I&#8217;m here doing this video blog. Pray for me.&#8221;</p>
<p>Be like &#8216;Googles&#8217;<br />
In the same video a few minutes later, he compared Ligatt shares to those of Google – which he mistakenly refers to as “Googles” – before the stock hit sky-high prices: “It&#8217;s just like buying Googles,” he said. “You could have bought Googles years ago. Just imagine if you bought Googles at a penny or less than a penny how trillionaire you&#8217;d be today. I&#8217;m trying to give you that same vision.&#8221;</p>
<p>But it&#8217;s fair to say Evans, who says he&#8217;s 41 years old, has a temper as well. About a half hour into his interview with The Register, after growing increasingly agitated with the questions, he abruptly stopped the conversation and, through a spokeswoman, refused to continue.</p>
<p>And according to this account from security blogger and podcaster Chris John Riley, someone left a post threatening “to go after you family [sic]” less than 15 minutes after he spoke with Evans on the phone to arrange a taped interview regarding the allegations of plagiarism.</p>
<p>“I will have my friend in your country tracked down [sic] everyone you are friends with and your family and see what you are all about,” the posting stated. The person didn&#8217;t sign the message, but the IP address used to leave the message belongs to a Bell South customer in the Atlanta area, where Ligatt Security is headquartered.</p>
<p>Evans – who often refers to himself as the &#8220;world&#8217;s No. 1 hacker&#8221; and is regularly interviewed by various Fox News anchors and affiliates – has yet to say whether he played any role in posting the comments. He terminated his interview with The Register before the issue could be addressed.</p>
<p>Riley said that nothing during his brief conversation with Evans on Wednesday gave any indication there were any hard feelings. But when the time they had arranged to conduct the podcast came, Evans was a no-show.</p>
<p>Said Riley: “I did log onto Skype and I did wait and nothing ever came around. I thought it was funny. To be honest, I think Greg is more bark than bite.” </p>
<p><a href="http://www.theregister.co.uk/2010/06/22/worlds_no_1_hacker/">Source</a>      </p>



]]></content:encoded>
			<wfw:commentRss>http://www.uncompiled.com/2010/06/worlds-no-1-hacker-tome-rocks-security-world/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Breaches Persist In Health Care</title>
		<link>http://www.uncompiled.com/2010/06/data-breaches-persist-in-health-care/</link>
		<comments>http://www.uncompiled.com/2010/06/data-breaches-persist-in-health-care/#comments</comments>
		<pubDate>Thu, 17 Jun 2010 13:22:51 +0000</pubDate>
		<dc:creator>mstanisl</dc:creator>
				<category><![CDATA[Breach]]></category>
		<category><![CDATA[Financial]]></category>
		<category><![CDATA[Medical]]></category>
		<category><![CDATA[Research]]></category>

		<guid isPermaLink="false">http://www.uncompiled.com/?p=1321</guid>
		<description><![CDATA[         ]]></description>
<content:encoded><![CDATA[<p>In September 2009, the Obama administration’s Health Information Technology for Economic and Clinical Health (HITECH) Act went into effect, requiring hospitals and other health care organizations to beef up client data protections. Despite this, a recent study found that health care data is still hemorrhaging from peer-to-peer networks.</p>
<p>A peer-to-peer network, commonly abbreviated P2P, is any distributed network architecture composed of participants that make a portion of their resources (such as processing power, disk storage or network bandwidth) directly available to other network participants, without the need for central coordination instances (such as servers or stable hosts).</p>
<p>In simple terms, P2P is software installed on your PC and on other people’s PCs that allows data to be shared between those computers.<br />
Computerworld reports, “One of the more than 3,000 files discovered by the researchers was a spreadsheet containing insurance details, personally identifying information, physician names and diagnosis codes on more than 28,000 individuals. Another document contained similar data on more than 7,000 individuals. Many of the documents contained sensitive patient communications, treatment data, medical diagnoses and psychiatric evaluations. At least five files contained enough information to be classified as a major breach under current health-care breach notification rules.”</p>
<p>In my own research, digging through P2P networks, I’ve uncovered tax returns, student loan applications, credit reports and Social Security numbers. I’ve found family rosters which include usernames, passwords and Social Security numbers for entire families. I’ve found Christmas lists, love letters, private photos, videos, and just about anything else that can be saved as a digital file.</p>
<p>It’s no surprise data is still leaking. File sharing technologies are easier and more user friendly than ever. Faster broadband connections coupled with faster PCs and bigger hard drives make downloading files a snap. Insurance companies, doctor’s offices and hospitals all have computers, and those computers are operated by people who like things that are free. Any bored employee who wants to listen to that song he heard on the way to work can simply download Limewire, eDonkey, BearShare, or any other P2P client. Within minutes, that song is playing on the employee’s iPod, and his employer’s clients’ data is being shared with the world. This type of breach resulted in blueprints for President Obama’s private helicopter being leaked online.</p>
<p>The House Committee on Oversight and Government Reform has asked the Department of Justice and the FTC to help prevent illegal use of peer to peer networks, and in the same letter, asked what the government is doing to protect its citizens. But ultimately, it’s up to you to protect yourself.</p>
<p>Don’t install P2P software on your computer. If you aren’t sure whether a family member or employee may have installed P2P software, check for new, unfamiliar applications. A look at your “All Programs Menu” will show nearly every program on your computer. If you see one you don’t recognize, do an online search to see what it is you’ve found. You should also set administrative privileges to prevent the installation of new software without your knowledge.</p>
<p>If you must use P2P software, be sure that you don’t share your hard drive’s data. When you install and configure the software, don’t let the P2P program select data for you.</p>
<p>The Smartcard Alliance has released an in-depth report called “Medical Identity Theft in Healthcare.”</p>
<p><a href="http://advice.cio.com/robertsiciliano/10703/data_breaches_persist_in_health_care">Source</a>      </p>


<div class="shr-bookmarks shr-bookmarks-center">
<ul class="socials">
		<li class="shr-googlereader">
			<a href="http://www.google.com/reader/link?url=http://www.uncompiled.com/2010/06/data-breaches-persist-in-health-care/&amp;title=Data+Breaches+Persist+In+Health+Care&amp;srcUrl=http://www.uncompiled.com/2010/06/data-breaches-persist-in-health-care/&amp;srcTitle=Data+Breaches+Persist+In+Health+Care&amp;snippet=%20%20%20%20%20%20%20%20%20" rel="nofollow" class="external" title="Add this to Google Reader">Add this to Google Reader</a>
		</li>
		<li class="shr-linkedin">
			<a href="http://www.linkedin.com/shareArticle?mini=true&amp;url=http://www.uncompiled.com/2010/06/data-breaches-persist-in-health-care/&amp;title=Data+Breaches+Persist+In+Health+Care&amp;summary=%20%20%20%20%20%20%20%20%20&amp;source=uncompiled.com" rel="nofollow" class="external" title="Share this on LinkedIn">Share this on LinkedIn</a>
		</li>
		<li class="shr-mail">
			<a href="mailto:?subject=%22Data%20Breaches%20Persist%20In%20Health%20Care%22&amp;body=Link: http://www.uncompiled.com/2010/06/data-breaches-persist-in-health-care/ (sent via shareaholic)%0D%0A%0D%0A----%0D%0A %20%20%20%20%20%20%20%20%20" rel="nofollow" class="external" title="Email this to a friend?">Email this to a friend?</a>
		</li>
		<li class="shr-myspace">
			<a href="http://www.myspace.com/Modules/PostTo/Pages/?u=http://www.uncompiled.com/2010/06/data-breaches-persist-in-health-care/&amp;t=Data+Breaches+Persist+In+Health+Care" rel="nofollow" class="external" title="Post this to MySpace">Post this to MySpace</a>
		</li>
		<li class="shr-pingfm">
			<a href="http://ping.fm/ref/?link=http://www.uncompiled.com/2010/06/data-breaches-persist-in-health-care/&amp;title=Data+Breaches+Persist+In+Health+Care&amp;body=%20%20%20%20%20%20%20%20%20" rel="nofollow" class="external" title="Ping this on Ping.fm">Ping this on Ping.fm</a>
		</li>
		<li class="shr-reddit">
			<a href="http://reddit.com/submit?url=http://www.uncompiled.com/2010/06/data-breaches-persist-in-health-care/&amp;title=Data+Breaches+Persist+In+Health+Care" rel="nofollow" class="external" title="Share this on Reddit">Share this on Reddit</a>
		</li>
		<li class="shr-stumbleupon">
			<a href="http://www.stumbleupon.com/submit?url=http://www.uncompiled.com/2010/06/data-breaches-persist-in-health-care/&amp;title=Data+Breaches+Persist+In+Health+Care" rel="nofollow" class="external" title="Stumble upon something good? Share it on StumbleUpon">Stumble upon something good? Share it on StumbleUpon</a>
		</li>
		<li class="shr-technorati">
			<a href="http://technorati.com/faves?add=http://www.uncompiled.com/2010/06/data-breaches-persist-in-health-care/" rel="nofollow" class="external" title="Share this on Technorati">Share this on Technorati</a>
		</li>
		<li class="shr-twitter">
			<a href="http://twitter.com/home?status=Data+Breaches+Persist+In+Health+Care+-+http://b2l.me/4dr3w&amp;source=shareaholic" rel="nofollow" class="external" title="Tweet This!">Tweet This!</a>
		</li>
		<li class="shr-yahoobuzz">
			<a href="http://buzz.yahoo.com/submit/?submitUrl=http://www.uncompiled.com/2010/06/data-breaches-persist-in-health-care/&amp;submitHeadline=Data+Breaches+Persist+In+Health+Care&amp;submitSummary=%20%20%20%20%20%20%20%20%20&amp;submitCategory=science&amp;submitAssetType=text" rel="nofollow" class="external" title="Buzz up!">Buzz up!</a>
		</li>
		<li class="shr-yahoomail">
			<a href="http://compose.mail.yahoo.com/?Subject=Data+Breaches+Persist+In+Health+Care&amp;body=Link: http://www.uncompiled.com/2010/06/data-breaches-persist-in-health-care/ (sent via shareaholic)%0D%0A%0D%0A----%0D%0A %20%20%20%20%20%20%20%20%20" rel="nofollow" class="external" title="Email this via Yahoo! Mail">Email this via Yahoo! Mail</a>
		</li>
</ul>
<div style="clear:both;"></div>
</div>

]]></content:encoded>
			<wfw:commentRss>http://www.uncompiled.com/2010/06/data-breaches-persist-in-health-care/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DHS slams US gov network security</title>
		<link>http://www.uncompiled.com/2010/06/dhs-slams-us-gov-network-security/</link>
		<comments>http://www.uncompiled.com/2010/06/dhs-slams-us-gov-network-security/#comments</comments>
		<pubDate>Thu, 17 Jun 2010 13:21:53 +0000</pubDate>
		<dc:creator>mstanisl</dc:creator>
				<category><![CDATA[Government]]></category>
		<category><![CDATA[Research]]></category>

		<guid isPermaLink="false">http://www.uncompiled.com/?p=1319</guid>
		<description><![CDATA[         ]]></description>
			<content:encoded><![CDATA[<p>The US government is bad at protecting its networks and has neither the authority nor the manpower to respond to threats in real time.</p>
<p>The US Computer Emergency Readiness Team, which is responsible for securing the government&#8217;s systems, got a roasting yesterday in a report published by the Department of Homeland Security&#8217;s inspector general.</p>
<p>The detail will come as no surprise to outside security experts, who have long considered the US networks vulnerable to attack.</p>
<p>The report states that US-CERT must share information about threats and trends more quickly and in greater detail with other federal departments so they can better protect themselves.</p>
<p>But a big issue is that it can&#8217;t tell these federal agencies to pull their finger out and fix holes in their networks. It doesn&#8217;t have the enforcement authority. And because security data from intelligence agencies is classified at various levels, US-CERT has a problem in sharing it out.</p>
<p>There has been progress though. US-CERT, which is part of the Department of Homeland Security, has created a “program to assist federal agencies in protecting their information technology systems against cyber threats. Specifically, it has facilitated cybersecurity information sharing with the public and private sectors through various working groups, issuing notices, bulletins, and reports, and web postings.”</p>
<p>There&#8217;s also a unified operations centre, which includes US-CERT, to address threats and incidents. US-CERT has also developed a technical mentoring program to boost skills among its staff. But what staff? The report details that US-CERT suffers from staff shortages (according to some reports it is working at less than half strength, with just 45 of 98 positions filled) and that it can take up to a year to recruit anyone because of the security clearance process.</p>
<p><a href="http://www.theregister.co.uk/2010/06/17/dhs_government_security_report/">Source</a>      </p>



]]></content:encoded>
			<wfw:commentRss>http://www.uncompiled.com/2010/06/dhs-slams-us-gov-network-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cloud security: The basics</title>
		<link>http://www.uncompiled.com/2010/06/cloud-security-the-basics/</link>
		<comments>http://www.uncompiled.com/2010/06/cloud-security-the-basics/#comments</comments>
		<pubDate>Tue, 15 Jun 2010 13:46:59 +0000</pubDate>
		<dc:creator>mstanisl</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Fighting Back]]></category>
		<category><![CDATA[Research]]></category>

		<guid isPermaLink="false">http://www.uncompiled.com/?p=1310</guid>
		<description><![CDATA[         ]]></description>
			<content:encoded><![CDATA[<p>Cloud computing is one of the most-discussed topics among IT professionals today. And not too long into any conversation about the most highly touted cloud models—software as a service (SaaS), infrastructure as a service (IaaS) or platform as a service (PaaS)—the talk often turns to cloud security.</p>
<p>According to Milind Govekar, an analyst at Gartner, cloud has rocketed up the list from number 16 to number two in Gartner&#8217;s annual CIO survey of key technology investments. &#8220;Like with anything new, the primary concern is security,&#8221; he says. In fact, the vast majority of clients who inquire about cloud, he says, would rather create a virtualized data center on their own premises—what some call a private cloud—because they&#8217;re uncomfortable with the security issues raised by cloud computing and the industry&#8217;s ability to address them.</p>
<p>&#8220;We are in the early stages of a fascinating journey into a new computing model that, for all its purported advantages, from a security and risk point of view, is a difficult thing to deal with,&#8221; agrees Jay Heiser, an analyst at Gartner. &#8220;The things that make it easy and appealing—like the immediate plug-and-play productivity—also make it impossible to conclusively assess your relative risks.&#8221; Current certifications, such as SAS 70 and ISO 27001 and 27002, are not sufficient, he says, leading to frustration for both buyers and sellers.</p>
<p>For this reason, securing cloud computing environments will be a major focus of vendor efforts over the next year, says Jonathan Penn, an analyst at Forrester Research. In the short term, he sees users having to do a lot of the legwork, but over time, &#8220;cloud providers themselves will see the opportunity to differentiate themselves by integrating security,&#8221; he says. Security vendors accustomed to selling directly to the enterprise will find that they need these cloud providers as a way to reach the market, Penn says, and as the market matures, customers will want this stuff baked into the services they&#8217;re buying. &#8220;That will be quite a radical change and a disruption,&#8221; he adds.</p>
<p>In the meantime, organizations such as the Cloud Security Alliance (CSA) are working to put some shape around the security issues and the ways to address them. The CSA recently released a summary of the strategic and tactical security pain points within a cloud environment, along with recommendations on how to address them. The organization divided the domains into two broad areas: governance and operations.</p>
<p>Domains grouped under governance include:</p>
<ul>
<li>governance and enterprise risk management (ERM)</li>
<li>legal and electronic discovery</li>
<li>compliance and audit</li>
<li>information lifecycle management</li>
<li>portability and interoperability</li>
</ul>
<p>Domains grouped under operations include:</p>
<ul>
<li>traditional security, business continuity and disaster recovery</li>
<li>data center operations</li>
<li>incident response, notification and remediation</li>
<li>application security</li>
<li>encryption and key management</li>
<li>identity and access management</li>
<li>virtualization</li>
</ul>
<p>The CSA also summarized the top threats of cloud computing, along with the cloud models each threat most pertains to and guidance for remediation.</p>
<p>The categories of tools that can help address these threats include XML, SOA and application security; encryption tools for data in transit and at rest; smart key management; log management; identity and access management; virtual firewalls and other virtualization-management tools; data-loss prevention; and more. &#8220;You&#8217;re translating the existing security architecture into the cloud, so there are a lot of different tools you&#8217;ll need, some of which already exist and other cases where you need new technology,&#8221; Heiser says.</p>
<p>For instance, malware scanning tools will need to look specifically for emerging malware that targets virtual platforms; identity management systems will need to authenticate not just users but also devices and applications; and security information management (SIM) systems will need to log billions of events and run analytics across them.</p>
<p>Forrester also released a list of questions that enterprises should ask to secure their cloud implementation, covering the areas of security and privacy, compliance, and other legal and contractual issues.</p>
<p>Cloud layers</p>
<p>Experts also emphasize that the level of exposure and risk for the three cloud models are very different, and the way of addressing security also differs, depending on which layer you&#8217;re engaging with. &#8220;The security requirements are really the same, but as you go from SaaS to PaaS and IaaS, the level of control you have over security changes,&#8221; says Mike Kavis, founder of Kavis Technology Consulting and CTO at a startup company. &#8220;From a logical view, nothing has really changed, but how you physically do it changes dramatically.&#8221;</p>
<p>SaaS.</p>
<p>As the CSA explains, with SaaS, the provider&#8217;s applications run on a cloud infrastructure and are accessible through a Web browser. The consumer does not manage or control the network, servers, operating systems, storage or even individual application capabilities.<br />
For this reason, the SaaS model integrates the most functionality directly into the offering, with the least consumer extensibility, and &#8220;security responsibilities are almost entirely up to the vendor,&#8221; Heiser says. &#8220;If the vendor doesn&#8217;t encrypt data, it&#8217;s not encrypted. If there isn&#8217;t activity monitoring, you won&#8217;t get any.&#8221;</p>
<p>PaaS.</p>
<p>With PaaS, consumers create applications using programming languages and tools supported by the vendor and then deploy these onto the cloud infrastructure, the CSA explains. As with SaaS, the consumer does not manage or control the infrastructure—the network, servers, operating systems or storage—but does have control over the deployed applications and possibly the application-hosting environment configurations.<br />
There are fewer customer-ready or built-in security features with PaaS than with SaaS, the CSA says, and those that do exist are less complete, but there is more flexibility to layer on additional security. This means users need to pay attention to application security, as well as security issues surrounding the management APIs, such as authentication, authorization and auditing.</p>
<p>IaaS.</p>
<p>Here, consumers can provision processing, storage, networks and other fundamental computing resources, as well as deploy and run operating systems and applications, according to the CSA. While they don&#8217;t manage or control the underlying cloud infrastructure, they do have control over operating systems, storage and deployed applications, and possibly limited control of select networking components, such as host firewalls, the CSA says.<br />
With IaaS, there are few integrated security capabilities beyond protecting the infrastructure itself, but there&#8217;s enormous extensibility, according to the CSA. This means users need to manage and secure operating systems, applications and content, typically through an API.</p>
<p>&#8220;A lot of the perimeter security is handled by the vendor, but they&#8217;re giving you access to virtual machines, so you still have to build the application and provide the infrastructure control,&#8221; Kavis says.</p>
<p>With IaaS, virtualization management is a big concern, says Heiser, particularly when it comes to intrusion detection and the integrity of partitioning virtual machines. &#8220;You need to mediate separation and make sure they don&#8217;t interact with each other,&#8221; he says.</p>
<p>Chris Barber, CIO at Wescorp, says he is concerned about multitenancy and hypervisor vulnerabilities. &#8220;Since you have multiple users on a single physical box, there may be a security vulnerability that one user could somehow access another user&#8217;s virtual machine,&#8221; he says.</p>
<p><a href="http://www.csoonline.com/article/596819/cloud-security-the-basics">Source</a>      </p>



]]></content:encoded>
			<wfw:commentRss>http://www.uncompiled.com/2010/06/cloud-security-the-basics/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Can using sudo provide Defense in Depth benefits?</title>
		<link>http://www.uncompiled.com/2010/06/can-using-sudo-provide-defense-in-depth-benefits/</link>
		<comments>http://www.uncompiled.com/2010/06/can-using-sudo-provide-defense-in-depth-benefits/#comments</comments>
		<pubDate>Mon, 14 Jun 2010 13:54:28 +0000</pubDate>
		<dc:creator>mstanisl</dc:creator>
				<category><![CDATA[Linux]]></category>
		<category><![CDATA[Open-Source]]></category>
		<category><![CDATA[Research]]></category>
		<category><![CDATA[Tools]]></category>

		<guid isPermaLink="false">http://www.uncompiled.com/?p=1299</guid>
		<description><![CDATA[         ]]></description>
			<content:encoded><![CDATA[<p>With a typical configuration the use of sudo provides no real protection: the user either enters their own password or the root password to gain full root access, and in either case the attacker can exploit their session and get the password. A session exploit can be easily arranged by creating a shell function or alias that makes sudo run something else (such as using netcat to send the password out over the network).</p>
<p>One way of making this sort of attack more difficult is to make root own the user home directory, files such as ~/.login that are used by the user shell, the ~/.ssh directory and the ~/.ssh/authorized_keys file. This way a hostile party can’t change the configuration, so a successful attack has to involve a long running process that uses ptrace to intercept the shell and divert an attempt to run sudo.</p>
<p>If the non-root user is prevented from using ptrace then things start to become a little more difficult for the attacker. In some quick tests I was able to capture about half the data through messing with /proc/X/fd/0 and /proc/X/fd/1 for a target process, but it seems that it would be difficult to get an entire password that way. To disable ptrace you could compile a kernel without ptrace support, use an SE Linux policy that prevents ptrace access for the sessions in question, or make the user’s shell SETGID.</p>
<p>If the root account and the account used for su or sudo use different authentication methods, where the options include ssh authorized keys, password, and security token (maybe both password and token for the root account) then it does seem that it would provide some Defense in Depth benefits.</p>
<p>sudo can be used to permit executing only certain commands. While this is a real security benefit it doesn’t allow full sysadmin work, merely delegating some portions of operations to people who don’t have full sysadmin rights. As someone needs to have full access to fix any problem that might occur on the machine, someone needs to have access to run any command as root. So while sudo is great for providing limited administrative access to certain junior people, it’s not going to stop an attack on a member of the sysadmin team.</p>
<p><a href="http://etbe.coker.com.au/2010/06/13/defense-in-depth-and-sudo/">Source</a>      </p>
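<p>The checks below are an added example and are not from the post or its author. They turn the post’s points into something an administrator can run: whether sudo in the current session is the real binary or a planted function, which login-time files a given user can still modify (the post’s root-owned dotfiles mitigation), and a sudoers fragment that delegates two commands and nothing else. It assumes a POSIX shell; the group name ops and the nginx commands in the fragment are hypothetical.</p>

```shell
#!/bin/sh
# Added example, not part of the original post: checks a sysadmin can run
# against an account before trusting "sudo" typed in its sessions.
#   1. Does "sudo" resolve to the real binary, or has a function or alias
#      been planted in the session (the hijack the post describes)?
#   2. Which login-time files can the user modify? If the answer is "none"
#      the post's "root owns the dotfiles" mitigation is in place.
#   3. A sudoers fragment that delegates two commands and nothing else.
# Assumptions: POSIX sh; the group (ops) and commands (nginx) in the
# sudoers fragment are hypothetical.

# Return 0 if NAME resolves to an executable on PATH, 1 if a function,
# alias or builtin shadows it. POSIX "command -v" prints an absolute path
# only for executables.
is_real_command() {
    case $(command -v "$1" 2>/dev/null) in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# The attack from the post, made harmless: a planted sudo() function that
# only announces itself instead of capturing the password. Runs in a
# subshell so it cannot leak into the caller's session.
shadow_demo() {
    (
        sudo() { printf 'intercepted: sudo %s\n' "$*"; }
        if is_real_command sudo; then
            echo "sudo resolves to the binary"
        else
            echo "sudo is shadowed"
        fi
    )
}

# Print each login-time file under HOME_DIR that USER can change: owned by
# USER, or world-writable. These are the files an attacker with a foothold
# edits to plant the function above. find(1) -user and -perm are POSIX;
# -prune keeps find from descending into directories such as ~/.ssh.
user_modifiable_dotfiles() {
    home=$1; user=$2
    for f in "$home" "$home/.profile" "$home/.login" "$home/.bash_profile" \
             "$home/.bashrc" "$home/.zshrc" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$f" ] || continue
        if [ -n "$(find "$f" -prune \( -user "$user" -o -perm -002 \) -print 2>/dev/null)" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Emit a sudoers fragment delegating two specific commands to the ops group.
# No wildcards in the command list: a "*" argument would let sudo run
# whatever the glob admits.
sudoers_fragment() {
    cat <<'EOF'
Cmnd_Alias WEB_OPS = /bin/systemctl restart nginx, /bin/systemctl status nginx
%ops ALL=(root) WEB_OPS
EOF
}

# Validate the fragment with "visudo -cf" when visudo is installed.
check_sudoers_fragment() {
    tmp=$(mktemp)
    sudoers_fragment > "$tmp"
    chmod 0440 "$tmp"
    if ! command -v visudo >/dev/null 2>&1; then
        echo "visudo not installed; fragment written to $tmp"
    elif visudo -cf "$tmp"; then
        echo "fragment parsed OK"
    else
        echo "fragment rejected by visudo"
    fi
    rm -f "$tmp"
}

# Stand-alone run: inspect this account.
shadow_demo
echo "--- files $(id -un) can modify under $HOME:"
user_modifiable_dotfiles "$HOME" "$(id -un)"
check_sudoers_fragment
```

<p>On a stock account the second check lists the home directory and every dotfile present, which is the post’s point: until those are root-owned, any code running in the session can redefine sudo and the password typed into it is gone. The fragment shows the delegation case the post describes as the real benefit of sudo; anyone who needs unrestricted root remains exposed to the first check.</p>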


<div class="shr-bookmarks shr-bookmarks-center">
<ul class="socials">
		<li class="shr-mail">
			<a href="mailto:?subject=%22Can%20using%20sudo%20provide%20Defense%20in%20Depth%20benefits%3F%22&amp;body=Link: http://www.uncompiled.com/2010/06/can-using-sudo-provide-defense-in-depth-benefits/ (sent via shareaholic)%0D%0A%0D%0A----%0D%0A %20%20%20%20%20%20%20%20%20" rel="nofollow" class="external" title="Email this to a friend?">Email this to a friend?</a>
		</li>
		<li class="shr-myspace">
			<a href="http://www.myspace.com/Modules/PostTo/Pages/?u=http://www.uncompiled.com/2010/06/can-using-sudo-provide-defense-in-depth-benefits/&amp;t=Can+using+sudo+provide+Defense+in+Depth+benefits%3F" rel="nofollow" class="external" title="Post this to MySpace">Post this to MySpace</a>
		</li>
		<li class="shr-pingfm">
			<a href="http://ping.fm/ref/?link=http://www.uncompiled.com/2010/06/can-using-sudo-provide-defense-in-depth-benefits/&amp;title=Can+using+sudo+provide+Defense+in+Depth+benefits%3F&amp;body=%20%20%20%20%20%20%20%20%20" rel="nofollow" class="external" title="Ping this on Ping.fm">Ping this on Ping.fm</a>
		</li>
		<li class="shr-reddit">
			<a href="http://reddit.com/submit?url=http://www.uncompiled.com/2010/06/can-using-sudo-provide-defense-in-depth-benefits/&amp;title=Can+using+sudo+provide+Defense+in+Depth+benefits%3F" rel="nofollow" class="external" title="Share this on Reddit">Share this on Reddit</a>
		</li>
		<li class="shr-stumbleupon">
			<a href="http://www.stumbleupon.com/submit?url=http://www.uncompiled.com/2010/06/can-using-sudo-provide-defense-in-depth-benefits/&amp;title=Can+using+sudo+provide+Defense+in+Depth+benefits%3F" rel="nofollow" class="external" title="Stumble upon something good? Share it on StumbleUpon">Stumble upon something good? Share it on StumbleUpon</a>
		</li>
		<li class="shr-technorati">
			<a href="http://technorati.com/faves?add=http://www.uncompiled.com/2010/06/can-using-sudo-provide-defense-in-depth-benefits/" rel="nofollow" class="external" title="Share this on Technorati">Share this on Technorati</a>
		</li>
		<li class="shr-twitter">
			<a href="http://twitter.com/home?status=Can+using+sudo+provide+Defense+in+Depth+benefits%3F+-+http://b2l.me/3pnng&amp;source=shareaholic" rel="nofollow" class="external" title="Tweet This!">Tweet This!</a>
		</li>
		<li class="shr-yahoobuzz">
			<a href="http://buzz.yahoo.com/submit/?submitUrl=http://www.uncompiled.com/2010/06/can-using-sudo-provide-defense-in-depth-benefits/&amp;submitHeadline=Can+using+sudo+provide+Defense+in+Depth+benefits%3F&amp;submitSummary=%20%20%20%20%20%20%20%20%20&amp;submitCategory=science&amp;submitAssetType=text" rel="nofollow" class="external" title="Buzz up!">Buzz up!</a>
		</li>
		<li class="shr-yahoomail">
			<a href="http://compose.mail.yahoo.com/?Subject=Can+using+sudo+provide+Defense+in+Depth+benefits%3F&amp;body=Link: http://www.uncompiled.com/2010/06/can-using-sudo-provide-defense-in-depth-benefits/ (sent via shareaholic)%0D%0A%0D%0A----%0D%0A %20%20%20%20%20%20%20%20%20" rel="nofollow" class="external" title="Email this via Yahoo! Mail">Email this via Yahoo! Mail</a>
		</li>
</ul>
<div style="clear:both;"></div>
</div>

]]></content:encoded>
			<wfw:commentRss>http://www.uncompiled.com/2010/06/can-using-sudo-provide-defense-in-depth-benefits/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Gliffy, the popular online Visio replacement makes you pay for an SSL login</title>
		<link>http://www.uncompiled.com/2010/06/gliffy-the-popular-online-visio-replacement-makes-you-pay-for-an-ssl-login/</link>
		<comments>http://www.uncompiled.com/2010/06/gliffy-the-popular-online-visio-replacement-makes-you-pay-for-an-ssl-login/#comments</comments>
		<pubDate>Wed, 02 Jun 2010 18:01:41 +0000</pubDate>
		<dc:creator>mstanisl</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Research]]></category>
		<category><![CDATA[Reviews]]></category>
		<category><![CDATA[SSL]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.uncompiled.com/?p=1236</guid>
		<description><![CDATA[         ]]></description>
<content:encoded><![CDATA[<p><strong>Update:</strong> So as you can see from the comment section, Chris Kohlhardt, the CEO of Gliffy, took the time to reply and set the record straight from their end. Their login process is SSL-enabled for all; their statement of &#8220;Secure SSL login&#8221; only for Premium accounts is apparently an error in&#8230; semantics? It&#8217;s not really up to me to figure out whether the person who wrote that site copy is unaware of the difference between a &#8216;secure SSL login&#8217; and &#8216;secure browsing&#8217;, but I&#8217;d at least say to get that changed and not expect consumers to view the HTML source to find out the truth.</p>
<p>As I was logging into <a href="http://www.gliffy.com/">Gliffy</a> today for the first time in a few years, I noticed that there were two buttons to submit the login form with: one for a &#8216;basic&#8217; login and one for a &#8216;secure&#8217; login. To me, a secure login in 2010 <strong>is</strong> a basic login. The people behind Gliffy however believe that protecting your login credentials is worth at least $5/mo to you.<br />
<img src="http://www.uncompiled.com/wp-content/uploads/2010/06/Screen-shot-2010-06-02-at-1.56.28-PM.png" alt="" title="Gliffy Packages" width="500" height="310" class="alignright size-full wp-image-1262" /><br />
In a business model that offers both free and paid accounts, I feel that a company should make you pay for added features, storage, or accessibility to the data you are using their site for. I, like most people, realize that ad-based sites aren&#8217;t the preferred option. A site like Gliffy allows for many areas to make users pay for &#8216;more&#8217;: the number of documents you are able to store, file upload size limits, the number of users allowed to access your files. With all of these major reasons to upgrade, why nickel-and-dime our security?</p>
<p>It&#8217;s appreciated whenever a company offers free service, of any magnitude. What&#8217;s not appreciated, however, is when a company feels that they should charge you to securely give your username and password to a form. The sharing of data networks is only continuing to grow and, as such, a vast majority of web sites (reputable ones, at least) at the very least encrypt your login credentials. Whether they encrypt all data during your session is a whole different matter, but most can agree that protecting credentials is a general necessity.</p>
<p>This isn&#8217;t meant to be a launch point for &#8216;well SSL is useless anyways&#8217;. SSL for credential logins is useful in the vast majority of situations people actually deal with every day. At this point in the Internet and networking, not allowing someone to choose to login securely with personal credentials for a reputable and fairly well-known (for the context) company, is ridiculous. </p>
<p>Lastly, I am not complaining that the Gliffy site doesn&#8217;t run in SSL for all content, merely that an SSL login should be provided, free of charge, to anyone using their service. This is a standard practice for most web sites and Gliffy should step up and do the right thing for everyone&#8217;s privacy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.uncompiled.com/2010/06/gliffy-the-popular-online-visio-replacement-makes-you-pay-for-an-ssl-login/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
