• 30Apr
    Author: trent Categories: Security Comments: 0

    I was speaking with a respected colleague today about the security of Blackberries vs. other mobile devices.  The conventional wisdom of the business community, apparently, is that the Blackberry is some form of superhero-grade magical device, impervious to all forms of cybersecurity attack, and hence suitable for handling all levels of sensitive communication (and soon suitable for President Obama).

It’s true that RIM (Research in Motion), Blackberry’s maker, has an excellent marketing department (and, as excellent marketing departments are hard to come by, I at least give them kudos for that). They have spun a fantastic tale about how, by simply installing their superduper-secure Blackberry Enterprise Server (BES) product, you have created a secure channel between the enterprise network and a user’s eyes/ears. As far as wireless communications channels go, they have an “ok” solution for securing transport to the Blackberry device itself. The highest security risk of using a Blackberry is NOT that your data is compromised while being transmitted wirelessly. Instead, there really are two high-risk scenarios when using a Blackberry in an enterprise:

    Read more »

  • 30Apr
    Author: randy Categories: Security Comments: 3

As Apple laptops and desktops gain market share, new users are being introduced to OS X. One of the questions that often comes up is, “Do I need anti-virus software for my Mac?” There has been a lot of debate back and forth as to whether AV software is useful. Apple had a Knowledge Base article recommending the use of multiple anti-virus packages for maximum protection. On December 2, 2008, that article (formerly at http://support.apple.com/kb/HT2550) was removed from their site. Shortly after the page was removed, Apple released a statement telling users that no system is 100% secure and that AV software may be helpful.

    So what does all this mean for Mac OS X users?
    Read more »

  • 21Apr
    Author: ned Categories: Infrastructure, Security Comments: 2

The smart folks over at Amazon Web Services just published a new white paper titled Creating HIPAA-Compliant Medical Data Applications. I’m a strong believer that it is possible to deploy Internet applications as securely “in the cloud” as in a private data center somewhere, and vendor documentation like this goes a long way toward helping others grasp this reality.

One weakness is that the white paper barely mentions encrypting data at rest. Here’s their accurate but incredibly concise statement:

HIPAA’s Privacy Rule regulations include standards regarding the encryption of all PHI in transmission (“in-flight”) and in storage (“at-rest”). The same data encryption mechanisms used in a traditional computing environment, such as a local server or a managed hosting server, can also be used in a virtual computing environment, such as Amazon EC2 and Amazon S3.

Their blog post mentions some software libraries and commercial tools for achieving encryption at rest, but generally leaves any implementation for you to figure out. There are encryption recommendations for software developers and end users, but not for system administrators (aren’t we their key demographic?). Never fear – encrypting your data at rest is easy with Linux! There are many ways to achieve encryption of data when it is stored on disk, but whole-volume encryption is often appealing because it can be implemented completely transparently to the application.

One of the best tools for securing your data “at-rest” while it is stored on Amazon’s Elastic Block Store (EBS) is dm-crypt. It’s already built into most modern Linux kernels, and gives you extra confidence that no one else could read your EBS volumes. Anyone who’s thinking of deploying any app that stores sensitive information (in “the cloud” or in your data center) should consider implementing dm-crypt on their Linux servers. Below are instructions for creating and using an EBS volume which is protected by dm-crypt encryption…

    Read more »

  • 21Apr
    Author: admin Categories: Security Comments: 0

Just a quick update… if you’re interested in biometrics (see our home-made keystroke dynamics demo), I read an interesting article published by newscientist.com that claims one day our ears may be used to uniquely identify us:

YOU are the victim of identity theft and the fraudster calls your bank to transfer money into their own account. But instead of asking them for your personal details, the bank assistant simply presses a button that causes the phone to produce a brief series of clicks in the fraudster’s ear. A message immediately alerts the bank that the person is not who they are claiming to be, and the call is ended.

Sounds pretty cool to me. Read the rest here:

    http://www.newscientist.com/article/mg20227035.200-our-ears-may-have-builtin-passwords.html

    Guess it’s time to clean out that ear wax.

  • 16Apr
    Author: admin Categories: Infrastructure Comments: 0

Recently I needed to set up MS SQL mirroring. As usual there are plenty of guides attempting to describe the process, but inevitably none of them really cut it when you actually start implementing. I’ll try to clear up the process and hopefully provide some help to anyone out there wanting to implement MS SQL mirroring.

    Why?

    Do you have a database or databases? What do you do if they go down? Probably restore from your latest backup (which may or may not be very recent and may take hours to restore). Let’s say you have a scheduled backup that runs every night at 11pm; what if your database/server fails at 10:59pm? What now? SQL mirroring will keep an updated copy of your databases on another server that can easily be “turned on” in case your primary server/databases fail.

    How?

The primary server is called the “principal” and the secondary server is called the “mirror.” The principal is your live database, and the mirror is your standby copy of the database. In addition to the principal and the mirror, you can introduce another optional server called the “witness.” The witness is a third instance of SQL Server that determines when to fail over. This option is only used when you want to do an automatic failover. We chose to implement manual failover to avoid an unwanted failover.

    Read more »

  • 12Apr
    Author: ben Categories: Infrastructure Comments: 4

    At Applied Trust we run Nagios, the excellent open source monitoring system, to ensure the availability of our internal system infrastructure and that of our clients. The system monitors roughly 2,740 services on 468 hosts. It has performed flawlessly for the past six or seven years, but over the last few months we began experiencing performance problems (see the 12 month CPU usage graph below). In particular, we were being alerted regularly about excessive load on the monitoring system and, as a consequence of high load, false positive timeouts when connecting to services.

[Figure: 12 month CPU usage graph]

    Read more »

  • 02Apr
    Author: admin Categories: Infrastructure, Security Comments: 0

This is probably one of the most frightening security quotes I’ve heard in a long time (in regard to the latest variant of the Conficker worm):

Those responsible for this outbreak have demonstrated Internet-wide programming skills, advanced cryptographic skills, custom dual-layer code packing and code obfuscation skills, and in-depth knowledge of Windows internals and security products. They are among the first to introduce the Internet rendezvous point scheme, and have now integrated a sophisticated P2P protocol that does not require an embedded peer list. They have continually seeded the Internet with new MD5 variants, and have adapted their code base to address the latest attempts to thwart Conficker. They have infiltrated government sites, military networks, home PCs, critical infrastructure, small networks, and universities, around the world. Perhaps an even greater threat than what they have done so far, is what they have learned and what they will build next.

    -SRI (http://mtc.sri.com/Conficker/addendumC)

The author(s) of the Conficker worm are literally outsmarting the combined collaboration of INDUSTRY LEADERS in security (Microsoft, ICANN, Symantec, F-Secure, ISC, etc.). I cannot stress enough the importance of patching your company’s systems for the MS08-067 vulnerability (the main propagation method Conficker uses).

Nmap and Nessus have both recently released plugins that allow you to remotely scan for hosts infected by Conficker (A, B, C, and D variants at the time of this writing). I recommend everyone scan their internal networks for Conficker-infected hosts — and then run Microsoft’s Malicious Software Removal Tool on systems reported as possibly being compromised. The scariest part of Conficker is that the payload can change at any time — millions of computers are helpless and at the will of the author… and we may not realize the intended purpose of Conficker or why it was created until it’s too late.
