0

How to boot an encrypted system safely

These are my notes on how to set up a system securely, in a way that would prevent attackers from being capable of performing an “evil maid attack”.

The threat model

You have a Linux server that you want to protect against data theft and other backdoors. The attacker can get physical access to your hardware, for example by having access to the server room that houses your rack.

Your attacker is funded, but not super well funded. This will not protect you against intelligence agencies.

The attacker can buy a new server that looks just like the one you have. You will not be able to tell the difference from physical inspection.

You want to know that it’s safe to log in to your server after a suspicious power outage or reboot.

This solution assumes that once the system is booted and you log in, you have access to the secret data. In other words, this is not a protection for gaming consoles or kiosks.

Overview of the solution

First of all, full disk encryption using dm-crypt. Obviously. (other FDE also acceptable, of course)

Walking up to the server and typing the passphrase every reboot is not only tedious Continue reading

0

How to boot an encrypted system safely

These are my notes on how to set up a system securely, in a way that would prevent attackers from being capable of performing an “evil maid attack”.

The threat model

You have a Linux server that you want to protect against data theft and other backdoors. The attacker can get physical access to your hardware, for example by having access to the server room that houses your rack.

Your attacker is funded, but not super well funded. This will not protect you against intelligence agencies.

The attacker can buy a new server that looks just like the one you have. You will not be able to tell the difference from physical inspection.

You want to know that it’s safe to log in to your server after a suspicious power outage or reboot.

This solution assumes that once the system is booted and you log in, you have access to the secret data. In other words, this is not a protection for gaming consoles or kiosks.

Overview of the solution

First of all, full disk encryption using dm-crypt. Obviously. (other FDE also acceptable, of course)

Walking up to the server and typing the passphrase every reboot is not only tedious Continue reading

0

BGP Optimizer Causes Thousands Of Fake Routes

Earlier today many BGPmon users received one or more alerts informing them that their autonomous system (AS) started to announce a more-specific prefix. BGPmon classified many of these alerts as possible BGP man-in-the-middle (MITM) attacks. Here is an example alert:


====================================================================
Possible BGP MITM attack (Code: 21)
====================================================================
Your prefix: 23.20.0.0/15:
Prefix Description: acxiom-online.com --- Amazon EC2 IAD prefix
Update time: 2015-03-26 11:27 (UTC)
Detected by #peers: 24
Detected prefix: 23.21.112.0/20
Announced by: AS14618 (AMAZON-AES - Amazon.com, Inc.,US)
Upstream AS: AS3257 (TINET-BACKBONE Tinet SpA,DE)
ASpath: 4608 24130 7545 6939 40633 18978 3257 14618


The alert shows the user was monitoring 23.20.0.0/15, normally announced by Amazon, Inc. (AS14618). In this case however, the detected prefix was the more specific 23.21.112.0/20. The netblock owners would have verified their BGP announcements and quickly recognized they did not originate this more-specific prefix. Further analysis pointed to the suspicion that a bad actor was impersonating Amazon. BGPmon algorithms alerted to this as well, and–within moments of the initial change–marked these events as a possible BGP MITM attack.

One reason for this classification is the way BGPmon understands and interprets AS Continue reading

0

Message to Errata employees

Dear employees,

Starting next week, Errata Security will be following RSA Conference's lead and institute a "Morality Dress Code" in order to deal with the problem of loose women on the premises.

Attire of an overly revealing or suggestive nature is not permitted. Examples of such attire may include but are not restricted to:

• Tops displaying excessive cleavage;
• Tank tops, halter tops, camisole tops or tube tops;
• Miniskirts or minidresses;
• Shorts;
• Lycra (or other Second-Skin) bodysuits;
• Objectionable or offensive costumes.

"Shalim" by Zivya - Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:Shalim.JPG#/media/File:Shalim.JPG

0

Court throws out lawsuit over storage on iPhones, iPads

A federal court has dismissed a lawsuit against Apple over the amount of storage available in mobile devices that come with iOS 8.The district court in San Jose, California, threw out the proposed class-action suit on Wednesday after Apple filed a motion saying the plaintiffs failed to back up their arguments. The case was dismissed with prejudice, meaning the plaintiffs can’t sue Apple again for the same thing.In the suit, filed last December, Paul Orshan and Christopher Endara charged that Apple misled consumers about how much of the storage on iPhones and iPads was taken up by the OS. For example, they said a 16GB iPhone 6 really had just 13GB of capacity available.To read this article in full or to leave a comment, please click here

0

Court throws out lawsuit over storage on iPhones, iPads

A federal court has dismissed a lawsuit against Apple over the amount of storage available in mobile devices that come with iOS 8.The district court in San Jose, California, threw out the proposed class-action suit on Wednesday after Apple filed a motion saying the plaintiffs failed to back up their arguments. The case was dismissed with prejudice, meaning the plaintiffs can’t sue Apple again for the same thing.In the suit, filed last December, Paul Orshan and Christopher Endara charged that Apple misled consumers about how much of the storage on iPhones and iPads was taken up by the OS. For example, they said a 16GB iPhone 6 really had just 13GB of capacity available.To read this article in full or to leave a comment, please click here

0

Apple asks court to throw out lawsuit over storage on iPhones, iPads

Apple has asked a federal court to dismiss a lawsuit accusing it of misleading  customers about the amount of storage available in mobile devices that come  with iOS 8.Apple filed a motion for dismissal Wednesday at the district court in San Jose,  California, saying the plaintiffs failed to back up their arguments. It wants  the case dismissed with prejudice, which would prevent the plaintiffs from  suing Apple again for the same thing. Judge Edward Davila will now have to rule  on the motion.In the suit, filed last December, Paul Orshan and Christopher Endara charged that Apple misled consumers about how much of the storage on iPhones and iPads was taken up by the OS. For example, they said a 16GB iPhone 6 really had just 13GB of capacity available.To read this article in full or to leave a comment, please click here

0

Apple asks court to throw out lawsuit over storage on iPhones, iPads

Apple has asked a federal court to dismiss a lawsuit accusing it of misleading  customers about the amount of storage available in mobile devices that come  with iOS 8.Apple filed a motion for dismissal Wednesday at the district court in San Jose,  California, saying the plaintiffs failed to back up their arguments. It wants  the case dismissed with prejudice, which would prevent the plaintiffs from  suing Apple again for the same thing. Judge Edward Davila will now have to rule  on the motion.In the suit, filed last December, Paul Orshan and Christopher Endara charged that Apple misled consumers about how much of the storage on iPhones and iPads was taken up by the OS. For example, they said a 16GB iPhone 6 really had just 13GB of capacity available.To read this article in full or to leave a comment, please click here

0

Quick script: backup multiple Alcatel Omniswitch configuration files

A quick batch script I did to backup configuration files of multiple Alcatel Omniswitch via FTP. All files are named boot.cfg so the script renames each file appending the IP address. Create a file with all the IP of switches…

0

Salt – The basics

In my last post, I showed you how I automated my Kubernetes lab build out by using Salt.  This took the build time and cut it by more than 70% (Im guessing here but you get the point).  In addition, I’ve been making all of my changes for the cluster in Salt rather than applying them directly to the host.  Not only does this give me better documentation, it allows me to apply changes across multiple nodes very quickly.  You might be wondering why I chose Salt since I’ve blogged about Chef in the past.  The answer isn’t cut and dry, but Salt just made sense to me.  On top of that, there is VERY good documentation out there about all of the state and state functions so it’s pretty easily consumable.    As I walk through the process I used to create the lab build scripts, I hope you’ll start to catch onto some of the reasons that made me decide to learn Salt.

Let’s start by taking a look at me GitHub repo…

While there’s a lot here, the pieces we really want to talk about are the files that end Continue reading

0

Flaw in common hotel router threatens guests’ devices

Corporate travelers should be warned that a Wi-Fi router commonly used in hotels is easily compromised, putting guests passwords at risk and opening up their computers to malware infections and direct attacks.The good news is that there is a patch for the flaw, but there is no guarantee affected hotels will install it right away.+ More on Network World: 10 young security companies to watch in 2015 +Cylance, a security vendor whose research team found the problem, says 277 InnGate routers in 29 countries are affected. The routers are made by ANTLabs.To read this article in full or to leave a comment, please click here

0

Flaw in common hotel router threatens guests’ devices

Corporate travelers should be warned that a Wi-Fi router commonly used in hotels is easily compromised, putting guests passwords at risk and opening up their computers to malware infections and direct attacks.The good news is that there is a patch for the flaw, but there is no guarantee affected hotels will install it right away.+ More on Network World: 10 young security companies to watch in 2015 +Cylance, a security vendor whose research team found the problem, says 277 InnGate routers in 29 countries are affected. The routers are made by ANTLabs.To read this article in full or to leave a comment, please click here

0

Work Smarter, Not Harder with Security Baseline Configuration Automation

Many security baseline processes are rife with challenges. Whether organizations use scripts to manually brute-force their system-level compliance baseline, or perhaps leverage the all-too-common “Gold Disk” approach, routine security baseline compliance remediation remains largely an unsolved and constant challenge even for the most mature of IT organizations.

Even for organizations that are using an existing management tool to help with their security baselining, issues frequently arise around how to identify systems that require baselining as they come online, and then immediately recognize what needs to be done on those systems in order to verify their compliance.

To add to the challenge, applying a baseline to a newly deployed server or application is one thing, but validating compliance throughout the server and application lifecycle typically requires a separate set of tools or processes, or at very least scripts that are smart enough to smartly change the existing state of a server or application without impacting its availability.

MindPoint Group knew there was a better way. The security folks at MindPoint group are leveraging the power and simplicity of Ansible to bring automation to the problem of security baselines. And thanks to Ansible’s design, the work that MindPoint group has done is Continue reading

0

Cheap mobile subscriptions the bait as Euro operators become more aggressive

Consumers seem to be coming out on top as a growing number of European telecom and cable operators offer discounted mobile subscriptions as a bonus for choosing other services.Bundles with broadband, telephony and TV across fixed and mobile networks are becoming increasingly important for operators across the continent. The latest example is British operator BT, which on Wednesday announced its return to the consumer mobile market.The expressed goal is to offer the best-value, 4G SIM-only mobile deals as a reward for its broadband customers. The cheapest plan costs £5 (US$7.40) per month and includes 500MB of data, unlimited texts and 200 voice minutes. BT’s broadband subscribers can also choose a plan with 2GB of data, unlimited texts and 500 voice minutes for £12 per month, the operator said.To read this article in full or to leave a comment, please click here

0

Cheap mobile subscriptions the bait as Euro operators become more aggressive

Consumers seem to be coming out on top as a growing number of European telecom and cable operators offer discounted mobile subscriptions as a bonus for choosing other services.Bundles with broadband, telephony and TV across fixed and mobile networks are becoming increasingly important for operators across the continent. The latest example is British operator BT, which on Wednesday announced its return to the consumer mobile market.The expressed goal is to offer the best-value, 4G SIM-only mobile deals as a reward for its broadband customers. The cheapest plan costs £5 (US$7.40) per month and includes 500MB of data, unlimited texts and 200 voice minutes. BT’s broadband subscribers can also choose a plan with 2GB of data, unlimited texts and 500 voice minutes for £12 per month, the operator said.To read this article in full or to leave a comment, please click here

0

Nigeria joins list of African countries threatening prison sentences for mobile operators

Nigeria, Africa’s largest telecom market, has joined the list of countries on the continent that will impose prison sentences on officials at mobile operators that continually fail to deliver quality services to customers.Tanzania and Zambia are among African countries imposing prison sentences on mobile operators who do not provide quality telecom services.The Nigeria Consumer Protection Council (CPC) has warned mobile phone operators that it would soon start filing criminal charges against them as a way of whipping them to order. The consumer watchdog, supervised by the Nigerian government under the Federal Ministry of Trade and Investment, said lack of strict punishment for erring companies had led to a situation where consumers no longer get value for their money in the West African country.To read this article in full or to leave a comment, please click here

0

Hands on: AT&T Velocity hits the WiFi hotspot

AT&T Velocity I’m using the ZTE-built AT&T Velocity WiFi hotspot as I write up my quickie review of the device here, and sure enough it’s providing me with ample speed as I fact check on the web during this process. The basic purpose for the device is to provide you with 2.4- or 5-GHz WiFi Internet access – via an AT&T 4G LTE connection -- when you can’t find free or safe WiFi in the wild. You just need to make sure you’re not somewhere that blocks usage of such devices – a practice frowned upon by the FCC.To read this article in full or to leave a comment, please click here

0

US lawmakers push for auctions of gov’t spectrum

A group of U.S. lawmakers has reintroduced legislation aimed at encouraging government agencies to give up their spectrum by allowing the agencies to share in the profits when the spectrum is auctioned to commercial mobile carriers.The Federal Spectrum Incentive Act, introduced in both the Senate and the House of Representatives Thursday, mirrors legislation that was introduced in the House in 2013 but failed to pass. But the need for the bill is growing, sponsors argue, because of the skyrocketing consumer demand for commercial mobile and unlicensed WiFi spectrum.To read this article in full or to leave a comment, please click here

0

Tech companies call on US to end bulk collection of metadata

A slew of tech companies have joined privacy groups in calling for the U.S. government to reform its surveillance practices.An open letter from the tech industry and privacy organizations urges the government to not renew the provision in the Patriot Act that allows for the bulk collection of metadata. That provision, called Section 215, expires in June.“There must be a clear, strong, and effective end to bulk collection practices,” reads the letter, which was signed by the industry group Reform Government Surveillance, whose members include including Apple, Facebook, Google, Evernote, Twitter and Microsoft. Any data collection efforts need to protect user rights and privacy, the letter said.To read this article in full or to leave a comment, please click here

0

Gold Apple Watch buyers will receive special treatment

When the upcoming Apple Watch goes on sale on April 24, it will be the most complex and downright confusing product Apple has ever released, by far. With an assortment of styles, bands, and materials, there will be a seemingly never-ending selection of options for users to choose from.At the same time, the Apple Watch will be the most expensive product Apple has ever released. While the Sport models will start at just $349 (for the 38mm version), the Edition models will start at $10,000 and range all the way up to $17,000. Naturally, not every Apple Store will carry the expensive gold Edition models. During Apple's most recent Apple Watch event, Tim Cook noted that only select stores will carry the device, and in limited quantities at that. What's more, it's been reported that the Edition Apple Watch models will be safely stowed away in secure safes in-store, much in the same way that boutique watch stores protect their most valued merchandise.To read this article in full or to leave a comment, please click here