Linuxinstall.net Episode 124 – Security and Ohio Linux Fest Rock – Recorded Tuesday Aug 26, 2014

1) Introduction

  • Brian – I Hate developing solutions that MS says can’t be done
  • Walt – XBMC Build Complete
  • Joe – MOAR automation and log rotations

2) What we are up to with Linux?

  • It’s Birthday Week in the Linux World!!!!
    • Debian turns 21 on Aug. 16th!
    • Linux turned 23 on Aug. 25th
  • Lumina Desktop
  • Security Topics – Securing your applications communications on the internal network

3) Conclusion

Check out our other work:

OhioLinux Fest October 24-25 (Twitter)

Brian and Greg are presenting on Sat Oct 25 no more details as they come out.

UK Government declares Linux the most secure option…

While only achieving a 9 out of twelve score in the study of the following areas:

  • VPN
  • Disk Encryption
  • Authentication
  • Secure Boot
  • Platform Integrity and Sandboxing
  • Application Whitelisting
  • Malicious Code Detection and Prevention
  • Security Policy Enforcement
  • External Interface Protection
  • Device Update Policy
  • Event Collection for Enterprise Analysis
  • Incident Response

Linux still beat Windows 7 of 12 and Mac OSX’s 8 of 12.  A full synopsis can be found here from TechRepublic.  Remember though no OS scored a perfect score and 9 out of 12 is still only a C.  So there is plenty of room for everyone to improve.

How CloudFlare dealt with a 65Gbps DDOS Attack…

Abraham Williams on Google+ pointed us to an article over on the CloudFlare blog about how they dealt with a recent 65Gbps attack.  The article titled “How to launch a 65Gbps DDOS attack and how to stop one” gives some high level details about how they deal with such attacks and how someone can get 65 Gbps of bandwidth to even start one.  The article does a great job of explaining one method using Open Unrestricted DNS Resolver.  The basic idea is that since DNS can be done with UDP packets you can easily forge the from address and cause the Open Unrestricted DNS Resolver to reply to the targeted computers or network.  This is exploiting two flaws in the internet.  The first that UDP is a fire and forget protocol which doesn’t require any proof of where you are coming from.  The second is that Open Unrestricted DNS Resolver exist or at the least allow UDP requests.  DNS can and should be required to be done over TCP which makes forging the information much harder and less reliable.

They have an article they wrote before this one that talks about and apologizes to their customers for the disruption in the first place.  It’s found here and called “Post Mortem: What Yesterday’s Network Outage Looked Like” .  It is a shinning example of what a company should do when an event like this happens.  It is very transparent, clear and easy to understand and most of all genuine.  While I know it’s great PR it’s not something I see a lot of companies like them doing.

 

Let us know if you have ever dealt with something like this in your job?

Do you think they took the proper response?

What do you think of the post mortem?

Update: Changed Open to Unrestricted becuase as pointed out in the comments below it seemed to imply the awesome DNS service by a similar name.  They, to our knowledge, were not part of the problem.

Episode 52 – When will the world become secure…

Episode 52 – When will the world become secure…
Running Time:  47:06
1) Introduction
Did you try Windows 8 Beta? Kind of looks like Unity…
2) News
3) Conclusion
Recommendations for People to interview
Go to the WebSite to call us via Google Voice
Facebook Fan Page
Follow us on Twitter and Identica as @linuxinstall
Look for us and comment on iTunes, odeo

http://player.wizzard.tv/player/o/j/x/131658063958/config/k-73b443e966a1409d/uuid/root/height/325/width/325/episode/k-3de72af464e459ff.m4v

 

Is linux really more secure?

With the recent breaches at Kernel.org and the Linux Foundation several people have started asking is Linux really more secure?  Our assesment of the sitution is that any OS is only as secure as the users and Admin’s make it.  A weak user password or failing to keep up with system patches both can end with the same result as the Kernel.org breach showed.  Others like Leo Leporte’s Twit Network website were caused by missed updates.  So whether it’s Windows, Linux or the Mac poor choices will always lead to insecurity.  Protect your data and that of your fellow users and use long, safe and secure pass phrases.  if your a system admin or Developer push hard to maintain your systems to a reasonable patch level for your company.

Security breaches just keep on coming…

According to several reports both kernel.org and linux.org were hacked over the last few weeks.  Showing that both linux isn’t perfect and that users are the weakest link in any operating systems armour.  In both cases nothing super secert from the users was stolen.  The kernel.org attack is not an issue, as no one can update the kernel code or other software hosted at the site without a large nuber of contributors being told about the update.  So with everything safe and the users passsword changed we can all breath a sigh of relief and walk away remembering that even simple things like password policies are important.

Please make us accountable for security..

This post is a direct plea to any C level managers or other managers that control what IT people do.  We at LinuxInstall.net are tired of reading about companies like yours getting hacked.  We feel comfortable saying this because while not every industrial market has seen a break in, it’s only a matter of time before they all confess.  So what can you do?

First you should hold everyone accountable for their part of your IT Security, even if they don’t work for that department.  By this we mean that your developers should be held accountable to write secure code.  Your administrators should be expected to follow strict hardening standards.  Everyone else in the company should use strong passwords and be smart about what they click on while visiting a web page.  

So how do you verify that this is all being done?  Start with an audit of every one’s processes which you have performed by outside security experts.  They will be able to accurately evaluate that your standards are both secure enough and being enforced.  With internally developed websites, the cost of outside code reviews should save you from having to spend the money on fraud protection for all of your customers or users.  Read the audits and ask both the auditors and internal staff enough questions to let them know you really did look at it and want more detail or clarifications.  It doesn’t make you look stupid and you will earn more respect this way.  This process will also very likely end with a request for more staff, so be prepared.

For everyone, including IT, forced training about good web surfing habits and passwords are a must for every company.  Regular checks by your security team for weak passwords inside your company will help to scare people straight about the policy.

Finally, listen to your staff.  You pay them to be the experts on this.  Let them be experts.  They are the ones that should be focused on reading about the latest trends and maintaining their skills. To keep up their skills they need to go to both local and remote conferences on coding, security and things of this nature.  That means that you need to spend money on it.  The volume of knowledge around the entire security world is now beyond one person.  Your teams should be both generalists and specialists.  This will let them learn the basics and then focus on their area of interest.  When you get the request to spend money, just review and approve it on the condition of cross training their teammates.

Remember security is every ones concern.  If the company is breached bad enough, going out of business is a real possibility.  With everyone working together and working securely you can take a large step towards securing the net.