Linuxinstall.net Episode 124 – Security and Ohio Linux Fest Rock – Recorded Tuesday Aug 26, 2014

1) Introduction

  • Brian – I hate developing solutions that MS says can’t be done
  • Walt – XBMC Build Complete
  • Joe – MOAR automation and log rotations

2) What we are up to with Linux?

  • It’s Birthday Week in the Linux World!!!!
    • Debian turns 21 on Aug. 16th!
    • Linux turned 23 on Aug. 25th
  • Lumina Desktop
  • Security Topics – Securing your applications communications on the internal network

3) Conclusion

Check out our other work:

OhioLinux Fest October 24-25 (Twitter)

Brian and Greg are presenting on Sat Oct 25; more details as they come out.

UK Government declares Linux the most secure option…

While only achieving a 9 out of 12 score in the study of the following areas:

  • VPN
  • Disk Encryption
  • Authentication
  • Secure Boot
  • Platform Integrity and Sandboxing
  • Application Whitelisting
  • Malicious Code Detection and Prevention
  • Security Policy Enforcement
  • External Interface Protection
  • Device Update Policy
  • Event Collection for Enterprise Analysis
  • Incident Response

Linux still beat Windows’ 7 of 12 and Mac OSX’s 8 of 12.  A full synopsis can be found here from TechRepublic.  Remember though that no OS scored a perfect score, and 9 out of 12 is still only a C.  So there is plenty of room for everyone to improve.

How CloudFlare dealt with a 65Gbps DDOS Attack…

Abraham Williams on Google+ pointed us to an article over on the CloudFlare blog about how they dealt with a recent 65Gbps attack.  The article, titled “How to launch a 65Gbps DDOS attack and how to stop one”, gives some high level details about how they deal with such attacks and how someone can get 65 Gbps of bandwidth to even start one.  The article does a great job of explaining one method using Open Unrestricted DNS Resolvers.  The basic idea is that since DNS can be done with UDP packets, you can easily forge the source address and cause the Open Unrestricted DNS Resolver to reply to the targeted computers or network.  This exploits two flaws in the internet.  The first is that UDP is a fire and forget protocol which doesn’t require any proof of where you are coming from.  The second is that Open Unrestricted DNS Resolvers exist, or at the least allow UDP requests.  DNS can and should be required to be done over TCP, which makes forging the information much harder and less reliable.
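The two flaws the paragraph describes leave a fingerprint in a resolver’s own logs: a client the resolver should never be answering (anyone outside the internal network, i.e. the resolver is “open”), and a run of small queries answered with far larger responses (the amplification). The following is an added example, not code from the CloudFlare article or the podcast, showing how a defender can score a resolver’s query/response log for both signs. The log records, the 10.0.0.0/8 “internal” range and the 203.0.113.0/24 “external” address are constructed for the example.

```python
"""Added example: flag open-resolver and amplification patterns in DNS logs."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class DnsEvent:
    direction: str   # "query" (arriving at the resolver) or "response" (leaving it)
    client: str      # source IP of the query / destination IP of the response
    qtype: str       # record type asked for, e.g. "A", "ANY"
    size: int        # UDP payload size in bytes


# Constructed sample log, not captured traffic. 203.0.113.0/24 is the RFC 5737
# documentation range; 10.0.0.0/8 plays the role of the internal network.
SAMPLE_EVENTS = [
    DnsEvent("query", "10.0.4.20", "A", 40),
    DnsEvent("response", "10.0.4.20", "A", 120),
    DnsEvent("query", "10.0.4.21", "AAAA", 42),
    DnsEvent("response", "10.0.4.21", "AAAA", 140),
] + [
    # Five small ANY queries carrying a spoofed external source address, each
    # answered with a large response: the reflection pattern described above.
    DnsEvent("query", "203.0.113.9", "ANY", 45) for _ in range(5)
] + [
    DnsEvent("response", "203.0.113.9", "ANY", 3000) for _ in range(5)
]


@dataclass
class Finding:
    client: str
    responses: int
    ratio: float          # response bytes / query bytes for this client
    external: bool
    reasons: list = field(default_factory=list)


def amplification_report(events, internal_prefixes=("10.",),
                         min_responses=3, max_ratio=10.0):
    """Return one Finding per client that looks like reflection/amplification.

    A client is reported when the resolver answered it although it lies outside
    the internal prefixes (open resolver), or when at least `min_responses`
    answers were sent and the byte ratio of responses to queries exceeds
    `max_ratio` (amplification). Thresholds are illustrative assumptions.
    """
    q_bytes = defaultdict(int)
    r_bytes = defaultdict(int)
    r_count = defaultdict(int)
    for ev in events:
        if ev.direction == "query":
            q_bytes[ev.client] += ev.size
        elif ev.direction == "response":
            r_bytes[ev.client] += ev.size
            r_count[ev.client] += 1

    findings = []
    for client in set(q_bytes) | set(r_bytes):
        # A response with no query bytes at all is treated as infinite amplification.
        ratio = r_bytes[client] / q_bytes[client] if q_bytes[client] else float("inf")
        external = not client.startswith(internal_prefixes)
        reasons = []
        if external and r_count[client] > 0:
            reasons.append("answered a client outside the internal network (open resolver)")
        if r_count[client] >= min_responses and ratio > max_ratio:
            reasons.append(f"amplification ratio {ratio:.1f}x over {r_count[client]} responses")
        if reasons:
            findings.append(Finding(client, r_count[client], ratio, external, reasons))
    return sorted(findings, key=lambda f: f.client)


if __name__ == "__main__":
    for f in amplification_report(SAMPLE_EVENTS):
        print(f.client, "->", "; ".join(f.reasons))
```

Run on the sample log this reports only 203.0.113.9, for both reasons; the two internal clients stay under the ratio threshold. The two conditions map onto the two fixes the paragraph implies: restricting recursion to internal clients removes the “open” finding entirely, and rate limiting or forcing TCP for large responses caps the ratio.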

They have an article they wrote before this one that talks about and apologizes to their customers for the disruption in the first place.  It’s found here and called “Post Mortem: What Yesterday’s Network Outage Looked Like”.  It is a shining example of what a company should do when an event like this happens.  It is very transparent, clear and easy to understand and, most of all, genuine.  While I know it’s great PR, it’s not something I see a lot of companies like them doing.


Let us know if you have ever dealt with something like this in your job?

Do you think they took the proper response?

What do you think of the post mortem?

Update: Changed Open to Unrestricted because, as pointed out in the comments below, it seemed to imply the awesome DNS service by a similar name.  They, to our knowledge, were not part of the problem.

Episode 52 – When will the world become secure…

Running Time:  47:06
1) Introduction
Did you try Windows 8 Beta? Kind of looks like Unity…
2) News
3) Conclusion
Recommendations for People to interview
Go to the WebSite to call us via Google Voice
Facebook Fan Page
Follow us on Twitter and Identica as @linuxinstall
Look for us and comment on iTunes, odeo


Is Linux really more secure?

With the recent breaches at Kernel.org and the Linux Foundation, several people have started asking: is Linux really more secure?  Our assessment of the situation is that any OS is only as secure as the users and admins make it.  A weak user password or failing to keep up with system patches can both end with the same result, as the Kernel.org breach showed.  Others, like Leo Laporte’s TWiT Network website, were caused by missed updates.  So whether it’s Windows, Linux or the Mac, poor choices will always lead to insecurity.  Protect your data and that of your fellow users and use long, safe and secure pass phrases.  If you’re a system admin or developer, push hard to maintain your systems at a reasonable patch level for your company.

Security breaches just keep on coming…

According to several reports, both kernel.org and linux.org were hacked over the last few weeks.  This shows both that Linux isn’t perfect and that users are the weakest link in any operating system’s armour.  In both cases nothing super secret belonging to the users was stolen.  The kernel.org attack is not an issue, as no one can update the kernel code or other software hosted at the site without a large number of contributors being told about the update.  So with everything safe and the users’ passwords changed, we can all breathe a sigh of relief and walk away remembering that even simple things like password policies are important.

Please make us accountable for security..

This post is a direct plea to any C level managers or other managers that control what IT people do.  We at LinuxInstall.net are tired of reading about companies like yours getting hacked.  We feel comfortable saying this because while not every industrial market has seen a break in, it’s only a matter of time before they all confess.  So what can you do?

First you should hold everyone accountable for their part of your IT Security, even if they don’t work for that department.  By this we mean that your developers should be held accountable to write secure code.  Your administrators should be expected to follow strict hardening standards.  Everyone else in the company should use strong passwords and be smart about what they click on while visiting a web page.  

So how do you verify that this is all being done?  Start with an audit of everyone’s processes, performed by outside security experts.  They will be able to accurately evaluate that your standards are both secure enough and being enforced.  With internally developed websites, the cost of outside code reviews should save you from having to spend the money on fraud protection for all of your customers or users.  Read the audits and ask both the auditors and internal staff enough questions to let them know you really did look at it and want more detail or clarification.  It doesn’t make you look stupid, and you will earn more respect this way.  This process will also very likely end with a request for more staff, so be prepared.

For everyone, including IT, mandatory training about good web surfing habits and passwords is a must for every company.  Regular checks by your security team for weak passwords inside your company will help to scare people straight about the policy.

Finally, listen to your staff.  You pay them to be the experts on this.  Let them be experts.  They are the ones that should be focused on reading about the latest trends and maintaining their skills. To keep up their skills they need to go to both local and remote conferences on coding, security and things of this nature.  That means that you need to spend money on it.  The volume of knowledge around the entire security world is now beyond one person.  Your teams should be both generalists and specialists.  This will let them learn the basics and then focus on their area of interest.  When you get the request to spend money, just review and approve it on the condition of cross training their teammates.

Remember, security is everyone’s concern.  If the company is breached badly enough, going out of business is a real possibility.  With everyone working together and working securely, you can take a large step towards securing the net.

59 Open Source Security Tools…

While the title doesn’t lie, “59 Open Source Tools That Can Replace Popular Security Software” probably should have been trimmed to 50.  Several of the packages are no longer being supported, so be sure to go to the links and check the activity on the projects before committing to one.

This doesn’t mean that, like most articles of this kind, there aren’t a few new gems you may not have heard about before.  For me, with this one, it was the modsecurity package.  This package is a plugin for Apache that allows you to set up web application firewall-like functionality.  As I just had a friend get hacked because of a bug in PHP, this seems like a great idea to me.  I am now going to look into whether we should be investigating it.

A lot of my favorite security tools are on this list.  Things like SpamBayes, SpamAssassin and Bacula, just to name a few.  It’s 4 pages, but broken down into nice list groupings.