idea for authpf

I know some sites trust their servers and let the servers talk to anywhere on the Internet or internally.

Just had a thought: instead, all servers should be blocked for all traffic except business-needed traffic. What about updates? The servers need to go fetch updates (in those cases where the patches/updates are not handled in a centralized way). Give those who are responsible for patching servers an authpf account that gives the server permission to go get updates.

When the sysop logs out of the gateway system, the rules revert to a very restricted state. The nice part is that this will work 24×7 and the firewall admins need not be around to change the rules.

To further contain possible unwanted behavior, give each application owner their own ID and limit that ID to the specific IPs of the application servers.

What do you think?
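A sketch of how the idea above could be laid out on an OpenBSD gateway, added here as an example and not taken from a real deployment. The interface names, the 192.0.2.0/24 documentation addresses and the accounts `patchadmin` and `appowner1` are assumptions.

```conf
# --- /etc/pf.conf on the gateway (excerpt) ---
ext_if = "em0"            # assumed: Internet-facing interface
srv_if = "em1"            # assumed: interface facing the servers

set skip on lo
block log all             # default: the servers reach nothing
pass out on $ext_if       # the allow/deny decision is made inbound on $srv_if

# Business-needed flows are passed explicitly here.

# authpf loads each logged-in user's rules under this anchor and
# removes them again when that user's SSH session ends.
anchor "authpf/*"

# --- /etc/authpf/authpf.conf ---
# Must exist for authpf to run; it may be empty.

# --- /etc/authpf/users/patchadmin/authpf.rules ---
# Hypothetical patching account; its login shell is /usr/sbin/authpf.
# Macros from pf.conf are not visible in this file, so they are repeated.
srv_if      = "em1"
all_servers = "192.0.2.0/24"
pass in quick on $srv_if inet proto { tcp, udp } from $all_servers to any port 53
pass in quick on $srv_if inet proto tcp from $all_servers to any port { 80, 443 }

# --- /etc/authpf/users/appowner1/authpf.rules ---
# Hypothetical application owner, limited to that application's servers.
srv_if   = "em1"
app1_srv = "{ 192.0.2.21, 192.0.2.22 }"
pass in quick on $srv_if inet proto { tcp, udp } from $app1_srv to any port 53
pass in quick on $srv_if inet proto tcp from $app1_srv to any port { 80, 443 }
```

authpf's session cleanup is keyed to the address of the user who logged in, so connections the servers have already opened may persist until they close or their state times out.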

Whitfield Diffie talks about secure cloud computing

In this article Whitfield Diffie talks about secure cloud computing. I take comfort in knowing that he and I used to work for the same company, Sun Microsystems. There are some really smart people at Sun. The article is small and I recommend reading it. I specifically quote part of the article below as it mentions OpenBSD. I’ve been running OpenBSD for years.

TR: If a full cryptographic solution is far-off, what would a near-term solution look like?

WD: A practical solution will have several properties. It will require an overall improvement in computer security. Much of this would result from care on the part of cloud computing providers–choosing more secure operating systems such as OpenBSD and Solaris–and keeping those systems carefully configured. A security-conscious computing services provider would provision each user with its own processors, caches, and memory at any given moment and would clean house between users, reloading the operating system and zeroing all memory.

An important component of security will be the quality of the personnel operating the data centers: good security training and appropriate security vetting. A secure data center might well be administered externally, allowing a very limited group of employees physical access to the computers. The operators should not be able to access any of the customer data, even as they supervise the scheduling and provisioning of computations.

Oh great, now the IRS is making my information available (and YOURS too)

IRS deploys applications knowing they have security issues

Oh great, the IRS knew about the issues yet still deployed the applications.  Those in charge and who approved this should be fired, IMNSHO.  

Putting applications on the network with known vulnerabilities is not a wise decision, regardless of the data contained within.  Given the nature of the data contained within the IRS everything should be triple checked and any issues fixed immediately.  The risk is huge given the data.  

If the data to be protected was email, not having encryption over the wire within the data center might be an acceptable risk.  However given the nature of the data we are talking about here, the data should be encrypted 100% of the time.

"New" TCP DDoS

I like what Fyodor has to say about this http://insecure.org/stf/tcp-dos-attack-explained.html

I like this quote

How do you know this is the same bug Robert and Jack found?

I don’t, since they have refused to release full details. But this sounds like the same fundamental bug. Robert and Jack are smart fellows, so, again, I’m sure that they’ve found ways to extend and improve the attack in certain situations. But the simple approach described above is quite effective on its own. You don’t even need to use more specific and esoteric attacks when the basics are so effective.

Especially the last sentence, not rocket science, but follows the KISS principle.

What companies are paying for loss of customers' data

Attrition Security Rant: Useless Compensation for Data Loss Incidents

I agree 100% with this article.

I already have, paid for with my own money, a service that watches my credit report from all three agencies and notifies me of any change. I read an article by Bruce Schneier a while ago and came away from that thinking that if someone steals my identity I will find out about it and notify the credit reporting bureaus that it is fraudulent information. I think I could make a strong case of fraud against the agencies/credit card companies if they continue to publish this fraudulent information with my credit information. If the credit card company is so sure that it is myself who signed a credit card agreement with them, in my mind, the burden of proof lies with them. They must prove, beyond a reasonable doubt, that it was in fact myself who signed up for and entered into the agreement with them. Obviously the credit card company will never be able to do so, as I did not enter into this fraudulent contract.