Partition Encryption in Linux

May 17, 2011

Last week, I started getting errors from the external hard drive that I use for backing up my workstation. Since this is probably the sign of an impending failure, I ordered a new one immediately. Also, since external hard drives are lightweight and easy to steal, both the replacement and the drive being replaced are encrypted to protect their data.

In Linux, the most common solution for drive encryption is a combination of dm-crypt and LUKS. If you’re interested in setting up an encrypted drive yourself, you might find this walkthrough useful – I wrote it a few years ago, and still refer to it every time I need to refresh my memory on the command syntax for working with encrypted filesystems under Linux.


Cisco VoIP Exploits

May 13, 2011

Once again, we see the results of telecom functionality moving into the networking space – the old-school telecom people just aren’t ready for the demands of properly securing an IP network. AusCERT has asserted that Cisco VoIP products, out of the box, can be vulnerable to attacks that turn them into listening bugs, that allow an attacker to eavesdrop on conversations, or that crash them entirely as a Denial of Service attack.

Running any service over an IP network means that you now have TWO sets of security problems to deal with. In much the same way that the replacement of “dumb” cell phones by smartphones adds tremendous security headaches, so too does the transition from traditional PBX systems to a VoIP world.


Leaving the Sandbox

May 11, 2011

French security research firm Vupen has claimed to have written an exploit that allows them to escape the Chrome sandbox and launch arbitrary code.

Great.


LastPass

May 6, 2011

There has apparently been a sizable data exfiltration at LastPass, an application service provider that stores passwords for user accounts. The data was of sufficient size that it probably includes hashed “master passwords”, which serve as the crypto keys to unlock the stored passwords on the service.

If you’re using LastPass, you may want to change your password. And you may also want to reconsider the wisdom of storing all of your passwords in a stranger’s datacenter.


Macdefender

May 4, 2011

Macintosh users – welcome to the fake antivirus party.

A new piece of malware called “Macdefender” has been seen in the wild. It is a JavaScript installation inside of a compressed ZIP folder, which means that users running as administrators with “Open Safe Files After Download” checked in Safari will launch and install it automatically. Some users are reporting that they were not even prompted for a confirmation password on the installation.


Nikon IAS Cracked

May 3, 2011

The Nikon Image Authentication System has a simple enough mission – it is supposed to provide a cryptographically secure path from the camera to the newsroom, ensuring that any image used can be proven authentic.

Apparently, due to a weakness in the signing key storage in the camera, it doesn’t work. The key can be extracted and used to sign arbitrary image data, “proving” it legitimate.


Fallout in the Cloud

May 2, 2011

The recent Amazon cloud services outage has caused some consternation, especially among the customers who permanently lost data that they had entrusted to Amazon for safekeeping.

It is important to remember that one of the three pillars of information security is “availability”: that is, ensuring that your information environment is robust enough to survive catastrophic events and continue providing information resources to the people who need them. Clearly, simply handing over your business data to a third party and then washing your hands of responsibility for it is not a valid practice.


Cluster Stego

April 27, 2011

Coincidentally enough, after this week’s Definition Monday on steganography, researchers have come up with yet another new stego scheme: this one is based on the cluster fragmentation of particular files on the hard drive. An Open Source implementation is upcoming.

While this doesn’t seem as robust as a system like the (sadly defunct) Linux stegFS project, it’s still a pretty interesting innovation.


Playstation Network Breach

April 27, 2011

Sony is not having a great week. Looks like some “external attacker” has made off with the mother lode of data from the subscription section of Playstation Network.

“Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.”


Seattle Wardriving

April 27, 2011

The police in Seattle have seized a black Mercedes thought to have been used for large-scale “wardriving” data theft from area businesses. The owners were cruising around the city, looking for small businesses using vulnerable WEP encryption on their wireless networks, and then intercepting data for later use.

If your company has a wireless network, PLEASE be aware of the security implications of what you’re doing. Wireless isn’t like traditional Ethernet – the radio waves can travel right through the walls into the parking lot or other public space, and simple point-and-click eavesdropping tools make it easy for even a technical neophyte to gather data from a misconfigured network.