Summer 2009SecurityAs Evi Nemeth puts it:Unix was not designed with security in mind,and for that reason no UNIX system can be madetruly secure.While I think that statement is becoming lesstrue with the compartmentalization now availablevia virtualization and with the increased securityfrom using mandatory access control systems suchCNT 4603Summer 2009as SELinux, it is still valid.Even the most security-conscious of all of themainstream Unixes, OpenBSD, has had its flaws.The basic flaws are in Unix are+ “Unix is optimized for convenience” – not forsecurity.+ “Unix security is effectively binary”+ Administrative items are outside the kernel, notinside. (For instance, older systems can be foundthat actually had items such as shells as entitiesinside the operating system itself — which I am notCNT 4603Summer 2009sure was any safer than having it outside!)As USAH has it on page 652:Security = 1/(1.072 ∗ Convenience)General rules of security:+ Don’t put files on your systems that areinteresting to hackers. If you do, protect themcryptographically, such as with an encrypted filesystem. Using an encrypted file system that worksfrom a single ordinary file is convenient for users,CNT 4603Summer 2009convenient for system administrators, and still givesbetter security.+ Keep your machines up to date with patches.While this advice is harder to follow in a productionenvironment where patches may have unintendedand unfortunate side-effects, getting behind onsecurity patches is a bad idea. Fortunately, manyproduction environments are isolated by firewallsnot only from the world in general, but also fromdevelopment, q/a, and general user environments –and even maybe running a local firewall also on theCNT 4603Summer 2009server. But some production servers do live closer tothe real world, such as mail servers and web servers,and these are two of the most commonly hackedtypes of servers. Monitoring can also help you findand stop problems.+ “Don’t provide places for hackers to build nests onyour systems.” Don’t leave world-writable FTPservers running, don’t allow poor passwords onmachines exposed to the world, don’t allow file-sharing services such as Winny to run on yoursystems.CNT 4603Summer 2009US Congress probes accidental topsecret file sharingProtecting fed workers from themselvesBy Austin ModineJuly 30, 2009US Congress wants to know if new federal laws are needed to protect government employeesfrom accidental file-sharing.A House of Representatives oversight committee gathered on Wednesday to discusswhether government workers getting their hands on peer-to-peer software poses a riskto privacy and national security.At issue are numerous cases of federal government employees and contractors who installP2P software on computers without realizing the sensitive documents they expose forsharing. According to the committee chairman, this is a problem with the software ratherthan user....Towns laid out several past cases of apparent accidental file-sharing that lead to majorCNT 4603Summer 2009security breaches on LimeWire. In one, the social security numbers and family informationfor every master sergeant in the US Army was made available. Another security breachinvolving the Secret Service resulted in the leak of a file containing a safe house locationfor the First Family. ...CNT 4603Summer 2009As Japanese Bring Work Home, VirusHitches a RideBy Bruce Wallace, Times Staff WriterMarch 21, TOKYOSo far it has spilled military secrets and the private phone numbers of TV stars, airportsecurity access codes and elementary school children’s grades.And the dirty work of this computer virus may not be done.With almost daily reports of more private information being pumped from personalcomputers and splashed over the Internet, there is a growing unease that Japan is underinsidious attack from within.The culprit is a digital worm that infects computers using the file-sharing Winny software,a Japanese computer program that, like the infamous Napster, was designed to allowpeople to easily swap music and movie files.From the Los Angeles Times, March 21st, 2006 atCNT 4603Summer 2009http://www.latimes.com/news/nationworld/world/la-fg-computer21mar21,0,5159274.storyCNT 4603Summer 2009Japanese power plant secrets leaked byvirusMystery malware and file sharing linked to third breachBy John LeydenPublished Wednesday 17th May 2006 16:06 GMTSensitive information about Japanese power plants has leaked online from a virus-infected computer for the second time in less than four months. Data regarding securityarrangements at a thermoelectric power plant run by the Chubu Electric Power in Owase,Mie Prefecture in central Japan spilled online this week as a result of an unnamed virusinfection, the Japan Times reports.The name and addresses of security workers, along with other sensitive data includingthe location of key facilities and operation procedures, found its way onto file-sharingnetworks. A 40 year-old sub-contractor at the plant who installed the Share file sharingprograms on his PC is suspected of provoking the security flap.The power plant suffered a similar incident in January over data that found its way ontoCNT 4603Summer 2009the Winny file sharing network, the most popular P2P network in Japan, which boasts anestimated 250,000 users. That incident provoked a management edict designed to prohibitthe use of file sharing programs, so the occurrence of a similar problem only four monthslater is doubly embarrassing for Chubu Electric Power.Chubu Electric is not the only power firm with problems in this area of net security,however. In June 2005, nuclear power plant secrets had been leaked from a PC belongingto an worker at Mitsubishi Electric Plant Engineering, anti-virus firm Sophos notes. Thatbreach, just like the January security flap at Chubu Electric, was also linked to virusinfection and the Winny file sharing program.From the Register, May 17th, 2006 athttp://www.theregister.co.uk/2006/05/17/japan power plant virus leak/CNT 4603Summer 2009Rules, continued+ Use an IDS+ Monitor your tools reports+ Learn more about security+ Watch for the unusual, particularly in your logs and/tmp directories.CNT 4603Summer 2009How is security compromised?The weakest link is often the human element.Social engineering takes advantage of the factthat people generally are not distrustful, such asdemonstrated by Nigerian 419 schemes and byphishing. Education is the only answer, and eventhen, education