news.cyb/sec/Defense sees cloud computing as insecure:
3.17: 3.29: summary:
. I'm interested in cloud computing primarily because
it is promoted by Google's Chrome OS platform;
however, what makes that platform most secure
is not so much that it relies on cloud computing,
but that it strictly controls the firmware,
which avoids advanced persistent malware .
. the usa's DoD (Dept of Defense) is moving to cloud computing
(saving money by outsourcing to private industry
instead of using DoD's own servers)
but they are not putting all their data there,
because some of it is too sensitive .
. what they are hoping for
is that they can get private industry
to set up their servers on DoD property,
where physical access to the servers
can be monitored by the DoD .
. another issue is that top secret communications
are done on a network that is separate from
the public's internet .
2015-03-29
2013-09-26
NSA's globalized internet security
9.26: news.cyb/sec/NSA's globalized internet security:
Sept. 25, 2013, Army Gen. Keith B. Alexander,
Cybercom commander, and director of NSA,
at the National Press Club
or 4th Annual Cybersecurity Summit .
. in the past year, we saw more than 300
distributed denial-of-service attacks
on Wall Street.
We saw destructive attacks against
Saudi Aramco and RasGas [Co. Ltd.],
and against South Korea .
. U.S. Cyber Command (Cybercom)
has activated the headquarters for
one of its 3 Cyber Force branches:
Cyber National Mission Force,
which defends the nation;
Cyber Protection Force,
which defends DOD's information environment;
and Cyber Combat Mission Force,
which will provide assistance to the military
to implement cyber counterattacks .
Cybercom teams are now fully operational
and working side by side with NSA
to defend the nation.
The Army, Navy and Marines
trained about a third of the force in 2013
and they will train a third in 2014
and another third in 2015.
2013-09-19
USA intel has SOA on High-Security Internet
9.11: news.cyb/sec/USA intel has SOA on High-Security Internet:
Sept. 11, 2013
Al Tarasiuk, intelligence community CIO[18:
and assistant director of national intelligence .
. the IC ITE ( Intelligence Community
Information Technology Enterprise )
is a new IT environment that will
vastly improve information sharing
across the intelligence community .
. consolidating IT across the community
was driven by budget considerations.
But today,
it's more than an efficiency play on IT:
intelligence integration,
information sharing and safeguarding .
. that translates into 3 goals:
1: effectiveness,
2: security
3: efficiency .
"In the past, these were mutually exclusive,
but now we'll have more of all 3 goals
because of cloud technologies,
and a [SOA (service-oriented architecture)]
or "service-provider-based business architecture"
providing an IC cloud not on the Internet,
but privately hosted on TS|SCI networks
(top secret / Sensitive Compartmented Information)
. high-security wide-area networks are
connected by Tesla beam transmissions,
which unlike fiber optic cable,
can be transmitted wirelessly,
and are very difficult to intercept .
. the govt denies this technology even exists,
but they've used it to communicate with submarines,
and a chinese-american collaboration is developing it .]
2010-06-01
SOA-style security for linux
news.addn/security/soa for linux:
5.6:
OpenVZ is container-based virtualization for Linux
. this is what could make linux
more secure than mac ? 5.13:
another layer of security wouldn't hurt,
but openVZ is just the open engine for
a closed product from Parallels .
. Qubes has a complete open betaware isolation solution .
5.13: web:
qubes-os.org/trac/wiki/SourceCode
Qubes is an open source operating system
designed to provide strong security for desktop computing.
Qubes is based on Xen, X Window System, and Linux,
and can run most Linux applications
and utilize most of the Linux drivers.
qubes-os.org/gitweb/
qubes-os.org/trac/wiki/InstallationGuide
In the future it might also run Windows apps.
. critique at threatpost.com .
5.13:
Secure Virtualization Using SELinux (sVirt):
"(Crackers have already broken through the xen hypervisor,
as I documented in one of my previous blogs.
Adventures with a certain Xen vulnerability (pdf)
was just published which contains a Xen vulnerability
which allows a process in a virtual machine
to attack the host machine,
and SELinux is pretty much a speed bump in his way.
3.4
What actions are available for an uid 0 process
running in the system_u:system_r:xend_t:s0 context?
It turns out that default SELinux policy allows very few.
For instance, we cannot write to system configuration files,
nor load kernel modules.
However, qemu-dm processes also implement
virtual block devices for HVM guests,
and these devices can be backed by raw disk partitions.
In order to make it possible,
the default SELinux policy grants the xend_t domain
the read-write access to all disk partitions.
The relevant lines in the SELinux reference policy
(from the default selinux-policy-3.0.8-44.fc8.src.rpm)
are:
storage_raw_read_fixed_disk(xend_t)
storage_raw_write_fixed_disk(xend_t)
Particularly, qemu-dm (so, the shell executed from it as well)
can write to the blocks on the root filesystem.
Through the use of fixed disk the attacker
is able to trick the host operating system
into loading kernel modules that can take over the machine.
If we had forced the users to label the physical disk partitions,
this vulnerability would not have been exploitable.
Lesson learned.
When it comes to virtualization going forward,
I plan on forcing the user to apply the correct labeling.
KVM/QEMU have nice process separation
and make confinement easier.
virt_manager and libvirt are being built with SELinux
understanding in them.
virt_manager will setup the labeling correctly
when virtual images are installed
and libvirt will make sure they run in the correct domain
when they are launched.
In the future we want to protect not only the host machine
from the virtual machines,
but the virtual machines from each other.
Watch for information on this in the future.
In conclusion, as we move towards more widespread use of virtualization,
we should avoid making compromises in security
for the sake of usability,
but work toward making security usable.) .
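. the lesson in the quoted post is that a confined domain can still be dangerous if policy lets it write raw block devices; the check a defender wants is "which domains can write fixed_disk_device_t blk_file?". The script below is an added example (not from the quoted blog, the SELinux project, or the page author): it parses SELinux allow rules in the text form shared by policy source and `sesearch -A` output and reports each domain's read/write access to a block-device type. The sample rules are constructed; the permission sets are an assumption of what the two refpolicy interfaces roughly expand to, not copied from any policy version.

```python
"""Report SELinux domains with raw read/write access to a disk device type.

Added example, not code from the quoted post or the SELinux project.
Parses `allow` rules in the syntax used both by policy source files and
by `sesearch -A` output, e.g.
    allow xend_t fixed_disk_device_t:blk_file { read write open };
"""
import re
from dataclasses import dataclass

# Constructed sample policy fragment. The two xend_t rules stand in for what
# storage_raw_read_fixed_disk(xend_t) / storage_raw_write_fixed_disk(xend_t)
# expand to; exact permission sets are assumed, not taken from a real policy.
SAMPLE_RULES = """
# fixed-disk access granted to the Xen control domain
allow xend_t fixed_disk_device_t:blk_file { getattr read ioctl lock open };
allow xend_t fixed_disk_device_t:blk_file { getattr write append ioctl lock open };
allow fsadm_t fixed_disk_device_t:blk_file { getattr read write ioctl open };
# unrelated rules that must not be flagged
allow httpd_t httpd_config_t:file { getattr read open };
allow xend_t xen_image_t:file { getattr read write open };
allow qemu_t removable_device_t:blk_file { read write };
"""

# allow <source> <target>:<class> { perm perm ... };   or   allow a b:c perm;
ALLOW_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>\S+))\s*;\s*$"
)

WRITE_PERMS = {"write", "append"}


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset


def parse_allow_rules(text):
    """Return AllowRule objects for every allow statement; skip other lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ALLOW_RE.match(line)
        if not m:
            continue  # type/attribute/role statements etc. are ignored
        if m.group("perms") is not None:
            perms = frozenset(m.group("perms").split())
        else:
            perms = frozenset([m.group("perm")])
        rules.append(AllowRule(m.group("src"), m.group("tgt"), m.group("cls"), perms))
    return rules


def raw_disk_access(rules, target="fixed_disk_device_t"):
    """Map domain -> subset of {'read', 'write'} on <target>:blk_file.

    Multiple rules for one domain are merged, as the kernel does.
    A domain with only getattr/ioctl appears with an empty set.
    """
    access = {}
    for r in rules:
        if r.target != target or r.tclass != "blk_file":
            continue
        flags = access.setdefault(r.source, set())
        if "read" in r.perms:
            flags.add("read")
        if r.perms & WRITE_PERMS:
            flags.add("write")
    return access


def domains_with_raw_disk_write(rules, target="fixed_disk_device_t"):
    """Sorted list of domains that can modify the raw device, the case the post warns about."""
    return sorted(d for d, f in raw_disk_access(rules, target).items() if "write" in f)


if __name__ == "__main__":
    report = raw_disk_access(parse_allow_rules(SAMPLE_RULES))
    for domain, flags in sorted(report.items()):
        print(f"{domain:16} {' '.join(sorted(flags)) or '(metadata only)'}")
```

. on a live system, feed it real rules with `sesearch -A -t fixed_disk_device_t -c blk_file` (setools) instead of the constructed sample; any domain that shows "write" here can do what the post describes with the root filesystem's blocks, so the fix is either a narrower label for the partitions that a guest really needs or removing the interface call from that domain.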
Want to know how to make Linux really secure?
http://www.linuxsecurity.com/content/blogcategory/171/167/
Security Enhanced Linux (SE Linux),
a system of security policies developed by the NSA,
lets you secure Linux at every level from the kernel up.
Find out how EnGarde Secure Linux and others
build and maintain a truly secure server environment.
secure virtualization with MAC
selinuxproject.org/page/SVirt