SysAdmin Headlines


Sunday, May 4, 2014

True ZEN of Security. QUBES give you peace of mind.

QUBES: State of the art security

There is an operating system that you should use if you work with sensitive information and want to maintain a high-security environment. It's called Qubes.

Qubes is an open-source operating system designed to provide strong security for desktop computing. Qubes is based on Xen and Linux. It can run Linux applications and most Windows programs. 

My operating system is now a digital fortress.
Starting applications from different domains (AppVMs) is very easy.
In this example, the word processor runs in the “work” domain, which has been assigned the “green” taskbar. It is fully isolated from other domains, such as the “untrusted” domain (red) used for random Web browsing, news reading, as well as from the "work-web" domain (yellow), which is used for work-related Web browsing that is not security critical. Apps from different domains run in different AppVMs. Notice the different color frames (labels) and VM names in the titlebars. These are drawn by the trusted Window Manager.

Windows AppVMs are fully integrated with the rest of the Qubes OS system, which includes things such as secure, policy governed, file copy and clipboard.


Qubes' design is based on an important law of software: all programs contain bugs. Some of these are security vulnerabilities. Your computer can get hacked by viewing a Flash video or using JavaScript in your web browser. Your computer could also get hacked by opening a Microsoft Office document, an Acrobat PDF, or a JPG or GIF image. Most publicly known software vulnerabilities have been fixed if you're using the latest version, but there's always the possibility that there are vulnerabilities that have never been reported to the developers. These are called zero-day vulnerabilities, and agencies like the NSA, the FBI, and criminal hackers spend lots of money to purchase information about them.

If any piece of software gets compromised, your whole computer is compromised. The attacker can look at your files, log your keystrokes, take screenshots, steal your encryption keys, and read the emails that you type before you even have a chance to encrypt them. This is how the NSA's QUANTUM / FOXACID programs hack people's computers. This is also how criminal hackers take control of your computer.

Developers can (and should) try to make their software more secure, but software will never be perfect. Trying not to get hacked is difficult when you have powerful adversaries, yet still have to get work done. Short of never connecting your computer to the internet, the best way to stay secure is to minimize the damage caused when you do eventually get hacked and "sandbox" the most vulnerable programs away from the rest of your computer. Qubes makes this more straightforward than any other operating system I've used.

Xfce 4.10 Window Manager running in Dom0.

Qubes uses virtual machines to let you manage separate “security domains”. A virtual machine (VM) is basically a tiny operating system running inside of your real operating system. If your VM gets hacked, the attacker is able to access the files and read keystrokes in that VM, but not in other VMs or on your host computer. In Qubes all software (besides the desktop environment) is running inside of VMs, and you can easily and efficiently make as many as you need for whatever purposes you need. It's also designed in such a way that if one VM gets infected with malware, the malware won't be there the next time you reboot that VM.

It is always clearly visible to which domain a given window belongs. 

For example, you may want to use an instant messaging application with encryption to chat with people securely. But IM is notorious for its vulnerabilities. Attackers can use a flaw in the program to take over your computer by sending you a weird-looking message. In order to use IM as safely as possible, you can create an AppVM that you use only for IM. If an attacker sends you a weird-looking message that takes over your computer, all it will actually take over is your instant messaging AppVM. The worst that the attacker can do is spy on your chat conversations. Everything else on your computer, such as your work documents, your encryption key, and your passwords, will remain safe from the attacker.

Another useful example: if you're writing a document about a sensitive subject, you can create an AppVM that contains these documents, and any files or drafts associated with the story. If you open a document in this AppVM that tries to phone home to alert someone that it's been opened, it will fail because this AppVM doesn't have internet access. And if you open a malicious document that hacks this AppVM, the malware won't be able to exfiltrate any of your files because it won't have internet access. And finally, if some other part of your computer gets compromised, like your web browser, the attackers won't have access to these sensitive work files.

Disposable VMs are temporary AppVMs that you create for a specific purpose and delete when you're done with them. You can use disposable VMs to open documents that you don't completely trust. If that PDF someone emailed you is actually malicious and tries to take over your computer, it will only take over the disposable VM. But if it actually contains something useful, you'll still be able to read it.

You can do this all on one computer using a single desktop manager. This is one of the most powerful features about Qubes.

In Qubes, you run all your programs in domains. Domains are also called AppVMs because they're implemented as lightweight virtual machines (VMs). Not every app runs in its own VM; each VM represents a security domain. Each domain is based on a single, common TemplateVM. This means that when you create a new AppVM, you don't copy the whole root filesystem needed for this AppVM to work. Each AppVM shares the root filesystem with its respective TemplateVM. An AppVM has read-only access to the filesystem of the Template on which it's based, so an AppVM cannot modify a TemplateVM in any way. This is important, as it means that if an AppVM is ever compromised, the TemplateVM on which it's based will still be safe. It also means that creating a large number of domains is cheap: each one needs only as much disk space as is necessary to store its private files.

In addition to AppVMs and TemplateVMs, there's one special domain called "dom0," which is where the Desktop Manager runs. This is where you log in to the system. Dom0 is more trusted than any other domain. If dom0 were ever compromised, it would be Game Over. The entire system would effectively be compromised. Due to its importance, dom0 has no network connectivity and is used only for running the Window and Desktop Managers. Dom0 shouldn't be used for anything else. In particular, you should never run user applications in dom0. That is what your AppVMs are for.

If you install Qubes using the default options, a few domains have already been created for you:


Each domain has a distinct name, and is also assigned a color label. The trusted window manager uses these colors to draw window decorations (frames) around the windows of applications running in each domain. These allow you to quickly and easily identify the trust level of a given window at a glance. It's natural to associate red with that which is untrusted and dangerous, green with that which is safe and trusted, and yellow and orange with things in the middle. Qubes also extends this scheme to include blue and black, which I interpret as indicating progressively more trusted domains than green, with black being ultimately trusted.

At the moment you have to be pretty tech savvy in order to get the full benefits of Qubes. And it doesn't hurt if you're already a Linux nerd. I think this can be improved, but Qubes will never be a "turn on and forget" security tool. Which security domains each user needs is completely dependent on their preferences and security needs. But if you understand your needs and understand how to use and configure AppVMs to fit them, you'll be able to use your computer with much higher security than if you were using a traditional OS.

The most recent version of QUBES is available here:

Qubes is for staying secure while still being able to use a wide variety of software that might contain zero day vulnerabilities, but it's not for staying anonymous. Qubes supports cool networking tricks, like making an AppVM where all traffic is forced to go through Tor, but this doesn't incorporate most of the anonymity tricks that Tails excels at.

Bottom line

For maximum security, I would recommend that people use Qubes on their computer for all their everyday, non-anonymous needs: checking email, chatting, using social media and browsing the web, developing software, doing research, writing articles. Since you do all of this work in AppVMs that run Linux (and optionally some of it in AppVMs that run Windows), you get the latest and best tools to work with, and it's simple to install new software. For more sensitive needs where anonymity is important, you can use Tor Browser Bundle inside of an AppVM.

TAILS: The Privacy Tool: Critical to Journalists Reporting on the NSA

April 2, 2014
Tails is a Linux operating system that can boot a computer from a DVD or USB stick. It solves many of the problems users have when setting up encryption by doing it right the first time, by default:
  • Very little setup is required.
  • It allows users to encrypt sensitive documents.
  • You don't have to configure any of the settings on any program.
  • It forces all of your web traffic through the Tor anonymity network.
  • It uses GPG encryption and OTR encryption when you are sending an email or an instant message.
Critically, Tails never actually touches your hard drive and securely wipes everything you've done every time you shut it down. This serves two important purposes: first, it helps journalists who are operating in environments or on networks that may already be compromised by governments or criminals. As we learned last week, if you’re working at a big news organization, that’s almost a given. Second, it prevents journalists from leaving any trace of work that they don’t specifically opt-in to leaving. This prevents information leaks in case your computer falls into the wrong hands.
All of these qualities make it an ideal tool for journalists who are either steeped in security training or are coming to encryption for the first time and are a big reason why it won Access's 2014 Innovation Award for Endpoint Security. As always, everyone should remember that no privacy tool—including Tails—can guarantee you 100% security from all adversaries, and like all software, Tails may have vulnerabilities or weaknesses that could be exploited. But that's all the more reason to support the project, so those vulnerabilities can be found and fixed as quickly as possible.
Edward Snowden famously first contacted Laura Poitras using GPG email encryption, which eventually led to her, Glenn Greenwald, and Barton Gellman breaking the biggest story in decades. However, another tool has been even more critical to all of the main NSA journalists, and many people outside the digital security community have never heard of it: Tails, a ground-breaking operating system that forces privacy best-practices by default.

With assurances from the Tails developers and the main players in the NSA revelations, we feel it's safe to tell this story for the first time, and we hope this vital encryption and anonymity project can finally get the credit—and much needed support—it deserves. You can donate to the Tails project by going here.
We asked the three original NSA journalists about how important Tails was to their work. Here's what they had to say:
Laura Poitras:
"I've been reluctant to go into details about the different steps I took to communicate securely with Snowden to avoid those methods being targeted. Now that Tails gives a green light, I can say it has been an essential tool for reporting the NSA story. It is an all-in-one secure digital communication system (GPG email, OTR chat, Tor web browser, encrypted storage) that is small enough to swallow. I'm very thankful to the Tails developers for building this tool."
Glenn Greenwald:
“Tails have been vital to my ability to work securely on the NSA story. The more I've come to learn about communications security, the more central Tails has become to my approach.”
Barton Gellman:
"Privacy and encryption work, but it's too easy to make a mistake that exposes you. Tails puts the essential tools in one place, with a design that makes it hard to screw them up. I could not have talked to Edward Snowden without this kind of protection. I wish I'd had it years ago."

The NSA stories have been the biggest story in journalism in the past decade, yet the tool relied on by the reporters who broke the stories is incredibly underfunded. Tails’ 2013 expense report shows that they only had an operating budget of around 42,000 euros, which is less than $60,000. They have only a handful of core developers and none are able to work full-time because of the lack of funds supporting it.
If you’d like to help journalists uncover more stories like the NSA revelations, help them by helping Tails. You can donate to them right now on our front page, along with other free software projects like Tor, Open WhisperSystems, and the LEAP encryption access project. You can also support Tails’ Knight Open News Challenge proposal, which could also get the Tails team critical funding so they can stay ahead of the security curve.

Thursday, April 10, 2014

Heartbleed may compromise thousands of web sites.

You know a security vulnerability is serious when I start talking about it. Yesterday morning the story broke of a serious encryption flaw called Heartbleed that exists in OpenSSL, the most widely deployed encryption code on the Internet. It is used in everything from web servers, email servers, and instant messaging to VPNs, and more.
When you establish an encrypted connection to a website, be it Google, Facebook or your bank's online branch, the data is encrypted using the SSL/TLS protocol. Many popular web servers utilize the open-source OpenSSL library to do this job for them. Earlier this week, the maintainers of OpenSSL released a fix for a serious bug in the implementation of the TLS feature called "Heartbeat," which could potentially reveal up to 64 kB of server memory to an attacker.
In other words, the flaw could have enabled anyone on the Internet to read the memory of a machine that’s protected by a vulnerable version of the library. In the worst-case scenario, this small block of memory may contain something sensitive – user names, passwords, or even the private key which is used by the server to keep your connection encrypted. In addition, exploiting Heartbleed leaves no traces, so there is no definite way to tell if a server was hacked and what kind of data was stolen.
Here’s the good news: OpenSSL fixed the bug. Here’s the bad news: there is no way to guarantee that those sites and services affected by Heartbleed are implementing the patch that mitigates it. More bad news: apparently the bug is pretty easy to exploit and may have existed for as long as two years. It means that the security certificates of many popular sites may have been stolen, as well as sensitive user data, including passwords.
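To make the Heartbeat bug concrete, here is an added Python model of the pre-fix and post-fix handlers; it is not OpenSSL code, the record layout follows RFC 6520 (type, 16-bit length, payload, at least 16 bytes of padding), and the heap contents and the NEIGHBOUR string are constructed for the demo.

```python
"""Simplified model of the TLS Heartbeat bounds check behind Heartbleed."""
from __future__ import annotations
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16          # RFC 6520 requires at least 16 bytes of padding
HEADER = 1 + 2        # one type byte followed by a two-byte payload length


def build_heartbeat(payload: bytes, claimed_len: int | None = None) -> bytes:
    """Encode a heartbeat request; claimed_len lets a test lie about the size."""
    length = len(payload) if claimed_len is None else claimed_len
    return bytes([HB_REQUEST]) + struct.pack(">H", length) + payload + bytes(PADDING)


def vulnerable_response(memory: bytes, offset: int) -> bytes:
    """Pre-fix behaviour: trust the length field and copy that many bytes
    starting after the header, regardless of how long the record really is.
    `memory` stands in for the process heap; `offset` is where the record sits."""
    length = struct.unpack(">H", memory[offset + 1:offset + 3])[0]
    start = offset + HEADER
    leaked = bytes(memory[start:start + length])   # may run past the record
    return bytes([HB_RESPONSE]) + struct.pack(">H", length) + leaked + bytes(PADDING)


def fixed_response(record: bytes) -> bytes | None:
    """Post-fix behaviour: the claimed payload length must fit inside the
    bytes actually received, padding included; otherwise discard silently."""
    if len(record) < HEADER + PADDING or record[0] != HB_REQUEST:
        return None
    length = struct.unpack(">H", record[1:3])[0]
    if HEADER + length + PADDING > len(record):
        return None                                  # this is the Heartbleed fix
    payload = record[HEADER:HEADER + length]
    return bytes([HB_RESPONSE]) + struct.pack(">H", length) + payload + bytes(PADDING)


def response_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat response."""
    length = struct.unpack(">H", response[1:3])[0]
    return response[HEADER:HEADER + length]


# Constructed demo heap: a 4-byte ping that claims to be 40 bytes long, sitting
# right before data the server never meant to send to anyone.
NEIGHBOUR = b"user=alice;password=hunter2;"          # constructed, not real data
LYING_RECORD = build_heartbeat(b"ping", claimed_len=40)
HONEST_RECORD = build_heartbeat(b"ping")
HEAP = LYING_RECORD + NEIGHBOUR


def demo() -> tuple[bytes, bytes | None, bytes]:
    """Returns (what the old code leaks, what the fix returns for the same
    record, what the fix returns for a well-formed record)."""
    leaked = response_payload(vulnerable_response(HEAP, 0))
    rejected = fixed_response(LYING_RECORD)
    honest = response_payload(fixed_response(HONEST_RECORD))
    return leaked, rejected, honest


if __name__ == "__main__":
    leaked, rejected, honest = demo()
    print("vulnerable handler echoed:", leaked)
    print("fixed handler on the same record:", rejected)
    print("fixed handler on a well-formed record:", honest)
```

The leak in the model is bounded by the size of the constructed heap; in the real library it was bounded only by the 16-bit length field, which is where the 64 kB figure comes from.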

The action plan for the user

  • Check if your favorite site was vulnerable. There are online tools to check for the presence of the vulnerability, but you also need to know whether it was present before. Luckily, there is a long list of popular websites that were checked against the vulnerability. Good news: Facebook and Google are unaffected. Bad news: Yahoo, Flickr, Duckduckgo, LastPass, Redtube, OkCupid, Hidemyass, 500px and many others were vulnerable. Get ready to act if you have an account on those vulnerable sites.
  • Check if the site is vulnerable now. There is a simple tool for that.
  • When site owners fix the bug, they must consider re-issuing site certificates as well. So get ready to monitor the server certificate and make sure you're using a new one (issued on April 8th or later). To do this, enable the certificate revocation check in your browser. Here is the sample from Google Chrome settings:
  • This will prevent your browser from using old certificates. To check the certificate issue date manually, click the green lock in the address bar and click the "information" link on the "Connection" tab:
  • The most important step, once the server is patched and the certificate is updated, is to change your password immediately. Use this opportunity to revise your password policy and start using simple-to-remember yet strong passwords.

Wednesday, April 9, 2014

Heartbleed Bug: serious OpenSSL vulnerability

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected by the SSL encryption used to secure the Internet. SSL provides security and privacy for applications such as web, email, instant messaging (IM) and virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the user names and passwords, instant messages, emails and business critical documents and communication protected by the vulnerable versions of the OpenSSL software. It compromises the secret keys used to identify the service providers and to encrypt the traffic. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

I have been compiling code for over 15 years. If you have servers or applications that use the SSLEAY libraries, your app is vulnerable. Call me at (831) 531-4107. I CAN HELP YOU FIX THIS.

Tuesday, November 12, 2013

Nagios is the shiznit..

Nagios is a powerful monitoring system that enables organizations to identify and resolve IT infrastructure problems before they affect critical business processes. Nagios gives you the peace of mind that comes from knowing your organization's business processes won't be affected by unknown outages.

Nagios is a powerful tool that provides you with instant awareness of your organization's mission-critical IT infrastructure. Nagios allows you to detect and repair problems and mitigate future issues before they affect end-users and customers.

What Nagios Provides

By using Nagios, you can:
  • Plan for infrastructure upgrades before outdated systems cause failures
  • Respond to issues at the first sign of a problem
  • Automatically fix problems when they are detected
  • Coordinate technical team responses
  • Ensure your organization's SLAs are being met
  • Ensure IT infrastructure outages have a minimal effect on your organization's bottom line
  • Monitor your entire infrastructure and business processes

How It Works

IT staff configure Nagios to monitor critical IT infrastructure components, including system metrics, network protocols, applications, services, servers, and network infrastructure.

Nagios sends alerts when critical infrastructure components fail and recover, providing administrators with notice of important events. Alerts can be delivered via email, SMS, or custom script.

IT staff can acknowledge alerts and begin resolving outages and investigating security alerts immediately. Alerts can be escalated to different groups if they are not acknowledged in a timely manner.

Reports provide a historical record of outages, events, notifications, and alert response for later review. Availability reports help ensure your SLAs are being met.

Scheduled downtime prevents alerts during scheduled maintenance and upgrade windows.

Monday, December 26, 2011

Raspberry Pi anyone?

This thing is a game changer for the PC industry: a single-board computer for general-purpose applications, due out next month. It is the size of a credit card, has tons of applications, and has unmistakable geek cred. It will run off AA batteries or a 5-volt wall wart. It has HDMI video, audio, USB, an SD card slot, and Ethernet. It costs 35 bucks and boots in about 25 seconds. Read more here:

Ultra-low-power and very compact, the Raspberry Pi is expected to ship next month, and has a wide range of applications, including media server, Linux desktop, applications development, router/firewall, and multi-blade servers. This little guy could change the world. The manufacturer's web site is here: