Youry's Blog


Archive for the ‘Security’ Category

More than 6 million LinkedIn passwords stolen (By David Goldman @CNNMoneyTech June 7, 2012)


More than 6 million LinkedIn passwords stolen By David Goldman @CNNMoneyTech June 7, 2012: 9:34 AM ET

Surprise! I thought that LinkedIn had good security. They have a lot of IT professionals and probably not a bad budget for IT. Sorry for them. I have already changed my password for a new one, but I still need to update all my passwords on other sites. I think this is the time when we should use only generated passwords and store them in an online system which has very good protection and security. It’s difficult but possible. At least one company or organization should have good security, even if not for free. I think everybody would agree to pay a couple of dollars per year to protect all their accounts and passwords. There are hundreds of millions of users on the Internet. I think this is a good multi-hundred-million business for one website.

Youry

Written by youryblog

June 13, 2012 at 2:15 PM

IBM Bans Apple’s Siri on Big Blue Networks for Security Reasons


IBM Bans Apple’s Siri on Big Blue Networks for Security Reasons:

“IBM has banned Apple’s Siri digital assistant–along with other apps and services–from its networks out of concern for security and privacy. Big Blue realizes the move to enable workers to bring their own devices to work offers both benefits and challenges.”

see more here http://www.eweek.com/c/a/Security/IBM-Bans-Apples-Siri-on-Big-Blue-Networks-for-Security-Reasons-830647/?kc=EWKNLEDP05242012B

Written by youryblog

May 24, 2012 at 1:27 PM

Posted in IT, Security, SecurityNews

“We need good code” – “In Black Hat keynote, Whitfield Diffie formulates three rules for making applications secure in the age of the Internet”


see more here: http://www.infoworld.com/d/security/cryptography-pioneer-we-need-good-code-188666

March 14, 2012

Cryptography pioneer: We need good code

In Black Hat keynote, Whitfield Diffie formulates three rules for making applications secure in the age of the Internet

By Loek Essers | IDG News Service
1. “First you have to know what you have to do.” If a developer knows exactly what the purpose of the application is going to be, the software becomes more secure.

2. Programmers need to write good code, Diffie said.

3. “All good code is expensive,” and more money should be spent on writing really good code so applications can become secure, he said.


From me personally: I think the idea of having Good Code is a GOOD IDEA 🙂

Thanks,

Youry

Written by youryblog

March 19, 2012 at 9:48 PM

Application Development: Skype, NYSE Error Top List of 13 Big Programming Failures of 2010


Application Development: Skype, NYSE Error Top List of 13 Big Programming Failures of 2010
http://www.eweek.com/c/a/Application-Development/Skype-NYSE-Error-Top-List-of-13-Big-Programming-Failures-of-2010-119831/?kc=EWKNLBOE01072011STR1
By Darryl K. Taft on 2011-01-03

Thank you very much to Darryl K. Taft for the very interesting information about bugs. An excerpt from his article is below, but I recommend watching his slideshow on the original website. I made this excerpt for my research purposes only, so that I don’t have to watch his slideshow several times.

“… New York Stock Exchange (NYSE) systems, a Skype crash, problems with Chase online banking, faulty automobile systems at Toyota and privacy breaches… The Skype outage, which affected a large number of Skype’s 560 million users, resulted from a bug in the Windows version of the software.
Software application defects are inevitable, but developers have a better chance of catching them if they use enhanced debugging and code analysis platforms and employ Agile methods.”

and some others:
# McAfee’s Glitch: a software update to protect computers against a list of malicious files causing affected computers to shut down and start on a continuous reboot cycle.
# Russian Satellite: In December after the successful launch of the final three GLONASS navigation satellites a programming error caused the carrier rocket to veer off course and lose the Proton-M booster rocket carrying the satellites in the Pacific Ocean north of Hawaii.
# NYSE Timing Error: A timing error on a software update at NYSE Euronext’s electronic Arca exchange prompted an exchange-traded fund tracking the Standard & Poor’s 500 index to drop nearly 10 percent.
# Android Kernel Bug: In November, an analysis of the kernel used in Google’s Android smartphone software turned up 88 high-risk security flaws that could be used to expose users’ personal information.
# Facebook Privacy CSRF: It was discovered that Facebook had a cross-site request forgery flaw that could have allowed hackers to alter profile information and change privacy settings for individual pages.
# Chase Online Banking: Software from a third-party database company corrupted information in Chase systems and prevented users from logging on. The service was down for two days and had an impact on millions of customers.
# Toyota Electronic Data Recorder: A software bug in electronic data recorders for Toyota (the black box that records the speed of the automobile) was found to have created incorrect readouts.
# AT&T: exposed a flaw in the software for Alcatel-Lucent’s 3G network equipment, causing users of iPhone4G to experience abnormally slow upload speeds.
# Google Street View: Early in 2010, Google admitted that for the last three years it had been inadvertently collecting private data from WiFi networks as part of its Street View data collection activities.
# German Credit Cards Get Hit with the 2010 Bug: At the beginning of the year, 30 million German credit and debit cards were affected by a software bug that prevented the microchips in the cards from recognizing the year change.
# Windows vs. Linux Supercomputing Flaw: Windows and Linux went head-to-head in a contest for supercomputing speed, but a software bug in the package designed to run the Microsoft test seems to have kept Windows from beating (or at least matching) Linux.
# Medical-Device Recalls: In mid-2010, there were a number of emergency-response systems in the Midwest that malfunctioned around the times of tornadoes and other natural disasters that were software-related. We also saw a number of medical-device-related recalls, like the CareFusion electronic drug-infusion pumps and software issues related to recalled Baxter dialysis machines.

Written by youryblog

January 7, 2011 at 3:45 PM

Why Are Health Data Leaking Online? Bad Software, Study Says


http://blogs.wsj.com/digits/2011/01/03/why-are-health-data-leaking-online-bad-software-study-says/?KEYWORDS=security
By Jennifer Valentino-DeVries

They say that “Health documents with sensitive patient information can be found in “peer-to-peer” networks, which people typically use to share music files and the like. The issue can arise when health workers transfer data from firms’ proprietary software to their home computers. If they or someone in their family uses file-sharing software, files can be picked up.”

“Johnson says the biggest culprit for data leakage is hard-to-use software… poorly designed programs force health care industry employees to download files onto their home computers, where they are often forgotten. Johnson says that switching to cloud computing technology would make it possible for smaller businesses to have access to software that is easier to use. However, he notes that cloud computing also opens data up to other threats, including large-scale hackers.”

Written by youryblog

January 7, 2011 at 3:16 PM

Secure Erase in UNIX


I found that this is not a trivial procedure, especially for UNIX journalled file systems. See:

“One major problem with all of these utilities is that most modern file systems use techniques called “journalling” or “logging” to help prevent file system corruption. Unfortunately, these techniques can also make it nearly impossible to ensure that all traces of a file’s data get overwritten unless you are willing to completely wipe out all data on the disk. Operating system buffers, hardware caches, “bad block” lists and file system corruption (e.g., orphaned inodes which are neither in a file nor in the disk’s free space) can also interfere with the proper operation of these utilities.” http://www.slac.stanford.edu/comp/unix/secure-erase.html

Securely Erasing files:
find directory -type f -print0 | xargs -0 shred --remove
rm -rf directory

Securely Erasing free space:
scrub -X /scratch/junk
rm /scratch/junk
but I got this error: “scrub: -X argument cannot exist” and didn’t find any solution.
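As an added example (not from the original post), a small pre-flight wrapper for scrub -X. It assumes, as the scrub man page describes, that scrub -X creates the named directory itself and fills it with files until the file system is full, which is why it refuses a path that already exists; check_scrub_target and scrub_free_space are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: scrub -X creates the
# named directory itself and fills it until the file system is full, so it
# refuses a path that already exists ("scrub: -X argument cannot exist").
# Pass a path that does NOT exist yet, inside the file system whose free
# space you want to wipe.

# Returns 0 if "$1" is a usable scrub -X target: it must not exist yet, and
# its parent must be a writable directory. Prints the reason on failure.
check_scrub_target() {
    target=$1
    parent=$(dirname "$target")
    if [ -e "$target" ]; then
        echo "refusing: $target already exists; scrub -X creates it itself" >&2
        return 1
    fi
    if [ ! -d "$parent" ] || [ ! -w "$parent" ]; then
        echo "refusing: parent $parent is not a writable directory" >&2
        return 1
    fi
    return 0
}

# Wipe the free space of the file system containing the parent of "$1"
# with scrub -X, then sync so buffered writes reach the disk.
scrub_free_space() {
    check_scrub_target "$1" || return 1
    scrub -X "$1" && sync
}

# Usage: scrub_free_space /scratch/wipe-tmp   (must not exist beforehand)
```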

Securely Erasing an entire partition or disk:

In addition to the explanation below, I would suggest migrating any journalled partition to ext2 on the fly and then doing what is recommended below:
(from http://www.distrostop.org/forums/index.php?topic=6573.0)

Open a console, as root, convert ext3 to ext2:
tune2fs -O ^has_journal /dev/sdb1
and then:
e2fsck /dev/sdb1
You will also need to amend /etc/fstab (as root) in your favourite text editor to change the entry to ext2. Once you have used the shred command you need to re-convert the file system back to ext3:
tune2fs -j /dev/sdb1

or, as in my case, make an ext2 file system from scratch with: sudo mkfs.ext2 /dev/sdb1

From http://www.linuxquestions.org/questions/linux-security-4/secure-unused-disk-space-wipes-dd-and-shred-627070/:
The intent is to securely wipe a single partition (/dev/hda1).
Method 1: dd if=/dev/urandom of=/dev/sdb1
Method 2:
sudo mount /dev/sdb1 /mnt/extra
dd if=/dev/zero of=/mnt/extra/foo.img
shred -uvz -n 7 /mnt/extra/foo.img

[Method 1] will write 1 pass, Method 2 creates a fake file (foo.img) until the disk is full, then uses shred to delete that file 7 times.
Does that mean that Method 2 is superior to a dd pass?

Written by youryblog

December 4, 2010 at 1:34 PM

Auto SSH Login without Password


1. ssh tunneling http://www.revsys.com/writings/quicktips/ssh-tunnel.html

2. How to check tunnel: http://wiki.metawerx.net/wiki/SSHTunnel

Not everything works in Fedora, but this one works very well, at least in Fedora 13. Good paper:
http://linuxtoolkit.blogspot.com/2009/05/auto-ssh-login-without-password.html
Step 1: At the Host Machine
1. Logon to the root home directory.
2. Make sure the hidden .ssh directory has the permission 700. If not execute the command
chmod 700 .ssh
3. Change Directory to .ssh directory by executing the command
cd .ssh
4. Generate the public-private keys using the ssh-keygen command.
# ssh-keygen -t rsa
5. The resulting files are id_rsa (the private key) and id_rsa.pub (the RSA public key). Copy the public key to the remote server, either with ssh-copy-id:
# ssh-copy-id -i ~/.ssh/id_rsa.pub remote-host
or manually:

scp ~/.ssh/id_rsa.pub user@remote.host:pubkey.txt
ssh user@remote.host
mkdir ~/.ssh
chmod 700 .ssh
cat pubkey.txt >> ~/.ssh/authorized_keys
rm ~/pubkey.txt
chmod 600 ~/.ssh/*
exit
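The manual copy steps above, as an added example (not from the original post or the linked article): a POSIX shell function that installs a public key into authorized_keys on the remote host idempotently and sets the directory and file modes that sshd's StrictModes checks. The function names, the assumed pubkey.txt input and the key line used for testing are constructed here.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: run on the remote
# host with the public key already copied there (e.g. ~/pubkey.txt from the
# scp step); HOME may be overridden for testing.

# Returns 0 if "$1" is one line that looks like an OpenSSH public key:
# key type, base64 blob, optional comment.
is_pubkey_line() {
    case "$1" in
        "ssh-rsa "*|"ssh-ed25519 "*|ecdsa-sha2-*" "*|"ssh-dss "*) ;;
        *) return 1 ;;
    esac
    [ "$(printf '%s\n' "$1" | wc -l)" -eq 1 ]
}

# install_pubkey PUBKEY_FILE: creates ~/.ssh (mode 700), appends the key to
# ~/.ssh/authorized_keys unless it is already there, and sets the mode of
# authorized_keys to 600. Returns 1 on a missing or malformed key file.
install_pubkey() {
    key=$(cat "$1") || return 1
    is_pubkey_line "$key" || { echo "not a public key: $1" >&2; return 1; }
    sshdir="$HOME/.ssh"
    auth="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth"
    # -x: whole-line match, -F: fixed string, so a key is added only once
    if ! grep -qxF "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    chmod 600 "$auth"
}

# Counts how many times the key in "$1" appears in authorized_keys.
count_pubkey() {
    grep -cxF "$(cat "$1")" "$HOME/.ssh/authorized_keys"
}

# Usage on the remote host: install_pubkey ~/pubkey.txt && rm ~/pubkey.txt
```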

See more here: http://www.mtu.net/~engstrom/ssh-agent.php

Some extra steps should be done:
Start the ssh-agent:
eval `ssh-agent`
ssh-add   # add your private key to the agent’s cache

Test the connection again

Setup an automated start-agent script:
First, click here for his sssha script. It is a BASH shell script, so if you use a different login shell, you will have to modify it. Once you download it, place it in your ~/.ssh/ directory and add this to your ~/.bashrc configuration script, presumably at or near the end:

# setup ssh-agent, if appropriate
if [ -f "$HOME/.ssh/sssha" ]; then
    source "$HOME/.ssh/sssha"
fi

Finally, if you are truly paranoid, make sure to kill your ssh-agent when you are done using any machine on which you have started one. This can be accomplished most simply with ssh-agent -k.

Note: I personally prefer to add an alias to the .bashrc profile:
alias ssha='eval `ssh-agent`; ssh-add'

and run it manually when I need it.

Written by youryblog

November 19, 2010 at 10:29 AM