University of Kent 2013 - CO899 System security
Presentation of the article:
Salah K, et al, Computers & Security (2012), http://dx.doi.org/10.1016/j.cose.2012.12.001
For a college class: Hacking Mobile Devices at CCSF
Based on "The Mobile Application Hacker's Handbook 1st Edition", by Dominic Chell
Instructor: Sam Bowne
More info: https://samsclass.info/128/128_S19.shtml
This document provides an overview of a training course on system and network security for Windows 2003/XP/2000. It discusses what the course will cover, including the native security features of these Windows operating systems, how to lock down and secure Windows systems, and vulnerabilities and countermeasures. It also summarizes new and modified security features in Windows Server 2003 such as the Common Language Runtime, Internet Connection Firewall, account behavior changes, and enhancements to Encrypted File System, IPSec, authorization manager, and IIS 6.0.
07182013 Hacking Appliances: Ironic exploits in security products - NCC Group
The document discusses security vulnerabilities found in various security appliance products. It describes easy password attacks, cross-site scripting vulnerabilities with session hijacking, lack of account lockouts, and other issues found across email/web filtering, firewall, and remote access appliances from vendors like Barracuda, Symantec, Trend Micro, Sophos, Citrix, and others. Many appliances were found to have command injection flaws allowing root access. Vendors' responses to reported vulnerabilities varied, with some issues getting addressed within months while others saw no fixes. The author advocates defense-in-depth practices and keeping appliances updated with vendor patches.
Ch 8: Desktop and Server OS Vulnerabilities - Sam Bowne
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
This document discusses exploiting Android devices through practical physical and remote attacks. It covers bypassing lock screens through USB debugging bugs, removing key files, and abusing application issues. Remote exploits discussed include browser and application memory corruption, JavaScript interface attacks, and maintaining privileged access through "minimal su". The document also mentions man-in-the-middle exploits and privilege escalation techniques.
CNIT 123: 8: Desktop and Server OS Vulnerabilities - Sam Bowne
Slides for a college course based on "Hands-On Ethical Hacking and Network Defense, Second Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 1133935613
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/123/123_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
For a college course at Coastline Community College taught by Sam Bowne. Details at https://samsclass.info/125/125_F17.shtml
Based on: "CISSP Study Guide, Third Edition"; by Eric Conrad, Seth Misenar, Joshua Feldman; ISBN-10: 0128024372
Andy Davis' Black Hat USA Presentation: Revealing embedded fingerprints - NCC Group
The document discusses techniques for fingerprinting operating systems and applications based on their responses during the USB enumeration process. It describes how small differences in the ordering and types of descriptor requests, timing information, and responses to invalid data can be used to identify the OS or application interacting with a USB device. The document also summarizes an exploit against the Windows 8 RNDIS driver that allows overwriting kernel memory by manipulating fields in the USB configuration descriptor.
This document provides an overview of BitLocker encryption in Windows and discusses:
- Why encryption is needed to protect lost or stolen devices and secure data.
- The basics of how BitLocker works, including how the full volume encryption key (FVEK) is wrapped by the volume master key (VMK), which is in turn sealed by the TPM rather than stored on it.
- Different protector options for the master key like passwords, USB keys, and TPM authentication.
- Ways an attacker could try to bypass BitLocker including guessing passwords, DMA attacks to access memory, and cold boot attacks.
- Recommendations for implementing BitLocker securely including using a TPM without additional authentication for most devices and disabling DMA ports.
The document discusses shielded virtual machines (VMs) which are a new security feature in Windows Server 2016 that protects VMs from potential compromise of the host machine. Shielded VMs use virtual secure mode and virtual trust levels to isolate VM memory and processors from the host. The host guardian service verifies that the host is authorized to run a shielded VM by checking a store of keys for trustworthy hosts.
CSF18 - The Night is Dark and Full of Hackers - Sami Laiho - NCCOMMS
This document provides security tips and recommendations from Sami Laiho, a senior technical fellow specializing in Windows security. Some of the key recommendations include: implementing whitelisting like AppLocker and following the principle of least privilege; using Windows 10 Enterprise over Windows 7 for improved security features; choosing hardware with TPM and virtualization support; applying full disk encryption with BitLocker; restricting administrative access and using tools like Avecto DefendPoint for privilege elevation; and implementing password policies and end user training. Contact information is provided to learn more about security training and services.
System Hardening Recommendations_FINAL - Martin Evans
The document provides system hardening recommendations for Windows 7 workstations and Windows Server 2012 at Verisk Health. It includes recommendations for account policies, local policies, Windows Firewall settings, network list manager policies, and public key policies. The recommendations aim to enhance security by restricting user permissions, enabling encryption, and locking down network access and system objects. Implementing the changes would help protect sensitive data like PHI and PII but also require carefully considering each setting's potential impact.
The document discusses various topics related to web application security including authenticating users, SSL protocol, padlock icons, user interface attacks, and Pretty Good Privacy (PGP). It provides details on cookie-based and token-based authentication, how SSL works to establish encrypted links, different padlock icons and what they indicate, types of user interface attacks like clickjacking and cursorjacking, and how PGP provides authentication, confidentiality, compression and compatibility for securing emails.
This document discusses various techniques for sandboxing untrusted code, including chroot jails, system call interposition, virtual machines, and software fault isolation. It notes that completely isolating applications is often inappropriate, as they need controlled ways to communicate. The key challenges are implementing reference monitors to enforce isolation policies and specifying the right policy for each application to define what behavior is allowed.
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
This document provides a checklist for hardening the security of Windows Server systems. It outlines best practices for organizational security, preparing, installing, and configuring Windows Server, as well as user account, network, registry, and general security settings. It also addresses audit policy, software security, and finalization steps like imaging servers. Implementing the guidelines can help reduce security vulnerabilities and the risk of attacks compromising critical systems and data.
Matt Oh, Microsoft
We are seeing new techniques used every day by malware, but it is very hard to find any impressive techniques used in the wild. Recently there was a huge buzz about the Detrahere malware, which used internally known issues with certificate signing in Windows 10 kernel drivers. Even though the certificate check bypass technique itself is very interesting, I also found that the tactics used by the malware are more impressive. Even though the malware is mainly focused on ad-hijacking functionality through Netfilter driver installation, it also has rootkit abilities through file system driver hooking. This feels like the old days coming back with various new arsenals. The rootkit detects kernel debugging settings and will destroy the system when it finds them. The unpacking process can be a very challenging job, too, as it uses a kernel driver image hollowing technique (something similar to process hollowing) to deobfuscate itself and run unpacked code. Our PatchGuard doesn't seem to trigger on this action, because all the sections are pre-allocated with execute permission already.
Through this talk, I want to present various techniques used by this malware, focusing on kernel-level obfuscation and anti-analysis tactics. This will give us new insights into how new Windows rootkit malware might look in the future and how detecting it in security systems and detonation systems can be a challenge.
This document discusses various web application security topics including SQL injection, cross-site request forgery (CSRF), cross-site scripting (XSS), session tokens, and cookies. It provides examples of each type of attack, how they work, their impact, and strategies for prevention. Specific topics covered include SQL injection examples using single quotes, comments, and dropping tables; CSRF examples using bank transfers and router configuration; and XSS examples using persistent, reflected, and DOM-based techniques.
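The single-quote and comment-based SQL injection that the summary above lists, shown as an added example rather than code from the summarized slides: a login check built by string concatenation next to the parameterized form that closes the hole. The table, its two rows and the injected strings are constructed for this example; the database is an in-memory SQLite instance.

```python
# Added example (not from the summarized document): SQL injection via a
# concatenated WHERE clause, and the parameterized query that prevents it.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed sample user table (data made up for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "S3cret!Pass"), ("alice", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-concatenated query: attacker-controlled text becomes SQL syntax."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: values travel separately from the SQL text, so a
    quote or a '--' comment marker in the input is just a character."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def demo() -> dict:
    """Run both checks against the two classic payloads and a genuine login."""
    conn = make_db()
    # admin'--  closes the string literal and comments out the password test.
    comment_bypass = "admin'--"
    # ' OR '1'='1  turns the WHERE clause into a tautology for every row.
    tautology = "' OR '1'='1"
    return {
        "vuln_comment": login_vulnerable(conn, comment_bypass, "wrong"),
        "vuln_tautology": login_vulnerable(conn, tautology, tautology),
        "safe_comment": login_safe(conn, comment_bypass, "wrong"),
        "safe_tautology": login_safe(conn, tautology, tautology),
        "safe_real": login_safe(conn, "admin", "S3cret!Pass"),
    }
```

The stacked-query `'; DROP TABLE users; --` variant the summary also mentions depends on the driver accepting several statements in one call; Python's `sqlite3.Connection.execute()` refuses that, while many other drivers and `executescript()` do not, so the parameterized form is the fix to rely on rather than driver behaviour.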
Enterprise PowerShell for Remote Security Assessments - EnclaveSecurity
The document discusses using PowerShell for remote security assessments. It describes using SSH with PowerShell to remotely manage Windows and Unix machines. A better solution is to use Windows Remote Management (WinRM) and WS-Management to create PowerShell sessions on remote machines, allowing administrators to run commands and scripts remotely with the same syntax. Examples are provided for using PowerShell to generate user lists, scan for malicious processes, kill processes, and parse event logs across multiple remote machines.
This document discusses various types of malware behaviors including downloaders and launchers, backdoors, credential stealers that use techniques like GINA interception, hash dumping tools like Pwdump, keystroke loggers, and persistence mechanisms like registry modifications and DLL load-order hijacking. It also covers user-mode rootkits that hide malware by hooking the import address table or inline hooking API functions.
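The DLL load-order hijacking persistence technique named above, as an added example (not code from the summarized document): a checker that, given a program's imported DLL names, the listing of its own directory, the listing of the system directory and whether the program directory is writable by ordinary users, reports which imports an attacker could plant or may already have shadowed. The import list, directory listings and the subset of the KnownDLLs list are constructed assumptions; real use would read them from the PE import table, the file system and HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.

```python
# Added example (not from the summarized document): flag DLL search-order
# hijack candidates. Under the default SafeDllSearchMode order, a DLL named by
# bare file name is looked for in the application directory before System32;
# entries in KnownDLLs are always taken from System32 and are exempt.
from typing import Iterable, List, Set, Tuple

# Assumed subset of the KnownDLLs list on a modern Windows system.
KNOWN_DLLS: Set[str] = {
    "kernel32.dll", "ntdll.dll", "user32.dll",
    "advapi32.dll", "gdi32.dll", "ole32.dll",
}


def hijack_candidates(
    imports: Iterable[str],
    app_dir_listing: Iterable[str],
    system_dir_listing: Iterable[str],
    app_dir_writable: bool,
    known_dlls: Set[str] = KNOWN_DLLS,
) -> Tuple[List[str], List[str]]:
    """Return (plantable, shadowing).

    plantable : imported, not a KnownDLL, absent from the app directory, and
                the app directory is writable, so a low-privileged user can
                drop a same-named DLL that wins over the System32 copy.
    shadowing : imported, present in the app directory *and* in System32, so
                the local copy already overrides the system one; verify its
                signature and hash before trusting it.
    """
    wanted = {d.lower() for d in imports}
    local = {f.lower() for f in app_dir_listing}
    system = {f.lower() for f in system_dir_listing}
    plantable, shadowing = set(), set()
    for dll in wanted:
        if dll in known_dlls:
            continue  # loaded from System32 regardless of search order
        if dll in local:
            if dll in system:
                shadowing.add(dll)
        elif app_dir_writable:
            plantable.add(dll)
    return sorted(plantable), sorted(shadowing)


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: an app in a world-writable directory."""
    imports = ["KERNEL32.dll", "VERSION.dll", "dwmapi.dll",
               "cryptbase.dll", "app-helper.dll"]
    app_dir = ["app.exe", "app-helper.dll", "dwmapi.dll"]
    system_dir = ["kernel32.dll", "version.dll", "dwmapi.dll", "cryptbase.dll"]
    return hijack_candidates(imports, app_dir, system_dir, app_dir_writable=True)
```

The check ignores loads by absolute path, manifests and side-by-side assemblies, and DLLs loaded dynamically at run time, so treat a clean result as "nothing obvious in the static imports" rather than a proof of safety.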
This document discusses security considerations for Docker containers. It covers three main aspects: securing the platform/infrastructure by hardening the Docker engine and hosts; securing container content through image management, content trust, and secrets management; and securing access and operations through authentication, authorization, access control, auditing, and multi-tenancy. While containers provide isolation and security benefits, the document emphasizes that containers must still follow security best practices to prevent compromise, especially as container usage evolves from individual services to larger applications.
Container security: Familiar problems in new technology - Frank Victory
Container adoption is on the rise across companies of every size and industry. While containerization is a new and exciting paradigm, it brings with it some of the same technical and organizational issues that security teams have always faced. This presentation will dive into a selection of these familiar issues and suggested solutions to help security teams get a better handle on containers and keep up with the deployment pace that DevOps requires.
Check out the Denver Chapter of OWASP!
meetup.com/denver-owasp and our annual conference
www.snowfroc.com
This document discusses various ways that back-end components of web applications can be attacked by injecting malicious code or commands. It provides examples of how user input could be used to exploit vulnerabilities in OS commands, scripting languages, file paths, HTTP requests, and SMTP mail services. The key risks are command injection, path traversal, remote file inclusion, XML external entity injection, and HTTP/SMTP parameter injection. The document also offers suggestions for preventing these attacks, such as input validation, output encoding, and limiting file system and network access.
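Two of the back-end injection classes listed above, path traversal and OS command injection, handled by a small reference monitor of the kind the sandboxing summary earlier on this page describes: a policy check that every request passes before it reaches the file system or a process. This is an added example, not code from either summarized document. The document root, the permitted command, the hostname grammar and the sample inputs are assumptions made for the example.

```python
# Added example (not from the summarized documents): a reference monitor for
# file reads and command execution. Each entry point validates against an
# explicit policy and raises PolicyViolation instead of passing the input on.
import os
import re
import shlex
from typing import Callable, List

# Hypothetical directory that web requests may read files from.
DOC_ROOT = os.path.realpath("/srv/webapp/files")

# Hostnames and IPv4 literals only: no whitespace, quotes, ';', '|', '$', '`'.
# The first character must be alphanumeric, so a value can never start with
# '-' and be parsed as an option by the command it is passed to.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,253}[A-Za-z0-9])?$")


class PolicyViolation(Exception):
    """Raised when a request falls outside the monitor's policy."""


def resolve_under(root: str, user_path: str) -> str:
    """Map a user-supplied relative path to an absolute path inside root.

    realpath() collapses '..', '.', repeated separators and, for paths that
    exist, symlinks; commonpath() then confirms the result never left root.
    """
    if os.path.isabs(user_path) or "\x00" in user_path:
        raise PolicyViolation("absolute path or NUL byte rejected")
    candidate = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, candidate]) != root:
        raise PolicyViolation("path traversal rejected: " + user_path)
    return candidate


def build_ping_argv(host: str, count: int = 1) -> List[str]:
    """Return an argv list for ping; never a shell command string.

    Rejecting anything outside HOST_RE stops '; cat /etc/passwd', '$(id)',
    backticks and pipes; handing the list to subprocess.run(argv) with the
    default shell=False means no shell ever parses the value at all.
    """
    if not HOST_RE.match(host):
        raise PolicyViolation("host rejected: " + shlex.quote(host))
    if not 1 <= count <= 5:
        raise PolicyViolation("count out of range")
    return ["ping", "-c", str(count), host]


def is_rejected(fn: Callable, *args) -> bool:
    """True if the monitor refuses the call (used to exercise the policy)."""
    try:
        fn(*args)
    except PolicyViolation:
        return True
    return False
```

Note the order in `resolve_under`: normalize first, compare second. Checking the raw string for `..` is the weaker approach, since `....//`, URL-encoded separators and symlinks all slip past a textual filter but not past a comparison of the resolved path.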
The document discusses securing classified networks and sensitive data through the use of a Secure Network Access Platform (SNAP). SNAP allows users to securely access multiple isolated security domains from a single thin client desktop while preserving network isolation. It implements role-based access control, mandatory access controls, and label-based security to control access between security domains. SNAP leverages the security capabilities of the Solaris 10 operating system with Trusted Extensions to provide a certified, multi-level secure computing environment for government users.
z/OS Authorized Code Scanner (zACS) is a tool for testing Program Calls (PCs), Supervisor Calls (SVCs) and a client's own authorized code, producing diagnostic information for subsequent investigation as needed.
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015 - Jan Ketil Skanke
The document discusses several new security features in Windows 10 including Credential Guard, Microsoft Passport, Device Guard, Enterprise Data Protection, and Windows Hello. Credential Guard isolates credential material and passwords from malicious or compromised processes and apps. Microsoft Passport aims to create a world without passwords by utilizing familiar devices secured by hardware for user credentials. Device Guard uses virtualization-based security and Windows Defender to help protect systems from malware and zero-day attacks. Enterprise Data Protection separates and contains corporate data on devices to protect it wherever it resides. Windows Hello allows biometric and PIN sign-in for convenient and secure user authentication.
Eamonn O Raghallaigh: The Major Security Issues In E-Commerce - EamonnORagh
The document discusses security issues and risks facing the e-commerce industry. It covers fundamental security requirements like privacy, integrity, authentication, and non-repudiation. Examples are given of security breaches like a data theft from an Irish jobs website. Different types of technical attacks are outlined such as denial of service attacks, brute force attacks, and distributed denial of service attacks. Non-technical threats like phishing and social engineering are also discussed. The conclusion states that the e-commerce industry faces ongoing security challenges due to increasing attacker knowledge and novel strategies, and recommends multi-layered security, privacy policies, and strong authentication/encryption to minimize risks.
This document provides an overview of Linux security and auditing. It discusses the history and architecture of Linux, important security concepts like physical security, operating system security, network security, file system security and user/group security. It also describes various Linux security tools that can be used for tasks like vulnerability scanning, auditing, intrusion detection and password cracking.
Slide deck on the security aspects of using Open Source Software. Focused on the Apache HTTP Server project, this deck discusses general topics like what Open Source software is, what the prevailing myths surrounding it are and how the open development process works to ensure the result is secure.
Linux and Windows are both operating systems but have key differences. Linux was first released in 1991 as an open source OS developed by Linus Torvalds, while Windows was first released in 1985 as a proprietary OS developed by Microsoft. Linux can be freely downloaded and distributed, though some paid versions exist, while Windows is more expensive to obtain. Both OSes can be used by home and business users but run on different hardware, with Linux supporting more devices.
The document summarizes key points about privacy in e-commerce from a presentation given by Aleksandr Yampolskiy, head of security and compliance at Gilt Groupe. It discusses how much personal information is readily available online, the difference between privacy and security, why people disclose personal information, challenges with privacy in e-commerce, and solutions companies can implement like having a clear privacy policy and controlling access to customer data.
Report of Advanced car security system major project - Ami Goswami
The Arduino Mega 2560 is a microcontroller board based on the ATmega2560. It has 54 digital input/output pins, 16 analog inputs, 4 UARTs, a 16 MHz crystal oscillator, a USB connection, a power jack, an ICSP header, and a reset button. It contains everything needed to support the microcontroller. It can be powered via the USB port or an external power supply. It has 256KB of flash memory for storing code, 8KB of SRAM, and 4KB of EEPROM. The board operates at 5V and each I/O pin can provide or receive 20mA of current. It supports SPI, TWI, PWM, analog input, and serial communication.
Privacy and Security Issues in E-Commerce Titas Ahmed
This document discusses privacy, security, and authentication issues in e-commerce. It outlines that privacy means information exchanged must be kept private, integrity means information cannot be altered, and authentication means both parties must prove their identity. It notes attackers can target shoppers, their computers, network connections, and website servers. Finally, it provides references on e-commerce security issues and solutions.
This document compares Linux and Windows operating systems. It discusses their origins, differences in being open source versus proprietary, graphical user interfaces, available applications, hardware support, ease of use, distributors, pricing, and security considerations. While Linux is free and open source, Windows has a larger user base and more available software. Both systems have advantages and continuing development will impact their future positions relative to one another.
This document discusses various e-business security issues in cyberspace. It outlines basic security issues like authentication, authorization, confidentiality, integrity and non-repudiation. It also describes common security threats like denial of service attacks, unauthorized access, and theft/fraud. Finally, it explains different types of security techniques used like encryption, decryption, cryptography, virtual private networks, digital signatures, and digital certificates.
This presentation will give complete information regarding security issues related to cloud computing. To learn cloud computing fill up a simple form.
http://bit.ly/aDegGN
This document discusses cloud security and provides an overview of McAfee's cloud security solutions. It summarizes McAfee's cloud security program, strengths, weaknesses, opportunities, threats, and competitors in the cloud security market. It also discusses Netflix's migration to the cloud for its infrastructure and content delivery and outlines Netflix's cloud security strategy.
This document discusses security issues in e-commerce, including authentication and identification, privacy, data protection, and system security. It covers legal requirements around electronic signatures, identity theft, privacy rights, data protection rules for sensitive personal data, and security measures to protect systems from unauthorized access. Overall, the document examines the key challenges of maintaining security and privacy in e-commerce transactions and systems in light of relevant Indian laws.
1. Formulate a testing plan with the client to identify systems to evaluate and the scope of testing allowed.
2. Remotely or locally access the target systems to find vulnerabilities by simulating common attacks.
3. Report any found vulnerabilities to the client along with recommendations on how to remedy security issues.
This document discusses the history and definitions of cloud computing. It begins with various definitions of cloud computing from Wikipedia between 2007-2009 which evolved to emphasize dynamically scalable virtual resources provided over the internet. It then covers common characteristics of cloud computing like multi-tenancy, location independence, pay-per-use pricing and rapid scalability. The rest of the document details cloud computing models including public, private and hybrid clouds. It also outlines the different architectural layers of cloud computing from Software as a Service to Infrastructure as a Service. The document concludes with a discussion of security issues in cloud computing and a case study of security features in Amazon Web Services.
The document discusses security threats and solutions for e-commerce. It outlines various threats like human error, espionage, hacking and fraud. It then describes goals of network security like confidentiality, integrity and authentication. Further, it explains encryption techniques like symmetric algorithms (DES, 3DES, AES), asymmetric algorithms and digital signatures to secure e-commerce transactions and communication channels. Key requirements for e-commerce security are also highlighted such as message privacy, integrity, authentication and non-repudiation of transactions.
This document provides an overview of information security. It defines information and discusses its lifecycle and types. It then defines information security and its key components - people, processes, and technology. It discusses threats to information security and introduces ISO 27001, the international standard for information security management. The document outlines ISO 27001's history, features, PDCA process, domains, and some key control clauses around information security policy, organization of information security, asset management, and human resources security.
Web security involves protecting information transmitted over the internet from attacks like viruses, worms, trojans, ransomware, and keyloggers. Users can help secure themselves by using antivirus software, avoiding phishing scams, and reporting spam. Larger attacks often involve botnets, which are networks of infected computers that can overwhelm websites and services with traffic through distributed denial of service attacks.
The document provides an introduction to cloud security, including a review of cloud computing, a discussion of common security challenges in cloud environments, and an overview of the top threats to cloud computing. It describes key characteristics of cloud computing like on-demand access and elastic resources, and different cloud service models including infrastructure as a service, platform as a service, and software as a service. Security issues related to virtualization, multi-tenancy, and the use of application programming interfaces are also discussed.
The document discusses various tactics, techniques and common knowledge for detecting cyber attacks. It outlines general security problems like authenticity, authorization, confidentiality, integrity and availability. It then discusses specific techniques used in cyber attacks like escalation of privilege, credential dumping, modifying file system permissions and disabling security tools. It provides details on how each technique works and potential ways to detect them, such as monitoring specific Windows registry keys or processes. The overall document serves as a guide on common cyber attack vectors and approaches for detection.
The document provides information about a cloud technology associate certification course, including details about the course, benefits of pursuing cloud certification through an unemployment program, and an overview of cloud computing concepts. The first day focuses on introductions, an overview of cloud characteristics and service models, the evolution of cloud from earlier computing approaches, cloud architectures, and benefits and limitations of cloud computing. The trainer has extensive experience in IT management and multiple technical certifications.
This document provides an overview of container security best practices. It discusses challenges in securing components of the container infrastructure like images, registries, runtimes and orchestrators. It outlines common container threats like privilege escalation attacks and misconfigured containers. The document recommends mitigations like using vetted base images, access controls, network segmentation and updating components. It also references resources like the OWASP Docker Top 10, NIST container security guide and CIS Docker benchmark that provide guidelines for container hardening. In summary, the key is to monitor components, limit access, use segmentation and follow security standards to protect the container environment.
DCSF19 Container Security: Theory & Practice at NetflixDocker, Inc.
Michael Wardrop, Netflix
Usage of containers has undergone rapid growth at Netflix and it is still accelerating. Our container story started organically with developers downloading Docker and using it to improve their developer experience. The first production workloads were simple batch jobs, pioneering micro-services followed, then status as a first class platform running critical workloads.
As the types of workloads changed and their importance increased, the security of our container ecosystem needed to evolve and adapt. This session will cover some security theory, architecture, along with practical considerations, and lessons we learnt along the way.
Azure 101: Shared responsibility in the Azure CloudPaulo Renato
Whether you’re working exclusively on Azure or with multiple cloud environments, there are certain things you should consider when moving assets to the public cloud. As with any cloud deployment, security is a top priority, and moving your workloads to the Azure cloud doesn’t mean you’re not responsible for the security of your operating system, applications, and data.
Building on the security of the Azure infrastructure, this shared security responsibility starts with making sure your environment is secure. In this session, we will discuss step-by-step what you need to do to secure access at the administrative, application and network layers.
The document provides information about using PERKESO funds to upskill and certify oneself after being retrenched. It lists various certification programs that PERKESO funds can cover, including PRINCE2, ITIL, Agile Scrum Master and cloud computing certificates. The cost of each certification program is up to RM6,000. It also introduces the trainer, Leo Lourdes, who has many IT management and project management certifications. In addition, the document outlines the benefits of connecting a local cloud network to the public internet, including increased risks around security, privacy and compliance that need to be addressed.
Domain 3: Security Engineering
Virtualization and Distributed Computing
System Vulnerabilities, Threats and Countermeasures
Cornerstone Cryptographic Concepts
History of Cryptography
Types of Cryptography
Cryptographic Attacks
Implementing Cryptography
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisOW2
There’s a constant rise of the container usage in the existing cloud ecosystem.
Most companies are evaluating how to migrate to newer, flexible and automated platform for content and application delivery.
The containers are building themselves alone across the business, but who's securing them?
This presentation discusses the evolution of infrastructure solutions from servers to containers, how can they be secured.
What opensource security options are available today?
Where is the future leading towards container security?
What will come after containers?
The document outlines a 12 step guide to securing cloud deployments using open source tools. It discusses responsibilities in securing infrastructure, protecting networks using tools like VPCs and firewalls, hardening machine images, encrypting data at rest and in transit, patching and access control for instances, application security best practices, auditing and monitoring, validation testing, automating security processes, and updating security policies. The steps provide a continuous process to improve cloud security.
Cloud security what to expect (introduction to cloud security)Moshe Ferber
This document provides an overview of cloud security presented by Moshe Ferber, a certified cloud security professional. It introduces cloud computing models including SaaS, PaaS, and IaaS. For IaaS, the document discusses that while the underlying infrastructure is managed by the cloud provider, customers are responsible for the security of guest operating systems, applications, and data. It also covers key IaaS security considerations like virtual machine access control, network visibility limitations, and the division of security responsibilities between customers and providers.
This document discusses ongoing security for embedded Linux devices. It describes Timesys' security notification service which monitors Common Vulnerabilities and Exposures (CVEs) and notifies customers of relevant issues. The service filters CVE data, disambiguates package names, and flags false positives. Notifications are sent via a RESTful API or through a LinuxLink user account. The meta-timesys layer integrates these security features into builds using OpenEmbedded RPB BSP. Ongoing security helps minimize known vulnerabilities over the product lifecycle.
The document outlines a 12-step program for developing network security strategies. It discusses identifying network assets and security risks, analyzing security requirements and tradeoffs, developing a security plan and policy, implementing technical security strategies, and maintaining security. It also covers securing different parts of the network like internet connections, servers, remote access, services, and wireless networks using mechanisms like firewalls, authentication, encryption, and wireless security protocols.
An introduction to Linux Container, Namespace & Cgroup.
Virtual Machine, Linux operating principles. Application constraint execution environment. Isolate application working environment.
The document provides information about cloud computing certification programs available through PERKESO, Malaysia's social security organization, for retrenched workers. It details several certification programs available in areas like PRINCE2, ITIL, security, and cloud computing. It also provides contact information for a trainer who can provide the certifications. The goal is to help retrenched workers upgrade their skills and certifications to improve their job prospects using PERKESO funds available for training and upskilling.
Security in the cloud Workshop HSTC 2014Akash Mahajan
A broad overview of what it takes to be secure. This is more of an introduction where we introduce the basic terms around Cloud Computing and how do we go about securing our information assets(Data, Applications and Infrastructure)
The workshop was fun because all the slides were paired with real world examples of security breaches and attacks.
Slides for a college course based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/123/123_S18.shtml
Hacker Halted 2014 - Reverse Engineering the Android OSEC-Council
Introduction to the Android OS. the Android Developers Kit, Android Emulators, Rooting Android devices, de-compiling Android Apps. Dex2jar, Java JD_GUI and so on. During the presentation I will pull an App apart and show how to bypass a login screen.
What better way to express the Zombie Apocalypse then with mobile devices. They are ubiquitous. they are carried everywhere, they go everywhere. Having a decent understanding of the Operating System and it’s vulnerabilities can go a long way towards keeping your device protected.
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Speck&Tech
ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune.
Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile.
BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Presentation of the OECD Artificial Intelligence Review of Germany
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud computing
1. Original Article by Salah K, et al, Computers & Security (2012), http://dx.doi.org/10.1016/j.cose.2012.12.001
Analyzing the security of
Windows 7 and Linux for cloud computing
Vincent Giersch - vg66
2. Contents
• Authors
• Main points of the article
• Introduction to cloud computing
• Infrastructure as a Service (IaaS)
• Authentication
• Authorization
• Network security
• Accounting
• Privacy and encryption
• Conclusion
• Criticism and improvements
3. Authors' background
• Khaled Salah
Electrical and Computer Engineering Department,
Khalifa University of Science, Technology and Research (United Arab Emirates)
• Jose M. Alcaraz Calero
Department of Computer Science, Engineering Technical School,
University of Valencia (Spain)
• Jorge Bernal Bernabé and Juan M. Marín Perez
Cloud and Security Lab, Hewlett-Packard Laboratories, Stoke Gifford, Bristol (UK)
• Sherali Zeadally
Department of Computer Science and Information Technology,
University of the District of Columbia, Washington (USA)
17. Windows Authentication Architecture
Diagram: Windows Authentication (Local Security Authority) with Winlogon and the packages MSV1_0, Kerberos, CredSSP, NTLM and DigestSSP
Interactive authentication
Main components that use APs and SSPs:
• Authentication Packages (AP):
• DLLs that encapsulate the authentication logic
• Perform the logon in the OS
• Security Support Providers (SSP):
• DLLs that implement the SSPI
• The SSPI also provides non-interactive authentication
18. Linux Authentication Architecture
Diagram: Linux Authentication with login and the modules pam_unix, pam_guest, pam_krb5 and pam_radius
The login process (/bin/login) interacts with libpam
(Pluggable Authentication Modules).
All the modules implement the PAM abstraction layer
and are built and loaded as dynamic libraries.
19. Cloud providers' OS images
• Usually cloud providers modify the OS image to configure the
authentication (e.g. add SSH keys)
• High security threat: the provider has access to the content of the VM
• No possibility of encryption: adding keys to an encrypted image would be impossible
20. Usage of an IdM
• Windows and Linux provide authentication abstraction mechanisms
• Use an Identity Management System (IdM)
• Separation of the authentication from the image file system
• Should be managed by the tenant organization
• Examples: Kerberos, OpenID, SAML
• Problem: a fake IdM could be used if an attacker has access to the file
system or RAM
22. Authorization: access control
• Manages the privileges granted to an authenticated user
• Checks and enforces these privileges when the user performs actions on
securable objects
23. Access control on Windows 7
Different access control subsystems are executed simultaneously at runtime.
First access control:
• Controls all resources managed by the OS,
e.g. a file, directory, process, registry key, Windows service, printer, etc.
• Each securable object has a security descriptor
• This descriptor manages two ACLs:
• Discretionary Access Control List (DACL)
• System Access Control List (SACL)
24. Access control on Windows 7
Second access control, Mandatory Integrity Control (MAC):
• Controls the access to securable objects
• In addition to the discretionary access control (DAC)
• Each user / securable object has a security level:
low, medium, high, system
• To access an object, the user needs a security level higher than the one required
• Otherwise access is denied, even if it is authorized by another AC system
25. Access control on Windows 7
Third access control, AppLocker:
• Controls the execution of processes
• A Windows service (Application Identity service) intercepts the execution
• This service checks if the user has the required right to execute the application
• The AppLocker policy uses application attributes:
signing certificate, vendor name, application name and version
• Advantage: the policy persists after application updates
• Can be configured manually or through Group Policy Management
26. Access control on Linux
Linux provides different access control mechanisms.
First access control:
• Secures every object in the file system:
regular file, directory, device and process
• Each object is associated with an access right mask, a user and a group
• The user and group that execute a process are used to check rights while
accessing secured objects
• When a user executes a process, the process stores this user and group; they are
used when the process accesses secured objects
• 3 permissions: read, write, execute, at 3 levels: user, group, other
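The user/group/other check on this slide, modelled in Python as an added example (not code from the slides or the article). The Inode and Process classes, the constructed sample file and the root bypass rule modelled on Linux's CAP_DAC_OVERRIDE are my assumptions, and only regular files are considered.

```python
from dataclasses import dataclass

# Permission bits of one class: read, write, execute.
R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Inode:
    """A secured object: permission mask plus owning user and group (assumed model)."""
    mode: int   # e.g. 0o640; only the low 9 bits are consulted here
    uid: int
    gid: int


@dataclass(frozen=True)
class Process:
    """The identity a running process carries, stored at exec time (slide 26)."""
    euid: int
    egid: int
    groups: frozenset = frozenset()   # supplementary groups


def permission_class(obj: Inode, proc: Process) -> str:
    """Pick the single class whose bits apply: 'user', 'group' or 'other'."""
    if proc.euid == obj.uid:
        return "user"
    if proc.egid == obj.gid or obj.gid in proc.groups:
        return "group"
    return "other"


def permitted(obj: Inode, proc: Process, want: int) -> bool:
    """True if proc may perform `want` (bitmask of R|W|X) on a regular file.

    Root (euid 0) bypasses the read/write check, as CAP_DAC_OVERRIDE does on
    Linux, but may execute a regular file only if some execute bit is set.
    For everyone else exactly one class applies; the other two classes are
    never consulted, even when they are more permissive than the chosen one.
    """
    if proc.euid == 0:
        return not (want & X) or bool(obj.mode & 0o111)
    shift = {"user": 6, "group": 3, "other": 0}[permission_class(obj, proc)]
    bits = (obj.mode >> shift) & 0o7
    return (bits & want) == want


def mode_string(mode: int) -> str:
    """Render the 9 permission bits the way `ls -l` does, e.g. 'rw-r-----'."""
    out = []
    for shift in (6, 3, 0):
        bits = (mode >> shift) & 0o7
        out.append("r" if bits & R else "-")
        out.append("w" if bits & W else "-")
        out.append("x" if bits & X else "-")
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: a shadow-style file owned by root, group 42, mode 0o640.
    shadow = Inode(mode=0o640, uid=0, gid=42)
    print(mode_string(shadow.mode))
    for p in (Process(0, 0), Process(1000, 1000, frozenset({42})), Process(1000, 1000)):
        print(p, "read:", permitted(shadow, p, R), "write:", permitted(shadow, p, W))
```

The 0o044 case in the checks below is the subtlety worth remembering: the owner is denied read even though "other" would allow it, because only the owner class is consulted.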
27. Access control on Linux
In modern distributions, this authorization model is extended with ACLs.
28. Access control on Linux
Recent Linux distributions have an additional access control mechanism,
Mandatory Access Control (MAC).
There are multiple implementations of this MAC:
• AppArmor
• TOMOYO
• SELinux
• grsecurity
After comparing these implementations, the authors chose SELinux.
29. Authorization
• Windows and Linux authorization mechanisms store AC information
inside the securable file objects
• The system needs at least one admin user, which is usually the case with IaaS
• Problem: files that belong to users who are not registered in the OS, for
example users of an external IdM
• This is the approach followed by AppLocker, which protects against
external intruders and the cloud provider executing undesired code in
the guest OS
31. Network security
• All network traffic can potentially be monitored:
man-in-the-middle, or by the cloud provider (hypervisors, routing equipment, etc.)
• Usually the possibilities of network configuration are limited:
hard to reproduce a particular networking topology or configuration
• IP addresses are provided by the cloud provider:
already used before? How? Blocked by some firewalls?
• MAC addresses used in firewalls: virtualized adapters;
MAC addresses are managed by the cloud provider and change when using IaaS features
• Create policies based on hostnames instead of IP addresses:
Windows: still not possible with the Windows firewall (possible using ZoneAlarm)
Linux: possible with Netfilter and iptables
• New issue: DNS poisoning and spoofing;
DNSSEC can be used to validate and trust DNS responses
33. Accounting
• Logs are usually stored unencrypted in the local file system
• They can be accessed by the attacker and potentially modified
• They could be destroyed when using snapshots, images, etc.
• Logs must be stored in a separate logging system
• These logs should be encrypted by the source OS if this logging system is
provided by the cloud provider
• So we have problems similar to the provisioning of user credentials:
the initial configuration and provisioning of the VM
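An added example (not from the slides or the article) for the log tampering problem above: a keyed hash chain that lets the receiving log system detect edits, deletions and reordering of the records shipped from the VM. It is an integrity measure that complements the encryption the slide recommends, not a substitute; the key, the constructed sample lines and the genesis value are my assumptions.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Chain start value; a receiver that knows it can verify from the first record.
GENESIS = b"\x00" * 32


def _mac(key: bytes, prev: bytes, seq: int, record: str) -> bytes:
    """HMAC over the previous MAC, the sequence number and the record text."""
    msg = prev + seq.to_bytes(8, "big") + record.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal_records(records: List[str], key: bytes) -> List[Tuple[int, str, str]]:
    """Return (seq, record, mac_hex) triples forming an HMAC chain.

    Because each MAC covers the previous MAC, changing, removing or
    reordering any earlier entry changes every MAC that follows it.
    """
    chain = []
    prev = GENESIS
    for seq, rec in enumerate(records):
        mac = _mac(key, prev, seq, rec)
        chain.append((seq, rec, mac.hex()))
        prev = mac
    return chain


def verify_chain(chain: List[Tuple[int, str, str]], key: bytes) -> Optional[int]:
    """Return the index of the first entry that fails to verify, or None if intact."""
    prev = GENESIS
    for i, (seq, rec, mac_hex) in enumerate(chain):
        expected = _mac(key, prev, seq, rec)
        if seq != i or not hmac.compare_digest(expected, bytes.fromhex(mac_hex)):
            return i
        prev = expected
    return None


# Constructed sample log lines (not real system output).
SAMPLE_LOGS = [
    "2013-02-05T09:12:01 sshd[812]: Accepted publickey for admin from 10.0.0.5",
    "2013-02-05T09:12:40 sudo: admin : COMMAND=/usr/bin/apt-get upgrade",
    "2013-02-05T09:13:02 sshd[812]: session closed for user admin",
]
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def demo() -> dict:
    """Seal the sample, then show what each kind of tampering looks like to the verifier."""
    chain = seal_records(SAMPLE_LOGS, DEMO_KEY)
    edited = list(chain)
    seq, rec, mac_hex = edited[1]
    edited[1] = (seq, rec.replace("apt-get upgrade", "true"), mac_hex)
    deleted = chain[:1] + chain[2:]          # the sudo line removed
    truncated = chain[:2]                    # the tail cut off
    return {
        "intact": verify_chain(chain, DEMO_KEY),
        "edited": verify_chain(edited, DEMO_KEY),
        "deleted": verify_chain(deleted, DEMO_KEY),
        "truncated": verify_chain(truncated, DEMO_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The same caveat the slide raises for credentials applies to the key: if it lives on the VM, whoever reaches the file system or RAM can re-seal the chain. Cutting off the tail of the chain verifies cleanly, so the receiver must also remember the last sequence number it accepted.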
35. Privacy of RAM memory
Could be protected by different methods:
• Address Space Layout Randomization (ASLR)
• Used in Linux 2.6.38 and Windows 7
• Loads critical application code into random memory locations every time the system boots
• Randomizes the locations of the stack, heap, Process Environment Block and Thread Environment Block
• Hard to extract sensitive information from a memory dump
• Disabling the FireWire port
This kind of port enables direct access to the memory without security restrictions
Potential vulnerability highlighted:
“Recently, all tools using AES-based encryption are being rapidly cracked by means of the extraction of the
AES keys when memory dumps are available.”
→ Use memory encryption at run-time,
for example on Linux, METAL (Memory Encryption and Transparent Aegis Library)
36. Disk encryption
• Windows: BitLocker
Supports only Cipher Block Chaining (CBC) with an IV derived from the sector number
• Linux 2.6.38: dm-crypt / LUKS
dm-crypt supports the IEEE P1619 standard, for example XTS-AES
• Encrypts the complete disk: all partitions and hibernation files
• Places bootable software in the MBR which requests the decryption key
• Two-factor authentication by USB or TPM (Trusted Platform Module)
• Based on AES symmetric encryption
Still vulnerable at runtime:
the file system decryption key is located somewhere in memory.
37. Network encryption
Windows 7
• DirectAccess, an easy and secure way of establishing VPNs
Automatic bi-directional connection using IPv6 and IPsec
Able to encapsulate IPv6 traffic in IPv4 with 6to4 or Teredo
Able to use IP over HTTPS in case of a firewall or proxy
Linux
• Openswan, a popular IPsec implementation
• OpenVPN, the most used VPN-over-SSL solution
All DirectAccess features are available on Linux, but the configuration
and management of DirectAccess is easier and more intuitive
40. Conclusion
• Use your own OS images
• Externalise your IdM
• Externalise your logs, encrypted
• Encrypt all your communications
• Encrypt your volumes
• Use memory encryption at run-time
42. Criticisms
• “IaaS cloud providers use different solutions such as OpenStack, CloudStack,
Amazon EC2 [...]”
Amazon EC2 is an IaaS cloud provider itself, not a solution for IaaS providers.
• “[...] it requires the cloud provider to allow customers to manage DNS servers
to resolve the hostnames inside the virtual infrastructure.”
Anyone can create and manage their own DNS servers and DNS zones;
the customer just needs the possibility to customize reverse DNS.
• Some pieces of advice have limited applicability (e.g. FireWire, USB, TPM)
• No explanation of the choice of SELinux
43. Areas for Improvement
• Differences between public and private cloud infrastructure
• Isolation in public cloud
• Generalisation to other UNIX systems