After a long hiatus, Security Musings is returning to its roots. This blog is going to be equal parts education and entertainment – you’ll learn some things, and you’ll learn some things that make me angry. I won’t follow a set frequency although I intend to post at least twice a month. The look and feel has changed, and I’m sure some older posts may not look right. I’m not going to dwell on that unless specific requests are made to get certain posts working again. It’s time to move forward.

We’re located in the northern Virginia area – where Friday night brought a derecho which is basically a hurricane on land. Unfortunately, our county lost 911 service, and 3 days later, it’s still not quite back up. The 911 service is run by Verizon, which said that both primary and backup power was lost. Amazon Web Services lost Netflix, Foursquare, Pinterest, and other sites. So – assuming that these services were in a traditional data center, what happened? These buildings are supposed to have backup generators – why didn’t they kick in? Did they not test the generators, or the ATS (automatic transfer switch)? People pay data centers for continuous power – and most offer 5 9s of power (~5[…]

A few years back, I was working as a tech writer for a company which made medical software. We were trying to get an important certification that we’d need to sell our product. And a crucial part of that was good documentation: we had to show how it worked, what it did, how it tracked everything, how it was secure, etc. Well, that’s what you have a tech writer for, so all is good. It’s important to know, I didn’t have any existing documentation to work with. There was a wiki which had the developers’ notes in it, but that’s it. Nothing by way of formal hand-it-to-an-outside-entity documentation. Okay, that’s not too abnormal; tech writing is expensive, and many companies[…]

I recently had the pleasure of performing one of the best security assessments I’ve ever done. It was great: I didn’t find any gaps. Not a one. To some people, it might come as a surprise that I’d consider that a good assessment. And I’ll admit, it made me a bit suspicious. Nothing? Seriously? Well, I had to look into why, and I’ll get to that in a moment. But let’s cover something else first. I’ve been on both sides of the table for security audits. Being audited is Not Fun. You have someone coming in, looking over all your processes, and it’s up to you to prove that you’re doing what you’re actually doing, often for reasons that seem[…]

While I did my thesis on this topic back in 2001, I haven’t used the knowledge or skills I gained from it much – or really at all. But I think it’s an interesting topic, and one that security folks and system administrators should at least be passingly familiar with. The technology has certainly changed since I did my thesis. When you look at an IP address or even domain name in your logs – where is that person coming from? You might need to know for forensics purposes, or even “cyberwarfare” purposes. Keep in mind that spoofing an IP address isn’t rocket science, and just knowing if the IP address in your logs is the one doing the activity[…]

I’ve mentioned Whole Disk Encryption in the past. There are a number of products, both free and paid, which will allow you to encrypt your entire hard disk, or the hard disks on your servers. In a recent study whole disk encryption (referred to as FDE in the study) has been shown to significantly hamper investigation. Basically, the encryption is too good. Even with techniques like cryogenic RAM freezing it’s often unlikely that the encryption can be bypassed. But there’s a huge, gaping hole in such protection: you can’t USE encrypted data. For it to be accessible and usable, it has to be decrypted. (In other news, it is not possible to open properly locked doors, nor to pass through[…]