LUKS is the upcoming standard for Linux hard disk encryption. By providing a standard on-disk format, it not only facilitates compatibility among distributions, but also provides secure management of multiple user passwords. In contrast to existing solutions, LUKS stores all necessary setup information in the partition header, enabling the user to transport or migrate their data seamlessly.
While LUKS is a standard on-disk format, there is also a reference implementation. LUKS for dm-crypt is implemented in an enhanced version of cryptsetup.
Design
LUKS was designed according to TKS1, a template design developed in [TKS1] for secure key setup. LUKS closely resembles the structure recommended in the TKS1 paper, but also adds metadata for cipher setup management, and LUKS also supports multiple keys/passphrases.
Why LUKS?
* compatibility via standardization,
* secure against low entropy attacks,
* support for multiple keys,
* effective passphrase revocation,
* free
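To make the header-centric design concrete, here is an added example (mine, not code from the LUKS page or from cryptsetup) that parses the LUKS1 on-disk header: a 208-byte header carrying magic, version, cipher name, cipher mode, hash, payload offset, key size, master-key digest, salt, iteration count and UUID, followed by eight 48-byte key slots each marked active (0x00AC71F3) or inactive (0x0000DEAD). The builder that produces the sample header exists only so the demo runs offline; its UUID, iteration counts and slot layout are made up, and on a real device cryptsetup luksFormat writes the header.

```python
import os
import struct

# LUKS1 on-disk header layout (all integers big-endian).
LUKS_MAGIC = b"LUKS\xba\xbe"
HEADER = struct.Struct(">6sH32s32s32sII20s32sI40s")  # 208 bytes
SLOT = struct.Struct(">II32sII")                     # 48 bytes; 8 slots follow the header
NUM_SLOTS = 8
SLOT_ACTIVE, SLOT_INACTIVE = 0x00AC71F3, 0x0000DEAD
SECTOR = 512
HEADER_TOTAL = HEADER.size + NUM_SLOTS * SLOT.size   # 592 bytes


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(buf: bytes) -> dict:
    """Parse the first 592 bytes of a LUKS1 device and return its setup information."""
    if len(buf) < HEADER_TOTAL:
        raise ValueError("buffer shorter than a LUKS1 header")
    (magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     _mk_digest, _mk_salt, mk_iter, uuid) = HEADER.unpack_from(buf, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("not a LUKS header (bad magic)")
    if version != 1:
        raise ValueError(f"unsupported LUKS version {version}")
    slots = []
    for i in range(NUM_SLOTS):
        active, iters, salt, km_off, stripes = SLOT.unpack_from(buf, HEADER.size + i * SLOT.size)
        if active == SLOT_INACTIVE:
            continue
        if active != SLOT_ACTIVE:
            raise ValueError(f"slot {i}: unknown state marker {active:#010x}")
        # Each slot's anti-forensic split key (key_bytes * stripes) must end before the payload.
        if km_off * SECTOR + key_bytes * stripes > payload_off * SECTOR:
            raise ValueError(f"slot {i}: key material overlaps the encrypted payload")
        slots.append({"slot": i, "iterations": iters, "salt": salt,
                      "key_material_offset": km_off, "stripes": stripes})
    return {"cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hash_spec),
            "key_bytes": key_bytes, "payload_offset": payload_off,
            "mk_digest_iterations": mk_iter, "uuid": _cstr(uuid), "active_slots": slots}


def is_luks1(buf: bytes) -> bool:
    """Convenience wrapper: True only for a well-formed LUKS1 header."""
    try:
        parse_luks1_header(buf)
        return True
    except ValueError:
        return False


def build_luks1_header(cipher="aes", mode="xts-plain64", hash_spec="sha256",
                       key_bytes=32, active_slots=(0,), iterations=100000) -> bytes:
    """Constructed header for the demo only (values made up; cryptsetup writes real ones)."""
    stripes = 4000                                   # LUKS1 AF-splitter stripe count
    slot_sectors = ((key_bytes * stripes + SECTOR - 1) // SECTOR + 7) // 8 * 8
    payload_off = 8 + NUM_SLOTS * slot_sectors       # payload starts after all key material
    head = HEADER.pack(LUKS_MAGIC, 1, cipher.encode(), mode.encode(), hash_spec.encode(),
                       payload_off, key_bytes, os.urandom(20), os.urandom(32), iterations,
                       b"11111111-2222-3333-4444-555555555555")
    for i in range(NUM_SLOTS):
        state = SLOT_ACTIVE if i in active_slots else SLOT_INACTIVE
        head += SLOT.pack(state, iterations if state == SLOT_ACTIVE else 0,
                          os.urandom(32), 8 + i * slot_sectors, stripes)
    return head
```

Read the first 592 bytes of the device as root (open("/dev/sdb1", "rb").read(592)) and hand them to parse_luks1_header; cryptsetup luksDump prints the same fields. The active-slot list is what luksAddKey and luksKillSlot change, which is why revoking one passphrase leaves the others untouched.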
I am pleased to let you know that today Sophos has made public our intent to acquire Utimaco, the recognized global leader in the encryption of data on computers, disks and removable media.
This potential combination allows Sophos to better address your data protection needs beyond anti-virus, anti-spam and web protection. Our future direction integrates information control and security compliance with existing anti-malware infrastructure to make security more manageable, and merging with the market leader in mobile data security provides a strong foundation for growth and leadership.
The acquisition process will take some months, but we anticipate being able to engage with enterprise customers in the interim through a partnership with Utimaco. Feel free to contact your account manager, or visit our website for more details from time to time.
We are very enthusiastic about Utimaco’s engineering excellence and commitment to customer service, and are confident that the merger will only enhance the experience you have with Sophos, and I look forward to demonstrating that in the months ahead.
RBL is an abbreviation for “Real-time Blackhole List”. As mentioned below, “RBL” was the name of the first system to use this technology, a proprietary MAPS DNSBL, and “RBL” is a registered trademark[1]. Some pieces of mail software have configuration parameters that use “RBLs” or “RBL domains” when any DNSBLs can be used, not just the MAPS RBL.
DNSBL is an abbreviation that sometimes stands for “DNS blacklist”, although different DNSBL operators define the term in various ways. The use of the word “blacklist” is somewhat controversial. The reasons cited include its association with Joseph McCarthy and legal liability [2]. Instead, some people have suggested that DNSBL should stand for “DNS blocklist” even though DNSBLs are not always used for direct blocking, or “DNS blackhole list” based on the RBL expansion, even though the DNSBL method does not create true blackholes. A minimally controversial expansion of the acronym is “DNS-Based List” [3][4][5].
DNSWL is an abbreviation for “DNS whitelist”. It is a list of IP addresses that some people may want to treat more favourably.
RHSBL is an abbreviation for “Right Hand Side Blacklist”. This is similar to a DNSBL but it lists domain names rather than IP addresses. The term comes from the “right-hand side” of an email address — the part after the @ sign — which clients look up in the RHSBL.
URIBL is an abbreviation for “Uniform Resource Identifier Blacklist”. A URIBL lists domain names and IP addresses that appear in URIs such as web sites mentioned in message bodies. It contrasts with an RHSBL which lists domain names used in e-mail addresses [6].
If you have an email problem like the one in my previous post, you can check it from your terminal by installing rblcheck:
sudo apt-get install rblcheck
Here is some output:
$ rblcheck
rblcheck: no IP address(es) specified
rblcheck 1.5-20020316
Copyright (C) 1997, 1998, 1999, 2000, 2001 Edward S. Marshall
Usage: rblcheck [-qtlcvh?] [-s <service>] <address> [ <address> ... ]
-q          Quiet mode; no output
-t          Print a TXT record, if any
-m          Stop checking after first address match in any list
-l          List default RBL services to check
-c          Clear the current list of RBL services
-s <service> Add a new service to the RBL services list
-h, -?      Display this help message
-v          Display version information
<address>   An IP address to look up; specify `-’ to read multiple addresses from standard input.
Time to test one IP address, a.b.c.d:
$ rblcheck a.b.c.d
a.b.c.d not RBL filtered by xbl.spamhaus.org
a.b.c.d not RBL filtered by sbl.spamhaus.org
a.b.c.d not RBL filtered by list.dsbl.org
a.b.c.d not RBL filtered by dnsbl.njabl.org
a.b.c.d not RBL filtered by dul.dnsbl.sorbs.net
a.b.c.d not RBL filtered by l1.spews.dnsbl.sorbs.net
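The glossary above and the rblcheck run come down to one DNS trick: reverse the address octets, prepend them to the list zone, query for an A record, and treat an answer inside 127.0.0.0/8 as a listing. Here is an added example in Python (mine, not rblcheck's code) that builds DNSBL and RHSBL query names, prints an rblcheck-style report, and applies the RFC 5782 test points (127.0.0.2 must be listed, 127.0.0.1 must never be) to spot a zone that has been abandoned. That last check matters because several zones in a 2002-era default list have since gone away, and a dead zone may answer everything with a wildcard pointing at a web host. The zone names live.dnsbl.example and dead.dnsbl.example and the FAKE_DNS answers are constructed so the demo runs offline; pass live_resolve for real lookups.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets (IPv4) or nibbles (IPv6) and append the zone, as RFC 5782 describes."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(str(addr).split(".")))
    else:
        reversed_part = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{reversed_part}.{zone.rstrip('.')}"


def rhsbl_query_name(sender: str, zone: str) -> str:
    """RHSBL/URIBL lookups use a domain name; for a sender address that is the part after '@'."""
    domain = sender.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    return f"{domain}.{zone.rstrip('.')}"


def listing_codes(answers) -> list:
    """Only A records inside 127.0.0.0/8 count as a listing; a wildcard answer pointing at
    some web host (typical of an abandoned zone) must not be read as 'blacklisted'."""
    return [a for a in answers if ipaddress.ip_address(a) in LOOPBACK]


def live_resolve(name: str) -> list:
    """Real DNS lookup; NXDOMAIN (address not listed) comes back as an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def zone_is_alive(zone: str, resolve=live_resolve) -> bool:
    """RFC 5782 test points: 127.0.0.2 must be listed and 127.0.0.1 must never be."""
    positive = listing_codes(resolve(dnsbl_query_name("127.0.0.2", zone)))
    negative = listing_codes(resolve(dnsbl_query_name("127.0.0.1", zone)))
    return bool(positive) and not negative


def check_address(ip: str, zones, resolve=live_resolve) -> dict:
    """Map each zone to the 127.x.y.z return codes that list ip (empty list = not listed)."""
    return {zone: listing_codes(resolve(dnsbl_query_name(ip, zone))) for zone in zones}


def report(ip: str, zones, resolve=live_resolve) -> list:
    """rblcheck-style lines, one per zone."""
    lines = []
    for zone, codes in check_address(ip, zones, resolve).items():
        if codes:
            lines.append(f"{ip} RBL filtered by {zone} ({', '.join(codes)})")
        else:
            lines.append(f"{ip} not RBL filtered by {zone}")
    return lines


# Constructed answers standing in for DNS so the demo runs offline (zone names are made up).
FAKE_DNS = {
    "2.0.0.127.live.dnsbl.example": ["127.0.0.2"],    # test point listed: zone is alive
    "7.2.0.192.live.dnsbl.example": ["127.0.0.2"],    # our sample host 192.0.2.7 is listed
    "2.0.0.127.dead.dnsbl.example": ["203.0.113.5"],  # abandoned zone: wildcard to a web server
    "1.0.0.127.dead.dnsbl.example": ["203.0.113.5"],
    "7.2.0.192.dead.dnsbl.example": ["203.0.113.5"],
}


def fake_resolve(name: str) -> list:
    return FAKE_DNS.get(name, [])
```

Run zone_is_alive over every zone in your list before trusting a "not filtered" line: a dead zone and an unlisted address look identical in rblcheck's output.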
Sophos has recently launched the beta of Sophos Anti-Virus 7.0 for UNIX. Initially this will be for the Solaris 9 & 10 SPARC platform and allows users to centrally control policies, consolidate alerts, view reports etc.
Anyone wishing to join the beta program should contact betaprogram@sophos.com as soon as possible.
But why bother, I hear you ask. Doesn’t malware only affect Windows? So why do I need to add anti-virus to a platform that isn’t affected?
We may note of course that the first internet worm infected UNIX machines, and the first rootkits were trojanised versions of UNIX system utilities. You may say it is ancient history.
More recently, our own analysis shows that nearly half the compromised web servers hosting malware are running Apache, and 70% of the infections caught on our Linux honeypot are a six-year-old virus called Rst-B. And the most commonly infected files are trojanised versions of Unix system utilities downloaded by hackers after a successful break-in.
Another good reason is the story of Typhoid Mary. The story goes that a health inspector was investigating an outbreak of typhoid. His initial report was as follows:
“I had my first talk with Mary in the kitchen of this house. . . . I was as diplomatic as possible, but I had to say I suspected her of making people sick and that I wanted specimens of her urine, feces and blood. It did not take Mary long to react to this suggestion. She seized a carving fork and advanced in my direction. I passed rapidly down the long narrow hall, through the tall iron gate, . . . and so to the sidewalk. I felt rather lucky to escape.”
Using other platforms as file servers, or to host business-critical applications, makes a great deal of sense. But although modern malware does target the Windows operating system, protecting your UNIX servers helps prevent reinfection of those Windows desktops from your very own Typhoid Mary.
You may of course disagree with me and you’re confident that your UNIX servers are clean, in which case why not join the beta program and prove me wrong.
PS. The photo above is of Chris Northwood. Chris is a placement student who is working as a developer on our Sophos Anti-Virus for Linux/UNIX R&D team. Apparently the rest of the team chose Chris for the photoshoot as they thought he looked the smartest of all of them.
Ubuntu client configuration (this is my configuration; you may configure it your own way!):
### OpenVPN Client Conf (pfsense.ovpn) ###
float
port 1194
dev tun
proto tcp-client
# BF-CBC was the OpenVPN default at the time; Blowfish has a 64-bit block (SWEET32),
# so on current versions use an AEAD cipher such as AES-256-GCM instead.
cipher BF-CBC
remote yourpfsenseHOST 1194
ping 10
persist-tun
persist-key
tls-client
ca /where/your/openvpn/cert/stored/ca.crt
cert /where/your/openvpn/cert/stored/fenris.crt
key /where/your/openvpn/key/stored/fenris.key
# Rejects a server whose certificate is not marked as a server cert, so another client
# cert from the same CA cannot impersonate the server. Deprecated in OpenVPN 2.4 and
# dropped in later releases; the replacement is "remote-cert-tls server".
ns-cert-type server
# Compression lets an attacker who can inject plaintext into the tunnel recover secrets
# through a compression oracle (VORACLE); leave it off unless the server insists on it.
comp-lzo
pull
verb 4
daemon
pfSense server configuration:
### openvpn_server1.conf ###
writepid /var/run/openvpn_server1.pid
# Privilege drop is disabled here; enabling user/group nobody limits what a compromised
# openvpn process can do (persist-key/persist-tun below keep restarts working without root).
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
# 64-bit block cipher (SWEET32); current OpenVPN releases negotiate AES-256-GCM instead.
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
# VPN subnet handed to clients; 192.168.b.0/24 must not overlap the LAN pushed below.
server 192.168.b.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
# Route to the pfSense LAN (straight quotes; curly quotes from a web editor break the parser).
push "route 192.168.a.0 255.255.255.0"
lport 1194
ca /var/etc/openvpn_server1.ca
cert /var/etc/openvpn_server1.cert
key /var/etc/openvpn_server1.key
dh /var/etc/openvpn_server1.dh
# Same compression-oracle caveat as on the client.
comp-lzo
persist-remote-ip
float
$ ping 192.168.a.b
PING 192.168.a.b (192.168.a.b) 56(84) bytes of data.
64 bytes from 192.168.a.b: icmp_seq=1 ttl=64 time=45.4 ms
64 bytes from 192.168.a.b: icmp_seq=2 ttl=64 time=43.2 ms
64 bytes from 192.168.a.b: icmp_seq=3 ttl=64 time=43.3 ms
64 bytes from 192.168.a.b: icmp_seq=4 ttl=64 time=41.3 ms
64 bytes from 192.168.a.b: icmp_seq=5 ttl=64 time=43.4 ms
--- 192.168.a.b ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4001ms
rtt min/avg/max/mdev = 41.315/43.357/45.427/1.327 ms
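The ping proves the tunnel is up, not that it is configured safely. As an added example (mine, not from the post, pfSense or OpenVPN), here is a small Python audit script that reads an OpenVPN config and flags the points a reviewer would raise on the two files above: the BF-CBC cipher, the deprecated ns-cert-type, compression, missing tls-auth/tls-crypt and auth, the commented-out user/group privilege drop, and TCP transport. CLIENT_CONF is the client file from above; HARDENED_CONF is my suggested replacement for a current OpenVPN release, with the same placeholder paths and an assumed ta.key for tls-crypt. The advice strings are my recommendations, not OpenVPN's own wording.

```python
import shlex

# Sample input: the Ubuntu client file from the post (directive lines only).
CLIENT_CONF = """\
float
port 1194
dev tun
proto tcp-client
cipher BF-CBC
remote yourpfsenseHOST 1194
ping 10
persist-tun
persist-key
tls-client
ca /where/your/openvpn/cert/stored/ca.crt
cert /where/your/openvpn/cert/stored/fenris.crt
key /where/your/openvpn/key/stored/fenris.key
ns-cert-type server
comp-lzo
pull
verb 4
daemon
"""

# My suggested client file for a current OpenVPN release (ta.key is an assumed shared key).
HARDENED_CONF = """\
client
dev tun
proto udp
remote yourpfsenseHOST 1194
cipher AES-256-GCM
auth SHA256
remote-cert-tls server
tls-crypt /where/your/openvpn/key/stored/ta.key
ca /where/your/openvpn/cert/stored/ca.crt
cert /where/your/openvpn/cert/stored/fenris.crt
key /where/your/openvpn/key/stored/fenris.key
persist-key
persist-tun
verb 3
"""

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC", "NONE"}  # 64-bit block or none


def parse_conf(text: str):
    """Return (live, disabled): [(directive, args)] lists, the second for '#'/';' lines."""
    live, disabled = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("###"):
            continue
        target = live
        if line[0] in "#;":
            line, target = line.lstrip("#;").strip(), disabled
            if not line:
                continue
        parts = shlex.split(line)           # handles push "route ..." as one argument
        target.append((parts[0], parts[1:]))
    return live, disabled


def audit(text: str) -> list:
    """Findings as (severity, directive, advice) for the weak spots in an OpenVPN config."""
    live, disabled = parse_conf(text)
    got = {name: args for name, args in live}
    off = {name for name, _ in disabled}
    findings = []
    # BF-CBC was the implicit default when no cipher was set (before OpenVPN 2.5).
    cipher = (got.get("data-ciphers") or got.get("cipher") or ["BF-CBC"])[0].split(":")[0]
    if cipher.upper() in WEAK_CIPHERS:
        findings.append(("high", "cipher", f"{cipher}: 64-bit block (SWEET32) or no encryption; use AES-256-GCM"))
    if "ns-cert-type" in got:
        findings.append(("medium", "ns-cert-type", "deprecated in 2.4, dropped later; use 'remote-cert-tls server'"))
    elif "remote-cert-tls" not in got and ("tls-client" in got or "client" in got):
        findings.append(("high", "remote-cert-tls", "server cert role never checked; any cert from the CA can impersonate it"))
    if "comp-lzo" in got or "compress" in got:
        findings.append(("medium", "comp-lzo", "compression exposes tunnel contents to compression-oracle attacks (VORACLE); remove"))
    if not ({"tls-auth", "tls-crypt", "tls-crypt-v2"} & got.keys()):
        findings.append(("low", "tls-auth", "no control-channel key; tls-auth/tls-crypt shields the TLS handshake from scanners"))
    if "auth" not in got:
        findings.append(("low", "auth", "HMAC defaults to SHA1; set 'auth SHA256'"))
    for d in ("user", "group"):
        if d in off and d not in got:
            findings.append(("medium", d, f"'{d}' is commented out; enable it so the daemon drops root after startup"))
    if got.get("proto", [""])[0].startswith("tcp"):
        findings.append(("info", "proto", "TCP-over-TCP degrades badly under packet loss; prefer udp where the firewall allows"))
    return findings
```

Run audit() over openvpn_server1.conf as well: the commented-out user/group lines trigger the privilege-drop finding there, and the server's BF-CBC and comp-lzo are flagged the same way as on the client.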
Off-the-Record (OTR) Messaging allows you to have private conversations over instant messaging by providing:
Encryption
No one else can read your instant messages.
Authentication
You are assured the correspondent is who you think it is.
Deniability
The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
Perfect forward secrecy
If you lose control of your private keys, no previous conversation is compromised.
Privacy Levels
A conversation can have one of four privacy levels:
Not private
Alice and Bob are communicating with no cryptographic protection; they are not using OTR at all. Mallory, who is watching the network, can read everything they are saying to each other.
Private
Alice and Bob are using OTR, and they have authenticated each other. They are assured that they are actually talking to each other, and not to an imposter. They are also confident that no one watching the network can read their messages.
Unverified
Alice and Bob are using OTR, but they have not authenticated each other, which means they do not know for certain who they are talking to. It is possible that Mallory is impersonating one of them, or intercepting their conversation and reading everything they say to each other.
Finished
Alice was talking to Bob using OTR, but Bob has decided to stop using it. In this level, Alice is prevented from accidentally sending a private message without protection, by preventing her from sending any further messages to Bob at all. She must explicitly either end her side of the private conversation, or else start a new one.
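To make the four properties concrete, here is an added model in Python (mine, deliberately simplified; not libotr and not the real OTR message format) of the mechanism OTR uses: a fresh Diffie-Hellman key per ratchet step, an HMAC rather than a digital signature on every message, and publication of the previous MAC key once it is no longer needed. Publishing old MAC keys is what makes the transcript deniable, and discarding old DH private keys is what gives forward secrecy. The DH group (p = 2^127 - 1, generator 3) and the SHA-256 counter-mode stream cipher are toy stand-ins for OTR's 1536-bit MODP group and AES-CTR, and the initial authenticated key exchange is assumed rather than implemented.

```python
import hashlib
import hmac
import secrets

# Toy DH group for the demo only (p = 2^127 - 1, a Mersenne prime, generator 3);
# real OTR uses the 1536-bit MODP group from RFC 3526 with generator 2.
P = (1 << 127) - 1
G = 3


def kdf(shared: int, label: bytes) -> bytes:
    """Derive a purpose-specific 32-byte key from a DH shared secret."""
    return hashlib.sha256(label + shared.to_bytes(16, "big")).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built on SHA-256 (OTR uses AES in counter mode)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def mac_tag(mac_key: bytes, dh_pub: int, ct: bytes) -> bytes:
    """Messages carry an HMAC, not a signature: anyone holding mac_key can produce one."""
    return hmac.new(mac_key, dh_pub.to_bytes(16, "big") + ct, hashlib.sha256).digest()


class Party:
    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 2
        self.pub = pow(G, self.priv, P)
        self.peer_pub = None      # set after the (assumed) authenticated key exchange
        self.stale_mac = None     # MAC key of the previous DH pairing, published after a ratchet
        self.revealed = []        # MAC keys the peer has published (to us and to any eavesdropper)

    def session_keys(self):
        shared = pow(self.peer_pub, self.priv, P)
        return kdf(shared, b"enc"), kdf(shared, b"mac")

    def ratchet(self):
        """Pick a fresh DH key and forget the old private key; keys derived from it can
        no longer be recomputed from this party's state (forward secrecy)."""
        self.stale_mac = self.session_keys()[1]
        self.priv = secrets.randbelow(P - 2) + 2
        self.pub = pow(G, self.priv, P)

    def send(self, plaintext: bytes) -> dict:
        enc, mac = self.session_keys()
        ct = stream_xor(enc, plaintext)
        msg = {"dh": self.pub, "ct": ct, "mac": mac_tag(mac, self.pub, ct), "reveal": self.stale_mac}
        self.stale_mac = None
        return msg

    def receive(self, msg: dict) -> bytes:
        self.peer_pub = msg["dh"]                  # adopt the sender's (possibly new) DH key
        enc, mac = self.session_keys()
        if not hmac.compare_digest(mac_tag(mac, msg["dh"], msg["ct"]), msg["mac"]):
            raise ValueError("MAC check failed: forged or modified message")
        if msg["reveal"] is not None:
            self.revealed.append(msg["reveal"])
        return stream_xor(enc, msg["ct"])


def demo() -> dict:
    alice, bob = Party(), Party()
    alice.peer_pub, bob.peer_pub = bob.pub, alice.pub   # assume the AKE already authenticated these

    m1 = alice.send(b"meet at 9")
    bob_read = bob.receive(m1)                  # during the conversation Bob knows m1 is authentic
    old_mac = alice.session_keys()[1]
    alice.ratchet()                             # Alice now holds a new private key; the old one is gone
    bob.receive(alice.send(b"next message"))    # this message carries the stale MAC key in the clear

    # Deniability: with the revealed MAC key, Bob or anyone who sniffed it can forge a message
    # whose tag verifies exactly like m1's, so m1's MAC proves nothing to a third party.
    forged_ct = b"I never said this"
    forged_tag = mac_tag(bob.revealed[0], m1["dh"], forged_ct)
    judge_accepts_forged = hmac.compare_digest(mac_tag(old_mac, m1["dh"], forged_ct), forged_tag)

    # Forward secrecy: Alice's current state cannot decrypt m1 any more.
    current_enc = kdf(pow(bob.pub, alice.priv, P), b"enc")
    old_unrecoverable = stream_xor(current_enc, m1["ct"]) != b"meet at 9"
    return {"bob_read": bob_read, "judge_accepts_forged": judge_accepts_forged,
            "old_message_unrecoverable": old_unrecoverable,
            "revealed_is_old_mac": bob.revealed[0] == old_mac}
```

demo() returns the observations that map onto the list above: Bob's MAC check passes while the conversation is running (authentication), a message forged afterwards with the revealed key verifies just as well (deniability), and Alice's post-ratchet state cannot recover the earlier plaintext (forward secrecy). The authentication property rests on the key exchange this model skips: in the Unverified level the peer_pub values could just as well be Mallory's.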
P/S: I need to use it since precaution issues about IM came out … guys … let’s start encrypting whatever we think needs encrypting .. don’t let the others (man in the middle) get it …..
Nowadays .. have you all wondered what other ways information can leak out of your organization/company/etc.? IMHO Instant Messenger (IM) is one of them. Previously my CEO asked me whether someone could know/read/monitor what he is doing on IM. I said yes, it is possible .. then I asked about the company policy: are staff allowed to use IM? “Yes, let them use IM .. no need to block/prevent the staff from using it …” that was the answer …
So thanks to dakrone for the great job, because he has just released his new code called “Yahsnarf”, after releasing “AIMsnarf” previously.
With his code/project, maybe it will help sysadmins and security & network analysts work more easily. Here is some description of Yahsnarf taken from his post:
Yahsnarf requires Ruby, ruby-pcap and bit-struct (Thanks Matasano for introducing me to bit-struct, made this script take about 1/4rd the time to write)
I’m also currently working on an NSM-Console module for Yahsnarf.
This script is a little different than Aimsnarf, mostly because Aimsnarf was the first program I ever wrote in Ruby, so it tended to be just a little rusty, without the best design practices. For one, Yahsnarf is way smaller than Aimsnarf (70 lines to around 150), and Yahsnarf follows an object-oriented design. Enough of that, here’s what you can expect to see:
shell> sudo ./yahsnarf.rb -i en1
Use '-h' to display usage
Capture/Decoding...
buddy1 --> buddy2: This is a test of yahsnarf
buddy2 --> buddy1: A test this is of yahsnarf; it's awesome!
buddy1 --> buddy2: thanks for the help
You can also use ./yahsnarf.rb -r <pcapfile> to read and extract from a network capture file.
Pretty simple eh? Replace buddy1 and buddy2 with the screen names of the conversationalists. There are a few issues I’m still working out, like usernames not always showing up (they could for the most part). Also, this obviously does not work on encrypted messages (OTR or otherwise), so if you value your privacy, use encryption.
Remember, don’t ever say anything over IM that you wouldn’t mind the world knowing; you never know who could be listening in.
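To show what a tool like Yahsnarf has to do on the wire, here is an added example in Python (mine, not dakrone's code, which is Ruby): a decoder for the YMSG framing Yahoo Messenger used on TCP port 5050. Each packet is a 20-byte big-endian header ("YMSG", protocol version, vendor id, body length, service, status, session id) followed by key/value fields each terminated by the byte pair C0 80; an instant message is service 6 with the sender in field 4, the recipient in field 5 and the text in field 14. The packets below are produced by the example's own encoder, not captured traffic; the protocol version and session id are made up, and the service number of the filler packet is arbitrary.

```python
import struct

YMSG_HEADER = struct.Struct(">4sHHHHII")  # magic, version, vendor id, body length, service, status, session id
SEP = b"\xc0\x80"                         # terminates every key and every value in the body
SERVICE_MESSAGE = 0x06                    # instant message
KEY_FROM, KEY_TO, KEY_MSG = b"4", b"5", b"14"
SERVICE_FILLER = 0x12                     # stands in for any non-IM packet (number arbitrary here)


def build_ymsg(service: int, fields, version: int = 16, status: int = 0, session: int = 0x1234) -> bytes:
    """Encoder used only to construct demo traffic; a capture would supply these bytes."""
    body = b"".join(key + SEP + value + SEP for key, value in fields)
    return YMSG_HEADER.pack(b"YMSG", version, 0, len(body), service, status, session) + body


def split_packets(stream: bytes):
    """Yield decoded packets from a TCP payload that may carry several YMSG packets back to back."""
    off = 0
    while off + YMSG_HEADER.size <= len(stream):
        magic, _ver, _vendor, length, service, status, session = YMSG_HEADER.unpack_from(stream, off)
        if magic != b"YMSG":
            raise ValueError(f"lost YMSG sync at offset {off}")
        start = off + YMSG_HEADER.size
        body = stream[start:start + length]
        if len(body) < length:
            break                                # packet continues in the next TCP segment
        parts = body.split(SEP)[:-1]             # drop the empty piece after the final SEP
        fields = list(zip(parts[0::2], parts[1::2]))
        yield {"service": service, "status": status, "session": session, "fields": fields}
        off = start + length


def extract_messages(stream: bytes) -> list:
    """Return (sender, recipient, text) per IM packet: what Yahsnarf prints as 'a --> b: text'."""
    found = []
    for pkt in split_packets(stream):
        if pkt["service"] != SERVICE_MESSAGE:
            continue
        fields = dict(pkt["fields"])
        if KEY_MSG not in fields:
            continue
        text = lambda b: b.decode("utf-8", "replace")
        found.append((text(fields.get(KEY_FROM, b"?")), text(fields.get(KEY_TO, b"?")), text(fields[KEY_MSG])))
    return found


# Constructed sample stream: two IMs with a non-IM packet between them.
SAMPLE_STREAM = (
    build_ymsg(SERVICE_MESSAGE, [(KEY_FROM, b"buddy1"), (KEY_TO, b"buddy2"),
                                 (KEY_MSG, b"This is a test of yahsnarf")])
    + build_ymsg(SERVICE_FILLER, [(b"1", b"buddy1")])
    + build_ymsg(SERVICE_MESSAGE, [(KEY_FROM, b"buddy2"), (KEY_TO, b"buddy1"),
                                   (KEY_MSG, b"A test this is of yahsnarf; it's awesome!")])
)
```

Feed extract_messages the reassembled TCP payload of one direction (from a pcap via scapy or dpkt, or from a live tap on port 5050); it copes with several packets per segment and with a packet cut off at a segment boundary. As dakrone notes, once OTR is in use field 14 holds only the OTR ciphertext, and the decoder shows nothing useful.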
Sophos appeals for computer users to send in pictures to increase accuracy of new RAPIL system
IT security and control firm Sophos today announced its new RAPIL (Recognition and Analysis of Potentially Intruding Lifeforms) system which is able to produce a real-time forensic analysis of a PC or Mac user’s facial features to determine if they exhibit any characteristics commonly associated with hackers.
The new system uses webcams, now in widespread use on modern computers, to assess the facial characteristics of computer users, and cross-references them against features typically found in cybercriminals. Current tests show that with a clear background and provided the face is free of any obstructions, including hats, moustaches and sunglasses, the beta version of RAPIL has a success rate of 97.78 percent.
As the amount of malware created each month continues to grow, Sophos experts note that most hackers are now working for organised criminal gangs intent on breaking into the PCs of innocent victims to steal sensitive and confidential information which can then be used for financial gain. Until today, most security companies have focused their efforts on preventing these attacks by detecting the malicious software and stopping it running. With RAPIL, Sophos can identify and stop the hacker before the malware is ever even written. “Being able to stop the hackers before they even get a chance to write their malware, let alone spread it, is a breakthrough in the fight against cybercrime. Frankly this technology will put Sophos lightyears ahead of its competitors,” said Graham Cluley, senior technology consultant at Sophos. “With the amount of new cyberattacks we’re discovering every month, it’s increasingly difficult for computer users to ensure there are no holes in their security defences and that their PCs are fully defended. With our new solution that can identify key physical characteristics, we can literally see when someone has hacker written all over them.”
Sophos RAPIL blocks people it believes to be hackers from accessing computers.
RAPIL samples the signal from the webcam 32 times a second. Using various new and existing machine learning techniques, such as K-Means clustering, SVM classifiers, decision trees, cross validation and genetic programming, thousands of facial characteristics including retinal patterns, shape of the philtrum, symmetry of the lips, size of the forehead and facial expression are tested to establish the probability of the user being a hacker. Once identified as a cybercriminal, the PC screen automatically goes blank, the keyboard freezes and the first 512 GB of the hard drive is encrypted with a user-defined key – many hard drives will therefore be encrypted in their entirety. The solution is fully protected against rootkits which hackers may attempt to use to disable it.
At present, advanced evasion techniques such as facial polymorphism and metamorphism can be used by hackers to evade the system. The face is polymorphic if it is randomly obstructed by an item such as a hat, moustaches and glasses. Facial metamorphism, which occurs when the user changes their facial characteristics for every command run on the system, is even more difficult to detect. As part of the beta testing for RAPIL v0.401, Sophos is appealing for computer users to upload polymorphic pictures of themselves to help improve the accuracy of RAPIL still further.
To add to the Sophos library of faces and help the fight against cybercrime, please upload your photographs at: www.flickr.com/groups/ra-pil
Imunizator makes bogus claims that Apple Macs have privacy problems
Experts at SophosLabs™, Sophos’s global network of virus, spyware and spam analysis centers, have advised the Apple Macintosh community not to panic following the discovery of another Trojan horse for the Mac OS X platform. Instead, Apple Mac lovers are advised to ensure that they continue to take personal computer security seriously and have a secure defense in place.
The Trojan, named Troj/MacSwp-B (also known as Imunizator), tries to scare Mac users into purchasing unnecessary software by claiming that privacy issues have been discovered on the computer.
Imunizator makes bogus claims about Apple Mac’s privacy in an attempt to fool users into purchasing software.
“Windows users are no stranger to scareware like this, but it is rarer on the Apple Macintosh. Nevertheless MacSwp-B’s discovery does follow fast on the heels of other malware that has been identified on the Mac OS X platform in recent months,” said Graham Cluley, senior technology consultant for Sophos. “Cybercrime against Mac users may be small in comparison to Windows attacks, but it is growing. Apple Macintosh users need to learn from the mistakes made by their Windows cousins in the past and ensure that they have defenses in place, are up-to-date with patches and exercise caution about what they run on their computer.”
Sophos experts note that the new Trojan horse is closely related to another piece of Mac scareware, MacSweeper, which was being deployed in an attack via online adverts on British TV websites last month.
“It’s not unusual to see hackers repackage their malware in a variety of disguises to try and sneak it past anti-virus software,” explained Cluley.
Earlier this week, Sophos reported that a man has been accused of breaking anti-spyware laws by allegedly scaring people into purchasing bogus Windows security software. Criminal attacks against Mac users, although much rarer, have become more motivated by money since late 2007.
In January Sophos published its annual Security Threat Report, which described how financially motivated hackers had targeted Apple Mac computers with malware for the first time.