Spliced feed for Security Bloggers Network

Chinese advance-fee scam via Skype [The Dark Visitor] Posted: 01 Nov 2008 07:36 AM CDT Thanks to Websense Security Labs for informing us about a new advance-fee scam targeting Chinese Skype users.  Apparently, Chinese users get a message indicating that they have won a significant sum of money and prizes.  They are directed to a phishing website where they fill out contact information for the prizes but nothing too suspicious.  Finally, they are redirected to a bank transfer page where they will have to send in a fee of several hundred RMB to collect the prize.  I wonder if the officials reading Tom Skype users’ messages are falling for this too.

Win a free full conference pass to CSI [StillSecure, After All These Years] Posted: 01 Nov 2008 06:56 AM CDT I wrote about it yesterday but not sure I made it clear enough. I am going to award a full conference pass to the CSI show Nov 15-21 at the Gaylord National.  All you have to do is leave a comment with your email address about how going to educational conferences like CSI have helped you in your career.  I will pick the best one next week.  A full conference pass is more than 2,000 dollars, so it is a great chance.  BTW, I am not talking about just an exhibit pass, but a full conference pass to all of the sessions too. So leave your comment and may be the best person win!

Links for 2008-10-31 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"] Posted: 01 Nov 2008 12:00 AM CDT Mining enterprise SIM logs for relevant security event data Security School: Getting the most out of your SIM deployment Data loss prevention: Data Protection Security School: Security Schools: SearchSecurity.com ModSecurity Blog: Is Your Website Secure? Prove It.

The Geek 100 Pt. 5: Science and Electronics [HiR Information Report] Posted: 01 Nov 2008 12:00 AM CDT See the whole series: The Geek 100 This is a list of 100 basic things and skills every geek should have. I've broken this series up into five parts. Let's face it: a list of 100 things would be tedious to wade through. Over the rest of the week, look for twenty more skills to show up daily. The skills assume you have done it in the past and can remember how to do it right now (or, like a good Geek, you've jotted it down in one of your notebooks). Having it in your personal notebook is okay. Scrambling to the Internet means you don't have the skill... yet. Science. Every geek should be able to: Build a dry-ice bomb Build a gas-turbine engine from junkyard parts Build a usable battery from household materials Build an electric motor/generator from household materials Build some form of a rocket motor Comprehend and express orders of magnitude Make a non-Newtonian "Oobleck" fluid Make an explosion using only a few plastic containers, electricity and water Know how to make hot-packs or cold-packs with simple chemical reactions Use the Scientific Method Electronics. Every geek should be able to: Access debug mode on a mobile phone (preferably your own) Build a simple FM transmitter Build logic gates with discrete components Burn an (E)EPROM Calibrate and read an oscilloscope Program a microcontroller Properly use a digital multimeter to measure electric current Solder surface-mount components Use a logic probe Use a schematic diagram to assemble a simple circuit from parts See the whole series: The Geek 100

Links for 2008-10-31 [del.icio.us] [HiR Information Report] Posted: 01 Nov 2008 12:00 AM CDT ShellBags Registry Forensics « SANS Computer Forensics, Investigation, and Response Lots of juicy information stored in the registry that can leak information about deleted data. There's also a link to the forensic data mining tool that was made to take advantage of this flaw.

Book It! [BumpInTheWire.com] Posted: 31 Oct 2008 11:28 PM CDT Oklahoma 45 Nebraska  20

Skimming not a violation of PCI DSS [PCI Blog - Compliance Demystified] Posted: 31 Oct 2008 10:42 PM CDT It is important to remember that credit card skimming is an entirely different type of fraud than what the PCI DSS is meant to protect against. Remember that the PCI program has several sub-sections: PCI DSS, PCI PED, and PCI PA-DSS. Each of these are meant to address a different piece of the pie. The PCI DSS is meant to protect against the electronic and paper theft of credit card data within an organization. This applies to the 12 ‘digital dozen’ requirements and sub-requirements. It is not meant to protect against credit card skimming, which is a problem I don’t know anyone can solve. (Though the implementation of Chip-PIN plus iCVV may reduce this in the future.) In fact, skimming, cloning, and other credit card fraud is something that’s rather difficult to curtail.  But there is a difference between what PCI DSS is meant to protect and skimming fraud.  You see, skimming requires a physical presence.  If you are skimming the magnetic stripe or the RFID component, the attacker needs to be there physically.  This reduces the risk because (1) the attacker exposes themselves to greater risk of capture, and (2) these types of schemes do not scale well. In I can hack into a computer network (i.e. retailer, restaurant, university) and copy credit card data it does not require a physical presence and I can copy as much data as exists.  If the computer system or point of sale (POS) machine contains a million credit card numbers then viola!  In order to capture that same level of data from individuals via skimming would take a considerably longer period of time. The goal is always to focus on risk reduction because risk may well never reach zero (or will simply be cost prohibitive.)  By properly applying the PCI controls for data security, PIN pad security, and application security you can help reduce your risk of financial loss.

Oh noes! They be stealin' our garage doors! (Misc) [HiR Information Report] Posted: 31 Oct 2008 08:11 PM CDT A few things: First, Cowtown Computer Congress finally got blueprints of the building our hacker space will be located in. That's good news. The bad news? The awesome garage door we thought we'd have might be on the chopping block according to the blueprint -- as shown below the lolrus (which is actually a huge seal since it doesn't have tusks) Not cool. We're gonna try to have them leave the garage door. Also, CCCKC will be thowing a "build it for them to throw it" party on Nov. 22, a few days before the Plaza Lighting Ceremony. This event for CCCKC members will get a bunch of geeks together to build LED Throwies.  The plan is to use the throwies for the fund-raiser on the 26th. What better time of year to lob magnetized LEDs at things than the official kick-off of Kansas City's Holiday Season? Become a member of CCCKC, come out and help us build some throwies, and then kick it with all of us at the next fund raiser. Last but not least, I posted a fun project over at i-Hacked today.  Not many people knew that my RJ45 cuff links at DefCon were actually functional ethernet loopback testers. I walk you through the steps to build your own ethernet loopback tester that you can keep on your keychain or use as cuff links (if you make two). Photos below:

Security, Drinking Straws, Cavities and Wrinkles... [Rational Survivability] Posted: 31 Oct 2008 07:33 PM CDT I was reading an article on SlashFood titled "Drinking Straw: Friend or Foe" and chuckled at the parallels to the reflexive hyping, purchase and (oft failed) use of "solutions" in the security space.  Sometimes I think we need a securitysnopes.com: Recently, a friend passed along a tip from a dermatologist: Stop sipping through straws. The doctor said it was the number one cause of wrinkles. Even more recently, at lunch one day my aunt relayed some info from her husband, an orthodontist. He said that drinking through a straw prevents cavities and tooth decay, since straws allow sugary beverages to bypass your teeth. When my aunt said this, everybody around the table (six women) stuck straws in their drinks. But when I countered with the skincare side of the question, my aunt was the first to pluck her straw right back out again. Brings new meaning to "security sucks."  What's your favorite "security straw" analogy? /Hoff

CISM [Kees Leune] Posted: 31 Oct 2008 06:33 PM CDT Back in July, I blogged that I had passed my CISM exam. Today I was pleasantly surprised that all the paperwork had cleared and that I am now officially certified. Dear Dr. Kees Leune, CISM,CISSP Congratulations! We are pleased to inform you that on 31 October 2008 the CISM Certification Board approved your application and awarded you the Certified Information Security Manager (CISM) designation. What's next? We'll see. It's probably time for something more technical. Maybe a SANS class, or maybe something more off-beat, such as the training programs offered by Offensive Security. For the time being, I think I'll just ride the flow a bit and see what comes my way.

OpenBSD 4.4 is hitting the mirrors now! [HiR Information Report] Posted: 31 Oct 2008 05:43 PM CDT OpenBSD 4.4 is scheduled to be officially released November 1, 2008 (that would be tomorrow as of writing). It's already on some of the FTP mirror sites, though. I am installing this TONIGHT. I may try Ubuntu Intrepid Ibex that was released this week as well, but I'm really more excited about OpenBSD. I'm a little bit of a fanboy, if you can't tell.

Heroes: Neil Alden Armstrong [Infosecurity.US] Posted: 31 Oct 2008 03:39 PM CDT Neil Armstrong, is today’s Infosecurity.US Hero, a quiet, humble man, and the first human to set foot on the moon. A short expert from the official NASA page appears after the break, as well as a video of the first moon landing. From NASA: “Neil Alden Armstrong was born on August 5,1930 in Wapakoneta, Ohio. He [...]

Friday Summary: Happy Halloween! [securosis.com] Posted: 31 Oct 2008 02:28 PM CDT Man, I love Halloween; it is the ultimate hacker holiday. When else do we have an excuse to build home animatronics, scare the pants off people, and pretend to be someone else (outside of a penetration test)? Last year I built something I called “The Hanging Man” using a microcontroller, some windshield wiper motors, wireless sensors, my (basic) home automation system, and streaming audio. When trick or treaters walked up to the house it would trigger a sensor, black out the front of the house, spotlight a hooded pirate hanging from a gallows, push out some audio of a screaming guy, drop him 15 feet so he was right over the visitors, and then slowly hoist him back up for the next group. This year Adrian and I were pretty slammed so I not only didn’t build anything new, I barely managed to pull the old stuff out. Heck, both of us have big parties, but due to overlapping travel we can’t even make it to each other’s events. But next year… next year I have plans. Diabolical plans… It was a relatively quiet week on the security front, with no major disasters or announcements. On the election front we’re already hearing reports of various voting machine failures, and some states are looking at pulling them altogether. Personally, I stick with mail in ballots. This year election day will be a bit surreal since I’ll be in Moscow for a speaking engagement, and likely won’t stay up to see who won (or whose lawyers start attacking first). While I’m in Moscow, Adrian will be speaking on the Information Centric Security Lifecycle in Chicago for the Information Security Magazine/TechTarget Information Security Decisions conference. I’m a bit sad I won’t be up there to see everyone, but it was impossible to turn down a trip to Moscow. So don’t forget to vote, please don’t hack the vote, and hopefully I won’t be kidnapped by the Russian Mafia next week… Webcasts, Podcasts, and Conferences: The Network Security Podcast, Episode 125. David Mortman joins us to talk about his new gig at Debix and a recent study they released on identity theft and children. I posted a pre-release draft of my next Dark Reading column The Security Pro’s Guide to Thriving in a Down Economy up on the Hackers for Charity Informer site. This is a subscription site many of us are supporting with exclusive and early content to help generate funds for HFC. And by posting, I helped feed a child in an underdeveloped country for a month… Favorite Securosis Posts: Rich: The Five Stage of Cloud Computing Grief. Seriously, this cloud stuff is getting over the top. Adrian: Seems that the people behind Arizona proposition 200 should be hauled in front of the FTC for misleading advertising; this is the most grotesque example I have seen on a state ballot measure. Favorite Outside Posts: Adrian: The Hoff has been on a roll lately, but the post that caught my attention was his discussion of the security and compliance shell game of avoidance through SaaS and ‘Cloud’ services. I mean, it doesn’t count if my sensitive data is in the cloud, right? Rich: Martin asks a simple and profound question. What the hell are you doing with those credit card numbers in the first place?!? (He used nicer words, but you get the point). Top News: What a shock, there’s a worm taking advantage of last week’s RPC flaw in Microsoft Windows. ICANN is going after a fraud-supporting domain name registrar in Estonia. Heck, I think we should go after criminal hosts more often. Maryland and Virginia are dropping electronic voting and going back to paper. Amrit on the 10th anniversary of the Digital Millennium Copyright Act. The DMCA has done more to stifle our rights than to actually protect content. On the positive side, the DMCA has actually somewhat helped website operators and hosts by offering some protection when they host infringing materials, since they have to respond to takedown notices, but aren’t otherwise penalized. A Facebook worm uses Google to get around Facebook security. Most of these sites are a mess because preventing user generated content from abusing other users is a very hard problem. Even when they bother to try. More voting machine idiocy. And here. Look folks, it isn’t like we don’t know how to manage these things. Walk into any casino and you’ll see highly secure interactive systems. Can you imagine how much fun Vegas would be if they treated the slots like we treat voting machines? Blog Comment of the Week: Dryden on The Five Stages of Cloud Computing Grief: My version: Denial: We can't secure the cloud. Anger: Why the f&*k is my CIO telling me to secure the cloud? Bargaining: Can you please just tell me how you think we can secure the cloud? Depression: They're deploying the cloud. Acceptance: We can't secure the cloud. Disclaimer: “Cloud” can be replaced with virtually (pun intended) any technology. See you all in 2 weeks… -Rich

Fun Reading on Security AND Compliance – 9 [Anton Chuvakin Blog - "Security Warrior"] Posted: 31 Oct 2008 02:05 PM CDT Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security." Here is an issue #9, dated October 30th, 2008. BTW, I am renaming it into "Fun Reading on Security AND Compliance" "A Gartnergate?" What happened after Mr Pescatore uttered his now famous 12 words: "The best security program is at the business with the happiest customers." This (complete with Gunnar's famous "firewalls+SSL" chart), this – will add more as this snowballs. Do you have an "ignorable" security policy? If yours is BOTH "ignorable" and "unfair", then fuggedaboutit. Cisco survey kinda proves it. A few fun comments are here ("If people can't get their jobs done without having to find a way to circumvent policy then the policy is wrong.") Risk and clouds – here, here, here and here in poetic form (!). Fun reading, but you know what? For many, many organization, what they have today is LESS secure than any future cloud computing advance… Richard Bejtlich drop-kicks SIEM too, then kicks it in the balls. Then kicks the dead horse (1,2,3) Excellent reminder about why people don't care about security with a fabled quote from MJR (yes, it is my fave too!) Overall, Rich "reassures" with: "Don't worry. When things get bad enough, we'll get the call. If you've kept your documentation and communications up, you won't get shafted with the proverbial short end." A few essays on risk, from ANSI, from Schneier and from BlogInfoSec (part 1 and part 2, especially read part 2) So, what do CTOs really do every day? Interesting summary here and here. Fun exploration of security x privacy x compliance. Burton Group opines on which security technologies will fare better/worse during "The crisis" A really fun interview with our CEO Philippe Courtot here. More on IT vs IT security, this time from Richard. Do you want people like that doing "security"? A normal call center employee recognizes fraud, but their so-called "outsource security dept" authorizes the scam. Niiice. Finally, "Robots Hunt 'Non-Cooperative Humans' in Army Plan" No comment :-) Enjoy! About me: http://www.chuvakin.org

State Department Data Theft [securosis.com] Posted: 31 Oct 2008 01:15 PM CDT This story has it all … theft of State Department data, forged credit cards, multi-government branch conspiracy, and murdered suspects.  Sounds like an afternoon soap opera more than a Stolen Passport Data story from the Washington Post:    … On March 25, D.C. police officers on a routine patrol stopped a car on the suspicion that its windows were excessively tinted, an apparent violation of city law. Smelling marijuana, the officers searched the car and discovered that the 24-year-old driver was carrying 21 credit cards not in his name and printouts of eight passport applications — and that four of the names on the passport applications matched the names on four of the credit cards … But the investigation was hampered because Harris was fatally shot while getting into his car in Northeast Washington on April 17, just days after appearing in court on fraud charges and shortly after he agreed to cooperate in the probe …   The passport applicant database, given the type, quality and quantity of data contained therein, is like winning the identity theft lottery.  The State Department has some ’splainin to do!  -Adrian

VMWare Security Advisory: Updated ESX Internal Packages [Infosecurity.US] Posted: 31 Oct 2008 11:34 AM CDT VMWare Inc. (NasdaqGS: VMW) has announced a security advisory, focused on their ESX Server product line - a bare metal hypervisor for virtual machines - (specifically an update to the  libxml2, ucd-snmp, libtiff packages). MITRE has assigned CVE-2008-3281 CVE-2008-0960 CVE-2008-2327 to the vulnerabilities targeted by this update. The full announcement appears after the break, along with [...]

Genius: Richard Feynman, Ph.D. [Infosecurity.US] Posted: 31 Oct 2008 11:27 AM CDT Infosecurity.US starts it’s Genius Series with indisputably one of the most important minds of the twentieth century, Richard Feynman, Physicist, Noble Laureate, and winner of the Nobel Prize in Physics 1965. A short, abridged biography appears after the break. Richard  Feynman, born May 11, 1918 in NYC, studied at MIT. He was awarded his B.Sc. in [...]

ICANN: EstDomains Termination Stayed [Infosecurity.US] Posted: 31 Oct 2008 10:08 AM CDT Troubling update to the ESTDomains/Atrivo controversy (and yesterday’s welcome revelation of the apparent termination - now on hold - of EstDomains’ Registrar Accreditation: ICANN has issued a stay, pursuant to their ‘analysis’ of ESTDomains claims to the contrary. Quite frankly, this is no surprise, given the sheer volume of illicit gain garnered by the ESTDomains criminal [...]

Shimel: Security Bloggers Network Designated Press Bloggers At CSI Conference [Infosecurity.US] Posted: 31 Oct 2008 10:00 AM CDT Alan Shimel, security blogger extraordinaire (his blog - StillSecure After All These Years is today’s MustRead), and a senior executive at StillSecure, has announced the designation of the Security Bloggers Network [Infosecurity.US is a SBN member blog] as Press at the annual Computer Security Institute (CSI)  Conference slated for November 15th to the 21st, 2008 [...]

Microsoft Security Advisory: Cumulative Update - ActiveX Kill Bits [Infosecurity.US] Posted: 31 Oct 2008 08:58 AM CDT Microsoft Corporation (NasdaqGS: MSFT) has announced a new  Security Advisory monikered Cumulative Security Update of ActiveX Kill Bits. Specifically, the update sets the kill bits for third-party software, which, coincidentally, are enumerated after the break. From the Advisory: This update sets the kill bits for the following third-party software: Microgaming Download Helper. Microgaming has issued an advisory and [...]

The Geek 100 Pt. 4: Development and Cryptography [HiR Information Report] Posted: 31 Oct 2008 06:00 AM CDT See the whole series: The Geek 100 This is a list of 100 basic things and skills every geek should have. I've broken this series up into five parts. Let's face it: a list of 100 things would be tedious to wade through. Over the rest of the week, look for twenty more skills to show up daily. The skills assume you have done it in the past and can remember how to do it right now (or, like a good Geek, you've jotted it down in one of your notebooks). Having it in your personal notebook is okay. Scrambling to the Internet means you don't have the skill... yet. Props to my friend Joshua Kriegshauser for help with the Software Development skills. I'm not a coder. He's the Technical Director of the EverQuest II team at SCEA. That makes him more than qualified to help me out here. Software Development. Every geek should be able to: Competently program in a compiled language Competently program in a script-interpreted language Create dynamic web pages that are resistant to XSS, CSRF and Injection Display at least casual knowledge of assembly language Describe endianness and which endians are used on popular platforms Have a firm understanding of object oriented programming Integrate a captcha into a web form Reverse-engineer and debug software Use a hex editor Use a revision-control system Cryptography. Every geek should be able to: Analyze a substitution cipher Encrypt and tunnel arbitrary traffic Explain both strengths and weaknesses of asymmetric encryption Explain the significance of hash functions Explain Enigma (Fun Link) Implement a quick, secure symmetric cipher algorithm Implement steganography Set up full-drive-encryption Set up SSH with public keys Use an effective manual encryption scheme See the whole series: The Geek 100

Google Hacking and the Dangers of Search Engines [ImperViews] Posted: 31 Oct 2008 03:02 AM CDT Earlier this week, I presented at the RSA Europe Conference in London. The presentation topic was Internet search engines (in particular Google) and Web application security. I presented a set of threat vectors in which attackers do not interact directly with either the target application or the victim, but rather operate through search engines. Some of the techniques (i.e. Google Hacking) have traditionally been used for the reconnaissance stage of the attack. I discussed alternative uses such as sensitive data extraction, worm proliferation, malware distribution and more. My main concerns with respect to these threats are: -Lack of awareness (and hence the lack of proper mitigation tools). -Search engine operators, while trying to mitigate some of the issues, do not distinguish between application owners and potential attackers. For example, there is a limit to the search rate based on source IP address. While true attackers are hardly affected by this, site owners are denied the possibility of automated, proactive mitigation. Together with SQL Injection rennaisance, I think that search engine related threads are a growing trend in web application threats.  - Amichai

Links for 2008-10-30 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"] Posted: 31 Oct 2008 12:00 AM CDT Log4j Best Practices Log4j Best Practices Julius Davies, June 9th, 2008 Before You Do Anything Else Take a look at this logging checklist by Anton Chuvakin. HOSTED SERVICES: Security Reaches For the Clouds - 09..2008 - Bank Technology News Article Cloud Computing - The Good, The Bad, and the Cloudy « Amrit Williams Blog CLOUD COMPUTING - STORMY WEATHER? | RiskAnalys.is Emergent Chaos: CTOs, Product Management and Program Management The role of a good CTO is to understand the market and customer pain, shape consensus around what a solution looks like, spec that solution, then drive implementation and the inevitable tradeoffs and ship a solution which makes customers happy. There's also a responsibility to be a company leader, hiring, shaping the culture, and participating in the executive decisions the company makes. Sometimes, there's a need to step in and build. But a large part of the CTO role is that of the program manager. I think this is why I'm able to succeed as a program manager—I've been at it for a while. Layer 8 - Why Security, Privacy and Compliance don’t mix ANSI Launches Guide to Help Calculate Cyber Security Risk - Security/Perimeter - DarkReading The Difference between Quantitative and Qualitative Risk Analysis and Why It Matters (Part 2) | BlogInfoSec.com

Links for 2008-10-30 [del.icio.us] [Anton Chuvakin Blog - "Security Warrior"] Posted: 31 Oct 2008 12:00 AM CDT Log4j Best Practices Log4j Best Practices Julius Davies, June 9th, 2008 Before You Do Anything Else Take a look at this logging checklist by Anton Chuvakin. HOSTED SERVICES: Security Reaches For the Clouds - 09..2008 - Bank Technology News Article Cloud Computing - The Good, The Bad, and the Cloudy « Amrit Williams Blog CLOUD COMPUTING - STORMY WEATHER? | RiskAnalys.is Emergent Chaos: CTOs, Product Management and Program Management The role of a good CTO is to understand the market and customer pain, shape consensus around what a solution looks like, spec that solution, then drive implementation and the inevitable tradeoffs and ship a solution which makes customers happy. There's also a responsibility to be a company leader, hiring, shaping the culture, and participating in the executive decisions the company makes. Sometimes, there's a need to step in and build. But a large part of the CTO role is that of the program manager. I think this is why I'm able to succeed as a program manager—I've been at it for a while. Layer 8 - Why Security, Privacy and Compliance don’t mix ANSI Launches Guide to Help Calculate Cyber Security Risk - Security/Perimeter - DarkReading The Difference between Quantitative and Qualitative Risk Analysis and Why It Matters (Part 2) | BlogInfoSec.com

Virtualization? Give me a better OS instead! [Security Balance] Posted: 30 Oct 2008 11:18 PM CDT Do we really need to go that deep into virtualization? I may sound dumb to try to reason against something that everybody is embracing, but that’s usually what I like to do about hypes OK, you’ll probably throw a lot of advantages of virtualization on me. And I agree that most of them are true. I was reading that some companies are being able  to increase their hardware processors utilization from 10 to 60% through virtualization. There is also all that high availability stuff from VMotion and other new products that are being released everyday. OK, but… Let’s go back some years and see how we end up where we are. Imagine that you had to put two new applications in production, A and B. To ensure proper segragation you decide to put both applications on their own servers, X and Y. Of course, are they are both critical apps, you also build servers Z and V for high availability purposes. In a few months, people start to complain the servers utilization is too low. They are consuming too much power, rack space, blah blah blah. Ok, then someone gets a nice rabbit from a hat called virtualization. Wow! Now you transform the hardware X and Y into VM servers (or whatever you wanna call it), build separate VMs for A and B and as you VM product has a nice feature of dynamically moving images from a box to another, you don’t need Z and V anymore. Wow! You’ve just saved 50% of servers related cost! OK,  could probably be worried about putting those application in the same “real” box. After all, you decided before that they should be running on different servers, and here they are on the same box! But you look into the problem and notice: - One virtual server cannot interact with the other - Problems caused by application A still can’t cause problems on application B server - A security breach on virtual server A will not affect virtual server B Ok, everything is still good and you go to bed happy with the new solution. No, people are greedy! Seriously, now that we have all those servers on the same box, why can’t we have a little more control over their access to resources available? Like, if one server is not using all memory allocated to it, why can’t the other one use that when it needs? Same for processing power, storage? But in order to do that the Hypervisor would need a better view into what is happening into those black boxes…why not make them aware of the VM environment? Build APIs that allow communication between the guest OSes and the hypervisor? Nice! Now things are starting to get really advanced! But where is that segregation that was mentioned before? Won’t all this interaction between the HV and the guest OSes reduce the isolation? Of course it will! Some attacks from guest OSes to the HV or to other guest OSes are now possible. Anyway, it’s the price for better management and better resource utilization. Isn’t it? Yes, it is. We already knew it! Isn’t it the price to put two application on the same REAL box? Let’s see. We want hardware resources to be shared by the applications and something controlling it. One application shouldn’t be affected by the other or access non-authorized resources. And we want high availability too. Well, please tell me if I’m wrong, but for me these things are just the requirements of a good Operating System with cluster capabilities! Virtualization guys usually refer to mainframes as a virtualization success case. They are right about it. But on mainframes LPARs (their name for VMs) are usually used to isolate completely different environments, like development and production. It is very common to find several applications running on the same LPAR, being segregated only by the OS and Security Manager (that can be seen as part of the OS). Usually, LPARs are used because organizations can’t afford different hardware for things like, testing, certification and development, whilst on the “new virtualization” world VMs are used to optimize resource utilization. As far as I remember from my Operating System course classes from university, that was the Operating System role. Are we creating this beast because we couldn’t produce a Operating System that does its job?

You are subscribed to email updates from Security Bloggers Network To stop receiving these emails, you may unsubscribe now.	Email Delivery powered by FeedBurner
Inbox too full? Subscribe to the feed version of Security Bloggers Network in a feed reader.
If you prefer to unsubscribe via postal mail, write to: Security Bloggers Network, c/o FeedBurner, 20 W Kinzie, 9th Floor, Chicago IL USA 60610