Security and Hardening Guide Security and Hardening Guide SUSE Linux Enterprise Desktop 15 SP2

Total Page:16

File Type:pdf, Size:1020Kb

Security and Hardening Guide Security and Hardening Guide SUSE Linux Enterprise Desktop 15 SP2 SUSE Linux Enterprise Desktop 15 SP2 Security and Hardening Guide Security and Hardening Guide SUSE Linux Enterprise Desktop 15 SP2 Introduces basic concepts of system security, covering both local and network security aspects. Shows how to use the product inherent security software like AppArmor, SELinux, or the auditing system that reliably collects information about any security-relevant events. Supports the administrator with security-related choices and decisions in installing and setting up a secure SUSE Linux Enterprise Server and additional processes to further secure and harden that installation. Publication Date: September 24, 2021 SUSE LLC 1800 South Novell Place Provo, UT 84606 USA https://documentation.suse.com Copyright © 2006– 2021 SUSE LLC and contributors. All rights reserved. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”. For SUSE trademarks, see https://www.suse.com/company/legal/ . All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its aliates. Asterisks (*) denote third-party trademarks. All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its aliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof. Contents About This Guide xvi 1 Available Documentation xvi 2 Giving Feedback xvii 3 Documentation Conventions xviii 4 Product Life Cycle and Support xx Support Statement for SUSE Linux Enterprise Desktop xx • Technology Previews xxi 1 Security and Confidentiality 1 1.1 Overview 1 1.2 Passwords 2 1.3 System Integrity 2 1.4 File Access 3 1.5 Networking 4 1.6 Software Vulnerabilities 4 1.7 Malware 5 1.8 Important Security Tips 6 1.9 Reporting Security Issues 7 2 Common Criteria 8 2.1 Introduction 8 2.2 Evaluation Assurance Level (EAL) 8 2.3 Generic Guiding Principles 9 2.4 For More Information 11 iii Security and Hardening Guide I AUTHENTICATION 13 3 Authentication with PAM 14 3.1 What is PAM? 14 3.2 Structure of a PAM Configuration File 15 3.3 The PAM Configuration of sshd 17 3.4 Configuration of PAM Modules 20 pam_env.conf 20 • pam_mount.conf.xml 21 • limits.conf 21 3.5 Configuring PAM Using pam-config 22 3.6 Manually Configuring PAM 23 3.7 For More Information 23 4 Using NIS 25 4.1 Configuring NIS Servers 25 4.2 Configuring NIS Clients 25 5 Setting Up Authentication Clients Using YaST 27 5.1 Configuring an Authentication Client with YaST 27 5.2 SSSD 27 Checking the Status 28 • Caching 28 6 LDAP—A Directory Service 29 6.1 Structure of an LDAP Directory Tree 29 6.2 Installing the Software for 389 Directory Server 32 6.3 For More Information 32 7 Network Authentication with Kerberos 33 7.1 Conceptual Overview 33 7.2 Kerberos Terminology 33 iv Security and Hardening Guide 7.3 How Kerberos Works 35 First Contact 35 • Requesting a Service 36 • Mutual Authentication 37 • Ticket Granting—Contacting All Servers 37 7.4 User View of Kerberos 38 7.5 Setting up Kerberos using LDAP and Kerberos Client 39 7.6 Kerberos and NFS 42 Group Membership 43 • Performance and Scalability 44 • Master KDC, Multiple Domains, and Trust Relationships 45 7.7 For More Information 46 8 Active Directory Support 47 8.1 Integrating Linux and Active Directory Environments 47 8.2 Background Information for Linux Active Directory Support 48 Domain Join 50 • Domain Login and User Homes 51 • Offline Service and Policy Support 52 8.3 Configuring a Linux Client for Active Directory 53 Choosing Which YaST Module to Use for Connecting to Active Directory 54 • Joining Active Directory Using User Logon Management 55 • Joining Active Directory Using Windows Domain Membership 59 • Checking Active Directory Connection Status 62 8.4 Logging In to an Active Directory Domain 62 GDM 62 • Console Login 63 8.5 Changing Passwords 63 9 Setting Up a FreeRADIUS Server 65 9.1 Installation and Testing on SUSE Linux Enterprise 65 II LOCAL SECURITY 68 10 Physical Security 69 10.1 System Locks 69 v Security and Hardening Guide 10.2 Locking Down the BIOS 70 10.3 Security via the Boot Loaders 71 10.4 Retiring Linux Servers with Sensitive Data 71 scrub: Disk Overwrite Utility 72 10.5 Restricting Access to Removable Media 73 11 Automatic Security Checks with seccheck 75 11.1 Seccheck Timers 75 11.2 Enabling Seccheck Timers 75 11.3 Daily, Weekly, and Monthly Checks 76 11.4 Automatic Logout 78 12 Software Management 79 12.1 Removing Unnecessary Software Packages (RPMs) 79 12.2 Patching Linux Systems 81 YaST Online Update 82 • Automatic Online Update 82 • Repository Mirroring Tool—RMT 82 • SUSE Manager 83 13 File Management 85 13.1 Disk Partitions 85 13.2 Checking File Permissions and Ownership 86 13.3 Default umask 86 13.4 SUID/SGID Files 87 13.5 World-Writable Files 88 13.6 Orphaned or Unowned Files 89 vi Security and Hardening Guide 14 Encrypting Partitions and Files 90 14.1 Setting Up an Encrypted File System with YaST 90 Creating an Encrypted Partition during Installation 91 • Creating an Encrypted Partition on a Running System 92 • Encrypting the Content of Removable Media 92 14.2 Encrypting Files with GPG 93 15 Storage Encryption for Hosted Applications with cryptctl 94 15.1 Setting Up a cryptctl Server 95 15.2 Setting Up a cryptctl Client 97 15.3 Checking Partition Unlock Status Using Server-side Commands 100 15.4 Unlocking Encrypted Partitions Manually 101 15.5 Maintenance Downtime Procedure 101 15.6 For More Information 101 16 User Management 102 16.1 Various Account Checks 102 Unlocked Accounts 102 • Unused Accounts 102 16.2 Enabling Password Aging 103 16.3 Stronger Password Enforcement 105 16.4 Password and Login Management with PAM 105 Password Strength 106 • Restricting Use of Previous Passwords 107 • Locking User Accounts After Too Many Login Failures 108 16.5 Restricting root Logins 109 Restricting Local Text Console Logins 109 • Restricting Graphical Session Logins 111 • Restricting SSH Logins 111 16.6 Setting an Inactivity Timeout for Interactive Shell Sessions 112 vii Security and Hardening Guide 16.7 Preventing Accidental Denial of Service 114 Example for Restricting System Resources 114 16.8 Displaying Login Banners 117 16.9 Connection Accounting Utilities 118 17 Spectre/Meltdown Checker 119 17.1 Using spectre-meltdown-checker 119 17.2 Additional Information about Spectre/Meltdown 121 18 Configuring Security Settings with YaST 122 18.1 Security Overview 122 18.2 Predefined Security Configurations 123 18.3 Password Settings 124 18.4 Boot Settings 125 18.5 Login Settings 125 18.6 User Addition 125 18.7 Miscellaneous Settings 125 19 Authorization with PolKit 127 19.1 Conceptual Overview 127 Available Authentication Agents 127 • Structure of PolKit 127 • Available Commands 128 • Available Policies and Supported Applications 128 19.2 Authorization Types 130 Implicit Privileges 130 • Explicit Privileges 131 • Default Privileges 131 19.3 Querying Privileges 131 19.4 Modifying Configuration Files 132 Adding Action Rules 132 • Adding Authorization Rules 133 • Modifying Configuration Files for Implicit Privileges 134 19.5 Restoring the Default Privileges 135 viii Security and Hardening Guide 20 Access Control Lists in Linux 137 20.1 Traditional File Permissions 137 The setuid Bit 138 • The setgid Bit 138 • The Sticky Bit 139 20.2 Advantages of ACLs 139 20.3 Definitions 139 20.4 Handling ACLs 140 ACL Entries and File Mode Permission Bits 141 • A Directory with an ACL 142 • A Directory with a Default ACL 145 • The ACL Check Algorithm 147 20.5 ACL Support in Applications 148 20.6 For More Information 148 21 Certificate Store 149 21.1 Activating Certificate Store 149 21.2 Importing Certificates 149 22 Intrusion Detection with AIDE 151 22.1 Why Use AIDE? 151 22.2 Setting Up an AIDE Database 151 22.3 Local AIDE Checks 154 22.4 System Independent Checking 156 22.5 For More Information 157 III NETWORK SECURITY 158 23 X Window System and X Authentication 159 24 SSH: Secure Network Operations 160 24.1 ssh—Secure Shell 160 Starting X Applications on a Remote Host 161 • Agent Forwarding 161 ix Security and Hardening Guide 24.2 scp—Secure Copy 161 24.3 sftp—Secure File Transfer 162 Using sftp 162 • Setting Permissions for File Uploads 163 24.4 The SSH Daemon (sshd) 164 Maintaining SSH Keys 165 • Rotating Host Keys 165 24.5 SSH Authentication Mechanisms 166 Generating an SSH Key 167 • Copying an SSH Key 167 • Using the ssh- agent 168 24.6 Port Forwarding 169 24.7 Adding and Removing Public Keys on an Installed System 170 24.8 For More Information 170 25 Masquerading and Firewalls 172 25.1 Packet Filtering with iptables 172 25.2 Masquerading Basics 175 25.3 Firewalling Basics 176 25.4 firewalld 177 Configuring the Firewall with NetworkManager 178 • Configuring the Firewall with YaST 178 • Configuring the Firewall on the Command Line 179 • Accessing Services Listening on Dynamic Ports 183 25.5 Migrating from SuSEfirewall2 186 25.6 For More Information 188 26 Configuring a VPN Server 189 26.1 Conceptual Overview 189 Terminology 189 • VPN Scenarios 190 26.2 Setting Up a Simple Test Scenario 192 Configuring the VPN Server 193 • Configuring the VPN Clients 194 • Testing the VPN Example Scenario 195 x Security and Hardening Guide 26.3 Setting Up Your VPN
Recommended publications
  • Internet Security Threat Report VOLUME 21, APRIL 2016 TABLE of CONTENTS 2016 Internet Security Threat Report 2
    Internet Security Threat Report VOLUME 21, APRIL 2016 TABLE OF CONTENTS 2016 Internet Security Threat Report 2 CONTENTS 4 Introduction 21 Tech Support Scams Go Nuclear, 39 Infographic: A New Zero-Day Vulnerability Spreading Ransomware Discovered Every Week in 2015 5 Executive Summary 22 Malvertising 39 Infographic: A New Zero-Day Vulnerability Discovered Every Week in 2015 8 BIG NUMBERS 23 Cybersecurity Challenges For Website Owners 40 Spear Phishing 10 MOBILE DEVICES & THE 23 Put Your Money Where Your Mouse Is 43 Active Attack Groups in 2015 INTERNET OF THINGS 23 Websites Are Still Vulnerable to Attacks 44 Infographic: Attackers Target Both Large and Small Businesses 10 Smartphones Leading to Malware and Data Breaches and Mobile Devices 23 Moving to Stronger Authentication 45 Profiting from High-Level Corporate Attacks and the Butterfly Effect 10 One Phone Per Person 24 Accelerating to Always-On Encryption 45 Cybersecurity, Cybersabotage, and Coping 11 Cross-Over Threats 24 Reinforced Reassurance with Black Swan Events 11 Android Attacks Become More Stealthy 25 Websites Need to Become Harder to 46 Cybersabotage and 12 How Malicious Video Messages Could Attack the Threat of “Hybrid Warfare” Lead to Stagefright and Stagefright 2.0 25 SSL/TLS and The 46 Small Business and the Dirty Linen Attack Industry’s Response 13 Android Users under Fire with Phishing 47 Industrial Control Systems and Ransomware 25 The Evolution of Encryption Vulnerable to Attacks 13 Apple iOS Users Now More at Risk than 25 Strength in Numbers 47 Obscurity is No Defense
    [Show full text]
  • Efficiently Mitigating Transient Execution Attacks Using the Unmapped Speculation Contract Jonathan Behrens, Anton Cao, Cel Skeggs, Adam Belay, M
    Efficiently Mitigating Transient Execution Attacks using the Unmapped Speculation Contract Jonathan Behrens, Anton Cao, Cel Skeggs, Adam Belay, M. Frans Kaashoek, and Nickolai Zeldovich, MIT CSAIL https://www.usenix.org/conference/osdi20/presentation/behrens This paper is included in the Proceedings of the 14th USENIX Symposium on Operating Systems Design and Implementation November 4–6, 2020 978-1-939133-19-9 Open access to the Proceedings of the 14th USENIX Symposium on Operating Systems Design and Implementation is sponsored by USENIX Efficiently Mitigating Transient Execution Attacks using the Unmapped Speculation Contract Jonathan Behrens, Anton Cao, Cel Skeggs, Adam Belay, M. Frans Kaashoek, and Nickolai Zeldovich MIT CSAIL Abstract designers have implemented a range of mitigations to defeat transient execution attacks, including state flushing, selectively Today’s kernels pay a performance penalty for mitigations— preventing speculative execution, and removing observation such as KPTI, retpoline, return stack stuffing, speculation channels [5]. These mitigations impose performance over- barriers—to protect against transient execution side-channel heads (see §2): some of the mitigations must be applied at attacks such as Meltdown [21] and Spectre [16]. each privilege mode transition (e.g., system call entry and exit), To address this performance penalty, this paper articulates and some must be applied to all running code (e.g., retpolines the unmapped speculation contract, an observation that mem- for all indirect jumps). In some cases, they are so expensive ory that isn’t mapped in a page table cannot be leaked through that OS vendors have decided to leave them disabled by de- transient execution. To demonstrate the value of this contract, fault [2, 22].
    [Show full text]
  • Bank of Chile Affected by Cyber-Attack Malware Found Pre
    JUNE 2018 Bank of Chile Affected By Cyber-Attack On May 28, 2018, the Bank of Chile, the largest bank operating in the country, declared in a public statement that a virus presumably sent from outside of the country affected the bank’s operations. According to the announcement, the virus was discovered by internal IT experts on May 24. It impacted workstations, executives’ terminals, and cashier personnel, causing difficulties in office services and telephone banking. After the emergency, the Bank of Chile activated its contingency protocol by disconnecting some workstations and suspending normal operations to avoid the propagation of the virus. Although the virus severely affected the quality of banking services, the institution assured that the security of transactions, as well as client information and money remained safe at all times. Pinkerton assesses that cyber-attacks targeting financial institutions and international banks form part of a trend that is likely to continue increasing in 2018. So far, Pinkerton Vigilance Network sources had identified Mexico and Chile as the two most impacted by cyber-crimes in Latin America; however, Pinkerton finds that no nation is exempt from becoming a target. Clients are encouraged to review the standard regulations on cyber- security for their banks and its contingency protocols in the event of cyber-attacks. Any unrecognized banking operation or phishing scam should be reported as soon as possible to the Bank of Chile emergency phone line (600) 637 3737. For further information concerning security advise from the Bank of Chile, the following website can be consulted: https://ww3.bancochile.cl/wps/wcm/connect/personas/portal/seguridad/inicio-seguridad#Tab_ Acorden_Respon3.
    [Show full text]
  • An Empirical Evaluation of Misconfiguration in Internet Services
    TECHNISCHE UNIVERSITÄT BERLIN FAKULTÄT FÜR ELEKTROTECHNIK UND INFORMATIK LEHRSTUHL FÜR INTELLIGENTE NETZE UND MANAGEMENT VERTEILTER SYSTEME UND LEHRSTUHL FÜR SECURITY IN TELECOMMUNICATIONS An Empirical Evaluation of Misconfguration in Internet Services vorgelegt von Tobias Fiebig geb. Wrona, MSc Geboren in Dissen am Teutoburger Wald Fakultät IV – Elektrotechnik und Informatik der Technischen Universität Berlin zur Erlangung des akademischen Grades DOKTOR DER INGENIEURWISSENSCHAFTEN (DR.-ING.) Promotionsausschuss: Vorsitzender: Prof. Dr.-Ing. Sebastian Möller, TU Berlin Gutachterin: Prof. Anja Feldmann, Ph. D., TU Berlin Gutachter: Prof. Dr. Jean-Pierre Seifert, TU Berlin Gutachter: Prof. Dr. Steve Uhlig, Queen Mary University of London Tag der wissenschaftlichen Aussprache: 16. Juni 2017 Berlin 2017 Für meinen Opa. I Abstract Within the past thirty years we have seen computers rise from room sized niche equipment to handy pocket sized devices found in every household. At the same time there has been a signifcant increase in the research effort on computer security. The literature is full of sophisticated attacks to obtain confdential information from computer systems, compro- mise them, or prevent them from being used at all. Simultaneously, mitigations to these attacks are as well studied. Technically, current attacks could be mitigated by deploying these techniques. In fact, there is a constant stream of new, complex techniques to ensure the confdentiality, integrity, and availability of data and systems. However, even the recent past has not been short of security incidents affecting billions of people. Yet, these incidents are usually neither enabled nor mitigated by these complex techniques. On the contrary, we fnd that these breaches are usually caused by something far more simple: Human error in deploying and running network services, e.g., delayed software updates, or, no authentication and authorization being confgured even though it would have been available.
    [Show full text]
  • VULNERABLE by DESIGN: MITIGATING DESIGN FLAWS in HARDWARE and SOFTWARE Konoth, R.K
    VU Research Portal VULNERABLE BY DESIGN: MITIGATING DESIGN FLAWS IN HARDWARE AND SOFTWARE Konoth, R.K. 2020 document version Publisher's PDF, also known as Version of record Link to publication in VU Research Portal citation for published version (APA) Konoth, R. K. (2020). VULNERABLE BY DESIGN: MITIGATING DESIGN FLAWS IN HARDWARE AND SOFTWARE. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain • You may freely distribute the URL identifying the publication in the public portal ? Take down policy If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. E-mail address: [email protected] Download date: 07. Oct. 2021 VULNERABLE BY DESIGN: MITIGATING DESIGN FLAWS IN HARDWARE AND SOFTWARE PH.D. THESIS RADHESH KRISHNAN KONOTH VRIJE UNIVERSITEIT AMSTERDAM, 2020 Faculty of Science The research reported in this dissertation was conducted at the Faculty of Science — at the Department of Computer Science — of the Vrije Universiteit Amsterdam This work was supported by the MALPAY consortium, consisting of the Dutch national police, ING, ABN AMRO, Rabobank, Fox-IT, and TNO.
    [Show full text]
  • The Hi-Tech Crime Trends
    Октябрь 2018 group-ib.ru The Hi-Tech Crime Trends 2018 Hi-Tech Crime 2 Trends 2018 СОДЕРЖАНИЕ 1. Ключевые выводы 3 2. Прогнозы 7 3. УЯЗВИМОСТИ микропроцессоров и прошивок 10 Аппаратные уязвимости 10 Уязвимости BIOS/UEFI 12 4. САБОТАЖ И ШПИОНАЖ 15 Целевые атаки на критическую инфраструктуру 16 Массовые атаки с нечеткой целью от Black Energy 18 Атаки на банки с целью саботажа 18 Атаки на роутеры и другие устройства 19 Тренды в тактиках атак с целью саботажа и шпионажа 20 5. Хищения 22 Оценка рынка высокотехнологичных хищений в России 22 Целевые атаки на банки 23 SWIFT и локальные межбанковские системы 24 Карточный процессинг 25 Платежные шлюзы 26 Банкоматы 28 Атаки на клиентов банков 32 – с помощью троянов для ПК 32 – с помощью Android-троянов 36 – с помощью веб-фишинга 38 Кардинг 40 6. Угрозы для криптовалютного рынка и блокчейн-проектов 45 Атаки на блокчейн-проекты 45 Манипуляции курсами криптовалют 46 Атаки на ICO 46 Целевой взлом криптобирж 48 Криптоджекинг 49 Атака 51% 50 Hi-Tech Crime 3 Trends 2018 от финансово-мотивированных киберпреступников 1. КЛЮЧЕВЫЕ к проправительственным хакерам. Их действия направлены на обеспечение долговременного присутствия в сетях объектов критической инфра- ВЫВОДЫ структуры с целью саботажа и шпионажа за компа- ниями энергетического, ядерного, водного, авиационного и других секторов. • Значительная часть атак была направлена на энер- гетический сектор. Помимо первого специализи- рованного ПО для атак на энергосети Industroyer, обнаруженного в 2016 году, объектам отрасли угрожает Triton — фреймворк, воздействующий Аппаратные уязвимости на систему безопасности производственных и безопасность BIOS/UEFI процессов (Safety Instrumented System — SIS) от Schneider Electric. • Если в прошлом году основное внимание специ- алистов по безопасности было связано с эпиде- • В 2017 и в 2018 годах были выявлены две угрозы миями WannaCry, NotPetya, BadRabbit, то в 2018 с нечеткой целью: шифровальщик BadRabbit году самой значительной проблемой стали side- и вредоносная программа для роутеров VPNFilter.
    [Show full text]
  • Aviation-ISAC Daily Aviation Memo 22 May 2018
    TLP WHITE Sources may use TLP: WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. www.aisac-summit.com Aviation-ISAC Daily Aviation Memo 22 May 2018 Cyber Security News • Intel Warns that its New Spectre variant 4 patch will degrade performance up to 8% • Mirai-variant attack launched from Mexico CVE-2018-10561 CVE-2018-10562 • The operations and economics of organized criminal email groups • SamSam ransomware still active, targets Health Care Providers • VMware Patches Fusion, Workstation Vulnerabilities CVE-2018-6962 CVE-2018- 6963 CVE-2018-3639 • Dell Patches Vulnerability in Pre-installed SupportAssist Utility • FireEye Launches OAuth Attack Testing Platform • Microsoft to Block Flash in Office 365 Aviation Tech • Auckland Airport Uses Traffic and Passenger Flow Measurement Technology Legislation & Regulation News • FAA Moved Slower Than Usual on Engine Warning Ahead of Southwest Fatality • UK Groups Issue Drone collision guidance to pilots and ATC Staff Physical Security News • Federal Law Leaves Marijuana in a No-Fly Zone • Lab Monkey escapes and runs free in San Antonio Airport Miscellaneous News • Saudia A330 made an emergency landing at Jeddah with the nose gear retracted • Delta Creates Pop-Up Lounge for Middle Seat Passengers U.S. Department of Transportation Crisis Management Center Daily Report Indicates Actionable Intelligence FEATURES Cyber Security News Intel Warns that its New Spectre variant 4 patch will degrade performance up to 8% From ZDNet (05.22.2018) Liam Tung Intel's upcoming microcode updates to address the just- revealed Spectre variant 4 attack are likely to put a significant drain on CPU performance.
    [Show full text]
  • The Android Platform Security Model∗
    The Android Platform Security Model∗ RENÉ MAYRHOFER, Google and Johannes Kepler University Linz JEFFREY VANDER STOEP, Google CHAD BRUBAKER, Google NICK KRALEVICH, Google Android is the most widely deployed end-user focused operating system. With its growing set of use cases encompassing communication, navigation, media consumption, entertainment, finance, health, and access to sensors, actuators, cameras, or microphones, its underlying security model needs to address a host of practical threats in a wide variety of scenarios while being useful to non-security experts. The model needs to strike a difficult balance between security, privacy, and usability for end users, assurances for app developers, and system performance under tight hardware constraints. While many of the underlying design principles have implicitly informed the overall system architecture, access control mechanisms, and mitigation techniques, the Android security model has previously not been formally published. This paper aims to both document the abstract model and discuss its implications. Based on a definition of the threat model and Android ecosystem context in which it operates, we analyze how the different security measures in past and current Android implementations work together to mitigate these threats. There are some special cases in applying the security model, and we discuss such deliberate deviations from the abstract model. CCS Concepts: • Security and privacy → Software and application security; Domain-specific security and privacy architectures; Operating systems security; • Human-centered computing → Ubiquitous and mobile devices. Additional Key Words and Phrases: Android, security, operating system, informal model 1 INTRODUCTION Android is, at the time of this writing, the most widely deployed end-user operating system.
    [Show full text]
  • Network Security with Internet World Wide Threat
    International Journal of Multidisciplinary Research and Growth Evaluation www.allmultidisciplinaryjournal.com International Journal of Multidisciplinary Research and Growth Evaluation ISSN: 2582-7138 Received: 12-12-2020; Accepted: 17-01-2021 www.allmultidisciplinaryjournal.com Volume 2; Issue 1; January-February 2021; Page No. 214-218 Network security with internet world wide threat Muhammad Khuzaifah Nasution1, Nuzri Rachmat Al Qabri2, Iskandar Muda3 1-3 Universitas Sumatera Utara, Medan, Indonesia Corresponding Author: Muhammad Khuzaifah Nasution Abstract The development of information systems today is followed information systems. This research studies various attack by an increase in attacks on information systems. This is due techniques on information systems. To facilitate to the growing number of information systems that store identification, these attacks are classified based on the sensitive data for users such as telephone numbers, components of the information system. The results of this population identification numbers, birth dates and even bank study indicate that there are attacks aimed at each component account numbers. These data are very prone to be misused by of the information system. At the end of this study provides irresponsible parties. So security is one of the factors that suggestions to minimize the impact of attacks and to improve must be the main consideration in the development of information system security. Keywords: Network Security, Virus, Treat From World Wide Web 1. Introduction Today Information Technology has entered human life massively. Various Information Systems were developed to facilitate human life. It is not uncommon for this information system to store user data and even personal data such as telephone numbers, birth dates, population identification numbers, bank account numbers and so on.
    [Show full text]
  • Mitigation Overview for Potential Side- Channel Cache Exploits in Linux* White Paper
    Mitigation Overview for Potential Side- Channel Cache Exploits in Linux* White Paper Revision 2.0 May, 2018 Any future revisions to this content can be found at https://software.intel.com/security-software- guidance/insights/deep-dive-mitigation-overview-side- channel-exploits-linux when new information is available. This archival document is no longer being updated. Document Number: 337034-002 Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Performance varies depending on system configuration. Check with your system manufacturer or retailer or learn more at www.intel.com. All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel product specifications and roadmaps. The products and services described may contain defects or errors known as errata which may cause deviations from published specifications. Current characterized errata are available on request. Intel provides these materials as-is, with no express or implied warranties. Intel, the Intel logo, Intel Core, Intel Atom, Intel Xeon, Intel Xeon Phi, Intel® C Compiler, Intel Software Guard Extensions, and Intel® Trusted Execution Engine are trademarks of Intel Corporation in the U.S. and/or other countries. *Other names and brands may be claimed as the property of others. Copyright © 2018, Intel Corporation. All rights reserved. Mitigation Overview for Potential Side-Channel Cache Exploits in Linux* White Paper May 2018
    [Show full text]
  • 2018 Midyear Security Roundup: Unseen Threats, Imminent Losses DATA
    Unseen Threats, Imminent Losses 2018 Midyear Security Roundup TREND MICRO LEGAL DISCLAIMER Contents The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The 04 information contained herein may not be applicable to all situations and may not reflect the most current situation. Serious vulnerabilities discovered in Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the hardware make patching even more particular facts and circumstances presented and nothing challenging herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice. 09 Translations of any material into other languages are intended solely as a convenience. Translation accuracy Cryptocurrency mining detections more is not guaranteed nor implied. If any questions arise than doubles while ransomware remains related to the accuracy of a translation, please refer to the original language official version of the document. Any an enterprise threat discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. 14 Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro Mega breaches rise even as GDPR makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree penalties loom that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied.
    [Show full text]
  • Speculative Dereferencing: Reviving Foreshadow (Extended Version)
    Speculative Dereferencing: Reviving Foreshadow (Extended Version) Martin Schwarzl1, Thomas Schuster1, Michael Schwarz2, and Daniel Gruss1 1Graz University of Technology, Austria 2CISPA Helmholtz Center for Information Security, Germany Abstract. In this paper, we provide a systematic analysis of the root cause of the prefetching effect observed in previous works and show that its attribution to a prefetching mechanism is incorrect in all previous works, leading to incorrect conclusions and incomplete defenses. We show that the root cause is speculative dereferencing of user-space registers in the kernel. This new insight enables the first end-to-end Foreshadow (L1TF) exploit targeting non-L1 data, despite Foreshadow mitigations enabled, a novel technique to directly leak register values, and several side-channel attacks. While the L1TF effect is mitigated on the most re- cent Intel CPUs, all other attacks we present still work on all Intel CPUs and on CPUs by other vendors previously believed to be unaffected. 1 Introduction For security reasons, operating systems hide physical addresses from user pro- grams [34]. Hence, an attacker requiring this information has to leak it first, e.g., with the address-translation attack by Gruss et al. [17, §3.3 and §5]. It allows user programs to fetch arbitrary kernel addresses into the cache and thereby to resolve virtual to physical addresses. As a mitigation against e.g., the address- translation attack, Gruss et al. [17, 16] proposed the KAISER technique. Other attacks observed and exploited similar prefetching effects. Meltdown [41] practically leaks memory that is not in the L1 cache. Xiao et al. [72] show that this relies on a prefetching effect that fetches data from the L3 cache into the L1 cache.
    [Show full text]