Cedval’s website

Is the Linux desktop ready for the enterprise? Unfortunately no!

I like Linux, I really do. I’ve been using Linux daily, as a system admin and as a user, for the last 12 years. I tried many distributions and versions. My home workstation is exclusively running Linux for the past 8 years, and I enjoy it.

However, I never had a Linux laptop to work with at client sites. That was going to change. In March 2010, I decided to installed Linux on my MacBook Pro (3,1). So I formatted my beloved Mac OS X partition and installed openSUSE 11.2 (I also upgrade to 11.3 when it was released) with KDE 4.4 as the desktop. I knew it wasn’t going to be easy, I knew I was going to have some gliches, but I wanted to have my first Linux work laptop and see if it was ready for the enterprise desktop. Below, I’ll describe my experience using openSUSE 11.2/11.3, KDE 4.4 and various applications, as well as the bugs I faced during the 6 months on Linux.

Let me start with openSUSE 11.2 and KDE 4 as a general overview. At first glance it looked very polish, very eye-candy, for both the installation and the desktop, especially with Compiz running. Although I’m running KDE 4 on my home workstation, I still prefer the speed and stability of KDE 3.5. I must say that I was very disappointed when I saw the early KDE 4 versions. Hopefully, the KDE team have made good progress and KDE 4.4 is a lot better. The file manager, Dolphin, is well done, the start menu is neat and useful. As usual, KDE has a lot of preference options through the Control Center, that is one of the reason why I prefer KDE over GNOME.

That being said, after the first login I noticed a popup asking for a crypto password. I had encrypted my Linux partition as I have confidential work documents on my Laptop. I didn’t know what that password box was as everything seemed to work properly. I later found out that whatever I was entering (good password, wrong passwords, nothing) it didn’t seem to make a difference. That popup was present at every login…

One of the first thing I did after the basic KDE configuration was to install Evolution so I could use my Exchange accounts. Evolution is the GNOME e-mail client, but I had to use it as Kmail (the KDE mail client) doesn’t support Exchange. I was able to configure and use my first account running on Exchange 2003. However, my first deception came quite quickly when I discovered that Evolution wasn’t supporting my second account on Exchange 2007. I had to use it via IMAP, which wasn’t my first choice. Other than that, Evolution was working fine most of the time… Except that the exchange plugin stopped working randomly. A simple close/open of the application was solving the problem.

Next, I decided to open some documents to verify the compatibility between Microsoft Office and OpenOffice.org. Here comes my second deception (although I already knew compatibility wasn’t perfect), documents were readable but really, really messed up half of the time. So I had the idea of trying WINE (the WINdows Emulator) to install Microsoft Office (and maybe use Outlook at the same time). Unfortunately, I wasn’t able to do so even using different WINE and Microsoft Office versions. What I ended up doing for the couple months I used Linux on the MacBook Pro was to read documents with OpenOffice.org, but modify them using Microsoft Office in a Windows XP VM on VMware.

Speaking of VMware, I have nothing to say against it, all the time I used it (and still use it on Mac OS X) it worked perfectly. VM boot was fast, it was responsive, graphical speed was fine.

So I went on with web browsing. I wanted to use Konqueror, the KDE web browser, but unfortunately, my only mandatory plugin, Xmarks, isn’t available for it. I decided to use a mix of FireFox and Google Chrome, both worked fine, I have not much to complain about other than flash crashing from time to time on Google Chrome.

Finally, let me talk a bit about Amarok 2, the KDE audio player. I’ve been using it for a while and it is not bad, but there is a long way to go before it is as stable and as useful as Amarok 1.4 to manage a music collection. I still find it a bit primitive compared to what I consider, the best audio player and music collection manager in the world, Amarok 1.4 (it even surpasses iTunes by a lot). However, I do have faith that the Amarok team will improve it and make it as good as its predecessor.

Those are only a few examples of glitches I had during those months. I could elaborate on glitches of more applications like KRDC (Remote desktop application), Plasma Workspace widgets, NetworkManager, etc. But I think I made the point, it is not ready for the enterprise, yet! While I mention openSUSE and KDE, I know it is not specific to those distribution/desktop, but it is what I used for the past 6 months.

I’d like to conclude by saying that this article was written from an enterprise user point of view. The Linux desktop is nice for the geek in you, but the professional may find it painful… That said, if it’s not ready for the enterprise desktop, it is for a long time, ready as a network server! Linux is the OS of choice when it comes to network servers. I’ve been a Linux system administrator for many years and nothing’s equal to the versatility and the power of the Linux command line. But today, I’m writing this article from my MacBook Pro running… Mac OS X…

Biometric authentication for iPhone apps (Help Net Security)

An interesting way to secure apps on the iPhone http://ow.ly/2kkqU

Millions of Home Routers Are Hackable – Slashdot

A researcher from the security firm Seismic, Craig Heffner, found a way to exploit a 15 years old DNS vulnerability on about half of the existing homer routers models. He plans to release his tool at Black Hat 2010.

Source: http://it.slashdot.org/story/10/07/16/122259/Millions-of-Home-Routers-Are-Hackable

Credit Card Hackers Visit Hotels All Too Often – NY Times

According to a study made by Trustwave, 38% of last year credit card hacking involve the hotel industry! Find out why in the article below.

Article: http://www.nytimes.com/2010/07/06/business/06road.html?_r=1&src=busln

Breakfast conference: IT services conformity using open source solutions

We are pleased to announce, as part of ISIQ’s “Carrefour PME Sécurité” program our presentation entitled “Aide à la conformité des services TI grâce aux logiciels libres”.

Presentation will be in french.

Date of event: March 31st at 7:30 a.m.
Location: CRIM’s offices, 405, avenue Ogilvy, office 101.

The cost is $35, breakfast is included…

Hope to see you there…

François Meehan

Review of the first Kevin D. Mitnick book – The Art Of Deception

I am, today, reviewing the book The Art Of Deception from Kevin D. Mitnick that I red a while ago. This book was issued in 2002, but this is still a hot topic.

The Art Of Deception (ISBN-13: 978-0764542800), the first Kevin D. Mitnick’s book is another type of Information Security lecture. Kevin was for a long time the FBI most wanted computer hacker. Now a security contractor, he shares with us in this book, his acquired experiences over the years. Instead of going in details on how to break firewalls and code, Kevin wrote about his specialty: Social Engineering.

I first decided to buy this book to learn more about Social Engineering, and I must say that Kevin’s mission was successful, I learned a lot. Going through the chapters, you discover a whole new way to attack networks, through the weakest link: people controlling and using it.

As I’ve been working in Information Security for a few years, I often hear that “a secretary wouldn’t give away her password” either because she is smart or because she knows not to do so. That being said, this book makes you realize how easy it can be to fool that “smart” secretary into giving away her password to an attacker that uses Social Engineering, not because she is not smart, but because Social Engineering is all about using influence and persuasion to get to the goal: information gathering. That information can be in different form, be it a username, a password, a merchant ID or a PIN, etc. Several techniques can be learned throughout this book, where most of them are build on Trust an employee may have to a manager, service provider or law officer. By impersonating those roles, an attacker can play the game with his own rules and exploit that trust.

The book gives you a lot of phone call examples (maybe a bit too many as it becomes redundant near the end), to makes you think about ways information leakage can happen. Examples range from one simple call to multiple, more complex, phone calls. If you are already a Social Engineering expert, you can benefit from those examples by improving your skills and techniques.

While phone calls are mostly used in Part one and two of the book, Part three goes more in depth by using physical and computer related attack. Stories are written to keep your mind busy with questions like “what would I do in that situation?”, “would I fall for this?” or “Do I verify guest identity properly?”. On their side, computer attacks are going where most of us, security professional, are more comfortable. Phishing, dictionary and Trojan horse attack are all used in conjunction with Social Engineering to gather information.

The last chapter, “Chapter 16 – Recommended Corporate Information Security Policies”, can be very useful to someone writing policies for an enterprise. Kevin did a nice job to include often forgotten policies related to the main topic. Each of them has a short explanation that was proven useful to me.

If you are looking for easy and entertaining reading as well as a way to learn about Social Engineering, I encourage you to buy that book. Even if some parts starts to be redundant near the end, it is definitely a must have on that topic.

Destructive worm in the wild – Upgrade your anti-virus

The ESET enterprise  (http://www.eset.eu) posted a news about a worm going around that destroy the MBR (Master Boot Record) of affected computers. They also highlighted that the data restoration is more complicated than usual.

As part of security best practice, we would like to remember you to verify that your anti-virus signatures are updated daily.

Article: http://www.eset.eu/press-computer-worldwide-targetted-by-MBR-Worm

More than 25 million malwares last year…

For the first time ever, more than 25 million strains of malware were created last year.  This is far more than the maximum of 15 million per year that have been identified up to now.  Interetingly, 66% of the new malware were banking Trojans, and the next most popular were fake antivirus software.

Read more:  http://news.techworld.com/security/3209606/malware-strains-bust-25-million-barrier/?cmpid=TD1N8&no1×1

One time passwords not enough

One-time passwords and phone-based user authentication are no longer enough to protect against banking fraud,  according to a new report from Gartner.  Criminals are apparently increasingly able to steal credentials or otherwise overwhelm such measures.  In most instances, the crooks used sophisticated keystroke logging Trojan horse programs to steal login credentials from company employees authorised to initiate funds transfers on behalf of the business, according to the FBI.  A number of banking clients have reported being victimised or targeted by attacks involving the use of malicious code hidden in web browsers to intercept and corrupt banking transactions. Trojans lurk in the users’ browser and get activated when a banking site is visited.  The user gets an error message, and  the trojan does its dirty work behind the scenes….

Read more:   http://news.techworld.com/security/3208789/hackers-getting-to-grips-with-secure-authentication-warns-gartner/?pn=1

Cloud computing brings security risks

While cloud computing services can result in more robust, scalable and cost-effective defences against certain kinds of attacks, the European Network and Information Security Agency (ENISA) also says that cloud computing users face problems including loss of control over data, difficulties proving compliance, and additional legal risks as data moves from one legal jurisdiction to another. Other areas of concern are vendor lock-in, failure of mechanisms separating different companies, management interfaces that get accessed by hackers, data not deleted properly and malicious insiders.

Read more:   http://news.techworld.com/virtualisation/3206980/cloud-computing-brings-security-risks-says-report/?cmpid=TD1N4