
Security

USB laptop firewall runs Linux

May 30, 2007

This article was contributed by Jake Edge.

A new firewall product for Windows laptops would generally be greeted with yawns from the Linux community, but the newly announced Yoggie Pico has some features that may be of interest. The Pico is a device that contains a 'security processor' running Linux and a whole slew of free and open source security applications in a USB 'key' form factor. The intent is to provide a laptop user on the road the same level of security as they would have behind the corporate firewall.

At its core, the Pico has an Intel CPU, some RAM and two separate banks of flash. At boot time, it copies the read-only version of the software from one bank to the other and runs from the copy; an attempt to ensure that even if the Pico is successfully compromised, a reboot will restore it. A driver is installed on the laptop that snags all network traffic just above the link layer and sends it off to the Pico for filtering. This allows traffic from all network interfaces to be intercepted.

The Pico provides firewall protection and Network Address Translation (NAT) via iptables and runs Snort for intrusion detection/prevention. It also does content filtering of various internet protocols (HTTP, FTP, POP3 and SMTP) to stop viruses, spyware, phishing and spam. It has three proprietary, patent-pending, modules that in some, unspecified way correlate the information gathered by the other security software to detect and thwart previously unknown threats.

If you can believe everything that is said on the website, the Pico will protect a laptop from any known or unknown threat immediately upon plugging it in. One suspects the reality falls somewhat short of the hype. Statements like: 'simply plug it to your laptop and you are completely secure' are at best exaggerated, at worst deceptive; security is a process and a set of tradeoffs, not a destination. How those tradeoffs are administered is glossed over as well; too much configurability can be error-prone, while too little can lead to unusable rigidity.

There certainly is a niche for this kind of protection; laptop security is often the Achilles' heel of a company's network security. The Pico driver provides administrators a means to disallow network traffic when the Pico is not present, which may help keep laptops from bringing home various ills. As a separate hardware device that does not rely on much from the host OS, the Pico could provide a nice laptop security device; it remains to be seen if its $180-200 price point is attractive.

Yoggie plans to release a driver for Linux (as well as Mac OS X and Windows Vista) sometime soon, but because it is relatively easy to run the same applications on the laptop itself, it may not be a big seller in that (already small) market. Depending on how hackable the device is, there might be a rather larger market for a USB attached computer that can run Linux. It will be interesting to see whether Yoggie stands in the way or actively assists anyone interested in modifying their Pico for purposes other than what the company had in mind. And if Linux hackers can figure out how to 'mod' it and talk to it, with or without Yoggie's help, some very interesting applications could result.

Some rumblings about GPL compliance have been heard in the community (for example see the comments on the LWN announcement). No links to source code could be found on the website; it is possible that the code is shipped with the device, though there are indications that is not happening either. From the website, it would appear that the company has been shipping a similar Gatekeeper device with a different form factor and connectivity. It appears to have substantially the same software, and one would have hoped that any GPL compliance issues would have been resolved then. An answer to an inquiry about the code is pending; stay tuned.

Comments (5 posted)

Brief items

Google, Yahoo, Facebook Extensions Put Millions of Firefox Users At Risk (Wired)

Wired reports on a vulnerability in a number of Firefox extensions. "Unlike almost all of the extensions hosted at Mozilla, the foundation that created the open-source Firefox browser, these commercial extensions check for updates from servers controlled by their respective corporate overlords. And they fail to check for extensions from servers with SSL certificates, which most users know as sites that start with https://. That means that users who open their browsers when using an open wireless connection are vulnerable to a hacker being able to intercept these third-party extensions' checks for updates at a plain http:// site and then pretend to be the update server."

Update: here's the disclosure of the vulnerability from Christopher Soghoian, the researcher who found it.

Comments (20 posted)

New vulnerabilities

freetype: arbitrary code execution

Package(s): freetype
CVE #(s): CVE-2007-2754
Created: May 24, 2007
Updated: June 1, 2010
Description: Versions 2.3.4 and below of the FreeType font rendering library have an integer sign error. Remote attackers may be able to create a specially crafted TrueType font file with a negative n_points value that will cause an integer overflow and heap-based buffer overflow, allowing the execution of arbitrary code.
Alerts:
Gentoo 201006-01 freetype 2010-06-01
Fedora FEDORA-2009-5644 freetype1 2009-05-28
Fedora FEDORA-2009-5558 freetype1 2009-05-28
CentOS CESA-2009:0329 freetype 2009-05-22
Red Hat RHSA-2009:1062-01 freetype 2009-05-22
Red Hat RHSA-2009:0329-02 freetype 2009-05-22
Debian DSA-1334 freetype 2007-07-18
SuSE SUSE-SA:2007:041 freetype2 2007-07-04
Fedora FEDORA-2007-561 freetype 2007-06-18
Mandriva MDKSA-2007:121 freetype2 2007-06-13
Foresight FLEA-2007-0025-1 freetype 2007-06-13
Red Hat RHSA-2007:0403-01 freetype 2007-06-11
Debian DSA-1302-1 freetype 2007-06-10
Fedora FEDORA-2007-0033 freetype 2007-06-01
Ubuntu USN-466-1 freetype 2007-05-30
Gentoo 200705-22 freetype 2007-05-30
Trustix TSLSA-2007-0019 fetchmail, freetype, gd, libpng, python24 2007-05-25
rPath rPSA-2007-0108-1 freetype 2007-05-23
Foresight FLEA-2007-0020-1 freetype 2007-05-21
OpenPKG OpenPKG-SA-2007.018 OpenPKG Enterprise E1.0-SOLID freetype-2.2.1-E1.0.1 2007-05-24
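As an added illustration of the integer sign error class described in this entry (constructed for this page, not FreeType's own code): the point count is read from the font as a big-endian signed 16-bit field; a signed upper-bound comparison lets a negative count through, and the later widening to size_t turns it into an enormous buffer length. MAX_POINTS and POINT_SIZE are constructed values for the example.

```c
#include <stdint.h>
#include <stddef.h>

#define MAX_POINTS 4096   /* constructed per-glyph limit for this example */
#define POINT_SIZE 8      /* constructed size of one stored point record  */

/* n_points as a TrueType 'glyf' header stores it: big-endian, 16-bit, signed. */
int16_t read_be16(const uint8_t *p)
{
    return (int16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* The flawed pattern: a signed bound check, so -1 <= MAX_POINTS passes, and
   the count then widens to size_t, where -1 becomes SIZE_MAX before the
   multiply and the product wraps to a huge value. */
int naive_count_ok(int16_t n_points)
{
    return n_points <= MAX_POINTS;
}

size_t naive_buffer_size(int16_t n_points)
{
    return (size_t)n_points * POINT_SIZE;   /* wraps for negative counts */
}

/* Hardened: reject negative and oversized counts before any size arithmetic,
   so the multiply only ever runs on a value already known to be bounded.
   Returns the number of bytes to allocate, or 0 to reject the glyph. */
size_t checked_buffer_size(const uint8_t *hdr)
{
    int16_t n_points = read_be16(hdr);
    if (n_points < 0)
        return 0;                      /* closes the sign error */
    if (n_points > MAX_POINTS)
        return 0;                      /* refuse oversized glyphs */
    return (size_t)n_points * POINT_SIZE;   /* at most 4096 * 8 bytes */
}
```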

Comments (none posted)

gforge: arbitrary code execution

Package(s): gforge
CVE #(s): CVE-2007-0246
Created: May 24, 2007
Updated: May 30, 2007
Description: The CVS browsing interface from the Gforge collaborative development tool does not properly escape URLs. This can be used by an attacker to execute arbitrary shell commands with the privileges of the www-data user.
Alerts:
Debian DSA-1297-1 gforge-plugin-scmcvs 2007-05-24

Comments (none posted)

madwifi: denial of service

Package(s): madwifi
CVE #(s):
Created: May 25, 2007
Updated: June 6, 2007
Description: From this Secunia advisory: "Some vulnerabilities have been reported in MadWifi, which can be exploited by malicious, local users and malicious people to cause a DoS (Denial of Service)."
Alerts:
Foresight FLEA-2007-0021-2 madwifi 2007-05-24
Foresight FLEA-2007-0021-1 madwifi 2007-05-24

Comments (none posted)

mod_jk: proxy bypass

Package(s): mod_jk
CVE #(s): CVE-2007-1860
Created: May 30, 2007
Updated: March 7, 2008
Description: From the Red Hat advisory: "Versions of mod_jk before 1.2.23 decoded request URLs by default inside Apache httpd and forwarded the encoded URL to Tomcat, which itself did a second decoding. If Tomcat was used behind mod_jk and configured to only proxy some contexts, an attacker could construct a carefully crafted HTTP request to work around the context restriction and potentially access non-proxied content."
Alerts:
SuSE SUSE-SR:2008:005 acroread, asterisk, cacti, compat-openssl097g, icu, libcdio, wireshark/ethereal, Jakarta, perl-tk 2008-03-06
Gentoo 200708-15 mod_jk 2007-08-19
Debian DSA-1312-1 libapache-mod-jk 2007-06-18
Red Hat RHSA-2007:0380-01 mod_jk 2007-05-30
Red Hat RHSA-2007:0379-01 mod_jk 2007-05-30
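An added example of the double-decoding problem quoted above (constructed for this page, not mod_jk's or Tomcat's code): a percent-decoder, a context check of the vulnerable shape that authorizes on a once-decoded URL while the backend decodes the forwarded form a second time, and a hardened check that only authorizes a canonical path. The "/public/" context prefix and the sample URLs in the test are constructed.

```c
#include <string.h>

static int hexval(int c)
{
    return (c >= '0' && c <= '9') ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10
         : (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}

/* One pass of %XX decoding; dst must hold strlen(src) + 1 bytes. */
void url_decode_once(const char *src, char *dst)
{
    while (*src) {
        int hi = (*src == '%' && src[1]) ? hexval((unsigned char)src[1]) : -1;
        int lo = (hi >= 0 && src[2]) ? hexval((unsigned char)src[2]) : -1;
        if (lo >= 0) { *dst++ = (char)(hi * 16 + lo); src += 3; }
        else *dst++ = *src++;
    }
    *dst = '\0';
}

/* 1 if the backend's own decode of the forwarded URL yields a different path
   than the one the proxy checked, i.e. the check and the action disagree. */
int second_decode_changes_path(const char *raw_url)
{
    char once[256], twice[256];
    if (strlen(raw_url) >= sizeof once) return 1;   /* treat as unsafe */
    url_decode_once(raw_url, once);
    url_decode_once(once, twice);
    return strcmp(once, twice) != 0;
}

/* The vulnerable shape: decode once, test the context prefix, forward. */
int proxy_allows_once_decoded(const char *raw_url)
{
    char once[256];
    if (strlen(raw_url) >= sizeof once) return 0;
    url_decode_once(raw_url, once);
    return strncmp(once, "/public/", 8) == 0;
}

/* Hardened: authorize only a canonical path, refusing anything a further
   decode would still change ('%' left over) or that steps out of the context. */
int proxy_allows_canonical(const char *raw_url)
{
    char once[256];
    if (strlen(raw_url) >= sizeof once) return 0;
    url_decode_once(raw_url, once);
    if (strchr(once, '%') || strstr(once, "/..")) return 0;
    return strncmp(once, "/public/", 8) == 0;
}
```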

Comments (none posted)

otrs2: code injection

Package(s): otrs2
CVE #(s): CVE-2007-2524
Created: May 30, 2007
Updated: June 8, 2007
Description: The otrs2 ticket request system fails to properly sanitize input data, allowing the injection of arbitrary code.
Alerts:
Debian DSA-1298-1 otrs2 2007-05-28

Comments (3 posted)

pulseaudio: denial of service

Package(s): pulseaudio
CVE #(s): CVE-2007-1804
Created: May 30, 2007
Updated: March 10, 2008
Description: The pulseaudio network code suffers from a denial of service vulnerability exploitable by an unauthenticated attacker.
Alerts:
Mandriva MDVSA-2008:065 pulseaudio 2007-03-09
Ubuntu USN-465-1 pulseaudio 2007-05-25

Comments (none posted)

Page editor: Jonathan Corbet


Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds