Google | Project Vault

Google’s Project Vault Is A Secure Computing Environment On A Micro SD Card, For Any Platform


Project Vault is a secure computer contained entirely on a micro SD sized device. Google’s ATAP said the micro SD format made sense because your phone already carries advanced security hardware in the SIM card, which protects the things that matter to carriers. Vault is designed to be the equivalent for the user: hardware that protects the user’s own important content.

They went with the micro SD form factor because it gives enough data throughput to handle video, it provides on-board storage (Vault has 4GB of data storage), and it is modular, so you can take it wherever you want.

On board the Vault itself is an ARM processor running ARTOS, a secure operating system focused on privacy and data security. It also has an NFC chip and an antenna (used to prove that you are in control of the device and that it is correctly authorized). Finally, there is a suite of cryptographic services, including hashing, signing, batch encryption and a hardware random number generator.


Vault provides two-factor authentication in a way that is easy enough for anyone to use, and developers do not have to do anything special to work with it: the host system sees it as a generic storage device with a standard file system.

That file system contains just two files, one for reading and one for writing, and any app communicates with Vault by going through them. Because the card presents itself to the host computer or phone as nothing more than a generic storage device, no driver or vendor API is needed, and it works with any operating system, including Android, Windows, OS X and Linux.


Today, ATAP is releasing the open source development kit so that people can study and test it before it goes live. They have also built an enterprise-targeted first product version that is in use internally at Google right now, and there are plans to eventually make consumer-focused hardware too.

In a demo, ATAP showed how Vault could be used to secure a chat conversation. Once the Vault micro SD is installed, the chat application simply opens the virtualized two-file system with ordinary read/write I/O. Vault takes care of encrypting the message and sends it on as ciphertext. The receiving phone decrypts the conversation automatically, but neither phone ever sees any keys or algorithms: the host only ever handles plaintext going in and ciphertext coming out, and all key material stays on the card.
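As an added illustration of the two-file interface described above (example code, not Google's or ATAP's, and not a description of Vault's real protocol), the following Python simulates the split in one process: a HostApp that only ever touches the two mailbox files, and a VaultDevice that is the only object holding key material. The file names, the request framing, the idea that both cards were provisioned with the same key, and the HMAC-SHA256-based cipher are all assumptions made so the simulation runs with the standard library alone.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

# Assumed file names for the two-file mailbox; the real Vault names are not given.
WRITE_FILE = "vault.write"   # host -> card: request
READ_FILE = "vault.read"     # card -> host: response


def _keystream(key, nonce, length):
    """CTR-style keystream from HMAC-SHA256 used as a PRF.

    A stdlib stand-in for the card's cipher so the demo runs anywhere; the
    point of the simulation is where the key lives, not which cipher is used."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class VaultDevice:
    """Simulated card. The only object in the program that holds key material."""

    def __init__(self, mailbox_dir, key):
        self.dir = mailbox_dir
        self._enc_key = key
        self._mac_key = hashlib.sha256(b"mac-subkey" + key).digest()

    def service(self):
        """Handle one request from the write file; leave the reply in the read file.

        Request framing (assumed): b'ENC ' + plaintext or b'DEC ' + blob, where
        blob = nonce(12) || ciphertext || hmac_tag(32)."""
        with open(os.path.join(self.dir, WRITE_FILE), "rb") as f:
            req = f.read()
        op, body = req[:4], req[4:]
        if op == b"ENC ":
            nonce = secrets.token_bytes(12)
            ct = bytes(p ^ k for p, k in zip(body, _keystream(self._enc_key, nonce, len(body))))
            tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
            resp = b"OK  " + nonce + ct + tag
        elif op == b"DEC " and len(body) >= 44:
            nonce, ct, tag = body[:12], body[12:-32], body[-32:]
            expect = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
            if hmac.compare_digest(tag, expect):   # verify before decrypting anything
                pt = bytes(c ^ k for c, k in zip(ct, _keystream(self._enc_key, nonce, len(ct))))
                resp = b"OK  " + pt
            else:
                resp = b"ERR bad tag"
        else:
            resp = b"ERR bad request"
        with open(os.path.join(self.dir, READ_FILE), "wb") as f:
            f.write(resp)


class HostApp:
    """Host-side chat app: only ever touches the two mailbox files, never a key."""

    def __init__(self, mailbox_dir, device):
        self.dir = mailbox_dir
        self._device = device   # simulation only: stands in for the card reacting to the write

    def _call(self, req):
        with open(os.path.join(self.dir, WRITE_FILE), "wb") as f:
            f.write(req)
        self._device.service()
        with open(os.path.join(self.dir, READ_FILE), "rb") as f:
            resp = f.read()
        if not resp.startswith(b"OK  "):
            raise ValueError(resp.decode())
        return resp[4:]

    def encrypt(self, plaintext):
        return self._call(b"ENC " + plaintext)

    def decrypt(self, blob):
        return self._call(b"DEC " + blob)


def chat_roundtrip(message, tamper=False):
    """Alice's phone encrypts via its card; Bob's card decrypts. Returns the
    recovered plaintext, or None if the card rejected a modified ciphertext."""
    shared_key = secrets.token_bytes(32)   # assumption: both cards provisioned alike
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        alice = HostApp(a, VaultDevice(a, shared_key))
        bob = HostApp(b, VaultDevice(b, shared_key))
        blob = alice.encrypt(message)        # this is all that crosses the network
        if tamper:                           # flip one ciphertext byte in transit
            blob = blob[:12] + bytes([blob[12] ^ 0x01]) + blob[13:]
        try:
            return bob.decrypt(blob)
        except ValueError:
            return None
```

The property worth checking in a design like this is that nothing on the host side can reach the key: HostApp holds only a directory and two file names, and a modified ciphertext is rejected by the card before any plaintext is produced, so the host never even sees a partially decrypted message.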


Credit: Darrell Etherington

Lynis – Auditing tool for Unix/Linux v1.3.5

Lynis is an auditing tool for Unix/Linux. It performs a security scan and determines the hardening state of the machine. Any detected security issue is reported as a suggestion or a warning. Besides security-related information, it also collects general system information, installed packages and possible configuration errors.

This software aims to assist with automated auditing, hardening, software patch management, and vulnerability and malware scanning of Unix/Linux-based systems. It can be run without prior installation, so it can be kept on read-only storage (USB stick, CD/DVD).

Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOx (Sarbanes-Oxley) compliance audits.

Intended audience:

Security specialists, penetration testers, system auditors, system/network managers.

Examples of audit tests:

  • Available authentication methods
  • Expired SSL certificates
  • Outdated software
  • User accounts without password
  • Incorrect file permissions
  • Configuration errors
  • Firewall auditing
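As an added example (not Lynis's own code) of consuming the results of a scan from the read-only-media setup described above: after running the tool from the stick (for instance `./lynis -c -Q`, assuming the check-all and quick/non-interactive flags of the 1.x series), Lynis leaves a report file, by default /var/log/lynis-report.dat. The parser below turns that file into a CI gate. The `key=value` / `key[]=value` layout with pipe-separated `TEST-ID|message|...` values is assumed from Lynis 1.x reports, and the sample report is constructed, reusing test IDs that appear in the changelog on this page.

```python
"""Parse a Lynis 1.x style report file and gate on its findings (added example)."""

# Constructed sample report; the layout is an assumption about lynis-report.dat.
SAMPLE_REPORT = """\
report_version_major=1
hostname=audit-host
os=Linux
warning[]=KRNL-5788|Reboot needed after kernel update|-|-|
warning[]=AUTH-9328|Default umask in /etc/profile could be more strict like 027|-|-|
suggestion[]=SSH-7412|Consider disabling root login via SSH|-|-|
suggestion[]=NAME-4210|Hide BIND version|-|-|
suggestion[]=BOOT-5184|Fix permissions of writable boot scripts|-|-|
"""


def parse_report(text):
    """Split the report into scalar keys and repeated `key[]` lists.

    Returns (scalars, lists): scalars maps e.g. 'hostname' -> 'audit-host',
    lists maps e.g. 'warning' -> [raw value, ...] in file order."""
    scalars, lists = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.endswith("[]"):
            lists.setdefault(key[:-2], []).append(value)
        else:
            scalars[key] = value
    return scalars, lists


def findings(lists, kind):
    """Return [(test_id, message), ...] for 'warning' or 'suggestion' entries.

    Assumes the pipe-separated value layout TEST-ID|message|details|solution."""
    out = []
    for raw in lists.get(kind, []):
        fields = raw.split("|")
        test_id = fields[0].strip()
        message = fields[1].strip() if len(fields) > 1 else ""
        out.append((test_id, message))
    return out


def gate(text, fail_on=("warning",), ignore=()):
    """CI gate: (ok, offending) where ok is False if any finding of a kind in
    fail_on remains after dropping test IDs listed in ignore (accepted risks)."""
    _, lists = parse_report(text)
    offending = [
        f
        for kind in fail_on
        for f in findings(lists, kind)
        if f[0] not in ignore
    ]
    return (len(offending) == 0, offending)


def load_and_gate(path="/var/log/lynis-report.dat", **kwargs):
    """Convenience wrapper for a real run: read the report from disk and gate it."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return gate(f.read(), **kwargs)


if __name__ == "__main__":
    ok, offending = gate(SAMPLE_REPORT, fail_on=("warning", "suggestion"))
    for test_id, message in offending:
        print(f"{test_id}: {message}")
    raise SystemExit(0 if ok else 1)
```

Keeping the ignore list explicit (test IDs, not free-text messages) is what makes this usable as a gate: an accepted risk is recorded as an ID and the build fails again the moment a new warning appears.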

Change log

New:
– OS detection for Mageia Linux, PCLinuxOS, Sabayon Linux and Scientific Linux
– Added some initial systemd support (e.g. boot services)
– Test to display if any known MAC framework is implemented [MACF-6290]

Changes:
– Improved support for Slackware Linux (OS and version detection)
– Added systemd support (boot and running services) for Linux systems [BOOT-5177]
– Added systemd support (default runlevel) for Linux systems [KRNL-5622]
– Extended USB storage check in modprobe.d directory [STRG-1840]
– Improved output, reporting and check for kernel update [KRNL-5788]
– Optimized code and output of test to check writable scripts [BOOT-5184]
– Fixed detection for writable scripts [BOOT-5184]
– Improved detection of IPv6 addresses for Slackware and others [NETW-3008]
– Minor addition to SSH PermitRootLogin check [SSH-7412]
– Extended cronjob tests, reporting and logging [SCHD-7704]
– Extended umask check in /etc/profile [AUTH-9328]
– Added suggestion about BIND version [NAME-4210]
– Merged NTP daemon test TIME-3108 into TIME-3104
– Improved support for Arch Linux (output, detection)
– Extended common list of directories with SSL certificates in profile
– New function GetHostID() to determine a unique identifier for the machine
– Added a tests_custom file template
– Perform file permissions test on tests_custom file
– Improved OS detection and extended logging on several tests
– Several layout improvements
– Extended update check functions and output
– Cleaned up reporting and extended it with exceptions

Credit: ToolsWatch