Wednesday, December 31, 2008

Unmasking the Mysteries of the Moodle User/Course Database: Part I

CAVEAT: From this blog post you'll [correctly] conclude I have way too much time on my /hands, but heh, when you work on your day off you can be as inefficient as you like!

(Oh yeah and all of this, running moodle, mysql, mysql GUI tools, gimp, etc. was all done on my Netbook. These are decent little machines. I'm glad I bought a hard drive instead of a flash because you can use them for real apps. All in a 2 pound package. I would recommend an external mouse/trackball if you want to save you thumbs). A bit hotter than


mfranz@mfranz-s10:~$ uptime
09:23:44 up 15:39, 4 users, load average: 0.53, 0.63, 0.59

mfranz@mfranz-s10:~$ free
total used free shared buffers cached
Mem: 1543920 1505324 38596 0 106532 571888
-/+ buffers/cache: 826904 717016
Swap: 1983988 668 1983320


A bit hotter (CPU-wise) than I'd like but Opera was the only thing that bogged down a bit.

The Problem: How do you programmatically find out which students are enrolled in a given moodle course? Since the new authorization/enrollment model implemented in Moodle 1.7 (IIRC) this becomes a little more difficult because the data is spread across a number of tables in the moodle database

Basically you want to find out something like this.



I'm the only student in CF102.

So we start with mdl_user (the table we retreived the metadata on in a previous blog)



Remember, my id is 3

Now to look at the courses (mdl_course)



Remember that CF102 has an id of 3 as well.

Here is where it starts to get interesting. The role_assignment table shows that my user has a roleid of 5 and a contextid of 11. Both of these are necessary to understand what a given use can or cannot do/view in terms of course content.



The role_capabilities table defines what roleid 5 is.



The roleid of 5 corresponds to a student and and the capability is self-explanatory.

Now back to the contextid (from the role_capabilities table), which is the indirect link to the course through the mdl_context table. For once I actually highlighted the correct row. In this case we are interested in a contextid of 11.



I cut the field names off, but the third field is instanceid (which is 3) and points us back to the courseid which corresponds to CF102.

Simple, eh?

In the next blog post on this topic I'll write some Python/SQLAlchemy code to retreive a list of users that are enrolled in a given course or which courses a student is enrolled in.

Tuesday, December 30, 2008

Why use Python to access your Moodle User Database?

Well, besides that PHP is an absolute shit for brains language and basic stuff like yaml, displaying syntax errors in imported modules and other sane things you would expect after using Python or Ruby just ain't there.

And oh yeah, and it is is butt ugly ($, ->, ::, ?> etc.)

Not only that because because I was able to whip this up cool script with SQLAlchemy (no I'm not using the ORM, just want to avoid MysqlDB)

mfranz@mfranz-s10:~/crap$ cat alctest.py
#!/usr/bin/env python
from sqlalchemy import *
from pprint import pprint
e = create_engine("mysql://moodle:blackboard@127.0.0.1/moodle")
m = MetaData(e)
user_table = Table('mdl_user',m,autoload=True,autoload_with=e)
pprint(user_table.columns.keys())
mfranz@mfranz-s10:~/crap$ ./alctest.py
[u'id',
u'auth',
u'confirmed',
u'policyagreed',
u'deleted',
u'mnethostid',
u'username',
u'password',
u'idnumber',
u'firstname',
u'lastname',
u'email',
u'emailstop',
u'icq',
u'skype',
u'yahoo',
u'aim',
u'msn',
u'phone1',
u'phone2',
u'institution',
u'department',
u'address',
u'city',
u'country',
u'lang',
u'theme',
u'timezone',
u'firstaccess',
u'lastaccess',
u'lastlogin',
u'currentlogin',
u'lastip',
u'secret',
u'picture',
u'url',
u'description',
u'mailformat',
u'maildigest',
u'maildisplay',
u'htmleditor',
u'ajax',
u'autosubscribe',
u'trackforums',
u'timemodified',
u'trustbitmask',
u'imagealt',
u'screenreader']

Now that I've got that off my chest.

So what I was trying to do, since Moodle is PHP (and I'm stuck with Moodle) and we are a PHP shop and I thought I would do the right thing and try to use PHP even though I hate it, know it is evil, etc.

The app is in PHP and there are obviously some higher-level APIs/ for accessing Moodle tables, so it makes sense I should write my scripts in PHP?

And there were.So I started using DML (although I was using Pre-2.0 has awful documentation on the wiki, so I basically had to look at the source, which at least has decent internal documentation) to provide external (meaning not through the Moodle web UI) to the Moodle user database.

But that took way too long. Of course it has been years since I've touched any PHP, so I'll admit that was part of the problem. Mainly, forgetting semi-colons. What kind of insane language requires semi-colons as statement separators?

I was contemplating some a weird hack (which I know works just fine, because I've done it before) of sending YAML over SSH (in lieu of XMLRPC, which is a pain in the ass to secure) but php-syck is completely broken with CentOS and I wasn't able to build the PHP module manually, which I shouldn't have to, anyway.

So the long and short of it. I completed in Python (and my Python is rusty) in an hour what took me 3-4 in PHP so Python it is. Honestly, much of the time could have been saved If PHP had an interactive interpreter like Ruby or Python so could quickly test out the new APIs I was learning, inspect objects, etc.

Verisign: Hardly (or, do we have a new disclosure model here?)

Now I only caught that last 5-10 minutes of the Q&A from the big talk this morning and what I heard (especially about the differences among browser implementations) was pretty interesting. Wish I would have heard the whole thing.

The whining form vendors (or so it is said in the blogs) about "wish they had been told earlier" has been amusing. Waaah.

And I like this new disclosure model (which turns the existing model upside down, vendors have to sign NDAs instead of the the researchers, brilliant!) end the fact that there is a real exploitation (however limited) prior to a fix which brings the end-user community into the disclosure dance.

However, I can't help but think this was sort of a letdown (and I don't think it is just because crypto puts me to sleep) and I liked this summary from This morning's MD5 attack - resolved

Q: Is Internet security broken?
A: Hardly. The presenters of this morning's paper stressed that it took them a long time and a great deal of computational power to succeed in their collision attack. VeriSign has already eliminated the attack as a possibility.


It bothered me that this was positioned as "critical internet infrastructure" attack/vulnerability/compromise to me which pretty much means routing or nameservice or some other collosal failure in the transport layer or below. Which this was not. Web security completely broken I could buy but Internet security, let alone Critical Internet Infrastructure security.

Hardly is a pretty good summary.

Monday, December 29, 2008

Some Non-Speculation on the CCC Breaking the CII Talk Tomorrow

I'll fess up right away. I have no interest in playing hermenuetical games with redacted texts or trying to divine the flaws that will be released tomorrow.

And the first time I read the talk writeup I thought, "Oh, God, here we go again... more preconference disclosure bullshit."

And of course they were allready at it over on Dailydave. BGP. Crypto. Everybody loves BGP and Crypto. Some new DoS?

Get ready for the FUD machines to start. Time to get ill. Get the bucket ready. But after reading HD's blog (which was based on knowledge of the vulnerability) a second time (once wasn't enough) I'm thinking perhaps this one is different:

Their research combined a known weakness in one area with a massive resource investment in another to show that a third party was vulnerable to a practical attack that affects the security of all Internet users. Security researchers often release code and technical documentation to demonstrate a flaw, but in this case, they went a step further and used the attack in the real world to obtain proof that it works.

Not in terms of the vulnerability (or vulnerabilities) to be disclosed (although that very well be) but as way of disclosing critical vulnerabilities that does neither trivializes nor desensitizes flaws that need to be addressed by vendors and the end-user community. The current model isn't working so well.

As you can already see, if folks within the hacker/researcher community (who should know better) conflate all the scary Internet infrastructure vulnerabilities of course folks technology journalists will.

In the broader IT press, Kaminsky's DNS will be treated the same as Watson's TCP as Gont's ICMP as Oulu's ASN.1/SNMP as Guardent's TCP as Lee' TCP, etc. ad naeseum.

(If I weren't typing on this damn Netbook I'd add links but google them yourself if you are interested. But you get the point)

Within the mainstream media, each of these will be covered with approximately the same number of words, the same oversimplification and carefully selected, out of context quotes, regardless of the technical merit of the research, regardless of the scope of the flaws, and the professionalism (or lack thereof) of the finders.

And each time there where will be the Oh-My-God-the-Internet-is-Doomed-thank-God-for-the-Hackers-that-Saved-It narrative.

(Compare the recent wired article on Summer DNS flaws with the coverage of the 2003 TCP vulnerability discovered by Paul (Tony) Watson (aka the man that saved the Internet) and you will see an eerie similarity.)

Another wasted news cycle, and despite the claims of the finders, the security of th e Infrastructure is not improved. End users are either confused or cynical. It is conference season again. It is just too easy to dimiss the research as an individual trying to make a name for themselves and climb the corporate security ladder, a consulting company marketing its services or a vendor hawking their wares in the guise of a BlackHat talk.

Unless there is proof.

And that is where it looks like this will be different. There is a huge difference between what you can prove with a few boxes in your basement, a one-rack testbed with 50-100k of gear, an ISP with live users, or the larger Internet.

Each environment to demonstrate attack vectors and vulnerabilities is increasingly less contrived and more and more like reality. Each is an environment less out of the control of the attacker/adversary/researcher which is where it starts to get interesting. Meaning attacks on an Internet scale.

That is why real incidents (i.e. the smurf attacks of 98, the DDoS of 2000, the worms) teach far better lessons. They provide real data. They impact the bottom lines of vendors and users and impact operational best practicies.

Compare that with flash in the pan vulnerability presentations and you'll see why in the long run I wish more researchers would go beyond proof of concept and operationalize their exploits and discovered vulnerabilities.

Regardless of the technical details of the disclosure, it will be interesting to watch what happens. Will this be more of the same or the start of something new?

Sunday, December 28, 2008

Libgmail, Twitter, Ideapad S10 Hardware Info on Linux

Not sure why but (under Ubuntu) the fan has been running nonstop for the past hour (not sure why, perhaps because the temperature is 61 C, who knows) even booted into fluxbox. I have a little project/tool involving gmail that I'm hoping to get done before the end of the year (not a vuln or anything, don't get too excited) that I've had my head in libgmail for the past 24 hours as well as starting to sort of get the point of Twitter (notice my tweets on the side) but I started poking around at /proc and lshw/dmidecode, etc on the S10. There is definitely something funky with power management. A couple of times (even under XP) the battery value doesn't show up properly and gnome-power-manager doesn't start up properly 20-25% of the time.

description: VGA compatible controller
product: Mobile 945GME Express Integrated Graphics Controller
vendor: Intel Corporation
physical id: 2

description: Ethernet interface
product: NetLink BCM5906M Fast Ethernet PCI Express
vendor: Broadcom Corporation
capabilities: pm vpd msi pciexpress bus_master cap_list ethernet physical tp 10bt 10bt-fd 100bt 100bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=tg3 drive rversion=3.94 latency=0 link=no module=tg3 multicast=yes port=twisted pair

description: Wireless interface
product: BCM4312 802.11b/g
vendor: Broadcom Corporation
capabilities: pm msi pciexpress bus_master cap_list ethernet physical wireless

processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 28
model name : Intel(R) Atom(TM) CPU N270 @ 1.60GHz
stepping : 2
cpu MHz : 800.000
cache size : 512 KB
physical id : 0
siblings : 2
core id : 0
cpu cores : 1
apicid : 0
initial apicid : 0
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yesflags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx constant_tsc arch_perfmon pebs bts pni monitor ds_cpl est tm2 ssse3 xtpr lahf_lm
bogomips : 3191.95
clflush size : 64
power management:
cpuid level : 10
wp : yes00:00.0 Host bridge: Intel Corporation Mobile 945GME Express Memory Controller Hub (rev 03)
00:02.0 VGA compatible controller: Intel Corporation Mobile 945GME Express Integrated Graphics Controller (rev 03)
00:02.1 Display controller: Intel Corporation Mobile 945GM/GMS/GME, 943/940GML Express Integrated Graphics Controller (rev 03)
00:1b.0 Audio device: Intel Corporation 82801G (ICH7 Family) High Definition Audio Controller (rev 02)
00:1c.0 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 1 (rev 02)
00:1c.1 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 2 (rev 02)
00:1c.2 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 3 (rev 02)
00:1d.0 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #1 (rev 02)
00:1d.1 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #2 (rev 02)
00:1d.2 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #3 (rev 02)
00:1d.3 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #4 (rev 02)
00:1d.7 USB Controller: Intel Corporation 82801G (ICH7 Family) USB2 EHCI Controller (rev 02)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev e2)
00:1f.0 ISA bridge: Intel Corporation 82801GBM (ICH7-M) LPC Interface Bridge (rev 02)
00:1f.1 IDE interface: Intel Corporation 82801G (ICH7 Family) IDE Controller (rev 02)
00:1f.2 IDE interface: Intel Corporation 82801GBM/GHM (ICH7 Family) SATA IDE Controller (rev 02)
00:1f.3 SMBus: Intel Corporation 82801G (ICH7 Family) SMBus Controller (rev 02)
02:00.0 Ethernet controller: Broadcom Corporation NetLink BCM5906M Fast Ethernet PCI Express (rev 02)
05:00.0 Network controller: Broadcom Corporation BCM4312 802.11b/g (rev 01)

Wednesday, December 24, 2008

Belief comes last

My wife turned me on to this...

Are you down with OSCP?

I'm generally weary (not wary!) about anything related to SSL or MITM  (and particularly SSL MITM's) but Traffic for Revoked TLSv1 Certificate is actually pretty interesting drink coffee while only the 1 year old is up and toddling around, catch up on blogs on your new Netbook activity.

And Richard's traffic dissection, reminded its been weeks (months?) since I've fired up Wireshark. Tcpdump, every other day, but Wireshark, not so much lately.

Merry Christmas!

Tuesday, December 23, 2008

Ideapad S10 Upgrade Complete

So I only ended up working a half-day today, so this afternoon (in between watching the kids and doing some last minute shopping for Christmas) I put in my old 120GB drive from my wife's dead MacBook and started the arduous process of copying a drive image from the original 80GB drive that ships with it, to the new. 

(The added bonus was that I Ubuntu automatically mounted the HFS+ so I was able to recover a bunch of picture from iPhoto and phone booth)

And none of this would have been possible without UNetbootin.

It is definitely the hero of the day.

So the S10 has a weird partitioning layout. It only uses the first half of the drive (in my case 80GB) for the XP Home (FAT32) partition there are 3-4 other partitions, some more or less hidden for the backup features that I would know about if I had bothered to break the seals on the product documentaiton.

Of course dd|gzip (then back again)  on an Atom processer takes forever so there was a lot of downtime. 40 GB images. I think it compressed down to 7GB or so, but to and from an external USB drive. You get the point. Drive imaging is slow, but now I have a dual boot (8.10 and XP Home) S10. This is the 2nd time I installed 8.10 and the long and short of it it is supported pretty well. No more quirks than on other Laptop hardware.

Monday, December 22, 2008

First Ideapad Blog

Well my Lenovo Ideapad S10 came today, several days ahead of schedule. I guess one of the benefits of a global economic downturn is fulfillment centers chock full of crap that people shouldn't be buying in the first place.

It turns out I had ordered a white one. Oh well, couldn't remember. I thought that might be the case. That's OK need to find some small stickers (OpenBSD, not!) to put on it to look cool.

Still running XP for now (will probably leave it on the 80GB that came with it) but I did boot off 8.10 from a USB key and the only thing that didn't appear to work was the batter life indicator. I didn't try WPA, only briefly hopped on a neighbor's open AP to test the browser because I couldn't remember my WPA2 key and haven't added the MAC to the router yet. Popped in the RAM from my wife's MacBook and up to 1.5.

If you ordered the sleeve (and are a man who is not manly enough to not care if you had a pink notebook sleeve) it is reversible.

So here are the first impressions:
  • It is definitely smaller than I expected, and the keyboard is more cramped than I expected. TAB key is very tiny making shell expansion difficult under cygwin/remote system. But it is usable (typing on it now)
  • Performance is snappier than I thought, given the lousy benchmarks I read about. Chrome on Atom is a nice platform.
  • It definitely feels solid, not like a toy, as I envisioned the Dell Mini 9 to be. Hinges are nice and stiff.
  • Get rid of Norton and their stupid phishing toolbars which suck up screen geometry. Lots of apps barely fit.
  • The touchpad rocks. Hell of a lot better than crappy Dell touchpads (at least the ones I used on Latitude/Precision.
  • It is sort of tricky removing/putting the expansion cover (for HD and RAM) on and off. I was afraid I was going to break it.
  • The is a  noticible audible blowing sound (the fan I believe)
  • Speakers are about what I expect. Not great. Not terrible.
  • Watched the start of the latest episode of Chuck on Hulu and was decent.

Sunday, December 21, 2008

Forget about OWASP, go for Webkin Application Security!



So my daughter received an early Christmas present, a Webkins Clydesdale horse, and when I registered this "adopted" pet (as an adoptive parent, I'm always find stuff like this mildly offensive) I was shocked to see the number of disclaimers, guidance on passwords security, protecting your secret code, etc. during the initial registration far exceeds many security products and public web portals, online banking sites, etc.

And most effective was the animated goose (with glasses propped down on her nose) scolding you about the dangers of a weak password or sharing your secret code.

Of course coming up with the squid proxy whitelist was sort of painful because they use a lot hardcoded IP address in their app like below:

1229885588.050 117 192.168.10.103 TCP_MISS/200 1081 GET http://www.webkinz.com/XML/InstanceFactory/InstanceFactoryData.xml? - DIRECT/66.114.49.27 text/xml
1229885588.056 139 192.168.10.103 TCP_MISS/200 2406 GET http://www.webkinz.com/XML/L10N/TransList.xml? - DIRECT/66.114.49.27 text/xml
1229885615.945 136 192.168.10.103 TCP_MISS/200 851 GET http://www.webkinz.com/XML/WEBSTAT/call_config.xml? - DIRECT/66.114.49.27 text/xml
1229885615.977 953 192.168.10.103 TCP_MISS/200 6437 GET http://www.webkinz.com/XML/vnum_API.xml? - DIRECT/66.114.49.27 text/xml
1229885616.007 177 192.168.10.103 TCP_MISS/200 1713 POST http://66.48.69.99/sindex.php - DIRECT/66.48.69.99 text/xml
1229885617.630 101 192.168.10.103 TCP_MISS/200 359 POST http://66.48.69.99/getdate.php? - DIRECT/66.48.69.99 text/html
1229885617.647 116 192.168.10.103 TCP_MISS/200 672 POST http://66.48.69.99/sindex.php - DIRECT/66.48.69.99 text/xml
1229885617.656 136 192.168.10.103 TCP_MISS/200 374 POST http://66.48.69.123/sindex.php - DIRECT/66.48.69.123 text/xml
1229885617.902 122 192.168.10.103 TCP_MISS/200 470 POST http://66.48.69.123/sindex.php - DIRECT/66.48.69.123 text/plain
1229885617.956 175 192.168.10.103 TCP_MISS/404 630 GET http://66.48.69.104/DAS/2008_12_21.xml? - DIRECT/66.48.69.104 text/html

Friday, December 19, 2008

Is conntrackd really pfsync+CARP for Linux?

Say it aint' so Joe, but conntrack-tools says it "provides and equivalent of OpenBSD's pfsync."
What can do the conntrack-tools for me?

Lots of cool things. conntrackd covers the specific aspects of stateful Linux firewalls to enable high availability solutions and it can be used as statistics collector of the firewall use as well. The command line interface conntrack provides an interface to add, delete and update flow entries, list current active flows in plain text/XML, current IPv4 NAT'ed flows, reset counters atomically, flush the connection tracking table and monitor connection tracking events among many other.
This is something I've been wondering about for a while and it looks like this project has been around since 2006.

Here is a presentation on the capabilities of this. There isn't much test data here, but based on the stats in the talk, the performance of conntrackd (my testing/production observations was done on similar hardware DL-145G3) look a significantly worse than FreeBSD/OpenBSD with PF+pfsync+CARP. Note that the CARP/VRRP functionality is performed by keepalived.

*BSD can be used in the Enterprise for high availability gigabit packet filtering, but it would be interesting to see if anyone is using iptables+conntrackd+keepalived for this?

Update
This presentation about a successful migration from Linux to OpenBSD confirmed my suspicions about conntrackd not being ready for prime time. And This USENIX article provided an interesting comparison between OpenBSD and Iptables.


Linux is, in general, more efficient than OpenBSD. In both router and bridge configurations, it spends less time forwarding packets. Furthermore, iptables filters packets more quickly than PF, with only one exception (in our testing): if the transport-layer protocol of the transit packet, say, UDP, differs from the specifiedtransport-protocol type of a sequence of rules—“protocol type” set to “TCP”in this example—PF ignores those rules and confronts the packet only with the rest of the set, acting more efficiently than Linux, which confronts the packet with all the rules in the set.

This feature of PF is very interesting. UDP-based attacks are very insidious, and most firewalls have rules to prevent many types of UDP datagram from accessing the network. Nevertheless, most traffic from and to a protected network is made up of TCP streams (protocols such as HTTP, SMTP, and FTP all use TCP). In such a case, PF may be more effective: it does not spend processing time comparing TCP packets with the set of rules destined to block UDP datagrams, avoiding delay in processing legitimate packets. Finally, unlike iptables, PF performs automatic optimization of the rule set, processing it in multiple linked lists [7, 8]. A way to optimize the search on the rule set for iptables is to resort to the “jump” parameter [18] for jumping to a subset of rules (i.e., a chain) reserved for TCP or UDP packets, depending on protocol type.


Of course even discounting performance, the iptables rulesets are much less elegant than ipf/pf.

Webjob




WebJob looks more interesting that you would think from the description:

WebJob downloads a program or script from a remote WebJob server and executes it in one unified operation. Any output produced by the program/script is packaged up and sent to a remote, possibly different, WebJob server. WebJob is useful because it provides a mechanism for running known good programs on damaged or potentially compromised systems. This makes it ideal for remote diagnostics, incident response, and evidence collection. WebJob also provides a framework that is conducive to centralized management. Therefore, it can support and help automate a large number of common administrative tasks and host-based monitoring scenarios such as periodic system checks, file updates, integrity monitoring, patch/package management, and so on.


When you look at the use cases:


To date, WebJob has been successfully used to:

* Automatically harvest argus, ifconfig, lsof, netstat, ndd, patch, ps, tcpdump, (name your utility), etc. data
* Automatically update cron tabs, DNS records, password files, snort rules, web sites, (name your application), etc.
* Automatically update system binaries when their MD5s do not match expected values
* Conduct massive searches for credit card numbers, social security numbers, and suspect hashes
* Deploy FreeBSD, Linux, Solaris, and Windows packages
* Drive GUI-based Windows utilities via AutoIT scripts
* Harvest evidence and diagnostic information from hundreds (300+) of systems in parallel
* Harvest system information to perform security audits or compliance verification
* Implement a Virtual Evidence Locker (VEL)
* Implement and maintain a Poor Man's Compile Farm (PMCF)
* Implement and maintain a distributed malware test harness
* Perform integrity monitoring with FTimes
* Periodically perform administrative tasks on a 950+ node Content Delivery Network (CDN) and the list goes on and on...



I haven't tried it (and it would be interesting to see if it really can scale) but I will!

Thursday, December 18, 2008

Andy v. Alan: Two Man Enter

Having been on both sides of the fence this is amusing.

Come with me on a little journey. What if she had convinced him to buy her product? Well, that would only happen in one of a couple of ways. First, he decided to make the decision on his own not knowing what the business requirements for this product are. He has no business being CIO. Second, he comes to me and tells me that he wants it and asks for my input. I tell him we don't need it at the moment, there are more pressing projects and I haven't decided on a vendor. He still buys it. He has no business being CIO. So we now have a product that we don't currently need, may not meet all of our requirements, may not be the best fit or the best value for us and I have another piece to force into my security program.
Who wins?
Not me. I've now got another product forced on me and I am learning that my input and opinion are not really valuable to the company so why not move on.
Not my CIO. He has lost my respect and possibly my services. Now he has to find someone else to come in and learn the environment, business and everything else.
Not my company. They just spend a lot of money that wasn't necessary and may not meet their needs.
Not the sales person. She has damaged relationships with a potential customer down the road.
Not the vendor. They have now sold a product that if it doesn't do as expected or doesn't meet the business requirements will only cause the customer to have a bad taste in their mouth.
All of this could have been avoided if the sales person simply chose to wait until next year when a "real" decision could be made.

Wednesday, December 17, 2008

Lenovo Ideapad S10 it is



Well I did my small part in propping up post-late-capitalism-2.0 by purchasing necessary consumer electronics devices, by finally ordering an Ideapad S10 Netbook (512MB/80GB) I think it was a black one, can't remember.

A number of stars aligned and it was a tossup at the end because there was Dell Mini-9 package for around $410 with 8GB SSD with Ubuntu and I really wanted to support a vendor that preinstalled Ubuntu (because I will be running it afterall) but here are the reasons I went with the Lenovo:
  • I hate Dell Laptops, although the M4300 I'm using right now is tolerable but I love my Thinkpad T-61. I had positive experiences with Lenovo support, the unknown of Dell support scares me. They don't call it "Dell Hell" for nothing
  • Expandability - the Lenovo case is really easy to pop open and the drive is a SATA, so I can pop in the 120GB from my wife's dead MacBook. And I can wait until prices some down on SATA SSD's. I think the 1GB stick from the MacBook should work, too. Dell just has 1 SODIMM slot. PCI-Express port., probably more for a SSD than wifi since I have a USB, although the 2 USB ports could come back an bite me.
  • Price - with the Lenovo Corporate discount, it was $30-40 cheaper.
  • Aesthetics - Lenovo is boxy with a matte finish vs. rounded and shiny. Looks more professional
  • OS/Storage - I can install my Own Damn Linux and it is not a bad thing to have another OS with XP on it. It will be interesting to see how lame the Atom is, but the larger hard has the potential of making it usable as a real computer (or so I think) vs. only as Linux netbook. I will either dual boot or pop in a new drive.
  • Screen Size - 10" vs. 8.9 with my eyes really blurry right now I need every larger pixel I can get.
The battery life is going to suck compared to the Mini-9 but there is a 6-cell that is available.

Tuesday, December 16, 2008

OpenVZ Virtual Ethernet Devices

By default, OpenVZ uses the venet devices which on the network have the same mac address as the host (VE0/CT0). This actually proved to be a problem when I was trying to [Nessus] scan OpenVZ containers from the host.

(Basically I'm trying to migrate Linux VM's some of which are targets that we scan in class away from VMWare Server, and the behavior was that students were only able to scan the VE's if they were connected to a Nessus scanner that was not on the same physical system as the other containers. Got it?)

So I had seen an eth0 within the container and wondered what it was and how it is configured. Well the virtual ethernet device wiki page has the answers although I was not unable to get this working after waking up at 1:30 AM and being unable to go back to sleep. Will try again tomorrow.

Monday, December 15, 2008

CyberSecurity Sanity We Can Believe In



With everybody and their pocket yoyo trumpeting the need for a Cyber-Czar it was good to see Dale's comments over on Digital Bond

1. The reorganization of responsibility will introduce delay and is unlikely to improve the situation

Let’s say the National Office for Cyberspace comes to be early in the Obama administration. We are in for an ineffective time period and disruption while the new organization is ’stood up’ and everyone figures what their new role is in this organization. Is it six months, a year or longer before the new organization is effective? Anyone who has dealt with government stand up efforts and associated bureaucracy is probably shaking their heads.

Many loyal blog readers have been involved in one or more re-orgs of large organization, especially with arrival of new management. How often has that really made a dramatic difference? I don’t see the organizational structure being even close to the biggest impediment to date.

2. This whole consolidation / czar concept that is the rage is flawed, at least as related to information security.

We like to think that we can bring in a superstar with charisma to become the czar, e.g. drug czar, education car czar, cyber security czar, …, and all will be well. In this control system cyber security effort I’d argue the key is the people three, four and five levels down from this charismatic czar.

We don't need to be creating new organizations.

We don't need a Cyber Defense Agency (or a Control Systems CERT for that matter).

Just do your F-ing jobs, people.

Saturday, December 13, 2008

Major Vendor Netbook Pricing Showdown

I've been longing for a Netbook for a while and am still watching craiglist like a hawk as well as pricing from Netbook vendors.

  • HP Mini HP 1000/1GB Ram/8GB SSD with 2 year warranty (WinXP obviously) - $459
  • Dell Inspiron Mini 9/512GB/8GB SSD with 2 year warranty (Ubuntu) - $463
  • Lenovo S10 IdeaPad/512GB/80GB SATA with 2 year Warranty (XPSP3) - $408
I'm sort of anal about getting warantees on laptops and I don't trust Acer, Asus, etc.

Ubuntu reportedly runs on these, but the Lenovo looks really tempting (especially because I'm somehow on their employee discount list). It looks easy to upgrade, like to put in a SSD when they get a little cheaper and it also has a express card slot which I would be more interested more for storage although looking at the BIOS it doesn't look like you could boot from it. It would be trivial to dual boot on the SATA drive, but it seems like the whole point of having at netbook is to have a SSD drive.

XDot Graphviz Viewer

The last time I was using Graphviz I was mostly using the Mac, which had a nice viewer, but XDot seems to be the best option for Linux. It is a single Python script and all the dependencies are available in the repos.

Friday, December 12, 2008

Chuvakin waits for the "Retarded" SCADA 09 Predications

I'm with Anton Chuvakin on this one:


“SCADA anything REALLY bad” (here) – to be really honest, I have not really seen it yet this year so no link, but it will come. Help yourself to previous year embarrassments :-)

Thursday, December 11, 2008

Forest and Trees?

Along with the neverending drumbeat from ElasticVapor on CyberSecurity, now even Tom Peters is bullish on the idea of a CyberSecurity czar and an increased focusing on "CyberSecurity" in the next administration.

While Mr. Bush did increase spending on cyberthreats, much, much more emphasis is called for—and the topic is too important to bury in DHS.

But if if you "create a new White House office to protect cyberspace from hackers, thieves and foreign agents, coordinating security efforts across U.S. military, intelligence and civilian agencies" isn't that creating another DHS?

The problem is not coordination (of all things) we don't need another figurehead or another advocate for "CyberSecurity."

The issue is implementation. This is dirty, tedious work that creation of another agency or czar is not going to solve.

Tuesday, December 09, 2008

Remember CP/M ladder?



At bedtime, my son always asks me about what it was like when I was a kid and tonight I was telling him how much more powerful his Nintendo DS was than the first computer we owned, a Kaypro II but I remembered my favorite game Ladder that I was very pleased to find a Java implementation.

Pure genius.

Correction, my favorite game was Rats! when I was able to go into my dad's lab.

Monday, December 08, 2008

Whisky, Tango, Foxtrot, over?

From U.S. is Losing Global CyberWar. '

What the hell does that even mean?

To compile the report, which is entitled "Securing Cyberspace in the 44th Presidency," commission members say they reviewed tens of thousands of pages of undisclosed documentation, visited forensics labs and the National Security Agency, and were briefed in closed-door sessions by top officials from Pentagon, CIA, and British spy agency MI5. From their research, they concluded that the U.S. badly needs a comprehensive cybersecurity policy to replace an outdated checklist of security requirements for government agencies under the existing Federal Information Security Management Act.

The report calls for the creation of a Center for Cybersecurity Operations that would act as a new regulator of computer security in both the public and private sector. Active policing of government and corporate networks would include new rules and a "red team" to test computers for vulnerabilities now being exploited with increasing sophistication and frequency by identity and credit card thieves, bank fraudsters, crime rings, and electronic spies. "We're playing a giant game of chess now and we're losing badly," says commission member Tom Kellermann, a former World Bank security official who now is vice-president of Security Awareness at Core Security.

So the need to replace their old checklists with new checklists and start testing for vulnerabilities.

Which genius thought that up?

Chess? Win vs. Lose?

If only they knew about the Petraeus doctrine

Define the problem in these terms, and winning battles becomes less urgent than pacifying populations and establishing effective governance.

War in this context implies not only coercion but also social engineering. As Nagl puts it, the security challenges of the 21st century will require the U.S. military “not just to dominate land operations, but to change entire societies.”

If you can't even define victory in Iraq (conventionally or unconventionally) how can you define victory in "Cyberspace?"

(And of course over on ElasticVapor they think this is a great article which confirms my suspicions)

Please tell me what all this is going to accomplish or attempt that has not already been tried in the last decade?

Sunday, December 07, 2008

But Is Intrepid Ubuntu Enough?

Several years ago my wife was using Hoary Hedghog on her laptop and it suited her just fine, but I really haven't tried switching family members away from Windows to Linux. Actually I have counseled them to get Mac's but they haven't gone for it.

But this week my sister in law got some nasty malware from Facebook (this appears to be going around) and spending a few hours descending into safemode trying to get rid of of it with McAfee, Windows Defender, and ClavAV. No luck. Yesterday I had booted up with a Fedora 10 LiveCD and my brother liked the look of that and given the hell of dealing with malware they are willing to give Ubuntu a shot. They already use OpenOffice and Firefox sould it is the ideal case. But we'll see if it is painless enough.

So I added Ubuntu 8.10 to the Dell Optiplex 330. Added medibuntu repos, installed flash, Realplayer, and the codecs for mp3's even added the Gnome weather applet to the toolbar. Hell, even imported their pictures into F-Spot. What I was most pleased about what that the several year old D-Link PCI Wireless card worked out of the box, even with WPA.

What didn't work well was the GUI partition resizing, which failed silently, but I was able to drop down and do an ntfsresize -i to see that it was unclean NTFS partition.

So there is no way that an average user could do Dual Boot or setup all the repos and install the software themselves without doing a whole of lot of reading, but now we will see how painful it is. I'm particularly concerned about printing. My sister in law still needs access to some windows programs so I'll try Dual Booting and/or possibly VMWare Player.

If this is successful I want to replace XP Home on my mom's 3-4 year old Dell laptop because it is starting to die a slow death.

Thursday, December 04, 2008

Fedora 10 on T-61 Passes the Sniff Test (But Fails the Virtualization Test)

Did the install from the LiveCD. First go around I had forgot to unmount /dev/sda1 (where I was going to install it) so it failed but on the 2nd try booted just fine. Installed Flash from the repositories. Added another repo so I Gstreamer could handle mp3 streams. Sound works. Haven't tried WPA but that should work too.

Still not as smooth as the last two (or three) Ubuntu releases for but still usable, but the two things I do like

1) Fedora GNOME install has mini-commander. Yeah!!!
2) Fonts are bigger for an old guy like me ;)

But easy virtualization (compared to Ubuntu) forget about it

No easy OpenVZ. KVM (which sucks with QEMU)/Virtual Machine Manager didn't work out of the box (or at least not in 5 minutes the way it does on Ubuntu) and no dom0.

Lame. I really wanted a Xen-friendly distro to dual boot for my Thinkpad, since Centos/RHEL kernel is so old it won't support the hardware.

Trisano: Open Source & National Security

As opposed to my previous blog Trisano would be a real example (if it does what it say) that Open Source improves national security:


TriSano™ is an open source, citizen-focused surveillance and outbreak management system for infectious disease, environmental hazards, and bioterrorism attacks. It allows local, state and federal entities to track, control and ultimately prevent illness and death.

Open Source Cliches of the Day

First it was ludicrous article Open source is dead long live open source (don't get me started about the notion that Open Source code is so good that it doesn't need support, put the crackpipe down!) and then Bejtlich Cited in Economist.

While kudos go out to Richard (and I'm quite jealous) about being cited in The Economist I wish it would have been about NSM and not Open Source:
One way for governments to do this [to become resilient to cyber attack], says Richard Bejtlich, a former digital-security officer with the United States Air Force who now works at GE, an American conglomerate, might be to make greater use of open-source software, the underlying source code of which is available to anyone to inspect and improve. To those outside the field of computer security, and particularly to government types, the idea that such software can be more secure than code that is kept under lock and key can be difficult to accept. But from web-browsers to operating systems to encryption algorithms, the more people can scrutinise a piece of code, the more likely it is that its weak spots will be found and fixed. It may be that open-source defence is the best preparation for open-source attack.
Besides being included in article on my non-favorite topic of late (cyber-anything makes me ill) I think Richard is repeating one (or maybe two) security cliches: the "more eyes mean greater security" and the oft-repeated negation of "security through security."

OpenBSD is not PHP.
Linux is not Apache.
Tomcat is not BIND.
Debian is not OpenSSH.
Fedora is not SELinux.
Firefox is not Ruby on Rails.

Each of these may or may not be "more secure" than the other--or compared to an individual development team within a vendor we know and love/hate.

Software security is about tools, talent, and techniques not whether code of open or closed. Developer culture and committed project leadership are what make software secure, not whether the code exposed to clueless masses to find security flaws. Furthermore, there is great diversity in code quality, development (and business/sponsorship) models among Open Source pojrects that make it very difficult to make these sort of generalizations about the security of Open Source, let alone the role of Open Source in "resisting a Cyberattack" and much better case could be made based about the Open Source network security toolset that Richard champions in thwarting attackers -- as opposed to the inherent robustness and integrity of the Open Source codebase. With the exception of the Intel community, how many government personnel (or their contractors) are spending time scrutinizing the Linux kernel source? Jakarta Struts?

Not too many, I would guess.

While I am certainly a huge advocate of Open Source (and have had the [mis]fortune of developing/operating Open Source-based security platforms performingcritical functionality within a large Enterprise to back it up) security would not be at the top of the list as the reason to develop on (or deploy) an Open Source stack. For me it is about control, customization, and cost. Probably in that order. Yes, transparency, can result in improved code security (meaning fewer vulnerabilities per line of code) and better decision making in terms of deciding when and whether to patch (if I can look at the diff I don't have to guess about the true impact of the cryptic Cisco/Microsoft advisory or worse) but this is only a potential that in many (perhaps) Open Source projects don't live up to in reality.

Wednesday, December 03, 2008

Tuesday, December 02, 2008

A Nice Xen vs. OpenVZ Comparison

Why OpenVZ and not XEN has a nice summary of some of the differences that are relevant to some of the comments made in response to OpenVZ fever

OpenVZ has one strong limit compare to XEN, it is not a full visualization and therefore you're limited to Linux only containers. People working with Sun will recognize Solaris zones concept, that was introduced few years ago. Like for Solaris every OpenVZ zones shared the same kernel, which at OVH translate in a Linux-2.6.24.7 kernel. This being said, it is important to understand that Linux distributions are independent of kernel, you can therefore run any Linux distributions you want under a unique kernel. While OVH ships Debian Etch with OpenVZ hyperviseur, you can chose any other distribution for your zones, new version of Fridu mostly operated with Ubuntu, but nothing prevents you from running multiple distributions. OVH ships template for Debian, CentOS, Gentoo and Ubuntu, but if this is not enough you can either create your own template or download one from Internet (OpenVz-WIKI)

OpenVZ includes a set of scripts to create/manage virtual machines, unlike Xen that is shipped naked and where I had to write more or less equivalent scripts by myself (cf: Fridu Xen Quick Start). Furthermore OVH ships OpenVZ with a web console from Proxmox, not that I'm a big fan of having a GUI, but as you can see on the video, it is great to make sexy demos.This console allows you to create a new virtual instances literally in a mater of seconds :) It allows you to start/stop change ram size, IP adresses, etc. on any instances without forcing you to remember any special commands. While Proxmox console misses few features like an SSH applet, a firewall config, or a java VPN. I must say that I get used to it and create every virtual machine through the web GUI.

OpenVZ is very light weight, not only it shares the same kernel, but also the same filesystem and networking stack. Direct result is that, on a given server you can run more OpenVZ zones than you could run XEN virtual-machines. From a user point of view when a zone is up, wether you run OpenVZ or XEN is fairly transparent, this being said they are nevertheless some fundamental differences:

Monday, December 01, 2008

OpenVZ Fever


Just like the recession, it's official. I'm totally hooked on OpenVZ and here are the reasons.
  1. Performance, performance, performance. IO-intensive apps are really sluggish on VMWare. I have OpenVZ running quite nicely on an old AMDK7. I had two VE's running (one with Security Center managing a Nessus scan, in progress) and other Ubuntu server and I was playing a game of Netpanzer with my son with no issues. Now that is a benchmark.
  2. Ease of use and broad Linux distribution support. Debian 4.0r3 slightly edges out Ubuntu 8.0.4.1 and it looks like CentOS (as the host) is straightforward as well. There is also a rich library of Linux OS templates to choose from.
  3. Non-Disruptiveness - a lot of Linux other virtualization solutions don't play well with others. VirtualBox doesn't work if kvm is running. Hell, I've yet to find a Linux distribution where Xen works out of the box, but on Ubuntu I can have VMware Server and OpenVZ together with no issues.
Obviously OpenVZ is only for running Linux VM's but I'm sold.

Sunday, November 30, 2008

Military Industrial Media Complex

From the NYTimes this morning. Not surprising, but still troubling...


Through seven years of war an exclusive club has quietly flourished at the intersection of network news and wartime commerce. Its members, mostly retired generals, have had a foot in both camps as influential network military analysts and defense industry rainmakers. It is a deeply opaque world, a place of privileged access to senior government officials, where war commentary can fit hand in glove with undisclosed commercial interests and network executives are sometimes oblivious to possible conflicts of interest.

Few illustrate the submerged complexities of this world better than Barry McCaffrey.

General McCaffrey, 66, has long been a force in Washington’s power elite. A consummate networker, he cultivated politicians and journalists of all stripes as drug czar in the Clinton cabinet, and his ties run deep to a new generation of generals, some of whom he taught at West Point or commanded in the Persian Gulf war, when he rose to fame leading the “left hook” assault on Iraqi forces.

But it was 9/11 that thrust General McCaffrey to the forefront of the national security debate. In the years since he has made nearly 1,000 appearances on NBC and its cable sisters, delivering crisp sound bites in a blunt, hyperbolic style. He commands up to $25,000 for speeches, his commentary regularly turns up in The Wall Street Journal, and he has been quoted or cited in thousands of news articles, including dozens in The New York Times.

His influence is such that President Bush and Congressional leaders from both parties have invited him for war consultations. His access is such that, despite a contentious relationship with former Defense Secretary Donald H. Rumsfeld, the Pentagon has arranged numerous trips to Iraq, Afghanistan and other hotspots solely for his benefit.

At the same time, General McCaffrey has immersed himself in businesses that have grown with the fight against terrorism.

The consulting company he started after leaving the government in 2001, BR McCaffrey Associates, promises to “build linkages” between government officials and contractors like Defense Solutions for up to $10,000 a month. He has also earned at least $500,000 from his work for Veritas Capital, a private equity firm in New York that has grown into a defense industry powerhouse by buying contractors whose profits soared from the wars in Afghanistan and Iraq. In addition, he is the chairman of HNTB Federal Services, an engineering and construction management company that often competes for national security contracts.

Many retired officers hold a perch in the world of military contracting, but General McCaffrey is among a select few who also command platforms in the news media and as government advisers on military matters. These overlapping roles offer them an array of opportunities to advance policy goals as well as business objectives. But with their business ties left undisclosed, it can be difficult for policy makers and the public to fully understand their interests.

Saturday, November 29, 2008

Drop Dead Simple OpenVPN on OpenBSD 4.4

Like OpenBSD, OpenVPN is something I always end using every couple of years but not often enough to stay fluent with the setup & configuration. Although I don't get into it here, you can do some really cool stuff with bridged mode. We actually used it in the SCADA Honeynet to send traffic to a target PLC. OpenVPN is also an ideal free VPN solution for a small company since it is available on Windows, OSX, and Linux.

After reviewing docs and blog entries since the last time is used it, I found that not only are the too way many howtos out there (when can too much documentation be a bad thing?) many of them are overkill for what I needed and focus on using certificate authentication, when shared key was all I needed. But the Static Key Mini-HOWTO was too simple.

This configuration could be used to provide remote access to a private network over the Internet (or, as the case is here) providing access to the Internet over an insecure wireless network. The OpenVPN server becomes the default route. There is obviously a lot more than you

1. Install on OpenBSD 4.4 (OpenVPN server) via ports (or package if if you lazy)
# cd /usr/ports/net/openvpn && make install
2. Install on Debuntu (client)
# apt-get install openvpn
3. Generate your static key on the server
openvpn --genkey --secret static.key
4. Create Server OpenVPN config (/etc/openvpn/server.conf
dev tun0
port 1234
ifconfig 10.0.0.1 10.0.0.2
secret static.key
ping 15
verb 4

4. Create your PF rules in /etc/pf.conf. The key rules I added were to allow the incoming UDP OpenVPN traffic (port 1234) and to allow all the traffic in on the tun0.
ext_if="xl0"
int_if="rl0"
vpn_if="tun0"
set skip on lo
scrub in
nat on $ext_if from !($ext_if) -> ($ext_if)
block in log
pass out keep state
pass quick on $int_if no state
pass in on $vpn_if keep state
pass in on $ext_if proto udp to ($ext_if) port 1234
pass out proto icmp keep state
pass in proto icmp keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh

5. OpenVPN client config (in /etc/openvpn/openvpn.conf)

Paste over the key to /etc/openvpn/static.key
dev tun0
remote 192.168.1.44
port 1234
nobind
ifconfig 10.0.0.2 10.0.0.1
secret /etc/openvpn/static.key
redirect-gateway def1
ping 15
verb 4

The new option I learned about was "redirect-gateway def1" which adds a default route to the OpenVPN terminating tunnel address (10.0.0.1) so that all non-local traffic gets sent over the tunnel, which is what I want. Obviously this leaves any local traffic unprotected.

mfranz@mfranz-t61:~$ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.0.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.1.100 0.0.0.0 255.255.255.255 UH 0 0 0 venet0
192.168.1.44 192.168.10.254 255.255.255.255 UGH 0 0 0 wlan0
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 vnet0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 wlan0
0.0.0.0 10.0.0.1 128.0.0.0 UG 0 0 0 tun0
128.0.0.0 10.0.0.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.10.254 0.0.0.0 UG 0 0 0 wlan0


6. Startup your server (and add this to rc.local)
openvpn --daemon --config /etc/openvpn/server.conf
When you are testing, obviously don't select the --daemon option

7. Connect with the client
# openvpn --config /etc/openvpn/openvpn.conf

Sat Nov 29 14:47:34 2008 OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Jun 11 2008
Sat Nov 29 14:47:34 2008 /usr/sbin/openvpn-vulnkey -q /etc/openvpn/static.key
Sat Nov 29 14:47:34 2008 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 29 14:47:34 2008 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 29 14:47:34 2008 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 29 14:47:34 2008 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 29 14:47:34 2008 TUN/TAP device tun0 opened
Sat Nov 29 14:47:34 2008 ifconfig tun0 10.0.0.2 pointopoint 10.0.0.1 mtu 1500
Sat Nov 29 14:47:34 2008 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:4 ET:0 EL:0 ]
Sat Nov 29 14:47:34 2008 Local Options hash (VER=V4): '5c3fe1ab'
Sat Nov 29 14:47:34 2008 Expected Remote Options hash (VER=V4): '522471df'
Sat Nov 29 14:47:34 2008 UDPv4 link local: [undef]
Sat Nov 29 14:47:34 2008 UDPv4 link remote: 192.168.1.44:1234
Sat Nov 29 14:47:44 2008 Peer Connection Initiated with 192.168.1.44:1234
Sat Nov 29 14:47:46 2008 Initialization Sequence Completed

Friday, November 28, 2008

Cloud Wars, Russia/China v. DoD, Digital Pearl Harbor's and other things that don't keep me up at night




Elasticvapor is hyperventilating about the latest cyberattacks (what is it about the term "cyber" that makes me bilious)
This current attack on the DoD is a relatively minor diversion in comparison to what a full out, planned network centric attack could actually do. Think about the potential fall out if the US electrical grid, cell / phone network and financial infrastructure was to be attacked in unison and taken offline all at once. Combine that with if it were to happen during the midst of an actual "crisis" such as what we're currently seeing in India this week. The turmoil would be unprecedented.

Nod. Been there done that, why nail assets from other critical infrastructure sectors (air, rail, chemical, various pipeline) while you are at it? A threat-modeler's wet-dream.

Yep, the more things change the more they stay the same -- like Richard Clarke's Digital Pearl Harbor (yeah you read that right, that is from 2000)
On coming to office, the next president will find that several nations have created information-warfare units, Clarke said.

"These organizations are creating technology to bring down computer networks. Some are doing reconnaissance today on our networks, mapping them," he said.
The horror, the horror andt here is some other good stuff from pre-9/11 days when (if you believe Vmyths) there was too much focus on Cyber and not enough on physical.
Another way to improve security throughout the Internet is to create secure lines of communication between the technology industry and the government, Clarke said. That way, they could share information about hackers and viruses without worrying about the public learning about it.

Others at the conference expressed the same notion. Harris Miller, president of the Information Technology Association of America, said that a nonprofit organization of 18 companies would be created early next year to share information.
That wouldn't be the genesis for those pesky little ISACs we keep hearing about.

Speaking of public information if you look at the latest press on the attacks against DoD. you'll see the typical meaningless say-nothing article (with a few juicy-sounding leaks from DoD employees) that undermine the credibility of the whole story and reinforce how little is known in the open press. Channeling Rumsfeld (are these known unknowns or unknown knowns?), here are all things that are not known by defense officials:

From LA Times
The defense official said the military also had not learned whether the software's designers may have been specifically targeting computers used by troops in Afghanistan and Iraq.

Military electronics experts have not pinpointed the source or motive of the attack and could not say whether the destructive program was created by an individual hacker or whether the Russian government may have had some involvement. Defense experts may never be able to answer such questions, officials said.

Officials would not describe the exact threat from agent.btz, or say whether it could shut down computers or steal information. Some computer experts have reported that agent.btz can allow an attacker to take control of a computer remotely and to take files and other information from it.

Or maybe, despite the headlines, it is not a cyberattack at all?

So, to distill what is available in public news sources:
  • It might (or might not) be W32/Agent.BTZ (hence, the USB angle) which has been around for months
  • Central Command networks have been infected and perhaps others, possibly to gather information about logistical systems
  • Both China and Russia are mentioned with no direct evidence of their involvement
  • Portable storage devices were banned on 17 Novemeber
Yeah I'm a hell of a lot more worried about the link between breastfeeding and peanut allergies that any of this stuff. Note to self: don't accidentally give the peanut butter-filled Nilla wafers your 5 your old didn't eat to your 11 month old.

Update: Dave Lewis also mentions the article, so it must be serious ;)

Wednesday, November 26, 2008

Yeah, one wonders...

Joe summarizes his impressions on the CSI SCADA/Control Systems Summit

There were 19 attendees. The session was disappointing as there were no attendees with control system experience – it was an IT audience. Consequently, the discussions focused on securing Windows. However, it was so focused on traditional on IT experience that when an example was provided of actual control system field implementations (older, unpatchable Windows systems that cannot be replaced), it caught the attendees off-guard and they didn’t know what to do. They were not expecting that unintentional threats are critical to securing control systems. When discussions focused on what security control system vendors are providing (HMI and field devices), the attendees did not understand why security was not a primary design criteria or the difficulties in implementing secure control systems. There was also little knowledge of the control systems standards organizations and why IT standards were not directly applicable. I realize this may not be a typical representation of IT personnel working on control system cyber security, however, one wonders how much progress actually has been achieved in understanding the unique issues of control system cyber security.
Say it ain't so Joe!

It would be interesting to see the attendee list to see just who these "IT" people were.

But rhetorically (meaning how you would want to win the argument or get your point across) it doesn't make sense for those in the control systems security community (if in fact they want to be taken seriously) to continually dismiss "IT" (which basically means anything that is not control systems) as irrelevant and complain about "IT's" ignorance "SCADA Security" standards efforts.

To put it more bluntly, imagine if you walked into a meeting trying to engage in dialog with folks that consider themselves experts on a given topic. If the first thing you do is tell everyone in the room is full of shit and what they do know is not relevant to the problem at hand, how can you expect to be taken seriously?

Tuesday, November 25, 2008

Sophocles, Soldiers, PTSD

Heard In Ancient Dramas, Vital Words For Today's Warriors on NPR this evening:


It's a three-day gathering designed to help military personnel — from enlisted men and women to generals — deal with war's emotional toll.

Brig. Gen. Loree Sutton, who runs the Pentagon division behind the conference, says that despite the graphic horrors depicted in Sophocles' tragedies, today's warriors can find comfort in them.

The plays can reassure a soldier, she says, "that I am not alone, that I am not going crazy, that I am joined by the ages of warriors and their loved ones who've gone before me, and who have done what most in society have no idea our warriors do."

Saturday, November 22, 2008

Qore: your new webappsec buddy?

Now I don't do webappsec anymore but if I did, I would I would investigate qore.

Why?

The areas Qore targets are interfacing, database integration, threading (and SMP scalability) and embedding (and arbitrarily restricting) code. Qore is also a dynamically-typed language to facilitate rapid prototyping and development (particularly regarding agile programming, disposable interfaces, etc). To my knowledge there is no other programming language with this design focus.

You can get a feeling for this aspect of Qore's design when programming with Qore's database-independent DBI infrastructure (through the Datasource and DatasourcePool classes), Qore's XML and JSON integration (where XML and JSON strings and qore data structures can be converted from one to the other), easy use of the Socket class and classes provided by modules providing messaging integration, etc.


It is a bit too Perlish for my taste (damn you semi-colons!) but it looks sort of interesting and I'll probably play around with it.

root@ubuntu-ve804:~# qore --version
QORE for Linux unknown (32-bit build), Copyright (C) 2003 - 2008 David Nichols
version 0.7.1-2304 (builtin features: sql, threads, xml, debug)
module API: 0.5
build host: Linux localhost 2.6.24-21-openvz #1 SMP Wed Oct 22 02:50:53 UTC 20
08 i686 GNU/Linux
C++ compiler: g++
CFLAGS: -I/usr/include/libxml2 -D_GNU_SOURCE -D_QORE_LIB_INTERN -DMODULE_DIR="
/usr/local/lib/qore-modules" -g -g -m32 -D_THREAD_SAFE -Wall -lm
LDFLAGS: -lz -lpcre -lxml2 -lbz2 -lssl -lcrypto -g -lm
this build has options:
OPTION atomic operations = true
OPTION stack guard = true
OPTION library debugging = true
OPTION runtime stack tracing = true
ALGORITHM openssl sha224 = true
ALGORITHM openssl sha256 = true
ALGORITHM openssl sha384 = true
ALGORITHM openssl sha512 = true
ALGORITHM openssl mdc2 = false
ALGORITHM openssl rc5 = false
FUNCTION round() = true
FUNCTION timegm() = true
FUNCTION seteuid() = true
FUNCTION setegid() = true
FUNCTION parseXMLWithSchema() = true

Friday, November 21, 2008

Hoff's PDP Proxy

It is good somebody else finds GNUCITIZEN content annoying because (much like following SCADASEC) I certainly lack the self restraint to avoid writing snarky blog posts like this one.

The power of the real American network



Some patriotic Americans at Verizon was keeping tabs on our Marxist, Socialist, Terrorist, Muslim President Elect, according to CNN


Records from a cell phone used by President-elect Obama were improperly breached, apparently by employees of the cell phone company, Verizon Wireless said Thursday.
An Obama spokesman said the transition team was told Verizon Wireless workers looked through billing records.

An Obama spokesman said the transition team was told Verizon Wireless workers looked through billing records.

"This week we learned that a number of Verizon Wireless employees have, without authorization, accessed and viewed President-Elect Barack Obama's personal cell phone account," Lowell McAdam, Verizon Wireless president and CEO, said in a statement.

Wednesday, November 19, 2008

Literally Marinating in Vulnerabilities

Gunnar Peterson has an interesting blog which reflects his "asset focus", which I think is on target.

Money quote from The Economics of Finding and Fixing Vulnerabilities in Distributed Systems


Why does a talk on finding and fixing vulnerabilities start with valuing assets? The reason is that vulnerabilities are everywhere, we are literally marinating in them. Interesting vulnerabilities are attached to high value assets. In a world that quite literally presents us with too much information, we need screens to sift out what is worth paying attention to. You can run your vulnerability assessment tool of choice on your system, and come back with hundreds or thousands of vulnerabilities, but which ones should you pay attention to and act on? The first part of answering this question is asset value.

Those crisp Lincolnshire mornings

We've had snow (sort of) these last few days and I got out my warm "Chicago" coat this morning. There is a hint of dawn on the horizon. Different. Definitely. East on I-70 as the sun goes up and West as it sets. Just as before, only at home in darkness.

I forgot how refreshing the cold is. And as beautiful as the still-night sky is this morning, the moon stiill out and the last few stars, as I go warm up my car (the true thermometer, it is not really cold until your car is hard to start) I can't help but think of all those crisp blue mornings driving North on the Edens, across the spur, through the trees of Riverwoods. The jet contrails into ORD. The frozen swamps of Lake County, feet and feet and snow, the frozen lake (was it a quarry lake) and all the Canadian goose shit on stomped down sidewalks on the Hewitt campus. Bigger than you would think.

Happy times. Sad times. Mood swings. Meds changes. Mania.

Once again we approach Thanksgiving and the dreaded Equinox.

Pinned by chemistry and angle of the sun.

The more things change the more they stay the same.

It is a Frost morning


They cannot scare me with their empty spaces
Between stars--on stars where no human race is.
I have it in me so much nearer home
To scare myself with my own desert places.

Tuesday, November 18, 2008

rsyslog vs. syslog-ng

I really like syslog-ng, but I just ran across rsyslog tonight. It built on Debian 4.0 (failed on OpenBSD 4.4) but I didn't get it running yet. Will give it a try.

Rsyslog is an enhanced multi-threaded syslogd. Among others, it offers support for on-demand disk buffering, reliable syslog over TCP, SSL, TLS, and RELP, writing to databases (MySQL, PostgreSQL, Oracle, and many more), email alerting, fully configurable output formats (including high-precision timestamps), the ability to filter on any part of the syslog message, on-the-wire message compression, and the ability to convert text files to syslog. It is a drop-in replacement for stock syslogd and able to work with the same configuration file syntax.



I could care less about TLS Encrypted syslog but some of the other features like Handling a massive syslog database insert rate with Rsyslog look sort of interesting.

Database updates are inherently slow when it comes to storing syslog messages. However, there are a number of applications where it is handy to have the message inside a database. Rsyslog supports native database writing via output plugins. As of this writing, there are plugins available for MySQL an PostgreSQL. Maybe additional plugins have become available by the time you read this. Be sure to check.

In order to successfully write messages to a database backend, the backend must be capable to record messages at the expected average arrival rate. This is the rate if you take all messages that can arrive within a day and divide it by 86400 (the number of seconds per day). Let's say you expect 43,200,000 messages per day. That's an average rate of 500 messages per second (mps). Your database server MUST be able to handle that amount of message per second on a sustained rate. If it doesn't, you either need to add an additional server, lower the number of message - or forget about it.

Monday, November 17, 2008

Nice Blog on eLearning Course Design

Although I'm generally ambivalent about the whole idea of eLearning 2.0 Tony Karrer has quite a few practical tips on eLearning design regardless of the version of your eLearning.

I found the breakdown of specific types of users (and the implication that you must design activities for each) quite helpful

Spectator / Joiner / Creator Levels of Participation

One of the best decisions we made early in the design of the course was to define different levels of participation in the course. Here's how we defined it:

Each week we will share new activities that will allow you to explore each of these tools. We recognize that there will be differences in interest, experience and time available for exploration, so these activities will be designed to give you meaningful experiences at different levels:

* The Spectator--These will be exercises or activities that should take approximately 15 minutes to complete. The Spectator level is for people who want just a quick exploration of the tools and minimal interaction.

* The Joiner/Collector--For those who want to delve more deeply into a particular Web 2.0 tool, the Joiner/Collector level will consist of activities that take approximately 30 minutes to complete.

* The Creator--These activities are for people who want to really spend some time exploring and trying out a particular tool or set of tools. The activities will take approximately 75 minutes to complete and will allow you to immerse yourself in the Web 2. 0 experience.


Of course I think this breakdown works if you delete all the references to web 2.0.

And I think these different styles of learning/levels of engagement actually apply to the [Instructor Led] classroom as well.

Sunday, November 16, 2008

VMWare Server 1.08 on Etch-n-Half

Well, my main server (running Ubuntu 8.04LTS) was giving me grief so I switched back to Debian. And I ran across this blog helped out a lot.

I always do a minimal net install and then select nothing with tasksel, so after going into dselect, doing an update, then installing all new packages that showed up, then I installed the following.


build-essential
linux-headers-`uname -r`
libx11-6
libxtst6
libxt6
libxrender1
libxi6
libdb3
psmisc

Is Whitelisting really this lame?

From White Listing - The End of Antivirus?


Some people are talking about a technique called “white listing” as if it were the silver bullet that is going to save the world. It is… in the fantasy worlds. I think I can lay claim to a certain amount of expertise when it comes to white listing. White listing was fundamentally my job at Microsoft for over seven years. My job was to make sure that MS didn’t release or digitally sign any infected code. How did I do that? I used a heck of a lot of………. ok… you guessed it…. antivirus software. Recognizing the shortcomings of signature based detection, I relied upon products, such as NOD32, Norman Virus control, and others to provide heuristics to detect threats that signatures alone cannot protect against. Virtually every Microsoft product went through my labs, and I had to “white list” them before they could be digitally signed or released.

The marketing arm of current white listing companies tout anti-virus as dead and white list as the solution. What they try to hide is that white listing companies would be out of business without antivirus. White listing companies are mega-power users of antivirus software, they can’t get enough of the stuff.

ipt-netflow

Speaking of Netflow, I just ran across ipt-netflow


Very fast and effective Netflow exporting module for Linux kernel. Designed for Linux router with heavy network load. It is iptables module, but not using conntrack for performance reasons.


And from the docs


===========
= RUNNING =
===========

1. You can load module by insmod like this:
# insmod ipt_NETFLOW.ko destination=127.0.0.1:2055 debug=1

Or if properly installed (make install; depmod) by this:
# modprobe ipt_NETFLOW destination=127.0.0.1:2055

See, you may add options in insmod/modprobe command line, or add
them in /etc/ to modules.conf or modprobe.conf like thus:
options ipt_NETFLOW destination=127.0.0.1:2055

2. Statistics is in /proc/net/stat/ipt_netflow
To view slab statistics: grep ipt_netflow /proc/slabinfo

3. You can view parameters and control them via sysctl, example:
# sysctl -w net.netflow.hashsize=32768

4. Example of directing all traffic into module:
# iptables -A FORWARD -j NETFLOW
# iptables -A INPUT -j NETFLOW
# iptables -A OUTPUT -j NETFLOW



Oh if I had a week to kill, to do a complete bakeoff of Linux and BSD user/kernel space implementations.

Saturday, November 15, 2008

Any Netflow probes for OpenBSD 4.4?




So I built a new OpenBSD 4.4 box on real hardware (Optiplex GX-100/128MB) so I could ensure the ratio of end hosts to forwarding devices remains less than one on my home network. The great thing about OpenBSD is they haven't touch the installer in the ten years I've used it and the network install always works like a charm assuming you don't fat finger the mirrors.

Pull down some packages, tweak the pf.conf (but forget to enable IP forwarding in sysctl.conf) fire the last system I built back in 2001 or so (K7 with 1.2GB) and then decided to add netflow. The obvious choice is pfflowd which fails to compile and ports says is broken. Spin my wheels around net/if_pfsync.c, browse the diffs. Hmmm... maybe this is harder, screw up the patch for 4.3 I find from Next (well actually I keep bouncing back and forth) try fprobe

No luck. Probably a pthreads issue, this might actually work, though?

Finally softflowd which compiles and appears to work, but for some weird reason I'm not seeing the traffic on the wire although it is definitely recording flows. Netstat shows it is has bound the sockets but not traffic is being generated. No firewall drops. Try disabling PF, nothing. Routing table fine. 

Weird.

Yet another reason why ramdisk distros rock

From tor-ramdisk


Tor-ramdisk is an i686 uClibc-based micro Linux distribution whose sole purpose is to securely host a Tor server purely in RAM. For those not familiar with Tor, it is a system which allows the user to construct encrypted virtual tunnels which are randomly relayed between Tor servers (nodes) until the connection finally exits to its destination on the internet. The encryption and random relaying resist traffic analysis in that a malicious sniffer cannot easily discover where the traffic is coming from or what data it contains. While not perfect in its efforts to provide users with anonymity, Tor does help protect against unscrupulous companies, individuals or agencies from "watching us". For more information, see the Tor official site.

The usefulness of a RAM only environment for Tor became apparent to me when Janssen was arrested by the German police towards the end of July, 2007. (You can read the full story in a CNET article.) While the police did not seize the computer for whatever reasons, they certainly could have. More typically, it would have been taken for forensic analysis of the data on the drives. Of course, if the computer housing the Tor server has no drives, there can be no question that it is purely a network relaying device and that one should look elsewhere for the "goods".

Friday, November 14, 2008

RealEyes



Sometimes just browsing Freshmeat can lead to some interesting discoveries like tonight I ran across Realeyes


The Realeyes analysis engine is a C library of functions that maintain state information and analysis results about streams of data. Applications may be built on it to search for complex patterns and then output information about the data or even transform it. It has been tested on several Linux distributions but should run on any Unix system.

The first application that has been developed using the library is a network Intrusion Detection System (IDS). It reassembles sessions (including both halves of a TCP session) from live or captured network traffic and analyzes them for patterns.

The detected records are transferred to a database interface and inserted into a PostgreSQL database. The database also maintains configuration information which can be sent to the IDS hosts for dynamic reconfiguration. The database interface can communicate with one or more hosts.

The user interface is a Java application using the Standard Widget Toolkit from the Eclipse project, which has been tested on several Linux distributions and Microsoft Windows. It is used to administer the application as well as to analyze detected network traffic and create reports for supporting a secure environment.

All Realeyes technologies are licensed under GPLv3 and are originally developed on the GNU/Linux v2.6 operating system.


And there is a blog, too -- because everything must have a blog, right?