Sunday, November 30, 2008

Military Industrial Media Complex

From the NYTimes this morning. Not surprising, but still troubling...


Through seven years of war an exclusive club has quietly flourished at the intersection of network news and wartime commerce. Its members, mostly retired generals, have had a foot in both camps as influential network military analysts and defense industry rainmakers. It is a deeply opaque world, a place of privileged access to senior government officials, where war commentary can fit hand in glove with undisclosed commercial interests and network executives are sometimes oblivious to possible conflicts of interest.

Few illustrate the submerged complexities of this world better than Barry McCaffrey.

General McCaffrey, 66, has long been a force in Washington’s power elite. A consummate networker, he cultivated politicians and journalists of all stripes as drug czar in the Clinton cabinet, and his ties run deep to a new generation of generals, some of whom he taught at West Point or commanded in the Persian Gulf war, when he rose to fame leading the “left hook” assault on Iraqi forces.

But it was 9/11 that thrust General McCaffrey to the forefront of the national security debate. In the years since he has made nearly 1,000 appearances on NBC and its cable sisters, delivering crisp sound bites in a blunt, hyperbolic style. He commands up to $25,000 for speeches, his commentary regularly turns up in The Wall Street Journal, and he has been quoted or cited in thousands of news articles, including dozens in The New York Times.

His influence is such that President Bush and Congressional leaders from both parties have invited him for war consultations. His access is such that, despite a contentious relationship with former Defense Secretary Donald H. Rumsfeld, the Pentagon has arranged numerous trips to Iraq, Afghanistan and other hotspots solely for his benefit.

At the same time, General McCaffrey has immersed himself in businesses that have grown with the fight against terrorism.

The consulting company he started after leaving the government in 2001, BR McCaffrey Associates, promises to “build linkages” between government officials and contractors like Defense Solutions for up to $10,000 a month. He has also earned at least $500,000 from his work for Veritas Capital, a private equity firm in New York that has grown into a defense industry powerhouse by buying contractors whose profits soared from the wars in Afghanistan and Iraq. In addition, he is the chairman of HNTB Federal Services, an engineering and construction management company that often competes for national security contracts.

Many retired officers hold a perch in the world of military contracting, but General McCaffrey is among a select few who also command platforms in the news media and as government advisers on military matters. These overlapping roles offer them an array of opportunities to advance policy goals as well as business objectives. But with their business ties left undisclosed, it can be difficult for policy makers and the public to fully understand their interests.

Saturday, November 29, 2008

Drop Dead Simple OpenVPN on OpenBSD 4.4

Like OpenBSD, OpenVPN is something I always end using every couple of years but not often enough to stay fluent with the setup & configuration. Although I don't get into it here, you can do some really cool stuff with bridged mode. We actually used it in the SCADA Honeynet to send traffic to a target PLC. OpenVPN is also an ideal free VPN solution for a small company since it is available on Windows, OSX, and Linux.

After reviewing docs and blog entries since the last time is used it, I found that not only are the too way many howtos out there (when can too much documentation be a bad thing?) many of them are overkill for what I needed and focus on using certificate authentication, when shared key was all I needed. But the Static Key Mini-HOWTO was too simple.

This configuration could be used to provide remote access to a private network over the Internet (or, as the case is here) providing access to the Internet over an insecure wireless network. The OpenVPN server becomes the default route. There is obviously a lot more than you

1. Install on OpenBSD 4.4 (OpenVPN server) via ports (or package if if you lazy)
# cd /usr/ports/net/openvpn && make install
2. Install on Debuntu (client)
# apt-get install openvpn
3. Generate your static key on the server
openvpn --genkey --secret static.key
4. Create Server OpenVPN config (/etc/openvpn/server.conf
dev tun0
port 1234
ifconfig 10.0.0.1 10.0.0.2
secret static.key
ping 15
verb 4

4. Create your PF rules in /etc/pf.conf. The key rules I added were to allow the incoming UDP OpenVPN traffic (port 1234) and to allow all the traffic in on the tun0.
ext_if="xl0"
int_if="rl0"
vpn_if="tun0"
set skip on lo
scrub in
nat on $ext_if from !($ext_if) -> ($ext_if)
block in log
pass out keep state
pass quick on $int_if no state
pass in on $vpn_if keep state
pass in on $ext_if proto udp to ($ext_if) port 1234
pass out proto icmp keep state
pass in proto icmp keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh

5. OpenVPN client config (in /etc/openvpn/openvpn.conf)

Paste over the key to /etc/openvpn/static.key
dev tun0
remote 192.168.1.44
port 1234
nobind
ifconfig 10.0.0.2 10.0.0.1
secret /etc/openvpn/static.key
redirect-gateway def1
ping 15
verb 4

The new option I learned about was "redirect-gateway def1" which adds a default route to the OpenVPN terminating tunnel address (10.0.0.1) so that all non-local traffic gets sent over the tunnel, which is what I want. Obviously this leaves any local traffic unprotected.

mfranz@mfranz-t61:~$ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.0.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.1.100 0.0.0.0 255.255.255.255 UH 0 0 0 venet0
192.168.1.44 192.168.10.254 255.255.255.255 UGH 0 0 0 wlan0
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 vnet0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 wlan0
0.0.0.0 10.0.0.1 128.0.0.0 UG 0 0 0 tun0
128.0.0.0 10.0.0.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.10.254 0.0.0.0 UG 0 0 0 wlan0


6. Startup your server (and add this to rc.local)
openvpn --daemon --config /etc/openvpn/server.conf
When you are testing, obviously don't select the --daemon option

7. Connect with the client
# openvpn --config /etc/openvpn/openvpn.conf

Sat Nov 29 14:47:34 2008 OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Jun 11 2008
Sat Nov 29 14:47:34 2008 /usr/sbin/openvpn-vulnkey -q /etc/openvpn/static.key
Sat Nov 29 14:47:34 2008 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 29 14:47:34 2008 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 29 14:47:34 2008 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 29 14:47:34 2008 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 29 14:47:34 2008 TUN/TAP device tun0 opened
Sat Nov 29 14:47:34 2008 ifconfig tun0 10.0.0.2 pointopoint 10.0.0.1 mtu 1500
Sat Nov 29 14:47:34 2008 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:4 ET:0 EL:0 ]
Sat Nov 29 14:47:34 2008 Local Options hash (VER=V4): '5c3fe1ab'
Sat Nov 29 14:47:34 2008 Expected Remote Options hash (VER=V4): '522471df'
Sat Nov 29 14:47:34 2008 UDPv4 link local: [undef]
Sat Nov 29 14:47:34 2008 UDPv4 link remote: 192.168.1.44:1234
Sat Nov 29 14:47:44 2008 Peer Connection Initiated with 192.168.1.44:1234
Sat Nov 29 14:47:46 2008 Initialization Sequence Completed

Friday, November 28, 2008

Cloud Wars, Russia/China v. DoD, Digital Pearl Harbor's and other things that don't keep me up at night




Elasticvapor is hyperventilating about the latest cyberattacks (what is it about the term "cyber" that makes me bilious)
This current attack on the DoD is a relatively minor diversion in comparison to what a full out, planned network centric attack could actually do. Think about the potential fall out if the US electrical grid, cell / phone network and financial infrastructure was to be attacked in unison and taken offline all at once. Combine that with if it were to happen during the midst of an actual "crisis" such as what we're currently seeing in India this week. The turmoil would be unprecedented.

Nod. Been there done that, why nail assets from other critical infrastructure sectors (air, rail, chemical, various pipeline) while you are at it? A threat-modeler's wet-dream.

Yep, the more things change the more they stay the same -- like Richard Clarke's Digital Pearl Harbor (yeah you read that right, that is from 2000)
On coming to office, the next president will find that several nations have created information-warfare units, Clarke said.

"These organizations are creating technology to bring down computer networks. Some are doing reconnaissance today on our networks, mapping them," he said.
The horror, the horror andt here is some other good stuff from pre-9/11 days when (if you believe Vmyths) there was too much focus on Cyber and not enough on physical.
Another way to improve security throughout the Internet is to create secure lines of communication between the technology industry and the government, Clarke said. That way, they could share information about hackers and viruses without worrying about the public learning about it.

Others at the conference expressed the same notion. Harris Miller, president of the Information Technology Association of America, said that a nonprofit organization of 18 companies would be created early next year to share information.
That wouldn't be the genesis for those pesky little ISACs we keep hearing about.

Speaking of public information if you look at the latest press on the attacks against DoD. you'll see the typical meaningless say-nothing article (with a few juicy-sounding leaks from DoD employees) that undermine the credibility of the whole story and reinforce how little is known in the open press. Channeling Rumsfeld (are these known unknowns or unknown knowns?), here are all things that are not known by defense officials:

From LA Times
The defense official said the military also had not learned whether the software's designers may have been specifically targeting computers used by troops in Afghanistan and Iraq.

Military electronics experts have not pinpointed the source or motive of the attack and could not say whether the destructive program was created by an individual hacker or whether the Russian government may have had some involvement. Defense experts may never be able to answer such questions, officials said.

Officials would not describe the exact threat from agent.btz, or say whether it could shut down computers or steal information. Some computer experts have reported that agent.btz can allow an attacker to take control of a computer remotely and to take files and other information from it.

Or maybe, despite the headlines, it is not a cyberattack at all?

So, to distill what is available in public news sources:
  • It might (or might not) be W32/Agent.BTZ (hence, the USB angle) which has been around for months
  • Central Command networks have been infected and perhaps others, possibly to gather information about logistical systems
  • Both China and Russia are mentioned with no direct evidence of their involvement
  • Portable storage devices were banned on 17 Novemeber
Yeah I'm a hell of a lot more worried about the link between breastfeeding and peanut allergies that any of this stuff. Note to self: don't accidentally give the peanut butter-filled Nilla wafers your 5 your old didn't eat to your 11 month old.

Update: Dave Lewis also mentions the article, so it must be serious ;)

Wednesday, November 26, 2008

Yeah, one wonders...

Joe summarizes his impressions on the CSI SCADA/Control Systems Summit

There were 19 attendees. The session was disappointing as there were no attendees with control system experience – it was an IT audience. Consequently, the discussions focused on securing Windows. However, it was so focused on traditional on IT experience that when an example was provided of actual control system field implementations (older, unpatchable Windows systems that cannot be replaced), it caught the attendees off-guard and they didn’t know what to do. They were not expecting that unintentional threats are critical to securing control systems. When discussions focused on what security control system vendors are providing (HMI and field devices), the attendees did not understand why security was not a primary design criteria or the difficulties in implementing secure control systems. There was also little knowledge of the control systems standards organizations and why IT standards were not directly applicable. I realize this may not be a typical representation of IT personnel working on control system cyber security, however, one wonders how much progress actually has been achieved in understanding the unique issues of control system cyber security.
Say it ain't so Joe!

It would be interesting to see the attendee list to see just who these "IT" people were.

But rhetorically (meaning how you would want to win the argument or get your point across) it doesn't make sense for those in the control systems security community (if in fact they want to be taken seriously) to continually dismiss "IT" (which basically means anything that is not control systems) as irrelevant and complain about "IT's" ignorance "SCADA Security" standards efforts.

To put it more bluntly, imagine if you walked into a meeting trying to engage in dialog with folks that consider themselves experts on a given topic. If the first thing you do is tell everyone in the room is full of shit and what they do know is not relevant to the problem at hand, how can you expect to be taken seriously?

Tuesday, November 25, 2008

Sophocles, Soldiers, PTSD

Heard In Ancient Dramas, Vital Words For Today's Warriors on NPR this evening:


It's a three-day gathering designed to help military personnel — from enlisted men and women to generals — deal with war's emotional toll.

Brig. Gen. Loree Sutton, who runs the Pentagon division behind the conference, says that despite the graphic horrors depicted in Sophocles' tragedies, today's warriors can find comfort in them.

The plays can reassure a soldier, she says, "that I am not alone, that I am not going crazy, that I am joined by the ages of warriors and their loved ones who've gone before me, and who have done what most in society have no idea our warriors do."

Saturday, November 22, 2008

Qore: your new webappsec buddy?

Now I don't do webappsec anymore but if I did, I would I would investigate qore.

Why?

The areas Qore targets are interfacing, database integration, threading (and SMP scalability) and embedding (and arbitrarily restricting) code. Qore is also a dynamically-typed language to facilitate rapid prototyping and development (particularly regarding agile programming, disposable interfaces, etc). To my knowledge there is no other programming language with this design focus.

You can get a feeling for this aspect of Qore's design when programming with Qore's database-independent DBI infrastructure (through the Datasource and DatasourcePool classes), Qore's XML and JSON integration (where XML and JSON strings and qore data structures can be converted from one to the other), easy use of the Socket class and classes provided by modules providing messaging integration, etc.


It is a bit too Perlish for my taste (damn you semi-colons!) but it looks sort of interesting and I'll probably play around with it.

root@ubuntu-ve804:~# qore --version
QORE for Linux unknown (32-bit build), Copyright (C) 2003 - 2008 David Nichols
version 0.7.1-2304 (builtin features: sql, threads, xml, debug)
module API: 0.5
build host: Linux localhost 2.6.24-21-openvz #1 SMP Wed Oct 22 02:50:53 UTC 20
08 i686 GNU/Linux
C++ compiler: g++
CFLAGS: -I/usr/include/libxml2 -D_GNU_SOURCE -D_QORE_LIB_INTERN -DMODULE_DIR="
/usr/local/lib/qore-modules" -g -g -m32 -D_THREAD_SAFE -Wall -lm
LDFLAGS: -lz -lpcre -lxml2 -lbz2 -lssl -lcrypto -g -lm
this build has options:
OPTION atomic operations = true
OPTION stack guard = true
OPTION library debugging = true
OPTION runtime stack tracing = true
ALGORITHM openssl sha224 = true
ALGORITHM openssl sha256 = true
ALGORITHM openssl sha384 = true
ALGORITHM openssl sha512 = true
ALGORITHM openssl mdc2 = false
ALGORITHM openssl rc5 = false
FUNCTION round() = true
FUNCTION timegm() = true
FUNCTION seteuid() = true
FUNCTION setegid() = true
FUNCTION parseXMLWithSchema() = true

Friday, November 21, 2008

Hoff's PDP Proxy

It is good somebody else finds GNUCITIZEN content annoying because (much like following SCADASEC) I certainly lack the self restraint to avoid writing snarky blog posts like this one.

The power of the real American network



Some patriotic Americans at Verizon was keeping tabs on our Marxist, Socialist, Terrorist, Muslim President Elect, according to CNN


Records from a cell phone used by President-elect Obama were improperly breached, apparently by employees of the cell phone company, Verizon Wireless said Thursday.
An Obama spokesman said the transition team was told Verizon Wireless workers looked through billing records.

An Obama spokesman said the transition team was told Verizon Wireless workers looked through billing records.

"This week we learned that a number of Verizon Wireless employees have, without authorization, accessed and viewed President-Elect Barack Obama's personal cell phone account," Lowell McAdam, Verizon Wireless president and CEO, said in a statement.

Wednesday, November 19, 2008

Literally Marinating in Vulnerabilities

Gunnar Peterson has an interesting blog which reflects his "asset focus", which I think is on target.

Money quote from The Economics of Finding and Fixing Vulnerabilities in Distributed Systems


Why does a talk on finding and fixing vulnerabilities start with valuing assets? The reason is that vulnerabilities are everywhere, we are literally marinating in them. Interesting vulnerabilities are attached to high value assets. In a world that quite literally presents us with too much information, we need screens to sift out what is worth paying attention to. You can run your vulnerability assessment tool of choice on your system, and come back with hundreds or thousands of vulnerabilities, but which ones should you pay attention to and act on? The first part of answering this question is asset value.

Those crisp Lincolnshire mornings

We've had snow (sort of) these last few days and I got out my warm "Chicago" coat this morning. There is a hint of dawn on the horizon. Different. Definitely. East on I-70 as the sun goes up and West as it sets. Just as before, only at home in darkness.

I forgot how refreshing the cold is. And as beautiful as the still-night sky is this morning, the moon stiill out and the last few stars, as I go warm up my car (the true thermometer, it is not really cold until your car is hard to start) I can't help but think of all those crisp blue mornings driving North on the Edens, across the spur, through the trees of Riverwoods. The jet contrails into ORD. The frozen swamps of Lake County, feet and feet and snow, the frozen lake (was it a quarry lake) and all the Canadian goose shit on stomped down sidewalks on the Hewitt campus. Bigger than you would think.

Happy times. Sad times. Mood swings. Meds changes. Mania.

Once again we approach Thanksgiving and the dreaded Equinox.

Pinned by chemistry and angle of the sun.

The more things change the more they stay the same.

It is a Frost morning


They cannot scare me with their empty spaces
Between stars--on stars where no human race is.
I have it in me so much nearer home
To scare myself with my own desert places.

Tuesday, November 18, 2008

rsyslog vs. syslog-ng

I really like syslog-ng, but I just ran across rsyslog tonight. It built on Debian 4.0 (failed on OpenBSD 4.4) but I didn't get it running yet. Will give it a try.

Rsyslog is an enhanced multi-threaded syslogd. Among others, it offers support for on-demand disk buffering, reliable syslog over TCP, SSL, TLS, and RELP, writing to databases (MySQL, PostgreSQL, Oracle, and many more), email alerting, fully configurable output formats (including high-precision timestamps), the ability to filter on any part of the syslog message, on-the-wire message compression, and the ability to convert text files to syslog. It is a drop-in replacement for stock syslogd and able to work with the same configuration file syntax.



I could care less about TLS Encrypted syslog but some of the other features like Handling a massive syslog database insert rate with Rsyslog look sort of interesting.

Database updates are inherently slow when it comes to storing syslog messages. However, there are a number of applications where it is handy to have the message inside a database. Rsyslog supports native database writing via output plugins. As of this writing, there are plugins available for MySQL an PostgreSQL. Maybe additional plugins have become available by the time you read this. Be sure to check.

In order to successfully write messages to a database backend, the backend must be capable to record messages at the expected average arrival rate. This is the rate if you take all messages that can arrive within a day and divide it by 86400 (the number of seconds per day). Let's say you expect 43,200,000 messages per day. That's an average rate of 500 messages per second (mps). Your database server MUST be able to handle that amount of message per second on a sustained rate. If it doesn't, you either need to add an additional server, lower the number of message - or forget about it.

Monday, November 17, 2008

Nice Blog on eLearning Course Design

Although I'm generally ambivalent about the whole idea of eLearning 2.0 Tony Karrer has quite a few practical tips on eLearning design regardless of the version of your eLearning.

I found the breakdown of specific types of users (and the implication that you must design activities for each) quite helpful

Spectator / Joiner / Creator Levels of Participation

One of the best decisions we made early in the design of the course was to define different levels of participation in the course. Here's how we defined it:

Each week we will share new activities that will allow you to explore each of these tools. We recognize that there will be differences in interest, experience and time available for exploration, so these activities will be designed to give you meaningful experiences at different levels:

* The Spectator--These will be exercises or activities that should take approximately 15 minutes to complete. The Spectator level is for people who want just a quick exploration of the tools and minimal interaction.

* The Joiner/Collector--For those who want to delve more deeply into a particular Web 2.0 tool, the Joiner/Collector level will consist of activities that take approximately 30 minutes to complete.

* The Creator--These activities are for people who want to really spend some time exploring and trying out a particular tool or set of tools. The activities will take approximately 75 minutes to complete and will allow you to immerse yourself in the Web 2. 0 experience.


Of course I think this breakdown works if you delete all the references to web 2.0.

And I think these different styles of learning/levels of engagement actually apply to the [Instructor Led] classroom as well.

Sunday, November 16, 2008

VMWare Server 1.08 on Etch-n-Half

Well, my main server (running Ubuntu 8.04LTS) was giving me grief so I switched back to Debian. And I ran across this blog helped out a lot.

I always do a minimal net install and then select nothing with tasksel, so after going into dselect, doing an update, then installing all new packages that showed up, then I installed the following.


build-essential
linux-headers-`uname -r`
libx11-6
libxtst6
libxt6
libxrender1
libxi6
libdb3
psmisc

Is Whitelisting really this lame?

From White Listing - The End of Antivirus?


Some people are talking about a technique called “white listing” as if it were the silver bullet that is going to save the world. It is… in the fantasy worlds. I think I can lay claim to a certain amount of expertise when it comes to white listing. White listing was fundamentally my job at Microsoft for over seven years. My job was to make sure that MS didn’t release or digitally sign any infected code. How did I do that? I used a heck of a lot of………. ok… you guessed it…. antivirus software. Recognizing the shortcomings of signature based detection, I relied upon products, such as NOD32, Norman Virus control, and others to provide heuristics to detect threats that signatures alone cannot protect against. Virtually every Microsoft product went through my labs, and I had to “white list” them before they could be digitally signed or released.

The marketing arm of current white listing companies tout anti-virus as dead and white list as the solution. What they try to hide is that white listing companies would be out of business without antivirus. White listing companies are mega-power users of antivirus software, they can’t get enough of the stuff.

ipt-netflow

Speaking of Netflow, I just ran across ipt-netflow


Very fast and effective Netflow exporting module for Linux kernel. Designed for Linux router with heavy network load. It is iptables module, but not using conntrack for performance reasons.


And from the docs


===========
= RUNNING =
===========

1. You can load module by insmod like this:
# insmod ipt_NETFLOW.ko destination=127.0.0.1:2055 debug=1

Or if properly installed (make install; depmod) by this:
# modprobe ipt_NETFLOW destination=127.0.0.1:2055

See, you may add options in insmod/modprobe command line, or add
them in /etc/ to modules.conf or modprobe.conf like thus:
options ipt_NETFLOW destination=127.0.0.1:2055

2. Statistics is in /proc/net/stat/ipt_netflow
To view slab statistics: grep ipt_netflow /proc/slabinfo

3. You can view parameters and control them via sysctl, example:
# sysctl -w net.netflow.hashsize=32768

4. Example of directing all traffic into module:
# iptables -A FORWARD -j NETFLOW
# iptables -A INPUT -j NETFLOW
# iptables -A OUTPUT -j NETFLOW



Oh if I had a week to kill, to do a complete bakeoff of Linux and BSD user/kernel space implementations.

Saturday, November 15, 2008

Any Netflow probes for OpenBSD 4.4?




So I built a new OpenBSD 4.4 box on real hardware (Optiplex GX-100/128MB) so I could ensure the ratio of end hosts to forwarding devices remains less than one on my home network. The great thing about OpenBSD is they haven't touch the installer in the ten years I've used it and the network install always works like a charm assuming you don't fat finger the mirrors.

Pull down some packages, tweak the pf.conf (but forget to enable IP forwarding in sysctl.conf) fire the last system I built back in 2001 or so (K7 with 1.2GB) and then decided to add netflow. The obvious choice is pfflowd which fails to compile and ports says is broken. Spin my wheels around net/if_pfsync.c, browse the diffs. Hmmm... maybe this is harder, screw up the patch for 4.3 I find from Next (well actually I keep bouncing back and forth) try fprobe

No luck. Probably a pthreads issue, this might actually work, though?

Finally softflowd which compiles and appears to work, but for some weird reason I'm not seeing the traffic on the wire although it is definitely recording flows. Netstat shows it is has bound the sockets but not traffic is being generated. No firewall drops. Try disabling PF, nothing. Routing table fine. 

Weird.

Yet another reason why ramdisk distros rock

From tor-ramdisk


Tor-ramdisk is an i686 uClibc-based micro Linux distribution whose sole purpose is to securely host a Tor server purely in RAM. For those not familiar with Tor, it is a system which allows the user to construct encrypted virtual tunnels which are randomly relayed between Tor servers (nodes) until the connection finally exits to its destination on the internet. The encryption and random relaying resist traffic analysis in that a malicious sniffer cannot easily discover where the traffic is coming from or what data it contains. While not perfect in its efforts to provide users with anonymity, Tor does help protect against unscrupulous companies, individuals or agencies from "watching us". For more information, see the Tor official site.

The usefulness of a RAM only environment for Tor became apparent to me when Janssen was arrested by the German police towards the end of July, 2007. (You can read the full story in a CNET article.) While the police did not seize the computer for whatever reasons, they certainly could have. More typically, it would have been taken for forensic analysis of the data on the drives. Of course, if the computer housing the Tor server has no drives, there can be no question that it is purely a network relaying device and that one should look elsewhere for the "goods".

Friday, November 14, 2008

RealEyes



Sometimes just browsing Freshmeat can lead to some interesting discoveries like tonight I ran across Realeyes


The Realeyes analysis engine is a C library of functions that maintain state information and analysis results about streams of data. Applications may be built on it to search for complex patterns and then output information about the data or even transform it. It has been tested on several Linux distributions but should run on any Unix system.

The first application that has been developed using the library is a network Intrusion Detection System (IDS). It reassembles sessions (including both halves of a TCP session) from live or captured network traffic and analyzes them for patterns.

The detected records are transferred to a database interface and inserted into a PostgreSQL database. The database also maintains configuration information which can be sent to the IDS hosts for dynamic reconfiguration. The database interface can communicate with one or more hosts.

The user interface is a Java application using the Standard Widget Toolkit from the Eclipse project, which has been tested on several Linux distributions and Microsoft Windows. It is used to administer the application as well as to analyze detected network traffic and create reports for supporting a secure environment.

All Realeyes technologies are licensed under GPLv3 and are originally developed on the GNU/Linux v2.6 operating system.


And there is a blog, too -- because everything must have a blog, right?

Sunday, November 09, 2008

Kiosk Mode, or why are all the cool Linux security tools on Fedora?

It's not that I have anything against Fedora, but for some reason I've never used it much, but I'm thinking I should wipe OpenSuSE on my 2nd partition and add Fedora (8 or 9?) because there seems to be a lot going on there. The most recent example is Fedora Kiosk Mode which is built on xguest and Linux namespaces (how many times can you say polyinstantiation?) GNOME Sabayon and SELinux of course to create "highly secure" (or at very least restricted environments) for public environments such as classrooms or public information kiosks. Cool stuff.

HT: James Morris

Saturday, November 08, 2008

Linux Auditing Tool Showdown: sectool v. ProShield




So I ran across ProShield on Complete Dose of Linux Poison and I was expecting good things by the writeup, but when I peeked inside the .deb I was shocked to see a 1000+ line shell script. Got a new test? Just tack in on the end of a monolithic script.

The horror. The horror.

Unless you are writing system startup scripts there is no reason anything should be written in shell that is longer than 10-20 lines.

(Having had to maintain thousands of lines of shell/sed/awk scripts that somebody else wrote.)

On the other hand sectool (which doesn't work out of the box with Ubuntu/Debian) does have some potential not only because it is written in a post-1970s scripting language (Python) but has a framework-plugin architecture where where individual test cases can be written in shell or Python.

Of course a limitation of both of these is that must be run locally to get results (I assume) making it very difficult to scan large numbers of systems -- unlike what you can do with Nessus compliance checks for UNIX.

Friday, November 07, 2008

Why Manual Whitelisting works for Kids



As I've blogged previously a few times, I use squid with a simple white list

acl goodsites dstdomain "/etc/squid/goodsites"
http_access allow goodsites our_networks

for blocking access to my kids subnet. I have a very small list of sites, mostly .gov, because after all the government would never post anything inappropriate right?

(I initially allowed the entire TLD but my son started looking up crime statistics on the FBI web site, so made it more restrictive.)

My son has spent hours on the NASA sight downloading pictures, adding them to his GNOME backgrounds (yes his desktop is Ubuntu) editing them with gimp, creating OpenOffice presentations and during hurricane Ike I added weather.com so he's become obsessed with weather. but I was looking for something new.

My wife suggested adding one site at a time so he could take his time with each site.

One of the really cool things about the national geographic website is that topic areas have distinct hostnames, so I could be more granular in terms of blocking access.


1226102204.230 54 192.168.10.33 TCP_MISS/200 735 GET http://science.nationalgeographic.com/staticfiles/NGS/Science/SiteAssets/img/backgrounds/fact-486-footer.gif - DIRECT/208.59.201.138 image/gif
1226102204.253 73 192.168.10.33 TCP_MISS/200 521 GET http://science.nationalgeographic.com/staticfiles/NGS/Science/SiteAssets/img/backgrounds/feature-486-body.gif - DIRECT/208.59.201.138 image/gif
1226102204.268 81 192.168.10.33 TCP_MISS/200 686 GET http://science.nationalgeographic.com/staticfiles/NGS/Science/SiteAssets/img/backgrounds/feature-486-footer.gif - DIRECT/208.59.201.137 image/gif
1226102204.438 170 192.168.10.33 TCP_MISS/200 1276 GET http://science.nationalgeographic.com/staticfiles/NGS/Global/ApplicationAssets/flash/dl-loader.swf - DIRECT/208.59.201.137 application/x-shockwave-flash


There is actually a pretty good music there, too. Lot's of world music My son is playing the Ben Harper song above over and over again.

What he doesn't remember is that he listened to a lot of Ben Harper on KGSR back in Austin. That and a lot of Lucinda Williams.

Good stuff. Good times.

Serial Console on Newer Ubuntu Systems

This is another one of those boring reference blog posts on things you don't do very often so you forget how to do them.

Starting with Edgy, Ubuntu uses upstart instead of good old init so you no longer use /etc/inittab to enable serial consoles.

See SerialConsoleHowto for details, but basically what basically what you do is create a file in /etc/event.d for all the devices you want to spawn a getty on.


root@cm1208:/etc/event.d# ls
control-alt-delete rc1 rc4 rc-default sulogin tty3 tty6
logd rc2 rc5 rcS tty1 tty4 ttyS0
rc0 rc3 rc6 rcS-sulogin tty2 tty5
root@cm1208:/etc/event.d#


Looking inside ttyS0

# ttyS0 - getty
#
# This service maintains a getty on ttyS0 from the point the system is
# started until it is shut down again.

start on runlevel 2
start on runlevel 3
start on runlevel 4
start on runlevel 5

stop on runlevel 0
stop on runlevel 1
stop on runlevel 6

respawn
exec /sbin/getty 115200 ttyS0


and you can see the process running


root@cm1208:~# ps aux | grep ttyS0
root 547 0.0 0.0 3004 756 pts/2 R+ 09:40 0:00 grep ttyS0
root 4239 0.0 0.0 1716 512 ttyS0 Ss+ Oct23 0:00 /sbin/getty 115200 ttyS0

Thursday, November 06, 2008

Web 2.0 Security You Can't Believe In

From Obama, McCain campaigns' computers hacked for policy data.

Obama is PHP (the horror, the horror). McCain in ASP.


As described by a Newsweek reporter with special access while working on a post-campaign special, workers in Obama's headquarters first detected what they thought was a computer virus that was trying to obtain users' personal information.

The next day, agents from the FBI and Secret Service came to the office and said, "You have a problem way bigger than what you understand ... you have been compromised, and a serious amount of files have been loaded off your system."

One of the sources told CNN the hacking into the McCain campaign computers occurred around the same time as the breach into those of Obama's campaign.

Representatives of the campaigns could not be reached for comment on the matter

As Sarah Palin would say: Thanks but No Thanks (for the GE Fanuc Exploit)



Although I thought about the feasibility of SCADA metasploit modules for the ICCP vulns (VU#190617 and others) I discovered back in 2006 but I didn't write the GE Fanuc Exploit on milw0rm.com

And truth be told (hanging my head in shame) I've never actually written an exploit for any of the vulns I've discovered and I don't do vuln work anymore.

I've been clean for almost 2 years now.

But these are amusing. Must have struck a nerve.


proxy.writeFile('franzshell.jsp', Rex::Text.encode_base64(jspshell,''),false)
sock.put("GET /infoAgentSrv/franzshell.jsp?cmd=c:\\blogfranz.exe HTTP/1.0\r\n\r\n")

This module exploits an API flaw in GE Fanuc SCADA software

'Author' => [ 'Matthew Franz ' ],
'Version' => '$Revision: 20081031 $',
'References' =>
['CVE', '2008-0175'],
['URL', 'http://support.gefanuc.com/support/index?page=kbchannel&id=KB12460'],
['URL', 'http://www.tenablesecurity.com/training/'],
['URL', 'http://blogfranz.blogspot.com/'],

I was wondering why I saw an increase in referrals from milw0rm.com and why someone asked me if I wrote an exploit. But of course I was too busy worrying about the election to care.

Tuesday, November 04, 2008

Mac was Back!

Apart from the booing goons in the crowd, I must say McCain did an awesome job tonight. Natural and authentic, no longer strained like the past few weeks and months. Remembering Gore's concession in 2000, what is it about concession speeches that are so flattering?

Almost makes me wish I was back in Chicago

See the slideshow from Grant Park and the live footage on MSNBC.

MSNBC: It's over

Ohio, New Mexico. And now the red states start flipping.

Yes We Can!

Monday, November 03, 2008

CyberSecurity Change you can believe in?

From Partnering for Cyberspace Security (Washington Post, 11/3/08)


By Walter Pincus
Monday, November 3, 2008; Page A19

In two recent speeches that have attracted little notice, Donald Kerr, principal deputy director of national intelligence, has called for a radical new relationship between government and the private sector to counter what he called the "malicious activity in cyberspace [that] is a growing threat to everyone."

Kerr said the most serious challenge to the nation's economy and security is protecting the intellectual property of government and the private sector that is the basis for advancements in science and technology.

"I have a deep concern . . . that the intelligence community has still not properly aligned its response to what I would call this period of amazing innovation -- the 'technological Wild West' -- by grasping the full range of opportunities and threats that technology provides to us," he said at the annual symposium of the Association for Intelligence Officers on Oct. 24.


Wild West? I though the late 90s were the Wild West?

Sunday, November 02, 2008

Ground Game Reports Start to Trickle In

Good stuff from Ben Smith


I am 60 year-old white Republican for my whole life. I am a Vietnam combat veteran who has never voted Democratic before. I will vote for Obama Tuesday.

I am tired of politics as usual and am willing to take chance a on him. I believe he is sincere and has a good heart. I also have been impressed with his steadfastness during the economic crisis. He may be one of the most intelligent people I have ever heard. I have told no one I am voting for him, instead evading the question. I believe there are many like me.

I have not had one McCain visitor at my house, but have had 15 separate visitors for Obama. I counted them with a pad on my refrigerator.


Go Obamacons! There have to be a lot more like this, that want some intelligence in the White House for a change, who see the writing on the wall.

I'm talking small-government, NRA-life member, military types.

And then there was this interesting one


Interesting anecdote and probably a testament to ground organization. I have no idea what this means. Friday night (which happens to be the start of our Sabbath) my wife answered the phone to hear a man stating he was from the McCain-Palin campaign. He asked who she was supporting. She replied that we will vote for Obama. He replied with "but he's a f-----g n---er!". Before I get to my wife's response I'll first have to say that I understand desperation and I also understand that this pitch may actually work for a few people. I also understand that there are people who are whack-jobs phone-banking for both sides. But here are some facts:

My wife and I are Black. Citing the fact that Obama is a f----g n---er as a way to sway our vote may not be a great idea. My wife and I live in Maryland... Baltimore, MD.... One of the most African American areas of Baltimore Maryland. How on earth did our phone numbers get on to a McCain volunteers phone bank list of potential voters to be calling at this stage in the game? We have never received a call from the Obama campaign.

Just weird. Not sure what to make of it... but that's not a good sign of organization. If it did anything it made us want to donate more. BTW, the rest of the call went downhill from there. My wife prayed for forgiveness after the call.

Besides Blogging Yesterday!

From oct-nov-leaves-2008

Saturday, November 01, 2008

SELinux and a Xen Vuln (CVE-2008-1943) Adventure

Given products like VM Fortess and the SVirt project I ran across today, I've been curious about the impact of application sandboxing/mandatory access control regimes against attacks against/using VMs.

Luckily, I happened to run across Adventures with a certain Xen vulnerability (in the PVFB backend). Now I don't claim to be able to understand even 20% of this paper, but I was pleased to see the impact of SELinux on the attack against dom0. Very cool. Plus, unlike so much vuln work it talks about the limitations of exploits and avoids all the media whoring that tends to characterize so much vuln work these days and turns me off.


Using the above guidelines, the exploit has been built. When SELinux was in permissive mode, it worked properly, handing out a connect-back root shell. However, an unsettling message was logged:

SELinux is preventing /usr/lib/xen/bin/qemu-dm (xend_t) "execmem"

And indeed, the exploit failed when SELinux was in enforcing mode. It turns out that by default the ability to map anonymous memory with rwx protection is denied by SELinux.

Thus, the call to mmap in the return-into-libc from the previous subsection failed.

There are workarounds for "execmem" protection, dutifully explained in, but I did not nd any le that can be opened with write permission and executed in xend t domain6. So, a less ecient return-into-libc payload has been created that does not use mmap. It returns into PLT entry for execv. The arguments for execv must be rebuilt at a xed address. Using repetitive returns into "assign %eax from the stack; ret" and "stosl; ret" (these sequences must be present in the qemu-dm binary) it is possible to create a payload of size const+4*length of execv arguments.

Please let this be true

A Palin prank call?


MONTREAL — A Quebec comedy duo notorious for prank calls to celebrities and heads of state has reached Sarah Palin, convincing the Republican vice-presidential nominee she was speaking with French President Nicolas Sarkozy.

In the interview, which lasts about six minutes, Palin and the pranksters discuss politics, pundits, and the dangers of hunting with current vice-president Dick Cheney.

The Masked Avengers, who have a regular show on Montreal radio station CKOI, intend to air the full interview on the eve of the U.S. elections.

The well-known duo of Sebastien Trudel and Marc-Antoine Audette have also tricked Rolling Stones singer Mick Jagger, Microsoft founder Bill Gates and French president Jacques Chirac.

The call to Chirac was rated by the BBC as one of the top 30 best moments in radio history of all time.


Tip: Ben Smith


The audio is at http://www.tindeck.com/audio/filestore/w/wwdo-SarahPalin.mp3.

Let's hope it isn't malware.

Please let this be true

A Palin prank call?


MONTREAL — A Quebec comedy duo notorious for prank calls to celebrities and heads of state has reached Sarah Palin, convincing the Republican vice-presidential nominee she was speaking with French President Nicolas Sarkozy.

In the interview, which lasts about six minutes, Palin and the pranksters discuss politics, pundits, and the dangers of hunting with current vice-president Dick Cheney.

The Masked Avengers, who have a regular show on Montreal radio station CKOI, intend to air the full interview on the eve of the U.S. elections.

The well-known duo of Sebastien Trudel and Marc-Antoine Audette have also tricked Rolling Stones singer Mick Jagger, Microsoft founder Bill Gates and French president Jacques Chirac.

The call to Chirac was rated by the BBC as one of the top 30 best moments in radio history of all time.


Tip: Ben Smith

Palin's Closing Counterfactuals

So how many in that crowd of Florida actually bring home a quarter mil?

Socialism, as in nationalizing the banks and federalizing the auto industry socialism?

Nah, we don't want to "experiment" with that. And the less that is said about J-the-P the better.



Tuesday can't come soon enough.

Dole's ^H^H^H^H^H McCain's Closing Argument

As one of my faithful readers (a Romney supporter, IIRC) predicted when McCain won New Hampshire. Romney is looking pretty good right now, given the selection of Palin. Oh well, hindsight is 20/20.



Let's hope the results are the same as '96, since Sarah Palin is no Jack Kemp.

Good Recent Paper to Get Up to Speed on SELinux

James Morris (of RedHat) has one of the better papers seen so far, Have you driven an SELinux lately?.

Among the areas for future work, he defines:

*Continued extension of SELinux architecture to the
desktop infrastructure and major applications. The
Imsep work mentioned in section 10.1 looks to be a
promising model for general separation of security
domains within applications.
• Working with the IETF to standardize Labeled
NFS, and with the Linux community to have it accepted
into the mainline kernel.
• Ongoing performance improvement, and efforts to
further reduce the memory footprint of SELinux.
• Further simplification of policy, perhaps through
the development of a higher-level policy language
with idioms more familiar to Linux administrators.
• Support for more virtualization models, including
Linux as hypervisor (e.g. KVM) and containers.
• Improved support for third party distribution of
policy modules, such as the case of cross-building
RPMs on systems with a conflicting host policy.
Continued usability improvements for end users,
administrators and developers.
• Better documentation.

Tom Peters on Obama

From Caught in the Act.

Not a lot that you haven't heard before but some reasons (or at least how he articulated them) that stand out

among other things our major problems are likely to be with us for decades—and cannot primarily be dealt with by aircraft carrier superiority, a tough thing for a true blue Navy man to admit. I believe Mr Obama meets the Churchillian standard of "jaw jaw beats war war." I am fearful of Mr McCain's bellicosity and perhaps some volatility.


and


Though I am an avowed supporter of undiluted capitalism (my faith, like Mr Greenspan's, is being sorely tested), I believe that the growing inequity in America is a clear and present danger of the first order. As Mr Buffett said, and I paraphrase, "There's a problem when my secretary has a higher marginal tax rate than I do."


and


I think the time has come to pass the torch to the next generation, and I believe Mr Obama would be an excellent symbol of a new generation of leader. (I think Mr McCain has the haggard look of yesterday, and is, like myself, advertised to be a cranky old man. Age matters—take it from me, and feel free to wish me "happy 66th" on 7 November.)