Friday, April 29, 2005

Encryption: Enigmail for Mozilla Thunderbird

Enigmail is an extension for Mozilla Thunderbird that will allow integration with the GnuPG encryption utility. This is a very useful tool that features key management, email signing, and encryption of email. I heartily recommend this extension to anyone who uses Thunderbird.

While installing Enigmail for Mozilla Thunderbird, I had some difficulty getting the extension installed. I would open the extensions dialogue and select the xpi file from my desktop and nothing would happen. I have not had to install the windows version for such a long time that I forgot that I had to perform the install as an Administrator account before I install it as a Limited-Access User Account. I don't agree with the way that this system works, as it means that the application is too closely coupled with the system registry and affects more than my single user when I install this extension. If this extension requires Administrator privileges to install, why doesn't it install for every user on the system when I do perform the Admin install?

Wednesday, April 27, 2005

Security Principle: Separation of Privilege

There is an excellent article on Securityfocus.com by Daniel Hanson that talks about the downfall of running any system as an administrative account. Daniel makes an excellent reference to the Linspire way of doing things, which follows Microsoft and runs all users as root. As Daniel so eloquently points out, running as root is like putting all of your vegetables in the same pile -- if one of them begins to rot, the rest will most likely begin rotting and you will have no more vegetables left. On the other hand, if you put restrictions on your users and run with Least-privilege User Access, you will be able to maintain the integrity of your system. One of the fundamental elements of Information Security is integrity (CIA) -- which is making sure that your data is the same now as when you put it there. If you run all of your users as root, or even you run as root as you surf the web and check your email, you run a significant risk of losing control of the integrity of your data.

It is always easier to run as root until you lose some data. This can be compared to the person who doesn't believe they need to backup their data -- they will quickly change their mind after they lose critical data (although some people never do learn and that idea must be applied here). If Linspire has to go through the same maturity lesson that Microsoft has gone through then it will be a stain on the reputation of Linux as part of the operating system.

Tuesday, April 26, 2005

Current Events: Server Compromise

This past weekend I noticed a huge amount of traffic from one IP trying to break into my SSH server at home. After some investigation, I discovered that this IP had made over 1100 intrusion attempts. The attacker was a script-kiddie using a dictionary attack. I performed an aggressive nmap on the IP to discover the type of machine attacking me with the following command:

nmap -sS -sV -O -v -T5 'ip address'

After discovering that the IP had a tempting number of services available, in addition to several IRC servers running, I attempted to view the web page that the server was serving by viewing it in Firefox. I was surprised to discover that the web site was an e-commerce site that belonged to a religious organization. Armed with this new information, I was convinced that the site had been compromised and that they needed to be informed. By looking up the whois data, I discovered that the server was hosted in the US and that there was a technical contact listed. I emailed the technical contact, as well as the root/abuse/info at the domain in question and informed them of the problem. I received a response a couple of hours later and the site was taken down for maintenance.

A couple of things I take away from this is that I can make a difference by being aware of what is happening to me and doing some minor investigating when an intrusion attempt occurs. Also, the whois data being public is essential for people like me who care about the safety of others to be able to inform server admins that they may have a problem with the integrity of their systems. Sorry about the lack of detail on the site, but I don't want to make them a target or give them any undue publicity.

Saturday, April 23, 2005

Book Review: The Art of Intrusion (Mitnick & Simon)

The Art of Intrusion is a book written by a convicted cracker who has solicited stories from other crackers so that he can tell them through this book. Kevin Mitnick has made quite a name for himself through the crimes that he committed and the sentence that he received. The Art of Intrusion is a book designed for the "not so technically inclined" who want to know how crackers feel and work.

Throughout The Art of Intrusion, Mitnick relates unfounded but convincing stories of cracking performed by others. With each event, Mitnick related how to prevent the attack and how to fix the problem before it begins. Mitnick does not reveal any new information in this book that any security professional worth their salt does not already know. Mitnick's style of story-telling almost feels like he wants to be writing a technical document but doesn't make it there which results in a book which is awkward to read and not very interesting until the last two chapters. I had to convince myself to keep reading in hopes of finding out something new.

The biggest complaint that I have about this book is that Mitnick is continually trying to convince the reader that crackers are doing society a favor by exploiting vulnerable systems and that all of the really good security consultants were once [or still are] black-hat crackers. Mitnick and others who commit cyber crimes evidently believe that they should not be punished if they report the crime to the party whom their crime affects -- even though malicious activity has occurred. If the crime is committed, the consequences should be faced.

I do not recommend this book.

Wednesday, April 20, 2005

Books: The Art of Intrusion

I am currently reading The Art of Intrusion, by Kevin Mitnick, and will post a full review when I am done. After reading the first 4-5 chapters I am disappointed by the lack of technical detail and the method Mitnick uses to tell the story. Mitnick is giving out security advice during and after each account which has not revealed any gems thus far. If the book continues as it has, I will be forced to give this book to my mother-in-law, as it does not reflect the level of knowledge that I expect.

To be continued...

Sunday, April 17, 2005

Email Clients: Mutt

I recently SSH'd into one of my servers running Fedora Core 3 and wanted to check my local mail. Not wanting to use the basic mail utility, I tried for my old favorite, Pine. With Pine nowhere to be found, I began to search for an alternative to it [since it is being used less and less, as I have found -- FreeBSD actually discourages the installation of Pine due to some security vulnerabilities]. After some very short searching on Google, I ran across Mutt and decided to try it out. It takes a few minutes to get the basics down, but this MUA is excellent! I really enjoy being able to use my "default editor" on any system to edit my email. I am a hard-core vi user, so being able to edit email in vi makes my life easier. There seems to be a fairly active user and developer base for Mutt so this bodes well for support and documentation. There is also a Mutt wiki.

Friday, April 15, 2005

Microsoft Security: Right direction?

The biggest problem with Windows security has always been that it is nearly impossible to run as a non-administrator when performing normal operations. It is possible, but it is very difficult. With it being so difficult to run as a non-administrator, most users run with full system privileges all the time which brings their system(s) under attack from every web page they visit and every email they open. Windows experts have instructed users to 'down-grade' their privileges when using their browser or email client, which is never done due to the additional steps that it takes to accomplish this seemingly simple task -- this is backwards, you should have to elevate your privileges to perform privileged functions!!

Microsoft has made some big strides in improving this model of operation recently with the 'Run-As' command but it has also been difficult to use. With the next release of Windows coming up, code-named Longhorn, Microsoft is embracing the principle of Least-privilege User Account (LUA). The principle of LUA has long been enforced in the Unix/Linux worlds with all users being able to control their own profile and nothing else or an account having access to control one daemon or service except the root user who is used to perform administrative functions. I am anxious to see how Microsoft does in this implementation, although I do expect it will take a few tries to get it right. This may turn into another version of the same thing we have now -- with there being 15 different levels of administrator and the Limited Account that still cannot function.

Wednesday, April 13, 2005

Linux Distro: OpenNA Linux

While reading a whitepaper in the SANS reading room today, I came across a reference to OpenNA Linux. OpenNA Linux is a distribution designed with a high level of security in mind. The distribution is somehow derived from Red Hat Linux originally, but now maintained by the OpenNA security solutions team which offers it for free [without support]. The fact that it stems from a Red Hat system makes it easy to install RPMs and gives Red Hat admins a good sense of familiarity. After reading a bit on their website, I plan on testing OpenNA Linux.

OpenNA Linux aims to be more secure than the average main-stream Linux distribution by removing all unnecessary software and services with role-based installations. If you are going to deploy a web-server, you install only the applications necessary to run a web-server. While role-based security is fairly obvious, very few distributions allow you the flexibility of installing only the bare minimum to run the services that you desire. OpenNA Linux even discourages installing an X Window system, which is advice that applies to any production server.

On a side note, Werner Puschitz, has written an article on how to secure a Linux system that is well worth reading. After reading the article, I have just a couple of additions to the article. The first thing that I would do is with the sshd_config file; replace the following line:

#Protocol 2,1

with this line:

Protocol 2

This change will prevent the SSH server from using the SSH protocol 1 to authenticate users and it will be more secure. The other item that I don't quite agree with pertains to passwords. The author encourages very complex passwords which makes it difficult for users to remember them. I do agree with his password scheme for any privileged accounts or accounts with remote access, but for normal users who do not have remote access (outside the subnet) there should be a more relaxed scheme. I would recommend only requiring at least two of the many criteria that he listed, as well as a minimum length of 8 characters.
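As an added example (not part of the original post or of Puschitz's article), the following POSIX shell script checks an sshd_config for the change described above and applies it. It assumes the old OpenSSH behaviour where a commented-out "#Protocol 2,1" means the compiled-in default of accepting both protocol versions, and that when several active Protocol directives exist the daemon honours the first one it reads; the sample config files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit and fix the "Protocol"
# directive in an OpenSSH server configuration.

# Return 0 only if the config restricts the daemon to protocol 2.
# No active Protocol line (e.g. only "#Protocol 2,1") means the old
# default applies and protocol 1 is still accepted, so that fails too.
ssh_protocol2_only() {
    file="$1"
    # sshd uses the first active occurrence of a keyword.
    proto=$(grep -E '^[[:space:]]*Protocol[[:space:]]' "$file" | head -n 1 | awk '{print $2}')
    [ "$proto" = "2" ]
}

# Comment out every active Protocol line and append "Protocol 2".
# Commenting rather than deleting keeps the change visible in a diff.
ssh_force_protocol2() {
    file="$1"
    tmp="$file.tmp"
    sed 's/^[[:space:]]*Protocol[[:space:]].*/#&/' "$file" > "$tmp"
    printf 'Protocol 2\n' >> "$tmp"
    mv "$tmp" "$file"
}

# Constructed sample 1: the stock sshd_config of the era (default left in place).
SAMPLE_DEFAULT=$(mktemp)
cat > "$SAMPLE_DEFAULT" <<'EOF'
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
PermitRootLogin no
EOF

# Constructed sample 2: an admin explicitly enabled both versions.
SAMPLE_BOTH=$(mktemp)
cat > "$SAMPLE_BOTH" <<'EOF'
Port 22
Protocol 2,1
PermitRootLogin no
EOF

# Report on each sample, then fix it and report again.
for f in "$SAMPLE_DEFAULT" "$SAMPLE_BOTH"; do
    if ssh_protocol2_only "$f"; then
        echo "$f: protocol 2 only"
    else
        echo "$f: protocol 1 still enabled, rewriting"
        ssh_force_protocol2 "$f"
        ssh_protocol2_only "$f" && echo "$f: now protocol 2 only"
    fi
done
```

Run it against a copy of the real file first; on a production host the rewrite would be followed by a configuration test and a daemon reload, which this demonstration deliberately leaves out.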

Overall, I highly recommend reading his article and will get back on how I review the distribution.
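The relaxed password scheme suggested above for local-only, unprivileged accounts, written out as an added POSIX shell checker (not from the original post or the referenced article). The page does not list Puschitz's criteria, so the four character classes used here (upper case, lower case, digits, punctuation) are an assumption standing in for them; the test passwords are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: enforce the relaxed scheme
# of "at least two character classes and at least 8 characters".

# Count how many of the four assumed character classes a password uses.
password_classes() {
    pw="$1"
    n=0
    case "$pw" in *[[:upper:]]*) n=$((n + 1)) ;; esac
    case "$pw" in *[[:lower:]]*) n=$((n + 1)) ;; esac
    case "$pw" in *[[:digit:]]*) n=$((n + 1)) ;; esac
    case "$pw" in *[[:punct:]]*) n=$((n + 1)) ;; esac
    echo "$n"
}

# Print the reason a password fails the relaxed scheme, or "ok".
password_reject_reason() {
    pw="$1"
    if [ "${#pw}" -lt 8 ]; then
        echo "too-short"
    elif [ "$(password_classes "$pw")" -lt 2 ]; then
        echo "too-few-classes"
    else
        echo "ok"
    fi
}

# Exit status form, convenient in a provisioning script.
password_ok_relaxed() {
    [ "$(password_reject_reason "$1")" = "ok" ]
}

# Constructed candidates: a strong mixed one, a long single-class one,
# a minimal passing one, and one that is simply too short.
for candidate in 'Tr0ub4dor!' 'correcthorse' 'abc12345' 'Ab1!'; do
    echo "$candidate: $(password_reject_reason "$candidate")"
done
```

The policy is intentionally loose, matching the post's position that it applies only to accounts with no remote access; the check is meant to run at account-creation time, where the password is already in the script's hands, rather than as a command taking secrets on the command line.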

Thursday, April 07, 2005

Biometrics: Good Idea or Not?

If the use of biometrics to increase the level of security or safety that you enjoy appeals to you, visit SecurityFocus.com and read about a Malaysian businessman who lost his finger because it was the only means to start his Mercedes. This incident shows to me that biometrics are NOT a viable security alternative. I don't want someone trying to cut off my finger or pull my eyeball out of the socket so that they can take my car for a joy-ride around the city. I agree with the author of the article on SecurityFocus.com that I do not want something used for security that is physically tied to me.

This incident reminds me of hearing about foreign diplomats who are implanted with RFID tags so that they can be located and recovered in the event of a kidnapping. The crooks are not all foolish, they found out and began removing limbs that held the RFID tags (which were usually hands). What are YOU willing to sacrifice for that level of "safety"?

Tuesday, April 05, 2005

FOSS Providing Means to Educate Millions

The MIT Media Lab is launching a program to develop and distribute $100 laptops to children around the world who are in need of education and technology. The program will provide laptops to children in developing nations who do not have access to the Internet or education materials, even books. With the idea to issue a laptop to a specific child who is able to take the laptop home and use it with their family, this program will provide a means to educate millions (orders will be for at least 1 million laptops).

Free and/or Open Source Software (FOSS) creates a means to provide technology to these children without spending lots of money on a proprietary operating system or office package and still provides a complete computing experience. If this operation were required to spend $199 on MS Windows and $399 on MS Office, the whole endeavor would be dismissed as impossible. I know that there are bulk licenses, but they cannot compete with the free software available. I'm not saying that there is not a place for the MS software though, they do provide a rewarding experience for those who are able to pay for the expensive licenses and who are able to pay for the support required to run these systems.

I applaud the efforts of MIT and I am certain that without the movement of FOSS that opportunities like this would not be available. If this effort is successful and laptops are distributed in mass quantities, the acceptance of Linux and Open Source software around the world will sky-rocket.

How do you compete with an opponent that has no price? I don't know, but MS has enough money they may find a way.

Monday, April 04, 2005

Security Principle: Least Privilege

One of the most important concepts in the IT security world is that of least privilege. When you create a user account and give it access permissions, you should give that account the least amount of privileges that the account requires to perform its function. Following this principle will save you an incredible amount of time and hassle when administering a network and maintaining the security of your system(s).

With 5 years of Linux administration and 10 years of administering Windows machines, it is increasingly apparent to me that the biggest cause of security breaches is that of too much user privilege. I see many shops where the administrators are running as administrator or root on the machines that they use for email, web-browsing, and non-administrative tasks. I also see a MS Windows environment where it is incredibly difficult for a user to not run as administrator and still get normal day-to-day tasks done -- but it is possible. When administering a network with 30 users on Windows XP/2K machines for 1.5 years I had no virus or worm outbreaks, and no loss of data. I did experience one incident of spyware when a user played a joke on another user by installing a screen-saver. On every network that I administered where the users were able to access the administrator account(s), there were always problems with virus outbreaks and worms causing hours of work for me to recover the systems.

I have heard from some system administrators and even security professionals that it is not possible to force users to not run with administrator privileges. This is not a correct statement or thought process. If you take the time to learn how to administer your systems properly, it will save you time in the long run. Unix and Linux have the 'su' command that will allow you to temporarily become an administrator to perform administrator functions. MS Windows has the 'Run-as' command that works fairly well to do the same. You should NEVER have to login to your system as the administrator user account. It is very difficult with MS Windows to maintain this security policy, but it is doable. One of the best ways to get used to this practice is to do it at home, where I'll bet most people do not! I can honestly say that I do not login to my machines as root unless I am performing administrative tasks, and then I logout as soon as I am done.

The following link from Microsoft gives a good overview of tools and methodologies which help run with least privilege: article.