
Wednesday, December 26, 2007

SELinux for all?

I recently migrated my mail server from a Gentoo Linux host to a Fedora 7 host and decided to use SELinux to improve my security posture. This is a big deal and should provide a greater level of security for my mail server, provided I can configure the security policies correctly.

SELinux was developed with the NSA and released under the GPL to provide a method of Mandatory Access Control for Linux.

The great benefit of using SELinux is that processes are prevented from accessing files that are not defined as belonging to, or associated with, that process. This is a great thing! If a daemon or process were to be compromised, it would be restricted to the specific files and resources configured in the SELinux policy. Any violations are logged by the setroubleshoot daemon in the /var/log/messages syslog file, where you can review them and decide whether to allow the access or continue denying it.

Enabling SELinux is very simple: the Fedora or Red Hat Linux installer prompts for it during install. I do not recommend enabling it on an OS that is in production, and would only recommend enabling SELinux on a recent install or non-production host until you are very comfortable with it and have tuned your policies according to your production operation.

To get your feet wet, enable SELinux in permissive mode. This mode will allow all processes to run as if SELinux were off, but it will log any violations via auditd in syslog to allow you to tune your policies. You are prompted for this mode upon install; post-install, you can configure it with either of the following methods:

1. Use the setenforce command, which changes the mode of the running system: setenforce permissive

usage: setenforce [ Enforcing | Permissive | 1 | 0 ]

2. Edit the /etc/selinux/config file, which sets the mode applied at boot:

SELINUX=permissive

Also, if you enable SELinux, be sure to remove any mention of selinux from the /boot/grub/grub.conf file, or provide the proper flags to enable it. The kernel command line is also the best way to disable SELinux if you are so inclined. An example would be:

#/boot/grub/grub.conf
title Fedora 7 (2.6.22.1-41.fc7)
root (hd0,0)
kernel /vmlinuz-2.6.22.1-41.fc7 ro root=/dev/vg01/f7_root rhgb quiet selinux=0
initrd /initrd-2.6.22.1-41.fc7.img

Note that on the kernel line I have passed 'selinux=0' to the kernel which would then disable this feature.
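The config file and the kernel line can disagree, leaving SELinux off on a host whose /etc/selinux/config says otherwise. The check below is an added example, not part of the original post: it reads both files and reports the effective mode per boot entry. It assumes the legacy grub.conf layout shown above and this precedence: selinux=0 wins, then SELINUX=disabled, then an enforcing=0/1 kernel argument, then the config file. The second boot entry and the config contents are constructed.

```python
import re

# Constructed samples modelled on the two files discussed in the post.
SAMPLE_CONFIG = """\
# /etc/selinux/config
SELINUX=permissive
SELINUXTYPE=targeted
"""

SAMPLE_GRUB = """\
# /boot/grub/grub.conf
default=0
title Fedora 7 (2.6.22.1-41.fc7)
    root (hd0,0)
    kernel /vmlinuz-2.6.22.1-41.fc7 ro root=/dev/vg01/f7_root rhgb quiet selinux=0
    initrd /initrd-2.6.22.1-41.fc7.img
title Fedora 7, enforcing (constructed entry)
    root (hd0,0)
    kernel /vmlinuz-2.6.22.1-41.fc7 ro root=/dev/vg01/f7_root enforcing=1
    initrd /initrd-2.6.22.1-41.fc7.img
"""

MODES = ("enforcing", "permissive", "disabled")


def config_mode(text):
    """Return the SELINUX= value from /etc/selinux/config text, or None."""
    mode = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"SELINUX\s*=\s*(\w+)", line)
        if m and m.group(1).lower() in MODES:
            mode = m.group(1).lower()
    return mode


def grub_entries(text):
    """Return [(title, [kernel arguments])] for a legacy grub.conf."""
    entries, title = [], None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0] == "title":
            title = parts[1]
        elif parts[0] == "kernel" and title is not None:
            entries.append((title, parts[1].split()[1:]))  # drop the image path
    return entries


def effective_mode(configured, kernel_args):
    """Combine the config file mode with the kernel arguments of one entry."""
    params = dict(a.split("=", 1) for a in kernel_args if "=" in a)
    if params.get("selinux") == "0":
        return "disabled"  # the kernel never initialises SELinux
    if configured in (None, "disabled"):
        return configured or "unknown"
    if params.get("enforcing") in ("0", "1"):
        return "enforcing" if params["enforcing"] == "1" else "permissive"
    return configured


def audit(config_text, grub_text):
    """List every boot entry with its effective mode and a mismatch flag."""
    configured = config_mode(config_text)
    rows = []
    for title, args in grub_entries(grub_text):
        effective = effective_mode(configured, args)
        rows.append({"title": title, "configured": configured,
                     "effective": effective,
                     "mismatch": effective != configured})
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG, SAMPLE_GRUB):
        flag = "MISMATCH" if row["mismatch"] else "ok"
        print(f'{flag:8} {row["title"]}: config={row["configured"]} '
              f'effective={row["effective"]}')
```

On a real host, pass the contents of /etc/selinux/config and /boot/grub/grub.conf to audit() and compare the result with what getenforce reports.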

After enabling SELinux, check syslog frequently (/var/log/messages) to look for policy violations and tune your system. A typical policy violation would look like the following:

Dec 26 08:12:50 f7-laptop setroubleshoot: SELinux is preventing the /bin/vi from using potentially mislabeled files (.exrc). For complete SELinux messages. run sealert -l 27ae2a46-19bb-47a8-b127-068a587e9494

In the above log entry, I used 'vipw' to access the /etc/passwd file and SELinux did not allow the 'vipw' binary to access my '.exrc' file (user customized file for VIM settings).

In short, SELinux can provide a GREAT measure of security to a seasoned administrator who is willing to take the time to learn how to use it. Use permissive mode and tune the policies to fit your particular environment. I do not know of anybody who uses SELinux in production or in a business due to the issues it seems to cause by lack of training and/or expertise in the configuration phase. Remember to disable SELinux and re-create the issue before bothering the application maintainer about any issues you may have.

Sunday, March 04, 2007

rootkit defense -- not so fast

A recent demonstration at Black Hat DC by Joanna Rutkowska shows how hardware-based rootkit defense may not be sufficient when facing an elite hacker. Rutkowska showed how the image of volatile memory as seen by the CPU can be different from the image in memory.

This is significant as it shows that monitoring at the hardware level is not fool-proof and defenders must use a combination of hardware and software monitoring.

Read the article.

Actual implementation of this attack does not seem very likely due to the complexity.

Tuesday, August 02, 2005

Responsible Disclosure: Ciscogate

For those who have not yet heard (shouldn't be anyone), Mike Lynn presented a flaw in Cisco routers at Black Hat 2005 that could bring the Internet to its knees. There are conflicting sides to the story, but the gist is that Cisco was trying to down-play the seriousness of the flaw and keep the researcher from disclosing the vulnerability. Responsible disclosure means that after a reasonable amount of time trying to work with the vendor, the researcher must disclose the vulnerability to the security community so that the flaw may be fixed or defended against. There are rumors that the Chinese have already been exploiting this flaw, which makes it imperative that the security community know about it.

Open Standards: HTML and web technologies

As an avid supporter of open standards in all things digital, I was pleased to see this article on Slashdot wherein Paul Thurrott talks about boycotting Internet Explorer 7.0 until Microsoft comes out with a standards-compliant browser. I think that IE is a huge disappointment and a very lazy offering by MS. Any self-respecting tech company will strive to better the field that they work in and IE has made the field of web browsing and development worse for the wear. Please use Firefox.

Other reasons to not use Internet Explorer:

1. Privacy
2. Security
3. Diversity
4. Competition is better for innovation (not patents -- contrary to popular belief)

Friday, July 29, 2005

Black Hat USA 2005

I just got back from Las Vegas, NV where I attended Black Hat USA 2005. This IT security conference is incredible! All of the briefings are new material only, which gives you a fresh perspective on security issues in the IT field. The presenters were people from The Shmoo Group, Dan Kaminsky, the Choicepoint CISO, and many others! I saw some excellent briefings and learned quite a bit. This conference is a "must attend" for any serious security professional.

Saturday, July 16, 2005

Network Monitoring: Storage of capture data

I recently played around with trying to store some pcap capture data in a MySQL database so that I could analyze it and look for trends. I had the capture set to create 20MB full content files so that I could manipulate them easily:

tcpdump -s 1515 -C 20 -w content.lpc

I next created a Ruby script that would open the pcap file and write the data that I wanted to store to a CSV file that I would then bulk load into the MySQL database. This part worked very well and very quickly. I found that when I inserted the data into an InnoDB table, while only storing the source IP, destination IP and port, and the time of the packet, 20 capture files would take up 1GB of space. Not only that, but it turned out to be over 1.3 million packets. This amount of data is really testing my SQL skills, as I try to create intelligent queries that will allow me to aggregate the data on specific parameters.

Anyone have any better solutions?
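One way to cut the row count before the bulk load, shown as an added example (it is not the Ruby script described above): collapse packets into one row per time bucket and flow, so the table stores counts rather than individual packets. The reader handles only classic pcap files with Ethernet framing and IPv4 TCP/UDP; the one-minute bucket, the column order and the five sample packets are assumptions made for the example.

```python
import socket
import struct
from collections import Counter


def read_pcap(data):
    """Yield (ts_sec, frame) for each record in a classic libpcap file image."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec, data[offset:offset + incl_len]
        offset += incl_len


def flow_key(frame):
    """Return (src, dst, proto, dport) for IPv4 TCP/UDP, or None to skip."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    fragment_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    l4 = 14 + ihl
    # Later fragments carry no TCP/UDP header, so they have no port to read.
    if proto not in (6, 17) or fragment_offset or len(frame) < l4 + 4:
        return None
    dport = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
    return (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
            proto, dport)


def aggregate(data, bucket=60):
    """Count packets per (bucket start, src, dst, proto, dport)."""
    rows = Counter()
    for ts, frame in read_pcap(data):
        key = flow_key(frame)
        if key is not None:
            rows[(ts - ts % bucket,) + key] += 1
    return rows


def to_csv(rows):
    """Render the aggregate as CSV lines ready for a bulk load."""
    return "\n".join(",".join(map(str, key + (count,)))
                     for key, count in sorted(rows.items()))


def sample_pcap():
    """Build a five-packet capture in memory (constructed test data)."""
    def frame(src, dst, proto, dport):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        ports = struct.pack("!HH", 40000, dport)
        return b"\x00" * 12 + b"\x08\x00" + ip + ports + b"\x00" * 16

    packets = [
        (1121500800, frame("192.0.2.10", "198.51.100.5", 6, 25)),
        (1121500815, frame("192.0.2.10", "198.51.100.5", 6, 25)),
        (1121500859, frame("192.0.2.10", "198.51.100.5", 6, 25)),
        (1121500860, frame("192.0.2.10", "198.51.100.5", 6, 25)),
        (1121500861, frame("192.0.2.11", "198.51.100.5", 17, 53)),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1515, 1)
    for ts, data in packets:
        out += struct.pack("<IIII", ts, 0, len(data), len(data)) + data
    return out


if __name__ == "__main__":
    print(to_csv(aggregate(sample_pcap())))
```

The five sample packets become three rows; on real traffic the saving depends on how many packets share a flow within each bucket.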

Securing the mother-in-law's computer.

This week I had the opportunity to take a look at my mother-in-law's computer, after having gone over it pretty thoroughly 6 months ago to make sure some basic security measures were in place, to make sure she was safe on-line. I was talking to her about how she accessed the internet and browsed web pages, as well as using her digital camera to create photo pages. She told me that when she accessed the Internet, she has to disable 'that ZoneAlarm' program so that it wouldn't take as long...and sometimes it stopped web pages from loading altogether! This really surprised me, as I thought that I had explained the situation better than that. Her firewall was being disabled at the time she needed it most.

My mother-in-law is running Microsoft Windows 98 and has been using it for nearly 7 years. She knows how to get around and sees no reason to upgrade to Windows XP or Linux. As security people, I believe that we need to advise people to use systems that are as secure as possible...especially since Microsoft does not, and cannot, maintain the security of its Operating Systems. The real answer here is to use an Operating System that is more secure so that the users do not have to understand so much about how the technology works to be secure on-line.

Sunday, June 19, 2005

Home PC: How secure do you feel?

I recently helped my brother-in-law set up a new computer that he had purchased, just to make sure that he would not be plagued with the endless spyware and adware that most home users are afflicted with. The biggest issue being that most people run their personal machines as a member of the Administrators group. One thing that I noticed as I waded through all of the "utility" software on his machine was that there is a lot of JUNK on OEM machines!! I have only purchased 1 OEM machine in my lifetime, while building the rest of my machines or buying them used from University surplus sales, so I didn't realize how much crap they put on these things. I got the feeling from this situation that if the user feels safe because of the massive amount of software designed to make them safe on the machine that they must be safe -- or at least that's what the OEM would have you believe. After I cleaned all of the AOL, Norton trial, and McAfee trial software off the machine, it booted twice as fast and ran much more smoothly. I also installed AVG Free edition for Anti-Virus and enabled the built-in Windows Internet Connection Firewall. Now he will be able to use the full power of his machine and not get plagued by viruses and other malicious code.

Some things that are just smart to do with a Windows machine to maintain it -- in order of importance:

1. Do not use an Administrator account unless you are installing software or configuring your machine (this will save most people)

2. Use a firewall of some sort

3. Enable automatic updates for Windows

4. Use anti-virus software

Thursday, May 05, 2005

Spam Increase due to Bebo.com

I have noticed a marked increase in the amount of spam that I get since my sister tried to sign me up for the Bebo.com experience. Since they now have control of her hotmail address book, it only makes sense that they would spam everyone in it, including me. The sad part is that most of the spam I am getting now is "adult" related. I have never received much spam and I am very careful with my email addresses. Now I am receiving 3-6 messages each day that I believe are a direct result of Bebo.com. It just takes one person who doesn't have a clue to ruin it for you.

Please do not use Bebo.com.

Reporting Bebo.com to Microsoft

After the Bebo.com episode a few days ago, I reported it to abuse@hotmail.com. This morning I received an automated reply stating that I need to send a hotmail addressed email to them. They are evidently not the right people to be notifying about the scandal that Bebo.com is running. The email is as follows:

--------------------------

This is an auto-generated response designed to answer your question as quickly as possible. Please note that you will not receive a reply if you respond directly to this message.

Unfortunately, we cannot take action on the mail you sent us because it does not reference a Hotmail account. Please send us another message that contains the full Hotmail e-mail address and the full e-mail message to:
abuse@hotmail.com

>>>>>> To forward mail with full headers


Using Hotmail:
1. Click "Options" to the right of the "Contacts" tab. The "Options" page appears.
2. Under "Additional Options", click "Mail Display Settings". The "Mail Display Settings" page appears.
3. Under "Message Headers", select "Full" and click "OK".
4. Forward the resulting mail to:
abuse@hotmail.com

Using MSN Explorer:
1. Open the message, and then click "More" in the upper right corner.
2. Click "Message Source". The message opens in a new window with all the header information visible.
3. Copy all the text and paste it into a new message. Send this message to:
abuse@msn.com

Using Outlook Express or Outlook:
1. On the unopened mail, place your cursor over the mail, right-click, and click "Options".
2. Under "Internet headers", copy the contents of the full header.
3. Open the e-mail in question and forward a complete copy of the message, including the full message header you copied at the beginning of your message, to:
abuse@hotmail.com

If you're not a Hotmail member, consult the Help associated with your e-mail program to determine how to view complete header information. Then forward the message to:
abuse@hotmail.com

If the unsolicited junk e-mail or "spam" comes from a non-Hotmail account, you can send a complaint to the service provider that sent the mail. Make sure that you include full headers when you send your complaint.

In the full header, look at the last "Received" notation to locate what .com domain it came from. It looks something like:
[service provider domain name].com

Forward a complete copy of the message, including the full message header, to:
abuse@[service provider domain name].com

If the domain does not have an abuse service, forward your complaint to:
webmaster@[service provider domain name].com

All Hotmail customers have agreed to MSN Website Terms of Use and Notices(TOU) that forbid e-mail abuse. At the bottom of any page in Hotmail, click "Terms of Use" to view the Terms of Use document in its entirety.

Thank you for helping us enforce our TOU.

Tuesday, May 03, 2005

Identity Integrity: Bebo.com

This morning I received a very strange email from my sister asking me to update my personal contact information on Bebo.com. I was very skeptical that this email actually came from my sister, so I immediately emailed her to ask her if she had sent me the message. She replied saying that everyone she knows uses this thing and she lost her address book, so she would too. The message was as follows:

Hi

I am updating my address book and it would be very helpful if you could click on the link below and enter your contact details for me:

http://www.Bebo.com/fr2/4247668a3779803b227582652c605356

I am using a new service that helps people stay in touch. It is only for direct friends and allows you to privately exchange contact details and view one another's photos. You choose what to share.

Thank you for helping.


At this point I'm very worried that my sister may have fallen for a scam of some sort, so I tell her that I am concerned that she may be using Bebo.com for my personal data...and she replied that she would not. She also was under the impression that Bebo.com is part of hotmail. Now I was getting worried that Microsoft was pulling a fast one on people and trying to take over the world by combining Bebo.com with their webmail service -- but I hadn't seen it on the all knowing Slashdot yet.

I did a little research on the Bebo.com website and was not able to find anything that would link them to Microsoft. I did some more googling and found that many people were receiving spam and were unhappy with how Bebo.com hijacked their hotmail password/account so I thought I would investigate this. The first step would be to create a throw-away email address with hotmail.

I created an account with hotmail called 'isthisbebo@hotmail.com'. This took a very short time, filling out each form with bogus information.

First name: bebo1
Last name: bebo2
...
etc...
...

The next step is to sign up with Bebo.com and try to find out where they link with hotmail. I then signed up with the username, 'isthisbebo'. The following information is requested about the person signing up:

My Contact Details
First Name
Last Name
Date Of Birth
Gender
Country
Email Addresses: Home, Work, Other
Phone Numbers: Home, Work, Mobile
Postal Addresses: Home, Work



The very next page shows a couple of text boxes which allow you to enter your hotmail email account and password so that Bebo.com can show you who IN YOUR ADDRESS BOOK is already in Bebo.com. Is that scary or what? This service is using people's email accounts to access address books. Why write a virus to do this, just create a website and ask people, they will give you their passwords!! I wonder if Microsoft condones this practice? The next step was to enter my hotmail email address and password and watch it go over the wire in the clear...which it did:

Email form:

Add Friends

Request contact details from your own friends and populate your free address book.

Hotmail Users
Enter your Hotmail details below and we'll show you who's already using Bebo from your Hotmail Address Book.

Hotmail Email Address
Hotmail Password

~ OR ~

Copy and Paste the wording below into an email.
Send the email to friends to request their contact details. You can send from either your Hotmail account and/or ANY other email account you may have.
Need instructions on how to Copy and Paste? Click here




Ethereal Capture:

POST /WhosHere.jsp?Ran=289260571 HTTP/1.1
Host: bebo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://bebo.com/RequestDetails.jsp?NewMember=Y&Ran=507541617
Cookie: bdaysession=251377972379689953; Email=isthisbebo@hotmail.com; Username=isthisbebo; A=-1; G=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 73

ScraperTypeCd=H&Email=isthisbebo%40hotmail.com&Password=testing&OK=++OK++HTTP/1.1 200 OK
Server: Resin/2.1.16
Content-Type: text/html; charset=utf-8
Content-Length: 8888
Connection: close
Date: Wed, 04 May 2005 02:04:24 GMT


In conclusion, Bebo.com is NOT integrated with hotmail.com. The practice that Bebo.com has started of trying to fool people into giving them their hotmail username/password is very disconcerting. I am going to warn my family and friends to be very careful when using this service and not give out other email addresses or passwords. If a hacker were to compromise this system, there is no requirement for them to disclose it to the users, as far as I know -- and they would have a valid email address with password for some users. Bebo.com also reserves the right to send spam to those on their lists.
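A defender reviewing proxy or capture data can flag this pattern automatically. The check below is an added example, not part of the original investigation: it cuts one request out of a stream dump using Content-Length (in the capture above the response follows the body with no separator), then reports secret-looking form fields sent without encryption and account addresses whose domain differs from the receiving host. The field-name pattern, the function names and the report layout are assumptions; the sample request is trimmed from the capture in the post.

```python
import re
from urllib.parse import parse_qsl

# Request trimmed from the capture in the post; the response line follows the
# body directly, as it does in the stream dump.
SAMPLE_STREAM = (
    b"POST /WhosHere.jsp?Ran=289260571 HTTP/1.1\r\n"
    b"Host: bebo.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 73\r\n"
    b"\r\n"
    b"ScraperTypeCd=H&Email=isthisbebo%40hotmail.com&Password=testing&OK=++OK++"
    b"HTTP/1.1 200 OK\r\nServer: Resin/2.1.16\r\n\r\n"
)

# Assumed heuristic for field names that carry a secret.
SECRET_NAME = re.compile(r"pass(word|wd)?|pwd|secret", re.IGNORECASE)
FORM_TYPE = "application/x-www-form-urlencoded"


def parse_request(stream):
    """Split one HTTP request out of a stream dump, bounded by Content-Length."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator found")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return method, target, headers, rest[:length].decode("latin-1")


def same_site(domain, host):
    """True when host is the account's own domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def audit_form_post(stream, encrypted=False):
    """Report risky credential handling; secret values are never returned."""
    method, target, headers, body = parse_request(stream)
    host = headers.get("host", "").split(":")[0].lower()
    fields = []
    if headers.get("content-type", "").startswith(FORM_TYPE):
        fields = parse_qsl(body, keep_blank_values=True)
    secret_fields = [name for name, _ in fields if SECRET_NAME.search(name)]
    domains = {value.rsplit("@", 1)[1].lower()
               for _, value in fields if "@" in value} - {""}
    foreign = sorted(d for d in domains if not same_site(d, host))
    findings = []
    if secret_fields and not encrypted:
        findings.append("secret sent without transport encryption")
    if secret_fields and foreign:
        findings.append("credentials for another site collected by " + host)
    return {"method": method, "path": target.split("?")[0], "host": host,
            "secret_fields": secret_fields,
            "foreign_account_domains": foreign, "findings": findings}


if __name__ == "__main__":
    report = audit_form_post(SAMPLE_STREAM)
    for finding in report["findings"]:
        print(f'{report["host"]}{report["path"]}: {finding}')
```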

Monday, May 02, 2005

ISP Security

While researching ISPs lately, I came across an interesting concept on the website of Speakeasy where they will allow individual customers to be a mini-ISP with their netshare program. With this program, any customer who considers themselves competent can share their connection with others for profit and the customer is responsible for the actions of the users who they are sharing their connection with. If someone you happen to be sharing your connection with is downloading child porn or other illicit activity, you will be held responsible if you do not take care of it. Also, the system is designed for wireless connections, and the customer is responsible for the security of the configuration. It seems pretty unsafe to me to allow consumers who "think" that they are competent to be responsible for the security of the information that their neighbors pass over the network! I think that there needs to be a qualification check in place to make sure that this doesn't get out of hand. Another caveat: the customer who administers the netshare program must provide tech-support for their users, which could be a big hassle if not properly managed.

Friday, April 29, 2005

Encryption: Enigmail for Mozilla Thunderbird

Enigmail is an extension for Mozilla Thunderbird that will allow integration with the GnuPG encryption utility. This is a very useful tool that features key management, email signing, and encryption of email. I heartily recommend this extension to anyone who uses Thunderbird.

While installing Enigmail for Mozilla Thunderbird, I had some difficulty getting the extension installed. I would open the extensions dialogue and select the xpi file from my desktop and nothing would happen. I have not had to install the windows version for such a long time that I forgot that I had to perform the install as an Administrator account before I install it as a Limited-Access User Account. I don't agree with the way that this system works, as it means that the application is too closely coupled with the system registry and affects more than my single user when I install this extension. If this extension requires Administrator privileges to install, why doesn't it install for every user on the system when I do perform the Admin install?

Wednesday, April 27, 2005

Security Principle: Separation of Privilege

There is an excellent article on Securityfocus.com by Daniel Hanson that talks about the downfall of running any system as an administrative account. Daniel makes an excellent reference to the Linspire way of doing things, which follows Microsoft and runs all users as root. As Daniel so eloquently points out, running as root is like putting all of your vegetables in the same pile -- if one of them begins to rot, the rest will most likely begin rotting and you will have no more vegetables left. On the other hand, if you put restrictions on your users and run with Least-privilege User Access, you will be able to maintain the integrity of your system. One of the fundamental elements of Information Security is integrity (CIA) -- which is making sure that your data is the same now as when you put it there. If you run all of your users as root, or even you run as root as you surf the web and check your email, you run a significant risk of losing control of the integrity of your data.

It is always easier to run as root until you lose some data. This can be compared to the person who doesn't believe they need to back up their data -- they will quickly change their mind after they lose critical data (although some people never do learn and that idea must be applied here). If Linspire has to go through the same maturity lesson that Microsoft has gone through then it will be a stain on the reputation of Linux as part of the operating system.

Tuesday, April 26, 2005

Current Events: Server Compromise

This past weekend I noticed a huge amount of traffic from one IP trying to break into my SSH server at home. After some investigation, I discovered that this IP had made over 1100 intrusion attempts. The attacker was a script-kiddie using a dictionary attack. I performed an aggressive nmap on the IP to discover the type of machine attacking me with the following command:

nmap -sS -sV -O -v -T5 'ip address'

After discovering that the IP had a tempting number of services available, in addition to several IRC servers running, I attempted to view the web page that the server was serving by viewing it in Firefox. I was surprised to discover that the web site was an e-commerce site that belonged to a religious organization. Armed with this new information, I was convinced that the site had been compromised and that they needed to be informed. By looking up the whois data, I discovered that the server was hosted in the US and that there was a technical contact listed. I emailed the technical contact, as well as the root/abuse/info at the domain in question and informed them of the problem. I received a response a couple of hours later and the site was taken down for maintenance.

A couple of things I take away from this: I can make a difference by being aware of what is happening to me and doing some minor investigating when an intrusion attempt occurs. Also, the whois data being public is essential for people like me who care about the safety of others to be able to inform server admins that they may have a problem with the integrity of their systems. Sorry about the lack of detail on the site, but I don't want to make them a target or give them any undue publicity.

Friday, April 15, 2005

Microsoft Security: Right direction?

The biggest problem with Windows security has always been that it is nearly impossible to run as a non-administrator when performing normal operations. It is possible, but it is very difficult. With it being so difficult to run as a non-administrator, most users run with full system privileges all the time which brings their system(s) under attack from every web page they visit and every email they open. Windows experts have instructed users to 'down-grade' their privileges when using their browser or email client, which is never done due to the additional steps that it takes to accomplish this seemingly simple task -- this is backwards, you should have to elevate your privileges to perform privileged functions!!

Microsoft has made some big strides in improving this model of operation recently with the 'Run-As' command but it has also been difficult to use. With the next release of Windows coming up, code-named Longhorn, Microsoft is embracing the principle of Least-privilege User Account (LUA). The principle of LUA has long been enforced in the Unix/Linux worlds, with each user able to control their own profile and nothing else, or an account having access to control one daemon or service; the exception is the root user, who is used to perform administrative functions. I am anxious to see how Microsoft does in this implementation, although I do expect it will take a few tries to get it right. This may turn into another version of the same thing we have now -- with there being 15 different levels of administrator and the Limited Account that still cannot function.

Thursday, April 07, 2005

Biometrics: Good Idea or Not?

If the use of biometrics to increase the level of security or safety that you enjoy appeals to you, visit SecurityFocus.com and read about a Malaysian businessman who lost his finger because it was the only means to start his Mercedes. This incident shows to me that biometrics are NOT a viable security alternative. I don't want someone trying to cut off my finger or pull my eyeball out of the socket so that they can take my car for a joy-ride around the city. I agree with the author of the article on SecurityFocus.com that I do not want something used for security that is physically tied to me.

This incident reminds me of hearing about foreign diplomats who are implanted with RFID tags so that they can be located and recovered in the event of a kidnapping. The crooks are not all foolish, they found out and began removing limbs that held the RFID tags (which were usually hands). What are YOU willing to sacrifice for that level of "safety"?

Monday, April 04, 2005

Security Principle: Least Privilege

One of the most important concepts in the IT security world is that of least privilege. When you create a user account and give it access permissions, you should give that account the least amount of privileges that the account requires to perform its function. Following this principle will save you an incredible amount of time and hassle when administering a network and maintaining the security of your system(s).

With 5 years of Linux administration and 10 years of administering Windows machines, it is increasingly apparent to me that the biggest cause of security breaches is that of too much user privilege. I see many shops where the administrators are running as administrator or root on the machines that they use for email, web-browsing, and non-administrative tasks. I also see a MS Windows environment where it is incredibly difficult for a user to not run as administrator and still get normal day-to-day tasks done -- but it is possible. When administering a network with 30 users on Windows XP/2K machines for 1.5 years I had no virus or worm outbreaks, and no loss of data. I did experience one incident of spyware when a user played a joke on another user by installing a screen-saver. On every network that I administered where the users were able to access the administrator account(s), there were always problems with virus outbreaks and worms causing hours of work for me to recover the systems.

I have heard from some system administrators and even security professionals that it is not possible to force users to not run with administrator privileges. This is not a correct statement or thought process. If you take the time to learn how to administer your systems properly, it will save you time in the long run. Unix and Linux have the 'su' command that will allow you to temporarily become an administrator to perform administrator functions. MS Windows has the 'Run-as' command that works fairly well to do the same. You should NEVER have to log in to your system as the administrator user account. It is very difficult with MS Windows to maintain this security policy, but it is doable. One of the best ways to get used to this practice is to do it at home, where I'll bet most people do not! I can honestly say that I do not log in to my machines as root unless I am performing administrative tasks, and then I log out as soon as I am done.

The following link from Microsoft gives a good overview of tools and methodologies which help run with least privilege: article.

Wednesday, March 23, 2005

Mac OS X Security

Computer Crime Research News has an article where they discuss an article by major Anti-virus vendor Symantec which talks about how Mac OS X is increasing in popularity and becoming a target of hackers. This discussion is excellent for the security industry and those who would like to see more variety in the operating systems deployed on the desktop. With BSD and Mac OS X being rated as the most secure OS for either 2003 or 2004 (I forgot the link, I'll try to find it), we will now be able to see how secure it is. We will also be able to see how secure the applications that Apple has added to the BSD system are and how viable the Apple solution is compared to Linux [and Microsoft Windows].

I don't think that the vulnerabilities will ever match, or come close to matching what we have seen with Microsoft products. The reasoning for this is that Microsoft has been in the spotlight for many years as the front-runner, while the other boys have stood by the wayside learning and moving in a more secure fashion while learning from the mistakes and successes of Microsoft. It is much better to have options when deploying a server or desktop, so I welcome the competition of Microsoft, Apple, and any other OS vendor. I do like to preach about open-standards though, and the consumer should not have to be the one struggling to implement a solution because the vendor has gone out of their way to prevent interoperability (read Microsoft).

Thursday, February 17, 2005

Student Privacy in Public Schools

In an elementary school in Sutter, California, the school implemented a policy to use RFID tags to track students' movements throughout the school. The system was supposed to make it easier for administrators and teachers to take attendance and monitor the location of students. The initial plan included tracking students into the bathrooms, which was protested successfully by parents.

This type of automated tracking is a clear invasion of privacy. I am not suggesting that we have a right to privacy (although I do support the right to privacy), but I am suggesting that in this situation, the parents should be able to decide whether or not school employees will have access to their children at all times. I would want measures to be in place to ensure that the local pedophile would not have access to the children's location when the school was short-staffed. We all know that background checks are not 100% accurate, and that school employees are under-paid. The RFID technology is not mature enough to prevent third party reading and tracking either. There should be more planning and risk-analysis involved in a policy such as this.

The idea of monitoring our children is not a bad one, as they require monitoring by responsible individuals who care for their well being. The monitoring becomes a problem when it is automated and access may be given to individuals who the parents are not informed about. I can see this issue getting more of the spotlight as more monitoring solutions are created.