March 2005 Archives

Anton Chuvakin


Related link: http://www.nwc.securitypipeline.com/159900223

Lots of folks get involved in collecting and creating security “best practice” documents (I have to admit I am guilty of that as well). This fun paper looks at “commonly accepted” security “worst practices”. Here is the list, but do read the paper, since it has many fun tidbits as well as suggestions on what to do instead of each of these:

1 If you find a security hole, buy a product to fix it

2 Ignore the human element

3 “Full speed ahead and damn the torpedoes” is our motto

4 To run a tight ship, take an authoritarian approach

5 Make access privileges an all or nothing proposition

6 Treat all data as equal

7 Back up everything, every night

8 Perform audits and penetration tests infrequently, and in-house

9 Endpoints for everyone

10 Make sure security is highly visible, even intrusive

Anton Chuvakin


Related link: http://www.computerworld.com/printthis/2005/0,4814,100637,00.html

Well, the other commentator described it as “dumb” and yet more people called it “abhorrent” and “equivalent to suing a whistle-blower”, but one database company actually threatened a vulnerability research firm after it shared the flaw information with the software vendor (!) and also had a policy of publishing flaws. It does look pretty dumb, but is the software vendor considering all the risks of doing such “strong-arming”? I see such behavior as incredibly risky since I suspect future researchers will not come to the vendor with their findings, they will just leak them and let the database customers be “owned” without a chance of protection…

Kyle Rankin


Related link: http://www.smh.com.au/news/Breaking/Safe-CD-solution-for-online-banking/2005/03/…

Cybersource, an electronic payment services company, has announced a new product called “Coastguard” to help make accessing online banking sites more secure. Coastguard is basically a remastered Knoppix CD on which the DNS servers and other settings are automatically configured to use secured bank servers. This is a departure from the token-based systems that other companies use.

I like the fact that this company was able to recognize how useful Knoppix is, particularly for this kind of security. Of course, at a $250,000 price tag, it’s not exactly cheap. For the cost you do get complete access to the remastered CD with the ability to further tweak it, although I think you could probably pay a lot less for someone who knows Knoppix to create a remastered version just for you.

From Cybersource:

“The costs of burning and distributing the CDs will have to be borne by the institution but it will definitely not be as high as the $18 which one bank pays for its security tokens,”

“In any case, the bank which adopts a security token as a solution will have to make some backend changes which will cost it much more than our solution does,”

What I wonder is just how well this solution will work. As many of you know, a number of banking sites (or at least the web designers behind them) seem to think that this is an IE-only world. I can live with not being able to access functions on some random website because the designers weren’t clueful enough to code it to standards, but banking sites are a different matter! At least for the most part, these sites will work if you spoof your user agent, and perhaps that’s just what Cybersource did with their Knoppix CD.

Maybe a Knoppix hacker with some spare time will work up a remastered edition for the home user that implements some of these security features.

Anton Chuvakin


Related link: http://loop.interop.com/comments.php?id=269_0_1_0_C

This fun piece looks at the following curious security issue: is patch management simple or complicated? I’ve seen people say it’s very simple (“just set Windows Update to On”) or horribly complicated (“we have a staff of 10 and they are overworked just doing patches”). Why is that? This article affirms that patching Windows in a Windows-only environment is actually pretty simple. Patching Unix is not too hard either. However, the author claims that when people aim for an ambitious multi-platform patch solution to “patch everything”, all hell breaks loose and complexity reigns supreme…

Anton Chuvakin


Related link: http://software.silicon.com/security/0,39024655,39128296,00.htm

I just love those debates on vulnerability disclosure! Just think about this amazing spin: who was the first to suggest that people search for software vulnerabilities for two reasons only: to hack somebody and to “make the world a better place”? Why can’t there be more reasons, like make money?

Dru Lavigne


Related link: http://www.bsdcertification.org

It’s been a while since I’ve last blogged. Many exciting things have been happening in BSD, with much more in the works as 2005 progresses.

An exciting initiative which I’m lucky to be a part of was officially announced earlier today on the BSD advocacy lists. A BSD Certification Group has been formed to address the lack of BSD certification. You can read the press release at the BSD Certification Group site.

A Portuguese version of the press release was also announced to various Portuguese BSD lists and user groups.

While the Group will be coordinating and overseeing the effort, we are actively seeking contributions from the community to ensure the resulting certification process meets the needs of the BSD community. Some contributions have already been defined, with more ways to contribute in the works. If you haven’t already, subscribe to the public mailing list as it will be the main announcement venue as the certification standard progresses.

The countdown is now on for BSDCan 2005. Last year was great, but it looks like it will pale in comparison to this year’s lineup. If you haven’t already, register now as space is limited and seats are filling up fast.

Here’s your chance to mingle with and listen to the names you’ve seen on mailing lists as well as some BSD icons. I already had a chance to meet Greg Lehey at EuroBSDCon 2004, but it’s great to see him coming over to this side of the pond. And after meeting Kirk McKusick last fall, I am really looking forward to meeting another CSRG member, Sam Leffler. There are also some surprises which will be revealed at the conference. I’ve tried getting hints from Dan Langille over beer and pizza, but even I’ll have to wait for BSDCan to find out!

I’ll also be manning the registration booth so don’t forget to say hi when you register.

And this one just in: a reader emailed me to let me know of a Hungarian BSD portal.

Daemonnews has put out a call for contributions. Check it out if you have some time to donate and would like to help contribute to the BSD community.

The folks at NYCBUG have created a searchable database of companies that use or support BSD. They also have a submission form should you wish to add a new resource.

I’ll be writing later on this spring regarding several other initiatives which are in the works but are not quite ready to be announced yet. See you then.

Justin Clarke


Related link: http://www.kurobox.com

So, it runs on a PowerPC processor, and already runs a working Linux environment. It has a thriving user community in Japan as well as a starting-to-thrive US community. All you need to do is throw in a hard drive. This is probably the most hackable device since the TiVo for the amount of creative stuff you could potentially do with it.

All in all it looks really cool. Now all I have to do is figure out how to convince myself I need it for some project around the house :-)

Justin Clarke


So, my iBook sits on my desk like an unloved little brother to the Dell laptops I use for my daily working activity.

Since I love my little iBook, perhaps not as much as I would a nice shiny new Powerbook (but that’s neither here nor there), I am looking for some little utilities/conveniences that would make my life easier under OS X - those little killer apps for the Mac.

So the question is: What freeware, Open Source, or (cheap) shareware apps and utilities am I missing that I would look back and go “how did I live without that?”

Anton Chuvakin


Related link: http://www.honeynet.org/papers/bots/

If you are looking to read something on security today, read this report from the Honeynet Project. From what I’ve seen, it is by far the most comprehensive study of bots and botnets, deployed by attackers for various purposes. Some tools to help with your own bot analysis are also provided.

Kyle Rankin


Related link: http://www.heise.de/english/newsticker/news/56987

Klaus has released the latest version of Knoppix, 3.8, to the crowd at CeBIT 2005. This version includes the normal round of updates including the 2.6.11 kernel by default, KDE 3.3.2, and Firefox and Thunderbird instead of Mozilla. The exciting news, however, is the addition of UnionFS. UnionFS stacks your Knoppix ramdisk on top of the read-only filesystem on the CD, the effect being that you can apt-get install, and otherwise modify all of the files on the system as though they were all writeable. Here I’ll go over why I think this is going to change Knoppix in a major way.

One of the struggles with using Knoppix day-to-day as a portable distribution has always been the fact that the majority of the CD was read-only. You had a nice ramdisk sandbox that let you write within the /home directory, and tinker in /etc if you changed some of the symlinks. If you wanted persistence, there was a nice script that created a small filesystem on writeable media like a usb thumbdrive and used it to store your home directory.

The Problem

The problem, of course, is that you couldn’t install new programs with this method. All of /usr is read-only. Over time various methods have been introduced to try to hack around this by redirecting binaries into the /home directory and changing various system paths. The live software installer that came with previous versions of Knoppix is one example, and klik is another. These worked okay, depending on the program, but in some cases relied on hacks such as using scripts to search and replace file paths within binaries.

The Solution

Enter UnionFS. With this system, basically every segment of the filesystem is read-write. UnionFS keeps track, on the fly, of which files you have modified (those copies are stored within the ramdisk) and which are unmodified. When you access a file in the filesystem that has been modified, UnionFS points you to the copy in ramdisk instead of the copy on the CD-ROM. This means that if you, say, want to install the enlightenment window manager, all you would need to do is:

knoppix@2[knoppix]$ sudo apt-get update
knoppix@2[knoppix]$ sudo apt-get install enlightenment

You can install programs just like with Debian. They all get installed to their regular locations, and if you check out the /ramdisk directory on the CD, you will see a mirror of the root directory structure (or at least the directories that have been modified) and can see all of the files that you have changed. You can even use your favorite graphical packaging program (if you have one) to install packages.

This also means that if you set up a persistent home directory, you can potentially back up all of these changes and restore them at boot. In fact, Knoppix 3.8 already has a modified persistent home script that does just this (although it’s still a beta feature so expect to see bugs here and there). Knoppix can even detect when you have done this on a drive when it boots, and will let you choose what features to restore from this image (if any). If you let it time out, Knoppix does the safe thing and doesn’t load any of the settings.

The latest persistence script also automates the process of setting up an AES256-encrypted home directory, so if you are concerned about the security of your persistent image you can enable this option, type in a passcode, and Knoppix does the rest.

I really think UnionFS is going to take Knoppix to a whole new level of ubiquitous computing. You can truly use the CD just like any other installed CD, and with the prices of usb thumbdrives continuing to drop, you can basically install anything you would like. Major changes, such as replacing KDE with Gnome, probably will still work better if you do a full remaster, but I expect all of the Knoppix-based live CDs (if they are smart) will incorporate this technology into future releases.

Can you tell that I’m excited about this? Like I said, currently it seems to be a bit buggy (on a few of my machines I seem to get some instability after I restore from an image), but I imagine that sort of thing will be ironed out once the “download version” of Knoppix 3.8 hits http://www.knoppix.org.

Kyle Rankin


Related link: http://www.timesonline.co.uk/article/0,,2-1487674,00.html

Bruce Schneier has linked to yet another study that shows that people don’t securely delete data from drives before selling them. This group purchased 111 supposedly clean hard drives and recovered a lot of sensitive information including “national insurance numbers, evidence of a married woman’s affair and detailed biographical information about children.” I think the major issue is that your common guy thinks that formatting the drive is the solution to erase data, and anything more sophisticated than that is too difficult or expensive. Here I’ll show you how to easily shred a drive using free Open Source tools.

The basic problem with a regular format of a hard drive is that it generally doesn’t actually go back and scramble all of the data. Generally the data is sitting there waiting for someone with low-level tools to recover it. Even if you do a “low-level format” and write over the full drive with zeroes, there’s still a chance that an individual with the right (albeit expensive) equipment can recover data from the drive. Even though the equipment is expensive, that’s a minor issue if the data to be recovered is worth even more (such as company trade secrets, etc.). Because of the magnetic nature of hard drives, even when a sector on the drive is written to, it doesn’t necessarily mean the previous data is completely overwritten. Often you can pick up a trace of the previous write.

The solution to this issue is to write over the drive multiple times with random data; that way, any real data that is on there is scrambled by random data that will very likely overwrite its place on the drive. Doing this isn’t as hard as it might seem, and doesn’t actually require any script-fu. All you need is some sort of bootable Linux distribution, such as Knoppix, that has the “shred” tool installed.

Shred is designed primarily to securely delete files on the system. When you shred a file, shred not only unlinks it, but it also overwrites the sectors on the drive 25 times with random data. Since “everything is a file” on a UNIX system, you can use this to shred the entire partition or even the entire drive.

First, boot your bootable Linux distribution. You don’t need a graphical desktop for this operation, just a terminal, so if it can boot directly to console, save yourself some time and go that route (under Knoppix you’d boot with the knoppix 2 cheat code).

The next step is to identify the partition. If you only have a single IDE drive on the system, likely it will be /dev/hda and if it has a single partition, it will probably show up under /dev/hda1. If you are unfamiliar with Linux and what device your drive will show up as, in the case of a Knoppix CD you can just boot to the full graphical environment and look at the name of the hard drive icons on the desktop for a clue.

After you have identified the partition to shred, the next step is to actually shred it. You will need root permissions for this (most console modes on rescue CDs will automatically give you root permissions) since you are writing directly to the hard drive. Then, run:

# shred -n 2 -z -v /dev/hda1

What this tells shred is to overwrite the partition 2 times with random data (-n 2), then finish it up by writing over it with zeroes (-z), and show you its progress (-v). Of course, change /dev/hda1 to whatever your partition is. Each pass can take some time, which is why I set it to only do 2 random passes instead of the default 25. You can adjust this number, of course, to your particular level of paranoia and the amount of time you have.

Since shred writes at such a low level, it doesn’t actually matter what kind of filesystem is on the partition: everything will be unrecoverable. Once shred is finished, you can shut down the machine and sell or throw away the drive with peace of mind.
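As an added example (not from the original post), here is a small POSIX shell wrapper around the procedure above that refuses to run against anything that is not a block device, anything currently mounted, or without root, before invoking GNU shred with the same flags. The function names, the two-pass default and the optional mounts-file parameter (so the mounted check can be exercised against a constructed list instead of /proc/mounts) are my own choices.

```shell
#!/bin/sh
# Safety wrapper for wiping a partition with GNU shred, as on a Knoppix CD.
# Assumes GNU coreutils shred and a Linux /proc/mounts.

# Return 0 if DEVICE appears as a mounted source in MOUNTS_FILE
# (default /proc/mounts); an unreadable mounts file counts as "not mounted".
is_mounted() {
    device="$1"
    mounts="${2:-/proc/mounts}"
    awk -v dev="$device" '$1 == dev { found = 1 } END { exit (found ? 0 : 1) }' "$mounts" 2>/dev/null
}

# Print the shred command line: PASSES random passes, then a final zero pass,
# with progress output. PASSES must be a positive integer.
shred_cmd() {
    device="$1"
    passes="${2:-2}"
    case "$passes" in
        ''|*[!0-9]*|0) echo "invalid pass count: $passes" >&2; return 1 ;;
    esac
    printf 'shred -n %s -z -v %s\n' "$passes" "$device"
}

# Run the checks and then shred. A mounted partition is almost never the one
# you meant to destroy, and shredding it would corrupt the running system.
wipe_partition() {
    device="$1"
    passes="${2:-2}"
    if [ ! -b "$device" ]; then
        echo "$device is not a block device" >&2; return 1
    fi
    if is_mounted "$device"; then
        echo "$device is mounted; unmount it first" >&2; return 1
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "must be root to write to $device" >&2; return 1
    fi
    cmd=$(shred_cmd "$device" "$passes") || return 1
    echo "running: $cmd"
    $cmd
}

# Usage from a root console on the live CD: wipe_partition /dev/hda1 2
```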

Does your company have a data shredding policy?