March 2006 Archives

Roger Weeks

I discovered a stupid bug in Apple Mail today.

I have an SSH tunnel set up on my PowerBook back to a Linux machine at work so I can securely check my IMAP mail from open wireless networks. Today in class I found that the wireless network I’m on blocks outbound port 25, so I set up the SSH tunnel to take port 25 traffic back to my SMTP servers. This is a really cool trick, and you can do it all on a single SSH line:

ssh user@some.server.org -L2143:mail.server.org:143 -L2525:mail.server.org:25

This opens an SSH session to some.server.org, and then forwards your local port 2143 to mail.server.org:143, and likewise for port 25. You can chain as many of these ports as you need into a single SSH session.

So I set up the outbound server in Mail to “localhost:25”. No luck, Mail was having none of it. I could telnet to localhost 25 from the command line just fine. My IMAP connection is localhost:143 and that works in Mail. Puzzled, I tried 127.0.0.1:25 and THAT works.

How on earth did that happen? These preferences are in the same pane in the Mail Preferences. Someone had to specifically code Mail to allow “localhost” for IMAP, but not for SMTP.

Dumb.

Chris Josephes

A friend of mine asked a question on a mailing list about their root password policy. In a pool of 500 or so servers, the root password is changed at regular intervals, whenever there are personnel changes, or if a non-administrator learns what the password is. Each host gets a unique root password.

Each password is then recorded on paper that is securely locked away in the appropriate data center. It is used as a last-resort password escrow. If a non-admin person ever needed to, they could open the envelope and retrieve the root password that they needed.

With 500 servers, that procedure becomes a bit of a burden. Changing the password is easy. Putting together 500 envelopes is a different matter. My friend asked for ideas on how to simplify the procedure. The only constraint was that he still required unique root passwords on each host.

One idea that came to mind was generating the passwords from a shared secret. By using a hashing function, a unique password could be created from the secret string and the hostname of the server.

#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA1 qw(sha1_base64);

my $secret = "foo";         # the shared secret held in escrow
my $host   = "mailhost5";   # hostname of the server being set up

# Per-host password: the first 8 base64 characters of SHA1(hostname . secret)
print substr(sha1_base64($host . $secret), 0, 8), "\n";

The downside to this is that the non-administrator would need some sort of host access in order to re-hash the password.
As an alternative, there are simpler substitution ciphers that could be used; the caveat is making sure that the cipher can still create unique root passwords that are significantly different from host to host.

Another issue is that the non-root user now has a secret that could potentially give him root access to many hosts. To minimize this, a different secret key could be used for each datacenter, or host group. Reducing 500 envelopes to 25 or 50 envelopes still improves password management significantly.

Anton Chuvakin

Admins spend hours looking at logs and sorting through various log “esoterica.” I am sure many of my readers have at some point exclaimed ‘there’s gotta be a standard’…

Here is an interesting piece from Computerworld written by Oracle CSO Mary-Ann Davidson. She indicates that NIST is taking charge in defining a common audit log standard. Can it actually happen? Maybe, if NIST can leverage the US government’s purchasing power and demand support for such a standard from all kinds of log-producing device and software vendors. I would not say that the chance is very high, but - unlike earlier standard projects that failed, such as IDMEF and CIEL - this one seems to have the right players in place…

Just imagine the world where all the logs look the same :-)

Anton Chuvakin

So, a while ago I did this poll on network intrusion prevention mishaps. What are the results and what do they tell us?

* Block and NOT alert you on the threat at all (45%)
* Alert but NOT block the threat (29%)
* Block and NOT tell you what specifically was blocked (18%)
* What is an intrusion prevention system? (5%)

So, as was pretty obvious, the majority of respondent NIPS users (45%) would be pretty upset about silent blocking - the first case above. And the hidden motivation for this poll was actually a story relayed to me by a friend who was recently involved in a “major” NIPS evaluation for a “leading” magazine. It turns out that one of the common NIPS devices is afflicted by that very thing - silently dropping certain suspicious packets without any record in the logs. Just think “broken application troubleshooting” and be terrified about the wasted hours of system/network administrator time…

Tom Adelstein

Employee turnover in most organizations runs high. So unless you run a small shop with a stable user base, you need to learn how to clean up after an employee leaves. Too many so-called system administrators do not understand the stakes involved when they manage users. Disgruntled former employees can often cause significant trouble for a company by gaining access to the network.

To remove a user, you need to learn to manage all of his or her files, mailboxes, mail aliases, print jobs, recurring (automatic) personal processes such as the backing up of data or remote syncing of directories, and other references to the user. It is a good idea at first to disable the account in /etc/passwd, after which you can search for the user’s files and other references. Once all traces of the user have been cleaned up, you can remove the user completely, but if you remove the entry from /etc/passwd while these other references exist, you have a harder time referring to them.

When you remove a user, it’s a good idea to follow a pre-determined course of action so you don’t forget any important steps; it may even be a good idea to make a checklist so that you have a routine. Following, you will find several items requiring attention.

The first task is to disable the user’s password, effectively locking him out. For example:

# passwd -l bwilson

Sometimes it’s necessary to temporarily disable an account without removing it. For example, the user might go on maternity leave or take a post for 90 days in another country. You may also discover from your system logs that someone has gained unauthorized control of an account by guessing the password.

The passwd -l command is useful for these situations.

Next, you have to decide what to do with the user’s files.

Remember that users may have files outside their home directory. The find command can find them:

find / -user bwilson

You can then decide whether to delete these files or keep them. If you decide to delete them, back them up in case you need data from them later. As extra security, you can change the user’s login shell to a dummy value. Simply change the shell field (the last field) of the user’s entry in the passwd file to something like *.

If your organization uses Secure Shell (SSH, usually provided on Linux by OpenSSH) and you allow remote RSA or DSA key authentication, a user can get access to the system even if the password is disabled. This is because SSH uses separate keys. For instance, even after you have locked Brian Wilson out of your system using the steps shown up to now, he could get on another computer somewhere and run a command such as:

bwilson:~$ ssh -f -N -L8000:intranet.yourcompany.com:80 my.domain.com

This forwards traffic to port 80 (the port on which a web server usually listens) on your internal server.

Obviously, if your system offers SSH, you should remove authorized keys from the ~bwilson/.ssh or ~bwilson/.ssh2 directories in order to stop a user from regaining access to his account this way.

Likewise, look for shosts and rhosts files in the user’s home directory: ~bwilson/.shosts and ~bwilson/.rhosts.

Also, check to see if the user still has any processes running on the system. Such processes might act as a backdoor to allow a user into the network. The following command will tell you if any are running currently.

# ps aux |grep -i ^bwilson

Some other questions a system administrator might ask about a personal user who has left the company include:

Could bwilson execute Common Gateway Interface (CGI) scripts from his home directory or on one of the company’s web servers?

Do any email forwarding files such as ~bwilson/.forward exist? Users can utilize forwarders to send mail to their accounts and cause programs to be executed on the system where they supposedly do not have access.

Sealing the home directory

You will often find that management wants to retain the information in the directory of an employee who leaves. All the email and other documents in a personal user’s account belong to the company. In the event a disgruntled former employee becomes litigious, the company’s legal counsel may want these files. Many analysts consider keeping such directories good practice. You can save the contents of a user’s home directory by renaming it. Simply execute a move command:

# mv /home/bwilson /home/bwilson.locked

In this way, the former employee cannot log in or make any use of configuration files such as the .forward file discussed in the previous section. The contents remain intact if needed later.
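The checklist above is easy to skip a step of by hand, so here is an added read-only audit script (my example, not part of the original article) that reports every leftover the article names for a departed account: files owned outside the home, SSH key material, .shosts/.rhosts, a .forward that pipes to a program, home-directory CGI, and live processes. The public_html/cgi-bin location is an assumed layout, and the SEARCH_ROOT argument stands in for / so the function can be exercised on a constructed tree.

```shell
#!/bin/sh
# Offboarding audit for a departed account (added example, not from the article).
# Read-only: it reports the leftovers the checklist above names so the
# administrator can act on each one; locking, backup and removal stay manual.
# Usage: audit_user bwilson /home/bwilson /

# audit_user USER HOME_DIR SEARCH_ROOT
# Prints one "kind<TAB>path" line per finding. SEARCH_ROOT stands in for "/"
# so the function can be exercised on a constructed tree.
audit_user() {
    user=$1; home=$2; root=$3

    # Files the user owns outside the home directory (the "find / -user" step).
    find "$root" -path "$home" -prune -o -user "$user" -print 2>/dev/null |
        while read -r f; do printf 'stray-file\t%s\n' "$f"; done

    # Key material that would let the user back in after "passwd -l".
    for d in .ssh .ssh2; do
        if [ -d "$home/$d" ]; then
            find "$home/$d" -type f 2>/dev/null |
                while read -r f; do printf 'ssh-dir\t%s\n' "$f"; done
        fi
    done

    # .shosts/.rhosts grant password-less logins from trusted hosts.
    for f in .shosts .rhosts; do
        if [ -e "$home/$f" ]; then printf 'trust-file\t%s\n' "$home/$f"; fi
    done

    # A .forward can run a program on delivery ("|cmd"), not just redirect mail.
    if [ -e "$home/.forward" ]; then
        if grep -q '|' "$home/.forward"; then
            printf 'mail-forward-pipe\t%s\n' "$home/.forward"
        else
            printf 'mail-forward\t%s\n' "$home/.forward"
        fi
    fi

    # Home-directory CGI; public_html/cgi-bin is an assumed layout, adjust to yours.
    if [ -d "$home/public_html/cgi-bin" ]; then
        find "$home/public_html/cgi-bin" -type f 2>/dev/null |
            while read -r f; do printf 'cgi\t%s\n' "$f"; done
    fi

    # Processes still running as the user (a possible backdoor).
    ps -u "$user" -o pid= -o args= 2>/dev/null |
        while read -r pid args; do printf 'process\t%s %s\n' "$pid" "$args"; done
    return 0
}

# disable_shell_line PASSWD_LINE
# Returns the /etc/passwd entry with its last field (the login shell) replaced
# by "*", a path that does not exist, so the account can no longer get a shell.
disable_shell_line() {
    printf '%s:*\n' "${1%:*}"
}
```

Run it before the final `mv` of the home directory and again afterwards; the second run should report nothing but the files you intend to keep.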

Justin Clarke

I recently had the need to generate some flash demos to demonstrate the Oedipus Web Scanner in action. Since I don’t happen to have one of the commercial Flash demo generators handy at home (I use Viewlet Builder for Linux at work) I decided to see what I could get done with an all Open Source solution.

I quickly found vnc2swf, for recording a VNC session as a Flash movie. There are two versions of vnc2swf, one in C and one in Python - I ended up using both in my case. A cool feature both versions have is that they generate an HTML file that you can use to display the Flash file you just created. The Python version, which is the one under active development, generates a nice Javascript progress bar and pause button in this page, which I ended up using verbatim for my demo pages.

Since I was recording on Linux I installed TightVNC as my VNC server (you can use any VNC server, such as RealVNC or UltraVNC, or the original VNC if you still use it).

Running vncserver on Linux starts a separate X Windows session that can have its own programs running. This was perfect for my needs; however, if you need access to your entire desktop for some reason you could use x11vnc for this. For the purposes of what I needed, I configured my VNC session to run gnome-terminal and metacity so I could get a Gnome-style capture. You do this by configuring the $HOME/.vnc/xstartup file on the server. This is what mine looks like:

#!/bin/sh
xrdb $HOME/.Xresources
xsetroot -solid grey
gnome-terminal &
metacity &

After this is all set up, we point vnc2swf at the vncserver. In my case, the options I used (using the C version of vnc2swf) were similar to this:

vnc2swf -startrecording -geometry 800x600 -depth 16 -framerate 5 \
~/moviename.swf hostname:1.0

After recording a satisfactory demo, I recorded an audio commentary as a 44kbps WAV file, compressed this to a 24kbps MP3 file using LAME, and added this to the original Flash file (and did some compression as well) using edit.py from the Python version of vnc2swf as follows:

edit.py -a audio.mp3 -c -o output.swf original.swf

And we’re done! I should note that one of my audio files was a few seconds too long. I used Audacity to “speed up” the file so that it fit the length of the flash movie.

For reference, the demos I recorded are here and here to see what kind of quality I ended up with.

Final Note: A colleague pointed me to Wink after I had completed this. I will be trying this next time I need to do a software demo.

Tom Adelstein

If you think that a Linux advocate cannot make an objective analysis of desktop operating systems, then you need to read this report. You may find yourself surprised with some brutal honesty that leaves out the free software philosophy.

All three desktop operating systems have admirable qualities. Each has some weaknesses. Attending a recent User Group Fair, I had another chance to see them at work. Having used and programmed on each platform provides some unbiased insights.

Background

I have owned several Macintosh computers. I had new world and old world bios machines including several older 6500s, 7600s, etc. that would not take OS X. I also had a blue and white, a beige workgroup server, Power Mac G4s, a Cube, iBook, etc. I remember making the transition from OS 9 to OS X. I liked it.

I used Microsoft from the DOS days to early Windows 2.0, 3.0, 3.11, Windows 95, 98, ME, NT3.51 - 4.0, 2000 and XP. I still have the licenses and media for everything since Windows 3.1. I managed large IBM networks with OS/2 on the desktop and LAN Server 3 as the server. I won’t get into my NetWare experience.

I used Solaris, AIX and Linux starting with Slackware 3x. I even ran Red Hat on Sun IPCs, Sparc 5 and 10 workstations. I’m now using SUSE SLES and Pro, RHEL, Fedora, Debian and Ubuntu for daily use on servers and workstations.

Each system has a different programming architecture, with OS X a little closer to Linux than Windows. OS X uses a UNIX architecture to run its internals. However, the OS X desktop interface does not resemble Linux or other Unices, which depend on X. You can use X on the Mac natively.

Windows has a completely different programming structure from OS X and Linux. Windows relies heavily on its user interface, which has evolved over time. Programming involves using Windows shell extensions. XP uses the NT kernel to manage file systems, internals and communication with the graphical shell.

OS X and Linux use completely different schemes with kernel extensions and independent programs running inside the user interface shell. The UNIX shell runs independently in what kernel developers call userland.

UNIX and Linux programmers consider their programming methods preferable to Windows. Windows developers consider the interface extensions easier to use and better suited to rapid application development. Each has merit when you look at them objectively. Of course, Macintosh developers will say that since they moved to the UNIX method they experience more stability.

Macintosh

I started with the first Mac configured as a desktop publishing machine. I remember liking it because it cut costs we otherwise spent on typesetting, graphics, paste-up, etc. Then I started using the Mac as a production machine at a DoE lab.

For personal use, I used the Mac for graphics, audio productions and developing web sites. OS X made a huge difference since I didn’t have to reboot in the middle of working. I also knew my way around UNIX and that allowed me to use Internet applications I hadn’t used previously.

I found the developer tools useful. I enjoyed the interface. I found myself exploring more of the system when I purchased “OS X, the Missing Manual”. The same book helped me discover ways of using Windows and Linux I hadn’t known previously.

Windows XP

I recall using XP for three months without having to reboot it. I don’t remember that happening before. I started collecting Microsoft Certs when Windows 95 arrived. I had used Excel 5 and Access to develop financial tools. Later, I became a sysadmin and ran a couple of large NT networks.

XP appeared safe behind our firewall. After three months, my system became sluggish and prone to malware. I did maintenance on the system regularly, including defragmenting the disk, deleting unnecessary files and checking the registry.

I liked XP better than any previous Microsoft OS and still have one workstation running in my lab. I programmed on XP when it first arrived to help build a plug-in or Exchange Client Extension for Outlook that allowed it to run on a Linux groupware server. The server peered with Exchange and used free software components like exim, apache, OpenLDAP, Cyrus IMAP, etc.

Comparison

I have combined information from surveys, analysts reports and personal experience to prepare this comparison of each system. I have a personal bias for Free Software, but I’m wearing my certified analyst hat in an effort to remain objective.

Ubuntu

For programming, administration, a replacement for a UNIX workstation and a moderately performing desktop, Linux works well. Using key applications such as the OpenOffice.org productivity suite, Evolution for a mail client, GAIM for instant messaging, Firefox as a web browser, GIMP for graphics, CUPS for printing and Samba for interoperability, Linux has a lot going for it. It also uses fewer resources than other operating systems.

Ubuntu works fine for comparison purposes. Ubuntu has in excess of 25% of the Linux desktop market which compares to number two SUSE with 11.4% of the market. So, I’ll use Ubuntu to represent the Linux desktop in this report.

Like all Linux desktops, Ubuntu has limitations. It lacks applications such as Photoshop, Framemaker, Pagemaker, Visio, Access, Quickbooks, a PDF converter, legal DVD players and most importantly income tax preparation software. Without those applications ported directly to Linux, Ubuntu remains a mid-level desktop.

I use Ubuntu for 12 or more hours a day. So, I’m not complaining about the lack of those applications. I have found GIMP an adequate replacement for Photoshop and I just completed a 30 day testing period for the latest distribution of Photoshop.

The Linux desktop has many advantages over its counterparts for developers, especially when it comes to programming web services, porting applications and engineering tasks. It runs on moderately priced hardware and takes less memory for graphics-intensive software. I can use 512MB of RAM to perform the same jobs that require 1GB of RAM on other systems.

All in all, Ubuntu does an exceptional job replacing UNIX workstations and has a superior desktop. It fits mid-level desktop users and works for about 80 to 90% of enterprise users.

Home users find it a good operating system especially for stability, ease of use and for those who can legally use applications like Xine, Mplayer, etc. for audio and video software which only plays on the Mac and Windows in the US.

A modified Ubuntu will give the user all he or she might want, with the exception of tax preparation software. With that in mind, you will find tax preparation capabilities online at tax prep web sites.

For other applications, Codeweavers Crossover office provides an environment for using Windows applications in Linux. VMware and Win4Lin work for some users who need some Windows applications. TransGaming Technologies provides similar emulation for popular Windows Games.

Windows XP

XP provides an adequate operating system for hosting a number of applications. The large volume of sales seduces Independent Software vendors like Adobe, AutoDesk, Intuit, Corel, Cyberlink, RIM and others to primarily write to the Win32 API. Microsoft’s own applications run well under the XP environment.

Windows XP comes preinstalled on every computer manufacturers’ products with the exception of Apple. The lower cost of the software to OEMs versus the high cost to retail customers keeps XP on the vast majority of computers. The low cost to manufacturers like IBM, HP, Dell, Gateway and second tier or white box manufacturers allows them to modify their software and hardware to run XP.

Microsoft has improved Windows XP since its debut by adding numerous security patches and service packs. With the large number of systems deployed, Windows XP has vulnerabilities to malware. XP remains popular with the majority of PC users.

Windows XP does not compare favorably with Linux, Macintosh or UNIX variants as a development platform. Microsoft’s development tools work strictly on Windows and do not allow for interoperability amongst desktops such as the Mac, Linux or systems running non-Intel based processors. That doesn’t seem to bother XP users since their access to Microsoft Windows based applications remains abundant.

Windows’ installed base means many people already have training on the system as end users. That creates a barrier to adoption of other systems. A large number of Microsoft Certified System Engineers exist. Those engineers and product specialists can fix user problems quickly. They also see no need to move to a different platform.

Cost savings do not play to Microsoft’s advantage despite their attempt to convince people with their “Get the Facts” campaign.

Macintosh OS X

Macintosh OS X runs on a limited number of hardware devices, which allows Apple Computer to offer a stable and high-performance product overall. Apple’s entry-level products such as the Mac mini provide a low-cost, high-value multimedia platform.

Apple’s high-end desktops such as the Power Mac G5 with dual and quad dual-core PowerPC processors provide remarkable performance for the graphics and multimedia user. The Powerbook occupies a similar place for developers and authors. A number of people also use the high-end products as servers and for development.

Apple remains the major innovator in the PC space. Apple makes superior display units and peripherals. Users have shown they will pay more money for Apple’s products because of the high levels of performance and innovation.

While Apple has had critics in the past for its lack of software offerings much of that has changed. OS X provides more than just an adequate host for proprietary offerings such as Intuit financial products, the majority of Adobe offerings and Microsoft’s productivity suite. Apple also benefits from the Free Software offerings Linux users have become accustomed to seeing. Apple also provides a wide range of native applications such as DVD players and multimedia utilities.

Apple Macintosh does not fare well for mid-level PC users the way Linux might. The lack of operability on commodity hardware makes Apple a specialty product in the enterprise. People who can afford Apple products have a special devotion to the Mac and OS X.

A Closer Look

Macintosh with OS X and Microsoft Windows XP have an advantage over Linux in the area of education, where curriculum demands exist for things such as foreign language courses. The inability to provide for educational demand holds Linux back.

Until commodity hardware manufacturers and Independent Software Vendors make their products available for Linux, the demographics in the desktop area will remain fairly constant. The exception remains in the mid-level desktop area. Analysts will continue to tout Windows for enterprises until ISVs port their software offerings to Linux or until adequate replacements exist.

For both hardware and software manufacturers the prospects of creating offerings for Linux involve significant risks. For example, an ISV may not recover Research and Development costs since the Linux community prefers free software.

Secondly, the continuous development cycle concerns companies like Adobe and Intuit whose cost could increase with every release and upgrade of Linux. Ubuntu has a six month release cycle and replaces applications and libraries continuously. This scares ISVs.

If ISVs could come up with a solution to Linux’s continuous upgrade cycles, they still have unknowns with regard to whether Linux would take off as a desktop alternative to Microsoft. Possibly, the availability of Adobe and Intuit products could supercharge Linux.

Some companies have taken that risk with UNIX desktops and got burned badly. In the interim, Windows will remain the preferred desktop for the masses. Macintosh will remain the connoisseur’s choice of operating systems. Ubuntu will continue as a mid-level desktop and a popular platform for developers.

Anton Chuvakin

The poll on “What do you do with system logs?” aims at learning “best practices” for system, network and security log storage and analysis.

Again, I will comment when the results trickle in.

Justin Clarke

Related link: http://www.schneier.com/blog/archives/2006/03/class_break_of.html

I was just reading on Bruce Schneier’s blog about Citibank cancelling ATM/debit cards, when used overseas in the UK, Canada, and Russia. These cards were (apparently) previously compromised from a US retailer a year ago, leading me to believe this is: a) not something Citibank is perhaps at fault for… but certainly b) could have been handled a hell of a lot better.

This reminds me of the relatively new mandatory disclosure laws in California, New York, and Ohio, and leads me to wonder whether the people involved were ever informed that their information had been stolen? Certainly the California law was in effect at the time (the New York law went into effect in December 2005, Ohio last month), so I wonder if the people in California had been notified?

Anton Chuvakin

Here is a fun piece that I wrote recently, based on some stuff I read in the security media. I was planning to publish it elsewhere, but this place is as good as any other :-)

Will security ever get done?
by Anton Chuvakin

Here is a fun thing to think about: with security, will we ever really be “done”? Before you, my esteemed security colleague, emphatically scream “NO!”, let us consider this – admittedly philosophical – problem in depth. There is also a related question that we will try to answer en route to the above, more general pursuit: will security become so boring that only boring people will do it (something akin to physical security guards)? In addition, we will touch on another “messy question,” the one of “security consolidation”, that has generated some attention lately (see, for example, this, this or this, where some pundits and pundit wannabes spout about it…)

Before we hear some pro and con arguments, let’s stop and think for a second: what security are we talking about? Network security? Software security? IT security? Data security? Or, information security in general? I would prefer to have this question answered for the broader information security realm.

So, why do some folks think that the “security problem” will be solved in the future?

  • OS and application vendors will improve the security of their wares and gear so that security problems will not gather as much attention as now
  • Network infrastructure vendors will “embed” security in their offerings and thus address a wide range of current “top shelf” security problems, such as worms, overall reducing the importance of security
  • Similarly, large security companies will combine all sorts of defenses into largely automated “security bundles” and will “protect everybody” with them
  • As new technologies develop, people will learn from the mistakes that plague us now and will start doing things right from scratch (e.g. IPv6 vs IPv4 situation)
  • In particular, new software projects will “build security in” and thus will not provide such a huge attack surface as do the current “crapware” products
  • IT users, both home and the enterprise kind, will finally be educated and thus will avoid the most costly security mistakes, such as running untrusted code (OK, this one is just a tad too naïve to be mentioned here, if not for the sake of completeness)

Did I miss any? Feel free to comment or email me and I will update the list.

Why do others violently disagree?

  • New technologies that use the Internet and whatever other future networks will come out, some say at an increasing pace, and thus result in a dramatic increase in the number of “things to steal, break and abuse”
  • Overall increased connectivity will also enable new attacks and open new exposures, thus needing novel, creative solutions
  • In general, new threats will always be there because there is no shortage of people who are at once smart, creative and evil
  • Increased reliance on IT systems will strengthen the resolve of cyber-criminals and all sorts of other bad guys to “go cyber” instead of committing “normal” crimes (“…since that is where the money is”)
  • New uses of old technologies – networked fridge anyone? – will also open holes and exposure in the areas where none mattered before (SCADA security is one fine example)
  • Economics always favors fast product delivery and thus lowers the quality of released current and future software; even though it might be devoid of obvious and easily found flaws, it will still be exploitable
  • Increased regulatory pressure will sometimes create the need for new uses of security technologies or even motivate people to create entirely new security technologies (scalable log retention for compliance comes to mind)


Did I miss any here? Feel free to comment or email me and I will update this list as well.

In addition, some folks aggressively attack the pro arguments instead of coming up with their own cons. Specifically, they claim:

  • OS and other infrastructure vendors will always lag behind, since, by the very nature of being large established companies, they cannot respond to the “fast lane” rate of threat change
  • IT users will not learn and in fact will become worse, since the overall population is getting dumber (note that I am not sure I agree with this one…)
  • Software developers will also not learn from the mistakes and, in fact, will repeat them, since economics seems to favor bad software quality


Let’s step back and try to come up with – no, not the compromise, that’d be silly :-) – the conclusion. Here is what I think the answer is.

Certainly, there will be consolidation in the security market, and defenses will get embedded in both operating systems and network gear, eliminating some of the standalone network and system defense solutions. It is also likely that some types of bugs will be eliminated, if not by the good will of developers then by changes in the commonly used programming languages.

But, on the other hand, the explosive combination of the march of ever-more-critical new connectivity technologies with the presence of dedicated evildoers will, in my opinion, guarantee that information security will remain relevant, vital and fun for years to come! Security technology innovation will not dry up any time soon.

Dr Anton Chuvakin, GCIA, GCIH, GCFA is a recognized security expert and book author. A frequent conference speaker, he also participates in various security industry initiatives and standards organizations. He is an author of the book “Security Warrior” and a contributor to “Know Your Enemy II”, “Information Security Management Handbook” and the upcoming “Hacker’s Challenge 3”. He has also published numerous papers on a broad range of security subjects. In his spare time he maintains his security portal http://www.info-secure.org and two blogs.

Anton Chuvakin

Recently, I picked up on some fun discussion on system log admissibility in court. Here is a summary of several posts by others, and my comments as well.

Overall, it’s a fun but very confusing and esoteric subject…