Linux kernels now support encrypted filesystems. Setting one up should take 5 minutes, or 3 hours if you’re like me and can’t read.

Firstly, install the right tools: apt-get install cryptsetup

Make a new partition, and initialize it with: cryptsetup luksFormat /dev/sda3 mycrypto

Where /dev/sda3 is your newly created partition and ‘mycrypto’ is your name for the container.

You will be prompted to type YES in uppercase to confirm your understanding that your partition is about to be wiped. If, like me, you type ‘yes’ in lowercase, it will fail with “Command Failed.”. You’ll then spend hours checking for loaded kernel modules, log files, and trawling google for more information. The answer is to type ‘YES’ in uppercase as you’re told

Enter a passphrase, and you’re ready to go.

Next, ‘open’ the container. cryptsetup luksOpen /dev/sdb3 enter the passphrase, and you should at this point end up with a /dev/mapper/mycrypto

Format with your desired partition mkfs.ext3 /dev/mapper/mycrypto

Then, you can mount /dev/mapper/mycrypto as you would any other block device: mount /dev/mapper/mycrypto /mnt/my_mount_point

To close the container:
umount /dev/mapper/mycrypto
cryptsetup luksClose mycrypto

Easy

Having recently moved to a new apartment, one of the first things that I decided to do was build an RC entry system

Here’s some pictures:

The black box at the top is a simple Velleman RC control kit and the black box below is a 240VAC->12VDC regulated converter.  The Velleman RC receiver has two relays, one connected to an electric strike lock and the other connected over the button input in the entryphone which unlocks the main door.

On the RC transmitter there are two buttons, and as they are currently connected, one opens the main door and one unlocks the electric strike on the apartment door, with a 5 second timer on each.

This works well so far and I have paired the transmitters with the receiver so that default unpaired transmitters will not activate the relays. A few weeks on, having already locked myself out once, the next step is to extend this project.

I intend to have the RC transmitter connected separately to some embedded linux board, probably the spare Alix and Phidgets boards I have from the robot I built a while ago. The linux board will signal over a separate frequency to this door entry system. The linux board will perform a variety of functions from logging entries to automated surveillance.  Additionally the linux board will have net access and possibly run asterisk. I can either SMS my way in or alternatively call in to asterisk and do some voice authentication. More to follow when I actually have time to get this done..

Websites get hacked every day, customers details taken, and it’s usually REALLY EASY to do. As a security consultant,  I often get a call after a Google search turns up with my details as the guy to contact when this happens.

Shameless plug: Why not contact me BEFORE this happens for a FREE basic web scan.

Shameless plug over, why not consider some of the things that can be done to help prevent a website breach..

First, concentrate on the box and LAMP environment as a whole. Here’s a top 10:

• Restrict or disable .htaccess type files. A lot of sites these days allow uploading of files, in whatever form that may come. Often, the code can be tricked into allowing an attacker to upload htaccess files to certain directories which could allow for scripts to be executed, or visitors to be redirected.

• Check your apache config, after tightening up/disabling htaccess, disabling cgi directories you might not need, and modifying limits.

• Consider mod_security

• Check your apache, php, mysql and related modules are up to date

• Firewall mysql externally and any other services that should not be accessed directly from the outside or are not necessary.

• Check your list of mysql users and make sure you only have the necessary privileges assigned to the various users.

• It’s common to find users on their own webservers connecting to mysql from their web code as the root user. Don’t do it. Create a user account for that particular site/database and assign it the tightest privileges. Do not connect to mysql as root unless necessary.

• Take multi day backups of database, code AND logs.

• Check the machine for word readable/writable directories.

• Restrict limits on hits/sec from IPs

Next, look to your web code, here’s a top 5:

• Look for SQL Injection opportunities. SQL Injection is NOT just prevented with escaping incoming strings..

• Check all input areas for XSS (Cross Site Scripting)

• See my PHP Security post

• Session ID Protection – can users overwrite cookie/session variables that you have set and taken for granted the fact that they shouldn’t be changed by the user? This is easy to do overwrite/exploit with ‘curl’ or ‘wget’

• How are you handling user data input? Sniffing plaintext HTTP or plaintext anything for that matter is very simple. All sensitive data should be sent over HTTPS. On that matter, are you storing the data safely afterwards?

Anything to add to this list? Please let me know!

As an embedded linux programmer, I’ve had the opportunity to work on a number of different platforms, MIPS being one of my favorites.

There are a few general limitations that you’ll find. You have limited CPU power available, you have very little RAM available, and for more advanced operations and optimizations, your CPU will generally have a limited function set.

The usual good programming practices apply, but are of much greater importance. Specifically, don’t allocate memory that you don’t need, and dont put the CPU under undue stress with unnecessary or badly optimized loops. Taking C syntax and some pseudo code;

char *myvar = malloc(10240);
strcpy(myvar, somevar);
…

Where somevar has previously been limited to say 16 bytes of data, why just allocate an arbitrary large number (10KB) to myval?

Here’s another:

int ctr = 0;
int maxlen = 0;
for (ctr = 0; ctr < get_count(data); ctr++) { … }

Although this looks nice and tidy, why are we calling get_count to get the number of records each time the loop runs when it will never change?

int data_count = get_count(data);
for (ctr = 0; ctr < data_count; ctr++) { … }

makes much more sense.

Years ago, there was also a lot of manual assembler optimization that you could do before compiling. A popular one was replacing “movl %eaX, 0″ with “xorl %eax %eax” as the exclusive or result of two of the same value will be 0 and requires less processor time than the movl operation. Now, not only can most of this be done for you by passing the -OX flag to gcc, but a loop of 1 million movl’s took no more time than 1 million xorl’s on my processor, and I’m guessing the processor deals with this for you now anyway. Today, if you’re on a nonstandard platform and you’ve got the information that certain instructions are favored over others on your target, you’d be able to better optimize the assembler code before compile time.

The main thing to remember, is that sloppy programming that would have gone unnoticed on your super powerful CPU will bring your embedded application to a halt.

As a PHP programmer, there are a couple of things you can do quickly and easily to increase the security of your PHP code installation.

Look into PHP’s “safe mode” feature, ESPECIALLY if you’re running a webserver that takes the general public can upload scripts to. Here you’ll find a list of the functions disabled or restricted by safe mode. It is not strictly PHP’s job to restrict these types of functions, however unless you really know what you’re doing, the list of functions restricted by safemode is a good starting point for building secure applications. These are generally functions that allow file and directory manipulation, and socket manipulation. If it’s not possible within your environment to disable them all, disable as many of these functions as possible.

Although not that common, if I’m writing an application that heavily relies on functions that manipulate directories or sockets, I’ll prefer to create a C daemon or similar to handle this side of things and simply use PHP to communicate with it.
Within your code, do not ever assume any type of input given by a user or with the possibility of being manipulated by a user is safe. Take the following example:

readfile.php?file=…
<?php
$fh = fopen($_GET['file'], “r”);
…
?>

The attacker can specify ?file=/etc/passwd or anything else for that matter readable by the web user. Instead:

readfile.php?file_id=1
<?php
switch($_GET['file_id'])
{
case “1″:
$filename=”/tmp/myfile”;
…
}

Next, make sure register_globals is turned OFF in PHP’s config file. In all newer versions of PHP this is already done. register_globals automatically creates a variable called $username from a page called with page.php?username=adam. With register_globals off, this is only accessible via $_GET['username'] or $_REQUEST['username'].

This means that I could call page.php?user_id=1&username=admin. Your code should accomodate register_globals being turned on, and automatically check for this kind of variable poisoning however this is often overlooked.

Magic Quotes is a depreciated feature of PHP helping beginners write more secure code. All incoming input would automatically have the quotes escaped thus preventing SQL Injection. More advanced users that know what they’re doing can find this annoying, as it is not strictly PHP’s job to interfere with the input variables like this. Instead you should escape all input yourself with addslashes() or mysql_real_escape_string()

PHP error reporting is another important issue to consider. By default, any warnings and errors are printed out to the user. This often gives away directory paths, filenames, variables and all sorts of other information about the server and the script that should not be printed out to an anonymous user. Turn off error reporting to the screen and instead dump any errors to a log file an perhaps trigger an email to an admin.

These are just a few basic things to keep in mind to get started. User input can come in a variety of formats, and not just via the variables $_GET, $_SESSION, etc, etc. XSS (Cross Site Scripting) is another common attack method and something that will be covered in future articles.

Server management is one of the most basic requirements in maintaining a healthy server/cluster, however, is often overlooked until something goes wrong.  In it’s most basic form, server management involves:

1. Checking log files for size and suspicious entries
2. Checking disk space usage
3. Checking memory usage
4. Checking for new packages (apt-get update; apt-get upgrade)
5. Check load and process list
6. Checking backups

If everything’s working fine, why bother? Well, packages are often upgraded because they contain security holes or other bugs. Often though, the upgrades just contain improvements or new features.

This process doesn’t generally take more than 30 minutes every so often, and not only keeps your server running well, but also keeps you up to date with the condition of and running software on your server.

Often, when working with compromised machines, as a security consultant, I find a malicious SSH binary. The malicious SSH binary generally logs all usernames, passwords and hosts connected to from the compromised machine, and usually in /tmp/. The attacker can then log back into the machine and collect this file at a later date.

The compromised SSH binary is usually over 10 times the size of the normal binary. This is because the attacker compiles it as statically linked in the first place, meaning that all libraries that it depends on are compiled in to the application. This means that as long as the system architecture is the same, e.g. x86, the binary will work regardless of distro or libc version. The attacker could compile the compromised SSH specifically for that libc/distro however this is usually not the case. Either way, the binary will always be of differing size, and will always have a different MD5 checksum compared to the legitimate binary.  You could also run the strings utility against the SSH binary, and attempt to find out more about its contents. Usually you’ll find custom error messages and the path to the password log shown up by ’strings’.

This is a popular attack, as users regularly ssh from machine to machine, and additionally, often ssh as root, without any idea as to the ssh binary that they are using. Not only should you only initiate outbound SSH connections from your own trusted machine, and never from machine to machine, but you should also disable root login, and use su or sudo to get root access when required on the remote machine.

Merry Xmas

PHP allows the use of boolean operators.

AND, OR, XOR and NOT. We can combine NOT with AND and OR to form the NAND and NOR operators respectively.

$a = ($b and $c); will return TRUE if both $b AND $c are TRUE, otherwise, it will return FALSE. This can also be specified as $a = ($b && $c)

$a = ($b or $c); will return TRUE if $b OR $c are TRUE, otherwise, it will return FALSE. This can also be specified as $a = ($b || $c);

$a = ($b xor $c); will return TRUE if $b OR $c are TRUE, but not if they are both TRUE, otherwise, it will return FALSE.

$a = (! $b); will return TRUE if $b is NOT TRUE.

$a = (!($b && $c)); will form NAND (NOT + AND)
$a = (!$b || $c)); will form NOR (NOT+AND);

What use is this to us? Here’s some [hopefully] self explainatory examples:

if ($user_option1 xor $user_option2)
{
//good, do some processing
} else {
echo “You need to select at least one but not both options”;
}

if ($logged_in and $verified_email)
{
//good, do some processing
} else {
echo “You need to log in AND verify your email address before continuing”;
}

if ( ($usertype == “paying”) or ($usertype = “expired”) )
{
//good, do some processing
} else {
echo “You need to be a paying or previously paying user to continue, not a free user.”;
}

PHP 4 and 5 offer a few shorthand methods for basic numeric operations:

$n = $n + 1; can be specified as $n++;
$n = $n – 1; can be specified as $n–;
$n = $n + 10; can be specified as $n += 10;
$n = $n – 10; can be specified as $n -= 10;

On the subject of shorthand, also check out the PHP Ternary Operator

Here I’ll give some file reading examples. There’s a few different ways to do this. I’m going to focus on plain text files only, as opposed to binary files.

If you just want to read the contents of a file into a string variable, then the easiest thing to do is use $mystring = file_get_contents(”/home/adam/myfile”);

For more control over what you’re doing, or if you want to do anything more than reading a file into a string, you’ll need to use the fopen, fread and fclose functions.

To read everything in one go:

<?php
$myfile = “/home/adam/myfile”;
$file_handle = fopen($myfile, “r”);  //Open /home/adam/myfile for READING
$data = fread($file_handle, filesize($myfile));
echo “File contains:  ” . $data . “\n”;
fclose($file_handle);
?>

In this case, we use the filesize() function to get size in bytes of $myfile, and we pass that value to fread() as the number of bytes to read from the file, i.e. the entire file.

You could replace filesize() with a fixed figure, or alternatively, if you want to keep reading until you find a certain character or string;

<?php
$myfile = “/home/adam/myfile”;
$mysize = filesize($myfile);
$file_handle = fopen($myfile, “r”);
while (strpos($tmpdata, “FINDME”) === false)
{
$tmpdata = fread($file_handle, 128);
$data .= $tmpdata;
}
fclose($file_handle);
….

Now at this point, we’re reading 128 bytes of the file at a time until we find “FINDME”. Depending on the size of the file, pick a reasonable figure. The lower the figure, the more times the loop has to run, which is inefficient in itself, the larger figure  Chances are though, we’ll end up with additional data after “FINDME” anywhere between 0 and 122 characters. If we don’t want that, to remove “FINDME” and anything after it:

….
$data = substr  ($data, 0, strpos($data, “FINDME”) );
?>

You should also be checking the return code of fopen to ensure that it has actually returned a valid file handle as opposed to blindly reading from what may be an invalid handle.

Edit:

Reader Brian makes a valid point, that the fread(…, 128) could cut off “FINDME” in which case, it will never match, we should perform our test against the data just read as well as the data in the previous read:

while (strpos($tmpdata_last . $tmpdata, “FINDME”) === false)
{
$tmpdata_last = $tmpdata;
$tmpdata = fread($file_handle, 128);
$data .= $tmpdata;
}

PHP Developer – strlen, count, and substr

The strlen function retuns the length, i.e. number of characters in a string:  int strlen(string s)

count will get the number of elements in an array:  int count(array a)

substr will return a “subset” of a string, string substr(string s, int start, [int len]);
<?php
$s = “test string”;
echo “String length is: ” . strlen($s);
?>

Will return:  String length is: 11

Why would you care how long a string is? Well, for many reasons, one being that you might wish to iterate through each character of a string to perform a certain conditional check or operation on each character. Alternatively, you might want to check that a certain string is not over a given size, and if so, shorten it. Here’s a common example that shows these three common functions together:

<?php
$myarray = Array("This is a very long string", "short string", "some text", "some more text to be shortened");
define(MAXLEN, 20); //maximum permitted string length
$num = count($myarray); //Get the number of elements in the array
for ($ctr = 0; $ctr < $num; $ctr++)
{
    if (strlen($myarray[$ctr]) > MAXLEN)
    {
        echo substr($myarray[$ctr], 0, (MAXLEN - 3)) . "...\n";
    } else {
        echo $myarray[$ctr] . "\n";
    }
}
?>

The above will output:
This is a very lo…
short string
some text
some more text to…

This could be used in an instance where we only want to show a predefined “taster”, i.e. replacing … with “(more)” or similar. Alternatively, ensuring that text does not overflow a “<div>” element in a particular instance

In PHP, we can use strpos to find the position of a character or string within another string:

int strpos  ( string $haystack  , mixed $needle  [, int $offset = 0  ] )

For example:

<?php
$mystr = “this is a test string”;
$pos = strpos($mystr, “test”);
echo “Position: ” . $pos;
?>

Returns:  Position: 10

We can just as easily use strpos to test for whether or not a given string is found in a larger string:

if (strpos($mystr, “test”))
{ … }

However, that may in some cases unexpectedly fail:

if (strpos($mystr, “this”))
{ … }

This will return 0, as “this” is at the beginning of the string and therefore at position 0, causing the condition to fail. The correct usage is:

if (strpos($mystr, “this”) === false) { … } OR  if (strpos($mystr, “this”) !== false) { … } noting the usage of “===” or “!==” meaning an absolute evaluation. As of PHP 4, “==” means “equal to” and “===” means “identical to”.

PHP has two ver useful functions, serialize and unserialize.

serialize() generates a string based storable representation of any variable type that you like. Take a complex variable:

<?php
a = "test";
$obj->b = "string";
$obj->c = Array("this", "is", "a", "test", "array");
$obj->d = new stdClass();
$obj->d->var1 = "some text";
$obj->d->var2 = Array("this", "is", "another", "array");

print_r($obj);
?>

wwwtest:~# php ./test.php
stdClass Object
(
    [a] => test
    [b] => string
    [c] => Array
        (
            [0] => this
            [1] => is
            [2] => a
            [3] => test
            [4] => array
        )

    [d] => stdClass Object
        (
            [var1] => some text
            [var2] => Array
                (
                    [0] => this
                    [1] => is
                    [2] => another
                    [3] => array
                )

        )

)

Now, changing the last line of the script to:

$mystring = serialize($obj);
echo "Serialized data is: " . $mystring;

We now get:

Serialized data is: O:8:"stdClass":4:{s:1:"a";s:4:"test";s:1:"b";s:6:"string";s:1:"c";a:5:{i:0;s:4:"this";i:1;s:2:"is";i:2;s:1:"a";i:3;s:4:"test";i:4;s:5:"array";}s:1:"d";O:8:"stdClass":2:{s:4:"var1";s:9:"some text";s:4:"var2";a:4:{i:0;s:4:"this";i:1;s:2:"is";i:2;s:7:"another";i:3;s:5:"array";}}}

We can just as easily return this to it’s original form with unserialize(). This is useful because this flat string can be stored in a database or perhaps even passed through a site and associated with the current user for his usage preferences.

There are 3 types of loop in PHP:

while (condition)
{ code_goes_here; }

do
{ code_goes_here; }
while (condition);

for(expr1, expr2, expr3)
{ code_goes_here; }

In terms of the ‘for’ loop above, ‘expr1′ being the starting expression, i.e. $i=0. expr2 being the condition that must be satisfied to keep the loop running, i.e. $i < 100. expr3 being the expression evaluated each time the loop runs, i.e. $i++. Each loop type has it’s uses.

The two while loops are mostly identical, the only difference being that in the first loop, the condition is checked before running that iteration of the loop whereas in the second loop, the condition is checked after running the loop iteration. The while loop will exit as soon as any negative condition such as a 0, FALSE, etc is hit. That makes it useful for fetching mysql result sets for example:

while ($result = mysql_fetch_assoc($resource))
{ //execute code using $result variable }

As opposed to:

$num = mysql_numrows($resource);
for ($ctr = 0; $ctr < $num; $ctr++)
{
$result = mysql_fetch_assoc($resource));
}

Additionally, the for loop does have advantages in cases, such as:

for ($ctr = 0; $ctr < 10; $ctr++)
{
echo “Counter is: ” . $ctr;
}

As opposed to:

while ($ctr < 10)
{
echo “Counter is: ” . $ctr;
$ctr++;
}

Although in this case there isn’t a great deal of difference. Just remember when looping through database results for example not to call functions or otherwise incur overhead in the loop such as calling mysql_numrows($result) unnecessarily.

I’m going to be offering some VERY high end UK VPN hosting accounts in the next few weeks once I can get a site and signup form up and running. The VPN servers will run from within the same cluster as this site, and so you can test your ping time with ping www.adamsinfo.com which in my case from my London based BETHERE DSL connection gives a 16-17ms ping time. You can also grab http://www.adamsinfo.com/wp-content/10mb.test and http://www.adamsinfo.com/wp-content/100mb.test for speed tests. I’m planning on running OpenVPN as the server software but will additionally offer PoPToP if anyone really wants it. Compared to other VPN providers, this will be a reasonably expensive offering. This is on the promise that:

• The service will be thoroughly undersubscribed
• The connectivity will be very fast
• You can select as much bandwidth as you want from 512kbit up to 80mbit – assuming your ISP supports it.
• Your service can be configured to use compression and encryption if you wish, meaning even faster access for you. This can use a lot of CPU and RAM on our end
• Custom set up as you wish as well as NAT 1:1 dedicated public IP and reverse DNS
• Squid Caching Proxy if desired
• 99.9% uptime guaranteed or your month’s money back

Addition I will be running the multithreaded tcp tunnel server software for anyone who wishes to use it, which means that with the right settings/config at your end, you can balance your VPN access over multiple connections at your local end.

Contact me (adam [AT] adamsinfo [DOT] com) to register interest!