HiR Information Report

Rehi, Milw0rm

noreply@blogger.com (Ax0n) — Thu, 09 Jul 2009 21:02:00 +0000

I guess enough people stepped up to the plate and offered to resuscitate Milw0rm on Str0ke's behalf.

This is a good day. Rehi, Milw0rm!

Milw0rm has been up-and-down ever since the closing announcement hit Teh Internets. Probably due to the script kiddies recursively wgetting (downloading a mirror of all the archives)

Hopefully, the site will stabilize and be back online and back to business as usual soon!

DefCon 17

noreply@blogger.com (Ax0n) — Thu, 09 Jul 2009 16:32:00 +0000

Asmodian X and I will once again make our annual pilgrimage to Las Vegas over the last weekend of July-into-August.

I haven't picked the talks I'm attending yet, but you'll be able to find me at the Podcaster's Meetup and probably a SecurityTwits meetup, if there is one. Otherwise email me (ax0n ! h-i-r , net) - I'll probably be checking my mail frequently.

Any readers attending?

Not news: smuggling bomb parts into federal buildings

noreply@blogger.com (Ax0n) — Thu, 09 Jul 2009 11:30:00 +0000

ABC News: Bomb materials smuggled into fed buildings

Federal investigators had no trouble smuggling bomb-making materials past ill-trained and poorly supervised guards at federal buildings, senators were told at a hearing Wednesday.

The thing is that if you poke around the office supply closet and the broom room, you will undoubtedly be able to amass everything that's needed to wreak some serious havoc.

The article doesn't say whether the GAO agents used credentials or covert entry to get into the compounds with said "bomb supplies". If they were able to enter without credentials, there's a much larger problem. If they used credentials, it really doesn't matter what they can carry in. Through all of history, weapons have been made from seemingly benign objects.

This is more pedantic security theater: Focusing on one specific threat instead of working to refine and simplify the armor.

Links for 2009-07-08 [del.icio.us]

Thu, 09 Jul 2009 00:00:00 PDT

FBI: Russian Programmer Stole Stock-Trading Secret Code | Threat Level | Wired.com
This was all over the place a few days ago. Somehow I just not got around to linking to it.
iTWire - OpenSSH developer plays down exploit rumours
Emergent Chaos: Origins of time-sync passwords
Make: Online : How-To: Dissolve IC packages
Hardware hacking for the win!
Lifehacker - WEP Cracking Redux: Beyond the Command Line - Security
Lifehacker is feeding the skiddiez!

Network programming and distributed scripting with newLISP

noreply@blogger.com (Ax0n) — Wed, 08 Jul 2009 23:30:00 +0000

I'm not sure why I never re-posted this here, but alas, better late than never. I should have an article published in the Summer 2009 issue of 2600 as well, but I haven't seen it yet.

This initially showed up in 2600: The Hacker Quarterly Volume 23 Number 4 (Winter 2006-2007)

newLISP (www.newlisp.org) is a relative newcomer to the interpreted language arena in terms of popularity. While it had its humble beginnings back in 1991 when Lutz Mueller started working on it, only in the last 4 years has development been consistently active.

newLISP is everything that old-school LISP languages are, with a lot of modern features. First off, it's a scripting language that's extremely fast. It has networking ability that's powerful enough to write TCP or UDP client or server applications. Then, to top that off, it has a command called net-eval which makes newLISP stand out from the crowd by giving it the unique ability to easily distribute tasks to other nodes over a network connection.

Binaries (under 200 kilobytes) are available for Windows, BSD, Linux, Mac OS X, Solaris and a host of other platforms. It is released under the GPL. Performance is also second to none. newLISP has been topping the charts on script interpreter benchmarks in several categories thanks to it's small size (under 200 kilobytes) and efficient C code. It outruns php, perl, and even ruby.

newLISP also has some other tricks up its sleeve that make it an excellent system administration scripting language. It has decent filesystem support, so it can see if files or directories exist, determine if a file's permissions are acceptable for reading or writing, and it has very powerful text processing ability using PCRE (perl compatible regular expressions). Finally, it's also worth mentioning that newLISP can easily import whole functions from dynamic libraries such as libmysqlclient (instant MySQL access from within newLISP!), tcl/tk (for creating graphical applications in newLISP) and zlib (for compression and decompression) just to name a few. This makes newLISP one of the most robust and flexible languages around. As you can tell, newLISP is a formidable choice for hackers, geeks, network admins or security professionals wishing to create scripted programs to do network operations or distributed computing with minimal effort

I am lucky to have been able to work directly with Lutz, the founder and creator of newLISP. I got a few direct lessons from him, and from there, started tinkering with it on my own. With that, the first thing I did was create a makeshift port scanner. I learn easiest by example, so here is what I came up with.
Click to see port.lsp

The first part simply assigns the command line arguments into a list called params, then makes sure that 4 parameters were given (program name, host, begin port and ending port). If not, it displays a usage tip before exiting. The second part assigns elements of the list to appropriate variables, then uses a for loop to iterate through the ports, displaying open port numbers that are open. Note that on machines with packet filters that "drop" packets, this port scan will take a very long time. nmap is a much more robust port scanner, however this little script demonstrates the power of newLISP's network commands. We'll run this as a test just for fun:

$ ./port.lsp 192.168.0.105 1 200

21 open

22 open

23 open

25 open

79 open

111 open

Now, let's look into distributed computing, shall we? The core command behind newLISP's distributed computing power -- called "net-eval" -- operates on a list of lists (similar to a 3 dimensional array). The inner-most list is a list of host, port, and a string representing the command(s) you wish to run on the remote node. The outer-most list can contain as many host-port-command lists as your heart desires, allowing you to run many distributed processes at once, and get the results back all at the same time. Then, outside those lists is a timeout in milliseconds. If a result isn't returned in the timeout period, the operation returns "nil" (that is, false). To clarify, net-eval syntax is as follows:

(net-eval (list (list "host" port-number command-string)) timeout)

On each remote node, you must have a newLISP listener, which is simply started by running "newlisp -c -d port-number" from the command line. On UNIX environments, you may put an ampersand (&) at the end to launch it in the background, or you may even wish to use "set NOHUP" and log off to leave it running in the background indefinitely. In my example, I went to my Solaris box and launched it, listening on port 31337 as follows:

$ newlisp -c -d 31337 &

I also launched newLISP listeners on various other machines on my home network, including a few OpenBSD machines, and my wife's MUD/BBS server running Windows Server 2003 with the "Services for UNIX" tools installed.

Now, care must be taken. It is a bad idea to have a newLISP listener running on a public IP address, because commands like process or exec can launch shell processes on the newLISP node, which is just as good as giving away an unprotected shell account on your network. I advise using newLISP listener nodes only behind a NAT or firewall, or on a segregated network.

Let's run a test script, shall we? In LISP, boolean and math operations are always performed by placing the operator first, followed by the symbols to apply it to. In addition, the symbols are numbers, but they could easily be strings or lists with some operations. Adding 1 + 2 in LISP is as simple as (+ 1 2) I will start by running a quick addition operation on 1 remote node with a 3000ms (3 second) timeout.

Click to see net-eval-test.lsp

When we run it, we get the answer to this mind-boggling math problem:

$ ./net-eval-test.lsp

(3)

Now, to expand this even more, I have added three other nodes into the mix, which shows more clearly how the nested list syntax of net-eval works, and I'll demonstrate remote command execution at the same time, using the "exec" command. Notice how the quotes around the command to be run is escaped with backslashes. This is needed to keep from confusing the interpreter. To put quotes inside a quoted string, you need to escape them. This is almost universal to all programming languages. On UNIX-like platforms, uname is used to get information about the operating system and architecture. uname -s -n -m will list the OS that's running, the hostname, and the machine architecture.

Click to see uname.lsp

The result is a newLISP list of strings, containing the results of running the command:

$ ./uname.lsp

(("SunOS sparky sun4u") ("OpenBSD compy386 i386") ("OpenBSD bouncer sparc") ("Windows mudbbs x86"))

The online documentation for newLISP is very extensive, and features a few rather advanced demonstration scripts, including a working web server written entirely in newLISP. While learning a new programming language is never easy, newLISP is more than mature enough in both implementation and documentation to make it a pretty easy language to add to your list.

Links:
NewLISP Website, full of demonstration newLISP programs, documentation, binaries for many platforms, and newLISP source code:

NewLISP.org

(newLISPer) is a journal, or blog, written by a guy who was just learning newLISP. It's turned into a bunch of newLISP tutorials with some philosophy tossed in as well:

Newlisper Blog ((now unbalanced-parentheses) (you see what I did there?)

Norman's code snippets is a website full of newLISP programs and snippets for Linux (not tested on other platforms). There is a lot of really interesting applications and widgets available to download:

Norman's code Snippets

Tracking Rumors (a la the OpenSSH Exploit)

noreply@blogger.com (Ax0n) — Wed, 08 Jul 2009 15:33:00 +0000

By now, I'm sure you've all heard the OpenSSH Exploit rumor. The short and sweet points are:

The rumored exploit doesn't work on the current version (5.2/5.2p1 as of writing)
The rumored exploit does work against older versions (but we don't know how old or when it got fixed)
It's not a bad idea to upgrade your OpenSSH (and derivative) services to OpenSSH 5.2.

What really concerns me are forks from OpenSSH that are likely to be ubiquitous in the enterprise. There are many, but the following two seem like A Pretty Big Deal to me:

Red Hat Enterprise Linux ships with OpenSSH 4.x, but patches it in-house and releases these updates to RHEL users to fix certain bugs as they're fixed in the 5.x series.
Sun Solaris 10 ships with "SunSSH 1.1" which is basically a mash-up based on OpenSSH 3.5p1.

You see why I'm more than a little concerned, right? Without having the exploit code to test with, we don't know if the exploit will work against these bastardizations of the OpenSSH code-base.

Without some solid proof, I'm not going to go to my boss and scream that the sky is falling. I just want to stay in touch with the OpenSSH / 0pwn0wn exploit drama. Google Alerts to the rescue!

Google Alerts allows you to get rapid-fire email or RSS feed updates when new items show up in Google's index for given search terms. You can use this for vanity searching and a host of other things... or, as I do, to keep an eye on breaking news for more obscure stuff.

With that, I set up alerts for OpenSSH (News and Blogs) and 0pen0wn (Comprehensive search) - If an exploit is released publicly, I want to know about it so that I can test it and make recommendations on how to fix it.

Also, it's not a bad idea to set up google alerts for other mission-critical products or services you rely on, if for nothing else, to keep your fingers on their pulse.

Improvised backpacking stove

noreply@blogger.com (Ax0n) — Wed, 08 Jul 2009 10:40:00 +0000

Squarely in the "Other interesting topics" category for this site, I can tie all this summer fun back to hacking a little bit. This is about improvising a little bit to solve a problem. It's also about trade-offs, fire, and building stuff in a cheap and hackish nature. So there. With that out of the way, this post will have almost nothing to do with technology.

I love camping, and usually when I go camping with family and friends, it's the all-out party at the lake kind of camping, just short of sleeping in an RV. I can tether my LG Chocolate to my MacBook, plug in my La Fonera running Jasager to mess with WiFi-toting campers, keep everything charged with the inverter and still start fires for the sake of fire -- because God knows you don't need a bonfire to cook when you have a nice propane stove hooked up to a 20-pound gas-grill propane tank! Sights like this one (from Memorial Day Weekend) aren't uncommon:

More recently, though, I've tried to get myself back into a more stripped-down backpacking mode. It's no secret that I like riding my bicycle for basic transportation. It also happens that there are decent campgrounds close enough to home for me to ride my bicycle to. For an adventure like this, the goal is to pack light (kind of like backpacking) -- In fact, the weekend after the above photo was taken, I snapped this -- which should give you some idea of how much crap I had to haul for a one-night "backpacking" adventure on my bicycle:

This is a 17-ounce (or so) propane tank and my small propane burner which I brought along on my last trip. It's definitely better than the 30-pound rig we were using a week prior. The bonus is that it still boils water in well under 5 minutes and makes fried eggs for breakfast like an ace.

I have a similar trip coming up in about 3 weeks, and over the past few days, I've been contemplating various ways to minimize the bulk. The wretched camp stove above is pretty much the only thing I can downsize cheaply. Sure, I could ditch some of my older, heavier gear and buy a $60 camp pad and a $250 tent -- No thanks. I'm on a budget, and that kind of money would be better spent on say... plane tickets to DefCon?

I decided to try going the sterno route. We have a can of it laying around, so what could it hurt? The main problems with sterno are that it doesn't get as hot as propane, and that the can itself won't support your cookware. I had some old bicycle spokes laying around and made this little contraption. It's two spokes (of different lengths) bent up and strapped together with tape on one edge. It folds nicely, but not totally flat. If I had spokes of the same length (or if I just cut the longer one, or wasn't afraid of bending the longer one so it is directly in the flame's path) it would fold flat.

I bent this so that it would hold the cookware about 1" above the fuel canister. It's so simple that I really don't think you need a full set of instructions to replicate what I did here. You can cut and re-bend a wire hanger, get some thick solid-core copper wire, or improvise whatever you want. Three level points are all you need to support a kettle over the heat source

With the sterno can in place -- and set up on a piece of my mess kit so I don't melt the counter and incite the wrath of my l33t wife -- it looks like this:

Now for the sucky part: In order to boil two cups of water (for example, to make French Pressed Coffee or re-constitute a freeze-dried backpacking meal), it takes between 10-15 minutes depending on conditions, and yes I had the lid on whilst attempting to bring this water to a boil.

One cool thing, though, is that this stove stand will work nice with many other kinds of improvised heat sources. I may just end up replacing the sterno can with a beer-can alcohol stove. That's another project for another evening, though.

Links for 2009-07-07 [del.icio.us]

Wed, 08 Jul 2009 00:00:00 PDT

Securosis Blog | Cracking a 200 Year Old Cipher
Cool story about a very old code from our country's early years
Sat Marks the Spot, Uncovers Pirate Weapons Haul | Danger Room | Wired.com
Clever sleuth work and proof that well-funded individuals and companies can do powerful things with satellites
Moby Shows (Again) That Free Music Doesn't Cannibalize Paid Music | Techdirt
Nothing we didn't already know
Retro Computing: For the REALLY old Computers: FreeDOS
Via Jon / Retrothing - I will always have a soft spot in my heart for DOS

Fare thee well, Milw0rm

noreply@blogger.com (Ax0n) — Tue, 07 Jul 2009 23:25:00 +0000

Str0ke is apparently abandoning Milw0rm:

Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don't :(. For the past 3 months I have actually done a pretty crappy job of getting peoples work out fast enough to be proud of, 0 to 72 hours (taking off weekends) isn't fair to the authors on this site. I appreciate and thank everyone for their support in the past.
Be safe, /str0ke

Milw0rm was (and for the time being, still is) a site with a simple interface to browse a vast, extensive library of exploit code that was until now quite frequently updated. For the time being, it looks like the site is still up, but it sounds like str0ke has stopped trying to add more submissions to the site. Time will tell if he keeps the page alive.

It is survived by Packet Storm and a few other fragmented archives. Nothing quite matches the pedantic focus of Milw0rm, though. You will be missed!

Hat tip: A bunch of the security twits were discussing this.

Annual gathering of pyromaniacs

noreply@blogger.com (Ax0n) — Mon, 06 Jul 2009 11:17:00 +0000

As usual, The HiR crew participated in massive amount of explosives and fire for Independence Day. While we didn't have professional-grade stuff like last year, we all actually got to set off a bunch of smaller things. And I mean a bunch.

Frogman is actually made of explosives. :)

A few repeater cakes (pre-fused multi-shot aerial displays) staged in the yard.

Frogman, Dicegrrl and Asmodian X setting up a few bottle rockets.

This made me laugh, particuarly seeing Frogman cheer as the projectile launched. I made it from a sequence of images taken with an intervalometer script on my camera (thanks to CHDK)

Dicegrrl shows off her Twitter Glitter. By the way, this was just about the most underwhelming piece of the night, aside from one ironically called "The Migraine". Both of them were basically a 4-shot roman candle. At least Twitter Glitter could be described in 140 characters or less.

Crackle.

Boom.

Links for 2009-07-05 [del.icio.us]

Mon, 06 Jul 2009 00:00:00 PDT

Schneier on Security: The Pros and Cons of Password Masking
So maybe ALWAYS un-masking passwords is a bad idea. I think leaving it optional with a check-box would be the best way to go in most cases.
Securosis Blog | Database Security: The Other First Steps
Adrian goes through what he believes are the first steps to secure your databases
Emergent Chaos: The Punch Line Goes at the End
If you're going to give talks that you think might get the kibosh, how about naming them something less than ominous when submitting your talk to the convention organizers

Sysadmin Sunday: Guard against file corruption with PAR

noreply@blogger.com (Asmodian X) — Sun, 05 Jul 2009 13:00:00 +0000

Introduction:
Bit rot, File corruption, partial file transfer, call it what you will, digital transmission mediums some times fail and you are left with a corrupted fragment of data if any at all. In the case of large files in which re-transmission would take hours or days, this is a tough situation.

PAR uses a RAID like technique to salvage corrupted files in most cases only needing to obtain files containing restore information that are a fraction of the size of the original file.

This article is intended for people with basic to intermediate understanding of a un*x style operating system.

-=-=-=-=-=-=-=-=-=-=-=-=-=-

Table of contents:
1. PAR and the Reed-Solomon error correction algorithm
2. Available applications based off of PAR
3. Examples
4. Informative resources

-=-=-=-=-=-=-=-=-=-=-=-=-=-
1. PAR and the Reed-Solomon error correction algorithm

The Reed-Solomon algorithm was developed in 1960 by Irving S. Reed and Gustave Solomon. It is used in many technologies such as CD's, BlueRay, DSL Modems, RAID6 and more. This method of error correction is used to protect against certain forms of media defects or data transmition errors.

The PAR utility was developed by Tobias Rieper and Stefan Wehlus for the purpose of recovering corrupted files and file fragments from Usenet posts with out needing to download the file all over again. Later, to compensate for some limitations of PAR, the PAR2 specification was developed by Michael Nahas and Peter Clements. Clements then wrote some of the first PAR2 applications.

A simple way of explaining what PAR does is that it takes the original source files then applies the mathematical algorithm to it which contains a sort of processed description of what that file looks like. Then lets say you send someone a file but for some reason the transmission fails mid way through the file transmission. All that needs to be done is to download the results of the mathematical operation (which are significantly smaller than the original file) and run the par utility to apply the math to the file fragment. Par can fill in the blanks using the algorithm and restore the the file.

2. Available applications based off of PAR
There is of course the fore-mentioned open source application written by Peter Clements et all. There are a slew of other PAR clients for Mac, OS 9 and 10, Windows, Linux, BSD and more. Though the PAR1 specifications are incompatible with the PAR2 specification most clients support both formats side by side. For a detailed list of PAR compliant projects check out the Parchive sourceforge website. If you are using Linux, you can either download a Linux rpm or source tarball from the sourceforge site . Or use a package system such as apt-get to download it from your distributions package archives.

3. Examples
In this example I am using Ubuntu Linux.

This will require the Ubuntu Universe repository. You can uncomment this in "/etc/apt/sources.list" using "sudo vi /etc/apt/sources.list".
Then update your sources using "sudo apt-get update".
Finally get the par2 package using "sudo apt-get install par2" .

Now lets test par2 to see if it can recover a file:

Using dd create a 10MB test data file from /dev/zero "dd if=/dev/zero of=/tmp/testdata.bin bs=1024 count=10240"
Then create our par2 file and recovery blocks: "par2 create testdata.par2 testdata.bin"
Now im going to copy the original data to a different name then make some changes to it.
Then I run "par2 verify testdata.par2 testdata.bin"
par2 tells me that I need one recovery block to repair the file. (* during the create process par2 created several repair blocks. Since par2 over-samples, I can use the either the largest repair file or a combination of the smaller files for the same effect.) In this case I just need to have the repair block file called testdata.vol000+01.par2 in the same directory.
I then type in "par2 repair testdata.par2 testdata.bin" where it then reports that the file has been repaired.

4. Informative resources
Clements,Peter Gallagher,Ryan Nahas,Mike et. all. "Parity Archive Volume Set: File
Specification, Clients, and Related Resources" (Accessed July 2009)
http://parchive.sourceforge.net/

Wikipedia.org "Reed-Solomon Error Correction" (Accessed July 2009).
http://en.wikipedia.org/wiki/Reed%E2%80%93Solomon_error_correction

Wikipedia.org "Parchive" (Accessed July 2009).
http://en.wikipedia.org/wiki/Parchive

Links for 2009-07-04 [del.icio.us]

Sun, 05 Jul 2009 00:00:00 PDT

I-Hacked.com Taking Advantage Of Technology - Understanding Exploit Development
Sign up for an account on i-Hacked (it's free) and check out this extensive tutorial!

Links for 2009-07-03 [del.icio.us]

Sat, 04 Jul 2009 00:00:00 PDT

Apple patching serious SMS vulnerability on iPhone | Mobilize - InfoWorld
Whoops! I'd love to be at Black Hat to see this one demonstrated!
Hard Drive weight increasing?
People on tech support forums are both stupid AND mean. Rarely helpful.

Links for 2009-07-02 [del.icio.us]

Fri, 03 Jul 2009 00:00:00 PDT

GhostExodus, the ETA, and a Control-Systems Incident at Carrell Clinic (Part 2) « McGrew Security Blog
Part 2 of the GhostExodos Saga, with videos. This is a riot.

Links for 2009-07-01 [del.icio.us]

Thu, 02 Jul 2009 00:00:00 PDT

Schneier on Security: Security, Group Size, and the Human Brain
This has social networking implications, too
Lifehacker - How to Crack a Wi-Fi Network's WEP Password with BackTrack - wep
GhostExodus, the ETA, and a Control-Systems Incident at Carrell Clinic (Part 1) « McGrew Security Blog
This reads like some kind of short fiction novel. Check out some of Wesley's links to related stories. Excellent sleuth work.
lynis CLI-Apps.org
An open-source CLI security scanning tool for the local system
rkhunter CLI-Apps.org
Rootkit hunter runs locally and tries to determine if you've been rootkitted
ATM Security Researcher Censored
This makes me sad.
Securology: Flying Firearms
Deviant is using his noggin... and his guns!

Busy Busy!

noreply@blogger.com (Ax0n) — Fri, 26 Jun 2009 17:41:00 +0000

Between SOX Audit stuff (which is a month-long process of data gathering), other demanding projects at work and the more important things in life, I really haven't had a lot of time to both tinker AND post stuff. Keep an eye on our RSS Feed, though, and I'll try to get to posting more Delicious Links. I run across dozens of cool infosec, UNIX and programming links every week. I've just been really lax on sharing them via Delicious.

In the meantime, bow before Mubix's inspiring display of creativity. This is seriously awesome. Room362: Metasploit Framework as a Payload for Metasploit Framework

Godwin's Law and Scientology

noreply@blogger.com (Ax0n) — Tue, 02 Jun 2009 11:23:00 +0000

In the bygone days of usenet's booming popularity, Mike Godwin crafted a theory that's often called Godwin's Law or Godwin's Rule of Nazi Analogies. As originally stated, it ties specifically to Usenet (newsgroups) but it has been applied to almost any form of discussion including Forums, mailing lists, IRC and even Twitter.

As a Usenet discussion grows longer, the probability of a comparison involving Nazis or Hitler approaches 1.

Frogman alerted me to a hilarious Godwin's Law proof Monday involving the Wikipedia ban of edits coming from the Church of Scientology. On May 28th, Wikipedia banned edits from CoS. on the grounds that all CoS wikipedia edits have been self-serving and sometimes downright subversive. On May 30th, David Miscavige (Chairman of the CoS RTC) retorted with this statement, essentially calling Wikipedia's Arbitration Committee a bunch of Nazis:

Blocking the IP addresses of computers located at Scientology's Pac Base, Int Base and Celebrity Centre is just a way to force Scientology parishioners into an undesired beingness. What's next, will Scientologists have to wear yellow, six-pointed stars on our clothing?

Dude. Godwin's Law! Hey, I have to include an xkcd if one is relavent!

On the ranty side -- and this is my personal opinion:
There are very few things that could possibly happen on this planet that will ever come close to the kind of oppression that Hitler was trying to implement. I really wish that people would quit trying to draw parallels to the mother****ing HOLOCAUST when they can't get their way in life. Not only is it irrationally dramatic in most cases, but it trivializes a tragedy the likes of which we will hopefully never have to deal with again.

kc2600.com is alive and well once again

noreply@blogger.com (Ax0n) — Mon, 01 Jun 2009 11:30:00 +0000

The old site (a forum) had fallen into a state of disrepair and was eventually abandoned by its previous keepers. Asmodian X has breathed new life into kc2600.com as a place to learn more about what's going on at the 2600 meetings in Kansas City. Hopefully, we'll have updates from other kc2600 attendees as well. Thanks, Asmo! Don't forget, the next meeting is coming up Friday, June 5th. I believe there will be attendees at both Oak Park Mall Food Court and inside Barnes & Noble at Independence Commons. Maps at the bottom of this post.

Greater Kansas City 2600

View Larger Map

View Larger Map

Sysadmin Sunday, a Response: Are admins developers too?

noreply@blogger.com (Ax0n) — Sun, 31 May 2009 13:00:00 +0000

Lori MacVittie comes up with another one worthy of a response post. This time, she asks if admins are starting to become developers. In a nutshell: I don't think so, but we are definitely programmers.

Ah, there are those damned semantics again!

My opinion here comes from more than the simple fact that my employer has placed a "Systems Programmer" stamp on me despite the fact that my primary job duties do not include programming anything. Programmers make specialized procedural tools, while I feel that developers are a different breed entirely. Developers architect entire solutions and tie together lots of programs: usually functions and routines they've written or borrowed. Developers often collaborate with other developers on a project and usually put together something that will get used by someone other than themselves, from a single client or an internal organization all the way up to public-facing web applications available to anyone on the Internet!

Through the course of my sysadmin and infosec career, I've written literally thousands of tools in varying states of complexity and user-friendliness from object-oriented PHP behemoths to generate large reports from a database down to simple loops that copy shell scripts out to the enterprise before executing them on each system. At any given time, I have scores and scores of these little home-grown scripts and programs laying around.

Administration usually involves repetitive, mundane tasks. Analytical types will usually find a way to automate the things that can be predicted. I wouldn't confuse this process with being a developer, though. I'm not saying developers always create solutions that are more elegant, elaborate or stable. I am saying that developers have a different mind-set than admins, who usually (as Lori points out) create quick tools for themselves or their peers.

Friday Musings: Redundancy

noreply@blogger.com (Ax0n) — Fri, 29 May 2009 11:31:00 +0000

Sorry for the lack of content lately. Work has been crazy, and I had a lazy five-day weekend that I decided to use for vegging out more than geeking out. Whilst camping over the Memorial Day weekend, I did come to appreciate the redundancy built in to Mag Instrument's AA Mini-Mag (and most other lights of theirs), a spare bulb hiding in the tail cap right below the battery spring:

I got this flashlight almost a decade ago as schwag (and seriously nice schwag at that) from Check Point while working at a Check Point Value-Added Reseller as a support technician and penetration tester. The bulb that burned out over this last weekend was the original. I can't even imagine how many hours of burn-time it had, how many drops to the pavement it's taken, or how many times it saved my ass.

I only wish that this kind of redundancy was more common in everyday life from household appliances to consumer-grade electronics. Parts that are most prone to failure should be included. Some old vacuum cleaners even came with a spare drive belt and a nice place to store it.

Now, it seems you only see redundancy addressed when you're dealing with large-scale Enterprise IT and industrial- or military-grade machinery. Otherwise, it's:

Somewhere in history, we've lost our way...

News Flash: Man figures out how to use a dial-up modem

noreply@blogger.com (Ax0n) — Thu, 28 May 2009 12:50:00 +0000

Via Hack-a-Day:

[phreakmonkey] got his hands on a great piece of old tech. It’s a 1964 Livermore Data Systems Model A Acoustic Coupler Modem. He recieved it in 1989 and recently decided to see if it would actually work. It took some digging to find a proper D25 adapter and even then the original serial adapter wasn’t working because the oscillator depends on the serial voltage. He dials in and connects at 300baud. Then logs into a remote system and fires up lynx to load Wikipedia.

The HiR team loves Old School tech, but where do I even begin with this? The guy found a serial modem (and had to SCROUNGE for an industry-standard serial cable?) and used it exactly as it was designed to be used without any modifications. Where's the hackery here? Why is this even newsworthy?

In the 1980s, I cut my teeth on a similar modem albeit quite a bit newer than 1964. When dial-up Internet became accessible here in Kansas City, I would fire up a GRAPHICAL DOS-Based web-browser (Minuet, if you care) and connect via SLIP or PPP.

I suppose since I'm getting older, it's only going to get worse from here. I'll recall old tech with a certain fondness, and I'll get curmudgeonly whenever it becomes 'news' that someone found out how to use the old hardware as it was designed. Stored properly, well-built electronics don't rot or rust. These relics should simply "just work" and the fact that some standards from the 1960s still exist today should surprise no one. The world has built a vast technology canon of these standards. Some of the very standards we take for granted now are a result of engineering that happened hundreds and hundreds of years ago.

Now get off my lawn, you darn kids!
/me shakes his fist at whippersnappers!

PHP Editing In The Cloud

noreply@blogger.com (Ax0n) — Mon, 11 May 2009 13:03:00 +0000

I ran across PHP Anywhere over the weekend. At first glance, it looks as feature-rich as the free version of PHP Designer, a Windows-only tool I use at work when I have to mess with PHP (which isn't too often)

There's just one question I have: who in their right mind would store the FTP password to their web site "in the cloud" like this? In fact, I don't even have FTP access ENABLED on my primary web server. I set up a test instance somewhere else to play with PHP Anywhere. I usually scp my files to their destination. Sadly, that's not an option for PHP Anywhere yet, but if it did, you'd still be storing credentials to modify your website...

I suppose if you are really in a crunch somewhere and lack your usual desktop IDE of choice (and for some reason can't get on the system to edit it locally), it makes for a neat toy.

That's all for today. I'm going to change my password on that FTP account now...

Sysadmin Sunday: Dealing with OpenBSD's chroot Apache server

noreply@blogger.com (Ax0n) — Sun, 10 May 2009 13:05:00 +0000

Prerequisites
I'm assuming that you have a working OpenBSD/Apache/MySQL/PHP environment working prior to this, or at least have all the packages installed. We will be slightly modifying the MySQL startup process, and changing some stuff on the filesystem to allow the chroot to function properly.

Introduction to chroot
Chroot means "change root", and it's a way to spawn a process so that it has a different apparent root directory. Try as it might, this process cannot get to the "real" root. This has many advantages, especially with web servers.

While an operating system itself might be locked down like Fork Knox, the system's overall security is only as good as the applications that get installed on it. Just take a look at Milw0rm and you'll see that web application vulnerabilities are a dime a dozen. Local file inclusion and other vulnerabilities can sometimes allow an attacker to get to the very heart of the host operating system. With chroot, the attacker is unable to see the real operating system's environment -- in this case, only things within /var/www are visible to Apache and its sub-processes.

Path names that do not have a leading / will automatically use the "ServerRoot" directive (/var/www in OpenBSD) This is why you see lines such as "ErrorLog logs/error_log" in the configuration.

Basically, chroot is awesome. It's also a pain in the ass if you aren't used to dealing with it. Don't worry; I'm here to help.

Why isn't Apache always chrooted then?
There are things in the real operating system environment that the web server relies on. For AMP web applications, PHP needs access to the MySQL Socket (in /var/run/mysql). If you have Sessions enabled and using the filesystem, then /tmp needs to be accessible. Anything else in the "real root" that needs to be accessed must be re-created or hard-linked within /var/www as if it's the root directory.

Anything else in Apache's configuration that calls for path names with a leading / (VirtualHost, UserDir, etc) will be forced to use /var/www as its root as well. I do not recommend creating hard links from inside ServerRoot to external directories for web content. Instead, create subdirectories under /var/www for content (ex: /var/www/virtuals/HiRtest/ ) and grant write permissions for users who need it.

Fixing the broken stuff!
Most AMP packages only need somewhere to store Session information and a way to get to the MySQL socket. Since the real /tmp contains information that is not needed for Apache, we'll just create a new tmp directory specifically for Apache within /var/www and make it world-writable with the "sticky bit" set (exactly like the real /tmp)

sudo mkdir /var/www/tmp
sudo chmod 1777 /var/www/tmp

Next up is the MySQL socket. First, reproduce the directory structure for the MySQL socket under /var/www.

sudo mkdir -p /var/www/var/run/mysql  # -p creates subdirs as needed

Then, make sure the real mysql.sock file gets hard linked into the new directory. If you added the "mysql.server start" line to the end of /etc/rc.local, you can accomplish this pretty easily by adding a hard link command after the mysql server starts. I also added a line to remove the old hard link before starting MySQL. The end of my /etc/rc.local looks like this:

rm /var/www/var/run/mysql/mysql.sock
/usr/local/share/mysql/mysql.server start
ln /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock

Finally, make sure that you set the httpd line in /etc/rc.conf to look like the line below, unless you really need more options. Just make sure "-u" isn't one of them!

httpd_flags=""  # for normal use: "" (or "-DSSL" after reading ssl(8))

At this point, I would advise rebooting the system. While you can start and stop Apache and MySQL, it's best to make sure that everything will come back up and that the chroot hard link to the MySQL socket will be re-created properly upon reboot. Otherwise, you might find yourself with a problem later on.

After rebooting, Apache web server should have all its components working properly again within its chroot environment. In my case, I installed WordPress 2.7.1 before setting Apache to chroot mode. After simply restarting Apache in chroot mode, WordPress gave only an error message about being unable to connect to the database. After making the other changes above and rebooting, WordPress is back to life. The same should hold true for most other packages.

Friday Funny: Defaced software packaging

noreply@blogger.com (Ax0n) — Fri, 08 May 2009 18:10:00 +0000

As found in the tech museum at work...

A Windows XP package sporting a "May Cause Headache" pharmacy sticker and a "Warning DRM" sticker from Defective By Design

Also, all your database are belong to IBM.

Introduction to Snort IDS

noreply@blogger.com (Asmodian X) — Fri, 08 May 2009 00:00:00 +0000

Snort is a software package which monitors a network for suspicious traffic and provides advanced warning of an attack. Snort can also be useful in security failure mode analysis, where it can provide a log of network wide events over a pririod of time. Snort is open source software under the GPL License which means it is free to distribute provided the source is made available.

This article is intended for network administrators and requires an intermediate functional knowledge of server administration and networking skills in a Linux environment.

======ToC======
1. Introduction
2. Installation
3. Implementation
4. Monitoring
5. Informative Resources
===============

1. Introduction
The trouble with managing a network of any size is that we only know about a breach of security after it happens. Most servers have logging but so much is being logged that its impractical to keep up with it. Yet there are many vulnerabilities which manipulate the logs or the signs of the intrusion are so cryptic it blends in with the every day noise of doing business.

Firewalls and Anti-virus only detect a small portion of network security issues. Enter the next piece of the puzzle: The Intrusion Detection System. An IDS sits at the top level network and checks the network traffic for patterns of known attacks then logs them and it can be configured to provide advanced warning of an attack in progress.

SNORT is an IDS and is free open source software (free as in beer) which can be configured to fit almost any IDS role. SNORT is not the end-all be-all security technology, it is just another security tool to be used in conjunction with other tools and practices to keep your network safer.
Like all pattern recognition based security, it must be updated regularly to be able to detect new threats.

Most security vendors are moving towards a Unified Threat Management System, which pulls firewall, vpn, IDS, Antivirus/mal-ware into one centrally maintained appliance available by subscription.

2. Installation
For this example we will be using Ubuntu Linux Server Edition on a computer with 2 or more network adapters. Since snort will be performing a great deal of logging, the more space you make available, the better off it will be.

$sudo apt-get install snort

The package manager will download all of the dependencies and install them for you.
It will then ask you for the network range you will be monitoring. (ex. 192.168.1.0/24 )

Snort will begin logging traffic it sees in /var/log/snort/alert .

Syslog is the system log daemon which manages the various reports and logs which are produced by the services currently running on your machine. Should you need to report the information to a central server or log management database (like Cisco MARS) you can create a cusom local log by:

1. Edit snort.conf and add in output "alert_syslog: LOG_LOCAL4 LOG_ALERT"
2. Edit syslog.conf "local4.alert ww.xx.yy.zz" (Where ww.xx.yy.zz is the ip address or DNS name of your logging server.)
3. Restart Snort and syslogd

3. Implementation

Most networks use a switched network which means traffic not destined for your port on the switch doesn't go there. An intelligent switch can be configured to copy all traffic to your port in addition to its intended destination. This is the ideal solution in that if we are using Gigabyte Ethernet the only other option to sniff traffic is an active bridge or hardware Ethernet tap between the top level switch and the rest of the network. Gigabyte Ethernet uses all of the pairs of a cable for receiving and transmitting so creating a passive tap between it and another host would significantly change the electrical properties of the cable and cause significant degradation of signal. 10/100 Ethernet however only uses two pairs to transmit and receive so its possible to create a passive Ethernet tap where the sending and receiving pairs would be read by a nic on your sniffing machine. This is where the specification for two or more nic's comes in because you have to use one nic to read the transmit pair and one nic to read the receive pair.

4. Monitoring

The information from the Snort sensor is normally captured in a logfile on that sensor. We configured it to send the log information to a central syslog server. Snort also has plug-ins for MySql and Postgres SQL so the information can be accessed from a database, and also allows for the use of a web-front end. SnortCenter ,SAM and ACID are examples of a web based snort data viewer.

There are also stand-alone applications such as Razorback which can display Snort logs. Snort also has a iptables firewall plugin called Snortsam which can modify the firewall settings on the fly if prevention functionality is needed.

5. Informative Resources

Cisco Systems, Inc. "Device Configuration Guide for Cisco Security MARS, Release 6.x ." (Accessed May 2009)
http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/chSnort.html (September 2008)

Danyliw, Roman "Analysis Console for Intrusion Databases." (Accessed May 2009)
http://www.andrew.cmu.edu/user/rdanyliw/snort/snortacid.html (Last Update 3/9/2003)

Freiberg, Sam "Snort Alert Monitor." (Accessed May 2009)
http://projects.darkaslight.com/projects/show/sam

InterSect Alliance. "RazorBack: The SNORT GUI for displaying events." (Accessed May, 2009)
http://www.intersectalliance.com/projects/RazorBack/index.html

Knobbe, Frank "SnortSam." (Accessed May 2009)
http://www.snortsam.net/

The SNORT Team. "Snort - the de facto standard for intrusion detection/prevention." (Accessed May 2009)
http://www.snort.org

See Also:

Oprah, queen of the sheeple, promotes malware

noreply@blogger.com (Ax0n) — Wed, 06 May 2009 13:25:00 +0000

Oprah Winfrey. She mentions something, it turns to gold. Seemingly, any book, service or gadget she endorses immediately spreads like wildfire. Yesterday, it was KFC's new "Kentucky Grilled Chicken"

Today, I get all kinds of email from 'friends' (brainwashed sheeple) that "Oprah is giving away free chicken!" (Beware, I wouldn't click any links on that page without some security plugins like NoScript installed)

Oprah isn't giving away squat. Oprah's site links to unthinkfc.com (not linked), a site telling you to "unthink what you thought about KFC" (unsurprisingly owned by KFC), which links to Coupons.com. Coupons.com doesn't give you graphic representations of coupons. They install software that is supposed to keep ne'er do wells such as ourselves from printing off thousands of copies of these coupons. Obviously with the advent of cheap color copy/fax/print machines, this really doesn't stop us. But that's not the point.

Does this raise any red flags for you? It does for me!

Coupons.com installs its "coupon printer" application with classic spyware-like traits such as failing to actually uninstall itself when asked, tracking you and even printing information onto these coupons to correlate not only which coupons you print, but which ones get used and where. [Reference: Wired]

So congratulations, Oprah. Regardless your knowledge of the situation and likely without any ill will, you just pwnt almost all of your computer-owning sheeple. 9,000 Internets to you!

Update: unkinkfc.com now links to a PDF coupon download. Kudos to them!

One of the best 80s toys. Ever.

noreply@blogger.com (Ax0n) — Mon, 04 May 2009 11:29:00 +0000

Digging through the pile of history that time forgot, I ran into my old Tandy Armatron. The grease in its gears has deteriorated, as to be expected when something goes un-used for close to two decades. So, it was time to take it apart.

Let me tell you, this machine is considerably more complicated than you'd think, but it's back together and working better. Miraculously, this is the first time I've ever taken this thing apart. I would often take my toys apart for no good reason, and had varying degrees of failure and success in reassembly. I can guarantee that my younger self would not have had the degree of mechanical wherewithal required to get this thing put back together. It's easier than rebuilding a car engine, though!

While the Armatron seemed like a fairly useless device to many, the way it worked fascinated me quite a bit, and fostered my interest in mechanical things, robots, and remote control. My dad asked me if I can program it. I told him I could make it programmable. I wonder how hard it would be to make this work with a microcontroller?

Sysadmin Sunday: Updated OAMP: OpenBSD 4.5 Apache MySQL PHP

noreply@blogger.com (Ax0n) — Sun, 03 May 2009 13:52:00 +0000

It turns out that, just like with OpenBSD 4.4, It's a cinch to get a rock-solid web application hosting environment up and running with OpenBSD 4.5. In fact, the only thing that really changed is the version numbers. Just remember to either run these as root, or preferably add your user account to sudoers.

I'll keep this quick and easy. You can just reference my OAMP walk-through from 4.4 if you want to see some more output, but otherwise you can simply run these commands:

# sets up the path for pkg_add (I usually add these lines to my .profile)

PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.5/packages/i386/
export PKG_PATH

# Installing these two packages will fetch all the dependencies

sudo pkg_add php5-mysql mysql-server

# Copy the sample files into place

sudo cp /var/www/conf/modules.sample/php5.conf \    /var/www/conf/modules/

sudo cp /var/www/conf/php5.sample/mysql.ini \
    /var/www/conf/php5/

# Get MySQL started and the default database installed

sudo /usr/local/bin/mysql_install_db

sudo /usr/local/share/mysql/mysql.server start

sudo /usr/local/bin/mysqladmin \
   -u root password 'your-password'

# Set apache to start on boot by editing /etc/rc.conf


sudo vi /etc/rc.conf  
#(find httpd_flags once editing the file)

# use -u to disable chroot, see httpd(8)
httpd_flags=""
 -or-
httpd_flags="-u"

# Launch apache (unless you plan on rebooting when this is done)

sudo httpd

-or-

sudo httpd -u

# Set MySQL to start at boot

sudo vi /etc/rc.local
(add the following line to the end)
/usr/local/share/mysql/mysql.server start

That's really all there is to it!

If you run httpd in its default chroot mode, it can be difficult to get some AMP packages running properly due to the location of the MySQL socket and the php configuration. If you run httpd -u, most PHP5-compatible packages should just work with minimal effort.

I have never actually installed Wordpress before, and I got it up and running on OAMP (without chroot) in about 3 minutes by following the Wordpress instructions.

Next Sysadmin Sunday, I'll hopefully cover the things you should be prepared to do in order to run AMP packages in OpenBSD's default chroot environment. I've done it before (whilst working at a startup in 2006) but I'm a bit rusty.

Holy War: BSD Vs. Linux

noreply@blogger.com (Ax0n) — Sat, 02 May 2009 14:00:00 +0000

Ah, holy wars. vi vs. emacs. Mac vs. Windows. Marmite vs. starving to death. Who doesn't love a good, old-fashioned battle royale? Today, we're pitting BSD vs. Linux.

Background
Whilst in college, I was living in a bachelor pad with two other hackers. I'd been running Red Hat Linux 5.2 on my new PC for a few months when one of my roomies introduced me to FreeBSD 2.2.8. This single event sparked my love for BSD in general. Later, I'd come to really settle on OpenBSD. Over the last 15 years, I've written quite a bit about various operating systems including the BSDs. I by no means hate Linux. I still have to use it for some things. I simply have my gripes about it.

Leading up to the release of OpenBSD 4.5, I got in a few debates -- holy wars, kind of.

Wednesday, I got into a Linux/BSD debate with Mubix.

Then Ben, the instigator that he is, brought up a decent point in the public info-sec fora that is Twitter:
"... Why should I try [OpenBSD]? What advantages does it have over Linux?"

I, always ready to inject semantics to prove a point, started with the obvious: Linux is a kernel, not an operating system. I also quickly pointed out that Holy Wars are hard to do on Twitter. So here I am. Ben really wanted a comparison of OpenBSD vs. his current solution of Debian Linux.

Really, though, semantics have a lot to do with it. Linux is not a complete operating system.

Lineage of Linux
The Linux kernel itself is maintained by a core of kernel developers. Almost all Linux distributions come with the GNU system -- the so-called "userland environment" -- which was itself designed to replace the proprietary UNIX userland in the 1980s. The GNU system and the Linux kernel are developed independently of one another. In fact, Linus Torvalds was completing work on the Linux Kernel around the same time as The Free Software Foundation was putting the finishing touches on GNU. With these two free software components combined, a truly free operating system could be rolled out. This is, of course, why The Free Software Foundation prefers that people use "GNU/Linux" when talking about Linux as an operating system, rather than simply Linux as a kernel. Debian led the charge in adopting the GNU/Linux name.

This was all unfolding in the early 1990s, with the first distributions accessible to the masses around 1992 and 1993 with the popularity of dial-up Internet in the home and CD-ROM drives and media becoming less expensive and widely used.

Linux Distributions
While GNU and Linux combined make a bare-bones operating system with just enough tools to log in and compile software, it's not enough to be useful to the average person. To that end, groups package the GNU system, the Linux kernel and sometimes up to thousands of third-party packages into distributions. These distributions are complete operating systems: many of them are somewhat secure, stable, and usable for their given purpose.

Ubuntu, one of the more popular distributions, gathers praise for being one of the easiest for non-technical people to use. It also gets criticized by many technical folks who prefer something more svelte and minimalist. Those technical folks often choose Linux distributions that fit their needs: Arch Linux, Debian, or Gentoo. Likewise, corporations often spring for enterprise-supported distributions like SUSE Linux Enterprise Server or Red Hat Enterprise Linux. There are literally hundreds of active distributions, all of which loosely fall under the Linux umbrella. I do not have time to list them all, however I've touched on some of the more popular ones.

Configuration and package management
Package management systems, configuration tools, and other details vary widely between them. A sysadmin that uses SLES at work, for example, will probably have to spend some time figuring out how things with on Arch Linux or Debian GNU/Linux. Most Linux distros use a System V-style init based on runlevels. Configuring services and daemons usually involves messing with files and subdirectories in /etc/init.d/. The automated tools to do this, however, differ between families of Linux distributions.

Popular Linux package-management systems
RedHat Package Manager (Red Hat, SUSE, Fedora)
Debian Package (Debian, Ubuntu)
PacMan (Arch, Frugalware)
BSD-Derived Ports-like systems (Arch Build System, Gentoo)

Lineage of the BSDs
Berkeley Software Distribution (BSD) started as an additional package to go with Bell Labs' Unix Version 6. By the end of 1979, 3BSD was a complete operating system (kernel and userland) designed to run on DEC VAX systems. By late 1983, BSD had implemented TCP/IP. Legal troubles surrounding copyright of the source code held back BSD's development in the early 1990s, but by 1994, a portable, free operating system (4.4BSD-Lite) existed: a kernel and userland wrought from a very mature code-base written by a comparatively small group of developers. Development of BSD at Berkeley win 1995.

A more mature and unified kernel / userland code-base, and smaller development community are two major things that separate BSD-derived operating systems from Linux distributions. All BSD operating systems still package many other open-source tools such as X.org, Apache Web Server and perl. Many of the BSDs come with some or all of the above included by default. To that end, even BSD flavors are similar to Linux Distributions in that the release team can pick and choose what gets rolled in with the base operating system.

BSD Flavors
During the legal battle encumbering official development on BSD, a team of developers ran with some existing free software from the official 4.3BSD release, 386BSD and some GNU code as well. The result was FreeBSD. FreeBSD now focuses on cutting-edge hardware support, performance and scalability. More "liberal" than the other BSDs, FreeBSD isn't vehemently against closed-source binary drivers and allowing developers to sign Non-Disclosure Agreements with hardware vendors in the name of functionality -- practices that Linux developers regularly partake in.

Around the same time, NetBSD was also underway. Today, NetBSD focuses on clean kernel code that is extremely portable and easy to compile across almost every 32-bit computing platform. If your kitchen sink had a CPU, it could probably run NetBSD.

OpenBSD forked from NetBSD shortly after NetBSD's 1.0 release, mostly due to a falling out between Theo DeRaadt and the rest of the NetBSD developers. OpenBSD's primary focus has always been on security and freedom of code. Strict code audits, re-writing open-source replacements for proprietary services, and refusal to use closed-source binary "blob" drivers or sign NDAs are some key factors.

Configuration
FreeBSD and NetBSD have a somewhat "hybrid" init for services and daemons. For the most part, "easy" system configuration tools are only found in the installation tools and scripts. Configuration is typically done by modifying human-readable files and scripts in /etc that are well-documented with comment lines. The syntax of the system tools often varies slightly from the GNU equivalents found in Linux distributions.

Package Management
Binary packages are handled nearly identically across all three major BSD platforms, which borrowed the functionality from FreeBSD.

The Ports Tree is a staple in BSD derivatives. It is a skeletal directory of patches that can automatically fetch, build, and install source code including all dependencies. NetBSD refers to this functionality as "Source packages" because it uses the term "Ports" to describe porting the entire operating system to different architectures.

In praise of Linux
No one had really heard of GNU until the Linux kernel came along. It was the last piece of a huge puzzle. That puzzle was a free operating system that beat BSD to the target market by almost 3 years. It took the Internet by storm, engaging a new wave of passionate coders. As a catalyst, Linux has probably done more for the Free and Open Source Software movement than anything else to date. It also happens to be that Linux's threading is quite efficient, and the kernel scales fabulously from old 386 computers up to bleeding-edge supercomputers. For things where symmetric multi-processing and threading matters, such as databases, Linux can be a very hard competitor to beat.

My Linux gripes
I feel like there are too many cooks in the kitchen sometimes. Updates to the kernel and GNU sources happen fast and frequently from a very, very diverse and loose pool of developers. It's both good and bad. It also seems like every budding techno-junkie has thought that it would be a good idea to learn how to craft their own Linux distribution. There are too many to be useful. Fortunately, there's a relatively small group of distributions that really matter out here in the real world. Still, one has to experience many of them in order to be what I'd consider a Linux expert. When hiring a sysadmin with 3 years of Linux experience you really don't know if they will have any idea what to do with the flavor you've got deployed, without asking. I also dislike the ominous verbiage and forced-open source of the GNU Public License under which most of Linux and all of GNU is licensed. The GPL forces you to share the source code to anything you derive from GPL-licensed work. While it sounds noble, it's actually a restriction on what you can and cannot do. The license itself is incompatable with some other popular licenses, so you may not be able to use code from two different projects if you plan on releasing the end result to the masses.

In praise of BSD
I'm an OpenBSD fanboy, but I like NetBSD and FreeBSD as well. If you've used one, you will probably be comfortable using the others. They are fast and come installed with a fairly minimal set of tools, but it's very east to install the things you want and need in order to build your system up the way you want it. I don't know anyone who's tried BSD coming from another UNIX-like operating system background and not at least liked it. The BSD license has less restrictions on what you can do with the code. While a smaller core of developers generally means the BSDs have less support than Linux for bleeding-edge hardware, I like the fact that the BSD flavors are more mindful of what is allowed into the base operating system. In the case of NetBSD and OpenBSD, I see a lot of benefits that come from a strict code auditing framework. Recently, FreeBSD has been working on scaling CPU performance, but it's taken them a long time to catch up to Linux on enterprise server class hardware.

My BSD gripes
With few exceptions, BSD is usually slow to the game for adding exciting new features and hardware support. Because of this, there are still places where the BSD kernel lacks the performance of Linux. BSD is therefore often playing catch-up with Linux on performance, while Linux is busy adding new features.

To answer Ben's original questions:
Why should I use OpenBSD?
If you are the kind of person who likes a lean environment for your desktop or servers, you will probably like any of the BSDs. I'd recommend starting with FreeBSD, or if you're a die-hard command-line commando, OpenBSD. If you're serious about security and stability, OpenBSD is a good choice. BSD isn't for everyone, and there are some things that it's simply harder to to on BSD than it is to do on Linux. Running Mozilla with Flashplayer, for example. I honestly don't miss having flash. It's an annoyance to me, most of the time. Exception: When someone sends me a really funny video on YouTube.

What advantages does it have over Linux?
I think I've made plenty of points and counterpoints regarding the technical advantages of Linux and BSD. It's difficult to compare Linux (in general) and all the BSD flavors side-by-side. So my initial comment stands: "Seriously, more geeks should give this operating system a try!" You might just like it!

OpenBSD's philosophy and ease of use are what keep me coming back. Are those advantages over Linux? No. It's about personal preference.

Securing Php Web Applications

noreply@blogger.com (Asmodian X) — Fri, 01 May 2009 10:00:00 +0000

PHP is a popular server side scripting language, it's as simple or as complex as you want to make it. It is typically used along with Linux, Apache Web server and MySQL RDBMS. In most web applications the script acts on user provided information and returns processed data. To this end there are a number of simple steps you can take to help make your web application less vulnerable to exploitation by an unfriendly party.

This article is intended for beginning to intermediate web application programmers.

=======ToC=========
1. Introduction
2. Methods of input
3. Input data validation
4. Trusted processing
5. Database queries
6. Raising the bar
7. Informative resources
===================
1. Introduction

PHP is a HTML pre-processor, meaning that it reads a file before it is sent to the user and if it contains PHP script, it processes it and returns the document and the processed results to the user. There are many other technologies which do the same thing each with their benefits and flaws. The importance here is not to proclaim the benefits of PHP over the others but to show some good ideas of how to protect your applications from un-friendlies.

2. Methods of input

In PHP we can get information externally from the webserver itself ($_SERVER), Cookies ($_COOKIE), Get variables ($_GET), Post Variables ($_POST) . In addition PHP can internally connect to just about anything.

Example:
So when Joe, our end user goes to your website to check this weeks Fantasy Football scores on your website, he will login (sending login information using POST variables) to a script which then reads the login information and decides whether he can login. Then it returns a page with the result of his attempt and then either takes him to the next page or back to the login prompt. Once he is logged in, PHP sets a Cookie with a unique random session id. Every time a browser returns that cookie to a page, it knows that this session is good and belongs to Joe. Then Joe sorts his results page sending some criteria via a Get variable which is used to control a query to the sports database.

The important thing to know is that Joe can control everything he sends to the server. He can see the cookie contents, post data and get variables. Lets say that Joe wants to check a friends team score. The site allows Joe to sort his scores using GET variables. Joe just places in an escape character and appends some SQL to view his friends score.

3. Input data validation

Think of a web application like a game of D&D, if you are out on the desert plains with a 12th level Barbarian named Ogar, whats keeping the player from making Ogar go left when the DM expects the player to go right? There is no reason Ogar the barbarian can't sit down and whittle a set of dice, mark up a parchment with character stats and then play Cube farms & Bosses.

You have a nice HTML page which provides for the intended actions of the user but everything in the browser or on the computer is out of your control. Java script, plug ins, input, cookies and URLs are not controllable and therefore cannot be fully trusted.

The key is limiting the users choices, and abstracting their decisions. If your scripts inputs expect a phone number, then the input should only be numbers or else its invalid. If there is only search methods A,B or C then if the input isn't A,B or C then it has to be invalid. Simply filtering out known bad data such as embedded javascript isn't 100% effective, if the data type is contaminated it cannot be trusted.

The quality of the data you take in is important, the other part of this is abstraction of the users decisions. If a persons available choices are A,B and C, and internally you identify A, B and C as actions and everything else as false input then that is more effective than allowing user input directly control your data.

4. Trusted processing

Assuming that you have done your due diligence and secured your server, it is more trustworthy of a computing platform than your clients workstation. A clients workstation could be infected with mal-ware, it could have a malfunctioning or obsolete browser or the user could intentionally manipulate the http variables to trick the application. Input validation cannot be done using JavaScript alone, trusting JavaScript or any other plug in to obfuscate your applications process just isn't a good idea. Client side scripting is good for enhancing the presentation and for providing a means to communicate information effectively to the user but it should not be relied upon to process information.

5. Database queries

Filtering valid data is just one step, the other step is on your data sources such as MySQL, Postgres, Oracle ... most modern Databases allow you to do a prepared statement which auto-magically binds input into a SQL string. Because its binding data directly to a variable the chances that a user's escape string can hijack the SQL query is greatly diminished. By limiting the users input to only data and not to the program execution process you greatly reduce the possibility of your script becoming compromised.

For example:

"http://example.com/mypage.php?display=select * from mydatabase.mytable where user=Joe order by date;"

Including SQL in a user accessible variable is a really really bad idea. Even if it is on a link that Joe wont see and Java script is used to obscure the URL. Joe controls the machine so any obfuscation used will never be effective. What is stopping Joe from substituting "select 'joe' as user password as score, currdate() as date from mysql.users where username=root;"?

6. Raising the bar

There are alot of "Magic Bullet" solutions to web application security. Application firewalls monitor information going both to and the web application. SQL application firewalls filter out suspicious SQL commands going to your RDBMS server. For most developers, these solutions are
either too expensive or too complex to implement for individual web applications. Here are some PHP security plug ins and tools to help raise the bar on the cheap.

When you use this or any other security plug-in, it is vital that you evaluate your applications baseline performance to know what is normal behavior. For instance PHPBB2, a popular PHP bulletin board application display a large list of forums. And mysteriously the settings would not save. I was using Suhosin and this was caused because the number of variables being posted was above Suhosin's default limit and the script was aborting before it could save the changes.

On the server side there is Green SQL, which is a MySQL sanitizer/proxy. Then there is mod_security which hardens Apache and turns it into an application firewall. mod_chroot is similar in the basic functionality of mod-security except it just chroots Apache transparently to the user. Then there are web application security scanners such as the ones included in Nesssus.

Wapiti checks for cross-site scripting (XSS), injection and other common issues. OWASP's WebScarab is a good utility for testing user access to http variables on the client side and intercepting the raw http conversation between the client and the server.

7. Informative resources

Breach Security "Mod Security home page". (Accessed April 2009)
http://www.modsecurity.org

Dawes, Rogan "OWASP WebScarab Project" (Accessed April 2009)
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

Esser, Stefan "Hardened PHP Project" (Accessed April 2009)
http://www.hardened-php.net/suhosin/

Freitag, Pete "20 ways to Secure your Apache Configuration" (Accessed April 2009)
http://www.petefreitag.com/item/505.cfm (Posted Dec 5, 2005)

Green SQLProject "Green SQL home page". (Accessed April 2009)
http://www.greensql.net

Hobbit "mod_chroot" (Accessed April 2009)
http://core.segfault.pl/~hobbit/mod_chroot/

OWASP Foundation. "Main Page" (Accessed April 2009)
http://www.owasp.org/index.php/Main_Page

Tenable network security inc. "Nessus Product Page" (Accessed April 2009)
http://www.nessus.org/nessus/

The Apache Foundation. "Apache HTTP Server Project". (Accessed April 2009)
http://httpd.apache.org/

The PHP Group. "PHP: Hypertext Preprocessor". (Accessed April 2009)
http://www.php.net/

Surribas, Nicolas "Wapiti Web application vulnerability scanner / security auditor" (Accessed April 2009)
http://wapiti.sourceforge.net/

See also:
Ax0n's OAMP (Apache, Mysql, PHP on OpenBSD) Article:
http://www.h-i-r.net/2008/12/sysadmin-sunday-amp-on-openbsd-44.html

Asmodian X's Name based hosting mini-howto:
http://www.h-i-r.net/2008/10/sysadmin-sunday-apache-name-based.html

Asmodian X's Workbench - Suhosin :
http://www.h-i-r.net/2008/12/asmodians-workbench-suhosin-hardened.html

OpenBSD 4.5

noreply@blogger.com (Ax0n) — Thu, 30 Apr 2009 12:51:00 +0000

With a release date of May 1, OpenBSD 4.5 is probably going to be hitting the mirrors later today -- maybe late tonight.

Notable features and enhancements:
* Enhanced support for the sparc64 platform
* Support for more hardware monitoring sensors
* Lots of new or improved drivers for miscellaneous hardware
* Reliability and security improvements from 4.4, which was fraught with a couple of critical issues.

Thanks to Venture37, I've already got my hot little paws on 4.5; I didn't get to pre-order it. I plan on upgrading my main workstation to 4.5 over the weekend, but for the time being, this looks like a release worth upgrading to!

If you're not familiar with OpenBSD, it uses a "text-adventure" style installation script with a couple of very straightforward options. The only tricky part is partitioning and formatting the disk for installation. The Installation Guide can help you set up the disks.

Once installed, OpenBSD is "secure by default" without any remote services running other than the ones you specify. The only ones you can enable during installation are ntp and ssh (but they default to disabled).

OpenBSD's minimalist nature means that you're left with a powerful but svelte platform upon which to build to suit your needs: whether that's a workstation, firewall/router or an Apache/MySQL/PHP (OAMP) web-hosting environment. The installation media comes with apache, Xenocara (which includes Xorg), GCC, perl, Suhosin PHP and a host of other open-source components, most of which have been audited, patched and hardened by the OpenBSD dev team.

Related Posts:

Xorg.conf for OpenBSD on MacBook / Parallels

OpenBSD 4.4 / Apache / MySQL / PHP

Operating System Junkie