The real issue here of course is not that source to a popular AV app has been stolen – the core problems, that a lot of the commentary seems to be missing, is that of due diligence and vendor control.

Most companies will do some sort of due diligence on their suppliers. It varies between industries, and what the software solution is going to be used for – but usually things like credit checks, lists of reference sites, etc. are done. Depending on what the software does, the due diligence can also include things like looking at recent security audit reports, viewing physical and virtual site security procedures, and sometimes even penetration testing of the vendor.

But how many companies check who else has their vendor’s source? Is it held in escrow somewhere (which is very often a contractual requirement)? How secure is the escrow provider? Has the vendor done any deals with third parties that gives them access to the source? How secure are *they*?

Symantec’s problems are much greater than the loss of the source to an older version of Norton’s AV. They’ve suffered reputational damage because of the lapses of a third party – something they have no control over. The damage here is particularly severe, because Symantec have been growing their enterprise security business.

Customers will be asking awkward questions about how much of that Norton AV source has made it into Symantec’s other enterprise solutions. They’ll also be asking Symantec what other products the breached third party had the source to. These concerns will count heavily against Symantec in any competitive tender, and the damage for Symantec will continue for a long while after the noise around this breach has subsided.

The lesson to be learned from this – for both customers and vendors – is what impact loss of control over your source code has on your security stance, and the risks that that poses to your business. Both of these need to be factored into any vendor assessment and risk analysis.

I’ve been a big Nokia fan since the 9200 Communicator came out, all those years ago. Ahead of their time, the Communicators were everything a techie needed – a keyboard, a decent SSH app, serial connectivity to talk to device consoles, and a cracking email client. The current model, the E7, carries on this Communicator heritage, and really embodies the ‘converged device’ vision that Nokia have touted for quite some time.

Previously I’d been creating specific custom Symbian apps for clients, but have now started to roll out some of my most often used tools for download on Nokia’s OVI Store.

The main page for all of GAE’s apps can be found at http://store.ovi.com/publisher/GAE%20Ltd. Expect new apps, and more details of the existing ones, to be added to this site over the next month.

GCHQ only hire British citizens:
If you’re seriously doing this to look for a job, bear in mind that GCHQ will only hire you if you’re a British citizen, and have lived in the UK for the last 10 years. It’s a fun challenge, but if you’re from Sweden you’re not going to get a job at the end of it (but thanks for all the emails guys!).

You’ll want some sort of VM environment:
Really, I shouldn’t need to say this to anyone – but don’t trust random code from the Internet. Especially if it’s clear it’s coming from one of the top government security organisations. Grab Virtual Box and Backtrack and keep your main OS safe. I should stress that there’s nothing dodgy with anything in this challenge – but this is good practise and should be the first thing you do when tackling anything unknown.

The code in the image doesn’t reveal the keyword:
Look at the hex in the image. Some of the numbers there just don’t map to ASCII or EBDIC – not even in some of the wilder code pages. It’s not that easy.

There are three stages to reveal the keyword:
As you solve each stage, it will lead you to the next. Once you’ve solved the third stage, you’ll have the keyword you need.

Look for patterns in the hex:
I shouldn’t be giving too much away by drawing your attention to patterns in the hex. Yes, there are 16 numbers across – a word length maybe? But instead look at what those numbers are. Repeated numbers or letters are usually the sign of some sort of underlying pattern. If you’ve done any shellcode you should recognise 90 90 as NOPs.

Why is the code in an image instead of just text or HTML?
Think about this. How can information be conveyed in an image. Visual, yes – but what else? It’s a PNG – what else could that tell you?

Test your Google-fu:
This can be viewed as a shortcut, but also a good way to see if you’re on the right track. What else is being hosted on the challenge site? Besides, as with everything, there’s more than one way to solve a problem.

You’ll need to be able to write code:
Not as in ‘encryption’, but as in ‘program’. I’ll be the first to admit my code is shocking – it’s very much ‘solve the problem at hand’ rather than writing something elegant or re-usable. You’ll need to raid your store of scripts, apps, and hacks. Have a search to find existing code that solves similar problems, and then modify it.

Don’t assume everything is straight ASCII:
I would suggest it’s a good idea of have a Base64 decoder (like the one I’ve written for Symbian phones) and an assembler/disassembler. You’ll need to have a good idea of how those things work – or you’ll need to put aside some time to get to grips with them before you proceed.

Hopefully these pointers will help answer – or lead to the answer – to the most common questions I’ve been asked so far. They shouldn’t give away too much of the game, but I’m hopeful that these tips will get you in the right mindset to crack on with the challenge (pun intended).

As with many puzzles like this – and with a lot of security related work in general – it’s not the raw skills that really matter. Don’t get disheartened because you can’t write in a certain language, or you scripting isn’t up to scratch. If you can think in the right way to see a way forward, to string together small hints of information to work out a plan, then you can quickly learn what you need to throw together a tool or script to help you.

At the end of the day, it’s that mindset that is the most useful and sought after skill in any security work.

Historically GCHQ have recruited directly from Oxbridge, with a requirement of at least a 2:1 degree in the STEM subjects (Science, Technology, Engineering, Mathematics). In recent years, however, fewer students are taking these subjects – driven, in part, but the lack of jobs for graduates.

The problem for GCHQ is that the salaries on offer are meagre, to say the least. Littering their site with ‘cyber’ this and ‘cyber’ that is bad enough – but £31k per annum for a Senior Cyber Security Specialist position? With awareness of security issues rising across the IT industry, companies are paying top whack in order to attract the best talent.

GCHQ are competing against this, and despite a the recent UK Cyber Security Strategy allocating £650m to protect key UK assets, GCHQ still aren’t offering competitive salaries. Targeting graduates is one thing, but enticing top talent from the private sector is a different matter.

GCHQ should be applauded for this challenge. Not only has this raised the profile of the work they do, it’s also raised awareness of the sort of security challenges we can face. Critically, GCHQ have also acknowledged that their traditional recruiting methods are struggling to find suitable candidates these days, and they’re started trying to tap into a wider pool of talent.

There’s an interesting lesson there for any company that’s claiming it can’t find the right IT people in the current market conditions.

By now most people should be up to speed with the new features in Solaris 11, like the Automated Installer (AI) and the new IPS packaging system.

ZFS with encryption has been available since Solaris 11 Express was released a year ago. We’ve had a heads-up that support for 32bit x86 CPUs was being dropped, as was support for anything other than T and M class SPARC boxes.

However, there are some extra new features that have come to light with the FCS release:

• Password caching for su – this is an implementation in PAM that’s similar to the ticketing system used in sudo. Darren Moffat has an entry in his blog that details how to enable it.
• root is no longer a user, it’s a role. This been the case since Solaris 11 Express, and in OpenIndiana, but it needs repeating
• Encrypted user home directories, using encrypted ZFS and delegated key management
• SMF layers – basically allowing a way to apply and manage SMF properties and customisations. You can read more on Sean Wilcox’s blog here.
• Many new zone tweaks – Immutable Zones, zone boot environments, and different packages in the global zone and other zones
• Intel AESNI crypto functions have been added to OpenSSL. Previously in Solaris x86, the AESNI functions had been added to the kernel and pkcs11 libraries – now they’re available within OpenSSL as well.

If you can make it to Oracle’s City Office in London next Wednesday, the UK Oracle User Group Solaris SIG (yeah, I know, LOSUG was much less of a mouthful) are having a special Solaris 11 launch event, starting at 2pm and running through the normal meeting in the evening.

You can find more details on the Solaris SIG site here – it promises to be an interesting event that’s well worth attending.

Note that, in the previous post, for management of the Sun MC Agent, we didn’t add a specific command – we added an authorisation to the Profile.

Although this will configure RBAC to support this nicely, it actually won’t do anything – we need to specifically configure SMF on each host to support this extra authorisation.

Basically SMF has an all or nothing approach – applying the authorisation solaris.smf.manage will allow you to manage any SMF service – very much not what we want.

Instead we want to configure a specific SMF service – in this case, sunmcagent – to allow an authorisation string that lets us specifically manage this service – and just this service.

We do this by using the svcprop command on the specific host to directly edit the properties of the service.

First of all let’s list the service’s properties:

root@madlarry # svcprop -p general sunmcagent
general/enabled boolean true
general/entity_stability astring Evolving
general/single_instance boolean true

All fairly straightforward – the above tells us:

• the service is enabled
• it’s an evolving service, so the stability of it’s properties isn’t guaranteed
• there can only be a single discreet instance of this service

We want to add an additional property, our authorisation string.

We use the svccfg command to do this:

root@madlarry # svccfg -s sunmcagent setprop general/action_authorization=astring: 'solaris.smf.manage.sunmcagent'

Having done this, it won’t take effect until we refresh the service.

Check for yourself:

root@madlarry # svcprop -p general sunmcagent
general/enabled boolean true
general/entity_stability astring Evolving
general/single_instance boolean true

Then we refresh the service:

root@madlarry # svcadm refresh sunmcagent

And then check again:

root@madlarry # svcprop -p general sunmcagent
general/enabled boolean true
general/entity_stability astring Evolving
general/single_instance boolean true
general/action_authorization astring solaris.smf.manage.sunmcagent

Behold our authorisation string! Now SMF will recognise this string when passed from RBAC, realise we only want to manage this specific service, and the magic happens.

However – we still can’t disable this service.

That’s because the ‘disable’ action modifies the SMF service (by changing the value of the general/enabled property) – the other actions are all temporary, but disable is persistent across reboots.

To get round this we need to add another property, value/authorization, will gives us authority to modify the values for properties for that specific service when managing it.

Similar sort of options to svcprop to affect this change:

root@madlarry # svccfg -s sunmcagent setprop general/value_authorization=astring: 'solaris.smf.manage.sunmcagent'

Then we can refresh and review the change:

root@madlarry # svcadm refresh sunmcagent
root@madlarry # svcprop -p general sunmcagent
general/enabled boolean true
general/entity_stability astring Evolving
general/single_instance boolean true
general/action_authorization astring solaris.smf.manage.sunmcagent
general/value_authorization astring solaris.smf.manage.sunmcagent

So now the authorisation ‘solaris.smf.manage.sunmcagent’ is allowed to perform temporary actions and permanently modify the values of the sunmcagent service.

There’s a good BigAdmin article on configuring custom RBAC roles in Solaris here – highly recommended reading.

In this example I’ll work through how to allow a non-privileged user to manage the SMF service using by the Sun Management Centre (SMC) agent. We do this by modifying the SMF service to add an authorisation, and then defining with RBAC who is able to use that authorisation.

Setting up RBAC for this will involve modifying three of the RBAC configuration files:

• /etc/security/prof_attr (where RBAC Profiles are defined)
• /etc/security/auth_attr (where authorisations used by RBAC are defined)
• /etc/user_attr (where user attributes are defined)

First of all, we need to edit /etc/security/prof_attr to add a new profile for the SMC agent. The syntax is simple: the name of the profile, a description, and then any authorisations that are needed. Adding the following line will do the trick:

SunMC Management:::Manage SunMC:auths=solaris.smf.manage.sunmcagent

Authorisations are extra tags that are added to an SMF service’s properties – they’re the ‘glue’ that ties together the profile and the SMF service.

Next up we need to add a definition for the new authorisation, by editing /etc/security/auth_attr and adding the following line:

solaris.smf.manage.sunmcagent:::Manage SunMC Agent::

Finally, we edit /etc/user_attr to add in a new role, and then assign our newly created SMC Profile to the role. Add the following line to the file:

smcmgmt::::type=role;profiles=SunMC Management,All

Also within /etc/user_attr we need to assign the role to our users. Add in an entry for each user you want to be able to use the role, like this:

tom::::type=normal;roles=smcmgmt

The final stage required to setup RBAC is to add the role details to /etc/passwd and to add a group entry to /etc/group. This should be standard stuff, so I’ll just show the lines added to each file:

/etc/passwd

smcmgmt:x:10003:10003:SunMC Management RBAC Role:/export/home/smcmgmt:/bin/pfksh

/etc/shadow

smcmgmt:lku7RuB1d71jY:13162::::::

/etc/group

smcmgmt::10003:

As always for RBAC, it’s good practice to create a role, and get users to su to that, rather than tacking profiles onto existing users and pre-pending pfexec to each command.

That’s all for part one – we’ve setup RBAC and we’re ready to roll. Part 2 will cover how we actually modify the SMF service and tie everything together.

Update: You should also head over to Ben Summers’ blog, where he wrote up an excellent end-to-end guide on how to Control untrusted processes with Solaris SMF

You can grab the downloads from http://openindiana.org/download, with several options to choose from:

• Desktop DVD ISO
• Desktop USB installer image
• Server text-based CD ISO
• Server text-based USB installer image

You can browse the full OpenIndiana 151a release notes at http://wiki.openindiana.org/oi/oi_151a+Release+Notes

The EA Release is aimed at developers, to carry out testing and qualification of their applications. With the feature list and functionality frozen, barring some last minute bug fixes, this is what the final Solaris 11 release will look like.

You can find out more at Oracle’s Solaris 11 Early Adopter page. Download links are direct from there – but a quick warning: the only supported SPARC systems are M and T series kit.

Now’s the time to get to grips with the Automated Installer, ZFS root, and the other changes that Solaris 11 will bring.

IPS makes things a lot simpler for us, using the ‘search’ option to pkg.

Let’s check it out on an OpenIndiana oi_147 machine:

-bash-4.0$ uname -X    
System = SunOS
Node = grond
Release = 5.11
KernelID = oi_147
Machine = i86pc
BusType = 
Serial = 
Users = 
OEM# = 0
Origin# = 1
NumCPU = 4

The format of the search option is simple – just give it the full path to the file you’re interested in. In this example, I want to see which IPS package contains /usr/bin/ssh:

-bash-4.0$ pkg search /usr/bin/ssh
INDEX      ACTION VALUE       PACKAGE
path       file   usr/bin/ssh pkg:/network/ssh@0.5.11-0.148

Nice and simple, and certainly a lot easier than the old method of invoking pgchk.

pkg search will take a number of extra options:

-bash-4.0$ pkg search -? 
Usage:
        pkg search [-HIaflpr] [-o attribute ...] [-s repo_uri] query

pkg search will also allow wildcards, like ? and *, as well as specifying a particular IPS repo, with the -s option – which is very handy when you have a custom repo for your infrastructure.