October 31, 2003

Windows Services for Unix

Have you been on a Windows machine and wished you had your favorite Unix tools, and don't want to install cygwin?

Consider checking out Microsoft's Windows Services for Unix. I was surprised to find out that it won the Open Source Product Excellence Award for Best System Integration Software at the LinuxWorld Conference & Expo. That's right, a penguin gave a bear an award.

Personally I really like cygwin, but I never knew this even existed. I will have to take a look and see how well integrated it is. Having clean NFS support to my Linux and BSD boxes could be very useful without the hacks I have had to do as of late. Then again Samba 3.0 works just great on the Windows side of things.

Anyways, if you are finding yourself more and more using Windows and need your Unix tools, here you go.

Posted by SilverStr at 10:52 AM | Comments (1) | TrackBack

October 30, 2003

Standardizing Authentication Using the Security Assertion Markup Language (SAML)

Security Pipeline published an article on how to use Security Assertion Markup Language (SAML) to provide authentication. It's a pretty good read, even if you are not an XML/SAML demi-god.

I still think there needs to be vendor buy-in for this. Standardizing a markup language which is fragmented will not help the industry at all. Everyone has to get together and agree to this thing. Of course, the same could be said of the HTML standard *lol*

Posted by SilverStr at 10:09 AM | Comments (2) | TrackBack

October 28, 2003

Carnivore DCSNet running over Sprint's network

Well, according to an article at Government Computer News the FBI have signed onto Sprint Corp.’s Peerless IP fiber network, which operates independently of the public Internet.

Why? So they can provide secure VPN to over 59 undisclosed locations which are running DCSNet (formerly called Carnivore until it was beaten to death in the media). DCSNet's purpose is surveillance of phone call detail and content traced by law enforcement. It also extends surveillance to e-mail communications.

Big brother is watching. Let the conspiracy theories commence!

Posted by SilverStr at 01:24 AM | Comments (1) | TrackBack

October 27, 2003

NSA Cisco Router Security Guidelines

If you liked the NSA Security Guidelines I recommended for Windows way back in May and wished they had similar documents for your network hardware, fear not! Today the NSA released the National Security Agency Security Recommendation Guides for Cisco Routers.

If you have Cisco gear, you may want to read up on this.

Posted by SilverStr at 05:23 PM | TrackBack

Next-Generation Secure Computing Base (NGSCB)

Just finished reading an interesting article by Microsoft entitled Next-Generation Secure Computing Base: Development Considerations for Nexus Computing Agents.

In it Microsoft talks about a new system of separating code into trusted and normal modes, which they refer to as Nexus Mode and Standard Mode. In Standard Mode, nothing really changes... the Windows kernel uses its existing system to maintain operations. However, when in Nexus Mode there is a better level of assurance when it comes to secure input/output, protected memory, sealed storage (great for storing keys) and attestation.

By writing Nexus Computing Agents (NCA), a developer could provide a more trusted environment through the Nexus Security Kernel than that of the standard Windows kernel, which has become very brittle over time. The result is an innovative platform that provides a more secure and trustworthy computing environment to Microsoft Windows users.

Not sure what to make of it. I hope that they will be giving me access to this at the DevCon at the Microsoft campus next month, so I can understand it better myself.

Any way you look at it, it's something interesting to read. Happy reading.

Posted by SilverStr at 01:01 PM | TrackBack

October 26, 2003

The Anatomy of a Bug

I just finished reading a blog entry by a Microsoft tester on the anatomy of a bug. It's really interesting to hear how a really small and silly bug can balloon into a testing nightmare.

As I was reading it I was saying to myself: "Developer did a naughty thing and trusted a foreign key location that he doesn't control. Easy fix: recreate the key each time the key could be used, and fail cleanly if perms do not permit that."

Well, that ended up being the fix, but I never fathomed the amount of testing around the fix that would be needed. Especially when it has to be translated into 20 languages. Man, i18n is a pain.

Well worth the read, if only to glimpse the testing required to fix a bug at Microsoft.

Posted by SilverStr at 08:33 AM | TrackBack

Threat Modeling for Drivers

I found a good paper on threat modeling device drivers for Windows. If like me you spend a lot of time writing kernel-mode code for Windows, it is important that you read this paper.

It covers STRIDE modeling right up to DREAD analysis. I really appreciate publications like this coming out of Microsoft. Thanks.

Happy reading.

Posted by SilverStr at 12:10 AM | TrackBack

October 25, 2003

Secure Coding Techniques - Validating User Input

David Wheeler (of Unix Secure Programming HOWTO fame) published a secure programming article this week on validating input.

The presentation I give to the local universities on secure coding techniques is pretty much what David is talking about here. You cannot trust data that crosses from an untrusted boundary, such as user input, into the trusted boundaries of your code. You must validate all user input.

More to the point, you should consider all input suspicious until proven otherwise. This means you don't check for WRONG data; you only accept data that is formatted correctly. Everything else is denied!
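As an added example (not from the post or from David's article), here is a deny-list check next to an allow-list check so the difference is concrete: the deny-list enumerates bad substrings, the allow-list accepts only input that matches an explicit format. The username format, the deny-list and the sample inputs are all constructed for the demonstration.

```python
"""Deny-list versus allow-list validation of a username field.

Added example, not code from the original post or from David Wheeler's
article. The accepted username format and the sample inputs are
assumptions made for the demonstration.
"""
import re

# Deny-list approach: enumerate the bad things we can think of.
DENIED_SUBSTRINGS = ("../", "<", ">", ";")


def denylist_is_clean(value: str) -> bool:
    """Return True if none of the known-bad substrings occur."""
    return not any(bad in value for bad in DENIED_SUBSTRINGS)


# Allow-list approach: define exactly what a valid username looks like
# and reject everything else.  Hypothetical rule for this example:
# 1 to 32 ASCII letters, digits, underscore or hyphen, starting with a letter.
# fullmatch() is used rather than match() with '$', because in Python '$'
# also matches just before a trailing newline and would accept "alice\n".
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,31}")


def allowlist_is_valid(value: str) -> bool:
    """Return True only if the whole value matches the accepted format."""
    return USERNAME_RE.fullmatch(value) is not None


def validate_username(value: str) -> str:
    """Accept only a well-formed username; raise on anything else.

    The caller gets a value it can trust or an exception, never a
    'cleaned up' version of bad input.
    """
    if not allowlist_is_valid(value):
        raise ValueError("rejected: username does not match the accepted format")
    return value


# Constructed inputs: the deny-list passes most of these, the allow-list does not.
SAMPLES = [
    "alice",          # fine under both
    "bob-42",         # fine under both
    "..\\etc",        # backslash traversal: deny-list only knows "../"
    "alice\n",        # trailing newline: deny-list misses it
    "alice\x00",      # embedded NUL: deny-list misses it
    "alic\u00e9",     # non-ASCII: deny-list misses it
    "a" * 40,         # overlong: deny-list misses it
    "<script>",       # caught by both
]


def compare(samples=SAMPLES):
    """Return {sample: (denylist_clean, allowlist_valid)} for each input."""
    return {s: (denylist_is_clean(s), allowlist_is_valid(s)) for s in samples}


if __name__ == "__main__":
    for s, (clean, valid) in compare().items():
        print(f"{s!r:18} deny-list clean={clean!s:5} allow-list accepts={valid}")
```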

Any way you look at it, it is always good to remember this technique. David does that well in this article.

Happy reading.

Posted by SilverStr at 04:25 AM | TrackBack

Obfuscating C# to Thwart Reverse Engineering

Microsoft released another good article (that's three in one day!) on obfuscating your code to prevent reverse engineering. This has been a problem that has plagued me in Java for years (although the obfuscators were getting better).

If you don't know, obfuscation is a technique that provides for seamless renaming of symbols in assemblies as well as other tricks to foil decompilers. When it is properly applied, obfuscation can increase the protection against decompilation by many orders of magnitude, while leaving the application intact. Obfuscation is commonly used in Java environments and for years has been helping companies protect the intellectual property in their Java-based products.

Read this article to learn how it can be done for your C# apps.

Posted by SilverStr at 04:17 AM | TrackBack

Keeping Your Data Secure with AES

Microsoft released an interesting article on using the new AES standard within C# under .NET.

This article even includes some significant information on the algorithm itself, and how it's implemented within the .NET architecture. It also includes a full example on encrypting and decrypting .NET data!

Nice little article to add to your arsenal if you are working on .NET.

Posted by SilverStr at 04:12 AM | TrackBack

Expert Tips for Finding Security Defects in Your Code

Michael Howard released a new article for Microsoft on how to review and audit your code to find security defects.

If you read some of his previous writings (like one of my favorite books, "Writing Secure Code") you won't find anything new here. But for a lot of you, this is a great topic to continue to read up on. It never hurts to be reinforced with the same useful information.

Happy reading.

Posted by SilverStr at 04:07 AM | TrackBack

October 24, 2003

Flea: New Email Virus tried to attack me

Well, apparently there is a new worm out there called Flea. This little sucker can execute automatically when users open HTML formatted emails in Microsoft Outlook or Outlook Express. Unlike most Windows nasties, the bug does not depend on a user opening an infectious file to do its mischief, and guess what... I almost infected myself.

I say almost, because a funny thing happened. My latest work with my Intrusion Prevention System (IPS) that provides mandatory access control included a new feature this week. I added the ability to shield the 'Windows base install directory' from untrusted access. This was accomplished by setting a security policy which allows read and execute access to the systemroot directory (normally c:\windows on XP) and all its subdirs, but prompts the administrator with a default DENY if anyone attempts to write or delete anything in the Windows directory, unless it's Windows Update.

Well guess what? This morning in my inbox was what seemed to be a harmless message that passed my SpamAssassin server filter and my host-based anti-virus scanner. When I clicked on it I was prompted by my IPS code that there was an attempt to write to the Windows directory, something I know I didn't ask for. I clicked the "Deny Access" button and the attack ended. It stopped the propagation dead in its tracks, and the 'Flea' was dead.

I am kinda happy I added that feature this week. It has already paid for itself by protecting me. The anti-virus product I use from NAI didn't have a signature for this beast. And therein lies the problem with all such products, not just NAI. Signature-based policy enforcement alone is not enough. Strong security policies which use anomaly detection with least privilege go a lot further.

In my case, I was protected from this unknown threat because I had already determined that there is no reason for anyone or anything to write to the Windows base system unless it is Windows Update itself. (Well, to be honest there are some other policies as well to allow logging etc., but that is out of scope of what we are talking about.) In applying this policy, it doesn't matter if a new strain of this attack occurs. Its propagation is blocked because it goes against the nature of the policy defined.
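To make the policy above concrete, here is an added example (not the author's IPS, which is a kernel-mode driver) that models the same rule in user-mode Python: reads and executes under the system root are allowed, writes and deletes there are denied unless the requester is on a short trusted list, and every denial is logged. The process image names, the trusted-writer list and the sample events are assumptions constructed for the demonstration; it also shows why the path must be canonicalised before the prefix check.

```python
"""Default-deny write policy for the Windows base install directory.

Added example modelling the policy described in the post; it is not the
author's driver code.  Process names (msimn.exe, wuauclt.exe), the system
root and the sample events are assumptions made for the demonstration.
"""
from dataclasses import dataclass
import ntpath

SYSTEM_ROOT = r"C:\WINDOWS"                 # assumed XP default systemroot
TRUSTED_WRITERS = {"wuauclt.exe"}          # assumed Windows Update client image
READ_OPS = {"read", "execute"}
WRITE_OPS = {"write", "delete", "rename", "create"}


@dataclass(frozen=True)
class AccessRequest:
    process: str   # image name of the requesting process
    op: str        # one of READ_OPS | WRITE_OPS
    path: str      # target path exactly as the process supplied it


def canonical(path: str) -> str:
    """Normalise a Windows path so the prefix check cannot be fooled.

    ntpath.normpath collapses '.', '..' and forward slashes; casefold
    handles NTFS case-insensitivity.  8.3 short names and junctions would
    need resolving against the live file system and are out of scope here.
    """
    return ntpath.normpath(path).casefold()


def under_system_root(path: str) -> bool:
    """True if the canonical path is the system root or lies beneath it."""
    root = canonical(SYSTEM_ROOT)
    p = canonical(path)
    # Compare on a separator boundary so C:\WINDOWSX is not treated as inside.
    return p == root or p.startswith(root + "\\")


def decide(req: AccessRequest, log: list) -> str:
    """Return 'allow' or 'deny' for one request, appending denials to log."""
    if req.op not in READ_OPS | WRITE_OPS:
        log.append(f"deny unknown op {req.op!r} from {req.process}")
        return "deny"
    if not under_system_root(req.path):
        return "allow"              # this policy only shields the system root
    if req.op in READ_OPS:
        return "allow"              # read/execute is always fine
    if req.process.casefold() in TRUSTED_WRITERS:
        return "allow"              # Windows Update may modify the directory
    # Default deny: anything else trying to modify the Windows directory.
    log.append(f"deny {req.op} {req.path} from {req.process}")
    return "deny"


# Constructed sample events, roughly what the post describes.
SAMPLE_EVENTS = [
    AccessRequest("msimn.exe",   "read",  r"C:\WINDOWS\system32\kernel32.dll"),
    AccessRequest("msimn.exe",   "write", r"C:\WINDOWS\system32\flea.exe"),
    AccessRequest("wuauclt.exe", "write", r"C:\WINDOWS\system32\ole32.dll"),
    AccessRequest("notepad.exe", "write", r"C:\Documents and Settings\u\notes.txt"),
    AccessRequest("msimn.exe",   "write", r"C:\Documents and Settings\..\WINDOWS\x.exe"),
    AccessRequest("msimn.exe",   "write", "c:/windows/system32/y.exe"),
    AccessRequest("msimn.exe",   "write", r"C:\WINDOWSX\z.exe"),
]


def run(events=SAMPLE_EVENTS):
    """Evaluate every event; return (decisions, denial log)."""
    log = []
    decisions = [decide(e, log) for e in events]
    return decisions, log


if __name__ == "__main__":
    decisions, log = run()
    for e, d in zip(SAMPLE_EVENTS, decisions):
        print(f"{d:5} {e.process:12} {e.op:6} {e.path}")
    print("\n".join(log))
```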

Man what a neat way to see my code work in action when I wasn't expecting it! Good way to end a great coding week!

Posted by SilverStr at 11:45 AM | Comments (2) | TrackBack

October 23, 2003

Troubleshooting Internet Connection Firewall on Windows® XP

Today Microsoft released a nice Troubleshooting Internet Connection Firewall on Microsoft® Windows® XP document that steps you through the proper configuration of the ICF.

If you are running or administering Windows XP or higher, you should probably download this document and ensure that you have configured your firewall correctly. (Assuming of course that you are using ICF and not some other personal firewall)

Happy reading.

Posted by SilverStr at 05:52 PM | TrackBack

Microsoft talks about Internet security

There was an interesting article I read this morning in which Bob Muglia (Senior VP at Microsoft) is interviewed by C|NET News on Internet Security.

It is always interesting to listen to various people at Microsoft speak about security. They all have the same message, but with different undertones. Nothing really new in the interview, but it was interesting how Bob explained the "shield" Ballmer talked about last week.


Posted by SilverStr at 10:36 AM | TrackBack

User Interaction Design for Secure Systems

Following up on my previous post about Secure Interaction Design, I found Ka-Ping Yee's paper on User Interaction Design for Secure Systems worth the read.

The security of any computer system that is configured or operated by human beings critically depends on the information conveyed by the user interface, the decisions of the users, and the interpretation of their actions. This paper establishes some starting points for reasoning about security from a user-centred point of view: it proposes to model systems in terms of actors and actions, and introduces the concept of the subjective actor-ability state.

If you are interested in understanding this model of thinking as it relates to the user experience in secure systems, it is well worth your time to check this out.

Happy reading.

Posted by SilverStr at 10:18 AM | TrackBack

Secure Interaction Design

Recently Brian was commenting on User Interface Guidelines and provided some useful links to the guidelines for different platforms. With iTunes now available on Windows, it was funny to see Apple guidelines applied to a Windows platform.

What interested me was not the guidelines themselves, but how devoid they were of any discussion of security aspects with respect to the UI. Now before you jump down my throat and quote Microsoft's own Steve Lipner and say "Usability, flexibility, security are a set of trade-offs", I would like to alter your thinking and dispute that by saying that "usability and security aren't contrary goals; we shouldn't assume that we must sacrifice one for the sake of the other".

In fact, a system that's hard to understand and use will almost certainly have security problems in practice. And a more secure system is a more reliable, more effective system: hence, a more usable system. Here's a definition from Garfinkel and Spafford's book, Practical UNIX and Internet Security:

"A computer is secure if you can depend on it and its software to behave as you expect."

Doesn't that look like it would be good for usability, too?

Now, I wish I could take credit for this thinking. But I cannot. The last paragraph is actually a quote from Ka-Ping Yee, who has devoted time to develop a site in relation to Secure Interaction Design. In it, he points to various papers that support his argument, and comes to suggest a list of ten principles for secure interaction design:

  1. Path of Least Resistance. The most natural way to do any task should also be the most secure way.
  2. Appropriate Boundaries. The interface should expose, and the system should enforce, distinctions between objects and between actions along boundaries that matter to the user.
  3. Explicit Authorization. A user's authorities must only be provided to other actors as a result of an explicit user action that is understood to imply granting.
  4. Visibility. The interface should allow the user to easily review any active actors and authority relationships that would affect security-relevant decisions.
  5. Revocability. The interface should allow the user to easily revoke authorities that the user has granted, wherever revocation is possible.
  6. Expected Ability. The interface must not give the user the impression that it is possible to do something that cannot actually be done.
  7. Trusted Path. The interface must provide an unspoofable and faithful communication channel between the user and any entity trusted to manipulate authorities on the user's behalf.
  8. Identifiability. The interface should enforce that distinct objects and distinct actions have unspoofably identifiable and distinguishable representations.
  9. Expressiveness. The interface should provide enough expressive power (a) to describe a safe security policy without undue difficulty; and (b) to allow users to express security policies in terms that fit their goals.
  10. Clarity. The effect of any security-relevant action must be clearly apparent to the user before the action is taken.

Further to this, he has created an excellent poster that now hangs on my wall which reflects these principles. It looks something like this:

If you are interested in usability in software, while at the same time achieving your security goals, consider browsing this site on Secure Interaction Design. It's well worth the effort.

Posted by SilverStr at 09:58 AM | Comments (2) | TrackBack

October 21, 2003

Ballmer says Linux not accountable for security

According to Steve Ballmer, the rivalry between Microsoft Windows and Linux comes down to the basic question of whom customers should trust.

There is an article in which Mr. Ballmer says that "There's no roadmap for Linux. Nobody is held accountable for security problems with Linux."

I do not see how the open development process of Linux equates to the fact we should blindly trust Microsoft. There is a definitive path for kernel development, just as there is for Windows. And, does this mean we can now hold Microsoft accountable because Steve says we can? If so, I would like to know who to send the bill to for all the overtime InfoSec people are putting in cleaning up the mess of the recent months.

Anyways, I don't have enough time in the day to criticize such erroneous thinking. I think Mr. Ballmer needs a tutorial on Crystal Box security vs. Black Box security thinking, and then equate the word "TRUST" accordingly.

You should read the article yourself. Ballmer makes the Microsoft position that they should be trusted because they have the infrastructure to properly address security patches. This is the SAME infrastructure that released the ORIGINAL code that had security issues, and the SAME infrastructure that did the "amazing code audit" as part of their Trustworthy Computing Initiative.

Should we trust this SAME infrastructure? No, I think not. Want to earn my trust Microsoft? How about taking these actions:

  1. Perform a 3rd Party Code Audit from an UNBIASED source. Do not pick vendors who are loyal to you and would rather FIRE an honest report rather than accept it.
  2. Stop all new development and refactor the brittleness in your existing systems. We have to wait until 2006-2007 for Longhorn server. Why not invest 6 months bringing the NT core up to date, which your own teams at Microsoft admit was not designed with Secure Coding Principles in mind? You would strengthen your system exponentially and could carry it on for use in Longhorn.
  3. Provide an integrated patch management system that works not only with your OS, but with the applications on the same platform.
  4. Release a public API for this patch management system so other vendors can use the same infrastructure. Consider looking at how well Debian's apt-get works. A customer could simply add another vendor's "server" to the list of server sources and get updated with dependencies on the fly.

Take these steps and I will begin to consider trusting you more openly.

P.S. In all fairness, Microsoft IS getting better. But this is the type of thing where "Trust, but Verify" is in order. Blind trust is NOT an option yet.

Posted by SilverStr at 01:45 PM | Comments (1) | TrackBack

Security Considerations in SDLC

Today I stumbled upon an interesting gem published by NIST this month as Publication 800-64. This paper is entitled Security Considerations in the Information System Development Life Cycle, and is work in which the National Institute of Standards and Technology makes recommendations on a framework that incorporates security in all phases of the system development life cycle (SDLC).

I haven't had a chance to completely read through it in depth, but from my first reading it seems well thought out and provides good guidelines for any project that should include security during the early stages of design, rather than later on in the implementation/operational stages of deployment. (Well, to be honest, this should ALWAYS be the case anyways, since it's much more expensive to bolt on a hacked security solution after the fact.)

Happy reading!

Posted by SilverStr at 10:25 AM | TrackBack

October 20, 2003

War Nibbling: Bluetooth Insecurity

Today I had a chance to read an interesting paper on the insecurities of Bluetooth. @stake published a paper called War Nibbling: Bluetooth Insecurity which goes into detail discussing the protocol's design and implementation flaws. Well worth the read in itself.

On top of that, today they released Redfang - The Bluetooth Hunter, an information-gathering tool which exploits the weaknesses found in their paper.

Interesting stuff. Happy reading!

Posted by SilverStr at 11:55 AM | TrackBack

Yet another Linux distro for InfoSec Pros

In my opinion, one of Linux's most powerful attributes is also one of its worst failures. Everyone shouts out that "choices" are good. And to a point, I agree with that. But today I learned on freshmeat that there is yet ANOTHER Linux bootable CD distro focused on Information Security Professionals, called L.A.S.

I do not mean to criticize L.A.S. as I haven't tried it, but I don't need to. From their own admission, it's based on Knoppix. *sigh* So why not help out the Knoppix-STD project that's been around for a while! This is one of the failings of Linux. Everyone wants to build their own tools instead of getting together, consolidating talent and making a kick-ass product. The Knoppix "Security Tools Distribution" is something I have talked about before, and is something I enjoy using. More to the point, it is exactly what InfoSec personnel need in their toolkits. The effort that could go into making it better (like better audit reporting facilities for forensic purposes etc.) would be way more productive than patching together yet another distro.

But I digress. If you want to try 'yet another distro' for InfoSec purposes, consider seeing if L.A.S. is to your liking.

Posted by SilverStr at 08:39 AM | Comments (4) | TrackBack

October 18, 2003

Characterizing the Performance of NIDS

I just finished reading an interesting paper in which the authors measure and compare two major components of the Network Intrusion Detection System (NIDS) processing cost on a number of diverse systems to pinpoint performance bottlenecks and to determine the impact of operating system and architecture differences.

Surprisingly, the results show that even on moderate-speed networks, many systems are inadequate as NIDS platforms. You should read it for yourself to make your own interpretation.

Happy reading.

Posted by SilverStr at 11:56 AM | TrackBack

October 17, 2003

A+ on Microsoft's Report Card

Recently Scoble was giving Microsoft a report card on how they were doing. It is easy to criticize Microsoft due to its very size, and the fact we have had to put up with a lot of crap over the past few years as they dominated our lives.

What was funnier was that the last time I saw Scoble, I discussed how I didn't feel Microsoft was small-ISV friendly, as I couldn't afford to buy all the software to run a Microsoft shop. Which was and is why I run Linux on all our servers.

But today I want to give Microsoft some praise. More to the point, I would like to give Microsoft an A+ on working with small ISV like me. And I don't say that lightly. I mean it. Today I am impressed with something I heard about Microsoft's outreach to small ISVs like me.

You see, I complained a while ago about how expensive it was to tool up to do Windows kernel-mode development. I was spoiled by all the free tools I have used on Linux and Unix environments for the past 7 years and forgot how much tools on Microsoft platforms cost. I spent thousands of dollars on new development tools (DDK, IFS Kit, Visual Studio etc. etc.) and easily spent enough money that I could have bought a good used car so I could deliver pizza or something.

Well, today Joel on Software posted something that made my head spin around. After calling my Microsoft rep to check in about this, I now retract my comments and would like to apologize to Microsoft... at least to a limited degree. I think they were wrong in selling me stuff when they knew this program existed. Or at least this information should be more readily available so more people might transition back from a Unix world to the Windows world for development.

What am I talking about? I am talking about the Empower Program for ISVs that Joel talked about today. For $795 US I am going to be getting:

  • 5 copies of MSDN Universal (which includes basically everything a dev needs)
  • 5 copies of Windows XP Pro
  • 5 copies of Office XP

I am also getting a software license with 5 Client Access Licenses (CALS) for:

  • Microsoft Windows Server 2003
  • Microsoft Exchange 2000 Server
  • Microsoft SQL Server™ 2000
  • Microsoft SharePoint™ Portal Server

Kudos to Microsoft on such a program. And thanks to Joel for pointing it out to me. Only wish Scoble would have known this so he could have told me before I sunk cash into everything else.

Posted by SilverStr at 01:46 PM | Comments (1) | TrackBack

October 16, 2003

NIST releases Guidelines on Network Security Testing

Today NIST released Special Publication 800-42, Guidelines on Network Security Testing.

It's a thorough document to say the least. Well written though, as should be expected of NIST. The guide stresses the need for an effective security testing program within federal agencies, and goes in detail on how to do so.

I like reading resources like this. I hope you like it. Happy reading.

Posted by SilverStr at 10:57 AM | TrackBack

Microsoft's IT Pro Security Zone

By way of Scoble I found out that Microsoft has launched the IT Pro Security Zone. It's a site to get answers to your security questions and connect with your community. You can find dynamically generated links to the most active security newsgroups, discussion topics, and KB articles. You can also find the latest security updates, downloads, FAQs, and articles from MVPs just waiting to help.

I think this is a pretty good resource to have on hand if you are administering a Windows environment.


Posted by SilverStr at 09:19 AM | TrackBack

October 15, 2003

PDC Security Symposium

Ok, now I am vexed. I decided not to go to the PDC because I wasn't all that interested in learning about Longhorn, especially since it's at least 3 years away. The information on the tracks had very little to do with security, and I thought nothing of it.

Today I get an update from MSDN telling me there is now a Security Symposium which would have been right up my alley. And guess what... the PDC is sold out. :(

Grrrrrrrrr. Well, that's ok. I am more looking forward to the DevCon Microsoft is hosting on campus in November. That should be a pretty good conference with lots of good security tracks. I am hoping to make that one. So, if you are in the Seattle area I will probably be found in Building 33 during the conference, and in the evenings free to partake in Seattle's goodness. I know I am going out with Scoble a bit, and hope to catch a beer with Michael Howard, but short of that... pretty available in the evenings. Drop me a line if yer interested.

Posted by SilverStr at 01:25 PM | Comments (2) | TrackBack

10 steps to a successful security policy

ComputerWorld has an article which discusses 10 steps to a successful security policy.

Nothing really new here, but a good primer for those who don't know how to do it. And you really should be doing this.

Happy reading.

Posted by SilverStr at 01:12 PM | TrackBack

Remote Debugging over DCOM

Well, I have been hung up for over a week with a weird bug in one of my C# apps. What made it even more difficult to track down was that I had to run it in a VMWare session, because it is unstable and does nasty things to the system due to its interaction with my kernel-mode driver. (Can you say corrupt the system when you hit a single button... a scriptkiddie paradise.... weeeeeeeeeeee)

Well the solution was to use remote debugging. Sounds easy enough. Ya right.

The idea of remote debugging is sound. I use remote debugging over serial... well, a named pipe actually, pretending to be a COM port with VMWare. You can see my HOWTO on that over here. This works great and I have been doing this sort of debugging for over six months now.

So what harm could there be of also remote debugging my application?

Well now that was a pickle. I read every document on MSDN, in the Help docs and through newsgroups. All I had to do was install Remote Debugging Components within the VMWare session and it should work fine. NOT.

Tried asking around on IRC and Usenet. I am told to use TCP/IP debugging. After spending a few hours looking at how to do this and trying to set it up, I find out it only works for native C/C++ code, and will not work with stand-alone C# apps. Grrrrrrrr. Waste more time putting everything back the way it was.

Finally I figure I am going to bite the bullet and just install Visual Studio in VMWare and debug it locally. Of course that fails twice (stupid autorun on my host machine STILL runs after I set AutoRun to 0 in the registry). In desperation I step back and decide to rethink my strategy. I have wasted a week trying to get this working, and nothing is helping.

After spending most of last night googling every combination I could think of for "remote debugging C# application" I found the jewel that saved my life. I found a document over at gotdotnet.com that was written by Min Kwan Park, a guy within the Microsoft CSharp Debugger QA team. The topic of the document? "The VS7 Debugger doesn’t work. What can I do?". No way. This can't be. Sure enough the answer sits in the last few paragraphs of the document.

On XP Pro, because of the default security setting for "sharing and security model for local accounts", this remote debugging is not allowed by default.

GRRRRRRRRRRRRRRRRRRRRRRRR. It's an undocumented setting that has to be changed for remote debugging to work! Well, to be fair I guess it was documented in this jewel, but it wasn't found during the last week of searching on MSDN, the VS help docs or even the newsgroups.

So now everything is working great. With my multiple monitors I have one hosting my remote debug session of my kernel driver with WinDbg and the other hosting my remote debug session of my C# app in the Visual Studio .NET debugger. 2 minutes later I found my bug. (And god, what a dumb bug it was.)


Posted by SilverStr at 10:16 AM | TrackBack

October 14, 2003

Celldar - The next radar?

BusinessWeek reports on a new technology that uses ubiquitous cell-phone signals to create cost-effective radar through cell towers!

This is a really kewl approach to the radar issue. Because it's a passive system (there is no transmitter, only a receiver) you could not actually pinpoint the location of the celldar station, rendering it invisible to you, but allowing it to see everything.

It sounds exciting. You can use all the cell towers around the country to map out movement of virtually anything, or anyone. (Uh oh... the privacy people are gonna go nuts.) An interesting tangent from this is that Lockheed-Martin is building a system using FM radio and TV signals to do the same thing. With these signals being much stronger, they can actually do passive radar as far as 135 miles away. They call the technology Silent Sentry, and I can see why. And the kicker: instead of spending $20-$30 million on a radar system, these things can be made for like $20,000. HUGE savings that can be passed on to the right people. Imagine every airport now having radar! (Most don't, you know.)

This has to make you think though. If you can triangulate a cell signal from 3 towers, and then lock onto the user holding the phone, you could "mark" him and then use the software in celldar to track him. Go ahead Osama, make that next phone call!

Fiction becoming reality? We will have to see.

Posted by SilverStr at 05:10 PM | TrackBack

My Latest installation eXPerience

Today was the day of the turkey. Thanksgiving feast for us all. Or so I thought.

While visiting family for the holiday I helped my mother-in-law get her computer fixed up. She has an old HP Pavilion 6640C with 64 megs of RAM, and wanted to get her computer to go faster. She bought some goodies (256 megs of RAM and a new OS) and had them waiting for me when I arrived for Thanksgiving dinner.

No worries, I thought to myself. This should be a piece of cake (or pumpkin pie, as it were).

6 hours later, I finally finished up the hell that was to be known as this year's Thanksgiving feast.

Oh, this wasn't like any installation I had before. I was expecting this install to be easy. I even brought a CD with XPSP1 on it knowing I would need to do some patching. But I never realized how much patching I had to do.

It all started with the switch from Windows 98 to XP Pro. It seems HP will not support such an upgrade, because it was never tested in their lab. They would prefer that you buy a new machine. Umm... no. Not gonna happen. They use their computer to surf the net and do the occasional email, which they even do in a browser via Hotmail.

My first install of XP failed. BIOS incompatibilities. No ACPI support. Ok, that sucks. Need to find a new BIOS. None exist. Google. Lots of complaints, but no solution in the form of an updated BIOS. HP won't release one. Ok fine. Figure out how to get around ACPI. Ahh, Microsoft has an undocumented secret key to do just that. Hit F7 as soon as Windows Setup starts, and it toggles ACPI support. Guess I hit it one too many times, as I toggled it off and back on. Install failed. Realize that I must have hit F7 twice, and reinstall again. Ahhh.. worked this time.

Now, this 6640C is pretty slow compared to what I normally use. The install took over an hour. Halfway through an error occurs and COM+ cannot be registered. Damn. Dinner time.

[Rush through my dinner in no time fast, not getting a chance to really ENJOY the festivities]

Ok, back. Install still hooped. Reboot. XP recovers nicely and continues on, only backtracking part of the install. Install completes and I am thinking the rough stuff is over. Dumb assumption on my part.

So after the reboot I set up the accounts, and throw in the XP SP1 CD I burned. I thought I was being smart because I thought ahead to download the huge (120+ meg) service pack, as I wasn't looking forward to downloading something like that over a modem. I start the upgrade, minding my own business and reading more of the book I took along (Beyond Fear by Bruce Schneier. My second reading of it. Good book).

At about 90% complete something weird happens. A dialog pops up and says some RPC services are corrupt and are shutting down. A few more errors occur and I realize that I just got nailed with an RPC/DCOM attack. How the hell? Oh crap, there is a DSL modem on the floor. Parents upgraded to broadband and I forgot about that. The damn XP default network setup configured itself and Telus had this completely unprotected and exposed XP box for the glorious scriptkiddies to nail. And they did. Oh yaah... now I gotta friggin patch an exploited box.

Well, luck be a lady.. the service pack was installing and had an exclusive handle on some of the files, so the exploit didn't actually attach itself to much. And with nothing configured or installed yet, the malicious code had nothing left to propagate with. Oh thank heavens, I was not wanting to reinstall XP again.

So after I reboot (no choice, basic Windows services died when the penetration happened and COM services were toasted) I unplug the DSL modem and let the service pack install. While it's installing I clean up the residue from the attack, set up the XP firewall and prepare to plug this thing back into the Net. (At this point it's a 'thing' now... it lost the honor of being a computer, as I now regret agreeing to fix it during a fantastic Thanksgiving feast.)

So I go to do a Windows Update. 27 critical security patches that total over 38 megs. Well, at least there is broadband now, so that shouldn't take long. *sigh*

The download did indeed come down lightning fast. But then the patching started. This is where life became fun. It took over 3 hours for the 27 patches to get applied. I could do nothing... it just went on its way with the hard drive writing like mad and the CPU crying for some free cycles. Just when I thought it was freezing up, another HD write would occur and I realized this little machine was doing its best to keep up.

Finally contented with a 3 hour 'Windows Update' (and the luxury of looking through my wife's family photo albums for those 3 hours) I was finally prompted for a reboot.

The restart was agonizing. It chugged and churned and I was sure the thing was hooped. 5 minutes later, somehow, somewhere, the gods looked down and said "that's enough pain for Dana, he can have more torture tomorrow when he needs to fix DCOM remote debugging issues on his own box". It came up. And it was good. It was FASTER than Win98. It was prettier. And it was now 11:30. Time to go home, and eat leftovers from the feast.

Moral of the story? I dunno, pick from the many veins this eXPerience can be read from. I look at this as a positive experience though. I again am taught about the fallibility of human beings and the false sense of security I thought I had during the install. (Thanks, script kiddie.) I am so used to flawless XP installs on my machines in a 'clean room' that is properly firewalled and segmented off so I can go to town upgrading quickly. I also got another side benefit. I am trying to lose weight anyways, so I didn't have time to gorge on all the yummy food! Of course, just thinking about it has me hungry, so I think I will go make myself a small plate and head to bed.

Hey, I hope your Thanksgiving was better than mine. If you haven't had Thanksgiving yet, remember not to get roped into fixing the in-laws' computer during the upcoming dinner!

Posted by SilverStr at 12:53 AM | Comments (6) | TrackBack

October 13, 2003

It's Official: No Longhorn Until 2006

Microsoft Watch reports that at Microsoft's worldwide partner conference this week, Microsoft finally admitted that Longhorn won't see the light of day until 2006.

What saddens me is that this means the Longhorn SERVER won't be out until sometime in 2007. Wow, that seems like a long way off to wait for the next server platform release, which will include all the new security tidbits that the Longhorn project is keeping under lock and key.

It also makes you wonder how good the PDC will be. If they are waiting 3 more years before Longhorn's release, shouldn't they have waited a year or so before announcing things, since 3 years is a PRETTY LONG TIME in Internet time?

Posted by SilverStr at 03:54 PM | Comments (2) | TrackBack

T-Mobile to use PEAP for Secure 802.11 Auth

The Seattle Times reports that T-Mobile is going to roll out 802.1x authentication using secure EAP (actually they will use Protected EAP, better known as PEAP).

Early in the new year, users of Windows XP will be able to get a patch from Microsoft which will include 'Wireless Provision Services', giving them their own separately encrypted local channel. This is exciting, as it means that customers with the right software and without VPN access suddenly have a very high degree of local link security and integrity.

I like the idea of Hotspots. And I like how T-Mobile is approaching it. I wish them great success!

Posted by SilverStr at 08:18 AM | TrackBack

October 12, 2003

Floating data storage

There has been a long thread on Bugtraq about a paper released called Juggling with packets: floating data storage. In the paper, the authors explore the possibilities of using certain properties of the Internet, or any other large network, to create a reliable, volatile, distributed data storage of large capacity.

The idea is that, as opposed to traditional methods of parasitic data storage (P2P abuse, open FTP servers, binary Usenet postings), the use of floating data storage 'on the wire' may or may not leave a trail of data. In other words, you could throw your warez into a network stream and never fear getting caught. Turn the power off and it goes away.

This of course isn't completely true. You can easily record anything that touches the wire, but the theory is quite interesting. Instead of fretting about scrubbing data off your hard drive you can simply NOT store it. Not sure if I would appreciate a few gigs of data floating on my network, but hey, it's not my idea.

It would be interesting to see where this might lead. There have been various views on this on the Bugtraq list if you are interested.

Posted by SilverStr at 07:53 AM | TrackBack

Site face lift

I decided to do a face lift on the blog, I hope you like it. It's now done (well, as much as I wanna do tonight anyways).

There are some pretty ugly CSS hacks in there which probably fail every friggin validator out there. But it renders in IE, Mozilla, FireBird and Opera. I would expect most others are fine.

Shouldn't matter though, since you SHOULD be reading my blog via RSS in your aggregator! :)

I have added some references to some of my favorite books on my bookshelf, as well as some of my favorite papers. These are of course subjective, and chosen on a whim. Some are old and outdated, but are references I seem to always remember in the back of my head.

Hope you like the new site.

Posted by SilverStr at 12:30 AM | Comments (8) | TrackBack

October 11, 2003

Blog changes in Progress

I am going to be overhauling my blog tonight, so bear with me if you encounter layout issues and other such problems.

I will post when it is complete.

Thanks for your patience.

Posted by SilverStr at 09:16 PM | TrackBack

October 10, 2003

Terrorism Information Awareness Program Shut Down

Inside DARPA, Admiral John Poindexter ran the Information Awareness Office and was building a vast computerized terrorism surveillance system. This system included some pretty kewl surveillance software, and was starting to be known as the watchdog of the American people, scanning personal records and building profiles of suspected terrorist-like activities.

Well, Wired reports that the project has been cancelled. Some software will be picked up by other government agencies (i.e. read: the National Foreign Intelligence Program will use the processing, analysis and collaboration tools for counterterrorism foreign-intelligence purposes).

Now Americans can feel free to buy the Anarchists Handbook online or check out Nuclear Fusion For Dummies without being targeted by DARPA. You'll just be flagged in the FBI database. Oh wait, you weren't supposed to know that.

Posted by SilverStr at 10:42 AM | TrackBack

Nice Tablet PC

I think I found the machine I might start drooling over. Scoble points out that Acer is coming out with the Travelmate C300, which is a souped up Pentium M 1.5 GHz with 512 megs of RAM, a 14.1 inch display, a 40 gig hard drive and all the trimmings.

My laptop is much too slow to do development with Developer Studio, and I am going to need to upgrade soon. Although my desktop machine works great (and I don't know if I can live without my dual monitor setup) I spend a lot of time away from it in places where I could be productive if I had one of these things.

It has up to a 5 hour battery life, which isn't too shabby, and even has a built in bay for a CD-RW/DVD combo. My only complaints are that it doesn't have Bluetooth and the thing weighs in at 6.2 pounds. My laptop right now is only 2 pounds, and I don't think I would want anything much heavier. (Ya, I have been spoiled.)

Chances are I will end up buying a lighter one that is used on eBay or something. As much as this thing looks neat, I am not sure if I wanna pour $2,299 US into something that is 6.5 pounds. I'm told NEC has some of the lightest Tablets. I will have to check that out one of these days.

Posted by SilverStr at 08:50 AM | Comments (5) | TrackBack

October 09, 2003

Microsoft Security Patch Management

Everyone likes to knock MS for security patches. Solas had a good rant on it today. I think we need to remember that there are improved ways to deal with security in Windows environments, it's just that not many people know about them.

Microsoft released a data sheet today about their Systems Management Server 2003 product and how it deals with Security Patch Management. You can improve the security posture of your Windows environment through increased vulnerability awareness and reliable targeted delivery of updates. (Their words, not mine.)

If you want to try to understand what SMS is about, you might wanna read this. You might find it useful when exploring what tools to use to manage security for your Windows platforms.

Posted by SilverStr at 04:32 PM | Comments (2) | TrackBack

Canadian government invests in rural connectivity

Here is why I love being a Canadian. The Government of Canada announced a strategic initiative through which they plan to extend broadband Internet connectivity to the nation's most remote communities via satellite.

We are one of the best wired nations because we would rather build infrastructure and build the foundation of knowledge for our children so we can grow as a better nation, rather than spend billions of dollars meddling in other countries' affairs. I am impressed by how the government intends to utilize this new connectivity. As an example, in rural communities where it might take days to get health care due to distance, doctors/nurses can quickly perform some consultations with videoconferencing equipment. In some cases, the doctors could even be in Toronto, Vancouver or even overseas. That's just kewl!

I am proud to be Canadian, as I always am. But things like this make me glow inside. What a great country to live in.

Posted by SilverStr at 09:04 AM | TrackBack

October 08, 2003

Microsoft details new 'Secure The Perimeter' Initiative

CRN has an article in which Bob Muglia (senior VP at Microsoft) discusses Microsoft's next-generation security initiative.

Basically he is saying what I have been preaching for years. Defense in depth with least privilege policies, while at the same time separating roles and responsibilities. Top that off with secure defaults (why the heck hasn't the built-in firewall been on by default since it shipped?).

Time will tell if Microsoft will get this right. I hope so. I know they are trying, and if this article is any indication they are on the right track.

I love how the article ends. Both Muglia and Microsoft CEO Steve Ballmer admit [security is] a bigger worry than Linux.

Posted by SilverStr at 06:28 PM | TrackBack

PayPal Store Front Vulnerability

Securiteam reports that a vulnerability in PayPal Store Front allows remote attackers to include arbitrary PHP files (which are then executed), stored either locally on the server or remotely.

In other words, your cart is in doodoo if an attacker decides they wish to include an external file and execute arbitrary commands with the privileges of the web server (typically www-data or nobody).

Credits to Astharot over at Zone-h for the original security advisory.

So, if you are using the PayPal store front for your eBusiness... you might wanna look into this.

Posted by SilverStr at 05:56 PM | Comments (2) | TrackBack

Updated SANS/FBI Top 20 List

SANS has just updated their list of The Twenty Most Critical Internet Security Vulnerabilities.

Not much unexpected here with the plague of issues we have had recently, but it's always interesting to see a list like this compiled.

Posted by SilverStr at 05:44 PM | TrackBack

ENORMOUS Update to NMap 3.48

Congrats to Fyodor and the crew over at insecure.org for the latest update to NMap. If you check out the change log, the number of version detection patterns has increased to over 663 signatures! This means that it now checks over 130 services for 663 different signatures when you use the -sV switch. And more to the point, the version detection algorithms were improved for higher speed and accuracy.

Happy scanning.

Posted by SilverStr at 01:24 PM | Comments (1) | TrackBack

IBM unveils wireless IDS service

Infoworld reports that IBM launched a new managed IDS service for wireless today.

Apparently the IDS can detect the presence of unauthorized ("rogue") access points, denial of service attacks, improperly configured access points and compromised Wired Equivalent Privacy (WEP) encryption keys. Sounds nifty.

The kicker.... they use small embedded Linux devices to do it!

Posted by SilverStr at 01:19 PM | TrackBack

October 07, 2003

Wicked MSDN issue on Security

Holy crap! You would think the guys on the Microsoft camp are thinking about security or something.

I just noticed (thanks to Scoble) that November's issue of MSDN Magazine is choked FULL of articles on security. Makes me wish I had a subscription. I think it's time to drop by the campus to say hi to Scoble again so I can pick up a copy.

Man it looks like a good read. If you get MSDN Magazine, you won't be disappointed. I know some of the authors of those articles, and they know their stuff!

Scoble, expect a visit dude!

Posted by SilverStr at 09:36 PM | Comments (2) | TrackBack

.NET Show on Tablet PC

I just finished watching the latest .NET show, which is all about Tablet PC.

I REALLY wanna get one of these things. Even more so than a PowerBook. I could see myself walking around in slate mode, reading, blogging and coding much more.

If you are into Tablet PC, you should check this out!

Posted by SilverStr at 03:43 PM | TrackBack

Why Customer Service is Important

I have always enjoyed the insight Tom shares with us through his blog over at A Shareware Life, since as a fellow developer working with the shareware model, it is good to learn from other's experiences.

I just finished reading a post from him, which I really don't agree with. I know EXACTLY what he is saying, and have on NUMEROUS occasions fallen into this trap in the past.

I would guess he was a bit perturbed and stressed as he posted, as his insight has usually been extremely positive towards the customer experience. Even though he means well and just wants to fix the problems the customer has, it's the underlying attitude that might be something to look at. His post was uncharacteristic of him, and is something I would like to respond to in a constructive manner. (Please take no offense Tom, I mean you no personal disrespect.)

One of the worst things we did back in the Merilus days was have an internal attitude towards customers that was negative. Worst were the developers. Support engineers would commonly refer to difficult users who had no clue what they were doing as id-10-t errors (read it closely... idiot). Even though we had some of the best customer support reps on the phones, whom customers were always happy with, we still had a negative position deep within the company. Once a sale was made we rarely followed through to ensure their satisfaction. And we would easily get frustrated when customers couldn't communicate what issues they were having. Saying "it doesn't work" drove us batty.

Worse yet was that we never had any real policies defined on how to deal with our customers. I routinely would ask for a customer service plan, and would get useless flow charts that didn't really mean anything. We had nothing written down for the whole company to read on how we would deal with our customers. (Customer service has to be a company wide effort, not just a few amazing service reps on the phone.) I started getting frustrated, and when we would have potential customers who would take up DAYS of man hours in the support system I would start asking the support team WHY we were wasting our time. We were losing money on people who weren't even buying the product!

I WAS WRONG. Since then, I have actually invested time and money in a few courses on strengthening customer service and my attitude towards it. It is one thing to always seem nice on the phone, but it is entirely different to take the position that great service is measured by customer satisfaction first, and gross profits second. Training at SEP taught me that.

One of the text books I got in one of the courses had an interesting set of stats that relate to customer loss:

  • 1% die
  • 3% move away from the platform
  • 5% buy from friends
  • 9% prefer a different brand
  • 14% have a service problem that is not resolved
  • 68% leave because they feel employees are disinterested in giving service

The disinterest is driven by how you position your attitude. If you feel negative or show any form of negativity towards the customer experience, it will be negative. It is all about the mindset, and no one wants to admit it.

I look at Tom's problem and remember feeling that way. WAY too many times to admit. The reality is that every time a customer complains it's an opportunity to improve our business. There was a survey done years ago which showed that a satisfied customer tells eight people that he or she is pleased. A dissatisfied customer will tell twenty people about his or her unfortunate experience. A customer who was dissatisfied and had a tough problem resolved to their satisfaction will tell sixteen people he or she is pleased. Clearly fixing the issues where dissatisfaction exists has the most benefits, even though it takes more work. And by doing so and then applying what we learn from that experience to prevent it from happening again, we are actually investing in the success of our business.

Tom talks about how he wants customers to act responsibly and follow his company's "Customer Responsibility Policy", which defines to him in some respects how to be a good customer. I'd like to respectfully turn that around. It's already implied that they want to be a good customer. They have invested money and expect that the product simply work. The attitude should not be "Be a good customer to me". It should be "How can I strive to beat my customer's expectations and satisfaction".

How could this be done? Well I agree it is never helpful to get reports like "it doesn't work". Instead, provide a mechanism for them to report an issue to you in a positive and productive manner.

Each company will have their own way of dealing with this. I am not sure how you would do this. Perhaps it is in a better customer service portal which can screen incidents better by hand holding them in a more structured manner. (I recommend the use of ServiceTraq by CyberHQ, it works great for my needs.) Perhaps it is some sort of incident reporting system built into the software. If you use a defect tracking system, perhaps you can help get defects/bugs reported through a much easier to use interface which can extract common questions (platform, versioning etc.) and insert them for the user. Making the customer experience better by being able to listen effectively is key. The communication between you and the customer has to be easy for them, so they will talk to you! There is an old story that drives this point home:

I'm a nice customer. You all know me. I'm the one who never complains, no matter what kind of service I get.

I'll go into a restaurant and sit quietly while the waiters and waitresses gossip and never bother to ask if anyone has taken my order. Sometimes a party that came in after I did is served before me, but I don't complain. I just wait.

When I go to a store to buy something, I don't throw my weight around. I try to be thoughtful of the other person. If a salesperson gets upset because I want to look at several things before making up my mind, I'm just as polite as can be. I don't believe rudeness in return is the answer.

The other day I stopped at a full service gas station and waited almost five minutes before the attendant took care of me, and when he did, he spilled gas on my car and never cleaned the windshield. But did I complain about the service? Of course not.

I never kick. I never nag. I never criticize. And I wouldn't dream of making a scene in a public place, as I've seen others do. I think that's uncalled for. No, I'm a nice customer. And I'll tell you who else I am...

I'm the customer who never comes back!
-Author Unknown

Get the picture?

I am not perfect in this. I have fallen into the trap Tom has many a time. But when I finally realized that without the customer we are nothing, it totally changed my outlook on customer service. I now have a detailed customer service plan which includes conflict resolution, how to deal with difficult customers and how to increase customer satisfaction and retention. I treat it much like I do my business plan. A living document that changes and gets better as the business progresses. I learn from experiences I have with customers and apply it to make my company better.

I don't make the customer work for me, I work for the customer. And that makes all the difference. Tom ended his post with "Be a good customer". I'll respond by simply saying "You will be satisfied. I will be a good vendor".

Posted by SilverStr at 01:50 PM | Comments (3) | TrackBack

October 06, 2003

Half-Life 2: Black Box vs. Crystal Box Security

Well if you haven't heard, last week Valve Software (makers of the Half-Life game) announced that they were systematically hacked, with the ultimate result being that their latest source code to a game not yet released (Half-Life 2) was stolen, and they had to push back the release date.

Today there was an interesting article over at Digit Magazine which includes quotes from Gabe Newell that made me shake my head.

One of Gabe's comments is that they now have to do an exhaustive code audit to look for bugs because the code is now out there for hackers to view. Umm, you mean you wouldn't have done one otherwise? I begin to get frustrated when I hear this from companies that have the resources to do so. (We all should do code audits anyways, but I can understand that resource allocation issues exist in small companies.) No software is perfect, and there will always be bugs. But if you are ready to ship (they were planning to ship Sept 30th before the theft), wouldn't you have already done this? I like the old rule that you should always keep your code in a shippable state.

This is what I hate about the paradoxical argument of crystal box vs. black box security. Security by obscurity will always be trumped by those willing and able to break it. Why do you think crypto algorithms that are vetted by tonnes of people do better and last longer than secret, home-rolled private ones? Because they are reviewed and beaten to death by the masses. The real strength of the cipher is in keeping each key safe, not in the secrecy of the algorithm. Now I am not saying that Half-Life 2 should be open sourced so the world can audit it. What I am saying though is that if you have a reliance on black box security to keep you safe, there is something wrong there. A determined member of the underground with little more than a SoftICE debugger and some time will get through anything you try to hide in code on Windows.

This became even more apparent at the end of the article, when they brought up the point that it will be much too easy to make new mega cheats for the game. Outside of the cheats for local play (wanna cheat yerself... go right ahead) the only real threat here is network play. I can understand not wanting god like powers as you play multiplayer. But this is where interactive synced comms should come into play so no one machine can do this.

I feel for Gabe and the team at Valve Software who have worked so hard and have had their software stolen. This isn't right. It's their intellectual property and no one has a right to steal it like they did. I just came off IRC and was offered the source twice. I obviously did not partake, but its distribution is running rampant right now.

So don't let the bastards win on IRC. When Half-Life 2 comes out, go buy a copy and help out Valve Software, so they can come out with a better version and hopefully fix their design philosophy in regards to black box security. And more to the point, enjoy the game. If it's anything like the original.... it will be great fun!

Posted by SilverStr at 03:35 PM | Comments (1) | TrackBack

Windows PostThreadMessage() Arbitrary Process Killing Vulnerability

SecurityFocus has a report of a new vulnerability which can cause any process in Microsoft Windows to be killed with a specially crafted message, due to a design flaw in PostThreadMessage(). There is even an exploit showing how this could be done.

What is scary about this is the fact that, if the reports are true, a running process that has a message queue and is sent one of 3 different messages may terminate. This termination occurs despite any security level differences between processes, and despite any safeguards meant to prevent this behaviour, such as requiring a password before the process is killed.

I've seen something similar to this before in something Mark wrote at SysInternals. But this is one of those things that is so trivial to exploit, but so hard to fix. Not sure what to make of it.

One thing that never made sense to me is the lack of information on message processing based on privilege. Try it yourself. As a normal user, use runas to run something with Administrative privileges that requires UI updates. I use explorer.exe as an example. Right click in a folder and create a new file. You won't see the file, or be able to "edit" the name.

When an update message is called, it gets gobbled. So in many cases you have to manually get the app to refresh (F5) to see any changes. For some reason it suppresses the messages. So why wouldn't the message processing between security contexts be able to do the same thing to reject a WM_QUIT message from a lower-privileged process? Seems silly if you ask me.

Posted by SilverStr at 12:46 PM | Comments (2) | TrackBack

October 05, 2003

SecurID Token Auth Emulator?

Last week I talked about the fact there was a nice OpenSSH patch for SecurID, but that it wasn't that useful without an Ace/Server.

Well, it got me to thinking. About three years ago I wrote an Ace/Server emulator that used part of an old algorithm I found on BugTraq to be able to authenticate my tokens through a Java server. It didn't use Ace/Agents and was only designed to authenticate access to the Java app. Worked really well. I never released it publicly out of respect for RSA and for the fact that I was an RSA partner.

Well, I have been rethinking the idea of releasing a similar token validation emulator.

Now, typically if I ask a question on the blog most people email me privately because they don't want to register their name, email etc. I respect your privacy, and I am ok with that approach. However, I am hoping what I am about to ask will get some public responses so I may gauge accordingly.

I am thinking of porting my Java code to Perl and posting it up on Sourceforge. The idea would be to create a pure Perl server that could allow small businesses like my own to use the powers of RSA's two factor authentication without the need to spend thousands upon thousands of dollars for an Ace/Server, and who do not need the full functionality of a real Ace/Server.

The idea would be to make an emulator that could expose functions similar to an Ace/Agent (or perhaps even use an Ace/Agent) to authenticate to the Perl Server and expose 2 factor auth to OpenSSH and Apache. The feature-set would be limited to:

  • New PIN Mode
  • Token Resync (via Next Token) for Timing Drift
  • Normal Passcode
  • Token import (via RSA diskette)
  • Token Revocation

To maintain cross platform use and minimize the installation complexity I would use flat files for config and logs. This means it should work unaltered in most Unix environments, and on Windows. This also lets me limit the feature set in a way that provides a clean upgrade path to a real Ace/Server. I think it's only fair that if you are going to really take advantage of RSA's technology in your environment that you buy their product for the advanced functionality.

These restrictions would be put on the server:

  • Limited set of tokens. (Maybe MAX of 25 tokens)
  • Would not support RSA's new AES-based tokens
  • Logs would stay in a flat format to allow for basic auditing and searching
  • The Perl will be functional and fast, but will not be optimized like the Ace/Server
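As an added example of how the feature set above could hang together, and not the author's Java emulator or the planned Perl port: a flat-file token store, PIN + tokencode passcodes, a one-step drift window, next-token resync for larger drift, new-PIN mode and revocation, written in Python. The 60-second step, the window sizes, the record layout and the HMAC-based stand-in tokencode are all assumptions; the real SecurID algorithm is proprietary and is not reproduced here.

```python
# Added example, not the author's Java emulator or the planned Perl port: a
# flat-file two-factor validator in the shape described above. The 60-second
# step, the window sizes and the HMAC-based stand-in tokencode are assumptions;
# the real SecurID algorithm is proprietary and is not reproduced here.
import hashlib
import hmac
import struct

STEP = 60           # one tokencode per 60-second step (assumed)
WINDOW = 1          # silently accept +/- 1 step of clock drift
RESYNC_WINDOW = 10  # further out than WINDOW, up to here, ask for the next code
FIELDS = ("serial", "seed", "pin", "drift", "last_step", "revoked", "pending")

# Constructed sample of the flat token file. An empty pin means new-PIN mode;
# pending is the step seen in the resync window, or -1 when none is pending.
SAMPLE_RECORDS = """\
# serial:seedhex:pin:drift:last_step:revoked:pending
000123456789:00112233445566778899aabbccddeeff:1234:0:0:0:-1
000987654321:ffeeddccbbaa99887766554433221100::0:0:0:-1
"""

def tokencode(seed: bytes, step_index: int) -> str:
    """Stand-in tokencode: HMAC-SHA1 over the step index, truncated to 6 digits."""
    mac = hmac.new(seed, struct.pack(">Q", step_index), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

def parse_records(text: str) -> dict:
    """Load the flat file into a dict keyed by token serial."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split(":")))
        rec["seed"] = bytes.fromhex(rec["seed"])
        rec["drift"] = int(rec["drift"])
        rec["last_step"] = int(rec["last_step"])
        rec["revoked"] = rec["revoked"] == "1"
        rec["pending"] = int(rec["pending"])
        records[rec["serial"]] = rec
    return records

def authenticate(records: dict, serial: str, passcode: str, now: int) -> str:
    """Returns ok, new_pin_required, next_token_required or denied.
    Mutates the record (drift, last_step, pending); write it back afterwards."""
    rec = records.get(serial)
    # Unknown serial, revoked token and wrong PIN all answer the same: no oracle.
    if rec is None or rec["revoked"]:
        return "denied"
    if rec["pin"] and not passcode.startswith(rec["pin"]):
        return "denied"
    code = passcode[len(rec["pin"]):]
    base = now // STEP + rec["drift"]  # step the token clock is believed to be at

    if rec["pending"] >= 0:
        # Next-token mode: the code after the one seen in the resync window is
        # required, so a single lucky match cannot resynchronise a token.
        expected = rec["pending"] + 1
        rec["pending"] = -1
        if expected > rec["last_step"] and code == tokencode(rec["seed"], expected):
            rec["drift"] = expected - now // STEP
            rec["last_step"] = expected
            return "ok" if rec["pin"] else "new_pin_required"
        return "denied"

    for delta in range(-WINDOW, WINDOW + 1):
        step = base + delta
        if code == tokencode(rec["seed"], step):
            if step <= rec["last_step"]:
                return "denied"        # replay of an already-used tokencode
            rec["drift"] += delta      # learn small drift without ceremony
            rec["last_step"] = step
            return "ok" if rec["pin"] else "new_pin_required"

    for delta in range(-RESYNC_WINDOW, RESYNC_WINDOW + 1):
        step = base + delta
        if (abs(delta) > WINDOW and step > rec["last_step"]
                and code == tokencode(rec["seed"], step)):
            rec["pending"] = step
            return "next_token_required"
    return "denied"

def set_pin(records: dict, serial: str, pin: str) -> None:
    """Completes new-PIN mode; 4 to 8 digits is an assumed policy."""
    if not (pin.isdigit() and 4 <= len(pin) <= 8):
        raise ValueError("PIN must be 4 to 8 digits")
    records[serial]["pin"] = pin

def revoke(records: dict, serial: str) -> None:
    """Token revocation: the record stays in the file so its history is kept."""
    records[serial]["revoked"] = True
```

A real deployment would take the time from the clock and persist the mutated record after every call, since the drift and last-used step are what stop replays across restarts.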

Now to my questions for the group. Quite frankly, my concern is that I do not wish to cause myself grief with RSA with such open source code. I decided not to release my code years ago because the Ace/Server was RSA's bread and butter, and I didn't feel right in providing a free alternative which could be abused by others. However, now that RSA has released new AES-based tokens and is phasing out the old RSA proprietary tokens, this seems like an optimum time to reuse some older tokens before they die out.

I have emailed RSA twice and no one wishes to respond on how the company would feel about such a code release. Until I hear otherwise, I am going to guess that no one knows how to respond to this, and perhaps they are just waiting to see what the response is. So, with that in mind my questions to you:

  1. Would you install and use a free perl token auth-emulator?
  2. Do you own any SecurID tokens?
  3. Would you buy any/more SecurID tokens to use this?
  4. Would you use it with OpenSSH?
  5. Would you use it with Apache?
  6. Would you use it with other Ace/Agents?
  7. Do you think there is value in releasing this code?
  8. Do you think RSA will pull a SCO and start chasing you (or me) down for a license?

I would really appreciate any comments, feedback and discussion from the group of people that read my blog. Again, I am fine knowing most of you would rather email me privately about this, but if you can consider posting in the comments so others can see your views. I look forward to hearing the thoughts of the community on this.

Posted by SilverStr at 07:44 AM | Comments (6) | TrackBack

October 04, 2003

Track Back Now Enabled

At the request of the JoatBlog, I have enabled track back pings now. I had no reason to have it off, other than the fact I never checked the box to allow for ping backs.

Have fun.

Posted by SilverStr at 04:52 PM | Comments (1) | TrackBack

Data Hiding and Recovery in Linux

Just finished reading an interesting article that shows how to recover data and even how data can surreptitiously be hidden within space on the Linux filesystem.

I like these kinds of articles, mostly because it puts into perspective the naivety we have in thinking we are secure. I have used various data wiping tools, but never really had a clue this was possible.

Neat stuff.

Posted by SilverStr at 09:03 AM | Comments (1) | TrackBack

October 03, 2003

Cisco Warns that LEAP is not as Secure as you might think

According to an article at ComputerWorld, the proprietary security system used by Cisco to protect wireless LANs widely deployed by enterprises can be defeated by a "dictionary attack" designed to crack passwords. To counter the security threat, the company is warning customers to institute strong password policies.

LEAP was supposed to be (and is in many respects) the solution to the failed WEP. Yet, anything is fallible. Again we see that the weakest link will be the human factor. Weak passwords and poor implementation will trump technology any day.

Posted by SilverStr at 09:54 AM

October 02, 2003

Microsoft Faces Class-Action on Security Breaches

Here is a story I doubt will end up on Scoble's blog. Reuters reports that Microsoft faces a proposed class-action lawsuit in California based on the claim that its market-dominant software is vulnerable to viruses capable of triggering "massive, cascading failures" in global computer networks.

I am just surprised it took this long. With the US being such a litigious country I would have expected someone to target the insecurity of Microsoft platforms much sooner than this. Especially with a $49 billion kitty; it seems like a prime target.

Posted by SilverStr at 02:24 PM | Comments (1)

Practice Guide for Computer based Electronic Evidence

I found a Good Practice Guide for Computer based Electronic Evidence published in the UK yesterday. This was released by the Association of Chief Police Officers, and was an interesting read.

I think a paragraph in their intro can sum it up better than I can.

Electronic evidence is valuable evidence and it should be treated in the same manner as traditional forensic evidence - with respect and care. The methods of recovering electronic evidence whilst maintaining evidential continuity and integrity may seem complex and costly, but experience has shown that, if dealt with correctly, it will produce evidence that is both compelling and cost effective.

Happy reading.

Posted by SilverStr at 01:43 PM

Hackers broke into GPRS Billing

According to this article over at Newswireless.net, some hackers found a way to penetrate the billing system for the GSM network.

The fix? A proper perimeter using a Checkpoint firewall. Um, this might be a dumb question, but why the hell wasn't this in place to start with?

Posted by SilverStr at 01:38 PM

HOWTO: Secure Network Server with Windows IPSec

Just found a good paper written by Foundstone in partnership with Microsoft on how to use Microsoft Windows IPSec to help secure an internal corporate network server.

This paper describes the security threats to, and the benefits of using IPSec on, an internal corporate network server and uses a scenario to describe the process of IPSec policy design for an internal corporate network.

Happy reading.

Posted by SilverStr at 12:04 AM

October 01, 2003

Blind SQL Injection

I found an interesting paper discussing blind SQL injection techniques and how to battle them. The paper is short but to the point on how these injections happen, and how you can stop them.

Moral of the story? Never trust user input. Always validate data crossing untrusted to trusted boundaries. Personally, I would recommend using stored procedures correctly so that you can go one step further and validate it as it enters the procedure as well.
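
To make the "never trust user input" point concrete, here is an added example (not code from the paper or from this post) of the same "does this user exist?" lookup written three ways in Python with SQLite: concatenating the untrusted value into the SQL, binding it as a parameter, and binding it after an allowlist check at the trust boundary. The schema, the user rows and the `USERNAME_RE` allowlist are constructed for the demo. A blind injection needs nothing more than the yes/no answer the first function leaks, because the attacker's input changes what the WHERE clause means rather than just what it compares against.

```python
"""Vulnerable vs hardened existence check.  Schema and rows are constructed."""
import re
import sqlite3

# Allowlist applied where untrusted data crosses into trusted code (constructed policy)
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def setup_db() -> sqlite3.Connection:
    """In-memory table with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def user_exists_vulnerable(conn: sqlite3.Connection, name: str) -> bool:
    """Untrusted input becomes part of the SQL text: the quote characters in
    the input can close the literal and rewrite the predicate.  The boolean
    result is exactly the one-bit oracle a blind injection works with."""
    row = conn.execute(f"SELECT 1 FROM users WHERE name = '{name}'").fetchone()
    return row is not None


def user_exists_bound(conn: sqlite3.Connection, name: str) -> bool:
    """Parameter binding: the driver sends the value separately from the SQL,
    so whatever the input contains it is compared as data, never parsed."""
    row = conn.execute("SELECT 1 FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None


def user_exists_hardened(conn: sqlite3.Connection, name: str) -> bool:
    """Validate at the boundary, then bind.  Rejecting malformed input early
    also gives a clean place to log and alert on probing."""
    if not USERNAME_RE.match(name):
        raise ValueError("username rejected at trust boundary")
    return user_exists_bound(conn, name)
```

Binding alone is sufficient to stop the injection; the allowlist is the extra step the post argues for, and it pays off in two ways: it fails closed on anything outside the expected shape, and the rejection is a detection signal you can log, whereas the bound query would silently return False for the same input.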

Posted by SilverStr at 10:23 AM | Comments (1)

Replacement for your FireCard

I know we have talked at different blog sites about the fact many of us are disappointed with the lack of patches and updates for Gateway Guardian since I left the company, and I sympathize. Besides being irresponsible, it is not really good business as a company selling security to ignore the community when they are notified of bugs and vulnerabilities.

Recently I have been wrestling with what to do about it. Months ago I started rolling my own packages fixing the holes, but realized I would probably cause myself legal issues if I started releasing unsanctioned bug fixes and security patches when I don't work at NetMaster anymore. Further to this, it really shouldn't be my responsibility to fix their problems.

After Del EOL'd his card and then Barry reported he went out and bought a new device to replace his FireCard, it got me to thinking. I have always liked Linksys more than DLink, and with Cisco acquiring them, I see a long future for them.

Well, today I found the perfect device to replace FireCard. The Linksys WRV54G is chock full of kewl stuff, and rumor has it, it has a secured Linux back end that no one wishes to talk about. Kinda kewl if you ask me.

The device supports a lot more than FireCard / GGBlade does, and is a lot more cost effective (It's only $229 USD). The WRV54G incorporates five essential functions, including an access point for connecting to 802.11g and 802.11b devices at speeds up to 54Mbps and 11Mbps, respectively. In addition, there's a built-in router for all devices to share one high-speed Internet connection (MASQ/NAT), a virtual private network (VPN) function for up to 50 remote users, business-class firewall protection and a four-port 10/100 switch for connecting wired-Ethernet devices.

I was looking at upgrading my wireless to 54 Mbits anyways, so I think I am going to save up a bit more and then look at buying a WRV54G. It will end up being much more cost effective, and I can regain some trust and assurance that my device will stay up to date with patches. I am tired of having to fix another vendor's product, especially if they don't care to do it themselves.

So, if you want most of the functions of Gateway Guardian (including firewalling, port forwarding and VPN), as well as 11Mbit / 54Mbit wireless, a 4-port Ethernet switch and full company support... the Linksys WRV54G might be the device for you!

Posted by SilverStr at 10:11 AM | Comments (4)