Archive | Security

Security is not a feature; it’s a process. Notes on issues, patches and essays on security.

What’s on your network?

This article in ZDNet points to flaws in Microsoft’s SMB file sharing systems (“Windows networking”) that are, unfortunately, faithfully reproduced in Samba:

http://www.zdnet.com/article/its-not-just-windows-anymore-samba-has-a-major-smb-bug/

See also:

https://access.redhat.com/security/cve/CVE-2017-7494

This means that an old Samba server you have could be misused as a vector for malware to gain a foothold on your network, from which local Windows machines could get infected. Over the weekend, I went through and cleaned out, updated, reconfigured, or blocked access at some of my client sites.

I also took a long look at our in-house dev network for stuff that could be a problem and found a couple of issues:

– An old Western Digital NAS device was running an *ancient* version of Linux and Samba, and unfortunately is no longer being supported by the manufacturer (last update, 2012). In addition to basic SMB file serving, it supplied media streaming over various protocols and offered ftp (turned off). Despite being in fine shape, mechanically and electronically, I had to turn it off, because, even though the source code is available (yeah, GPL), cross-compiling and rebuilding an ARM 2.6 kernel and utilities into a modern version, and getting it to work on an unsupported device is more effort than I have time for.

– A couple of our networked printers shipped from the factory with all their protocols turned on, even if not configured or active: SNMP, Web server, SMB, FTP, tftp, LPD, Raw port, IPP, AirPrint, Web Services, Google Cloud Print, SMTP, mDNS and LLMNR, several of which I had to look up. Surely, there could be no flaws there! And, to boot, two of them were running older versions of firmware, also worth updating.

I am a strong skeptic of the IoT marketing that drops devices into your home/office network that communicate with “the cloud” and can be run from your cellphones, or likely anyone else’s. Unlike PCs with firewalls, intrusion detection, malware scanners and intentionally secure devices like routers, IoT devices are trying to “Just Work” and security might not be in mind.

I knew this was the case for things like “Smart” TVs and voice-recognition devices, but it hadn’t dawned on me that printers would also be in that category.

Be careful out there.

rbenv on Fedora 19: for want of a nail,…

… a kingdom was lost.

Fortunately, I don’t have a kingdom at stake. My tale is more like the House That Jack Built. I had to spend a little time building the tools to build the code to build the language upon which I build solutions for clients. And the path was strewn with gotchas, but I persevered. Since I’ll likely need to do it again some day, I’ll record it here in hopes I can retrace my patch, er, path.

I’ve installed Fedora 19 on my main development laptop, replacing an older Mint 12 install that had gotten too old to maintain easily. I’ve spent some time updating and configuring the machine in my spare time. With Firefox already installed, Chromium was an early addition. Thanks to syncing, these browsers retain the history and passwords of the sites I spend all day on. I moved over my ssh keys and configurations and vim configurations and installed git, and the basic development setup is ready to go: most of my coding occurs on remote systems. Next came Apache and PHP in order to develop locally. Finally, I started on Ruby and Rails. Here, I took a tangent from past installs and installed rbenv rather than RVM, the Ruby Version Manager. I have seen problems with RVM and the 2.0 version is coming along slowly. In the meantime, Bundler has come along and solved a number of problems with gems, gemsets and disk clutter, but in a different way that is incompatible with RVM. I thought that this was a good opportunity to inform myself of a new tool, should I run across it on a new gig. Also, I had seen a Drew Neil videocast in his VimCasts series recently where he showed some very useful tools, but rbenv was a prerequisite. Due to the way RVM works, rbenv can’t be installed side-by-side, so I had to remove RVM. No time like the present!

However, there’s a catch. Isn’t there always? Fedora 19 uses a version of OpenSSL which is configured differently than what used to be typical. I am no crypto expert, but I understand they disallowed some form of elliptic curve (EC) encryption. Ruby, as part of its build process, tests for that specific functionality, so builds will break on Fedora 19 (and recent Red Hat, too). There is a fix in the pipeline: https://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/41808, which changes the behavior from requiring this specific form of encryption (which wasn’t really required, just a poorly chosen hard-coded test) to instead confirming that there are some algorithms available for encryption by iterating through them. So. Now I knew there was a fix; I just had to figure out how to wedge it into my system. Thank goodness for internet search engines! Here http://philippe.bourgau.net/how-to-install-a-patched-ruby-interpreter-wit/ was a similar enough situation that I could interpret the process for my system, with different version numbers, of course, and a few tweaks. After a few false starts, I had my own custom patched versions of Ruby 2.0 and 1.9 installed and ready to go.

It may not be clear why I didn’t just install the version of Ruby that comes with Fedora 19. At the moment, that version is the same (p247) as the current version, but as a developer, I don’t want to have to count on the distribution to keep their versions up to date in order to have the most recent version on my systems. Since I’ll be deploying systems into production, and therefore exposed to potential attack from the internet, I need to have the ability to build from the latest source code and to apply patches as needed. This provides the best possible security to my clients for this app. I also need to support older versions, so having worked out the recipe for 2.0, I was able to backport the same changes into Ruby 1.9.3 and install that on the system as well. At the moment, I don’t have any need for Ruby 1.8.7, but now that I’ve worked out the build routine, I’m confident I could deploy that if needed.

Three Lightning talks at Alphaloft: September 2012 Seacoast Web Dev Meetup

An excellent time as always at the Seacoast Web Developers Meetup held at AlphaLoft in Portsmouth on September 25th.

Josh Cyr presented his initial research on Google Drive. Josh worked with a client to develop a workflow process using events occurring in Google Drive to process documents. The API from Google allows you to iterate through files and folders, change properties, and upload and download.

Paul Finn presented Vagrant, a shell around virtual machines that allows simple and easy download of pre-made images, spinning up the VM and talking to it (ssh) via Ruby scripts. Paul’s slides are here: http://slid.es/paulfinn/vagrant/fullscreen

Ted Pennings (@thesleepyvegan) talked about cryptography: the basic concepts, aspects of concern, best practices and more! A very informative 20 minutes from a man who’s obviously deeply involved and enthused about the subject. Slides are here: http://prezi.com/kplh0mz6ptjt/cryptography-in-20-fast-minutes/

Notes from the Python Special Interest Group, 18-Nov-2010

Four members attended the November meeting of the Python Special Interest Group, held a week early due to the Thanksgiving holiday (anticipate a similar schedule for December). The Amoskeag Business Incubator was kind enough to allow us to use their smaller meeting room, which worked out perfectly for the smaller crowd.

It was an open Q&A evening, and boy, did we have Qs and As! Topics covered included:

  • Getting scanners working on Ubuntu 10.10
  • sharing printers in Ubuntu
  • Why DSL isn’t always at its rated speed
  • what a CO and a DSLAM are
  • Win7 Starter Edition blue-screening on an Asus Aspire One
  • the New Microsoft/Verizon KinONEm KinTWOm
  • the disaster that was the Microsoft-Danger hiptop acquisition
  • Microsoft’s announcement of Java as a “first class citizen” of their Azure cloud
  • Microsoft’s “Embrace, Enhance, Extend, Extinguish” history
  • Maybe they’ll call it IronJava? And, hey, where did IronPython go?
  • Oracle and Java and licensing and FUD
  • Oracle and MySQL and licensing and FUD
  • A public library looking for a Linux-based solution to reserving PC use
  • A great suggestion to consider Gnome Nanny
  • generating PDF Forms out of a LAMP app using pdftk
  • OpenOffice.org and LibreOffice
  • Generating PDF fill-in forms out of OpenOffice.org, courtesy of Solveig Haugland
  • the difference between “business class” and “consumer grade” machines
  • Dell and HP, Linux support, HPLIP Open Source project
  • printing to PDF in Ubuntu only worked when App Armor was removed
  • the ease of hooking up a projector to Fedora 14 with the new video subsystem and Nouveau drivers
  • installing NetworkManager on Debian Lenny (there’s python in there!)
  • a quick tour of NetworkManager on Fedora 14
  • a demo of using ElementTree to parse and modify an XML file used to manage installs of Atlassian Jira
  • using BeautifulSoup to parse an HTML file and generate an INI file
  • the Venus software for generating an RSS aggregator page
  • hacking WSDLs for SOAP using suds

Those were the Qs. You needed to be there for the As. And the awesome gingerbread cookies and frosted cake.

Thanks to Janet for the desserts, to Bill for organizing the meeting, to the Amoskeag Business Incubator for the facilities, and to all who attended and participated. Look for the December meeting announcement with the date tentatively planned for the 16th.

Adding Fail2Ban to the web site

I swapped out web servers two weekends ago, when the old machine started showing some unacceptable behavior. Part of that swap involved switching from a CentOS-based Linux distribution to an Ubuntu-based distribution. There were some great learning moments involved in that. I also wanted to swap out a few programs that hadn’t worked as well as I had hoped.

One of the new packages I’m trying out is Fail2Ban, a Python-based application that reviews the logs and temporarily bans IP addresses based on patterns of abuse. Similar applications like DenyHosts are well-rated, but DenyHosts specializes in ssh, which hadn’t been too much of a problem for me, and didn’t have a straightforward configuration for ftp, which unfortunately I must offer. I had used a similar Perl-based application before, but it hadn’t supported a couple of my applications, and appeared to introduce some instability in the system. Fail2Ban came with configurations for Apache 2 and vsftpd. In their wiki, there was a HOWTO for banning PHP-based file upload attacks, something which had begun to fill the logs with nonsense.

So, 48 hours in and things seem to be running well. The log files clearly show some clients being blocked, other applications seem to be running well, and performance and responsiveness of the site seem to be okay.
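As an added illustration of the ban decision Fail2Ban makes (example code written here, not code from the post or from Fail2Ban itself), this Python snippet applies a failregex-style pattern to a few constructed vsftpd-style log lines and bans an address once it accumulates enough failures inside a sliding window. The maxretry, findtime and bantime names mirror Fail2Ban’s settings; the log format is an approximation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed vsftpd-style log lines (approximate format, RFC 5737 test addresses).
SAMPLE_LOG = """\
Sun Oct 10 10:00:01 2010 [pid 2101] [admin] FAIL LOGIN: Client "192.0.2.5"
Sun Oct 10 10:00:03 2010 [pid 2102] [admin] FAIL LOGIN: Client "192.0.2.5"
Sun Oct 10 10:00:04 2010 [pid 2103] [ted] OK LOGIN: Client "198.51.100.7"
Sun Oct 10 10:00:06 2010 [pid 2104] [root] FAIL LOGIN: Client "192.0.2.5"
Sun Oct 10 10:00:09 2010 [pid 2105] [ftp] FAIL LOGIN: Client "203.0.113.9"
Sun Oct 10 10:20:00 2010 [pid 2106] [ftp] FAIL LOGIN: Client "203.0.113.9"
Sun Oct 10 10:40:00 2010 [pid 2107] [ftp] FAIL LOGIN: Client "203.0.113.9"
"""

# Plays the role of a Fail2Ban failregex: one failed login, with its timestamp and source IP.
FAIL_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) .*FAIL LOGIN: Client "(?P<ip>[\d.]+)"'
)


def find_bans(log_text, maxretry=3, findtime=600):
    """Return {ip: time_of_ban} for every IP that reaches maxretry failures
    within a findtime-second sliding window (Fail2Ban's maxretry/findtime semantics)."""
    window = defaultdict(deque)  # per-IP timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines never count
        ip = m.group("ip")
        if ip in banned:
            continue  # already banned; Fail2Ban would have dropped this packet
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # forget failures older than the window
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


def still_banned(banned, now, bantime=600):
    """IPs whose temporary ban (bantime seconds, like Fail2Ban's bantime) has not expired at `now`."""
    return {ip for ip, t in banned.items() if (now - t).total_seconds() < bantime}
```

With the defaults, the three rapid failures from 192.0.2.5 trigger a ban while the slow trickle from 203.0.113.9 does not; widening findtime to an hour catches the slow one too.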

Ideas worth repeating

“We reject as false the choice between our safety and our ideals.”

President Barack Obama, 20 Jan 2009

“They who would give up an essential liberty for temporary security, deserve neither liberty or security.”

Benjamin Franklin, 1775

MerriLUG Notes, 17-April-2008: Dan Walsh & SELinux

Eleven people attended the April meeting of MerriLUG, the Merrimack Valley chapter of the Greater New Hampshire Linux User Group. Heather called the meeting to order at 7:30 PM, noted that the attendees were pretty much The Usual Suspects, and dispensed with the long-winded announcements for new members. http://www.gnhlug.org will tell you all you want to know.

Dan Walsh was the main presenter tonight. Dan had a very special visit from the Demo Gods, just before he was to start. His hard drive decided that his boot partition wasn’t. Never heard of ext3. Ouch. Ever the good showman, he borrowed my laptop, downloaded his presentations from the web, and put on a great show.

Dan mentioned that he’d lost his previous laptop during his recent tour in Europe when it was stolen and that maintaining your home directory encrypted was a Good Idea.

Dan reviewed the history of SELinux and the iterations we saw in Fedora 3 through 8 and RHEL 3 through 5, and what to expect in 9. He talked about the evolution of the policies, the different feature sets available, and how the SELinux architecture can meet the stringent requirements of DoD-level organizations (with bullet points like: “RHEL5: MSP Policy: EAL4+, LSPP, RBAC” – who wouldn’t be impressed?) as well as the Significant Others at home who really just want a machine to use the browser on.

Dan showed off the new kiosk policy, xguest, which was essentially a minimal-permissions user (no setuid, no executables in the home directory, no installation abilities, etc.) extended to run Firefox. Perfect when someone wants to borrow your machine for a second! In the default settings (installable in F8 or 9 with sudo yum install xguest), it creates a fairly ‘safe’ user that can’t do a lot of harm and whose directories are temporary RAM-based and vanish when the user logs out. (You can modify it to keep a persistent home to store cookies and bookmarks.) Ideal for a library or public kiosk situation. Yes, the evil-minded boys in the room could come up with some work-around exploits, but this is a promising start!

Thanks to Dan for a great presentation under trying circumstances, to Heather and Jim for managing and promoting the meetings, to Martha’s Exchange for providing the facilities, and to all who attended and participated.

UPDATE: Dan’s posted an article to Red Hat Magazine, “Confining the user with SELinux” that covers a lot of material in the presentation, with more detail than my notes and links for further study.

YA Javascript library: Ext

Sometimes I think the community of Javascript libraries is like a high school popularity contest, with crowds swarming one cool thing before dropping it and moving on to the next. In a project last year, we started with a little hand-coded JS to spice up the site a little bit, then started dipping into the bigger UI libraries of Dojo, script.aculo.us, Prototype and more as the client’s expectations went through the roof. I still have deep misgivings about making a web site work like a rich client application using HTML, CSS, Javascript and/or AJAX. It’s still a web page, not an RIA, and concerns over web-scale scalability, responsiveness, and variation in the client machine (six different browsers, JS on or off, Flash on/off, various readers for accessibility to the visually impaired, rendering on small devices, etc.) make rolling-your-own a fool’s mission.

We’d stabilized on a set of tools long enough for me to start to dig deep into its capabilities, when along comes a suggestion we look at Yet Another JS library, Ext. It is impressive at first glance, no doubt, and the demos have the requisite whiz, bang, oooh and aaah. But concerns over maturity, licensing, suitability to task, and the cost of retooling existing pages make it a questionable switch. At some time you have to commit, people. Live with what you’ve got or face the costs of a serious rewrite. The tenets of RAD, XP and “Agile” as promoted by Scott Adams in Dilbert, not true practitioners, have given folks in charge the impression that they can just chase after the next shiny thing and follow the fashions without concern for the engineering implications of launching a world-class web site. Ah, well, my consultant friends tell me. This is why we get the big bucks.

Now I hear tell jQuery is where it’s at…

Security firm cracks encryption for Microsoft’s wireless keyboards – heise Security

Ouch! Encrypted communications between your computer and peripherals have to be impractically difficult to crack. The encryption scheme described in “Security firm cracks encryption for Microsoft’s wireless keyboards – heise Security” is beyond pathetic. I hope other manufacturers have more reasonable encryption schemes. In the meantime, don’t type anything on a Microsoft wireless keyboard you wouldn’t want to see published, like, say, your bank account password. Disgraceful!

Link via Schneier on Security

This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.