backtrack 3 released

Any half decent sysadmin will routinely test the security of his or her own systems. A good, and sensible, sysadmin will follow up those tests with an independent security audit by a professional company – preferably one which is a member of a recognised industry body (such as CREST). Finding the holes in your security mechanisms (and there will be some – probably more than you will be happy about) before the bad guys do is essential if you want to sleep at night (and keep your job).

There are a huge number of security testing tools available for free if you know where to look. Most sysadmins keep a toolbox of their favourites (nmap, nessus, ettercap, dsniff et al.) to hand ready for testing any new build. But it can sometimes be difficult to know just which tool to use, and where to get it. Enter backtack. I first came across this collection of tools as recently as february 2006 and found it an excellent resource. Essentially backtrack is a collection of all the security testing tools you are likely to need packaged into one linux distribution. Think of it as a knoppix for security testing. A complete list of all the tools in the collection can be seen here.

Bactktrack Version 3 has just hit the streets. Get it here.

(Oh, and don’t think that using a toolset like this makes you a pen-tester. It doesn’t. What it might do is make you more security aware, and a better sysadmin.)

Permanent link to this article: https://baldric.net/2008/06/20/backtrack-3-released/

dental dos

On Tuesday 17 June, Craig Wright, supposedly “Manager of Risk Advisory Services” in an Australian Company called “BDO Kendalls”, posted a rather odd note to Bugtraq and a few other security related lists titled “Hacking Coffee Makers”. In that posting he said that the Jura F90 Coffee maker (which can apparently be networked) was vulnerable to remote attack. His post said that the vulnerabilities allowed the attacker to:

“- Change the preset coffee settings (make weak or strong coffee);
– Change the amount of water per cup (say 300ml for a short black) and make a puddle;
– Break it by engineering settings that are not compatible (and making it require a service);”

but worse

“the software allows a remote attacker to gain access to the Windows XP system it is running on at the level of the user”.

Now I’ve been a subscriber to bugtraq for longer than I care to remember and I’ve seen some odd posts in the past – particularly around the beginning of April, but in June? I initially dismissed this as just one more nut trying to raise his profile in the security community, but since tuesday the story has been picked up by a range of commentators. Some have found the story simply amusing (slashdot – “All Your Coffee Are Belong To Us”), others such as CNET seem to have taken it only slightly more seriously. OK, the bits about attacking the coffee maker itself may be amusing, but there is a serious point here if Wright is correct in his statement that attacking the coffe jug gets you access to the windows system its management software runs on. Certainly Thor of Hammerofgod has taken the post seriously enough to question Wright’s professional judgement in posting details of a vulnerability before alerting the manufacturer.

The point to note is that as more and more consumer devices become networkable (and networked) then the attack surface gets larger and larger. And it is a fairly good bet that the manufacturer of (say) a networked microwave oven is not going to take network security as seriously as would the manufacturer of a router, NAS, or mainframe.

Oh and Wright has done it again today. His latest post to bugtraq is titled “Oral B SmartMonitor Information Disclosure Vulnerability and DoS”. It’s about a “remote exploitation of an information disclosure vulnerability in Oral B’s SmartGuide management system [that] allows attackers to obtain sensitive information.”

That’s right, he’s talking about a toothbrush.

Some people have way too much time on their hands.

Permanent link to this article: https://baldric.net/2008/06/19/dental-dos/

xkcd on the openssl fiasco

I’ve had my attention drawn to Randall Munroe’s take on the openssl coding change problem.

openssl

Beautiful.

Permanent link to this article: https://baldric.net/2008/06/05/xkcd-on-the-openssl-fiasco/

debian and the openssl flaw

Ben Laurie wrote about the Debian SSL problem a couple of weeks ago. That particular post has attracted a huge response which is well worth reading if you care about free open source software and/or privacy/security issues (or even if you don’t). The key point to take from the discussion is that about two years ago the Debian development team “fixed” a perceived problem in openssl and in so doing actually introduced a fairly serious vulnerability. The net result of this change was that anyone using Debian or a related distribution such as Ubuntu to generate a cryptographic key based on the “fixed” opensssl libraries actually left themselves open to compromise. To quote from the Debian advisory “the random number generator in Debian’s openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable…….. affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections.”

Fortunately, it seems that GPG keys are not affected (and in any case, my own key was generated some time ago and not on a Debian based system) but this is pretty serious nonetheless and means that a great many people (myself included) have been relying on keys which it turns out are vulnerable to attack. I have now regenerated all the keys I suspect were vulnerable, but that does not leave me feeling very comfortable about past usage.

I don’t want to denigrate the Debian team in any way, but I can’t help but agree with Ben Laurie’s view that the proper place to fix any perceived flaw in an open source product, particularly one as important as a security critical component, is in the upstream package – not in the distribution.

Permanent link to this article: https://baldric.net/2008/06/02/debian-and-the-openssl-flaw/

recursion: see recursion

I have written about how I use one of my slugs to backup my internal files via rsync over ssh. Well it turns out I made a pretty silly mistake in my rsync options. I thought I’d been careful in specifying the files I specifically wanted excluded from the backup (ephemeral stuff, thumbnail images, some caches such as my browser cache etc.) but I missed one crucial directory and it bit me – and sent the slug’s load average through the roof.

GNOME 2.22 introduced GVFS, a new network-transparent virtual filesystem layer. GVFS is a userspace virtual file system with backends for protocols like SFTP and FTP. GVFS creates a (hidden) directory called .gvfs in your home directory and uses this as a mount point when you open a connection via SSH, FTP, SMB, WebDAV etc from the “Places -> Connect to Server” menu option. So if you open an SFTP connection to a server called “slug”, it will mount that connection in .gvfs. Try it yourself.

Now guess what I had mounted on my desktop at the time my rsync cron job ran. The slug spent some frantic time copying itself to itself until I noticed that it seemed to be inordinately busy, diagnosed the problem and managed to kill the rsync and clear up the mess.

Permanent link to this article: https://baldric.net/2008/06/02/recursion-see-recursion/

linuxdoc.org hijacked

Sadly it appears that the once useful linuxdoc.org website has been hijacked by one of those awful domain squatters who seem to want to sell mortgages, holidays and houses. I tried today to check out an old “howto” I had bookmarked and was greeted by a completely new site – as below:

linuxdoc.org hijacked

At first I thought that they had simply redesigned the site because most of the links appeared to be in place. Unfortunately, none of the old LDP documents appear to be there. I also noticed that all the links are referred to a new site on www.kolmic.com. So, none of my old linuxdoc bookmarks are any use now. RIP friend.

Fortunately, however, the original and best TLDP site is still up and running as is the (similarly named) linuxdocs.org site. So, update your bookmarks and stay away from the hijacker. Such a shame that so many printed references in places like the O’Reilly books are no longer valid.

Permanent link to this article: https://baldric.net/2008/05/26/linuxdocorg-hijacked/

what it is to be popular

According to some dubious stats from a web company, this site now ranks at number 4,880,077 (on a scale of usage where Yahoo, Google and YouTube are apparently first second and third). But I shouldn’t really complain. The same stats say that the position is “up 16,958,547 ranks over the last three months”.

Now that is some rise.

Permanent link to this article: https://baldric.net/2008/05/16/what-it-is-to-be-popular/

slugs aren’t really slow

A recent email exchange with the friend who originally suggested that I take a look at the NSLU2 got me thinking about the machines we currently take for granted. In his email he outlined that he had consolidated a set of services previously run on a couple of old desktops (a Dell and a Shuttle) onto his slug – thereby making a big saving in power consumption. His slug now runs ssh, DNS, IMAP and SMTP mail and a couple of other services – a typical slug user’s profile. The phrase that got me thinking however, was his statement that “I’m quite amazed that it can do all this within 32MB memory”.

Now, not so long ago, 32 Meg of RAM was considered quite a lot. We seem to have become so used to desktop home machines equipped with multi GHz CPUs, 2 or 3 Gig of RAM and anywhere from 160 Gig to three quarters of a terabyte of disk that we are surprised that an apparently humble 266 MHz, 32 Mb RAM machine can do so much. But why? As recently as 10 years ago I was running a large public facing network on which the main DNS/mail and syslog server was a single processor Sun SPARC5 with only 32Mb of RAM. And I recall only 15 years ago (OK, so I’m old) running a network of ICL DRS 6000s providing full office system functions to over 1200 users. So I dug out the specs of the machines I was running at that time for comparison. It made interesting reading.

The smallest (in capacity terms) machine on my network 15 years ago was a DRS6000 L440 – which had a single 40 MHz CPU, 32 Mb of RAM and 2 x 660 Mb disks. That machine served 30 users. I also had a mixture of DRS6000s with older 25Mhz and 33MHz CPUs but with more RAM and disk store (typically 96 Mb and 4 x 660 Mb disks) each of those would support around a hundred users (the office application was memory not CPU dependent). The really interesting point is the pricing. I found a note with the following on it:

Item — Price (UKP)

DRS6000 L440 40MHz CPU — £15,000
(inc. 1 * 660 Mb disk)

64 Mb memory board — £11,000

32 Mb memory board — £6.550

SCSI daughter board — £800
(to support additional disks)

3 * 660 MB disks — £8,850

16 port asynch controller board — £1,500

ethernet LAN controller board — £2,660

external exabyte tape drive — £4,000

console and keyboard — £500

sundry cables — £200

hardware sub-total — £51,060

to which I had to add:

128 user licence for Unix 6, TCP and OSLAN — £11,000

(Thankfully, we had a site licence for the application software…)

So, for just over £62,000 I had a 40 MHz machine with 96Mb of RAM and 2.6 Gig of disk. Not bad.

Oh, I forgot VAT.

Permanent link to this article: https://baldric.net/2008/05/05/slugs-arent-really-slow/

a problem slug

I bought myself another slug recently so that I could have one dedicated to internal work and the other used for public facing webs. I wasn’t really comfortable with having my network backup and apt-get mirror on the same beast as a public web. I know from experience that public facing systems are vulnerable and I have to assume that my webcam slug is disposable.

However, it seems that I picked exactly the wrong time to build a new slug because I fell foul of a previously undocumented bug in the new initramfs-tools (version 0.92) in Debian testing. This version generated a ramdisk that made the slug unbootable. This bug was particularly irritating because it only manifested itself at the end of the complete Debian install – i.e at the point when the installer had flashed the new initramfs and rebooted. Because I had been so successful with the earlier slug only weeks before, I thought at first that either I had made a mistake, or, worse, I had bought a problem slug which I could not return having voided the warranty. So I wasted some more time reflashing first with unslung and later with the original Linksys image – just to satify myself that I had a working beast. Then I checked the debian-arm mailing list. A couple of other users reported similar problems and the cuplprit – initramfs-tools – was quickly identified and rapidly fixed (see bug #478236).

When researching the problem, I picked up a useful tip from the mail list on a quick way of backing up a working slug image which is not documented in the how-to section of the slug website. This tip enabled me to take a copy of the image from the known good working slug and flash it to the non-working new slug at the end of (yet another) complete Debian install.

On a working system, do “cat /dev/mtdblock* > backup.img”, and copy that backup image off to a safe place. Use that image with upslug2 to flash to a non-working (or corrupted) slug thus: “upslug2 -i backup.img”.

The problem I encountered is now fixed with the release of 0.92a of initramfs-tools which is now in the Lenny tree.

Permanent link to this article: https://baldric.net/2008/05/04/a-problem-slug/

slugs as pets

Following a recommendation from a friend of mine, I have recently been playing with a Linksys NSLU2. This device is no larger than a paperback book yet packs some remarkable capabilities. It was originally designed by Linksys (Cisco) to act as a “Network Storage Link for USB 2.0 Disk Drives” (hence NSLU2).

The Linksys NSLU2

Externally, the rear of the box offers two USB 2.0 ports and a 10/100 ethernet RJ45 port for connectivity and sports front panel based LEDs for power, disk and ethernet status. Internally it has an XScale-IXP42x CPU (Intel’s implementation of ARM) running at 266 MHz (early versions were apparently underclocked to 133 Mhz) 8Mb of flash memory and 32Mb of SDRAM. Most interesting, at least from my point of view, is that the OS in flash is a version of Linux. Better yet, that can be changed for a full blown OS such as Debian so long as that OS is installed to external disk and the NSLU2 firmware is reflashed with an image which tells it to look for a bootable kernel on disk. Too good an opportunity to be missed – so I bought one and attached a 500 Gig Lacie USB disk so that I’d have room to play.

There is extensive documentation on-line about reflashing and upgrading the slug (as they are affectionately known by their users). My experience is documented here. My own slug now runs Debian Lenny (kernel 2.6.24-1-ixp4xx) and acts as the local apt-mirror for my home network. That mirror is run out of cron overnight so that I save on my bandwidth allowance. Having a local mirror speeds up software installs and security updates and I know that I can run local downloads to any of my machines at any time without impacting on either my monthly allowance or my external access speed. The slug runs lighttpd (changed from Apache) to give me internal virtual webservers as well as access to the mirror and I also backup my internal files to it via rsync over ssh. For example, my primary desktop machine runs a cron job to rsync to the slug.

Oh, and it also runs a webcam – just for fun.

webcam image

A web search for “webcam on slug” led me to the deliciously bizarre “Slug Racing online” site. Quote – “Slug racing is an exciting and cheap alternative to other racing forms. Slugs are available almost everywhere, often in abundance. Seen as a pest by many people, they can be a great pleasure in cultivated slug racing.” Unquote.

Some people have the strangest hobbies.

Permanent link to this article: https://baldric.net/2008/04/07/slugs-as-pets/

google oddness

A google search for “loadlin” produces a sponsored link for “Inflatable lilos”. Strangely no references to insects or food however.

Permanent link to this article: https://baldric.net/2008/04/06/google-oddness/

ssh through http proxy

On a mail list I subscribe to I have recently been involved in a discussion about the restrictions sometimes placed on users of WiFi hotspots or hotel networks (to say nothing of the restrictions placed on corporate networks). Some of the suggested solutions involve tunnelling ssh connections over http(s). Other solutions assume that the network is simply restricting access with packet filters so that you may just need to connect to a non-standard port (such as 80 or 443). If this is the case, then you simply have to configure your target ssh daemon to listen on that port. However, some networks force you through a proxy, in which case you need a utility like corkscrew. I had not previously heard of this neat little utility – but it turns out to merit some exploration if you find yourself needing such a tool.

Corkscrew is relatively simple to set up, but if you have problems, take a look at Andrew Savory’s blog entry of 27 February 2008.

Permanent link to this article: https://baldric.net/2008/03/01/ssh-through-http-proxy/

another vulnerability in the home hub

The guys at gnucitizen have posted details of another vulnerability in the BT home hub (and related Thomson routers). This vulnerability allows a remote attacker to reconfigure the router using the UPnP functionality which is turned on by default. UPnP is an authenticationless protocol designed to allow local devices to reconfigure the router – typically to allow insertion of port forwarding rules or similar changes to the firewall. On the Thomson routers (and the home hub) UPnP configuration can be found under “Game and Application Sharing” on the web configuration interface.

If you haven’t already done so, I recommend that you turn off UPnP. There is no good reason to leave it on. If you find that some device on your network needs a particular port forwarding rule to be set, then set it manually. Better still, consider whether you really need that device on your network.

Permanent link to this article: https://baldric.net/2008/01/19/another-vulnerability-in-the-home-hub/

psp hardware and software specs

I have just stumbled upon a very good resource listing specifications of the hardware and software revisions for the PSP. I would have found this site most useful when I was researching how to format video for the psp last year.

The site is at www.edepot.com/reviews_sony_psp.html

Permanent link to this article: https://baldric.net/2008/01/13/psp-hardware-and-software-specs/

ain’t standards wonderful

I’ve just changed my mobile phone for the first time in nearly three years. I know this makes me unusual, particularly as I am normally a gadget lover, but to me a phone is primarily intended to be communication device. I don’t really need it to be a camera, or a music player, or a games console. I really want my phone to work as a phone when I need it and I don’t really want to find that the battery is flat at exactly the wrong moment just because I have been listening to Peter Green for hours. My daughter seems to change her mobile every six months or so – but then she seems happy to tie herself into a network provider’s contract in order to update what is essentially a fashion accessory. I’m not prepared to do that and I pay a satisfyingly small sum of money each month to my provider because I don’t expect them to subsidise the cost of a phone.

I bought my new phone on-line. And nice and shiny it is – and I admit it appeals to the gadget lover in me. Besides the obvious voice and text messaging capability it offers: multimedia messaging, email, MP3 and MP4 audio/video (video? on a screen that size?), video calling, web access including an RSS reader, games, a radio, a calendar, an organiser, a calculator, stopwatch and of course the obligatory high resolution camera (which I confess is quite nice).

The phone even includes a file manager to allow the user to shuffle the umpteen MP3/4, jpeg/gif whatever files around and provides bluetooth, USB and infrared local communication capability over and above the GSM connectivity actually needed in a phone in the UK – plus of course 3G capability for all that high bandwidth you will need if you try to actually use all the phone’s functionality. Somehow I don’t think my current ten pounds a month contract is going to cover that.

Now with all the thought that has obviously gone in to the design of this wonderful gadget, why on earth couldn’t the company stick with some obvious existing standards in its physical design. I can just about put up with the need to learn a whole new layout on the keypad – hell the device has some dozen additional keys over and above the keypad itself – but why should I have to carry another set of earphones when I already have a perfectly good set of in ear bud phones with a standard minijack? Why should I have to use the phone’s non-standard USB connector when I already have a USB lead on my PC which terminates in a mini USB connector used by my PSP, and my cameras. Why should I have to buy yet another form of the company’s own proprietary memory sticks when I already have plenty of high capacity memory cards in said cameras and PSP?

Oh, and of course the recharger is different to every other such device in my home.

As an old colleague once said to me (quoting Tanenbaum) – “I love standards, there are so many to choose from”.

Permanent link to this article: https://baldric.net/2008/01/06/aint-standards-wonderful/

the war against hair gel

David Malki ! is an interesting character who creates some wonderful cartoons from images drawn from his collection of 19th-century books and periodicals and from other early rare books held at the Los Angeles Central Library. He publishes a collection of his cartoons at wondermark. I recommend that you spend some time flipping through his archive. The man has a completely anarchic sense of humour.

One of my personal favourites is:

hair-gel

I am grateful to him for permission to republish the image here.

Permanent link to this article: https://baldric.net/2007/12/31/the-war-against-hair-gel/