Security and Systems Administration

Whole Disk Encryption Defeated

2008-02-21T19:30:00.000-08:00

So today researchers at Princeton released their findings that hard disk encryption isn't the a silver bullet to protect data on stolen laptops. I'm still working my way through the paper, but my initial thoughts go something along the lines of "woah..." This is some really nice work. You can read the paper at http://citp.princeton.edu/memory/.

They also have a nice video presentation of the weakness. My hat is off to these folks. Great work.

Southern California Linux Exposition - SCALE 6X

2008-02-13T12:57:00.000-08:00

Last week I was down in the Los Angeles area doing some work and I decided at the last second to attend SCALE 6X with some friends at the last second. I'm glad I did, since I had a great time, met some cool people and got a ton of new T-shirts.

We started out the day with a presentation on PostgreSQL 8.3 by Josh Berkus. Josh is a developer for Sun Microsystems and is a member of the core PostgreSQL team. He gave a great presentation on the features of the 8.3 release and really got me thinking about a system I maintain. There may be an upgrade project coming to this machine soon.

Next we wandered around the vendor hall for a bit. Mostly I collected T-Shirts and stickers, but things got really interesting when we stopped to chat with the people at the Zenoss, Hyperic and OpenNMS booths. We are looking at revamping our monitoring quite a bit at work, so this was a good chance to throw out questions. First we talked to the Zenoss guys. I've used Zenoss in the past and I like how much information it is able to pull from devices and servers. It's all done over SNMP, which has its own issues, so I don't have to install an agent on the target systems. It handles network equipment and Windows servers with the same ease. I can also use Nagios plugins to extend its capabilities. Really, its a nice app all around.

Things got really interesting at the OpenNMS booth though. I still don't know a ton about OpenNMS, but what caught my attention was how I could manage workflow with it. They have been working with Hyperic on integration to each other. One scenario that I liked was that a Hyperic check could cause an event in OpenNMS. Normal pager notifications, emails, etc go out. But to take it a step further, I can also define a handler in OpenNMS that when a specific event occurs the application automatically opens up a ticket in Jira for tracking and remediation! Now this I thought was cool. How many times have you had a repetitive issue with an application and struggled to communicate the impact of the issue to management. With this, I can track the work done to resolve each incident, the time taken and create a report for management to summarize the issue. Ok, it's boring, but still pretty cool. Who knows, with this kind of information maybe the root cause of the issue could get fixed.

Last we headed over to a presentation on Puppet by Luke Kanies of Reductive Labs. Puppet provides you with tools to keep your system configurations consistent and ease the difficulty of manually maintaining configurations and packages. It looks really cool and I'm going to play with it some. I still have a question about how secure the communications are between the clients and master server, but I heard something about client SSL certificates so maybe that will do the trick. Anyhow, some testing is definitely in order.

Other than that, not much else exciting at the show. I had a good time and got somethings to play with. If you're down in the LA area next year when SCALE 7X is, I'd recommend checking it out. For $70, it's hard to beat.

Weekend Reading

2008-02-03T15:39:00.000-08:00

I'm out of town this week, but I've been doing some reading on MySQL performance, load balancing, high availability, etc. Some issues at work are at the root of this list, plus some consulting work that I have coming up soon.

First off, some reading directly from dev.mysql.com
High Performance MySQL

Next, a presentation by Jay Pipes and Bjorn Hansen. This one has stuff over my head and is written towards developers. Still, very good stuff.
Real World MySQL Performance Tuning
Download the PDF for it here

This isn't MySQL centric, but I ran across it in Jay and Bjorn's presentation
The High Availability Linux Project

MMM (MySQL Master-Master Replication Manager) - I need to do some testing on this one. Seems like it has some really wild application.
http://code.google.com/p/mysql-master-master/
http://groups.google.com/group/mmm-devel/

MySQL on FreeBSD
http://wiki.freebsd.org/MySQL

MySQL Performance Blog
http://www.mysqlperformanceblog.com/

Optimizing MySQL on FreeBSD
Link Here

More to come later.

Setting up a serial console on FreeBSD 6.3

2008-01-31T15:46:00.000-08:00

I resurrected my old FreeBSD server with a new hard drive and power supply the other day. Because I only have a 2 port KVM, I decided to setup a serial console connection to my primary desktop. I've used systems on a serial connection several times, but I've never actually setup a BSD server to use one before though. Turns out this was a very simple setup.

Track down a null modem cable with female connections at either end. Hook it up to your terminal server and your target machine at the available serial ports. Then do the following.

To see all boot messages on the serial console, issue the following command while logged in as the superuser: # echo 'console="comconsole"' >> /boot/loader.conf
Edit /etc/ttys and change off to on and dialup to vt100 for the ttyd0 entry. Otherwise a password will not be required to connect via the serial console, resulting in a potential security hole.
Reboot and check your results.

These steps are straight from the FreeBSD handbook.

I followed them as written and had console through HyperTerminal. Now I just need to get a different terminal app, since I hate HyperTerminal so bad.

Python Based Cross Site Scripting Scanner

2008-01-31T15:03:00.000-08:00

Recently I was attempting verify some web application security issues reported by one of our vendors. Their report was fairly useless, since it complained about a couple of pages, but gave no information about how to duplicate the results. After manually trying reproduce the flaw for a while, I threw in the towel and started hunting around for a free XSS scanner.

I ran into a tool called SpringenWerk and decided to play around with it. It only took a couple of minutes to set up. I did some quick reading on how to use the tool and fired it off at the suspect page. The script ran for a little while and then exited out. Final score? Two XSS vulnerabilites, neither of which were found by the previously mentioned vendor. So I got curious and fired the script off at an HTTPS URL to see how it handled SSL. No problems at all. It negotiated the connection and did its testing from there. A very nice tool and was useful for me when I was stuck. You can take a loot at it at http://springenwerk.org/.

I never did find the issues the vendor reported and they said it was probably a false positive. Maybe, maybe not. I asked for the actual attack strings that they used, but so far they have not been able to produce them. Suspect...

Access denied on registry when installing a Windows service pack

2007-12-27T10:31:00.000-08:00

This issue has bit me hard a couple of times this week, so I decided to make some notes on it. When installing a service pack on Microsoft Windows, you may get an "Access is denied" error message and have the entire install fail. In one case, I lost the entire machine and it wouldn't reboot. Another time, it survived the reboots, but still was a bit unnerving. Here is what I found out about the issue.

Apparently, this is a permissions issue within the registry. To verify this, check c:\windows\svcpack.log and search for "Access is denied". I found this in the log file.

1024.156: DoRegistryUpdates:SetupInstallFromInfSection Failed for ProductInstall.GlobalRegistryChanges.Install error: 0x5
1024.156: INF_REGISTRY Failed
1024.156: DoInstallation:DoRegistryUpdates failed
1034.047: Unregistration of sprecovr successful
1034.234: Access is denied.

To reset the permissions to the registry to the defaults you will need to use the secedit tool. I ran the following:

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose /areas regkeys

/areas regkeys tells the tool to only reset permissions on the registry and leave the rest of the OS alone. This is important, since firing it off at everything will reset file permissions, etc.

Once the registry permissions are reset, go ahead and fire the service pack install again. I used "WindowsServer2003-KB914961-SP2-x86-ENU.exe /norestart" to prevent a restart before I was ready. For my issue, this worked perfectly.

Links are:
Access is denied when installing SP - http://support.microsoft.com/kb/873148

Reseting registry permissions - http://support.microsoft.com/?kbid=313222

Inactivity on the blog

2007-11-04T18:56:00.000-08:00

So things have been pretty silent for the last 4 months on the blog. It's not that I've been idle, but I've just had so much going on that writing was one of the last things on my mind. Here's a recap of some of the more notable events.

July - Last month of school for me and I finally graduated with my Bachelors Degree in Computer Science! I still can't believe I've finally accomplished this. It was a lot of work and overdue by a fair bit.
August - We had a family reunion in Salt Lake City for my wife's family. I decided to go stop by the University of Utah to see what their graduate program looked like. I found out a number of things I hadn't known before, one of which included a way to get my Master's degree in CS without going further into debt. We talked about it when we got home and made a fairly quick decision to move. So the last part of the month was doing all the things you need to do for moving.
September - Moving time. We left the Los Angeles area early September and headed up to the Salt Lake City area. To sum it all up, it sucked. Moving is bad enough, but we got the house we had rented for 6 months and found that nothing had been cleaned or maintained. I've seen worse, but it wasn't good by any stretch. Our neighbor thought we had gray carpet, when it was actually brown. We also had to deal with 6-8 feet tall thistle plants in the yard. Such fun.
October - Work, cleaning (still), preparing for the GRE tests. I took the general GRE in October and signed up for the Computer Science exam in November. I've learned a healthy dislike for these tests. I also started to file paperwork for my consulting business. JW Network Consulting LLC was born. :)
November - Took the Computer Science GRE yesterday. Hopefully I did well enough for school, but we shall see. It was a nasty exam, but I am alive and relieved that I never have to take these silly exams again.

So that's the replay. I still need to finish my application for the Univ. of Utah, but the major hurdles are over. Then I just need to wait to see if I get in. Now I'm starting to focus on the consulting practice more. It's a bit rougher to try to get things going when you don't know hardly anyone in the area. I've been able to do a small bit of work with someone I know up here, but I need to get more going with all the things that are coming up. Once I start school I will have to quit the full time job and will be relying completely on my consulting work. It's a bit scary, but I think that things will be ok. Definitely will be a learning experience.

I plan to start doing more blogging and research related work. Somethings I won't be able to talk about, others I will. What I can will go down here. If nothing else so that I can find it again later when looking something up.

Changing Firefox to allow XSS on any site???

2007-06-27T21:37:00.000-07:00

Well, I guess the title of this post is a *bit* unfair, but it's close enough for me. First some background. I'm studying cross site scripting right now for my final independent study at school. As part of this I'm messing around with a book on AJAX to learn more about javascript and how this whole Web 2.0 booya works. Tonight I'm banging on one of the early examples in the book. I created the HTML and javascript files on my local machine and hit them via Firefox. The javascript makes an XMLHttpRequest to the author's web site since there is almost zero info on server side code in the book. Firebug immediately starts complaining to me with "Permission denied to call method XMLHttpRequest.open". What the heck?? Time to troll google.

Sure enough, I find some answers the the issue. The problem is that I am running the files at http://localhost/foo.html and the XMLHttpRequest is calling http://authors.website.com/his/webservice to get some AJAXy result back. Firefox looks at this and decides that isn't cool at all and blocks the request. Hurray for the Firefox team. I like it that they thought of this. However, now what am I supposed to do? I don't have the server side code and while I could toss this on my public server, I'd really rather not. Back to google. Maybe there's a hack for this...

Well, sure enough there is. I found this post on Google Groups with details on how to work around the issue. Here's what the post has to say. Find user.js inside your firefox profile. If it's not there, create it. Open it up and add the following three lines to it:

user_pref("capability.policy.XMLHttpRequestToAnySite.XMLHttpRequest.open","allAccess");
user_pref("capability.policy.XMLHttpRequestToAnySite.sites", "http://localhost");
user_pref("capability.policy.policynames", "XMLHttpRequestToAnySite");

One problem, it allows any file running at localhost to call any other site in the background via XMLHttpRequest. From what I can see I have now configured Firefox to be much more open to XSS. So I'm just going to move this file out of my profile and shut firefox down whenever I'm done studying. I'm not frustrated at Firefox at all in this. I just wish I had the source to the server code used in the book so I could run through things without asking to get pwn3d. *sigh*

Darpa Robot Project

2007-06-14T11:58:00.000-07:00

Here's an interesting DARPA project someone threw out in IRC today. It looks a lot like what I did but a WHOLE lot smaller. The military can throw out a number of these things and build a communications network on the fly in a battle zone using wifi. I hope they use better encryption methods than the current public uses, but it still is a cool idea. It is also similar to a project that was done for urban search and rescue. Send out a team of robots, build some kind of mesh network and guide rescuers through the burning building or whatever.

The robots being proposed by DARPA are surprisingly inexpensive at about $100 each. I figured they would cost a lot more. One thing that made me laugh from the article on The Register. DARPA admits "it is expected that power will be a challenging design requirement". No way!!! Really??

Hacking Web 2.0 Applications on Securityfocus

2007-05-17T22:54:00.000-07:00

Quite a while back there was an article on Securityfocus by Shreeraj Shah on hacking on web 2.0 apps. It was very basic, but it had some tidbits in there that I wanted to keep an eye on for later. It shows how to use Firebug, which is something I'm a newb at, to inspect web pages for client side logic, validation, XMLHTTPRequests, etc. I'm doing another project on web app security at school and am going to focus on javascript, ajax, XSS, CSRF and look at javascript worms. It should be a fun project and allow me to take a narrower look at part of webapp sec. The article should provide me with a little more guidance as I dig into this further.

http://www.securityfocus.com/infocus/1879

Some Fuzzing Applications

2007-05-17T22:50:00.000-07:00

Today jms in #pauldotcom threw out a link to some fuzzing applications that a friend of his had written or was part of writing. I haven't had a chance to take a look at them yet, but didn't want to lose the link either. So here it is. If anyone has played around with these apps, please let me know what you think.

http://appliedsec.com/resources.html

A example of sorry web application "security" measures

2007-05-15T20:52:00.000-07:00

So last Saturday I participated in the graduation ceremony at college and was able to don the cap and gown for a hot day in the sun. It was all right, as far as these things go, but I'm a bit biased since it was mine. It was nice to go through, but I still have a few units to finish before I really have my degree. Anyways, as you get your "diploma" you get to shake the hand of the university president and get your picture taken with him. As you hit the bottom of the stage ramp, you get your picture taken again solo. Today I got an email telling me I could order my pictures online and to go take a look. So of course I went to go see how they turned out.

Here's where the web app security comes in. It seems that for $50, they will be happy to email the picture I'm looking at to me. Now that seems a tad bit expensive for something that I know is already on my computer in my browser cache. The preview picture is 430 by 620 pixels, so it's not too tiny. It also has no watermarks on it. So, rather than digging through my cache to find it, how do I just save this picture off to my hard disk? Right click doesn't work. So I go to my menu and do View->Page Source. I read through the source code real quick and see some javascript, which I presume is blocking the right click, and find the URL to the image. The image is hosted on another site and there is no authentication to prevent unauthorized access.

So what was the security measure to prevent me from saving the file? Just that silly javascript. Oh well, they will still make a fair bit of money off of me, since my family was to the right of the stage and I ended up on the left side. Kinda limited the photo ops for them.

Viewing Kismet's Data Remotely

2007-04-18T20:02:00.000-07:00

So, running around a remote war driver makes little sense if you can't see what it is finding. I attempted to use kismet2html running on lighttpd last night. I kept running into some weird issue that prevented the php files to render at all though. It works great on a full blown php install, but I think the php5 package for openwrt has some issues. So instead I'll just take a page out of webif's methods and do some shell scripting to render the HTML. Not the sexiest method, but it will work.

New Router, New Batteries

2007-04-18T19:33:00.000-07:00

I still don't know what caused the WRTSL54GS to die, but with only a few weeks until the end of the semester I had to continue on. I broke out the spare WRTSL54GS and installed it on the tank over the weekend. There were a number of modifications made this time to the assembly. First, the router was installed on thicker grommets to lift it further from the plexiglass base. Second, I bought two 12 volt lead sealed batteries to replace the 7.2 volt packs I had before. Last, and most unexpectedly, I broke the plexiglass base while drilling out the holes to hold the larger batteries. **sigh** So off I ran to Home Depot to by another sheet of plexiglass to mount everything to.

Here's the tank part way through reassembly.

Finally put back together. The problem I have now is that it is too front heavy with the new batteries and gets a bit bouncy because of it. So, I'll be moving the batteries closer to the center shortly.

Scanning Source Code for Vulnerabilities Before Checkin

2007-04-17T11:45:00.000-07:00

I was sitting in #webappsec today when zn- made the comment that he really wanted something to check code for security vulnerabilities as code was being checked into source control. Then if something was found it could refuse the code or do whatever the group had decided to do with it. This got me thinking a bit about it. The company I work for does an extremely basic check of this nature for things like inline SQL in web code. If the code has something that matches its pattern, then it checks the code in and notifies engineering management of the issue. Now this isn't the most robust check in the world, so how could this be improved?

The Web Application Security Consortium has an article up about using security frameworks in web development. It refers to a few different frameworks such as The Java Validation Library and Microsoft's anti-xss library. So it brings up an interesting idea. How would someone do some scripting on their source control server that would run the checked in code against these libraries? What would be the issues that you would run into. At home I use Subversion on UNIX. How would I check code developed for the Microsoft platform against there anti-xss library from my UNIX host? Would it be possible? Or would the library be totally unusable for the purpose of doing automated code audits. I admit, I don't know much about either of these libraries at this time, but it would be REALLY cool to be able to call some method that runs the code through a security framework for potential issues. I think I might be playing around with this some in the future. If nothing else, I need another couple of units at school to graduate and this might make a good project to play with.

Death of a Router

2007-04-11T22:41:00.000-07:00

Well, I guess it had to happen at some point, but I've finally had my first major setback on the project. I'm not sure when it occurred, but my WRTSL54GS bit the dust some where along the line. Friday and Saturday I mounted the routers to the car and all looked well. Sunday I ran ping tests until the batteries died on both routers. I was feeling really good about it all. I didn't mess with the machine for a couple of days, but I took it to work to show it off. Today I noticed that the router hadn't initialized the USB drive on the SL54GS, but I figured it was some kind of boot error. Not so. The router no longer responds to pings and either I botched the console head block install, or it isn't handing out console output either. The end result is that the thing is dead. Multiple failures at resetting to fail-safe mode and trying to tftp to it. **sigh**

So now what? I have my spare router, but I have a couple of questions about this whole thing. Here are the only things I can think of that caused the issue.

I shorted the router out at some point and didn't notice. Definitely possible and I will be doing more to insulate the mounting screw beneath the board to make sure.
The battery test killed it when the voltage dropped too low. This seems kinda unlikely to me. Why would low voltage brick the thing? Wouldn't it just shut down? Still something to consider.
One of my kids got to it between Sunday's testing and my demos today. Not all together unlikely either.

So now the question is, do I hook up my spare and start testing. It's about a $100 risk to do so. Or do I spend more time trying to diagnose the first failure? With only 4 weeks left to the due date, I'd better make a decision fast.

What I did over Easter weekend....

2007-04-10T00:15:00.000-07:00

Just a quick post to show off the wardriver. I spent most of Friday and a chunk of Saturday assembling the monstrosity. It was way too much fun. Here's the basic recipe so far.

A single Blizzard EV
3 - 7.2 volt battery packs
1 - Linksys WRTSL54GS Router
1 - Linksys WRT54GL Router
1 - Airlink 101 Omni-directional antenna for 10 dBi gain
1 - 1 GB USB drive
Add plexiglass, four right angle brackets, assorted hardware and cabling
Mix well, charge the batteries and...

Result: (please excuse the shoddy phone camera)

Modding the WRTSL54GS

2007-03-31T17:47:00.000-07:00

Work was a mess this week, due to an office move and other issues, so I've fallen a bit behind on where I wanted to be on the wireless project. I finally got some time to work on the project late this week. After a run down to the local Fry's, I had all the parts I needed to modify the main board on the WRTSL54GS. I dove into this the other night and found that I was in for more trouble than I expected. First, I pulled out my practice PCB and started soldering again, trying to get warmed up before working on some of the more important parts of the project. Next, I assembled the RS232 adapter and managed to avoid botching the soldering. That made me feel pretty good, so I pressed on... and started wrecking some parts.

The WRTSL54GS uses a very poor antenna in its stock form. It is rated at 1.5 dBi gain, which did not fill me with enthusiasm. So I decided to replace it, but I have a problem The antenna is connected directly to the main board with no way to detach the stock antenna cleanly. Since I was feeling brave after successfully soldering the RS232 adapter, I pulled out the wire cutters and clipped the antenna wire close to the antenna. I wasn't quite brave enough to attempt soldering a new antenna smack in the middle of the board. I had picked up two SMA connectors at Fry's, which I figured would be sufficient. When I attempted to crimp the center pin to the coax cable, I damaged both of them. They would not even come close to sliding up the center of the adapter. Now what? Today, I did another run to Fry's and purchased three more connectors. When I got home, I found that I had the wrong models. The center pins were hollow and I needed the solid ones. So, I needed to salvage the pins I had from the previous night. A bit of dremeling cleaned up one the center pins enough to be usable. Instead of crimping, I soldered the pin to the antenna wire, crimped on the outside of the connector and it all looked pretty good.

Next, I started hooking up the connector to the serial ports on the main board. This sounds straight forward, but Linksys decided to make it more complex. They filled the holes with solder. *sigh* After 30 minutes of messing around the holes were cleared out and I was able to solder in the new head block.

I was a bit nervous again about this because I had to apply a fair bit of heat to get the solder out. I took it up stairs, attached a 10 dBi gain antenna and booted up the router. Sure enough, it booted up cleanly! Needless to say, I'm very happy with this. But was the new antenna working? Fortunately it was. Here's a screen cap of the signal strength.

The SSID of Elune is my access point and WRT is my newly modded router. Both Linksys SSIDs are neighbors, one of which is inviting trouble. Any how, I was on the other side of the house when this cap was taken. Note the huge difference in signal strength of WRT using the new antenna when compared to Elune! Both devices were sitting right next to each other. Mission accomplished.

Here's the modded main board.

Web App Security Research

2007-03-14T23:08:00.000-07:00

Just thought I'd link to my paper on web application security that I did last semester. It's pretty basic and is aimed at a technical audience that is not familiar with web app security.

You can read the document here. <--PDF warning

Senior Project - War Driving Remotely

2007-03-14T22:42:00.000-07:00

I'm finally getting close to graduation! My project consists of taking a couple of Linksys routers, hacking the hardware, installing OpenWRT and then dropping the whole thing on an RC vehicle. Voila! A quasi robotic war driving kit!

So what's the point of it really? Well, I took a robotics class and really liked working with hardware. But security is my main interest. Then I thought about doing an audit for rogue wireless access points around a corporate campus. It would take a while to walk around and war walk the campus. I can be a lazy sort, so I try to look for easier way to do things. So why not install the equipment on something that can do about 20 miles an hour? That ought to speed things up! An idea is born.

Really, I've found somewhat similar ideas for this while I've been researching for this project. So while I largely thought of this on my own, I still lose a few points for my lack of originality. But it will be fun and I will learn a lot along the way. That's really what this is about.

The Concept

Create a mobile wireless detection platform that can cover a wide geographical area quickly.
Provide near real time feed back to the operator.
Use GPS to plot the location of detected access points.
Save data for later analysis.
Find and use enough information to locate the rogue access point.
Optionally, use a 2.4 GHz spectrum analyzer while performing the war driving. (I'm not sure how this will work, but I want to check it out.)

Hardware
Most of the project is still scratched out in my notebook, but I will document more of what I'm doing as I go. I have purchased most of the hardware already. It's been fun to say the least. Here's the bulk of my kit.

I decided on the Kyosho Blizzard EV for the RC platform. It uses treads and has a low center of gravity, which will hopefully keep the shiny side up. More info on its upgraded form here.

Then we get to the wireless gear. I'm still waffling around some on how to set this up, but I think the WRTSL54GS for the Kismet device. I'm kicking around what to do with the lame antenna soldered into it. Unfortunately, it's not like the WRT54GL in the picture which has dual remove able antennae. But I think I can just clip the wire and add an adapter to the end. The idea of soldering a new antenna onto the board is a bit intimidating to me. I'll probably use the WRT54GL to relay information back to me via its wireless connection. I'm working with an old Zaurus PDA and trying to get a Netgear wireless card working on it. It has been a mixed experiment so far.

That's about where I am at so far. The car is assembled and I'm poking around on the WRTSL54GS to see how I can do what I want done. Next steps are:

Design and fabricate the mounting platform for the wireless gear
Order and fashion the antenna(s) that I will be using
Order GPS equipment and mount it to the device
Assemble the hardware into the completed vehicle
Install, write, modify and integrate the software I'm researching together.

This all ought to keep me out of trouble for a while.

Starting Fresh

2007-03-14T22:13:00.000-07:00

I'm not much for blogging just for the sake of doing it, but I'm working on a project for school and figured a blog would be a perfect place to log my work.