Archive for January 1970


Firewall filtering based on user authentication

While reading through this week's SecurityFocus Linux Newsletter (numero #231), I discovered a cool "tool" for Linux, called NuFW.

NuFW performs an authentication of every single connection passing through the IP filter, by transparently requesting the user's credentials before any filtering decision is taken. Practically, this brings the notion of user ID down to the IP layers.

Sounds really cool. From the website I further read,

NuFW can:
Authenticate any connection that goes through your gateway, or only from/to a chosen subset or a specific protocol.
Perform accounting, routing and quality of service based on users and not simply on IPs.
Filter packets with criteria such as the application and OS used by distant users.
Be the key of a secure and simple Single Sign On system.

Normally, firewall filtering is done on IP addresses and port numbers, but this introduces filtering based on who the user is. This sounds a lot like the functionality offered by 802.1x and the Extensible Authentication Protocol (EAP), but at the firewall instead of on the switches. This should be further investigated, because it certainly sounds cool.

And hey, for us Debian zealots, there are packages for both testing and unstable. Now there's really no excuse! :)

An interesting view of software patents

Software patents are a frequently discussed topic nowadays. They are discussed here, on the internet, and in the ordinary newspaper press. It's a real-world topic, not just some internet humbug. This article at PC Magazine looks at it from a different angle. An example:

Secrecy Works Best. The three ways to protect intellectual invention are copyright, patents, and secrecy. In some environments secrecy (usually in the form of trade secrets) is the most secure and least troublesome. You invent a process and keep it a secret indefinitely. The formula for Coca-Cola and Mars's candy-making methodology are examples. If these had been patented, they'd be public knowledge, the patents would have expired by now, and the methods would have been copied.

While this is about as far from an advertisement for open-source software as you can get, it still sounds... true? I would have to agree that if Coca-Cola had patented the recipe, others would have gotten an idea of how "to make coke", making Coca-Cola lose more on the patent than it gained from it. Read the article, it's interesting.

VMware Workstation 5.0

Apparently, VMware has released version 5 of their Workstation series. I was kind of anxious about this release, as there are some features that I think would be nice to have. From what I can tell, they have sped things up and added features such as having multiple snapshots of the guest operating system. Also, they have (finally?) managed to incorporate Gnome's graphical toolkit (GTK), which makes the application look a bit nicer.

But, the functionality that I was looking for was absent. What I would like VMware to do is to let me virtually plan a network of multiple guest OSes. In other words, map the relations that these guest OSes have to each other, like hosts A, B and C being connected to a switch, host B having internet connectivity, etc. In addition to that, it would be neat if this environment could be totally locked down (with no connection whatsoever to the physical network). This kind of functionality would be awesome as a lab environment, for testing malware, penetration tests, etc. Too bad they haven't implemented this, but I think this type of functionality might be available in their other products, such as VMware GSX or ESX. I'll have to check that up some day.

Stateful Adaptive Packet Destruction Enterprise-Class Gigabit Intrusion Prevention System

Hah, this is a product for all of us who are ultra-paranoid in our internet usage. No, seriously, this might be a joke, but the intentions are good. The IDS and IPS market is full of products claiming to be a "Stateful Adaptive Packet Destruction Enterprise-Class Gigabit Intrusion Prevention System", but in the end, they tend to rely on the same set of techniques as their competitors.

So, cut your cables and you'll have a system worthy of that name.

Panda develops HIDS-product…

Some days ago, a guy from Panda Antivirus held a seminar about malware for our class. Nothing special about the presentation or what was said. He, among many other things, made the pretty obvious statement that antivirus technologies are always one step behind the viruses. They, like for example signature-based NIDS products, match files and traffic against a given database of signatures. The problem with this is that there has to be a recorded incident before the antivirus companies can act and get a signature out.

What I want to get to is that he stated that Panda's product to defeat this "time period" where customers are unprotected against a new virus is called TruPrevent. This is the first time I've come across a HIDS product for Windows. I'm sure they exist, but they've just escaped my attention. Further, he stated that TruPrevent will be able to look at how a process acts, and if it does odd things, alert the user or even kill the process.

I can't really imagine that this product will live up to its promises, and I find it hard to believe it will stop all unknown threats. According to this review, a program/process is able to turn off the personal firewall without any TruPrevent action. Odd.

Still, the presentation was very good, even though it didn't say anything really new.

No one writes worms anymore

A few days ago, an article at securityfocus.com stated that the number of new worms during 2004 was only one. This is a really small number compared to 2002-2003. The author of the article further states that

"One explanation for the dip in computer worms is that the widespread use of XP SP2 and greater use of personal firewall had rendered worms far less potent in the same way that boot sector viruses died out with Windows 95 and the introduction of Office 2000 made macro viruses far less common."

This is exactly why I have some strong opinions regarding Microsoft's way of handling security. SP2 for XP has been a big success, and was a big leap in the right direction. However, Microsoft recently said that only registered versions of Windows would be able to use Windows Update. While I do understand their intentions, it's also a bit irresponsible of them to act like this. The vulnerabilities that cause worms and viruses are mainly targeted at Windows, and are made possible by the large number of unsecured and unpatched Windows computers out there. Trojan horses give hackers huge weapons in the form of botnets, which can later be used in sophisticated attacks on companies. Microsoft should, in my opinion, try to minimize the possibility for viruses and worms to spread, and do so by writing a good operating system, or at least by making patches for it free. The quote above proves that this kind of proactive work pays off, so why do they have to turn in the opposite direction?

Here's a really cool article on this matter.

Using one-time passwords with Secure Shell

Some time ago, we had a lab exercise as part of a course at the university, which involved setting up one-time-password authentication. This exercise actually failed because it was badly planned. However, to me it sounded cool, and I wanted to give it a shot. It would be awesome to be able to use one-time passwords for remote logins when sitting in an (insecure?) coffee shop in, say, Thailand. My friend Johnny later told me that he'd implemented the intended setup, so I aimed to do the same.

Using Debian makes this task easy (as always). I'd like to point out that I'm (still) running the stable Woody set, but if you're running Sarge there will probably not be too many differences.
First off, install the package opie-server (this will also pull in opie-client, as it's a dependency). These are the tools that make this magic work. The opie-server creates and maintains the OTP keys, and opie-client computes OTP passwords from those keys (roughly speaking). To be able to use this in a real login procedure, we need to install libpam-opie. This gives us the tools to enable OTP authentication for real, with for example SSH.

foursome:/# dpkg -l | grep opie
ii libpam-opie 0.21-7 Use OTP’s for PAM authentication
ii opie-client 2.32-8.1 OPIE programs for generating OTPs on client
ii opie-server 2.32-8.1 OPIE programs for maintaining an OTP key fil

Now, all we have to do is enable this PAM module in the appropriate configuration file, which is /etc/pam.d/ssh. There are a lot of different setups available for this, and some of them can be found in libpam-opie's documentation (in /usr/share/doc/libpam-opie/). In my configuration example, I will be able to log in with my ordinary Unix password -OR- a one-time password. Why? Simply because it would be extremely inconvenient for me if I had to use an OTP even when I log in from my secure LAN, which is what I do in 90% of the cases. But, for those occasions when I don't trust the computer I'm at (if I believe there might be keyloggers or something like that on it, in other words, any Windows box :)), I can just choose to log in with an OTP. To have this configuration, be sure to have the following "auth" lines in your /etc/pam.d/ssh.

auth required pam_nologin.so
auth required pam_env.so
auth sufficient pam_unix.so
auth sufficient pam_opie.so
auth required pam_deny.so

Basically, this tells us that Unix passwords are sufficient, and so are OPIE one-time passwords. If neither is given correctly, the login will be denied. Also, be sure to enable PAM authentication in /etc/ssh/sshd_config by setting UsePrivilegeSeparation no and PAMAuthenticationViaKbdInt yes, and restart sshd.

Now, we are at the step of creating the OTP keys and passwords.

test@foursome:~$ opiepasswd -c -f
Adding test:
Only use this method from the console; NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase: ******
Again new secret pass phrase: ******

ID test OTP key is 499 fo7385
SKIN TRIO FARM OATH MA SHE
test@foursome:~$

This should be done in a secure environment, and not from remote, as I'm doing here.
The last two lines tell us that the OTP for sequence number 499 with seed fo7385 is "SKIN TRIO FARM OATH MA SHE". So logging in to this host from remote will look something like this (first, the Unix password is prompted for, and simply pressing enter will skip that):

$ ssh test@192.168.0.10
Password:
otp-md5 499 fo7385 ext, Response:
Linux foursome 2.4.18-bf2.4 #1 Son Apr 14 09:53:28 CEST 2002 i686 unknown

test@foursome:~$

But how would we know the one-time password when we are at a remote location? Well, either you can use some software that calculates the password when configured with the secret passphrase and OTP sequence number, or you can have a list of passwords printed out. To get a range of sequence numbers, all you have to do is something like this:

test@foursome:~$ opiekey -n 10 498 fo7385
Using the MD5 algorithm to compute response.
Warning: Continuing could disclose your secret pass phrase to an attacker!
Enter secret pass phrase:
489: GILT ROTH VINE CHOU LYNN THAN
490: SILO BAIL ULAN TELL NEWT ITEM
491: ROOD CLOD HOWE BONG LUGE WIN
492: DRAW NIT HOOD RACY NOVA SHAG
493: REIN ROAD HERB LEAK MAID KANT
494: SAG AIRY OMIT VIEW GLOM ECHO
495: CRIB ENDS GUST ACHE JOG BAH
496: CANE IRE BEET MORN CUP BREW
497: SUNK IDLE HAWK HUGH KNEE FIG
498: WET RUDY ORGY GRAY ARAB SET

This gives us 10 OTPs.
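The scheme behind opiepasswd and opiekey, as an added example that is not code from this post or from OPIE: a Python implementation of the otp-md5 computation from RFC 2289, with a minimal verifier that shows why the server side stores no secret and why a sniffed one-time password cannot be replayed. It reuses the seed and sequence number from the session above with a constructed pass phrase, and gives responses in hex (which otp-md5 verifiers accept too; the six-word form needs the RFC's 2048-word list and is left out).

```python
# Added example (not from the post or OPIE): RFC 2289 otp-md5 with a toy verifier.
import hashlib


def _fold(digest: bytes) -> bytes:
    # RFC 2289 folds the 128-bit MD5 output to 64 bits by XORing the two halves
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(seed: str, passphrase: str, count: int) -> str:
    """Hex one-time password for sequence number `count` (what opiekey prints)."""
    # the seed is case-insensitive and is put in front of the pass phrase
    key = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(count):  # `count` additional hash rounds
        key = _fold(hashlib.md5(key).digest())
    return key.hex()


def succ(otp_hex: str) -> str:
    """One more hash round: maps the OTP for sequence N-1 to the OTP for N."""
    return _fold(hashlib.md5(bytes.fromhex(otp_hex)).digest()).hex()


class OpieServer:
    """Holds what /etc/opiekeys holds: seed, sequence number, last accepted OTP.
    The pass phrase is never stored, and MD5 cannot be run backwards, so the
    file does not reveal the lower-numbered (future) passwords."""

    def __init__(self, seed: str, passphrase: str, count: int):
        self.seed, self.count = seed, count
        self.last = otp_md5(seed, passphrase, count)  # as opiepasswd -c does

    def challenge(self) -> str:
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        # valid iff hashing the response once reproduces the stored value;
        # on success the response becomes the stored value, so it cannot be reused
        if self.count <= 0 or succ(response_hex) != self.last:
            return False
        self.last, self.count = response_hex, self.count - 1
        return True


def demo() -> tuple:
    """Constructed walk-through: init like opiepasswd, answer one challenge, replay it."""
    phrase = "constructed pass phrase, not the post's"  # assumption, not from the post
    server = OpieServer("fo7385", phrase, 499)
    answer = otp_md5("fo7385", phrase, 498)  # what opiekey would print for 498
    first = server.verify(answer)
    replay = server.verify(answer)  # the same OTP a second time must be rejected
    return first, replay, server.challenge()
```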

I've probably forgotten something, and if you notice what, please inform me. I think this is a good way of adding a bit of extra security to SSH and remote access. If my Ericsson T610 supported a decent version of Java I'd be happy, because then I could run a software OTP calculator, such as jotp.

Implementing WPA in Enterprise mode... at home

If you are familiar with wireless networks, you might also know of WPA and WPA2, and that they both exist in Enterprise mode and Personal mode. The big difference between Enterprise and Personal mode is that Personal uses pre-shared keys (hence the name WPA-PSK), while WPA in Enterprise mode derives and exchanges the keys automatically. WPA with pre-shared keys has been proven to be easy to attack.

So, WPA in Enterprise mode is recommended, but it is rather nontrivial to implement. Among other things, there is a need for a RADIUS server (authentication server), and that's not the first thing you install. At least not in a home environment. So, how could one secure his WLAN without placing another server in the closet? Simply put, by using an extremely small RADIUS server that can be installed "on top" of the firmware in the wireless AP. The software that does this is called tinyPEAP, and here are their own words about the software:

tinyPEAP is a very small RADIUS server that supports PEAP authentication (the most secure wireless authentication protocol). It was designed from scratch to be able to run on very minimal hardware, such as the Linksys WRT54G. What are the benefits of such a server? Traditional 802.1X/RADIUS solutions require a dedicated RADIUS server and a rather complex setup. tinyPEAP allows you to have all of the benefits of 802.1X and PEAP security without the hassle of having a full-blown RADIUS server on hand. In fact, the whole setup fits in a relatively cheap wireless access point that is very easy to set up. For those not familiar with 802.1X/PEAP solutions, they provide much enhanced security and user management abilities. 802.1X/PEAP solutions such as tinyPEAP successfully mitigate most of the known attacks against 802.11 wireless networks, most notably sniffing and key cracking. The tinyPEAP team has integrated this server into WRT54G and GS firmware for you to try. We have also provided you with a graphical interface in order to manage the server.

I haven't got a wireless LAN in my possession, so I can't try this out. If you do, be sure to tell me how it works ;)

Full disclosures should be public

I've been following a thread on the Daily Dave list (which I for some unknown reason signed up for; I guess it was because of some interesting thread regarding vulnerabilities). However, the specific thread discusses an article that claims that Immunity (which manages the Daily Dave) is acting unethically and without responsibility (and I kind of agree with that).

So, what does Immunity do? The article mentioned above explains that rather well, so I'll just quote it:

Security experts have hit out at US firm Immunity Inc, which provides paid-up members with vulnerability information under non-disclosure agreements (NDA), which it subsequently keeps from vendors and the world at large.

So, what this means is that paying "customers" will get information on vulnerabilities, but no one else will. The non-disclosure agreement that the customers sign keeps them from forwarding the vulnerability disclosures to the public. I find this very unethical, foolish, irresponsible and stupid. They claim to do us a favor by not making these disclosures public, so that hackers can't make exploits targeting them. What keeps the hackers from signing up, and paying for the disclosures?

I think I’ll leave that list.

Not an extreme home makeover...

As you've probably seen (at least by now), the look of the page has changed a bit. There are no major changes in the site's looks (or content for that matter), but the "backend" is totally different. Before, I used a "home-made" PHP hack, which has done its job kinda well, but felt a little bit insecure and was lacking some functions (that I don't have the time or will to code). So, I've converted the page to Simple PHP Blog. It has some nice features and a lot better security than my own hack. Also, this page now has support for RSS feeds and a trackback system (that I haven't had time to familiarize myself with). Actually, there are likely some functions that I'm not aware of yet.

I've converted some of the posts that I had made on the old page, but not all of them. I've handpicked those that I think were of any significant value. So, ordinary "have you heard this?" posts are abandoned.

So, what do you think of the changes?