Archive for February 2006

 
 

Insomnia related matters

My friend Johnny has posted a series of posts related to work, being effective, organised and awake (which is actually harder than you would think). Check them out.

About

Göran Sandahl

My name is Göran Sandahl, a security consultant at Integralis, freelance writer and security enthusiast. I am currently based in Stockholm, Sweden, where I have lived with my girlfriend for almost 7 years. My main focus within security is detection, prevention and recovery from computer and network security attacks, which essentially means I work with technologies like IDS, IPS and SIEM and their related routines and processes.

Curriculum Vitae

Upon request …

PGP key

If you'd like to send me a private, encrypted mail, my PGP key can be found on most key servers by its fingerprint: 58CB C304 92A7 FCF6 349D 9C49 D279 38F2 C06C D351

Contact me


Focused DDoS attacks

Enews has reported on an interesting incident of a focused denial-of-service attack. According to the article, a number of British companies have been attacked with heavy IP traffic right at their quarterly draftings, which is the moment when downtime hurts the most. This is yet more evidence that you have to, if not plan for the most drastic scenario, at least take it into account.

Source code auditing with RATS

Software vulnerabilities are the basis of computer security. There are many tools available for source code review, and one of them is RATS.

RATS (Rough Auditing Tool for Security) is developed by Secure Software, Inc. It scans C, Perl, PHP and Python source code and flags common security-related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions. As its name implies, the tool performs only a rough analysis of the source code: it will not find every error, and it will also flag things that are not errors. Manual inspection of your code is still necessary, but it is greatly aided by this tool.

A run of RATS over a C-based exploit shows some nice things.

neewt@foursome:~/misc/$ rats HOD-ms05039-pnp-expl.c
Entries in perl database: 33
Entries in python database: 62
Entries in c database: 336
Entries in php database: 55
Analyzing HOD-ms05039-pnp-expl.c
HOD-ms05039-pnp-expl.c:270: High: fixed size local buffer
HOD-ms05039-pnp-expl.c:271: High: fixed size local buffer
HOD-ms05039-pnp-expl.c:273: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that are allocated
on the stack are used safely. They are prime targets for buffer overflow
attacks.

HOD-ms05039-pnp-expl.c:290: High: gethostbyname
DNS results can easily be forged by an attacker (or arbitrarily set to large values, etc), and should not be trusted.

HOD-ms05039-pnp-expl.c:352: High: sprintf
Check to be sure that the format string passed as argument 2 to this function
call does not come from an untrusted source that could have added formatting
characters that the code is not prepared to handle. Additionally, the format
string could contain `%s' without precision that could result in a buffer
overflow.

Total lines analyzed: 437
Total time 0.001988 seconds
219818 lines per second
neewt@foursome:~/misc$

RATS reported two vulnerabilities in this 436-character-long source code, both classified HIGH. The second report concerns the use of the known dangerous function sprintf, which is often susceptible to buffer overflows; sprintf is one of the "known vulnerable" functions of C.

More interesting is the first report, about opening a socket and the use of gethostbyname. This is not actually a vulnerability in the code itself, but in the way IP addresses are resolved. It is nevertheless very useful, as a software developer may be less likely to understand network vulnerabilities than software vulnerabilities like buffer overflows.
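An added example (not code from the page or from the scanned exploit): the hardened counterparts of the two patterns RATS flagged above, a bounded formatting routine in place of sprintf into a fixed-size stack buffer, and a gethostbyname() consumer that checks the record's family and length before copying it, exercised with a constructed hostent rather than a live lookup. Function names and the sample host strings are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Hardened form of the sprintf-into-fixed-buffer pattern RATS flags: the size
 * is explicit and snprintf's result is checked, so an over-long host gives -1. */
int format_target(char *out, size_t outlen, const char *host, unsigned port)
{
    int n = snprintf(out, outlen, "%s:%u", host, port);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';           /* leave nothing half-written behind */
        return -1;
    }
    return 0;
}

/* Hardened use of a gethostbyname() result, per the RATS note that resolver
 * data is untrusted: family and length are checked before the copy. */
int copy_resolved_addr(struct in_addr *dst, const struct hostent *he)
{
    if (he == NULL || he->h_addr_list == NULL || he->h_addr_list[0] == NULL)
        return -1;
    if (he->h_addrtype != AF_INET || he->h_length != (int)sizeof(*dst))
        return -1;                   /* oversized or non-IPv4 record */
    memcpy(dst, he->h_addr_list[0], sizeof(*dst));
    return 0;
}

/* Constructed hostent (not from a real resolver) claiming a 16-byte IPv4
 * address; memcpy'ing h_length bytes into a 4-byte in_addr would overflow. */
int reject_oversized_record(void)
{
    static char raw[16];
    char *list[] = { raw, NULL };
    struct hostent he = { .h_name = "bogus.example", .h_addrtype = AF_INET,
                          .h_length = 16, .h_addr_list = list };
    struct in_addr a;
    return copy_resolved_addr(&a, &he); /* -1: record refused */
}
int main(void)
{
    char t[16];
    printf("%d %d %d\n", format_target(t, sizeof t, "vpnhost", 1194),
           format_target(t, sizeof t, "a-hostname-that-is-too-long", 1194),
           reject_oversized_record());
    return 0;
}
```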

Virtual network connectivity between FreeBSD and Kubuntu using OpenVPN

Whenever I'm away from home I'd like access to resources on my local network, such as e-mail and file shares. I have in the past made IMAP, SMTP and SSH access available from the internet, to my dislike. I've also used SSH with X11 forwarding to get an instance of KMail forwarded to my laptop. All these systems either pose security threats, have flaws, or are somewhat painful solutions.

So, I decided to set up a Virtual Private Network with OpenVPN. This gives me "virtual" access to my local network, so I can reach its resources as if I were present on it. OpenVPN doesn't use IPsec, but instead uses SSL/TLS from the OpenSSL project. I also looked into the new version of OpenSSH, which offers functionality similar to a routed VPN through its support for TUN/TAP interfaces. OpenSSH does, however, only run over TCP, which makes that solution less than ideal behind a firewall that performs network address translation. TCP over TCP also has more overhead than TCP over UDP.

Setting up the FreeBSD server with OpenVPN

I'm running FreeBSD 6.0, and OpenVPN is available as a binary package through the ports system. This makes patching painless. We install the package:

pkg-addonesome# pkg_add -r openvpn
Fetching ftp://ftp.freebsd.org/../Latest/openvpn.tbz... Done.
Fetching ftp://ftp.freebsd.org/../All/lzo-2.01.tbz... Done.
.. truncated..

In order for the OpenVPN daemon to launch at startup, we add the following lines to /etc/rc.conf:

openvpn_enable="YES" # YES or NO
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
openvpn_dir="/usr/local/etc/openvpn"

(If you are using the C shell, csh, then a "rehash" is needed for the shell to find the new openvpn executable.) Now it's time to configure the daemon. We create the directory specified above and copy the sample configuration file into place:

root# mkdir /usr/local/etc/openvpn
root# cp /usr/local/share/doc/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn

I'm using PKI certificates for authentication, so these keys must be created. The OpenVPN package includes a set of scripts for this. It requires us to work under Bash, so we enter that shell by issuing the command "sh". We enter the directory /usr/local/share/doc/openvpn/easy-rsa/ and edit the file vars, modifying the last lines like this:

export KEY_COUNTRY=SE
export KEY_PROVINCE=Stockholm
export KEY_CITY=Stockholm
export KEY_ORG="gsandahl"
export KEY_EMAIL="goran@gsandahl.net"

We make the file executable with "chmod u+x vars". This exports several variables that will be used for creating the CA certificate, the server certificate and the client certificates. The following procedure exports the variables and creates the CA key and certificate:

# ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
# ./build-ca
Generating a 1024 bit RSA private key
..................++++++
...................... ............................ ................. ++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) <>:
Common Name (eg, your name or your server's hostname) <>:twosome
Email Address :

The process is similar for the server and client certificates, using the commands "build-key-server server" and "build-key foursome" respectively. The important thing is that the common name differs between all of them.

Next we copy the certificates and keys to their appropriate place:

cp keys/* /usr/local/etc/openvpn

The configuration file we put in place earlier should be fine with its defaults. We start the OpenVPN daemon by issuing the command

/usr/local/etc/rc.d/openvpn.sh start

The server should now be up and running. Authentication of connecting clients is based on their certificates being signed by the CA that the server trusts (and by which the server's own certificate is signed). In my case, this is the foursome certificate.

Setting up Kubuntu and Kvpnc to connect to the server with OpenVPN

My laptop runs Kubuntu Breezy. OpenVPN is available in the official repository, and is thus easily installed with

foursome# apt-get install openvpn

We won't do any actual configuration of OpenVPN through its config files, but instead use the application Kvpnc to configure and connect the tunnel. Kvpnc is a KDE-based VPN front-end for OpenVPN, among others. A great application, which is also available through APT:

foursome# apt-get install kvpnc

We do, however, need the keys created earlier. I copy the necessary ones ("client-twosome.crt", "client-twosome.key" and "ca.crt") to a local directory, using for instance scp.

I launch Kvpnc and choose "New profile" from the Profile menu. The certificates are configured later in Preferences, under the Settings menu. Two screenshots illustrate this.

I also made sure that "Use UDP (NAT-T)" was checked under Network/NAT, and that "Userdefined port" under OpenVPN wasn't.

The client now connects successfully to the server, and all traffic destined for the 10.8.0.0 network is routed through the tunnel over the tun0 interface. Beautiful.
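An added example, not the page's own configuration (the author keeps the sample server.conf defaults and configures the client through Kvpnc's dialogs): a server configuration for the FreeBSD side that spells out the decisions discussed above (UDP rather than TCP, a routed tun device, CA-signed certificates in /usr/local/etc/openvpn, the 10.8.0.0 pool), followed by the equivalent client profile. The home LAN 192.168.1.0/24, the public hostname, the dh1024.pem and ta.key files are assumptions not taken from the page; note that the rc.conf line above points at openvpn.conf, so the copied server.conf needs that name (or the rc.conf line adjusted).

```conf
# /usr/local/etc/openvpn/openvpn.conf (server side, FreeBSD 6.0)
port 1194
proto udp                                  # avoids the TCP-over-TCP overhead noted above
dev tun                                    # routed tunnel, matching openvpn_if="tun"
ca   /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/server.crt     # from build-key-server server
key  /usr/local/etc/openvpn/server.key     # keep this file mode 0600
dh   /usr/local/etc/openvpn/dh1024.pem     # assumed: built with easy-rsa's build-dh
server 10.8.0.0 255.255.255.0              # the pool the client saw routed via tun0
push "route 192.168.1.0 255.255.255.0"     # assumed home LAN behind the server
tls-auth /usr/local/etc/openvpn/ta.key 0   # assumed: shared HMAC key, openvpn --genkey
keepalive 10 120
user nobody                                # drop root once the tunnel is up
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

# Equivalent client profile (the page sets the same things through Kvpnc)
client
remote vpn.example.invalid 1194            # assumed public name of the server
proto udp
dev tun
ca   ca.crt
cert client-twosome.crt
key  client-twosome.key
tls-auth ta.key 1
ns-cert-type server                        # only accept a cert made with build-key-server
nobind
persist-key
persist-tun
verb 3
```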

WMF-exploit available since 1st of December

Eweek has posted a story that (if true) confirms my thoughts and opinions on the WMF matter. According to the article, evidence says that the exploit targeting the WMF vulnerability was first seen on the 1st of December, roughly one month before the whole issue became public. This is what I've expected. Exploits, including zero-days, get disclosed to the public when the attackers get sloppy. In this particular case, the exploit was made public when an attacker bought the exploit and made an automated attack out of it.

Last week, I also saw reports of the British parliament being (successfully?) hacked with the exploit. I expect to see more incidents related to this matter in the future.