Tiger warned me that IP forwarding was enabled this morning.  Its behavior is definitely odd in terms of when it reports something is afoot.

NEW: --WARN-- [lin015w] The system has IP forwarding enabled

I digress.  Good article here on how to dis/enable IP Forwarding, but more importantly for my memory it also has the sysctl syntax which I forget on a regular basis.

Check if IP Forwarding is enabled

We query the sysctl kernel value net.ipv4.ip_forward to see whether forwarding is enabled (the IPv6 counterpart, net.ipv6.conf.all.forwarding, is worth checking at the same time):
Using sysctl:

sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

or just checking out the value in the /proc system:


cat /proc/sys/net/ipv4/ip_forward
0

As we can see in both of the above examples, forwarding was disabled (as shown by the value 0).  A value of 1 means the kernel will route packets between its interfaces, which is why Tiger warns about it: a box that is not meant to be a router should not have this on.
Enable IP Forwarding on the fly
As with any sysctl kernel parameters we can change the value of net.ipv4.ip_forward on the fly (without rebooting the system):

sysctl -w net.ipv4.ip_forward=1

or

echo 1 > /proc/sys/net/ipv4/ip_forward

The setting takes effect immediately, but it will not survive a reboot.
Permanent setting using /etc/sysctl.conf
If we want to make this configuration permanent the best way to do it is using the file /etc/sysctl.conf where we can add a line containing net.ipv4.ip_forward = 1

/etc/sysctl.conf:
net.ipv4.ip_forward = 1

If you already have a net.ipv4.ip_forward entry with the value 0, change it to 1 rather than adding a second line (sysctl -p applies the file top to bottom, so the last entry wins, but duplicate entries are confusing).
To apply the changes made in sysctl.conf without rebooting, run the following command (note that it re-applies every setting in the file, not just the one you changed):

sysctl -p /etc/sysctl.conf

There is some good stuff down in the comments too.
Thanks MDLog.


To fulfil the purpose of this site, I am reposting a collection of tools.  The Top 10 Security Assessment Tools.

1. Metasploit (Download Metasploit)
The Metasploit Framework provides a framework which consists of vulnerabilities, exploits, and payloads. Once a vulnerability is identified, the tester can then correlate the vulnerability to exploits stored in the framework. The exploit carries varying types of payloads which can gather passwords, provide a remote command channel, etc.

2. Nessus (Download Nessus)
Nessus is the de-facto standard for open-source vulnerability scanning. Available for both Windows and Linux. There is a commercial offering, and also Inprotect at Sourceforge; however, development on Inprotect has stopped.

3. Nmap (Download Nmap)
A network mapping tool that is another de-facto open-source tool. This is used to identify active hosts, running services, OS fingerprinting, etc. Very fast!

4. Webscarab (Download Webscarab)
Webscarab is one of my personal favorites when it comes to hacking and conducting web-application security testing. This proxy application is Java-based and provides an HTTP editor, Fuzzer, Decoders, and session ID analysis tools.

5. Firefox Development Tools (Download Firefox Development Tools)
Firefox is the preferable browser for most web-application security auditors/assessors. The Development plug-ins facilitate circumventing client-side security including input validation, length requirements, etc. Also can convert POST to GET commands.

6. Phishers Toolkit (Download Phishers Toolkit)
Up until this software was developed I had to construe my own hacks for conducting remote social engineering/phishing for my security assessments. This application simplifies creating a server, distributing the nefarious content, and gaining a remote command-line interface on the pwned machine.

7. Wireshark (Download Wireshark)
Wireshark, previously known as Ethereal, is a great network sniffing tool. Another standard, this is the most comprehensive network sniffing tool outside of the commercial space.

8. Aircrack-NG (Download Aircrack-NG)
Hacking WEP and hacking WPA are both easily accomplished leveraging the Aircrack-NG toolset. Network monitoring, wireless sniffing, WEP cracking, and WPA hack acquisition are all easily conducted with the Aircrack-NG suite.

9. USB Switchblade (Download Switchblade)
The primary purpose of this tool is to silently recover information from Windows systems, such as password hashes, LSA secrets, IP information, browser history and autofill information, as well as create a backdoor to the target system for later access.

10. Brutus (Download Brutus)
Brutus is a great brute-force password hacking tool. Great for banging on passwords on SSH, Telnet, FTP, etc.

The following steps outline the process of using Public Key authentication for SSH with Putty as your client.  If you follow the entire guide and get it right, you will not have to type in your username/password for the servers you have setup.

Install Files
Copy putty.exe, puttygen.exe, pscp.exe, pftp.exe and pageant.exe to c:\windows\system32

Generate your key pair.

Start -> Run -> puttygen
Change the “Number of bits in a generated key” from 1024 to 2048 or whatever value you would like.
Click Generate
You will need to move the mouse around in the area with the progress bar till the bar completes.  This process is generating random data to create your key from.
Once complete, it will display the key contents.
In the key-comment box, change the value to something you will recognize.
Enter a passphrase and repeat it.
Click the “Save private key” button and save your private key.  I saved mine to My Documents with the same name I placed in the comments.
Click the “Save public key” button and do the same.  I changed the extension to .pub for identification.
Next you need to copy the Public key from the top box.  Be sure to get the entire thing.  It will start with ssh-rsa and end with what you typed in the comments.
Log onto each server and paste the following lines, replacing the line that says “<Paste authorized key data here, overwriting this line>” with the key you copied.  None of the placeholder text should remain.  This will create the .ssh folder and the authorized_keys file and set the permissions sshd requires.  The quotes around EOF stop the shell from interpreting anything in the pasted line.  If the server already has an authorized_keys file with other keys in it, use >> instead of > so you append rather than overwrite.

cd
mkdir -p .ssh
chmod 0700 .ssh
cat << 'EOF' > .ssh/authorized_keys
<Paste authorized key data here, overwriting this line>
EOF
chmod 0600 .ssh/authorized_keys

Close puttygen.

Setup your saved sessions in Putty.

Start -> Run -> putty

Adjust Default Session.
These steps will set the default settings of your instance of Putty to use the private key you just generated.

In the Saved Sessions box, select Default Settings and click load.
Browse the tree on the left to Connection -> SSH ->Data
Enter your username in the Auto-login username box.
Browse the tree on the left to Connection -> SSH -> Auth
Click the browse button and select the private key you saved earlier.  It will have a .ppk extension.
Browse back to the Session section on the left.
Click Save.

Existing Sessions.
Repeat this process for each server you created the authorized_keys file on either by changing an existing saved session or creating a new one.

Testing Public Key authentication
Using a session you have setup as above, connect to the server.
You should be prompted for your key passphrase.  If you are not, you have done something wrong and you need to troubleshoot.
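Here is an added example (mine, not part of the original guide) of the checks to run on the server when that passphrase prompt does not appear: a POSIX shell script that validates a pasted authorized_keys line and verifies the permissions sshd's StrictModes option insists on before it will read the file.  The sample key line is constructed (it is only the 18-byte header of an ssh-rsa key, not a real key), the function names are mine, and it assumes the coreutils base64 command.  Lines with option prefixes such as command="..." are not handled.

```shell
#!/bin/sh
# Added example, not from the original guide: sanity-check a pasted
# authorized_keys line and the permissions sshd's StrictModes expects.
# Assumes coreutils base64 (base64 -d). Option prefixes (command="...",
# from="...") are not handled; the line must start with the key type.

# authorized_key_line_ok "TYPE BASE64 [COMMENT]"
# Returns 0 when TYPE is a known key type, the blob is well-formed base64,
# and the blob's first length-prefixed field (SSH wire format: uint32 length,
# then the type string) is that same TYPE. This catches a paste that lost its
# beginning, a type mismatch, and truncations that break the base64 framing;
# it does not parse the rest of the key.
authorized_key_line_ok() {
    set -- $1                      # split on whitespace: type, blob, comment...
    type=$1; blob=$2
    case "$type" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    [ -n "$blob" ] || return 1
    [ $(( ${#blob} % 4 )) -eq 0 ] || return 1                 # base64 comes in groups of 4
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 || return 1
    # skip the 4 length bytes, then read exactly ${#type} bytes of the type string
    embedded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | head -c $((4 + ${#type})) | tail -c ${#type})
    [ "$embedded" = "$type" ]
}

# ssh_perms_ok HOME_DIR
# Checks what sshd's StrictModes enforces before it reads authorized_keys:
# the home directory must not be group/world writable, ~/.ssh must be 0700
# and ~/.ssh/authorized_keys 0600 (as set by the commands in the guide).
# Uses "ls -ld" so it works without GNU stat; columns 5-10 are group/other.
ssh_perms_ok() {
    home=$1
    case "$(ls -ld "$home" | cut -c1-10)" in
        ?????w*|????????w*) echo "$home is group/world writable"; return 1 ;;
    esac
    for f in "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$f" ] || { echo "$f is missing"; return 1; }
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "$f is accessible to group/others: $(ls -ld "$f" | cut -c1-10)"
            return 1
        fi
    done
    echo "permissions look right for $home"
}

# Constructed sample: the wire-format header of an ssh-rsa key with exponent
# 65537 (this prefix is why every real ssh-rsa key starts with AAAAB3NzaC1yc2E).
SAMPLE_KEY_LINE="ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB rsa-key-20080801"
```

Run ssh_perms_ok "$HOME" on the server as the user you log in as; when the key is silently ignored, sshd's own log line (“Authentication refused: bad ownership or modes for directory ...”) says the same thing, but the script saves you a trip to the log.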

Once you get it working, move onto the Putty Agent section.

Putty Agent
The following steps create a shortcut in the startup folder so each time you logon the Putty Agent will automatically start and load the private key.  Keep in mind that Pageant holds the decrypted key in memory for as long as you are logged in, so anyone who can use your Windows session can authenticate with it.

Start -> All Programs -> Right-click on Startup, click open.
Right-click on the window, select New -> Shortcut
In the field enter: pageant "c:\path\to\private_key.ppk"
Mind the quotes around the path.
Click next.
Give it a name such as “Putty Agent”
Click finish.

Test Public Key authentication with Putty Agent.

Start -> All Programs -> Startup -> Putty Agent (Or what ever you named the shortcut.)
You will be prompted to enter the passphrase for your private key.
Enter the passphrase.
You will now see a little computer screen with a hat on it in the system tray.
Open putty and use one of the sessions set up previously for Public Key authentication.
This should log you in automatically without prompting for a password or passphrase.


SAIC announced today that they are starting a CyberSecurity blog over at Typepad.  It should be interesting to see who they have do write ups.


During Defcon a new tool was mentioned that would automate the hacking of GMail accounts.   This only applies to those of you using GMail, not Google Hosted Apps.

The problem is in how GMail encrypts traffic: by default it only uses SSL for the login, after which the session cookie travels over plain HTTP.  As described here and here, anyone who can sniff that cookie on the wire can replay it and get into your account later.

The simple fix is to go into your account Settings, scroll to the bottom, select “Always Use HTTPS” and click save changes.  This will cause your entire session with GMail to be encrypted and mitigate the risk of your account being hijacked.  Combine this with Perspectives and you have a pretty solid security setup.


Four vulnerabilities in the Ubuntu kernel were resolved today.  Go update your systems!

The details are here.

As a side note, I did not have to reconfig the VMWare kernel modules upon reboot.

From the command line:
sudo apt-get update && sudo apt-get upgrade

Kernel packages sometimes need apt-get dist-upgrade to be pulled in (plain upgrade holds back packages that bring new dependencies), and the new kernel is not running until you reboot; uname -r afterwards should show the new version.  You will be good to go after that.


A nice article over at Arstechnica talking about a project some Carnegie Mellon students have been working on called Perspectives.

It is an SSL and SSH security enhancement which helps prevent Man In The Middle attacks by giving you a 3rd party “perspective” of the site you are visiting.  I know you are asking, what does that mean and how is that my problem?

As this article over at TechDirt describes, the little padlock has been one of the best things for Internet security.  Users, for the most part, recognize and trust it to indicate that the site and the data about the transaction are secure.  A MITM attack is where a cracker intercepts your request to initiate a secure connection and places themselves in the chain.  If done correctly, you, your browser, and the site have no idea that someone is listening in.  If this attack succeeds, the cracker now has access to all of the information that was supposed to be encrypted, which could be credit card numbers and passwords.  For you Linux/Unix users out there, SSH is susceptible to this attack as well: the first-connection host key prompt is exactly where it happens.

The perspectives project, as they describe it, “designed Perspectives to supplement [Trust-on-first-use] applications with spatial and temporal redundancy”.  It works like this…

You visit a site which has a self-signed certificate. (Nobody wants to spend the ridiculous amount of money required to get a 3rd party signed cert.)

Without Perspectives, Firefox will give you a big warning that most users promptly ignore and select to add the exception.

Perspectives places itself in that step instead.  When you receive the public certificate of the site, the plugin goes out and queries the project's notary servers.  The notaries connect to the site themselves from their own vantage points and send back the key they received.  The plugin then compares the two.  If they match, the certificate is accepted as being valid and Firefox doesn’t prompt you with the warning.

There are additional configuration options, such as requiring the notaries to have seen the same key for X number of days before it is accepted.  This guards against an attacker who can intercept all requests to the site, including the notaries', but has only been able to do so recently.

All in all, this is yet another tool in the arsenal to keep our computing safe.  I hope that Mozilla, OpenSSL, and OpenSSH take this project to heart and integrate it into their suites as well as some large companies step up and offer their services as a notary.

You can obtain the Firefox extension here and an OpenSSH client here.


A nice set of Linux How-tos and guides over at linuxscrew.com covering Bash, utils, the file system, iptables, advanced routing topics and hardening.


For those of you that utilize public/private keys for whatever reason, chances are you have a few that are encrypted.  You can tell if they are encrypted if you are prompted for a passphrase when you try to sign/encrypt/use the private key.  It is a good practice to change the passphrase on occasion.  I would personally recommend you do so every time you change your primary password, which is of course every 30-45 days, isn’t it? ;)

To change the passphrase on an encrypted private key using OpenSSL, issue the following command:

openssl rsa -in encrypted.key -aes256 -out encrypted.key.new
encrypted.key = the filename of your current private key; OpenSSL prompts for its existing passphrase.
encrypted.key.new = the same key, now encrypted with the new passphrase you are prompted to enter for the output.
Note: These can be the same file, but it is a good idea to test the new passphrase before you delete/overwrite the old key.

The -aes256 option can be replaced by -des, -des3, -aes128 or -aes192.  I would recommend you stick with the AES options: single DES is trivially brute-forced and 3DES is slow with a 64-bit block, so there is no reason to pick either for a new file.  This command only handles RSA keys in OpenSSL's PEM format; for OpenSSH-format keys use ssh-keygen -p instead.
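To make the “test before you overwrite” advice concrete, here is an added shell example (mine, not from the original post) that performs the rotation into a new file and only reports success once the new file opens with the new passphrase, rejects the old one, and yields the same public key as the original.  Passphrases are read from the OLD_PASS and NEW_PASS environment variables through openssl's env: passphrase source, so they never appear on the command line or in shell history; the demo function generates a throwaway key with constructed passphrases.  It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original post: change the passphrase on an
# encrypted RSA private key by writing a new file and proving it is usable
# before the old one is touched. Requires the openssl CLI.
# OLD_PASS / NEW_PASS are read from the environment (openssl's env: source)
# rather than passed as pass:..., so they do not show up in ps output.

# rotate_key_passphrase IN_KEY OUT_KEY
# Returns 0 only if OUT_KEY was written, opens with NEW_PASS, refuses
# OLD_PASS, and carries the same public key as IN_KEY. A wrong OLD_PASS,
# an unreadable input, or NEW_PASS equal to OLD_PASS all return non-zero.
rotate_key_passphrase() {
    in=$1 out=$2
    [ -n "$OLD_PASS" ] && [ -n "$NEW_PASS" ] || { echo "set OLD_PASS and NEW_PASS" >&2; return 2; }
    # re-encrypt under AES-256 with the new passphrase; umask keeps the new file 0600
    ( umask 077; openssl rsa -in "$in" -passin env:OLD_PASS -aes256 -passout env:NEW_PASS -out "$out" 2>/dev/null ) || return 1
    # 1. the new file must load with the new passphrase and pass the RSA consistency check
    openssl rsa -in "$out" -passin env:NEW_PASS -check -noout >/dev/null 2>&1 || return 1
    # 2. the old passphrase must no longer open it
    if openssl rsa -in "$out" -passin env:OLD_PASS -noout >/dev/null 2>&1; then
        echo "old passphrase still opens $out" >&2
        return 1
    fi
    # 3. same key material: the public keys derived from both files must match
    old_pub=$(openssl rsa -in "$in" -passin env:OLD_PASS -pubout 2>/dev/null)
    new_pub=$(openssl rsa -in "$out" -passin env:NEW_PASS -pubout 2>/dev/null)
    [ -n "$old_pub" ] && [ "$old_pub" = "$new_pub" ]
}

# demo_rotate: generate a throwaway 2048-bit key, encrypt it under a
# constructed OLD_PASS, then rotate it to a constructed NEW_PASS.
# Returns the rotation's exit status so it can be checked by a caller.
demo_rotate() {
    d=$(mktemp -d) || return 1
    OLD_PASS=old-passphrase NEW_PASS=new-passphrase
    export OLD_PASS NEW_PASS
    openssl genrsa -out "$d/plain.pem" 2048 2>/dev/null || return 1
    openssl rsa -in "$d/plain.pem" -aes256 -passout env:OLD_PASS -out "$d/encrypted.key" 2>/dev/null || return 1
    if rotate_key_passphrase "$d/encrypted.key" "$d/encrypted.key.new"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}
```

In practice: export the two variables from a prompt, run rotate_key_passphrase encrypted.key encrypted.key.new, and only then mv the new file over the old one.  The public-key comparison matters because a typo in the input path would otherwise go unnoticed until the key is actually needed.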


After some lively discussion on Macworld’s forums I came up with a few more thoughts on the subject.

It continually amazes me how people will trade control/privacy/freedom for “Security”. As if some other person, organization or company will always have your own best interest in mind. How often do we act in our own best interest, let alone trusting someone else to do so for us?

A couple of quotes I used during my debate were from Ben Franklin and an old proverb.

Ben Franklin:

“Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.”

The proverb goes:

The road to Hell is paved with good intentions.

I feel these two statements illustrate the fundamental issues with Apple giving itself this much control. Never mind the security implications, which I will get to in a moment.

In this particular case, a company, Apple, has decided that it should have the ultimate say on whether an application can be installed on a device they no longer own. To take this to a mild example which may have already happened: the initial release of the App Store included an application called NetShare. This allowed users to tether their computers to their iPhone for Internet access, meaning users could access the Internet over their cell phone data plan. This is against at&t’s TOS and they requested that it be removed from the store. Now, with this kill switch, they could also remove it from the phones that had it installed.

The implication of this is that Apple is acting as a cop for at&t and enforcing their (at&t’s) policies. This opens a lot of questions about liability and privacy in and of itself, but that is another topic. Why does Apple get to decide, or even help in the enforcement of at&t’s policy, on a device they have no authority over any more? They have transferred ownership of the device to the user in exchange for money. Rudimentary property rights.

A more egregious example: what if Joe Developer created an app, started selling it on the App Store and it became immensely popular? Apple, in their insatiable need for $ (after all, they are a publicly traded company with stockholders), decides they want a piece of that pie. So they develop their own version of the application and start selling it. Maybe it is not as successful, or maybe someone decides it is not making enough money for the amount they invested, or maybe Apple just gets greedy and wants the whole pie instead of just a piece. Apple throws the little switch and bam! the application all of those users loved and paid for is gone. Since they still want the functionality, they have to buy it from Apple now. And they really have no choice in the matter, since Apple controls the gates to the App Store.

Do you think this is a little far fetched? Apple already pulled an app called Box Office for no reason. Any chance that little application might end up in some Apple provided application in the near future?

The security implications are much worse than the potential wrongdoing by Apple. The very fact this exists means that someone else can exploit it. What does it take to get something added to that list? What other functionality can that list, or maybe another list, provide? What will happen when some cracker creates an exploit to take advantage of this? Based on my limited understanding of how it functions, it appears it could be a VERY simple task to exploit this hole. If the device does phone home to a URL, then that means the address can be faked with the DNS vulnerability that is out there. If we take Apple’s response to patching their desktop operating system as an example of their timeliness in responding to something critical, then chances are the iPhone hasn’t been patched yet. (I can not find any mention of it.) Never mind the fact they didn’t even patch it correctly. Do a little DNS poisoning, blacklist the application that provides the phone functionality, and no more phone. Or an even better one: depending on how the blacklisting works, set up the blacklist to kill Internet access and the phone. It goes to check for new blacklisting and loses Internet, phone, and whatever else you can kill with it (maybe the docking port?). Now it can’t even go out to get a legitimate blacklist because it has no Internet access. Ouch.

All of that without even exploiting anything but a simple existing DNS issue. What other problems could you cause by having better knowledge of the system? Can it be triggered by a local app instead of the phone home function? Could a web page initiate the blacklisting through malicious code?

The bottom line is, this functionality is bad news. No matter what the intentions were, having the ability to exert this kind of control on a device remotely will always result in someone taking advantage of it.


I was perusing the interweb a few days ago and I stumbled across an interesting statement. (I don’t have the link anymore.) The gist was, you could bridge a VMWare guest NIC to a host adapter that has no IP address. The security implications are what caught my attention. So I started digging a little further and I found it was true, and then I managed to work a little bit of magic to make it happen!

Here is the scenario..

ServerLAN is an Ubuntu Server host running VMWare Server. 2 physical NICs bound to 2 bridged networks. NIC1 is attached to the private LAN, NIC 2 is attached to the DMZ. These networks are isolated by a firewall.

ServerDMZ is an Ubuntu Server guest Virtual Machine. 1 Virtual NIC

The idea is to isolate ServerDMZ from the private network and ServerLAN from the DMZ.

I had all of this working with a public IP on the ServerDMZ virtual NIC, a DMZ private IP on NIC2, and the LAN private IP on NIC1.  The problem with this setup is, my host was accessible from the DMZ.  With proper blocking, namely dropping all traffic to and from that interface, it wasn’t much of a concern.  But the IP was still there.  So I did a little Ubuntu /etc/network/interfaces magic.  Note that this removes the host’s layer-3 presence on the DMZ, not its exposure to layer-2 traffic: the host still sees every frame on that segment through the bridge (VMware bridging puts the NIC in promiscuous mode), so a bug in the host’s bridge or NIC driver would still be reachable from the DMZ.
mapping eth0 eth1
script /etc/network/get-mac-address.sh
map 01:23:45:67:89:01 NIC1
map AB:CD:EF:GH:IJ:KL NIC2
iface lo inet loopback
iface NIC1 inet static
address 192.168.1.2
broadcast 192.168.1.255
netmask 255.255.255.0
network 192.168.1.0
gateway 192.168.1.1
metric 100
iface NIC2 inet manual
up ifconfig $IFACE up
down ifconfig $IFACE down

To break this down..
mapping eth0 eth1
script /etc/network/get-mac-address.sh
map 01:23:45:67:89:01 NIC1
map AB:CD:EF:GH:IJ:KL NIC2

This section is protection against kernel updates causing my NICs to be brought up in a different order. The script get-mac-address.sh basically greps the interface for the MAC and then assigns the label NIC1 or NIC2 depending on the MAC returned, so the static configuration below always lands on the right physical port.
iface lo inet loopback
This brings up the loopback interface.
iface NIC1 inet static
address 192.168.1.2
broadcast 192.168.1.255
netmask 255.255.255.0
network 192.168.1.0
gateway 192.168.1.1
metric 100

This brings up my private network NIC. Does all of the necessary mappings.

Side Note: If you have two NICs with gateways listed, you can supply the metric line to give one priority. Without it, the second default route fails to install (route reports “SIOCADDRT: File exists”) and only whichever interface came up first gets a working default route.
iface NIC2 inet manual
up ifconfig $IFACE up
down ifconfig $IFACE down

This final section is how you bring up the interface without an IP address (on current releases, ip link set $IFACE up does the same job as ifconfig).  It also lets you set promiscuous mode, etc.

Documentation for the interfaces file can be found in /usr/share/doc/ifupdown, and the get-mac-address.sh script is in the examples sub-folder there.
