OpenBSD works amazingly well on "our" new SunFire V100 hardware.
With my pre-existing netboot buildout, doing a network installation on the SunFire was quick and easy -- faster than the Solaris network installation, if not quite as self-completing as my "fire and forget" firewall build boot :)
There are a number of security enhancements inherent in OpenBSD by which we can justify this admittedly unusual choice of operating system for DNS and other specialized applications where security is more important than "normalization"
Kevin
(P.S. FreeBSD 5.0 for Sparc64 supports most of the same modern Solaris systems as OpenBSD (Oddly, no Ultra-2 SCSI support, but FreeBSD does work on E220/E250) and offers SMP support for systems that have multiple CPUs)
Friday, December 27, 2002
Thursday, December 26, 2002
Sudo advocacy
Some additional comments on the subject of "sudo" (http://www.courtesan.com/sudo/).
Sudo (Super User Do) is a popular solution for Unix access control, permitting regular users to run certain commands as root or as a role account, without the risks of shared passwords, and without the need for users to memorize yet another password. On many of my personal Unix systems, "sudo" is the only file with "setuid root" permission!
Has there been any consideration of the option to use the advanced (http://www.courtesan.com/sudo/intro.html) features of the "sudo" package? For example, maintaining a single global "sudoers" file on a (secure) central management host, "pushing" copies of this single standard configuration file to all managed Unix servers?
Use of a single global, centrally-managed "sudoers" file offers numerous advantages:
I am aware of a few drawbacks, including the reasons Data Security uses this approach for other configuration files, but not for "sudoers":
Compromise of any host which uses the global "sudoers" file exposes sensitive information about the purpose, users, and access controls on other hosts using the same "sudoers" configuration.
Compromise of the central management host may make it easier to compromise the client hosts.
Effective security requires recompiling "sudo" to use SecurID authentication instead of passwords.
Automatic updating of the "sudoers" file on large numbers of remote hosts can be accomplished in a number of ways. Through the use of "ssh" and "rsync", changes to the global configuration can be distributed, via either "push" or "pull" scripting, quickly and efficiently.
Sudo (Super User Do) is a popular solution for Unix access control, permitting regular users to run certain commands as root or as a role account, without the risks of shared passwords, and without the need for users to memorize yet another password. On many of my personal Unix systems, "sudo" is the only file with "setuid root" permission!
Has there been any consideration of the option to use the advanced (http://www.courtesan.com/sudo/intro.html) features of the "sudo" package? For example, maintaining a single global "sudoers" file on a (secure) central management host, "pushing" copies of this single standard configuration file to all managed Unix servers?
Use of a single global, centrally-managed "sudoers" file offers numerous advantages:
- Simplifies changes that affect many servers, including adding and removing access to commands and user access (allowing for near instantaneous hire/fire access updates).
- Grouping of users, of hosts, and of commands allows discrete access control from a single global file.
- This type of centrally-controlled "sudo" deployment on Solaris is used at many large corporations, including Lockheed Martin.
- Without the need for users (or even most administrators) to know the root password, this password can be stored more securely, and "root" can be a restricted "role" account under Solaris 8 RBAC.
- One single file to audit for access control of root and role account commands for all hosts.
- Automatic generation and reporting of command audit trails, locally and/or to a central log host.
I am aware of a few drawbacks, including the reasons Data Security uses this approach for other configuration files, but not for "sudoers":
Compromise of any host which uses the global "sudoers" file exposes sensitive information about the purpose, users, and access controls on other hosts using the same "sudoers" configuration.
Compromise of the central management host may make it easier to compromise the client hosts.
Effective security requires recompiling "sudo" to use SecurID authentication instead of passwords.
Automatic updating of the "sudoers" file on large numbers of remote hosts can be accomplished in a number of ways. Through the use of "ssh" and "rsync", changes to the global configuration can be distributed, via either "push" or "pull" scripting, quickly and efficiently.
Tuesday, November 5, 2002
Unpublished Solaris RPC exploit against 'rpcbind' in the wild?
There are a growing number of (unofficial, but reliable) reports
from various sources of new, unpublished exploits targeting RPC
services on Solaris, including Solaris 2.6, 8, and Solaris 9,
both Intel and Sparc.
from various sources of new, unpublished exploits targeting RPC
services on Solaris, including Solaris 2.6, 8, and Solaris 9,
both Intel and Sparc.
This is unconnected with the recent publically announced SGI/IRIX
vulnerabilities, also related to 'rpcbind' (aka 'portmapper').
The most reliable reports are of penetration and defacement against
Internet servers running Solaris 8, with all current official
Sun patches applied. There is also the possibility of the upcoming
release of "blended-threat" worms, for example, a worm with a payload
containing both an (unrelated) MS-RPC exploit for Win32/Intel and a
Solaris/Sparc exploit against rpcbind.
Any Solaris system running 'rpcbind', regardless of what services,
if any, are registered with RPC, should be considered vulnerable.
There is no official patch from Sun, this vulnerability has not been
confirmed by Sun Microsystems nor by CERT. Prior vulnerabilities of
this nature have been exploited in the wild for several months before
being officially addressed by the Sun Security Coordination Team.
On many systems, it may be possible to disable the RPC service
if no NFS or other applications/protocols which rely on RPC are in use.
If it is not possible to entirely disable the RPC service, you may wish
to consider implementing one of several mechanisms to protect the RPC
services from remote access.
We are not able to provide details or recommendations for protecting
RPC at this time. There are third-party 'rpcbind' implementations
which support TCPwrappers, however we have not done any recent testing
with this class of software.
Any system exposed on the Internet with 'rpcbind' running and
TCP port 111 accessible should be considered to be compromised.
Thursday, September 19, 2002
The state of Email encryption: GnuPG, PGP and PGP.Com
Recently, there have been some question about the status of email encryption, both within the Company, and for communication with external users. Currently, the Company has no policy or standards regarding encryption and encrypted email. We do support production processes using encrypted files. Specifically, PGP is used to exchange sensitive information with outside vendors for XXX and certain financial applications.
Company employees using the "PGP Freeware" unlicensed application must immediately cease usage.
Promotional pricing for the commercial PGP product is available through October 31st. The promotional price for "Corporate Desktop" is $70, "PGP Mail" is $45. Prices are per-seat for any quantity, these prices will increase significantly on November 1st, 2002.
http://www.pgp.com/promo.php
There are many other useful business tasks facilitated by Public-key cryptography. More information on this technology is available on our intranet server.
IT Audit and the Network and Data Security groups have been using PGP-Freeware with positive results. As explained below, use of PGP-Freeware for business communications is no longer permissible, under PGP.Com's interpretation of the license for that product.
PGP and GnuPG public key queries and key-registration using Internet keyservers will work for HTTP keyservers (after configuration of the client proxy settings, however, registration and queries will not work using LDAP protocol to servers on the Internet. Our team no longer operates an Intranet keyserver, due to a drive failure on our development machine
There are plug-ins for PGP and GnuPG for Outlook and Outlook Express, along with many other email clients. Microsoft has no plans to directly support PGP in Outlook, Exchange or Active Directory, instead, Microsoft provides integrated support for S/MIME, using the X.509 certificate format. Here is a (somewhat dated) comparison between the various protocols:
http://www.imc.org/smime-pgpmime.html
In general, S/MIME is easier to deploy in a Microsoft-centric (Exchange and AD) environment, for purely internal communications, yet PGP/MIME (and now OpenPGP) is the de-facto standard on the Internet.
The commercial PGP division was recently sold by Network Associates. There is a new "PGP.Com" site, with information on products and pricing:
http://www.pgp.com/faq.php
Will You Continue to Support Freeware Products?
Yes. PGP will continue the tradition of freeware products for non-commercial use. The next release of PGP freeware will be in November 2002 for PGP 8.0 for Windows and MacOS X. Customers using freeware products for commercial use - using PGP freeware to communicate with licensed business users - must immediately cease usage and purchase a commercial PGP license. Products can be purchased at https://store.pgp.com/.
Company employees using the "PGP Freeware" unlicensed application must immediately cease usage.
Promotional pricing for the commercial PGP product is available through October 31st. The promotional price for "Corporate Desktop" is $70, "PGP Mail" is $45. Prices are per-seat for any quantity, these prices will increase significantly on November 1st, 2002.
http://www.pgp.com/promo.php
An alternative to purchasing commercial PGP is to deploy GnuPG, the GNU-licensed freeware implementation:
- http://www.gnupg.org/
- http://www3.gdata.de/gpg/
Tuesday, September 17, 2002
SecurityFocus Article on EAS
Gotta love the FCC.
"Insecurity Plagues Emergency Alert System"
http://online.securityfocus.com/news/613
"Though it's not known to have ever been exploited,
the spoofing risk is one of the factors quietly
driving calls to reform the EAS"
Network World: "Spam filters revealing their darker side"
Last week's "Network World" has an interesting article (excerpts below) on the perils of keyword filters.
In our spam-filtering evaluation, we are taking the majority of the steps (and implementing all of the precautions) noted in the sidebar, with the exception of using IP-based "blacklists" to reject or otherwise limit incoming messages, based on the source IP address. I have tried using lists of "known spam sources" from free or commercial "RBL" services, but have not found any such blacklists that find the right balance between effectiveness and excessive false-positives.
"Spam filters revealing their darker side"
http://www.nwfusion.com/news/2002/0909spam.html
In our spam-filtering evaluation, we are taking the majority of the steps (and implementing all of the precautions) noted in the sidebar, with the exception of using IP-based "blacklists" to reject or otherwise limit incoming messages, based on the source IP address. I have tried using lists of "known spam sources" from free or commercial "RBL" services, but have not found any such blacklists that find the right balance between effectiveness and excessive false-positives.
"Spam filters revealing their darker side"
http://www.nwfusion.com/news/2002/0909spam.html
Monday, September 9, 2002
Wireless Network auditing tool
The "netstumbler" (Wireless network discovery for Orinoco) executable is attached, or can be downloaded from http://www.stumbler.net/
I have a small GPS receiver (no display, uses serial port with power from PS/2 keyboard port), if we want to do mapping around the perimeter of the main plant
A few months ago, I drove around the public roads (outside the Company property line) and found many distinct wireless networks, mostly from apartments nearby, however two appeared to be part of the main plant deployment (need to check MACs to be sure).
I have a small GPS receiver (no display, uses serial port with power from PS/2 keyboard port), if we want to do mapping around the perimeter of the main plant
A few months ago, I drove around the public roads (outside the Company property line) and found many distinct wireless networks, mostly from apartments nearby, however two appeared to be part of the main plant deployment (need to check MACs to be sure).
Saturday, August 24, 2002
policy on generic accounts?
We are in the final process of reviewing an update to the policy addressing exactly these concerns -- "generic" shared "role" accounts, service accounts, and automated processes. I have authored an amendment based on feedback from the network managers, IS Audit, and our CSO.
Our manager has received the policy for review.
The long-term solution is the implementation of mechanisms (such as single-sign on, "sudo" on Unix, and group permissions) to remove the necessity to share passwords. We realize that many of these approaches are not feasible in the current budget environment, and the password policy reflects this.
Regarding "role" accounts shared by multiple users, one of the most important requirements in the updated policy is that these passwords be changed every time an employee or contractor who had access to the password leaves (including external contractors after end of contract or when they leave employment with the contract firm, whichever comes first).
Would this "termination clause" in the new policy (over and above the standard change interval) pose an issue for your applications?
Kevin
Wednesday, June 19, 2002
IT Sec Spending Ratios
Little luck so far finding a ratio. Well, there is a Gartner report that they want $5K for that might have that figure...
http://www3.gartner.com/1_researchanalysis/focus/security2002.html
And I found these:
- http://www.computerworld.com/securitytopics/security/story/0,10801,62002,00.html
- http://www.landfield.com/isn/mail-archive/2001/Jun/0051.html
This is interesting:
Only 0.4% of a company’s revenue, on average, is dedicated to information security in the U.S. By 2011, however, that figure will accelerate tenfold to 4% of revenue for U.S. companies, according to Gartner Inc.’s total cost of ownership model for information security.
Monday, June 10, 2002
AT&T Managed Instant Messenger
The AT&T MIM offering appears to be a managed Jabber server, hosted on an AT&T server in their Internet facility, using an AT&T branded version of the commercial JIM client.
The AT&T pricing appears reasonable (compared to the software license quotes we have from Jabber). The AT&T offering appears to be for a "virtual server", where different customers share not only the same hardware, but also the same Jabber server instance. This presents security and performance issues.
Many of the key benefits of corporate IM are derived from hosting the messaging server(s) in-house (LDAP integration, security, reliability, etc). Outsourced IM service hosted on the Internet negates many of these benefits.
The AT&T pricing appears reasonable (compared to the software license quotes we have from Jabber). The AT&T offering appears to be for a "virtual server", where different customers share not only the same hardware, but also the same Jabber server instance. This presents security and performance issues.
Many of the key benefits of corporate IM are derived from hosting the messaging server(s) in-house (LDAP integration, security, reliability, etc). Outsourced IM service hosted on the Internet negates many of these benefits.
Monday, June 3, 2002
Adtran "sbox" vs Check Point SMB
We have not received the Adtran unit for evaluation. This week I am finishing evaluation of PIX, Nortel, and two AT&T products (one of which we have proven to have serious security exposures), and we need to make our decision very soon.
We have serious qualms about the security of any Check Point product, but we realize that a SOHO box is not going to provide "perfect" security. It appears that the Safe@Office is the minimum configuration for our purposes.
We have serious qualms about the security of any Check Point product, but we realize that a SOHO box is not going to provide "perfect" security. It appears that the Safe@Office is the minimum configuration for our purposes.
Thursday, May 30, 2002
Help -- Problems with new TrackerPod
I just received my TrackerPod+Camera last week, and have a problem with the TrackerPod ceasing function intermittantly. The QuickCam Pro 3000 works great. (Odd that the standard Logitech base/stand was not included?)
I followed the directions to install the TrackerCam 3.01 software from CD and all the drivers to a Windows 2000 machine, start up the software, and it works, for about two minutes. Then the TrackerPod stops Tracking or moving at all, and every click on the movement buttons brings up a new IE window showing the flash demo -- VERY annoying, pops up several windows at once!
So I exit and re-run TrackerCam, and this time it reports an error at startup,a popup stating "TrackerPod not found!".
Reboot, and the cycle repeats, everything works for the first two minutes, then the 'pod stops functioning but the camera keeps going fine. Reboot again, and the pod doesn't work at all this time. Or sometimes it will work for a second (move slightly) then stop.
This is on a Toshiba Tecra laptop with two built-in USB ports, the TrackerPod and camera are the only devices connected to the two ports, using the supplied cable for the TrackerPod. When the 'pod stops working, both the built-in info page in the TrackerCam software and the system settings page show the second USB port as unused, nothing connected, 500ma used by the camera and 500ma available for additional USB hardware.
Lastly, I tried using a powered hub, thinking that the TrackerPod was drawing more than the rated 500ma. This works just a bit better, with the Trackerpod being able to pan/tilt a few degrees, then stop. But it does not resolve the problem.
Monday, May 20, 2002
Strange video noise with "Quickcam Pro USB" and TrackerCam 3.01?
We have a QuickCam Pro (older model), attached to an IBM Netfinity server
with built-in S3 video card.
with built-in S3 video card.
The camera works in all modes including 640x480, with the software from
Logitech, and with third-party software from other vendors, with no "noise".
Under TrackerCam 3.0 or 3.01, the display always has "noise". The noise does
not appear in saved frames, only on the display.
If set to size "2" (176x144), there is a small white horizontal stripe on
right side of one of the first scan lines. At size 3 and above, there is
continuous video noise throughout the displayed image, primarily seen as two
fast-moving vertical stripes of video "noise", in the center and far-right
side of the displayed video window.
The PC is an IBM Netfinity with only the on-board S3 (Trio3D) video card.
Is this "noise" an expected effect of using the on-board video card in this
PC?
Thursday, May 16, 2002
Network Monitoring Tools
Realtime monitoring is a particularly difficult application to implement, many monitoring products themselves can have a detrimental effect on the systems being monitored. This is one reason that WAN monitoring instrumentation needs to be implemented by our team, to avoid disruption to the WAN/routers.
Our team currently uses a combination of HP Openview, VitalNet, and other software for our network "health" information and alerting. In other enterprises (Ameritech) I have previously used Concord (http://www.concord.com/) products to the same effect. All of these solutions provide useful statistics (but not mapping) and are limited their ability to detect and deal with dependencies.
There are applications which provide a map display such as Don envisions, some in real-time, these are generally among the more expensive products. I have been working on a limited open-source application (http://sourceforge.net/projects/netmap/) providing some of this functionality, and the graphing and display issues involved are just the tip of the iceberg.
There are several map-capable products that could be considered, I've heard good things about these three:
- http://www.ipswitch.com/Products/WhatsUp/monitoring.html
- http://www.lanware.net/NetworkManagment.asp
- http://www.intermapper.com/
The most recent NWFusion buyers guide for Network Monitoring I can find (http://www.nwfusion.com/bg/netmon/netmon.jsp) was published in 1999, and is sorely out of date. They still list NetMetrix and other non-existent products, and there are probably many new products in this arena which are not included. Perhaps there are other, better, resources for locating vendors?
Monday, April 29, 2002
BBC: "Employees seen as computer saboteurs"
Ignoring the funny spelling, they have some good points.
Feel free to forward as you see fit.
"Employees seen as computer saboteurs"
Feel free to forward as you see fit.
"Employees seen as computer saboteurs"
- http://news.bbc.co.uk/hi/english/sci/tech/newsid_1946000/1946368.stm
- http://slashdot.org/article.pl?sid=02/04/29/1231200&mode=thread&tid=172
Workers unfamiliar with computers or who blithely open files attached to e-mail could kick off virus outbreaks or inadvertently aid hackers trying to get access to an organisations internal network.
Customer service staff at call centres can also cause security headaches for companies if they are not trained to spot or deal with people who call and try to extract information about passwords and customer accounts
Wednesday, March 13, 2002
Traffic analysis with 'cflow' (NetFlow)
We would loke to look at Cisco's 'NetFlow' for collecting 'peak load traffic statistics from Cisco equipment. With appropriate software to generate 'executive reports' the information collected by enabling flow collection on core and edge WAN/LAN could prove valuable for collecting SLAs and for demonstrating actual utilization to support our budget allocations.
Enabling Netflow requires a substantial amount of RAM, and increases CPU utilization somewhat. Collection should not generate excessive traffic (flow data is sent as UDP packets). These assumptions need to be tested, we will have a test Cisco router for the SLB testing, I'd like to enable NetFlow on that test router initially.
It'd be great if we could get an eval of a vendor's "realtime status display" software.
Cisco Docs:
Commercial Products:
Software analysis tools:
Enabling Netflow requires a substantial amount of RAM, and increases CPU utilization somewhat. Collection should not generate excessive traffic (flow data is sent as UDP packets). These assumptions need to be tested, we will have a test Cisco router for the SLB testing, I'd like to enable NetFlow on that test router initially.
It'd be great if we could get an eval of a vendor's "realtime status display" software.
Cisco Docs:
- http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/netflsol/nfwhite.htm
- http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/netflsol/nfenterp.htm
Commercial Products:
- http://www.inmon.com/trafficserver.htm
- http://www.netscout.com/
Software analysis tools:
- http://www.caida.org/tools/measurement/cflowd/
- http://rr.sans.org/software/netflow.php
- ftp://ftp.net.ohio-state.edu/users/maf/cisco/
- http://net.doit.wisc.edu/~plonka/FlowScan/
Wednesday, January 23, 2002
SNK-004 Calculator?
Have you made any progess on the SNK calculator for Palm that you mention on your web site?
http://www.cs.vu.nl/~leendert/pilot.html
I'm very interested in this project. There are some serious known issues with the X9.9 standard, so I'm hoping to find a framework into which I can plug a more secure challenge (alphanumeric) and crypto mechanism.
http://www.freeradius.org/radiusd/doc/rlm_x99_token
http://www.cs.vu.nl/~leendert/pilot.html
I'm very interested in this project. There are some serious known issues with the X9.9 standard, so I'm hoping to find a framework into which I can plug a more secure challenge (alphanumeric) and crypto mechanism.
http://www.freeradius.org/radiusd/doc/rlm_x99_token
Monday, January 21, 2002
Congrats on the Interview, and Chicago's view of Bernie
Congrats to Neil on the Newspaper interview.
FYI, we know all the network security people in the Chicago area, and we have never before heard of Bernie. He was never anybody of note in the Chicago scene, and after this, he never will be.
FYI, we know all the network security people in the Chicago area, and we have never before heard of Bernie. He was never anybody of note in the Chicago scene, and after this, he never will be.
Friday, January 11, 2002
Solaris login exploit seen in the wild
A little birdie just told me that the Solaris/Sparc exploit for the buffer overflow in /bin/login is 'in the wild'. I have also received a binary executable of the exploit.
Available now to 'black hats' is a remote exploit overflowing the TTYPROMPT variable. A local exploit should also be expected, allowing anybody who can execute code on an unpatched solaris host to become superuser.
Any internet-accessible Solaris host with port 23 open that has not already been patched should be assumed to have been compromised. Internal hosts are also at risk if not patched.
All of the outsourced hosts with which I am familiar (the ones we audited back in '99) either block telnet entirely, or reject telnet login attempts from arbitrary internet addresses via 'tcp wrappers'. This 'protection' is not an excuse not to apply the Sun patch.
Available now to 'black hats' is a remote exploit overflowing the TTYPROMPT variable. A local exploit should also be expected, allowing anybody who can execute code on an unpatched solaris host to become superuser.
Any internet-accessible Solaris host with port 23 open that has not already been patched should be assumed to have been compromised. Internal hosts are also at risk if not patched.
All of the outsourced hosts with which I am familiar (the ones we audited back in '99) either block telnet entirely, or reject telnet login attempts from arbitrary internet addresses via 'tcp wrappers'. This 'protection' is not an excuse not to apply the Sun patch.
Chicago Tribune Editorial on Spam and UCE
I found Don Wycliff's editorial this Thursday very interesting in view of our recent high-level discussions on unsolicited mail, in particular, HTML messages which automatically download and display pornographic images:
http://www.chicagotribune.com/news/columnists/chi-0201100043jan10.column
Don hits the nail on the head, stating "Newspapers, which must be as open to the public as possible, ought be loath to close themselves off in any way that can be avoided."
He also mentions the two-year-old Illinois anti-spam law. The act provides both legal remedies if the company suffers "actual damages" (I'd like to see the legal definition of this term), and also protection from liability for "action taken in good faith" to stop spam. The full text of the law (and lots of other good anti-spam info) can be found at this location:
http://law.spamcon.org/us-laws/states/il/ema-91-0244.shtml
http://www.chicagotribune.com/news/columnists/chi-0201100043jan10.column
Don hits the nail on the head, stating "Newspapers, which must be as open to the public as possible, ought be loath to close themselves off in any way that can be avoided."
He also mentions the two-year-old Illinois anti-spam law. The act provides both legal remedies if the company suffers "actual damages" (I'd like to see the legal definition of this term), and also protection from liability for "action taken in good faith" to stop spam. The full text of the law (and lots of other good anti-spam info) can be found at this location:
http://law.spamcon.org/us-laws/states/il/ema-91-0244.shtml
Subscribe to:
Posts (Atom)
