
Thursday, June 9, 2005

Alarm Beacon for USB

I'm not aware of anything supported under OpenBSD, but this article could be a good start towards such a project:


http://www.linuxjournal.com/article/7353



(Yes, I know the article is about Linux. But the $59 USB beacon they used in the article is platform-agnostic.)

Saturday, February 12, 2005

DNS monitor

Had a little incident today, so I ended up writing this.

Uses 'nslookup' because I actually wanted some of the nslookup side-effects; for example, it's difficult to get 'host' to "show its work" and yet also produce the same output in the same order each time (so the 'diff' will work correctly). Crude, yet effective.

Hopefully it'll just run quietly for years, never kicking off emails from cron, but at least now I won't be blindsided when somebody decides that simply because you can't ping something, it's okay to delete the host from DNS ;)





$ cat $HOME/bin/dns-validate.pl

#! /usr/bin/perl
#
# No authorship, no copyright, no support.
# KK2005
#
use strict;
use warnings;

my $nslookup = "/usr/sbin/nslookup";
my $dir      = $ENV{'HOME'} . "/public_html/dns/";
my $oldfile  = $dir . "status.then";
my $outfile  = $dir . "status.now";

# Name servers to query; every hostname is looked up on each of them.
my @ns = ( "127.0.0.1", "207.227.240.1" );

die "Missing nslookup $nslookup $!" unless (-x $nslookup);

chdir($dir) or die $!;
# Keep the previous run's snapshot so it can be diffed at the end.
rename($outfile, $oldfile);

# Check out (and lock) the RCS-controlled snapshot, then overwrite it.
system("co -q -l $outfile");
open(OUT, ">$outfile") or die $!;

# Hostnames come from the __DATA__ section at the bottom of this file.
while (<DATA>) {
    next if (m/^#/);
    chomp;
    next unless length;   # skip blank lines
    print OUT "#" x 64, "\n";
    print OUT "#\n# $_\n#\n\n";

    foreach my $server (sort(@ns)) {
        print OUT "\n # Server $server\n";
        print OUT `$nslookup $_ $server`;
        print OUT "\n";
    }
    print OUT "### End $_ ###\n";
}
print OUT "\n###\n# End nslookup\n#\n";

print OUT "\n# Contents of /etc/resolv.conf\n", `cat /etc/resolv.conf`, "\n";
print OUT "###EOF###\n";

close(OUT);
chmod(0644, $outfile);

# Check the new snapshot in, then show what changed since the last run.
# Any diff output is what cron mails out.
system("ci", "-u", "-q", "-m$0", $outfile);
system("diff", "-w", "-c", "-T", $oldfile, $outfile);
# $? is the wait status; diff's own exit code (1 = differences) is in the high byte.
exit($? >> 8);

__DATA__
#
#
# Enter your hostnames here, one per line.
# Comment lines must have a '#' as the very first character
#
# Example entries below, I recommend removing these.
#
127.0.0.1
example.com
###EOF###

Thursday, December 26, 2002

Sudo advocacy

Some additional comments on the subject of "sudo" (http://www.courtesan.com/sudo/).

Sudo (Super User Do) is a popular solution for Unix access control, permitting regular users to run certain commands as root or as a role account, without the risks of shared passwords, and without the need for users to memorize yet another password. On many of my personal Unix systems, "sudo" is the only file with "setuid root" permission!

Has there been any consideration of the option to use the advanced (http://www.courtesan.com/sudo/intro.html) features of the "sudo" package? For example, maintaining a single global "sudoers" file on a (secure) central management host, "pushing" copies of this single standard configuration file to all managed Unix servers?

Use of a single global, centrally-managed "sudoers" file offers numerous advantages:
  • Simplifies changes that affect many servers, including adding and removing access to commands and user access (allowing for near instantaneous hire/fire access updates).
  • Grouping of users, of hosts, and of commands allows discrete access control from a single global file.
  • This type of centrally-controlled "sudo" deployment on Solaris is used at many large corporations, including Lockheed Martin.
  • Without the need for users (or even most administrators) to know the root password, this password can be stored more securely, and "root" can be a restricted "role" account under Solaris 8 RBAC.
  • One single file to audit for access control of root and role account commands for all hosts.
  • Automatic generation and reporting of command audit trails, locally and/or to a central log host.

I am aware of a few drawbacks, including the reasons Data Security uses this approach for other configuration files, but not for "sudoers":
  • Compromise of any host which uses the global "sudoers" file exposes sensitive information about the purpose, users, and access controls on other hosts using the same "sudoers" configuration.
  • Compromise of the central management host may make it easier to compromise the client hosts.
  • Effective security requires recompiling "sudo" to use SecurID authentication instead of passwords.

Automatic updating of the "sudoers" file on large numbers of remote hosts can be accomplished in a number of ways. Through the use of "ssh" and "rsync", changes to the global configuration can be distributed, via either "push" or "pull" scripting, quickly and efficiently.
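As an added example (not from the original post), here is a constructed global "sudoers" file of the kind described above, with hypothetical host, user and command names; it shows how one file gives each group of users only its own commands on its own hosts, and how the audit trail is switched on:

```sudoers
## Single global sudoers, pushed unchanged to every managed host.
## Constructed example; every host, user and command below is made up.

# Audit trail: every invocation to local syslog (forwarded from there to
# the central log host) plus a local file; bad passwords are mailed.
Defaults    syslog=auth, log_year, logfile="/var/log/sudo.log"
Defaults    mailto="security@example.com", mail_badpass

# Hosts: the same file carries the rules for every group of servers,
# so (as the post notes) every host also sees every other host's rules.
Host_Alias  WEBSRV  = web1, web2, web3
Host_Alias  DBSRV   = db1, db2

# Users: adding or removing a name here is the hire/fire change.
User_Alias  WEBOPS  = alice, bob
User_Alias  DBAS    = carol
User_Alias  SECOPS  = kevin

# Commands: explicit full paths; no shells, editors or wildcards.
Cmnd_Alias  WEBCTL  = /usr/sbin/apachectl, /usr/bin/tail /var/log/httpd/error_log
Cmnd_Alias  SVCCTL  = /etc/init.d/oracle start, /etc/init.d/oracle stop

# Role account that replaces a shared password.
Runas_Alias ORACLE  = oracle

# Rules: root or role-account commands only on the group's own hosts.
WEBOPS  WEBSRV = WEBCTL
DBAS    DBSRV  = (ORACLE) SVCCTL
SECOPS  ALL    = ALL

# Caveat: an exclusion such as "ALL, !/bin/su" is not a real restriction
# (the binary can be copied under another name); grant explicit commands
# instead of subtracting from ALL.
```

Check the file with "visudo -c -f" on the management host before pushing it, so a syntax error never reaches the client hosts.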

Thursday, September 19, 2002

The state of Email encryption: GnuPG, PGP and PGP.Com

Recently, there have been some questions about the status of email encryption, both within the Company, and for communication with external users. Currently, the Company has no policy or standards regarding encryption and encrypted email. We do support production processes using encrypted files. Specifically, PGP is used to exchange sensitive information with outside vendors for XXX and certain financial applications.

There are many other useful business tasks facilitated by Public-key cryptography. More information on this technology is available on our intranet server.


IT Audit and the Network and Data Security groups have been using PGP-Freeware with positive results. As explained below, use of PGP-Freeware for business communications is no longer permissible, under PGP.Com's interpretation of the license for that product.


PGP and GnuPG public key queries and key-registration using Internet keyservers will work for HTTP keyservers (after configuration of the client proxy settings); however, registration and queries will not work using the LDAP protocol to servers on the Internet. Our team no longer operates an intranet keyserver, due to a drive failure on our development machine.


There are plug-ins for PGP and GnuPG for Outlook and Outlook Express, along with many other email clients. Microsoft has no plans to directly support PGP in Outlook, Exchange or Active Directory; instead, Microsoft provides integrated support for S/MIME, using the X.509 certificate format. Here is a (somewhat dated) comparison between the various protocols:

http://www.imc.org/smime-pgpmime.html


In general, S/MIME is easier to deploy in a Microsoft-centric (Exchange and AD) environment, for purely internal communications, yet PGP/MIME (and now OpenPGP) is the de-facto standard on the Internet.


The commercial PGP division was recently sold by Network Associates. There is a new "PGP.Com" site, with information on products and pricing:
http://www.pgp.com/faq.php

Will You Continue to Support Freeware Products?
Yes. PGP will continue the tradition of freeware products for non-commercial use. The next release of PGP freeware will be in November 2002 for PGP 8.0 for Windows and MacOS X. Customers using freeware products for commercial use - using PGP freeware to communicate with licensed business users - must immediately cease usage and purchase a commercial PGP license. Products can be purchased at https://store.pgp.com/.

Company employees using the "PGP Freeware" unlicensed application must immediately cease usage.

Promotional pricing for the commercial PGP product is available through October 31st. The promotional price for "Corporate Desktop" is $70, "PGP Mail" is $45. Prices are per-seat for any quantity; these prices will increase significantly on November 1st, 2002.
http://www.pgp.com/promo.php


An alternative to purchasing commercial PGP is to deploy GnuPG, the GNU-licensed freeware implementation:

  • http://www.gnupg.org/
  • http://www3.gdata.de/gpg/

Tuesday, September 17, 2002

SecurityFocus Article on EAS

Gotta love the FCC.

"Insecurity Plagues Emergency Alert System"
http://online.securityfocus.com/news/613

"Though it's not known to have ever been exploited,
the spoofing risk is one of the factors quietly
driving calls to reform the EAS"

Monday, September 9, 2002

Wireless Network auditing tool

The "netstumbler" (Wireless network discovery for Orinoco) executable is attached, or can be downloaded from http://www.stumbler.net/


I have a small GPS receiver (no display, uses serial port with power from PS/2 keyboard port), if we want to do mapping around the perimeter of the main plant.

A few months ago, I drove around the public roads (outside the Company property line) and found many distinct wireless networks, mostly from apartments nearby; however, two appeared to be part of the main plant deployment (need to check MACs to be sure).

Saturday, August 24, 2002

policy on generic accounts?

We are in the final process of reviewing an update to the policy addressing exactly these concerns -- "generic" shared "role" accounts, service accounts, and automated processes. I have authored an amendment based on feedback from the network managers, IS Audit, and our CSO.


Our manager has received the policy for review.


The long-term solution is the implementation of mechanisms (such as single-sign on, "sudo" on Unix, and group permissions) to remove the necessity to share passwords. We realize that many of these approaches are not feasible in the current budget environment, and the password policy reflects this.


Regarding "role" accounts shared by multiple users, one of the most important requirements in the updated policy is that these passwords be changed every time an employee or contractor who had access to the password leaves (including external contractors after end of contract or when they leave employment with the contract firm, whichever comes first).


Would this "termination clause" in the new policy (over and above the standard change interval) pose an issue for your applications?


Kevin

Wednesday, June 19, 2002

IT Sec Spending Ratios

Little luck so far finding a ratio. Well, there is a Gartner report that they want $5K for that might have that figure...

http://www3.gartner.com/1_researchanalysis/focus/security2002.html

And I found these:

  • http://www.computerworld.com/securitytopics/security/story/0,10801,62002,00.html
  • http://www.landfield.com/isn/mail-archive/2001/Jun/0051.html


This is interesting:

Only 0.4% of a company’s revenue, on average, is dedicated to information security in the U.S. By 2011, however, that figure will accelerate tenfold to 4% of revenue for U.S. companies, according to Gartner Inc.’s total cost of ownership model for information security.

Monday, June 10, 2002

AT&T Managed Instant Messenger

The AT&T MIM offering appears to be a managed Jabber server, hosted on an AT&T server in their Internet facility, using an AT&T branded version of the commercial JIM client.

The AT&T pricing appears reasonable (compared to the software license quotes we have from Jabber). The AT&T offering appears to be for a "virtual server", where different customers share not only the same hardware, but also the same Jabber server instance. This presents security and performance issues.

Many of the key benefits of corporate IM are derived from hosting the messaging server(s) in-house (LDAP integration, security, reliability, etc). Outsourced IM service hosted on the Internet negates many of these benefits.

Monday, June 3, 2002

Adtran "sbox" vs Check Point SMB

We have not received the Adtran unit for evaluation. This week I am finishing evaluation of PIX, Nortel, and two AT&T products (one of which we have proven to have serious security exposures), and we need to make our decision very soon.

We have serious qualms about the security of any Check Point product, but we realize that a SOHO box is not going to provide "perfect" security. It appears that the Safe@Office is the minimum configuration for our purposes.

Monday, April 29, 2002

BBC: "Employees seen as computer saboteurs"

Ignoring the funny spelling, they have some good points.
Feel free to forward as you see fit.

"Employees seen as computer saboteurs"
  • http://news.bbc.co.uk/hi/english/sci/tech/newsid_1946000/1946368.stm
  • http://slashdot.org/article.pl?sid=02/04/29/1231200&mode=thread&tid=172

Workers unfamiliar with computers or who blithely open files attached to e-mail could kick off virus outbreaks or inadvertently aid hackers trying to get access to an organisation's internal network.
Customer service staff at call centres can also cause security headaches for companies if they are not trained to spot or deal with people who call and try to extract information about passwords and customer accounts.

Wednesday, January 23, 2002

SNK-004 Calculator?

Have you made any progress on the SNK calculator for Palm that you mention on your web site?

http://www.cs.vu.nl/~leendert/pilot.html

I'm very interested in this project. There are some serious known issues with the X9.9 standard, so I'm hoping to find a framework into which I can plug a more secure challenge (alphanumeric) and crypto mechanism.

http://www.freeradius.org/radiusd/doc/rlm_x99_token

Monday, January 21, 2002

Congrats on the Interview, and Chicago's view of Bernie

Congrats to Neil on the Newspaper interview.

FYI, we know all the network security people in the Chicago area, and we have never before heard of Bernie. He was never anybody of note in the Chicago scene, and after this, he never will be.

Friday, January 11, 2002

Solaris login exploit seen in the wild

A little birdie just told me that the Solaris/Sparc exploit for the buffer overflow in /bin/login is 'in the wild'. I have also received a binary executable of the exploit.

Available now to 'black hats' is a remote exploit overflowing the TTYPROMPT variable. A local exploit should also be expected, allowing anybody who can execute code on an unpatched Solaris host to become superuser.

Any internet-accessible Solaris host with port 23 open that has not already been patched should be assumed to have been compromised. Internal hosts are also at risk if not patched.

All of the outsourced hosts with which I am familiar (the ones we audited back in '99) either block telnet entirely, or reject telnet login attempts from arbitrary internet addresses via 'tcp wrappers'. This 'protection' is not an excuse not to apply the Sun patch.