
May 29, 2008

When Poor Deprovisioning Practices Attack

“When an employee leaves your company, do you make sure you shut down his or her user accounts at once? And do you check to confirm this has been done?

“If not, you’re evidently not alone, according to a new study conducted by eMediaUSA for Symark International that found that too often, the accounts of ex-employees, contractors and suppliers are often left open and accessible after they leave.

“Orphaned accounts are a ‘huge, huge issue, because you’re facing security breaches, compliance breaches [and] identity fraud, and it can lead to both internal and external data breaches,’ Sally Hudson, research director at IDC, told InternetNews.com.”

Because I have a perverse need to put my own prosaic little spin on articles written for IT managers, I’d point out that this problem cuts both ways. Yes … companies are exposed to security liabilities, but people leaving organizations with crappy deprovisioning practices can suffer, too.

For instance: My wife began getting e-mail to a university account meant for the last person who’d held her address. The mail included credit card information. It got her attention because she thought she might be witnessing a botched attempt at identity theft.

Rather than terminating an address and keeping it dead for at least a few years, the school was just recycling them not long after the previous holder left. Sure, it’s nice to not have any uniquifying numbers in your e-mail address, but it’s nicer yet to know that your e-mail address is your e-mail address and won’t soon become someone else’s.
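The opening question (“do you check to confirm this has been done?”) is easy to answer mechanically once the HR roster and the directory export are side by side. What follows is an added example, not code from the post or from the Symark study: it flags enabled accounts whose owner has left or who is unknown to HR, calls out logins recorded after the owner’s departure, and adds a quarantine rule for recycled addresses. Every name and date is constructed, and the two record formats are assumptions standing in for whatever your own HR and directory systems export.

```python
"""Orphaned-account audit.

Added example (not from the original post or the Symark study). The HR roster,
the directory export and every name and date below are constructed; the two
record formats are assumptions standing in for whatever your HR and directory
systems actually export.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Person:
    person_id: str
    status: str                      # "active" or "terminated"
    left_on: Optional[date] = None   # termination date, when status is "terminated"


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]          # HR id the account was issued to; None = nobody owns it
    enabled: bool
    last_login: Optional[date]


# Constructed HR roster, keyed by HR id.
ROSTER = {
    "e100": Person("e100", "active"),
    "e101": Person("e101", "terminated", date(2008, 3, 14)),
    "e102": Person("e102", "terminated", date(2008, 5, 2)),
    "e103": Person("e103", "terminated", date(2008, 3, 12)),
}

# Constructed directory export.
ACCOUNTS = [
    Account("alice", "e100", True, date(2008, 5, 28)),    # current employee, fine
    Account("bob", "e101", True, date(2008, 4, 20)),      # left in March, still logging in
    Account("carol", "e102", True, None),                 # left in May, never disabled
    Account("vendor1", None, True, date(2008, 5, 1)),     # contractor account with no HR owner
    Account("dave", "e103", False, date(2008, 3, 11)),    # correctly disabled on departure
]


def audit(accounts, roster, today, grace_days=1):
    """Return (username, reason) findings for enabled accounts that should not be.

    An account is flagged when nobody on the roster owns it, when its owner left
    more than `grace_days` ago and it is still enabled, and, separately, when a
    login was recorded after the owner's departure date (somebody is using it).
    """
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        owner = roster.get(acct.owner_id) if acct.owner_id else None
        if owner is None:
            findings.append((acct.username, "no owner on the HR roster"))
            continue
        if owner.status != "terminated":
            continue
        if today - owner.left_on > timedelta(days=grace_days):
            findings.append((acct.username,
                             "owner left on %s, account still enabled" % owner.left_on))
        if acct.last_login is not None and acct.last_login > owner.left_on:
            findings.append((acct.username,
                             "login on %s after owner left" % acct.last_login))
    return findings


def address_reusable(released_on, today, quarantine_years=3):
    """A released address may be reissued only once the quarantine has run out.

    `quarantine_years` is an assumed policy value; the post only asks for
    "at least a few years".
    """
    return today >= released_on + timedelta(days=365 * quarantine_years)


if __name__ == "__main__":
    for username, reason in audit(ACCOUNTS, ROSTER, date(2008, 5, 29)):
        print("%-8s %s" % (username, reason))
```

Run against the constructed data on the date of this post, it reports bob twice (still enabled, and a login five weeks after his departure), carol once and the ownerless vendor account once; dave, disabled the day he left, is the quiet success story. The login-after-departure finding is the one that matters most for the identity-fraud angle the IDC quote raises, because it says the account is not merely open but in use.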

See also: Reasons you shouldn’t be using your work e-mail address for anything besides work anyhow.

(Link)

E-mail   0 Comments    Digg This  add to del.icio.us

Posted by mhall at 9:37 PM | Add Comment

May 27, 2008

Hall's First Law of Security Stories

Apple irritated a security company over some vulnerabilities in iCal:

“Critical vulnerabilities remain in Apple Inc.’s iCal calendar program, a security company said Wednesday in an advisory that showed months of back-and-forth between Apple and the researchers over whether bugs were serious enough to warrant patches, and if so, when Apple would patch them.

“After several delays requested by Apple, the security vendor put its foot down and told the company’s security team it would release information about the vulnerabilities May 21, whether Apple had issued patches or not.

“In a bulletin posted to the Bugtraq and Full Disclosure mailing lists and on its own Web site, Core Security Technologies detailed three bugs in iCal that attackers could remotely exploit using compromised servers, malicious Web sites or e-mailed .ics file attachments.

“‘The vulnerabilities may allow un-authenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) the assistance from the end user of the application or to repeatedly execute a denial of service attack to crash the iCal application,’ said Core Security.

There’s a steady flow of bugs and vulnerabilities exactly like the one ComputerWorld is reporting on here: Seemingly small things that aren’t dangerous all on their own … just when they’re combined with a follow-up of some sort that takes advantage of an app crashing or misreading data or what have you.

The appropriate response to a security researcher mentioning such a thing from anyone, end user or vendor, will usually be “thank you.”

Unless operating system fan boys are involved. In which case the appropriate response is either stone silence lest rival OS zealots learn of a flaw, or scorn and derision over how petty the vulnerability seems.

(Link)


Posted by mhall at 7:46 PM

May 22, 2008

Some Context on Cisco's Bad China Week

As usual, when something to do with China is making the rounds, Rebecca MacKinnon has useful details and provides more context. This time around, it’s related to an internal Cisco document from 2002, recently published by Wired, that indicates the company was pleased to take advantage of the “opportunities” presented by, among other things, China’s crackdown on Falun Gong:

“To many reporters who cover China, this debate is reminiscent of the debate in the 90s about dual-use export controls on computers that could be used either to save lives in hospitals or to launch ICBM’s… eventually the free-traders won out (with heavy lobbying by the American Chamber of Commerce) because they argued that if IBM didn’t sell the computers, then the Japanese or Germans or somebody else would anyway, China’s behavior or capabilities would be no different but Americans would have lost the business.

“I find the Cisco case much tougher to argue than the Yahoo case or even Google or Microsoft: At least in those cases the facts of what employees of these companies did and didn’t do, under what circumstances, and with what direct consequences for whom, were either clear from the beginning or could be sleuthed out. With Cisco, cold hard proof of exactly what Cisco employees did or didn’t do - and what their intentions were - remains elusive. We know that their routers have been used for censorship. Nobody has yet come up with ‘smoking gun’ evidence to back up Gutmann’s account that Cisco was selling a special censorship router. Cisco has done a great job at preventing anybody from obtaining any evidence that can’t be denied or discounted in some way. This new powerpoint adds a strong data point that makes Cisco’s intentions look really bad. It takes us closer but it doesn’t take us all the way there.

“Whatever the truth is, Cisco has not been transparent and forthcoming with the public about their activities in China. And they’ve failed to engage in the ongoing effort to set human rights standards for Internet and telecoms companies - as Microsoft, Google, and Yahoo among others have done.”

Sometimes I get the sense that the business community’s overwhelming belief regarding China is that some day it will be a liberal democracy on a par with anything you might find in Western Europe, and that we’ll all have a laugh about how silly old China just took a little longer than the rest of us to straighten up and act like some sort of Amsterdam on the Yangtze. That assumption in hand, everyone feels free to make sure they’re doing as much business as possible with the current government, which is most pointedly not a liberal democracy.

Banking on forgetfulness is probably not a losing strategy for a business. In some ways, the pressure companies doing business in China face in terms of PR and bad sleep is similar to that of companies operating in South Africa in the ’80s during the height of the disinvestment movement. In fact, Google’s last shareholder meeting involved a (losing) proposal presented by Amnesty International on behalf of a pension fund, which will sound very familiar if you were around just about any American campus in the ’80s. The net result? Twenty years later there are plenty of “socially responsible” investment funds, many of which grew out of disinvestment sentiment, but I don’t know anyone who’s still boycotting companies that tried to tough out the pressure.

(Link)


Posted by mhall at 7:56 PM

May 20, 2008

While You Were Out Fiddling With Wireshark ...

Paul Rubens on the importance of physical security:

“While physical access attacks are serious when carried out on laptops, they are potentially far more serious when it’s a Windows server, rather than a user laptop, that a hacker has access to. Instead of rebooting the machine into a Linux environment and resetting a password, they could copy the SAM and SYSTEM files from the Windows directory’s system32/config folder to a memory stick and remove them.

“Why would they do that? Because on another Linux machine, the hacker can then get to work using a pair of open source Linux tools called bkhive and samdump2.

“First they’d run bkhive on SYSTEM to get the system key:

       bkhive (path to)/SYSTEM systemkey.txt

“And then they’d use samdump2 to get at the account names and password hashes from the SAM:

       samdump2 (path to)/SAM systemkey.txt>hashes.txt

(Link)

I had just started working for this company in late 2000 when I got sent to COMDEX. One of the nights of the show there was a media reception/vendor crawl. We got free drinks and walked around chatting with reps from companies that had set up very small tables, if any.

I noticed my boss talking to some guys at one of the tables who were looking sort of unhappy. They were pointing to a small laptop and there was a lot of shrugging going on. I walked over and my boss said “They’re locked out of their laptop and they wanted to do a demo here … any way to get back in?”

I opened my mouth to answer and someone leaned over my shoulder and said “That’s a Linux laptop! You’ll never, ever get into that thing! Once you forget your password, you’re screwed!”

So I rebooted the laptop, waited for the LILO prompt to appear, quickly fed it “linux 1” (or something similar to put it into single user mode) and we all stood around watching while the laptop gave me root. At that point, it was pretty easy to fix their password for them, reboot the machine and go back to my beer.
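That trick works because a stock LILO accepts whatever kernel parameters get typed at its prompt. Here is the lilo.conf stanza that closes it, added as an example rather than anything from the post or from that laptop; the device names, kernel path and password are placeholders:

```conf
# /etc/lilo.conf (added example, not from the original post; the device
# names, kernel path and password below are constructed placeholders).
#
# "restricted" means the password is demanded only when extra parameters
# such as "1" or "single" are typed at the prompt, so normal unattended
# boots are unaffected but nobody gets a root shell by asking for one.
boot=/dev/hda
prompt
timeout=50
default=linux
restricted
password=CHANGE-ME-PLACEHOLDER

image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
```

The password sits in the file in clear text, so lilo.conf has to be readable by root only, and `lilo` has to be rerun to write the change into the boot map. It also solves only half of the problem described in this post: booting from a floppy or CD, the other half, is governed by the BIOS boot order and the BIOS password, and none of it matters once someone can carry the drive away, which is the server scenario Rubens describes.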

Frankly, I doubt I’d even remember this story if the guy hadn’t made such a big deal out of the laptop’s alleged impregnability. But he had, and it turned out he was a security contractor, and he was the son of a notorious coot science fiction writer with a record of public opinion that suggested cluelessness might be genetic, so the incident has stayed with me.

When I worked at a high school, I watched a coworker tasked with securing a computer lab deal with the same problem from the other end: She’d managed to secure the operating systems on each box in the lab, but she’d forgotten the BIOS password and she was going nuts trying to figure out how it was her carefully secured machines were visiting places they shouldn’t be able to visit and showing porn for wallpaper instead of a big picture of the school mascot. It was trivial for the attackers … o.k., “children,” if you insist … to bring their own boot floppies along and circumvent all the OS-based security.

I have no conclusion besides “Don’t let strange people have physical access to anything on your network,” and “think like a teenage boy who sees your security measures as an impediment to his porn surfing when you’re considering ways to compromise endpoints.”


Posted by mhall at 8:12 PM

May 19, 2008

Facebook: Too Good for You, But HR Gets a Pass

Vangie did a writeup of Facebook Chat for Instant Messaging Planet, including some bits about how FaceTime, a security company that works what it refers to as the “greynet” niche, is providing corporate IT more control over how employees access Facebook:

“In response to rapidly growing concern over the use of social network sites and Web 2.0 applications in the enterprise, FaceTime’s Unified Security Gateway is now designed to provide IT managers with management, security and control over 140 social networking sites, 20,000 individual Facebook widgets and more than 400 Web and real-time applications. These new features are in addition to the USG’s already existing URL filtering, anti-malware and IM and P2P management capabilities.

“‘As we’re learning from our customers, blocking social networking applications like Facebook is simply not an option any more. Companies have difficulty recruiting top-notch talent if they don’t allow many of the cutting-edge applications and tools the recruits are accustomed to using.’

“He said that some of FaceTime’s own customers have HR departments that access Facebook as a recruitment and research tool. ‘They originally shut down the application, but eventually were forced to open access and now needed security. These days, it’s become nearly impossible to shut out all greynet applications. Another customer actually has a written contract with their own customer for the right to communicate via instant messaging. In the new world of enterprise 2.0, Facebook just can’t be shut out.’”

I took a briefing from FaceTime several weeks ago. Its security tool goes beyond turning access to Facebook on or off. It can also selectively block specific Facebook applications, and base those blocks on the same group policy it’s able to apply to general access to Web sites. The group policy approach allows an admin to grant access to a given app or site to everyone in a specific department or group while denying it to others.

Consequently, while you’re stuck trying to get some entertainment value out of the corporate intranet’s portal page or the boss’s official blog, the HR people are yucking it up over a picture of some job candidate (or you) barfing all over a lampshade.


Posted by mhall at 8:06 PM

May 16, 2008

Debian/Ubuntu SSL Keys Vulnerability Explained

The Debian wiki has just about everything you need to know about the recently patched SSL keys vulnerability. Sean Michael Kerner’s writeup (linked here yesterday) did a good job of pointing out how serious the problem was, but the wiki entry (a work in progress) spells out which apps are affected and how: Debian Wiki: SSL Keys.

That page also links to a message from Debian’s admins on how they responded to the vulnerability when they learned about it.


Posted by mhall at 10:51 PM

NebuAd Opt-Out Promises Are Nebu-Lous

Might as well end Friday on the story of the week. Wired’s Ryan Singel dug up more stuff on NebuAd, which is the company providing behavioral tracking services to ISP Charter.

Earlier in the week we noted the original story, which started innocently enough at The Consumerist. The next day the story seemed to grow beyond the inevitable first wave of paranoid hand-waving and generalized blog comment brain-fog, with the New York Times and others noticing.

A search of the news archives shows NebuAd had been enjoying a quiet period of VC love and media tolerance for vague answers about who the company was working with. Maybe it was inevitable that taking a client as large as Charter (ISP Planet says it’s number 8 in the U.S.) would expose the company to more scrutiny.

NebuAd also relied on simple corporate opacity on the part of its ISP clients to operate with such a low profile for so long. The NebuAd appliance that works the surveillance magic sounds like a turnkey, plug-n-play box, so the ISP’s support personnel don’t really need to know anything about it. The ISPs don’t care to describe the business relationship they’re using to “enhance the user’s browsing experience,” as they euphemize the surveillance, which means that even where they do disclose the surveillance, its mechanisms remain largely obscured, sometimes requiring users to sift carefully through their own network traffic to understand why their Internet connection is behaving strangely.

Today, Singel reports that a pair of Congressmen are interested in NebuAd’s business model, which involves tracking ISP users as they move about the Web, then buying targeted ads on a number of ad networks.

He also raises some questions about just how “out” a user is when he or she tries to opt out of NebuAd tracking:

“Charter’s own opt-out page is careful not to claim that opted-out users won’t be monitored, saying only that if a user ‘would like to opt-out of this process’ an opt-out cookie means they ‘will no longer receive ads that are tailored to your web preferences, usage patterns and commercial interests.’

“Indeed, it is possible that the cookie system works to prevent opted-out users from receiving the third-party ads, and it could stop NebuAd from sharing a user’s profile with third-party ad networks — assuming those networks include a NebuAd image file, or some other embedded code, in the ads they serve on the web. But NebuAd’s claim that you can opt-out of the surveillance itself remains unexplained.”

And there’s a security angle beyond the mundane concern that someone is skimming information about your browsing habits whether you like it or not, based on patents the company has applied for:

“A patent application filed by the company in March 2007 describes a monitoring system that actually manipulates data packets and replaces advertisements on third-party websites with their own ads.

“That more-intrusive technique would doubtless anger commercial websites and ad networks, and their lawyers. But, ironically, it would also allow the company to live up to its opt-out claims, because NebuAd could inject a call to its own website into third-party sites, and thus read the opt-out cookie.

“But by injecting ads into packets on the wire, the system described in the patent application would also create a single vulnerability point for every website on the internet — at least for users whose traffic moves through those boxes. A malicious hacker would only need to be able to find a way to compromise NebuAd’s server in order to insert links to malware into every page loaded by customers on that ISP.”

Nice!

(Link)


Posted by mhall at 8:13 PM

May 15, 2008

More SSH-Targeted Attacks, This Time for Debian et al

I noticed a spate of SSH and SSL-related updates for Ubuntu on my eeePC. Here’s why:

“The Internet Storm Center (ISC) at SANS is raising the alarm on the issue with a yellow alert on the flaw. According to ISC handler Bojan Zdrnja, the development of automated scripts exploiting key based SSH authentication looks like a real threat to SSH servers around the world. In a blog post, Zdrnja argued that public keys generated on any Debian based machine between September 2006 and 13th of May 2008 are vulnerable.

“‘It is obvious that this is highly critical — if you are running a Debian or Ubuntu system, and you are using keys for SSH authentication (ironically, that’s something we’ve been recommending for a long time),’ Zdrnja wrote. ‘In other words, those secure systems can be very easily brute forced.’

“Security researcher HD Moore, leader of the Metasploit security effort, has gone a step further, explaining in a public post how he was able to brute force 1024, 2048 and 4096-bit keys. The flaw itself exists in a Debian-specific version of the OpenSSL package, which generates the keys that are used in OpenSSH. Even though OpenSSL is widely used by other Linux distributions, it is not necessarily at risk according to Moore.”
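This item and the May 16 Debian wiki item above are about the same bug, so one added example serves both (it is not code from either post, from Debian, or from Metasploit). The reason the keys could be brute forced at all is that the broken generator drew its randomness from a value with only about 32,768 possibilities, so every key it could ever emit could be generated in advance. That is also why the defender’s check is a blacklist: compute the fingerprint of each public key you trust and look it up in the published list of known-weak fingerprints. The code below shows the fingerprint computation and the scan over an authorized_keys file; the RSA numbers, key comments and BLACKLIST are constructed (they are not real moduli), and a real check has to use the published blacklists.

```python
"""Fingerprint-blacklist check for OpenSSH public keys.

Added example, not code from either post, from Debian or from Metasploit. It
mirrors the approach the Debian blacklist tooling took: because the broken
generator could only produce a small, enumerable set of keys, every one of them
was generated in advance and its fingerprint published; a key whose fingerprint
is on the list is known-weak. The RSA numbers, the key comments and BLACKLIST
below are constructed (they are not real moduli), and a real check must use
the published blacklists, not this one.
"""
import base64
import hashlib
import struct


def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n):
    """SSH mpint: big-endian magnitude with a leading 0x00 when the top bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob, offset):
    """Inverse of _ssh_string: return (bytes, offset after them)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    offset += 4
    return blob[offset:offset + length], offset + length


def encode_rsa_public_key(e, n, comment):
    """Build an 'ssh-rsa <base64 blob> comment' line as found in id_rsa.pub."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def parse_public_key_line(line):
    """Return (key_type, raw_blob) from one id_*.pub / authorized_keys line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    return parts[0], base64.b64decode(parts[1])


def parse_rsa_blob(blob):
    """Decode an ssh-rsa blob back into its (e, n) integers."""
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % key_type)
    e_bytes, off = _read_string(blob, off)
    n_bytes, _ = _read_string(blob, off)
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def md5_fingerprint(blob):
    """Classic OpenSSH fingerprint: MD5 of the blob as 16 colon-separated octets."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def is_blacklisted(line, blacklist):
    """True when the key on this line has a fingerprint in `blacklist`."""
    _, blob = parse_public_key_line(line)
    return md5_fingerprint(blob) in blacklist


def scan_authorized_keys(text, blacklist):
    """Return the 1-based line numbers in an authorized_keys file holding weak keys."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if is_blacklisted(line, blacklist):
            hits.append(lineno)
    return hits


# Constructed keys: the moduli are arbitrary 1024-bit odd numbers, not real RSA keys.
WEAK_N = (1 << 1023) + 12345
GOOD_N = (1 << 1023) + 67891
WEAK_KEY = encode_rsa_public_key(65537, WEAK_N, "constructed-weak-key")
GOOD_KEY = encode_rsa_public_key(65537, GOOD_N, "constructed-good-key")

# Constructed blacklist: in reality this set holds the fingerprints of every key
# the broken generator could emit, as shipped by the distribution.
BLACKLIST = {md5_fingerprint(parse_public_key_line(WEAK_KEY)[1])}

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys",
    GOOD_KEY,
    WEAK_KEY,
])

if __name__ == "__main__":
    print("weak key lines:", scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLACKLIST))
```

Finding a hit is the easy part; the remediation is the one the Debian admins took, which is to regenerate the key and remove the old public key from every authorized_keys file and known_hosts entry it ever landed in, since the private half is effectively public.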

(Link)


Posted by mhall at 7:52 PM

May 14, 2008

Charter Officially Speaks on NebuAd

Saul Hansell at the NYT’s Bits Blog took some time yesterday to call Charter and ask for some comment on its partnership with NebuAd (noted here yesterday).

“I suggested to Mr. Schremp that there are likely to be a fair number of customers who don’t consider having their Internet activities tracked to be an enhancement.

“He responded several ways. He said that Charter convened focus groups of customers in two cities and found that most didn’t object when the program was explained to them. (A key aspect of the NebuAd system is that it claims not to record any personally identifiable information about users. Rather, it associates each user’s behavior with 1,000 categories of interest to advertisers.)

“He offered his personal view that the system is harmless and well within the norms of the Internet these days. ‘The mainstream Internet user is hugely aware of the fact that the fundamental economic model on the Internet is advertising,’ he said. While some people object to targeted advertising systems like Google’s Gmail, which displays ads related to the text of e-mail users are reading, many others don’t.”

“For those customers who disagree, Mr. Schremp said that Charter is offering the ability for them to choose not to be part of the system. I suggested that most privacy experts prefer opt-in systems where information isn’t collected until the user explicitly grants permission. He said that opt-out has become the norm for all targeting on the Internet.”

(Link)


Posted by mhall at 6:38 PM

May 13, 2008

Shorter Charter: We'd Rather You Just Not Read the Privacy Advisory in the First Place

Charter’s got a new user tracking program. From the Consumerist:

“Charter, which serves nearly six million customers, is requiring users who want to keep their activity private to submit their personal information to Charter via an unencrypted form and download a privacy cookie that must be downloaded again each time a user clears his web cache or uses a different browser.”

Charter could have saved a few hours of developer and designer time by dropping the bit about the cookie and the opt-out form and adding “so suck it!” to the notification letter it sent out.

(Link)

It appears, btw, that Charter is using NebuAd to do its tracking. You can read a bit more about that company in a January interview with ClickZ. Commenters in the Consumerist item linked above reflect some confusion about how it is NebuAd can place ads, but it seems the company just piggybacks on other ad networks:

Q. How do you obtain ad inventory and where do you serve the ads?

“A. We buy the impressions from the ad networks. We are willing to buy from every ad network. Because of our micro-targeting capability, the CPMs we can charge our advertiser are quite a bit higher [than what networks can charge].

Q. So you’re acting as an ad network yourselves.

“A. Correct, but we don’t want to replace existing ad networks we run on top of. We’re not looking to buy directly from publishers. We’re more interested in ad networks because they give us the best reach.”

The New York Times Bits Blog recently explained in a little detail:

“NebuAd is working with Web sites and advertising networks to identify which of their users are on its list of I.P. addresses for which it has profiles. When one of those users visits a Web page, NebuAd can check which categories the user appears to be interested in and display a message from an advertiser interested in that sort of product.

“Exactly how NebuAd compares its list of I.P addresses to visitors to Web sites was another question Mr. Dykes wouldn’t answer.”

So it has appliances installed at the ISP, the appliances track your behavior, and when you’re marked as a likely candidate for some sort of particular ad targeting, NebuAd works with one of the ad networks it contracts with to deliver the content.

There’s more on NebuAd from the Register:

“At least two WOW! customers argue that the ISP’s initial notification was not enough. Both of these Chicago-area customers were unaware that NebuAd was tracking their behavior until some unexpected Web cookies turned up on their machines. When they visited Google, non-Google cookies were being read by addresses such as ‘nebuad.adjuggler.com.’

“When these users contacted WOW! customer support, reps initially denied that the ISP was responsible for the cookies. So these customers did some digging on their own, eventually turning up the NebuAd mention in WOW’s terms of service. Only then did reps confirm that NebuAd was a partner.”


Posted by mhall at 7:20 PM

There's a Surge In Attempts to Compromise SSH Passwords

Sounds like it’s time to review your password policy for accounts with ssh access.
From SANS, a rundown on a recent surge in brute-force attempts on ssh:

“From the most recent reports I have seen, the attackers have been using either ‘low and slow’ style attacks to avoid locking out accounts and/or being detected by IDS/IPS systems. Some attackers seem to be using botnets to do a distributed style attack which also is not likely to exceed thresholds common on the network.

“So be warned that there does appear to be a bit more activity involving SSH and weak or otherwise guessable passwords. This would be a great time to do some investigation on your local network to see what servers have SSH open to the world on the default port, and may need to have their security posture reassessed.”

(Link)

I ran an item by Paul Rubens on how to use Hydra just last week:

“Online attacks are more than just slow. There are many security hurdles to overcome. Many servers have security features which limit the number of failed password attempts that are allowed before the account is suspended, your IP address is blocked or the period before a new login attempt can be made is extended. They should also log where failed attempts are coming from and alert administrators.

“This makes it hard for a hacker to carry out an online attack on your systems. Which is good. The question is how hard? Do the systems work? Would you know if someone was carrying out an online attack, and what would you do about it?

“The best way to answer these questions is to carry out an online attack yourself, and see how far you get.”
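The SANS handler’s point is that a fixed threshold catches the noisy attacker and misses the patient or distributed one, and Rubens’s question is whether you would notice either. This added example (not code from the SANS diary, the post or Hydra) parses OpenSSH “Failed password” syslog lines and looks for three shapes: a burst from one source inside a minute, a source that never bursts but keeps guessing for over an hour, and one account guessed at from many sources. The log lines are constructed in the format OpenSSH writes via syslog on Linux, and the thresholds are assumptions to tune against your own logs.

```python
"""Spotting "low and slow" and distributed SSH password guessing in auth logs.

Added example, not code from the SANS diary, the post or Hydra. The log lines
are constructed in the format OpenSSH writes via syslog on Linux; the
thresholds are assumptions to be tuned against your own logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One "Failed password" line; the "invalid user" prefix appears for accounts
# that do not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines, year):
    """Return [(timestamp, target_user, source_ip)] for every failed-password line.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    failures = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        failures.append((ts, m.group("user"), m.group("ip")))
    return failures


def max_in_window(times, window):
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(failures, burst=5, window=timedelta(minutes=1),
           slow_total=10, slow_span=timedelta(hours=1), spread=5):
    """Classify guessing activity into (kind, subject, count) findings.

    burst:        >= `burst` failures from one source inside `window`
    low-and-slow: a source that never bursts but accumulates `slow_total`
                  failures over at least `slow_span`
    distributed:  one account attacked from >= `spread` distinct sources
    """
    by_source = defaultdict(list)
    sources_by_user = defaultdict(set)
    for ts, user, ip in failures:
        by_source[ip].append(ts)
        sources_by_user[user].add(ip)

    findings = []
    for ip, times in sorted(by_source.items()):
        peak = max_in_window(times, window)
        if peak >= burst:
            findings.append(("burst", ip, peak))
        elif len(times) >= slow_total and max(times) - min(times) >= slow_span:
            findings.append(("low-and-slow", ip, len(times)))
    for user, ips in sorted(sources_by_user.items()):
        if len(ips) >= spread:
            findings.append(("distributed", user, len(ips)))
    return findings


def _failed_line(ts, user, ip, pid, invalid=False):
    """Build one constructed sshd syslog line."""
    who = ("invalid user " if invalid else "") + user
    return "%s host sshd[%d]: Failed password for %s from %s port %d ssh2" % (
        ts.strftime("%b %d %H:%M:%S"), pid, who, ip, 40000 + pid)


_T0 = datetime(2008, 5, 13, 6, 0, 0)
SAMPLE_LOG = [
    "May 13 05:59:40 host sshd[900]: Accepted publickey for mph from 192.168.1.2 port 51000 ssh2",
]
# one guess at root every ten minutes from a single source: under any per-minute threshold
SAMPLE_LOG += [_failed_line(_T0 + timedelta(minutes=10 * i), "root", "10.0.0.5", 1000 + i)
               for i in range(12)]
# eight sources, one guess each at an account that does not exist
SAMPLE_LOG += [_failed_line(_T0 + timedelta(minutes=3 * i), "admin", "10.1.0.%d" % (i + 1),
                            2000 + i, invalid=True) for i in range(8)]
# the classic noisy burst: twenty guesses inside forty seconds
SAMPLE_LOG += [_failed_line(_T0 + timedelta(seconds=2 * i), "oracle", "10.2.0.9", 3000 + i)
               for i in range(20)]

if __name__ == "__main__":
    for kind, subject, count in detect(parse_failures(SAMPLE_LOG, 2008)):
        print("%-12s %-10s %d" % (kind, subject, count))
```

On the constructed log the per-source burst rule fires only for the noisy host; the patient source at 10.0.0.5 never exceeds one failure a minute and shows up only because the tally runs across the whole window, and the eight one-shot hosts are invisible per source and appear only when the view is flipped to “how many places is this account being guessed from.” Feeding it your own logs, or the logs from a Hydra run against your own box as Rubens suggests, tells you which of the three views you are actually getting from your IDS.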

Previously:


Posted by mhall at 6:35 PM

May 12, 2008

An Interview With AOL's Chief Privacy Officer

I’m still digging out from my long weekend, but I see Kenneth Corbin, a colleague over at InternetNews.com, has posted a lengthy interview with AOL’s chief privacy officer. One interesting excerpt:

Q: So if legislation can’t keep up with the nuances of technological innovation, is there any room for some kind of a baseline privacy law on data collection?

“I think this is an area where we’re still trying to figure out exactly what people’s expectations are. I would often have debates with the guy who was the inventor of the Buddy List, and he always had different ideas about different promotional things that he wants to do, and I’d say ‘No! You can’t do this! You can’t do this! It’s got to be opt-in…’ And he’d say to me, ‘You know, if you were around when I did the Buddy List, you would have said ‘opt-in’. People downloading instant messaging software shouldn’t be able to see whether your friends are online.”

“And I probably would have been. Why should you — just because you know my screen name — be able to track whether I’m online or not? That’s outrageous! Opt people in. And he’s like, ‘That would have been the end of it, because the whole point of instant messaging is that I can ping you because I see that you’re online. There, you broke my product.’

“You can easily see a law that says you shouldn’t, by default, broadcast information about what you’re doing to all your social networking friends. Well, I kind of like that; I like being able to do it. If I wasn’t even aware of that business model when I was drafting legislation, who knows what I would have broken that people do indeed want and are now using to promote political candidates or using to fundraise or using to do all sorts of things?”

(Link)

Which reminds me …

When I worked at Indiana University the public VAX system had three personalities: You could use the limited menu system to do stuff like read your e-mail and other basic activities, you could edit a dot or config file of some kind and use the system from the command line, or you could opt for an unsanctioned third personality and install a collection of utilities that provided a bunch of functionality you might expect to turn up on a college campus.

The developer had painstakingly mapped the IP addresses of every public terminal on campus down to their room and position, and he had an idea of where a lot of staff terminals in non-public locations could be found. So you could use the utilities to pull up a directory of which utility users were online in a given lab or room and get a map of where those users were seated. Then you could use the utilities to open a ‘talk’ session (or whatever it was called in VMS-land) with the user you’d mapped.

The map database was comprehensive, but it didn’t keep up with developments in the real world, so if a pair of machines were switched, or if a whole lab went in for servicing and got put back in different order, the map would break. The fallout from these breakages was mildly comical: I’d be sitting in some lab catching up on my mail and I’d get a talk banner on my terminal that read “That’s a sexy top you’re wearing … wanna meet?” or “You look really nice … I can tell because I’m looking at you RIGHT NOW.”

It was, after all, 1991, and a generation of maladjusted dorks had been raised on movies that suggested a mild display of super stalker powers via the computer would eventually lead them straight to Ally Sheedy’s heart.

Anyhow … the point:

Those utilities were really just a crude social overlay for a system that had all the bits and pieces it needed to do that kind of thing. To get them you needed to a. know about them, b. be willing to turn off the friendly and utilitarian menu system and c. run a script out of the maintainer’s account that installed the utilities in whatever passes for ~/.profile in VMS. And plenty of people did. They even did it knowing they were subjecting themselves to stuff like that terminal mapping app, which would probably go by “stalkr” if it were out and about on the campus network now.

The engineer in that excerpt above was, I suspect, dead wrong. Opt-in presence wouldn’t have “killed” IM because there really aren’t a lot of soft barriers like “click a box at install-time” or even “turn off the existing interface and install a new interface by running a shell script in some stranger’s VAX account” that will stop people from doing things like, you know, installing software that tells everyone on campus exactly where they’re sitting at any given moment they’re using a computer.


Posted by mhall at 5:36 PM

May 7, 2008

Reprise: Leopard vs. Vista on Security

Kenneth Van Wyk revisits the question of how relatively secure he feels on each platform and comes up with the same, if qualified, answer. I identify with a lot of what he’s saying because I’m also a Mac user by way of Unix/Linux. But there are a few points one might consider open to debate:

On software management he writes:

“Previously, I wrote, ‘Here’s where OS X really shines. Apple has improved on UNIX in this area. Although the standard UNIX utilities are still in /bin, /usr/bin, and such, Apple apps and most third party apps install in /Applications.

“This hasn’t changed much with Leopard and Vista. I still don’t feel I can remove a major application from a Windows system without leaving behind significant residue, be it directly in the file system in the form of remnant DLLs or in a registry hive somewhere that the uninstaller didn’t clean up.”

Not being a Windows person, anything to do with the registry makes me break out in hives, and its mere existence creates a sense of unease for me. I like everything kept down in simple, plain-text files I can read and modify, and where there’s less chance of breaking everything by breaking just one thing.

If I were more familiar with Windows, I might not feel that paranoid about the registry, and I know Windows people who fear and despise plain text configuration files — especially if the people who designed the file format for a given app decided to model it after the syntax of some obscure pet programming language instead of using simple “foo = bar” declaratives.

But if there’s an overall difference between Macs and Windows machines in this area, it stops at the registry vs. file question. App bundles on the Mac make it easy to keep an application from sprawling all over the place, and I’ve written tools for myself (and others, I guess … if we count voodoo2palm) that rely on AppleScript’s (path to me). It’s a handy way to keep everything tucked down in the bundle.

But nobody says it has to be that way. Developers are free to do what they will. I recently, for instance, had a copy of Adobe CS3 (the entire suite, not one app from it) decide it wasn’t registered or licensed. To make a long story short, even Adobe’s own cleaner script (a Python wrapper around “rm -rf”) didn’t get rid of everything it needed to get rid of to allow me to run the software again. That involved finding files Adobe’s tech support doesn’t even seem to know about (or is instructed not to tell customers about) and removing them, too.

Other apps spread junk around, as well. Cisco’s VPN client sticks bits of itself all over the place, for instance. Apple’s even been accused of violating its own guidelines for where to put files on a system now and then.

And once you drag that tidy app bundle into the trash, all that happens is that the app bundle is now in the trash. Nothing comes along and makes all the configuration files left behind (~/Library/Preferences, ~/Library/Application Support, to name two places to look) go away. That’s why people buy stuff like AppZapper.

You can also find threads on assorted Mac fora where people are told that files with no apparent connection to a problematic app are corrupt and need to be fixed. I got bit by this one about a month ago.

And it’s not like I’m all misty for Unix on this score, either:

caladan: mph$ make uninstall
make: *** No rule to make target `uninstall'.  Stop.

‘nuff said.

Well, not quite ‘nuff said. Don’t let my tangent keep you from reading the rest of what he has to say:

(Link)

Note: I’m off for the rest of the week. Blogging will resume on Monday. See you then!


Posted by mhall at 3:15 PM

May 6, 2008

Zeroshell and My Interop Security Hangover

Carla Schroder in the first of two parts on how to set up Zeroshell, a small Linux distro designed to provide encryption and security for your wireless network:

“Zeroshell is designed to run on small form-factor routerboards like PC Engines WRAP, Soekris, VIA, and Alix. It also runs from a CD, and you can install it to a hard drive. This is a good way to put older smaller hard drives back to work. The hard drive installation is a hack using the Compact Flash image, so it will take over your entire hard drive. Data, configurations, and logfiles go on a separate partition or a separate device, such as a USB drive.

“Zeroshell includes FreeRADIUS, the popular network authentication server. RADIUS (Remote Authentication Dial-In User Service; despite the name, it works for all networking) authentication is a good way to control access to your network, both wired and wireless. It provides a central authentication server that can operate with any number of network access points. Zeroshell makes it easier to set up good strong wireless authentication with FreeRADIUS. I’m assuming you already have at least one working WAP on your network, and either bridging or routing in place so your wireless clients can access network resources, and you want to add some real security.”

(Link)

Some tangential thoughts:

I remember when I set up my first WAP at home. It wasn’t the most convenient arrangement: A Linux server provided a shared printer, we had a Linux desktop, a Windows desktop and a Linux laptop. With WEP enabled on the WAP, the networked printer couldn’t talk to the Linux laptop, and Samba performance was dreadful.

So WEP got turned off and every app on the laptop that didn’t provide some sort of encryption on its own went through an SSH tunnel. That was seven years ago or so, but I can still look at my muttrc to see the SSH tunneling stuff.

In general, I’ve treated every wireless network connection as a potentially hostile one since then. On my laptop, I’m careful to make sure my bookmarks for sensitive sites point to the SSL version, I make sure IMAP runs over SSL, etc. etc.

One thing I haven’t gotten around to doing is setting up some sort of VPN connection for myself on my home connection, so I can reduce all that hassle to a single concern.

Last week at Interop, I was my usual careful self when I wasn’t working through the corporate VPN, but my laptop did briefly come up on an unencrypted network and I hadn’t shut down Pidgin. So it went through at least one sign-on sequence to several IM services in the clear.

I didn’t think much of it at the time, but I did go back to my room that night to do some work, where one of my AIM accounts did the whole “Someone has logged on to this account from another computer” thing.

I booted the other user off and promptly changed my passwords (all of which, I can happily report, had the benefit of not being like any of my other passwords), but it was a little stunning to realize that just a few moments of exposure and a single unencrypted sign-on had caused an account to be compromised. I’ve been acting like a paranoiac for years, but up until about five seconds after the moment that message came up telling me someone who wasn’t me was signed on to one of my accounts, I’d been guiltily thinking that maybe I was taking myself a bit too seriously.

So I got home on Thursday night, and by Friday at noon I’d set up my DD-WRT-based router to provide me with that VPN I’d been putting off.


Posted by mhall at 4:16 PM

May 2, 2008

Ripping Passwords With Your Friend John

Today over on ENP I ran a tutorial from Paul Rubens on how to use John the Ripper:

“As a network administrator, how do you know which users have chosen passwords that can quickly be guessed or discovered using a brute force or dictionary attack, and which have chosen secure ones? After all, you can’t tell just by inspecting the hashes.

“That’s where John the Ripper - or ‘John’ to its friends - comes in. John is a multi-platform open source tool for carrying out smart guesses, wordlist attacks with word mangling, and even brute force attacks, on password hashes. Its primary purpose is to detect weak Unix passwords, but, according to Solar Designer, John’s developer, ‘besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.’”

And here’s his conclusion:

“How you decide to use John is up to you. You may choose to run it on all the password hashes on your system regularly to get an idea of what proportion of your users’ passwords are insecure. You could then consider how you could change your password policies to reduce that proportion (perhaps by increasing the minimum length.) You may prefer to contact users with weak passwords and ask them to change them. Or you may decide that the problem warrants some sort of user education program to help them select more secure passwords that they can remember without having to write them down.”

I’ve worked in settings where the password requirements were pretty stringent, with software analyzing passwords as they were requested by users and looking out for typical l33t substitutions users might try to make the password at least somewhat memorable. I hated it, too.

Something like John the Ripper might represent a decent compromise: Set a reasonable baseline policy (at least one number, at least one non-alphanumeric character) and do periodic audits to make sure the very weakest passwords that still survive those criteria are flagged.
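As an added example (not from the post, the tutorial, or John the Ripper itself), here is a small Python check of the kind the two paragraphs above describe: a baseline policy (one digit, one non-alphanumeric) plus a pass that reverses common l33t substitutions and strips the usual padding, so that mangled dictionary words which satisfy the baseline still get flagged. The wordlist, the 8-character minimum length and the substitution table are constructed assumptions.

```python
import string

# Constructed mini wordlist standing in for a real dictionary/wordlist file.
WORDLIST = {"password", "letmein", "welcome", "summer", "dragon", "monkey"}

# Common l33t substitutions, keyed by the mangled character so a candidate
# can be mapped back to the dictionary word it was derived from (assumed table).
LEET = {"@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"}

# Padding users commonly add to satisfy a policy: a trailing "!" or a year.
PADDING = string.digits + string.punctuation


def meets_baseline(pw, min_len=8):
    """Baseline policy from the post: at least one digit and at least one
    non-alphanumeric character. The minimum length is an assumption here."""
    return (len(pw) >= min_len
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def unmangle(pw):
    """Strip leading/trailing padding, then reverse l33t substitutions.
    Limitation: a leading symbol such as the "$" in "$ummer1" is treated as
    padding rather than as a substituted "s"; a real mangler tries both."""
    core = pw.lower().strip(PADDING)
    return "".join(LEET.get(c, c) for c in core)


def is_dictionary_based(pw, wordlist=WORDLIST):
    """True if the password collapses to a wordlist entry once unmangled."""
    return unmangle(pw) in wordlist


def audit(passwords, wordlist=WORDLIST):
    """Classify each candidate: fails the baseline, survives the baseline but
    is a mangled dictionary word, or passes both checks."""
    report = {}
    for pw in passwords:
        if not meets_baseline(pw):
            report[pw] = "fails baseline"
        elif is_dictionary_based(pw, wordlist):
            report[pw] = "dictionary word with mangling"
        else:
            report[pw] = "ok"
    return report


def weak_fraction(report):
    """Proportion of audited passwords flagged weak, the figure the article suggests tracking."""
    weak = sum(1 for v in report.values() if v != "ok")
    return weak / len(report) if report else 0.0
```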

On the other hand, I just had a frustrating e-mail volley with an admin over a password. It wasn’t that my proposed password wouldn’t have been tough to guess … it was gibberish. The problem was, it was mnemonically simple gibberish (if you’re me), so it was too easy to try to touch-type it in.

In the end, I got myself locked out of the thing the password was protecting (3-strike policy) and had to get the password reset. Then I got locked out again. So I used a password generator, told it to avoid dictionary words and fed it parameters in line with the password policy. It produced a difficult password I will probably not memorize before the timeout makes me set a new one, but there’s zero chance I’ll try to touch-type it in.

I went around hating that for about a day, then I just wrote it down on a 3x5 card, folded up the card, and stuck it in my wallet where it is both safe and accessible, even if you’re sitting in the press room at Interop, which I was quite a bit this past week.

All of which is to say “hard passwords did not kill me.” And that causes me to think that it’s sort of patronizing to imply that hard passwords are just too hard for normal folks to cope with. “Normal folks” can use 3x5 cards and ball point pens, same as I can. If there’s any real problem with passwords at this point, it’s probably that it’s too easy to get people to give them up, and even that seems to be improving.

(Link)


Posted by mhall at 5:22 PM