Sunday, December 14, 2008

Most Common Mistakes made by Linux Administrators

This article will help you avoid those mistakes by laying out the most typical Linux missteps.

Installing applications from various types

This might not seem like such a bad idea at first. You are running Ubuntu so you know the package management system uses .deb packages. But there are a number of applications that you find only in source form. No big deal right? They install, they work. Why shouldn’t you? Simple, your package management system can’t keep track of what you have installed if it’s installed from source. So what happens when package A (that you installed from source) depends upon package B (that was installed from a .deb binary) and package B is upgraded from the update manager? Package A might still work or it might not. But if both package A and B are installed from .debs, the chances of them both working are far higher. Also, updating packages is much easier when all packages are from the same binary type.

Neglecting updates

Okay, this one doesn’t point out Linux as much as it does poor administration skills. But many admins get Linux up and running and think they have to do nothing more. It’s solid, it’s secure, it works. Well, new updates can patch new exploits. Keeping up with your updates can make the difference between a compromised system and a secure one. And just because you can rest on the security of Linux doesn’t mean you should. For security, for new features, for stability — the same reasons we have all grown accustomed to updating with Windows — you should always keep up with your Linux updates.

Poor root password choice

Okay, repeat after me: “The root password is the key to the kingdom.” So why would you make the key to the kingdom simple to crack? Sure, make your standard user password something you can easily remember and/or type. But that root password — you know, the one that’s protecting your enterprise database server — give that a much higher difficulty level. Make that password one you might have to store, encrypted, on a USB key, requiring you to slide that USB key into the machine, mount it, decrypt the password, and use it.

Avoiding the command line

No one wants to have to memorize a bunch of commands. And for the most part, the GUI takes care of a vast majority of them. But there are times when the command line is easier, faster, more secure, and more reliable. Avoiding the command line should be considered a cardinal sin of Linux administration. You should at least have a solid understanding of how the command line works and a small arsenal of commands you can use without having to RTFM. With a small selection of command-line tools on top of the GUI tools, you should be ready for just about anything.

Not keeping a working kernel installed

Let’s face it, you don’t need 12 kernels installed on one machine. But you do need to update your kernel, and the update process doesn’t delete previous kernels. What do you do? You keep at least the most recently working kernel at all times. Let’s say you have 2.6.22 as your current working kernel and 2.6.20 as your backup. If you update to 2.6.26 and all is working well, you can remove 2.6.20. If you use an rpm-based system, you can use this method to remove the old kernels: rpm -qa | grep -i kernel followed by rpm-e kernel-{VERSION}.

Not backing up critical configuration files

How many times have you upgraded X11 only to find the new version fubar’d your xorg.conf file to the point where you can no longer use X? It used to happen to me a lot when I was new to Linux. But now, anytime X is going to be updated I always back up /etc/X11/xorg.conf in case the upgrade goes bad. Sure, an X update tries to back up xorg.conf, but it does so within the /etc/X11 directory. And even though this often works seamlessly, you are better off keeping that backup under your own control. I always back up xorg.conf to the /root directory so I know only the root user can even access it. Better safe than sorry. This applies to other critical backups, such as Samba, Apache, and MySQL, too.

Booting a server to X

When a machine is a dedicated server, you might want to have X installed so some administration tasks are easier. But this doesn’t mean you should have that server boot to X. This will waste precious memory and CPU cycles. Instead, stop the boot process at runlevel 3 so you are left at the command line. Not only will this leave all of your resources to the servers, it will also keep prying eyes out of your machine (unless they know the command line and passwords to log in). To log into X, you will simply have to log in and run the command startx to bring up your desktop.

Not understanding permissions

Permissions can make your life really easy, but if done poorly, can make life really easy for hackers. The simplest way to handle permissions is using the rwx method. Here’s what they mean: r=read, w=write, x=execute. Say you want a user to be able to read a file but not write to a file. To do this, you would issue chmod u+r,u-wx filename. What often happens is that a new user sees an error saying they do not have permission to use a file, so they hit the file with something akin to chmod 777 filename to avoid the problem. But this can actually cause more problems because it gives the file executable privileges. Remember this: 777 gives a file rwx permissions to all users (root, group, and other), 666 gives the file rw privileges to all users, 555 gives the file rx permissions to all users, 444 gives r privileges to all users, 333 gives wx privileges to all users, 222 gives w privileges to all users, 111 gives x privileges to all users, and 000 gives no privileges to all users.

Logging in as root user

I can’t stress this enough. Do NOT log in as root. If you need root privileges to execute or configure an application, su to root in a standard user account. Why is logging in as root bad? Well, when you log on as a standard user, all running X applications still have access only to the system limited to that user. If you log in as root, X has all root permissions. This can cause two problems: 1) if you make a big mistake via a GUI, that mistake can be catastrophic to the system and 2) with X running as root that makes your system more vulnerable.

Ignoring log files
There is a reason /var/log exists. It is a single location for all log files. This makes it simple to remember where you first need to look when there is a problem. Possible security issue? Check /var/log/secure. One of the very first places I look is /var/log/messages. This log file is the common log file where all generic errors and such are logged to. In this file you will get messages about networking, media changes, etc. When administering a machine you can always use a third-party application such as logwatch that can create various reports for you based on your /var/log

Read more!

Monday, December 8, 2008

Tried and Tested method to Recover Damaged CD / DVD

Well, there are many methods that can be used to recover damaged CDs but to recover DVDs is somewhat tougher, I have come across many software which claim to do the same but when I tried them, none of them was able to achieve the desired result.

So after banging my head for some time, I have come across one method that worked for me. I am just going to explain and then hope that maybe it would work for you too.

The tool I am going to use here is called CD Check. Well its a paid tool but you I happen to have copy which you can download here.

Whats better is that this tool is just 1.5 MB. Download and install.

This is how it looks


All you need to do is, click on check, once it checks the DVD, you can go ahead and click on Recover Button

You'll see something similar to below


Just specify an output folder and click continue, you should be good to go.

Please let me know if it worked

Read more!

Thursday, December 4, 2008

Minimize removable media headaches in Linux

For many new Linux users, removable media can be a deal-breaker. Anyone coming over from Windows knows you simply insert the CD, use it, and eject it. With Linux, it isn't always that simple. In fact, with Linux, removable media has always held a completely different philosophy.
In the old days of UNIX, removable media was seen in the same light as the PC itself -- multi-user. So when you inserted some form of media (usually a floppy disk, back then), it had to be mounted to a mount point (such as /mnt/floppy) and was then made available to all users on the system. Because of this, the removable media synchronization wasn't "on demand." It typically worked by caching the data until the media was unmounted. Upon unmounting the media, the data was written and the media could be removed.

Linux has caught up to the needs of today's user and, in many cases, the media mounting/unmounting is automatic. But not every situation is the same. Here are some tips that should make your Linux life with removable media better.


Use the right desktop
The right desktop can make your job so much easier. The newest releases of both KDE and GNOME offer systems that check for the insertion of removable media. When a CD is inserted, you will be greeted with a window asking what you would like to do with the media. You can even set that action you choose as the default action to take upon insertion of that type of media. Those desktops also have applets that reside in the panel (or desktop icons) that allow you to easily mount and unmount the media with a click of the mouse. No more entering commands like mount /dev/cdrom /media/cdrom.


Get to know /etc/fstab

Because I generally stick with more old-school desktops (such as Enlightenment DR16), I often still have to mount my removable media. So instead of having to issue the full command mount /dev/sda1 /media/mp3 to mount my MP3 player, I will add a line to my /etc/fstab file that will do two things: Point the device to the correct mount point and make sure the mount point is both readable and writable by the user. The fstab entry will look something like this:

/dev/sda1 /media/ipod vfat users,exec,noauto,managed 0 0

Now when you need to mount the device, enter mount /media/ipod. Just remember to unmount the device before you remove it.


Use udev to make your life easier
Let's build upon using fstab to simplify mount of removable media. Let's say you have an entry in your /etc/fstab file for your iPod pointing it from /dev/sda1 to /media/ipod. Now let's say you plug in another USB device or reboot. The problem is that entry in your fstab file may or may not be valid now because /dev/sda1 might be used by something else. To avoid this, make use of the udev system. You're going to tell udev to always make sure that device shows up with the same filename. Enter a line in the /etc/udev/rules.d/00.rules file that looks like:

## iPod
BUS="scsi", SYSFS{model}="iPod*", NAME="ipod"

Of course, your entry in /etc/fstab will have to change to reflect the above. So now /etc/fstab will look like:

/dev/ipod /media/ipod vfat users,exec,noauto,managed 0 0


Use menu entries for mount/umount
Back in the day, when I used AfterStep, I always had a submenu that included an entry for mounting and unmounting both the floppy and the CD-ROM. This made life much easier because I no longer had to open up a command line and enter the mount and umount commands to use the device. Granted, the window manager you use will determine how this is employed. For example, in Enlightenment, I can create two entries in the user_apps.menu file that look like:

"mount iPod" NULL exec "mount /media/ipod"
"umount iPod" NULL exec "umount /media/ipod"

Now on the Enlightenment menu, I will see two entries: mount iPod and umount iPod. With the device connected all I have to do is click the mount entry. To remove the device I only need to click the umount entry.


Be safe with your removable hard drives
One time, I left a USB drive plugged into a machine I was re-installing the operating system on. I wasn't paying enough attention and wound up with an operating system spanning both my internal drive and my removable drive. Yes, this was a big mistake and no, it has never happened since. Why? Because anytime I install an OS on a machine with a removable drive, that removable drive is removed during installation. It's not a problem, because upon first boot, I plug the drive back in and it is always automatically recognized and mounted. Of course, I will make an entry in /etc/fstab that will automatically mount the drive on boot.


Never forget to use the dmesg command
When you plug in a device or insert removable media, the dmesg command will give you the status of the system. For example, when I insert an iPod into a Mandriva 2008 machine I run the dmesg command and see:

usb 1-4: new high speed USB device using ehci_hcd and address 2
usb 1-4: configuration #1 chosen from 3 choices
usb 1-4: USB disconnect, address 2
usb 1-4: new high speed USB device using ehci_hcd and address 3
usb 1-4: configuration #1 chosen from 2 choices
Initializing USB Mass Storage driver...
scsi2 : SCSI emulation for USB Mass Storage devices
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
usb-storage: device found at 3
usb-storage: waiting for device to settle before scanning
scsi 2:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
sd 2:0:0:0: [sdb] 58605120 512-byte hardware sectors (30006 MB)
sd 2:0:0:0: [sdb] Write Protect is off
sd 2:0:0:0: [sdb] Mode Sense: 68 00 00 08
sd 2:0:0:0: [sdb] Assuming drive cache: write through
sd 2:0:0:0: [sdb] 58605120 512-byte hardware sectors (30006 MB)
sd 2:0:0:0: [sdb] Write Protect is off
sd 2:0:0:0: [sdb] Mode Sense: 68 00 00 08
sd 2:0:0:0: [sdb] Assuming drive cache: write through
sdb: sdb1 sdb2
sd 2:0:0:0: [sdb] Attached SCSI removable disk
sd 2:0:0:0: Attached scsi generic sg1 type 0
usb-storage: device scan complete

From this, I know the device is being seen at /dev/sdb. Without knowing this, I would have a hard time guessing where the device has been mapped to.


Don't forget the eject command
Most people don't know that there's a command to eject CDs from the CD drive. Naturally, this isn't an issue for those who have tray CD drives. But for those with slot-loading CD drives, eject will save you from pulling your hair out. After you have used and unmounted your CD drive, open up a terminal and enter the eject command, and your CD will pop out. To simplify the process, make a menu entry for the command.


Remember that the mount command tells all
If you're unsure what devices are mounted on your system, issue the mount command to see a listing of everything currently mounted on your machine. The output looks like:

/dev/sda1 on / type ext3 (rw)
none on /proc type proc (rw)
/dev/sda6 on /home type ext3 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
none on /sys/fs/fuse/connections type fusectl (rw)

From this output, I can see that I have no removable media mounted on the machine. So I know it's safe to unplug anything removable. Had there been an entry for, say, my iPod, I would know not to remove the device without unmounting it. Of course, on modern systems (using one of the major desktops), this will be made clear with the icon or the removable device applet on the panel. But this command will be helpful (along with dmesg) in debugging removable media issues.

Reformat your iPod to a Windows format
If you've tried to add songs on a Mac-formatted iPod on Linux, you've probably discovered that it's not possible without jumping through hoops even programmers don't want to jump through. Format your iPod in Windows format, and you won't have any problems using your iPod with Amarok, Banshee, or gtkpod.


Allow others to connect to your removable media
In my office, I have a removable drive mounted to /media/music that contains my entire music collection. I allow others to listen to that music via samba by including it as a share. I like doing this far better than allowing users to have access to my internal drive because 1) it keeps anyone from trashing the drive containing my OS and 2) it allows me to keep sensitive data physically separated from shared data. This approach doesn't have to be used for music, either. It's a great way to share interoffice files or have a single repository for backups. Once the drive is full, remove it and store it. Just add a new removable drive for the new backup.

Simpler, easier
Not only is today's Linux not nearly as challenged with removable media as it once was, it's really quite flexible and user friendly. With the help of these tips, you should now see how you can expand your Linux experience to include various ways to employ removable media.

Read more!

Monday, June 2, 2008

Cut down on Linux command-line typing with these 10 handy bash aliases

The Linux desktop has come a long, long way, but there are still times when I have to use the command line. (I am a hardcore user, after all.) But even though I'm used to typing, spending hours upon hours with my fingers at the keyboard, I still grow tired of typing the same commands over and over. To reduce that tedium, I always add aliases to my .bashrc file

What is an alias?
An alias is basically a shortcut for a command you place in your ~/.bashrc file. Aliases cut down on typing and can save you from having to look up a command

Aliases are set up near the bottom of the of the .bashrc file. You'll see a commented-out section that indicates where you should put them. The format of an alias is:

Alias NICKNAME='full command here'

The keyword alias must be used. The nickname is what you will type at the command line. Make this nickname easy to remember. The = sign must also be used. After the = sign, you enter the full command, including flags and switches, enclosed in single quotes. Once you are done, save the .bashrc file and open up a new terminal. I always find it best to leave the original terminal window open in case there are problems. In the new terminal, type the alias nickname and the command will run.

Following list of aliases to help make a command-line experience a bit easier

1. The ssh alias
This one should be a no-brainer for those of you who frequently secure shell into particular boxes. For this I add an alias like so:

alias server_name='ssh -v -l USERNAME IP ADDRESS'

Just change server_name to a memorable name for the server. Then, change USERNAME and IP ADDRESS to suit your needs.


2. The ls aliases
Some distributions don't include some of the handier ls commands. Generally, I like to see full listings instead of just filenames. For that I always include this alias:

alias ll='ls -l'

Another handy ls alias is this:

alias la='ls -a'


3. The rm safety net
I can't tell you how many times I have "rm'd" a file I shouldn't have "rm'd". To avoid this, I add this alias:

alias rm='rm -i'

Adding the '-i' flag it forces rm into interactive mode, which asks whether you're sure you want to remove a file


4. A more useful df command
This handy tool tells you how much space you have left on a drive. Only thing is, if you run the command by itself it replies in 1K blocks. Most people would prefer to see this in terms of MB. To make that happen, add this alias:

alias df='df -h'

Now, every time you run the df command, the information will be returned in a human-readable format


5. The nonstandard Firefox
Many times, I install Firefox in strange directories (or have more than one version of Firefox installed for testing purposes). For this, I will add an alias to start the correct Firefox. Say, for example, I have the beta of the newest, upcoming Firefox release installed, as well as the current stable Firefox. They are both installed in my home directory in different subdirectories. I will then add two aliases like so:

alias ff1='/home/jlwallen/firefox/firefox'
alias ff2='/home/jlwallen/firefoxb3/firefox'

Now I can start the stable firefox with ff1 or the beta with ff2


6. The bookmark alias
Speaking of Firefox, let's create an alias to open up it to a specific URL:

alias ffg='/home/jlwallen/firefox/firefox http://www.google.com'

This alias will open Firefox directly to the Google site


7. The constant editing of a file
There are certain files that I am constantly editing. For instance, when I used Enlightenment E16 (I now use E17), I was frequently editing the menu file ~/e16/menus/user_apps. Instead of constantly opening up a terminal and entering nano ~/.e16/menus/user_apps, I used an alias that allowed me to type emenu and start editing. I used this alias:

alias emenu='aterm nano -e ~/.e16/menus/user_apps'

Now, I just enter the command emenu (or I can enter that in the run command dialog) to open up this file in an editor


8. The apt-get update
There are numerous ways to use an alias to help you with apt-get. One of my favorite is to add this alias:

alias update='sudo apt-get update'

I only need to enter update and will be prompted for the sudo password. You can modify this to suit your frequent apt-get needs


9. The rpm batch install
I like to do a lot of batch installing with rpm. I will typically dump a bunch of rpm files into an empty directory (created for this specific purpose) and run the command rpm -ivh ~/RPM/*rpm. Of course, an alias makes this even easier:

alias brpm='rpm -ivh ~/RPM/*rpm'

You have to create the ~/RPM directory and enter the root password for this to work


10. The long, arduous path
There are some paths that I often change to that seem to take eons to type. When I was working on the Afterstep window manager, I had to constantly change to the ~/GNUstep/Library/AfterStep/start to edit menus. After a while, you get tired of typing cd ~/GNUstep/Library/AfterStep/start just to get to the directory. So I added an alias like so:

alias astart='cd ~/GNUstep/Library/AfterStep/start'

Naturally, you can change that to fit your needs. This will save you a lot of typing


So there you have it: a few simple bash aliases that will ease the load on your fingers. You can modify them to suit you, and they'll give you a good start on creating your own handy bash aliases

Read more!

Friday, May 30, 2008

10 ways to secure your Linux desktop

A Linux desktop is far more secure than most others. But this level of security doesn't necessarily involve typical security-focused software or techniques. Sometimes, the easiest means to security are those measures that are the easiest to forget. Let's take a look at 10 things you can do to secure a Linux desktop.
Note that we're talking about the desktop, not a server. Linux server security is another beast all together -- one that would confuse the average desktop user.


1. Locking the screen and logging out is important
Most people forget that the Linux desktop is a multi-user environment. Because of this, you can log out of your desktop and others can log in. Not only does that mean that others could be using your desktop, it also means you can (and should) log out when you're finished working. Of course, logging out is not your only option. If you are the only user on your system, you can lock your screen instead. Locking your screen simply means that a password will be required to get back into the desktop. The difference here is that you can leave applications running and lock the desktop. When you unlock the desktop, those same programs will still be running. Safe and secure.

2. Hiding files and folders is a quick fix
In Linux-land, files and folders are hidden by adding a "." before the name. So the file test will appear in a file browser, whereas .test will not. Most people don't know that running the command ls -a will show hidden files and folders. So if you have folders or files you don't want your co-workers to see, simply add the dot to the beginning of the file or folder name. You can do this from the command line like so: mv test .test

3. A good password is a must
Your password on a Linux PC is your golden key. If you give that password out, or if you use a weak password, your golden key could become everyone's golden key. And if you're using a distribution like Ubuntu, that password will give users much more access than, say, on Fedora. To that end, make sure your password is strong. There are many password generators you can use such as Automated Password Generator

4. Installing file-sharing applications is a slippery slope
I know many Linux users are prone to file sharing. If you want to run that risk at home, that's your call. But when at work, you not only open yourself (or your company) up to lawsuits, you open your desktop machine up to other users who might have access to sensitive data on your work PC. So as a rule, do not install file-sharing tools.

5. Updating your machine regularly is a smart thing
Linux isn't Windows. With Windows, you get security updates when Microsoft releases them (which could be many months away). With Linux, a security update can come minutes or hours after the security flaw is detected. With both KDE and GNOME, there are update applets for the Panel. I always recommend having them up and running so you know when updates are made available. Don't put off security updates. There is a reason they come out.

6. Installing virus protection is actually useful in Linux
Believe it or not, virus protection in Linux has its place. Of course, the chances of a virus causing problems on YOUR Linux machine are slim to none. But those e-mails you forward to others' Windows machines could cause problems. With a good virus protection, like ClamAV, you can ensure that e-mail going out of your machine doesn't contain anything nasty that could come back to haunt you (or your company)

7. SELinux is there for a reason
SELinux (Security-Enhanced Linux) was created by NSA. What SELinux does is help lock down access control to applications. And it does it very well. Sure, SELinux can sometimes be a pain. In some cases, it might take a hit out of your system performance. Or you might find some applications a struggle to install. But the security comfort you gain using SELinux (or Apparmor) far outweighs the negatives. During the Fedora installation, you get the chance to enable SELinux

8. Creating /home in a separate partition is safer
The default Linux installation places your /home directory right in the root of your system. Sure, this is fine, but

  1. It's standard, so anyone gaining access to your machine knows right where your data is and
  2. If your machine goes down for good, your data might be gone.
To solve this problem, you can place /home on a different hard drive or partition all together (making it a partition in and of itself). This is not a task for the weak of heart, but it is one worth employing if you're uber-concerned about your data

9. Using a nonstandard desktop is worth its weight in gold
Not only do the alternative desktops (Enlightenment, Blackbox, Fluxbox, etc.) give you a whole new look and feel for your PC, they offer simple security from prying eyes you may never have thought of. I have deployed Fluxbox on kiosk machines when I wanted a machine that could do one thing: Browse the network. How do you do that? Simple. Create a single mouse menu (or desktop icon) for the application you want to use. Unless the user knows how to get back to the command line (by logging out or hitting Ctrl-Alt-F*, where * is a desktop other than the one you are using), they will not be able to start up any application other than the one offered. Since most users have no idea how to move around in these desktops anyway, they aren't going to have the slightest idea how to get to your files. Simple pseudo-security

10 Stopping services is best
This is a desktop machine. It's not a server. So why are you running services like httpd, ftpd, and sshd? You shouldn't need them and they only pose a security risk (unless you know how to lock them down.) So don't run them. Check your /etc/inetd.conf file and make sure that all unnecessary services are commented out


You might find these suggestions to be pure common sense -- but maybe you'll see a means of security you never thought of before. And if you're a new Linux user, these tips are a great place to start to ensure that your Linux experience is a good one.

Read more!

Wednesday, March 12, 2008

How Hackers Breach Security

Hacking, cracking, and cyber crimes are hot topics these days and will continue to be for the foreseeable future. However, there are steps you can take to reduce your organization's threat level. The first step is to understand what risks, threats, and vulnerabilities currently exist in your environment. The second step is to learn as much as possible about the problems so you can formulate a solid response. The third step is to intelligently deploy your selected countermeasures and safeguards to erect protections around your most mission-critical assets. This white paper discusses ten common methods hackers use to breach your existing security.

Stealing Passwords
Security experts have been discussing the problems with password security for years. But it seems that few have listened and taken action to resolve those problems. If your IT environment controls authentication using passwords only, it is at greater risk for intrusion and hacking attacks than those that use some form of multifactor authentication.

The problem lies with the ever-increasing abilities of computers to process larger amounts of data in a smaller amount of time. A password is just a string of characters, typically only keyboard characters, which a person must remember and type into a computer terminal when required. Unfortunately, passwords that are too complex for a person to remember easily can be discovered by a cracking tool in a frighteningly short period of time. Dictionary attacks, brute force attacks, and hybrid attacks are all various methods used to guess or crack passwords. The only real protection against such threats is to make very long passwords or use multiple factors for authentication. Unfortunately, requiring ever longer passwords causes a reversing of security due to the human factor. People simply are not equipped to remember numerous long strings of chaotic characters.

But even with reasonably long passwords that people can remember, such as 12 to 16 characters, there are still other problems facing password-only authentication systems. These include:

  • People who use the same password on multiple accounts, especially when some of those accounts are
  • on public Internet sites with little to no security.
  • People who write their passwords down and store them in obvious places. Writing down passwords is
  • often encouraged by the need to frequently change passwords.
  • The continued use of insecure protocols that transfer passwords in clear text, such as those used for
  • Web surfing, e-mail, chat, file transfer, etc.
  • The threat of software and hardware keystroke loggers.
  • The problem of shoulder surfing or video surveillance
Password theft, password cracking, and even password guessing are still serious threats to IT environments. The best protection against these threats is to deploy multifactor authentication systems and to train personnel regarding safe password habits.

Trojan Horses
A Trojan horse is a continuing threat to all forms of IT communication. Basically, a Trojan horse is a malicious payload surreptitiously delivered inside a benign host. You are sure to have heard of some of the famous Trojan horse malicious payloads such as Back Orifice, NetBus, and SubSeven. But the real threat of Trojan horses is not the malicious payloads you know about, its ones you don't. A Trojan horse can be built or crafted by anyone with basic computer skills. Any malicious payload can be combined with any benign software to create a Trojan horse. There are countless ways of crafting and authoring tools designed to do just that. Thus, the real threat of Trojan horse attack is the unknown.

The malicious payload of a Trojan horse can be anything. This includes programs that destroy hard drives, corrupt files, record keystrokes, monitor network traffic, track Web usage, duplicate e-mails, allow remote control and remote access, transmit data files to others, launch attacks against other targets, plant proxy servers, host file sharing services, and more. Payloads can be grabbed off the Internet or can be just written code authored by the hacker. Then, this payload can be embedded into any benign software to create the Trojan horse. Common hosts include games, screensavers, greeting card systems, admin utilities, archive formats, and even documents.

All a Trojan horse attack needs to be successful is a single user to execute the host program. Once that is accomplished, the malicious payload is automatically launched as well, usually without any symptoms of unwanted activity. A Trojan horse could be delivered via e-mail as an attachment, it could be presented on a Web site as a download, or it could be placed on a removable media (memory card, CD/DVD, USB stick, floppy, etc.). In any case, your protections are automated malicious code detection tools, such as modern anti-virus protections and other specific forms of malware scanners, and user education.

Exploiting Defaults
Nothing makes attacking a target network easier than when that target is using the defaults set by the vendor or manufacturer. Many attack tools and exploit scripts assume that the target is configured using the default settings. Thus, one of the most effective and often overlooked security precautions is simply to change the defaults.

To see the scope of this problem, all you need to do is search the Internet for sites using the keywords "default passwords". There are numerous sites that catalog all of the default user names, passwords, access codes, settings, and naming conventions of every software and hardware IT product ever sold. It is your responsibility to know about the defaults of the products you deploy and make every effort to change those defaults to nonobvious alternatives.

But it is not just account and password defaults you need to be concerned with, there are also the installation defaults such as path names, folder names, components, services, configurations, and settings. Each and every possible customizable option should be considered for customization. Try to avoid installing operating systems into the default drives and folders set by the vendor. Don't install applications and other software into their "standard" locations. Don't accept the folder names offered by the installation scripts or wizards. The more you can customize your installations, configurations, and settings, the more your system will be incompatible with attack tools and exploitation scripts.

Man-in-the-Middle Attacks
Every single person reading this white paper has been a target of numerous man-in-the-middle attacks. A MITM attack occurs when an attacker is able to fool a user into establishing a communication link with a server or service through a rogue entity. The rogue entity is the system controlled by the hacker. It has been set up to intercept the communication between user and server without letting the user become aware that the misdirection attack has taken place. A MITM attack works by somehow fooling the user, their computer, or some part of the user's network into re-directing legitimate traffic to the illegitimate rogue system.

A MITM attack can be as simple as a phishing e-mail attack where a legitimate looking e-mail is sent to a user with a URL link pointed towards the rogue system instead of the real site. The rogue system has a look-alike interface that tricks the user into providing their logon credentials. The logon credentials are then duplicated and sent on to the real server. This action opens a link with the real server, allowing the user to interact with their resources without the knowledge that their communications have taken a detour through a malicious system that is eavesdropping on and possibly altering the traffic.

MITM attacks can also be waged using more complicated methods, including MAC (Media Access Control) duplication, ARP (Address Resolution Protocol) poisoning, router table poisoning, fake routing tables, DNS (Domain Name Server) query poisoning, DNS hijacking, rogue DNS servers, HOSTS file alteration, local DNS cache poisoning, and proxy re-routing. And that doesn't mention URL obfuscation, encoding, or manipulation that is often used to hide the link misdirection.

To protect yourself against MITM attacks, you need to avoid clicking on links found in e-mails. Furthermore, always verify that links from Web sites stay within trusted domains or still maintain SSL encryption. Also, deploy IDS (Intrusion Detection System) systems to monitor network traffic as well as DNS and local system alterations

Wireless Attacks
Wireless networks have the appeal of freedom from wires - the ability to be mobile within your office while maintaining network connectivity. Wireless networks are inexpensive to deploy and easy to install. Unfortunately, the true cost of wireless networking is not apparent until security is considered. It is often the case that the time, effort, and expense required to secure wireless networks is significantly more than deploying a traditional wired network.

Interference, DOS, hijacking, man-in-the-middle, eavesdropping, sniffing, and many more attacks are made simple for attackers when wireless networks are present. That doesn't even mention the issue that a secured wireless network (802.11a or 802.11g) will typically support under 14 Mbps of throughput, and then only under the most ideal transmission distances and conditions. Compare that with the standard of a minimum of 100 Mbps for a wired network, and the economy just doesn't make sense.

However, even if your organization does not officially sanction and deploy a wireless network, you may still have wireless network vulnerabilities. Many organizations have discovered that workers have taken it upon themselves to secretly deploy their own wireless network. They can do this by bringing in their own wireless access point (WAP), plugging in their desktop's network cable into the WAP, then re-connecting their desktop to one of the router/switch ports of the WAP. This retains their desktop's connection to the network, plus it adds wireless connectivity. All too often when an unapproved WAP is deployed, it is done with little or no security enabled on the WAP. Thus, a $50 WAP can easily open up a giant security hole in a multi-million dollar secured-wired network.

To combat unapproved wireless access points, a regular site survey needs to be performed. This can be done with a notebook using a wireless detector such as NetStumbler or with a dedicated hand-held device.

Doing their Homework

I don't mean that hackers break into your network by getting their school work done, but you might be surprised how much they learn from school about how to compromise security. Hackers, especially external hackers, learn how to overcome your security barriers by researching your organization. This process can be called reconnaissance, discovery, or footprinting. Ultimately, it is intensive, focused research into all information available about your organization from public and non-so-public resources.

If you've done any research or reading into warfare tactics, you are aware that the most important weapon you can have at your disposal is information. Hackers know this and spend considerable time and effort acquiring a complete arsenal. What is often disconcerting is how much your organization freely contributes to the hacker's weapon stockpile. Most organizations are hemorrhaging data; companies freely give away too much information that can be used against them in various types of logical and physical attacks. Here are just a few common examples of what a hacker can learn about your organization, often in minutes:
  • The names of your top executives and any flashy employees you have by perusing your archive of press releases.
  • The company address, phone number, and fax number from domain name registration.
  • The service provider for Internet access through DNS lookup and traceroute.
  • Employee home addresses, phone numbers, employment history, family members, previous addresses, criminal record, driving history, and more by looking up their names in various free and paid background research sites.
  • The operating systems, major programs, programming languages, specialized platforms, network device vendors, and more from job site postings.
  • Physical weaknesses, vantage points, lines of sight, entry ways, covert access paths, and more from satellite images of your company and employee addresses.
  • Usernames, e-mail addresses, phone numbers, directory structure, filenames, OS type,Web server platform, scripting languages,Web application environments, and more from Web site scanners.
  • Confidential documents accidentally posted to a Web site from archive.org and Google hacking.
  • Flaws in your products, problems with staff, internal issues, company politics, and more from blogs, product reviews, company critiques, and competitive intelligence services.
As you can see, there is no end to the information that a hacker can obtain from public open sources. This list of examples is only a beginning. Each kernel of truth discovered often leads the hacker to unearth more. Often, a hacker will spend over 90% of their time in information-gathering activities. The more the attacker learns about the target, the easier the subsequent attack becomes.

As for defense, you are ultimately at a loss—mainly because it is already too late. Once information is out on the Internet, it is always out there. You can obviously clean up and sterilize any information resource currently under your direct control. You can even contact third-party information repositories to request that they change your information. Some online data systems, such as domain registrars, offer privacy and security services (for a fee, of course). You can also control or limit the output of information in the future by being more discrete in your announcements, product details, press releases, etc.

However, it is the information that you can't change or remove from the Internet that will continue to erode your security. The only way to manage uncontrollable information is to alter your environment so that it is no longer correct or relevant. Think of this as a new way to deviate from defaults or at least deviate from the previous known.

Monitoring Vulnerability Research
Hackers have access to the same vulnerability research that you do. They are able to read Web sites, discussion lists, blogs, and other public information services about known problems, issues, and vulnerabilities with hardware and software. The more the hacker can discover about possible attack points, the more likely it is that he can discover a weakness you've yet to patch, protect, or even become aware of.

To combat vulnerability research on the part of the hacker, you have to be just as vigilant as the hacker. You have to be looking for the problems in order to protect against them just as intently as the hacker is looking for problems to exploit. This means keeping watch on discussion groups and web sites from each and every vendor whose products your organization utilizes. Plus, you need to watch the third-party security oversight discussion groups and web sites to learn about issues that vendors are failing to make public or that don't yet have easy solutions. These include places like securityfocus.com, US CERT, hackerstorm.com, and hackerwatch.org

Being Patient and Persistent
Hacking into a company network is not typically an activity someone undertakes and completes in a short period of time. Hackers often research their targets for weeks or months, before starting their first tentative logical interactions against their target with scanners, banner-grabbing tools, and crawling utilities. And even then, their initial activities are mostly subtle probing to verify the data they gathered through their intensive "offline" research. Once hackers have crafted a profile of your organization, they must then select a specific attack point, design the attack, test and drill the attack, improve the attack, schedule the attack, and, finally, launch the attack.

In most cases, a hacker's goal is not to bang on your network so that you become aware of their attacks. Instead, a hacker's goal is to gain entry subtly so that you are unaware that a breach has actually taken place. The most devastating attacks are those that go undetected for extended periods of time, while the hacker has extensive control over the environment. An invasion can remain undetected nearly indefinitely if it is executed by a hacker who is patient and persistent. Hacking is often most successful when performed one small step at a time and with significant periods of time between each step attempt - at least up to the point of a successful breach. Once hackers have gained entry, they quickly deposit tools to hide their presence and grant them greater degrees of control over your environment. Once these hacker tools are planted, hidden, and made active, the hackers are free to come and go as they please.

Likewise, protecting against a hacker intrusion is also about patients and persistence. You must be able to watch even the most minor activities on your network with standard auditing processes as well as an auto-mated IDS/IPS system. Never allow any anomaly to go uninvestigated. Use common sense, follow the best business practices recommended by security professionals, and keep current on patches, updates, and system improvements.

However, realize that security is not a goal that can be fully obtained. There is no perfectly secure environment. Every security mechanism can be fooled, overcome, disabled, bypassed, exploited, or made worthless. Hacking successfully often means the hacker is more persistent than the security professional protecting an environment. Ultimately, it is an arms race to see who blinks or falls behind first. With enough time, the right tools, sufficient expertise and skill, mounting information collection, and persistence, a hacker can and will find a way to breach any and every security system.

Confidence Games
The good news about hacking today is that many security mechanisms are very effective against most hacking attempts. Firewalls, IDSes, IPSes, and anti-malware scanners have made intrusions and hacking a difficult task. However, the bad news is many hackers have expanded their idea of what hacking means to include social engineering: hackers are going after the weakest link in any organization's security—the people.

People are always the biggest problem with security because they are the only element within the secured environment that has the ability to choose to violate the rules. People can be coerced, tricked, duped, or forced into violating some aspect of the security system in order to grant a hacker access. The age-old problem of people exploiting other people by taking advantage of human nature has returned as a means to bypass modern security technology.

Protection against social engineering is primarily education. Training personnel about what to look for and to report all abnormal or awkward interactions can be effective countermeasures. But this is only true if everyone in the organization realizes that they are a social engineering target. In fact, the more a person believes that their position in the company is so minor that they would not be a worthwhile target, the more they are actually the preferred targets of the hacker.

Already Being on the Inside
All too often when hacking is discussed, it is assumed that the hacker is some unknown outsider. However, studies have shown that a majority of security violations actually are caused by internal employees. So, one of the most effective ways for a hacker to breach security is to be an employee. This can be read in two different ways. First, the hacker can get a job at the target company and then exploit that access once they gain the trust of the organization. Second, an existing employee can become disgruntled and choose to cause harm to the company as a form of revenge or retribution.

In either case, when someone on the inside decides to attack the company network, many of the security defenses erected against outside hacking and intrusion are often ineffective. Instead, internal defenses specific to managing internal threats need to be deployed. This could include keystroke monitoring, tighter enforcement of the principle of least privilege, preventing users from installing software, not allowing any external removable media source, disabling all USB ports, extensive auditing, host-based IDS/IPS, and Internet filtering and monitoring.



There are many possible ways that a hacker can gain access to a seemingly secured environment. It is the responsibility of everyone within an organization to support security efforts and to watch for abnormal events. We need to secure IT environments to the best of our abilities and budgets while watching for the inevitable breach attempt. In this continuing arms race, vigilance is required, persistence is necessary, and knowledge is invaluable.

Read more!

Friday, March 7, 2008

Windows Vista: Is it secure enough for business?

Microsoft’s latest desktop operating system, Windows Vista, contains a wide range of new features, from the user interface to the heart of the operating system. However, it is the new security-related technologies which were given top priority by Microsoft in response to the many criticisms of the vulnerabilities in Vista’s forerunner, Windows XP. Developments include improved monitoring and reporting on security status, minimized opportunity for attack and improved defense against spyware. There is also a new mechanism to prevent rogue code from being able to make malicious changes to the operating system kernel, and improved browser and firewall functionality.

Windows Security Center

Windows Security Center (WSC) runs in the background, monitoring and reporting on the security status of a computer. First introduced by Microsoft in Windows XP Service Pack 2, the enhanced version in Vista provides greater integration both with other Vista security features and with third-party security solutions.

As with Windows XP, WSC monitors the internet firewall and checks the status of automatic updates and anti-virus software but it has been extended in Vista to include monitoring of anti-spyware applications. Monitoring of the security settings in Internet Explorer 7 and of the new User Account Control function (see below) has also been added.

Part of the reasoning behind the enhancements to WSC is to raise end-user awareness of security issues by alerting them to any problems. While this clearly has home-user benefits, businesses and other organizations like education and government institutions will find this both insufficient and annoying and so might well choose to disable these
end-user alerts.

In addition, some security vendors have reacted negatively to the fact that WSC cannot be automatically disabled when their alternative security solutions are installed, although Sophos cannot see why any vendor should object to a built-in security center reporting on the status of its software.

User Account Control

User Account Control (UAC) is one of the most important security features in Windows Vista. Its objective is to minimize the opportunity for attack, preventing the installation of today’s malware threats, in a scenario where end users are given local administrator rights. As with Windows XP, end users are given administrator rights by default. However, instead of invoking administrator status in a blanket fashion across all applications, the Vista login generates two security tokens: StandardUser and Administrator.

By default, Vista assigns the StandardUser token to applications, so applications that do not require administrator rights will run with no user intervention. However, many applications require administrator privileges and in this case the Administrator token is invoked and the user is asked to cancel or allow the program as appropriate, as shown in the figure.


From a security point of view UAC is a significant step forward and the principle of the least required privilege is theoretically a good one as, by default, registry and file system access are restricted. This means that malware is prevented from automatically copying itself to locations such as the Windows system folder and cannot be written to registry keys in order to be automatically launched by the operating system. The principle of the StandardUser token also prevents malicious applications from writing to the memory space of other processes, a technique commonly used by malware to bypass personal or client firewalls.

Unfortunately UAC is not just secure but intrusive, with a high level of alerts, many of which are not intuitive for non-technical users. The danger is that they will automatically select “Allow” when prompted, without fully considering whether they should. The other danger is that UAC can be disabled – and indeed many beta testers chose to do this – which removes the improved security.

Windows Defender

Windows Defender is a free anti-spyware program built into Windows Vista that will detect and remove some adware, spyware and other unwanted programs. The software uses automatic updates provided by Microsoft analysts to help detect and remove new threats as they are identified. This protection does not offer comprehensive antimalware protection, in spite of the fact that the information in WSC implies that it does.

Windows Defender only supports Windows XP Service Pack 2 or later, or Windows Server 2003 Service Pack 1 or later. It does not support other operating systems including Windows 95/98/Me and 2000. And because it is targeted at the consumer market it does not offer any central administration capabilities. So it offers little to multi-platform, centrally managed enterprise networks.


Kernel protection

Two new mechanisms have been introduced to protect the operating system kernel – Kernel Patch Protection (KPP), or PatchGuard, and mandatory signing of drivers.

KPP has been implemented in 64-bit Vista to prevent a particular type of malicious activity that manipulates the operating system kernel, causing serious security breaches and adversely impacting the stability, reliability and performance of the operating system and user applications. Commonly known as “rootkits” this type of malware is often used to hide other potentially unwanted software, such as bots and spyware. KPP prevents kernel mode drivers from extending or replacing operating system services and should therefore stop rogue drivers from making malicious changes to the kernel.

KPP has not been added to 32-bit Vista since many programs (including security software) use the kernel space in an undocumented way and Microsoft was concerned about compatibility with the existing application set. This means that 32-bit systems remain vulnerable to rootkit attack. However, the second kernel protection mechanism – mandatory signing of drivers – has been implemented in both 32-bit and 64-bit Vista and can be set to prevent unsigned drivers from loading.

Some security vendors have complained that they are being “locked out” of the Vista operating system kernel by KPP. This is because they need to be able to make changes inside Microsoft’s kernel in order to ensure their existing products can support 64-bit versions.

While it is true that there will now be some dependency on Microsoft to deliver kernel interfaces which could slow all security vendors down, this is more than compensated for by the additional security offered by a locked down kernel. Windows Vista with KPP is a step in the right direction for customers – although, since this is a software mechanism it is quite likely that it will be circumvented by malware writers sooner or later – and security vendors should embrace and work with it rather than fight it.


Internet Explorer 7

Windows Vista’s built-in web browser, Internet Explorer 7 (IE7), includes security enhancements designed to protect users from phishing and spoofing attacks. In protected mode it helps prevent data and configuration settings from being deleted or changed by malicious websites or malware.

The feature is enforced by a new mechanism, called Mandatory Integrity Control, whereby every process has an integrity level assigned and each level limits access to system objects (registry, file system, other processes. etc).

The new IE7 protected mode actually runs IE with the integrity level “Low” – which is lower than the default for most user processes. This happens for all security zones except the trusted zone. Downloaded programs inherit the low integrity level which should prevent malicious programs and PUAs from infecting the system and integrating with the browser.

IE7 also has a phishing filter, which helps users browse more safely by advising them when websites might be attempting to steal their confidential information. The filter works by analyzing website content, looking for known characteristics of phishing techniques and using a global network of data sources to decide if the website should be trusted.


Windows Firewall

Windows Vista includes a new firewall that goes beyond the Windows XP Service Pack 2 firewall. Application-aware outbound filtering has been added as have location-based profiles, which allow users to set up different rules based on the network location.

However, the default policy is still to allow all outgoing traffic and the default settings will not provide any additional protection over the firewall in XP SP2.

In addition, although some management is available through Group Policy, the central management function does not provide enterprise administrators with the visibility, monitoring, policy configuration and rapid response capability that enterprise-level security management consoles deliver.

Other security features

Windows Vista also includes improved Wi-Fi security, readiness for multi-factor authentication, BitLocker data protection, a Network Access Protection client, and improved auditing for compliance.

In Windows Vista, wireless networking is more secure by default, and includes support for the latest and most secure wireless networking protocol, Wi-Fi Protected Access 2 (WPA2).

Windows Vista comes with an API to make it easier to add smart card and other systems such as biometrics to Windows authentication, to make it harder for hackers to gain access to computers and data through password cracking or social engineering techniques.

Enhanced encryption enables organizations to protect against theft or loss of corporate intellectual property. Windows Vista has improved support for data protection at the document, file, directory, and machine level, including the ability to define which employees have access to certain data. Encryption keys can now be stored on smart cards. The BitLocker disk encryption system provides some protection against hacking attacks that involve booting from removable disks.

The Network Access Protection (NAP) client can be used to prevent rogue or unprotected computers gaining full access to a network, although it will only really be implementable once the necessary server components are released with the next release of Windows Server, codenamed Longhorn, expected to be released soon.

Read more!

Wednesday, March 5, 2008

How Does Ping Really Work?

Introduction

Ping is a basic Internet program that most of us use daily, but did you ever stop to wonder how it really worked? I don’t know about you, but it bugs me when I do not know how something really works. The purpose of this paper is to resolve any lingering questions you may have about ping and to take your understanding to the next level. If you do not happen to be a programmer, please do not be frightened off! I am not going to tell you how to write your own version of ping; trust me.

I am guessing that you know basically how the TCP/IP ping utility works. It sends an ICMP (Internet Control Message Protocol) Echo Request to a specified interface on the network and, in response, it expects to receive an ICMP Echo Reply. By doing this, the program can test connectivity, gauge response time, and report a variety of errors.


ICMP is a software component of the Internetworking layer of TCP/IP; essentially, it is a companion at that level to IP (Internet Protocol) itself. In fact, ICMP relies on IP for transport across the network. If you observe this sort of network traffic, say on an Ethernet network, then your protocol analyzer would capture an Ethernet frame transporting an IP datagram with an ICMP message inside.

Enter the problem: Since the ping program executes at the Application layer, how does it make ICMP do these tricks? You may recall, if you are a student of TCP/IP, that the Host-to-Host layer is sandwiched between these entities. Is that bypassed? If so, then how? Who is responsible for formatting these messages (Echo Request and Echo Reply)?

More vexingly, when unexpected ICMP responses, other than the customary Echo Reply, result from the Echo Request, how is it that they find their way to the ping program? This last question may seem obvious, but it is not. ICMP messages contain no addressing information that allows the TCP/IP protocol stack to discern the program that is to receive the message. TCP and UDP use port numbers for this purpose. So, how does this work?


Background

The TCP/IP protocol stack is organized as a four-layer model (see Figure). The lowest layer, commonly called the Network Interface or Network Access layer, is analogous to OSI layers 1 and 2, the Physical and Data Link Control layers. This includes things like media, connectors, signaling, physical addressing, error detection, and managing shared access to the media. For most of us this translates into Ethernet and our cabling system.

The layer above the Network Access layer, the Internetworking layer, is best likened to OSI layer 3, the Network layer. Here we expect to find logical addressing and routing: things that facilitate communication across network boundaries. This is where IP and its addressing mechanisms reside, as does ICMP.

ICMP is a necessary component of any TCP/IP implementation. It does not exist to provide information to the higher-layer protocols (like TCP and UDP) so that they may be more reliable. Rather, ICMP provides network diagnostic capabilities and feedback to those responsible for network administration and operation. See RFC 792, if you are really interested.

Above the Internetworking layer is the Host-to-Host layer, which is the counterpart of OSI layer 4, the Transport layer. I like to think that this also includes some of the Session layer (5) functionality as well. This is where we expect to find facilities for reliable end-to-end data exchange, additional error checking, and the means to discriminate one program from another (using port numbers). TCP and UDP reside at this level.

At the top of the stack, the Application or Process layer, we find high-level protocols (like SMTP, HTTP, and FTP) implemented. This is where applications execute as well. So when you do a ping, the ping program should be perceived to function at this level.


A Minor Mystery

With ICMP operating at the Internetworking layer and the ping program at the Application layer, how is the Host-to-Host layer bypassed? The answer lies in an understanding of what are known as “raw” sockets.

Well, for openers, what is a socket, right? Abstractly, a socket is an endpoint to communication, usually thought to consist of an IP address and port number, which identify a particular host and program, respectively. But a programmer has a slightly different perspective on a socket. From his vantage point, “socket” is a system function that allocates resources that enable the program to interact with the TCP/IP protocol stack beneath. The addressing information is associated with this only after the socket call is made. (Again, if you are interested, this is the role of the “bind” function.) So, take note, it is possible to allocate a socket and not overtly associate any addressing information with it.

There are three commonly encountered types of sockets: stream, datagram, and raw. TCP uses the stream type and UDP uses the datagram type. Raw sockets are used by any application that needs to interact directly with IP, bypassing TCP and UDP in doing so. Customers include routing protocol implementations like routed and gated (that implement RIP and OSPF). It also includes our friend ping.

There are some special considerations in using raw sockets। Since you are circumventing the facilities of the Host-to-Host layer, you forego the program addressing mechanism, the port numbering scheme. This means that programs that employ raw sockets must sift through all incoming packets presented to them in order to find those packets that are of interest.

What Actually Goes On

When the ping program begins execution, it opens a raw socket sensitive only to ICMP. This means two things:

  • On output: the sending of ICMP Echo Requests, the program is required to format the ICMP message. The system will provide the IP header and the Ethernet (usually) header.
  • On input: the program must examine all ICMP messages coming in and cull out the items of interest. The expected input is ICMP Echo Replies.

Let us take these things in turn.

On the outbound side, the Echo Requests are formatted in the manner shown in Figure. The message type is always the coded value eight (8). The code field always contains zero. The checksum is used for error detection. The ICMP message header and data are included in its computation. The ping program performs this calculation and fills in the blank. The identification field follows and is supposed to contain the process ID (PID) that uniquely identifies that execution of the ping program to the operating system. On Windows systems, this field contains the constant value 256. Next is the sequence number field, which starts at 0 and is bumped by one on each Echo Request sent. After these required fields, optional test data will follow. In the ping implementation that I examined (Slackware Linux), this included a timestamp used in the round-trip time calculation upon receipt of the Echo Reply.

As for inbound ICMP messages, ping’s task is a bit more complex. Because ping is using a raw ICMP socket, the program is presented with a copy of all incoming ICMP messages, except for a few special cases like incoming Echo Requests generated by other people pinging us (the latter are handled by the system). This means that ping sees not only the expected Echo Replies when they arrive but also things like Destination Unreachable, Source Quench, and Time Exceeded messages. (Figure summarizes the ICMP message types.)

Now think about this for a moment. If you have two copies of the ping program running at the same time, then they are each going to see one another’s Echo Replies and any other “nastygrams” that might show up. Each instance of the program must identify the messages that are relevant to it. If you guessed that this is what the PID (identification) field is used for then you are absolutely right.

How does the Windows flavor of ping accomplish this feat without the PID? You got me. That sounds like a topic for a future article. Let me get back to you on that.

Interestingly, the messages coming in are handed to ping with the IP header still intact. So, the program has access to important things there like the time-to-live (TTL) value and record route information (if the latter option is turned on).

Summary
At this point, you should have a fairly complete understanding of the cycle of processing associated with ping. Let me recapitulate the essential elements:
  • As the ping program initializes, it opens a raw ICMP socket so that it can employ IP directly, circumventing TCP and UDP
  • Ping formats an ICMP type 8 message, an Echo Request, and sends it (using the “sendto” function) to the designated target address. The system provides the IP header and the data link layer envelope.
  • As ICMP messages are received, ping has the opportunity to examine each packet to pick out those items that are of interest
  • The usual behavior is to siphon off ICMP type 0 messages, Echo Replies, which have an identification field value that matches the program PID.
  • Ping uses the timestamp in the data area of the Echo Reply to calculate a round-trip time. It also reports the TTL from the IP header of the reply.
  • When things do not work normally, ping may report some of the other ICMP message types that show up in the inbox. This includes things like Destination Unreachable and Time Exceeded messages.

Read more!

Thursday, January 10, 2008

10 security blunders

While one of the following links is actually from early 2008, they all refer to issues that arose during the year of 2007.

  1. The UK privacy breach: An employee of Her Majesty’s Revenue and Customs Office mailed two CDs containing confidential data on about 25 million UK citizens, including names, addresses, insurance account numbers, and bank account details for claimants in the national child benefit database. These CDs never made it to their destination. Just in case you think someone having your bank account number is no big deal, you should read about what happened to Top Gear TV series host Jeremy Clarkson when he published his account information in a newspaper to “prove” that having someone’s bank account will do nothing for a malicious party. At least Clarkson owned up to the mistake and started advocating disincentives for such poor security practice. I particularly like when he said “we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy.”
  2. Embassies confuse anonymity with security: Swedish security consultant Dan Egerstad showed that people all over the world, most notably certain embassies, tend to assume that using the Tor anonymizing network means they’re secure. Somehow, they’ve missed the importance of encryption to protect their data. One must wonder why governments are so bad at security. By the way, the Swedish equivalents to the FBI and CIA raided Egerstad’s apartment for undisclosed reasons, accused him of several crimes, then released him without charges.
  3. The iPhone runs everything as root: As Wired put it, IPhone’s Security Rivals Windows 95. This is very bad — and, of course, the root password for the iPhone was cracked in just three days. It had to happen eventually. To be fair, Windows Mobile devices all run everything as the administrative user as well, but this is not exactly unexpected (so it’s less notable). Credit to the fine folks at Metasploit for figuring it out, and figuring out how to make use of that fact.
  4. Sears installs spyware on customer computers: The depth and breadth of harvested data is truly frightening, and you just have to read it to believe it. Do not join the “My SHC Community”. Worse yet, if you follow the update link at the beginning of the article, you’ll find out that Sears (KMart is involved, too) is playing some pretty sketchy games with privacy policy presentation, based on whether the spyware is installed on your system. Considering this example, that’s probably reason enough to avoid ever getting mixed up in any online Sears community, but that’s not all. . . .
  5. Your Sears buying habits may be public knowledge: In short, by joining the Sears “Manage My Home” community, you can search through the Sears purchase history of anyone whose name and address you know. Not only should you avoid joining online Sears communities but, it seems, you should avoid shopping there as well. Apparently, major corporations are as bad as government agencies when it comes to security — especially Sears.

Old News

What follows is a list of older news items, from before 2007, that are still interesting and worth knowing about.

  1. Switching from Unix to MS Windows proves disastrous for air traffic control: A problem with a Microsoft Windows 2000 solution used to replace Unix air traffic control servers required regular restarts — and when the restart was overlooked once, it endangered 800 commercial aircraft in 2004.
  2. MS Windows crash cripples UK government agency: Only a couple months after the air traffic control debacle, almost the entire UK Department of Work and Pensions network crashed. This event was called the biggest crash in public sector history.
  3. The Pentagon improperly redacted text in a declassified document: Text was masked in a PDF by painting black lines over it, as if a physical, hardcopy, paper document had a black marker run over the relevant sections of text. Of course, doing that with Adobe Acrobat tends to leave all the text intact and recoverable, as such black “painting” occurs on a separate document layer. A Greek medical student at Bologna University recovered the obscured text with a couple of mouse clicks in 2005.
  4. The VA privacy breach: More than 26 million US military veterans’ personal data — including names, birthdates, and social security numbers — were taken home by a Veterans Administration employee. As necessitated by Murphy’s Law, the data was stolen (of course). It was stored on an unencrypted drive in the employee’s laptop but, surprisingly, it seems the thieves did not know what they had and the data was not used for identity theft purposes.
  5. Sony may have the worst consumer security record of any corporation: The six-part Boing Boing series on Sony’s “anti-consumer technology” problems makes a compelling case for getting your technology from anyone but Sony. If you thought the 2005 Sony rootkit was the only problem, you haven’t been paying attention — the rootkit installed even if you told it not to, there was a second Sony rootkit, the rootkit remover itself caused security issues, and the RIAA said it’s no big deal because other record labels also install rootkits. Somehow, I do not find that very reassuring

Read more!