
AISA

When I worked for Red Hat I joined AISA [1] (the Australian Information Security Association – formerly known as ISIG). Red Hat marketing paid for my membership so it was a good deal, I went to meetings (which often had free drinks), said good things about Red Hat security, and it cost me nothing.

I was recently asked why I chose not to renew my membership, I didn’t have time to give a full answer so I’ll blog it now.

AISA offers discounts on some conferences, books, and training related to computer security, if you plan to purchase such things then they do offer good deals. However I have little time to attend conferences at the moment, not enough time to read all the free Internet resources related to computer security, and feel no need to pay for such training. If at any time I plan to attend a conference where the discount for AISA members is equal or greater than the AISA membership fee then I can easily re-join.

AISA membership seems largely to consist of managers and consultants not technical people or people doing R&D type work. This isn’t a bad thing if you are a manager or consultant, but when attending AISA meetings I don’t meet the type of people I meet at events such as SecureCon [2], Linux Conf Au [3], RuxCon [4], and the SE Linux Symposium [5] (which I think is not going to be held again for a while). Meetings of my local LUG [6] typically have more people doing serious technical work related to computer security than the AISA meetings I’ve attended.

The AISA code of Ethics has as its second criterion “I will comply with all relevant laws“. Some laws can not be obeyed by decent people (study some German or Russian history or what is happening in China right now for examples). Many other laws should not be obeyed. Many countries (including Australia) have enacted many laws which should not be obeyed in the name of the “war on terror“.

A final thing that irked me about AISA is their professional membership system (click on this link and download the AISA_Professional_Membership_Requirements_Nov_2006 document for details). It seems that I don’t qualify because I don’t have one of the listed certifications, and a public credit on the NSA web site [7] doesn’t count (yes, I asked about this). I’m not overly worried about this, I figure that any clique that won’t accept me also won’t accept a significant portion of the people that I want to associate with – so we can hang out elsewhere. I don’t recall there being any great benefit to professional membership apart from the possibility of adding it to your business card if you are so inclined (I don’t recall ever putting B.Sc [8] on a business card and don’t plan on adding anything less).

There are some real benefits to AISA membership, but not for me.


SE Linux in other Distributions

Recently a user has been asking about SE Linux support in MEPIS [1]. He seems to expect that as the distribution is based on Debian it should have the same SE Linux support as is in Debian.

The problem with derived distributions (which potentially applies to all variants of Debian, Fedora, and RHEL) is that the compilation options used may differ from what is required for SE Linux support.

If an application works in Debian then you can expect that it will work in all derived distributions. But SE Linux is not an application, it is a security extension to the OS which includes code in the kernel, login, cron, pam, sshd, logrotate, and others. For any one of these packages a maintainer of a derived distribution might decide to turn off features to save disk space or memory, or because they want to use features which don’t work well with them (due to functional differences or bugs). The maintainer of a derived distribution might even decide that they just don’t like a feature and disable it for that reason alone!

I believe that it is possible to use APT with multiple repositories and specify preferences for each repository. So it should be possible to use a source such as MEPIS for most packages but Debian (or my private repository of SE Linux back-ports [2]) for the packages which need SE Linux support.

That said, I am not sure why someone would want to use MEPIS with SE Linux. Currently the benefits of SE Linux are of most use for a server and MEPIS is a desktop focussed distribution. Debian works reasonably well for a desktop (it has worked well for me for most of the past 11 years), so it seems that Debian for a SE Linux desktop machine is a good choice and Debian is a better choice than MEPIS for a server.


Safe Banking by SMS?

Is it possible to secure Internet banking with SMS?

As secure tokens are too expensive ($10 or more in bulk) and considered to be too difficult to use by many (most?) customers banks have sought out other options. One option that has been implemented by the National Australia Bank and will soon be available from the Commonwealth Bank is SMS authentication of transfers.

The idea is that when you issue an online banking request you receive an SMS with a password and then have to enter that password to authenticate it. If you receive an unexpected password then you know you have been attacked. I wonder how much information is in the SMS, does it include the amount and where the money is to be transferred (in the case of a funds transfer – the operation most likely to be used by attackers)? If the full details are not included then an attacker could hijack an active session, get the user to enter the password, and then act as if the user entered the password incorrectly. The user would then request a new SMS and complete their desired transfer without realising that they just authorised a transfer to Russia…

If the full details are recorded will the user look at them? Online banking fraud often involves transferring the funds to an idiot in the same country as the victim. Then the idiot sends the money to the attacker in some other manner which is more difficult to track. I wonder whether an attacker could divert the funds transfer to one of the idiots in question and have the victim not realise that the wrong account number was used.

Another issue is that of SMS interception. Anyone who can hack the network of a phone company could steal money from any bank account in the country! For wealthy people there is also the possibility of stealing their mobile phone and making funds transfers before they report the theft. Another possibility is to register for a new phone company. Last time I changed phone companies it took about an hour for the new company to have the phone number and I don’t recall the phone company doing anything to verify that I owned the number in question. If an attacker had a credit card with the same name as the victim (names are not unique so this is not impossible or even inherently illegal) they could open a new phone service and steal the number. Someone whose mobile phone stops working probably wouldn’t assume that it was part of a bank fraud scheme and act accordingly, in fact if they don’t use their mobile phone later it might be several days before someone contacts them in some other manner and mentions that they weren’t answering their mobile phone.

A final possibility is the situation where a mobile phone is connected to a computer. Devices that combine mobile phone and PDA functionality are becoming common. A trojan horse program that offered to do something useful when a mobile phone was connected to the PC via a USB cable might fool some users. All that would be required is a few minutes of the phone being connected if the attacker already has the password for online banking. Maybe they could even make it appear that the bank was demanding that the phone be connected to the PC – that should fool users who don’t understand how SMS authentication works.

It seems to me that SMS authentication is an improvement (it adds an external device which usually can’t be directly manipulated by the attacker) but is far from perfect security.

I previously wrote about the bad idea that you can bank with an infected computer [1]. SMS authentication is a good step towards making things more difficult for attackers (which is always a good idea) but doesn’t really secure the system. Also it costs 5 cents for each SMS, I expect that the banks will want their customers to pay for this – I would rather pay for a $10 token up-front.


Restorecon Equivalent for Unix Permissions

SE Linux has a utility named restorecon to set (or reset) the security context. This is useful for many reasons, corrupted filesystems, users removing files or changing the context in inappropriate ways, and for re-creating files from tar files or backup programs that don’t restore SE Linux contexts. It can also be used to report the files that have different contexts to that which would be set by restorecon to verify the contexts of files.

Restorecon determines the context from two sources of data, one is the policy that came with the system (including any policy modules from other sources which were loaded) and the other is the local file contexts that were created by semanage.

It’s a pity that there doesn’t seem to be an equivalent program for Unix permissions. rpm has a -V option to verify the files from a package and dpkg doesn’t seem to have an option to perform a similar operation (/var/lib/dpkg/info/* doesn’t seem to have the necessary data). But even on an RPM based system this isn’t possible because there is no way to add local files into the list.

I would like to be able to specify that an RPM system should have root:root as the owner and permission mode 0755 for all files matching /usr/local/bin/* and use a single command to check the RPM database as well as this extra data for the permissions of all files.

Does anyone know of any work in this area?

I’m going to file Debian and Fedora bug reports about this, but I would appreciate any comments first.

Update:

Here is an example of how this feature works in rpm:
# rpm -Vv nash
........ /sbin/nash
........ d /usr/share/man/man8/nash.8.gz
# chmod 700 /sbin/nash
# rpm -Vv nash
.M...... /sbin/nash
........ d /usr/share/man/man8/nash.8.gz

The “M” character indicates that the permission mode of the file does not match the RPM. There is no way to automatically correct it (AFAIK) but at least we know that something changed. With Debian AFAIK it’s only possible to verify file checksums not the permission.
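A minimal version of the missing tool, as an added example (not a program mentioned in the post and not part of rpm or dpkg): it reads a manifest of glob patterns with the wanted owner, group and octal mode, reports mismatches in an rpm -V style flag format, and with a second argument of "fix" resets them the way restorecon does for contexts. It assumes GNU stat (the -c option) and lets "-" in the owner or group column mean "don't check".

```shell
#!/bin/sh
# Added example: "restorecon for Unix permissions". Not the post's code.
# Manifest format, one rule per line, '#' comments allowed:
#   <glob>             <owner> <group> <octal mode>
#   /usr/local/bin/*   root    root    0755
# Usage: check_perms MANIFEST [fix]
# Each mismatching file is printed as a three-character flag field
# (M=mode, U=owner, G=group, '.'=ok, in rpm -V style) followed by the path.
# Returns 0 if everything matched, 1 if something mismatched, 2 if a fix failed.
check_perms() {
    manifest="$1"
    fix="${2:-}"
    rc=0
    while read -r pattern owner group mode; do
        case "$pattern" in ''|'#'*) continue ;; esac
        want_mode=$(printf '%04o' "0$mode")      # normalise 755 / 0755 / 4755
        for f in $pattern; do                     # unquoted on purpose: expand the glob
            [ -e "$f" ] || continue
            actual=$(stat -c '%U %G %a' "$f") || { rc=1; continue; }
            set -- $actual                        # $1=owner $2=group $3=mode
            have_mode=$(printf '%04o' "0$3")
            flags=""
            if [ "$have_mode" = "$want_mode" ]; then flags="${flags}."; else flags="${flags}M"; fi
            if [ "$owner" = - ] || [ "$1" = "$owner" ]; then flags="${flags}."; else flags="${flags}U"; fi
            if [ "$group" = - ] || [ "$2" = "$group" ]; then flags="${flags}."; else flags="${flags}G"; fi
            if [ "$flags" = "..." ]; then continue; fi
            printf '%s %s\n' "$flags" "$f"
            rc=1
            if [ -n "$fix" ]; then                # the "restore" half: reset to the manifest
                chmod "$want_mode" "$f" || rc=2
                [ "$owner" = - ] || chown "$owner" "$f" || rc=2
                [ "$group" = - ] || chgrp "$group" "$f" || rc=2
            fi
        done
    done < "$manifest"
    return $rc
}
```

Run it against a manifest and then "rpm -V" (or a checksum check on Debian) to cover both the packaged files and the local extras the post asks for.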


SecureCon Lecture

On Thursday at Secure Con [1] I gave a lecture about SE Linux that went according to plan, and they gave me a nice bottle of Penfolds Shiraz afterwards (thanks to the sponsors).

During my lecture I announced my plan to run the hands-on training session over the net. The idea is that the Debian and CentOS images from jailtime.org with minor modifications will be put online somewhere for anyone to download. Anyone can then run the images on their own Xen server, go through the exercises, and ask questions on IRC at the same time. If you are interested in such training then please indicate in a comment what times would be good for the IRC discussion. Note that I’m only available between 7AM and 10PM starts in time zone +1100 (that is 20:00 to 11:00UTC for the starting time), the finishing time would be two hours later – and it would be possible to do the training in multiple sessions.

One interesting thing was that at the end the moderator of the session offered a box of lollies to the first person who could tell him my user-name (which was included in ls output on one of the slides).

Afterwards I was in idle conversation with some delegates and the topic of the Mac Mini [2] machines came up. Those machines are smaller than the Cobalt Qube (that I have in the past lugged around for portable SE Linux demonstrations), quite powerful (1G of RAM with an 80G hard drive seems to be the minimum for buying new at the moment), and they have keyboard and video ports which is often more convenient than sys-admin by serial port. I am now patiently waiting for Intel-based Mac Minis to start selling cheaply on eBay. Such a machine with 1G of RAM would make a nice SE Linux demo machine, I could run at least 7 Xen DomUs for different users! Of course a second-hand laptop would do just as well, but laptops seem to hold their value better than most other machines.

One thing that disappointed me was the small turn-out for the conference dinner. It seemed that as there was a gap in the program between the official end of the conference at 5PM and dinner at 6PM most people decided to go home. One thing to note for future events is that leaving gaps in this way is probably a bad idea. Maybe if they had said “drinks at the restaurant from 5PM and dinner at 6PM” then the turn-out would have been better.


SecureCon Tutorial

My SecureCon tutorial went quite badly today. After having network problems and having both the Xen servers crash for no apparent reason I had to give up and give an impromptu lecture.

The original plan had been to use two Xen servers which each had 15 instances and have the delegates go through a training program that involved installing SE Linux on Debian and CentOS and comparing the features of them for various tasks.

Instead I spent just over two hours talking about SE Linux without notes (the beamer didn’t like my laptop and the desktop it was connected to was locked). I did end up getting another desktop machine working later in the lecture to type some notes.

My plan now is to make all the files available for download, additionally make some instances available on one of my servers, and then run some training via IRC.

Xen for Training

I’m setting up a training environment based on Xen. The configuration will probably be of use to some people so I’m including it below the fold. Please let me know if you have any ideas for improvements.

The interface for the user has the following documentation:

  • sudo -u root xen-manage create centos|debian [permissive]
    Create an image, the parameter debian or centos specifies which
    distribution you want to use and the optional parameter permissive
    specifies that you want to use Permissive mode (no SE Linux access controls
    enforced).
    Note that creating an image will leave you at its console. Press ^]
    to escape from the console.
  • sudo -u root xen-manage list
    Display the Xen information on your DomU. Note that it doesn’t tell you whether
    you are using Debian or CentOS, you have to access the console to do that.
  • sudo -u root xen-manage console
    Access the console.
  • sudo -u root xen-manage destroy
    Destroy your Xen image – if it’s crashed and you want to restart it.



Squid and SE Linux

Is Squid not returning some data you need on a SE Linux system?

The default configuration of the SE Linux policy for Squid only allows it to connect to a small number of ports which are used for web servers. For example ports http (80) and https (443) are labelled as http_port_t which permits servers such as Apache to bind to them and Squid to connect to them. But sometimes services run on non-standard ports and periodically new services are devised which use the HTTP protocol and thus you have Squid and Apache using new ports.

semanage port -a -t http_port_t -p tcp 11371

One example of such a port is hkp (11371) – the latest protocol for sending and receiving GPG/OpenPGP keys. Running the above command relabelled the TCP port 11371 in question as http_port_t and thus allowed everything to work.

setsebool -P squid_connect_any 1
An alternate option would be to run the above command to allow Squid to connect to any port.

I will suggest that the upstream policy be changed to make the default labelling of TCP port 11371 be http_port_t, but the same operations can be used for other ports.

Some people may claim that this makes things difficult for sys-admins. But the fact is that a well known port is a significant resource that you don’t want to permit any random user to access. Not only do the SE Linux port access controls prevent malice, but they also prevent system programs from accidentally using the wrong ports. A common example of accidental mis-use is the port 631 used for the IPP (Internet Printing Protocol – CUPS). When system programs need to use TCP source ports below 1024 they start at 1023 and work their way down, having such programs get down to 631 is not uncommon (there are some error conditions which result in ports being reserved for some minutes after use). In terms of malicious operations, it seems that the ports used by database servers such as MySQL and PostgreSQL would ideally be inaccessible to a Squid proxy, and services such as network backup should be inaccessible to everything other than the backup software.
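A practical caveat when applying the semanage command above, as an added example that is not from the post: "semanage port -a" refuses with "already defined" when the port already carries an explicit label of another type, in which case "-m" (modify) is what you want, and nothing is needed if it already has the wanted type. The helper below reads the current map in "semanage port -l" format and picks the sub-command; the sample output it is checked against is constructed (the 11371 line assumes the port already carries some other type).

```shell
#!/bin/sh
# Added example, not the post's code: choose between "semanage port -a" and
# "semanage port -m" for labelling a port. Reads "semanage port -l" output on
# stdin and prints one of: add, modify, none.
# Only exact port entries count; range entries such as 1024-65535 do not make
# "-a" fail, so they are ignored here.
semanage_port_action() {
    ptype="$1" proto="$2" port="$3"
    current=$(awk -v proto="$proto" -v port="$port" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)      # entries look like "80, 81, 443"
                if (p == port) { print $1; exit }
            }
        }')
    if [ -z "$current" ]; then
        echo add
    elif [ "$current" = "$ptype" ]; then
        echo none
    else
        echo modify
    fi
}

# Apply it on a live system, e.g. label_port http_port_t tcp 11371 for the
# hkp case in the post. Changes made with -a/-m persist across reboots and
# policy updates, unlike the blunt "setsebool -P squid_connect_any 1".
label_port() {
    ptype="$1" proto="$2" port="$3"
    case "$(semanage port -l | semanage_port_action "$ptype" "$proto" "$port")" in
        add)    semanage port -a -t "$ptype" -p "$proto" "$port" ;;
        modify) semanage port -m -t "$ptype" -p "$proto" "$port" ;;
        none)   echo "$proto/$port is already $ptype" ;;
    esac
}

# Constructed sample of "semanage port -l" output for an offline check.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pgp_port_t                     tcp      11371
postgresql_port_t              tcp      5432'

# On the sample, tcp/11371 already has another type, so "modify" is expected.
[ "$(echo "$SAMPLE_PORTS" | semanage_port_action http_port_t tcp 11371)" = modify ] && echo "sample ok"
```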


SecureCon 2007

I am running a tutorial and giving a talk about SE Linux at SecureCon 2007 [1].

The tutorial will go for 3 hours on Wednesday the 7th of November and will cover using SE Linux in CentOS 5 and Debian Etch, it will be a hands-on tutorial where every delegate gets ssh access to their own Xen DomU.

The lecture is on Thursday the 8th of November and will be a 45 minute talk with an overview of SE Linux. It will be similar to my speech at the AUUG conference [2] but probably cover more of the features. The AUUG talk was driven by questions from the audience to spend a lot of time justifying SE Linux design decisions which took time away from other material. This wasn’t inherently a problem (I provided the information the audience seemed to want and everyone seemed happy), but I would like to cover more of the features and new developments.


New SE Linux Play Machine Online

After over a year I have finally got a SE Linux Play Machine online again.

The details for logging in are at this link [1]. I’ve created T-shirt and mug designs with the login details too, they are on cafepress.com LINK [2]. For fun wear such a shirt to a conference (or even when shopping at your local electronics store. ;)