2006 Open Source Symposium

Today (well yesterday as of 30 minutes ago) I spoke at the Open Source Symposium in Melbourne. This is an event sponsored by Red Hat. The first day was the business day and the second day was the Red Hat developers day.

I attended both days and spoke on the second day (today). My talk was about designing and implementing a secure system on Red Hat Enterprise Linux 4 (the Inumbers system for gatewaying SMS to email, which is in Beta at the time of writing). I covered designing systems for least privilege via a set of cooperating processes running under different UIDs, secure coding principles, and SE Linux policy design. My presentation notes are HERE (in OpenOffice 2.0 format).

The talk seemed to be well accepted, so I’ll probably offer variations of it at other venues in the near future. I’m thinking of making a half-day workshop out of it.

While at the symposium one of the SGI guys mentioned that an XFS expert was in Melbourne temporarily. I suggested that such experts should be encouraged to give a talk about their work when they are in town. As a result I arranged a venue for a talk on XFS; I had the venue arranged in about 4 hours, which meant that LUV members got about 24 hours notice. I wasn’t able to attend the meeting due to prior commitments, so I’m not sure how it went.

terrorist “weakest link”

In the game show The Weakest Link competitors get voted off, usually not on whether they are weak but on whether the other contestants consider them to be a threat. It’s mildly amusing as a TV game show but not funny at all when carried out on an airline.

Recently a flight from Malaga to Manchester was delayed because two passengers were considered to be suspicious by other passengers (either 6 or 7 passengers refused to get on the plane because of this). The passengers were thought to be speaking Arabic (as if there was anyone on the plane who would recognise Arabic when they heard it) and because they were wearing coats and looking at their watches. The two men in question had been searched twice and found to be clean, but a bunch of idiots on a plane thought they knew better and demanded that the passengers in question be removed.

Lessons to be learned from this for travelling to/from coalition of the willing countries:

  1. Avoid the urge to check your watch when your flight is being delayed unless you are white. Non-white people who do what white people do in this situation are considered to be terrorists.
  2. When travelling to a cold place (such as Manchester) you want to have a coat to wear when getting off the plane. The airline staff won’t allow you enough hand-luggage space to store a coat so you will want to wear it when getting on the plane. This is fine if you are white, but if not white just deal with the fact that you will shiver when disembarking.
  3. Learn to speak English for your travels. If you speak another language you will be considered to be a terrorist.
  4. Whatever country you visit, stick to major cities as much as possible. Smaller cities have more racists and nationalistically bigoted people, there probably wouldn’t have been a problem on a flight to London.

Also just avoid the coalition of the willing countries in your travels as much as possible. There are far fewer problems in this regard when the government doesn’t depend on terrorism hysteria to justify going to war on the basis of lies.

run an insecure system and get raped

After a recent mailing list discussion about computer security I’m going to be quoted in someone’s .sig so I think that I need to write a blog entry.

Here is an article about a 2001 case of a man who was arrested for pedophilia and spent 9 days in prison: http://www.xatrix.org/article.php?s=3549 .

This article on The Register has links to a few other articles and describes how a man has been found guilty due to the apparent actions of a hostile program on his machine (and served 20 days jail time).

Rumor has it that pedophiles are really disliked in prison and that they are often attacked by other prisoners. Even spending a few days in prison as a pedophile could be enough to get raped.

Run the latest version of the OS for your PC with all security patches. If you buy a second-hand machine reformat and reinstall as the first thing that you do just in case the last owner had kiddy porn (even though they may not have known of it).

laptop security on planes

There has been a lot of discussion recently about how to take laptops on planes following the supposed terror threat in the UK which has been debunked by The Register and other organizations. There is an interesting eWeek article about this that contains the interesting quote “The built-in locks don’t yet meet TSA specifications because they cannot be opened using the TSA master key” when reviewing a laptop case. Creating a master key is not that difficult and is explained in this PDF file. Theft by baggage handlers is quite a common occurrence (see this google search for details).

So baggage handlers can easily reverse-engineer the TSA master key, steal laptops from baggage, smuggle drugs, and put bombs in baggage if they are so inclined.

There have been a number of cases of laptops containing sensitive financial, medical, and military data being stolen. Now someone who wants to steal data merely needs to work as a baggage handler and copy the hard drives of laptops before loading them. Data is more valuable if no-one knows that it has been stolen.

It would be ironic if an airline employee had their laptop hard drive copied and sensitive information about airport security was lost because of this.

a newbie question about SE Linux and anti-spam measures

An anti-spam measure that is used by a very small number of people is verifying the sender address by connecting to the sending mail server (sometimes called a callout). For example when I send mail from russell@coker.com.au the receiving machine will connect to my mail server and see whether it accepts mail addressed to russell@coker.com.au, and will reject my mail if that isn’t the case.

The problem with this is that if I try to send mail to someone whose mail server is listed as a spam source by a DNSBL that my server consults, my server will refuse their verification connection, their check of my address will fail, and my message to them will bounce with a confusing error message even though my address is perfectly valid. This means that if either of the two mail servers involved in the communication is listed in a DNSBL or RHSBL service used by the other then all communication will be impossible. There will not be an option for one person to say “please phone me on this number if you can’t send me an email”.
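To make the failure mode concrete, here is an added simulation (not code from the original post, and not any real MTA) of two toy mail servers exchanging the SMTP verification dialogue. The hostnames, IP addresses and DNSBL entries are constructed; nothing touches the network. The recipient’s server does a callout before accepting mail, and the sender’s server refuses connections from DNSBL-listed clients, so when the recipient’s server is on the sender’s blocklist the callout is refused at the banner and the perfectly valid sender address is reported as unverifiable.

```python
from dataclasses import dataclass, field


@dataclass
class MailServer:
    """A toy MTA: just enough SMTP to show sender-address verification."""
    name: str                      # hostname (constructed)
    ip: str                        # address it connects from (constructed)
    local_users: set               # addresses it accepts mail for
    dnsbl: set = field(default_factory=set)        # client IPs it refuses as spam sources
    do_callout: bool = False       # verify MAIL FROM by asking the sender's MX
    directory: dict = field(default_factory=dict)  # domain -> MailServer, stands in for MX lookup

    def connect(self, client_ip):
        """Banner for a new connection; DNSBL-listed clients are refused outright."""
        if client_ip in self.dnsbl:
            return f"554 {self.name}: {client_ip} is listed as a spam source"
        return f"220 {self.name} ESMTP"

    def command(self, line):
        """Reply to one SMTP command (HELO, MAIL FROM, RCPT TO, QUIT)."""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return f"250 {self.name}"
        if verb == "MAIL":                       # MAIL FROM:<...>; the null sender is fine
            return "250 OK"
        if verb == "RCPT":                       # RCPT TO:<addr>
            addr = arg.split(":", 1)[1].strip("<>")
            return "250 Accepted" if addr in self.local_users else f"550 No such user {addr}"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognised"

    def callout(self, sender):
        """Ask the sender's MX whether it accepts RCPT TO:<sender>.

        Returns (verified, transcript). A refused connection counts as "not
        verified", which is the confusing failure described above."""
        domain = sender.rsplit("@", 1)[1]
        mx = self.directory.get(domain)
        if mx is None:
            return False, [f"no mail server known for {domain}"]
        banner = mx.connect(self.ip)
        transcript = [f"S: {banner}"]
        if not banner.startswith("220"):
            return False, transcript
        for cmd in (f"HELO {self.name}", "MAIL FROM:<>", f"RCPT TO:<{sender}>", "QUIT"):
            reply = mx.command(cmd)
            transcript += [f"C: {cmd}", f"S: {reply}"]
            if not reply.startswith("2"):
                return False, transcript
        return True, transcript

    def deliver(self, client_ip, sender, recipient):
        """Inbound delivery attempt from client_ip. Returns the SMTP reply the
        sending server would see at RCPT time, plus any callout transcript."""
        banner = self.connect(client_ip)
        if not banner.startswith("220"):
            return banner, []
        transcript = []
        if self.do_callout:
            ok, transcript = self.callout(sender)
            if not ok:
                return f"550 Sender verify failed for <{sender}>", transcript
        if recipient not in self.local_users:
            return f"550 No such user {recipient}", transcript
        return "250 Accepted", transcript


def build_servers(recipient_listed_by_sender):
    """The sender's MX (consults a DNSBL) and the recipient's MX (does callouts).
    All names and addresses are constructed for the example."""
    directory = {}
    sender_mx = MailServer("mail.coker.com.au", "192.0.2.10",
                           {"russell@coker.com.au"}, directory=directory)
    recipient_mx = MailServer("mx.example.it", "198.51.100.7",
                              {"someone@example.it"}, do_callout=True, directory=directory)
    directory.update({"coker.com.au": sender_mx, "example.it": recipient_mx})
    if recipient_listed_by_sender:
        sender_mx.dnsbl.add(recipient_mx.ip)   # recipient's MX is on the sender's blocklist
    return sender_mx, recipient_mx


def attempt(sender, recipient_listed_by_sender):
    """Simulate the sender's MX handing mail from `sender` to someone@example.it."""
    sender_mx, recipient_mx = build_servers(recipient_listed_by_sender)
    return recipient_mx.deliver(sender_mx.ip, sender, "someone@example.it")


if __name__ == "__main__":
    for sender, listed in (("russell@coker.com.au", False),
                           ("nobody@coker.com.au", False),
                           ("russell@coker.com.au", True)):
        reply, transcript = attempt(sender, listed)
        print(f"{sender} (recipient MX listed by sender: {listed}) -> {reply}")
        for line in transcript:
            print("   ", line)
```

The first attempt is accepted and the second (a nonexistent sender) is correctly rejected, which is the case callouts are meant to catch. The third is the problem: the same valid address is rejected with the same “Sender verify failed” reply, and only the transcript (a 554 at the banner) shows that the real cause is the sender’s DNSBL, something the sender never sees in the bounce.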

This happened recently when someone from Italy asked me a question about SE Linux. So I will answer here (maybe they read my blog). In any case the answer might be of general interest:

Firstly I have to note that I have a B.Sc degree and no post-graduate qualifications, so it is not accurate to address me as Dr. Coker.

The question is: Let’s imagine a user acquires root rights. Especially on Fedora Core, which modifies the su command to map it to the sysadm_r role, couldn’t he/she simply disable SELinux, delete logs, and so on?

If a user obtains ultimate privileges then they can do all things including deleting logs etc.

One thing to note is that there is no need for any process other than kernel threads to have ultimate privileges. It would be useful in some situations to make log files append-only for all processes, and the SE Linux policy language supports this.

The nearest any release policy comes to implementing such things is the separation between sysadm_r and secadm_r in the MLS policy in recent versions of Fedora.

Also note that it is possible to configure a SE Linux policy that does not permit any process to request that a new policy be loaded, the policy files be changed on disk, or the use of programs such as debugfs. Using SE Linux to enforce a policy that can not be bypassed by anything less than booting from installation media is quite easy to achieve.
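As an added illustration (not from the original post, and not any distribution’s shipped policy) this is roughly what those restrictions look like in the SE Linux policy language. The type names are the reference-policy ones and are assumptions for the example: syslogd_t for the logging daemon, var_log_t for log files, security_t for the selinuxfs policy interface, policy_config_t for the compiled policy under /etc/selinux, fixed_disk_device_t for raw disk devices, and the attribute domain that every process type carries. Only the rules are shown; a real policy also declares these types and grants the daemons their ordinary permissions.

```selinux
# The logger may create log files and append to them, but gets no write
# permission, so it can never truncate or overwrite what it has recorded.
allow syslogd_t var_log_t:dir { search add_name write };
allow syslogd_t var_log_t:file { create getattr setattr append };
# (kernels from 2.6.26 on also require the separate `open` permission here)

# neverallow rules are assertions checked when the policy is compiled:
# checkpolicy refuses to build a policy in which any domain, including
# sysadm_t or secadm_t, is granted these permissions by some other rule.

# Nobody rewrites, truncates or removes an existing log file.
neverallow domain var_log_t:file { write unlink rename };

# Nobody loads a new policy or switches to permissive mode at runtime ...
neverallow domain security_t:security { load_policy setenforce };

# ... or edits the compiled policy on disk so that the next boot loads it ...
neverallow domain policy_config_t:file { write append unlink rename };

# ... or bypasses the filesystem with debugfs by touching the raw disk device.
neverallow domain fixed_disk_device_t:blk_file { read write };
```

Two caveats a practitioner would want: log rotation by renaming is forbidden by the first neverallow, so such a system rotates by having the logger start a new file instead; and because the policy cannot be replaced from a running system, the only way to relax it is to boot from other media, which is exactly the property described above.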

One idea that I had was to have GPG implemented in the system BIOS and have GPG checks performed on the kernel before it’s loaded (to verify that the kernel had not been modified). The kernel could be passed a decryption key for the root filesystem by the BIOS, and SE Linux would be enabled as soon as the root filesystem was mounted. Thus nothing less than disassembling the BIOS would allow a hostile person to access the data on the disk. This is all possible with technology that has been common for many years. I almost convinced a BIOS author to implement this in about 2002.

invasive vs inconvenient security

The recent news from the UK gives us an example of invasive security. Preventing passengers carrying on any hand luggage (even wallets) and frisking all of them is the type of treatment you expect for criminals and visitors to maximum security prisons. It’s not what you expect for people who are involved in routine (or what used to be routine) travel.

The security measures offered by SE Linux are sometimes described as invasive. I don’t believe that this is an accurate description. I admit that sometimes minor tweaks are required (such as setting the correct context of a file). But for most users (corporate users and typical home users) the distribution takes care of all this for them. A default Fedora install should just work for the typical home user and a default Red Hat Enterprise Linux install should just work for the corporate user.

The main reason that it’s so easy to use is that the default domain for user sessions and for daemons that are not specifically configured in the security policy is unconfined_t. This means that programs for which there is no policy and programs run from a user session do not have SE Linux access controls. The default configuration of SE Linux only restricts programs that are known to be at risk.

The most common case of SE Linux access controls causing inconvenience is the policy for Apache (the daemon with the most configuration options). There is a set of configuration options (known as booleans) that can be used to determine which aspects of Apache will be confined, and it generally only takes a few minutes to determine and specify the correct settings to support the desired operation.

Next time you are being frisked at a UK or US airport and are facing the prospect of a long flight with books and all other forms of entertainment banned keep in mind that airlines have invasive security and should be avoided if possible. SE Linux offers security that is at most a minor inconvenience (usually not even noticed) and should be embraced.