OLPC solves all security problems, among others

Ivan Krstic's presentation at AusCERT 2007 (PDF) is fascinating reading. Until today I didn't realise that OLPC not only offers a solution to the world's educational woes, but also facilitates system security in a completely new way - that is, finally eliminates all opportunities for malware to exist.

Except that the way isn't completely new. In his presentation Ivan suggests that before the UNIX process model was invented in 1971, computer systems ran explicitly trusted code only:

No conceivable way for untrusted code to “appear” on a machine. You had to physically put it there via tape or punched card. 

My recollection is a little different - punch cards were prepared by one group of people (users) and processed by another (operators), who had little interest in the code they were running. Getting elevated privilege on the mainframe was not only fun but kinda essential for getting things done - otherwise your program would be allocated miserable resources and you would wait for ages for the output. Some clever JCL jiggery-pokery helped a lot, as did interactive systems supporting terminals.

Ivan reiterates the mantra that users are dumb by default, and suggests giving them no choice at all for fear that they will degrade the system's security:

To users, security dialogs are a black box where clicking ’Permit’ or ’Allow’ maximizes the likelihood of getting their work done.

The user is the fundamental problem:

We have failed as an industry, and modern desktop security is completely broken as a result. Put differently, it’s about the user, not about TCP/IP, or SSL, or AES, or IPSEC. The user.

Ivan goes on to introduce Bitfrost, the part of the OLPC system software that uses isolation to stop malware from affecting the rest of the system:

Main idea: run each application in its own virtual machine (really, OS container or zone). Give each program only the permissions it needs. With this approach, viruses and spyware largely “go away”.

Just like Java virtual machines: isolated, with limited, explicitly granted permissions to interact with anything outside the VM.

Unfortunately, Ivan repeats unsubstantiated legends about malware on personal devices in order to sell his novel concept:

We’ve seen limited for-profit malware on mobile devices. Now there’s universal malware for Symbian. 

No, we haven't seen that - only heard about the possibility of its existence - and there is no universal malware for Symbian. In fact, here's the situation with malware on mobile devices:

  • No viruses of consequence on the Symbian platform (the Bluetooth and MMS worms seen so far, Cabir and Commwarrior, spread only marginally and did little damage);
  • No viruses on Windows Mobile;
  • No viruses on Apple iPhone; and
  • No viruses on BlackBerry.

And no credible reports of serious data theft from any of them. Pretty good situation, well before the OLPC. I'm hugely optimistic about the upcoming Microsoft Windows XP-based personal devices, too.

And I don't believe that users are dumb to the extent that a few software developers can make security decisions on their behalf.

Posted by Slav | with no comments

Disabling Syskey startup password

So it happened: Windows starts up and asks for a password, and you don't know what it is - either you forgot it or never knew it. This is Syskey in action. What to do?

You can try brute forcing the password. Syskey gives unlimited tries. After the first hundred you'll come to the conclusion that brute forcing is overrated, and there are no reliable tools that will brute force a Syskey password for you.

You can forcibly switch Syskey off. The best tool for it is the Offline NT Password & Registry Editor, commonly known as NTPasswd. The bootable Linux-based CD image is just over 3MB, contains many SCSI drivers and a read-write NTFS driver, and has an intuitive text menu-based UI. It allows disabling Syskey (the SAM password hashes were encrypted under the old key too, so expect to reset the local account passwords with the same tool before rebooting). But there will be side effects:

  • All locally stored encryption keys will become invalid;
  • You will not be able to connect to Terminal Services - it uses those keys for session security;
  • IIS-based services (W3SVC, SMTP and the dependent Exchange services) will not start - parts of the metabase are encrypted and the keys are no longer available;
  • Any service not running as LocalSystem will not start, because its stored logon password (an LSA secret) can no longer be decrypted. The easiest way to re-enter it is to set the service to run as LocalSystem and then change it back to the service account;
  • The same applies to scheduled tasks that run under a named account;
  • All EFS-encrypted data, including that encrypted with the system key, will be permanently lost, unless a recovery agent's certificate and private key were exported beforehand.

So the system will be severely damaged when it comes back up. Only do this to recover the most recent data. If you need more, always back up the System State offline - and test the restoration before an incident happens.
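As an added example (not part of the original post, and not NTPasswd's own tooling), here is a PowerShell script that turns the list above into something checkable: it inventories the service accounts, scheduled tasks, IIS/Exchange services and EFS files that a Syskey reset will break, takes a System State backup, and re-enters a service's credentials after the reset. The function names, the D: backup target and the c:\tmp paths are assumptions, and the scheduled-task filter is a heuristic.

```powershell
# Added example, not part of the original post: inventory what a forced Syskey
# reset will break (run it while the system is healthy, and again afterwards),
# take a System State backup, and re-enter a service's credentials after the
# reset. Function names and the D: backup target are assumptions.

function Get-SyskeyResetImpact {
    # Built-in service identities keep no stored password; anything else does,
    # as an LSA secret that the new system key cannot decrypt.
    $builtin = '^(LocalSystem|NT AUTHORITY\\(LocalService|NetworkService))$'
    $services = Get-WmiObject Win32_Service
    $services | Where-Object { $_.StartName -and $_.StartName -notmatch $builtin } |
        ForEach-Object {
            New-Object PSObject -Property @{ Kind = 'ServiceAccount'; Name = $_.Name; Detail = $_.StartName }
        }

    # IIS and Exchange fail regardless of account: parts of the metabase are encrypted.
    $services | Where-Object { $_.Name -match '^(W3SVC|SMTPSVC|IISADMIN|MSExchange)' } |
        ForEach-Object {
            New-Object PSObject -Property @{ Kind = 'Metabase'; Name = $_.Name; Detail = $_.State }
        }

    # Scheduled tasks running as a named account store that password the same way.
    # Heuristic: skip SYSTEM and group principals, which need no stored password.
    schtasks /query /v /fo csv | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and
                       $_.'Run As User' -notmatch '^(SYSTEM|NT AUTHORITY\\|Users|Everyone|INTERACTIVE|N/A)' } |
        ForEach-Object {
            New-Object PSObject -Property @{ Kind = 'Task'; Name = $_.TaskName; Detail = $_.'Run As User' }
        }

    # EFS: cipher /u /n lists encrypted files without touching them. These are what
    # is lost unless a recovery agent's key was exported before the reset.
    cipher /u /n /h | Where-Object { $_ -match '^[A-Za-z]:\\' } |
        ForEach-Object {
            New-Object PSObject -Property @{ Kind = 'EfsFile'; Name = $_.Trim(); Detail = '' }
        }
}

function Backup-SystemState {
    param([string]$Target = 'D:')   # assumed destination; must not be the system volume
    if (Get-Command wbadmin.exe -ErrorAction SilentlyContinue) {
        # Server 2008 and later
        $targetArg = "-backupTarget:$Target"
        wbadmin start systemstatebackup $targetArg -quiet
    } else {
        # XP / Server 2003: NTBackup writes the System State (registry, including
        # the SAM and protected storage) to a .bkf file
        ntbackup backup systemstate /J 'SystemState' /F (Join-Path $Target 'systemstate.bkf')
    }
}

function Reset-ServiceCredential {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Account,
        [Parameter(Mandatory = $true)][string]$Password
    )
    # Re-entering the password re-creates the LSA secret under the new system key;
    # the LocalSystem-and-back round trip from the post achieves the same thing.
    # 'sc' alone is the Set-Content alias in PowerShell, hence sc.exe.
    sc.exe config $Name obj= $Account password= $Password | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed for $Name (exit code $LASTEXITCODE)" }
    Start-Service -Name $Name
}

# Before an incident:
#   Get-SyskeyResetImpact | Export-Csv c:\tmp\syskey-impact.csv -NoTypeInformation
#   Backup-SystemState -Target 'D:'
# After the reset, for every 'ServiceAccount' row in the inventory:
#   Reset-ServiceCredential -Name 'MyService' -Account 'CORP\svc_app' -Password (Read-Host 'Password')
```

Keep the impact CSV with the System State backup: after the reset it is the only record of which accounts the broken services and tasks used, and the EFS list tells you which files the backup had to include while the keys were still readable.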

Posted by Slav | with no comments

Motorola's Ed Zander reinvents SIM

With all the buzz around major US wireless operators opening their networks to devices bought by the users, one may wonder if those businesspeople understand what they're talking about. There is no need to open anything at all in the GSM and 3G (UMTS etc.) worlds. CDMA was trickier, but you could usually talk a support person on the phone into connecting anything, provided you paid your bills. So opening up varies from symbolic act to... symbolic act. There's no need to reinvent the concept of openness.

Motorola CEO Ed Zander reinvents another concept - the SIM, the Subscriber Identity Module. Here's what he said in a recent magazine interview:

Eventually, you'll have one SIM card for your mobile devices, and when you plug that card in, it will recognize the device and shut off all your other devices.

Some news for Mr. Zander: this is exactly how the SIM has always worked. The network registers one subscriber identity at a time, so inserting the card into another device takes the service away from the previous one.

"Business intelligence" is a category of software packages that helps organisations - and their execs - understand their business. Mr. Zander needs some, or Motorola is in big trouble.


Posted by Slav | with no comments

Wireless network in Canberra's Parliament House

Recently I visited Australia's Parliament House in Canberra. Like the parliaments of many other democratic countries, it is open to the public. Notably, there was no wireless LAN available. Not for long - implementation of a wireless network is forthcoming.

There are many interesting bits and pieces in the information. The focus on security is understandable. I do not expect the implementation to be anything extraordinary - our usual mixture of Cybertrust consultants, DSD analysts and government bureaucrats working on a rather predictable solution (my bet is on a wholesale implementation of Cisco equipment and software, with certificate-based authentication). One thing that draws attention is that the stated intention is to provide wireless Internet access to building occupants and visitors to the building such as delegates and invited guests. No public access.

That would be wrong. Australia needs to set an example by providing free-for-all wireless Internet access in Parliament House. This would be a token of the Labor government's commitment to a broadband future for Australia. We have free parking at the House, why not free Internet?

Technically, providing public Internet access is not too hard, and it will only marginally increase the cost of the project. You create a separate SSID (open access), put its clients on a separate VLAN, and route that VLAN outside the government's firewall. Traffic shaping is optional. Guests share only the radio and the access points with the internal network - and the radio spectrum is available to anybody anyway; the VLAN tagging keeps their frames out of the internal network, provided the guest VLAN is not routed into it and the access points are managed from a separate VLAN. If I'm right and Canberra goes with a Cisco solution, this detailed guide is available.

I have emailed my MP asking for Internet access for general public. We'll see what comes out of it. Next time I'm going to Canberra I'm taking my laptop loaded with all the wireless tools to check out what the solution is.

Posted by Slav | with no comments

What telephone is more secure?

On the more absurd side of security debates, a new one has emerged: which is more secure - the Apple iPhone or Google Android?

Yes, we have yet to see Google's product, but some guys are happy to talk. They happen to be security product vendors and security consultants. For example:

Gphone is open source, which means it can get a good kicking and shoeing, and can be worked on by just about anyone. It's starting out in a better way than the iPhone, which has seen vulnerabilities. However, any new consumer won't be secure when the first product comes out.

This comes from Ben Whitaker, head of security at mobile security development company Masabi. I'm puzzled. We haven't seen anybody who has been impacted by vulnerabilities in the iPhone. The same goes for the other mobile platforms that already exist - Symbian, Windows Mobile and BlackBerry. Interestingly: the iPhone runs Mac OS X, with a Darwin core that is a derivative of FreeBSD, open and free as in fish and chips; Windows Mobile is based on Windows CE - you can get the source and modify it; and Linux is Linux. SDKs, APIs and emulators are widely available for all telephone platforms. And users mostly run in a privileged context (as in: root, or able to do anything on the system).

But where are the evil hackers? There is more talk of vulnerabilities than there are vulnerabilities, let alone real exposures. The new telephone platforms are proof that security is changing, and the industry has to change its current focus.

Posted by Slav | 1 comment(s)

Pictures at a VMWare Exhibition

Not really pictures, but a few notes from the recent VMWare Virtualisation Forum - the regional mini-VMWorld. It started with a lot of pictures - trees, water, animals and, I think, smiling babies. When an event starts with those, expect a lot of marketing dung - and we got plenty in a day. For example, one of the VMWare keynote speakers said that virtualisation is the only way to manage hardware resources efficiently. Or, in the words of BEA's leaflet: Virtualization: Same Servers, More Capacity. As if the hypervisor and the OS image for each guest took none, or as if that overhead were compensated by the flexibility of allocating more resources should the need arise. If you cannot effectively manage resources on physical servers, you're likely to waste them on virtual ones. Virtualisation just gives a chance for a fresh start - and some different tools.

VMWare's updated product line includes an OS patching solution that allows patching systems that are shut down. Virtually shut down, of course. I believe this is the industry's first. My concern is that VMWare is losing focus: they shouldn't really go into patching and software delivery.

Both EMC and Network Appliance were presenting their storage offerings. Virtualisation requires shared storage, and those vendors are ready to sell - at a premium price. One thing they aren't interested in is the commoditisation of enterprise storage (despite the fact that commoditisation would let them enter the mass market). But NetApp mentioned something that is definitely worth noting: good old NFS provides a solid and viable alternative to Fibre Channel- and iSCSI-connected storage. This blog explains why: VMWare over NFS. Suddenly NFS is making a comeback. Enterprise-class virtualisation with commodity and/or open source storage is coming.

Both storage vendors also presented their backup offerings. Two main points: direct-from-storage backups and data de-duplication. Watch this space - backups may finally become reliable and usable!

IBM was touting a new server. While doing that they admitted that the big-iron, multi-CPU approach is much better than using blades. Surprisingly many people believe that blade servers are the best fit for virtualisation - in fact, the opposite is true.

Wyse and HP pushed their desktop virtualisation solutions, i.e. thin clients. After so many failures, will thin client solutions succeed? I'm sceptical. Virtual desktops tend to be more expensive than traditional desktops. But the functionality is less crippled this time around - thanks to a full dedicated OS image per client.

Overall, the virtualisation drive is a welcome shakeup of the industry. But promises - and expectations - tend to be overblown.

Posted by Slav | with no comments

Capturing Windows user logon traffic

I don't need to go into many details about the startup process and the importance of analysing it in case of problems. Here's how I do it:

The tools (all named in the scripts below):

  • Wireshark - for tshark, the command-line capture tool;
  • Sysinternals PsTools - for pslist;
  • Windows Resource Kit tools - for the Autoexnt service and sleep.

Install the tools accepting all defaults (you should always go with defaults unless you have really good reasons not to - and security through obscurity is not one). Follow the Resource Kit documentation to install the Autoexnt service, using the interactive option.

The most important information that is not in the network traffic capture is the process map - the information that identifies which processes are making the connections.

I'm using the c:\tmp folder for the captures and other files. This is the autoexnt.cmd file:

@echo off
rem Keep the previous run's files rather than overwriting them
move c:\tmp\capture.cap c:\tmp\captureX.cap 2>nul
move c:\tmp\capturelog.txt c:\tmp\capturelogX.txt 2>nul
rem Start the packet capture in its own window (check the -i number with "tshark -D")
start /D"C:\Program Files\Wireshark\" tshark.exe -i 2 -w c:\tmp\capture.cap
rem Every second: timestamp, connection table with owning PIDs, process list
:loop
cscript //Nologo c:\tmp\now.vbs >> c:\tmp\capturelog.txt
netstat -ano >> c:\tmp\capturelog.txt
pslist >> c:\tmp\capturelog.txt
sleep 1
goto loop

In the tshark command line options, the interface number (the -i option) may be different on your system - use "tshark -D" to list the interfaces. I found that in some cases tshark has visibility of all interfaces on the system whereas the Wireshark GUI doesn't let you choose the right one. Also run pslist once interactively before the first boot test (or add its -accepteula switch), so the Sysinternals licence prompt does not stall the loop under the Autoexnt account. Now.vbs prints the current time with seconds. The whole script is:

WScript.Echo Now

After rebooting the computer and logging on, there will be two windows on the screen - cmd.exe and tshark.exe. Close both - you'll find the traffic capture in c:\tmp\capture.cap and the process/connection lists in c:\tmp\capturelog.txt. That's enough information to do the analysis.

The beauty of the approach is that no hubs or mirror ports are involved, and all of it can be done remotely. Evidently, both the scripts and the approach can be improved in many ways. Suggestions welcome.
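One improvement, as an added example rather than the original post's script: a PowerShell collector that replaces the netstat/pslist pair in the loop, resolving each connection's owning process at sampling time and flagging the first appearance of every connection, so the process map is in the log rather than reconstructed afterwards. The function names and the c:\tmp\connections.csv path are assumptions.

```powershell
# Added example, not part of the original post: a replacement for the
# netstat/pslist loop in autoexnt.cmd that resolves the owning process of every
# connection at sampling time and marks connections seen for the first time.
# Function names and the c:\tmp\connections.csv path are assumptions.

function Get-ConnectionMap {
    # Snapshot PID -> name first; run as LocalSystem, Get-Process sees every process.
    $names = @{}
    Get-Process | ForEach-Object { $names[[int]$_.Id] = $_.ProcessName }
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

    netstat -ano | ForEach-Object {
        # TCP rows: proto local remote state pid. UDP rows have no state column,
        # so the state group is optional and limited to letters/underscore so it
        # can never swallow the PID.
        if ($_ -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$') {
            $owner = [int]$Matches[5]
            $name = '<exited>'   # process went away between the two snapshots
            if ($names.ContainsKey($owner)) { $name = $names[$owner] }
            New-Object PSObject -Property @{
                Time     = $stamp
                Proto    = $Matches[1]
                Local    = $Matches[2]
                Remote   = $Matches[3]
                State    = $Matches[4]
                OwnerPid = $owner
                Process  = $name
            }
        }
    }
}

function Start-ConnectionLog {
    param(
        [string]$Path = 'c:\tmp\connections.csv',   # assumed output location
        [int]$IntervalSeconds = 1
    )
    Set-Content -Path $Path -Value 'Time,Proto,Local,Remote,State,OwnerPid,Process,FirstSeen'
    $seen = @{}
    while ($true) {
        foreach ($c in Get-ConnectionMap) {
            # Key on protocol, both endpoints and owner, so a PID reused later in
            # the logon sequence shows up as a new connection rather than an old one.
            $key = '{0}|{1}|{2}|{3}' -f $c.Proto, $c.Local, $c.Remote, $c.OwnerPid
            $first = -not $seen.ContainsKey($key)
            $seen[$key] = $true
            $fields = @($c.Time, $c.Proto, $c.Local, $c.Remote, $c.State, $c.OwnerPid, $c.Process, $first)
            Add-Content -Path $Path -Value ($fields -join ',')
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# Called from autoexnt.cmd in place of the netstat/pslist lines, e.g.:
#   start powershell.exe -ExecutionPolicy Bypass -Command ". c:\tmp\conlog.ps1; Start-ConnectionLog"
```

Filtering the CSV on FirstSeen = True gives the order in which processes opened connections during logon, with timestamps that line up with the tshark capture; the remaining rows show how long each connection stayed open.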

Posted by Slav | with no comments

More daily hacks

Getting free access to communication services has always been one of the primary hacking activities, and still is. The recent proliferation of commercial Wi-Fi hotspot networks made them one of the prime targets. Stealing somebody's access by cloning a MAC address or performing a man-in-the-middle attack are well-known techniques. But what if there is nobody in the area whose connection is available for stealing?

Nokia to the rescue. In some countries (Australia, Indonesia, maybe more) Nokia teamed up with local operators of Wi-Fi hotspot networks to provide free Wi-Fi Internet access to the owners of Nokia N-Series multimedia devices. In Australia, their partner is Azure. The service is available in many locations in the Melbourne CBD and also blankets the fun part of Chapel Street in South Yarra - if you're visiting, don't miss the place.

From a user's perspective, the service is the same as with any other commercial hotspot - you find the network, associate to Azure, browse anywhere with your Web browser, and you'll be sent to the provider's captive portal. Then you'll see the difference - a "free access for Nokia N series" pictogram. Click on it, and you're logged on. You can browse the Internet and place Internet calls with the built-in SIP client.

So where's the free access in this scenario? Simply put, the provider's authorisation system (that includes the captive portal and some kind of backend) has no way of knowing that I'm using an N Series. I don't know what kind of basic check is conducted by the server - I can't think of anything but verifying the first octets of the MAC address, the vendor prefix - but the onus is basically on me. The good news is that Nokia's product line is great. It gives Mac OS- and Windows-based telephones a run for their money. The Symbian OS interface and applications are great, with features that include full VoIP support (both standards-based and Skype) and full support for secure wireless (including PEAPv0, which many Windows-centric corporate networks use - not available in Windows Mobile yet). Proudly proprietary. Free Wi-Fi is a welcome bonus - and a chance to feel like a hacker once more.

Other recent observations include some news about Bill Gates. I think BillG isn't @microsoft.com any longer. I mean, the account. End of an era, beginning of another one. Good luck and thanks to Bill.

Posted by Slav | with no comments

Zero-knowledge Intrusion: upcoming 2600 article

Soon 2600 will publish my article on practical NIDS avoidance. As soon as it comes out, it will be on my Web site.


The magazine is quite interesting reading - sometimes entertaining, sometimes educating, never boring. I'm glad to contribute.

Posted by Slav | with no comments

How to stop Skype using ISA server, and why

Skype is a good example of how defying open standards can result in a better product. H.323, the first attempt at a VoIP standard, failed miserably. SIP stands a much better chance, but there are numerous issues with SIP operator interconnections and with crossing the organisational perimeter. Skype doesn't have any of these issues: it doesn't interconnect with third parties, the PSTN being the only interface available; and it supports HTTP proxies (tunnelling through CONNECT) for connectivity, effectively eliminating the difficulties of sending voice/video traffic to external parties.

Of course, Skype is scary (as in: buy a firewall, and may it protect you against Skype). The story goes that it is the perfect backdoor, that firewalls can only slow down its exploitation, and that its obfuscated binary may hide a 0-day - Fabrice Desclaux of EADS did decent research on the obfuscation only to come to the wrong conclusions. What's certain is that Skype is a perfect target for hacking.

Some security people hate Skype and want to stop it. rootn0de provides a smart way of doing that (see Blocking Skype Using Squid and OpenBSD). Skype doesn't rely on DNS resolution for contacting its supernodes (because Internet DNS resolution may not be available on semi-isolated networks) - so rootn0de configures the Squid proxy to block CONNECT tunnelling requests whose destination is a bare IP address rather than a host name. You cannot even modify the list of supernodes so that DNS resolution will work - so this is a really good hack. It doesn't require OpenBSD.

What about the numerous organisations using Microsoft ISA Server as their Internet connection gateway? The solution is even easier. Configure ISA to require Windows integrated authentication and Skype will not work. Just checked - that's been fixed recently in a Skype for Windows 3.2 hotfix. Back to square one - no easy solution for ISA. You can be creative with the Firewall (Winsock) Client, or write a custom application filter, or channel traffic through Squid (defying the purpose of ISA to an extent). Besides, a restriction to Windows integrated authentication only can be worked around relatively easily - by modifying the client.

Solution, did I say? No. Trying to block Skype on the Internet access gateway is an example of the wrong approach, taken because of the wrong problem definition. Skype is just a videophone with chat that can also send files - most potential Skype users on a corporate network have Web access that already allows chatting, sending files and placing telephone calls. If you don't want users to run software that you don't approve of, don't let them, by strictly controlling their operating environment (thin client solutions and software restriction policies help here). If you don't want them to share information, don't give access, or protect it (RMS solutions help with this). But don't try to cripple functionality that is already given to the users - they may well have a business need for it.

Posted by Slav | with no comments

VoIP Scaremongers

DEF CON, an "underground" information security conference (appropriately held in an upscale hotel in the entertainment capital of the US), is on, together with its sister Black Hat Briefings, and the fresh crop of FUD is already making it into the business press worldwide. There's nothing like a catchy headline, and Forbes has got one of those: VoIP Vandals. Let's see what it's about:

Security professionals at the Black Hat conference in Las Vegas spent Wednesday outlining the exploitable vulnerabilities in voice over Internet protocol technology, or VoIP. In a series of presentations, they demonstrated ways in which cybercriminals can eavesdrop on VoIP calls, steal data from Internet telephony devices, intercept credit card numbers from VoIP connections and shut connections down altogether.

I wonder if there's anything radically new. Some details:

"VoIP is about convergence. The idea is that you save money and resources and time," said Barrie Dempster, a senior security consultant at Next Generation Security Software who made a presentation at the conference. "But convergent systems give you more avenues of attack, more ways in. It's not a secure environment." Because VoIP connects telephone calls via the Internet, it shares the Internet's weaknesses, Dempster argued. Those include vulnerability to denial of service attacks, which overload servers with thousands of simultaneous requests for data, as well as basic hacking tactics like guessing the password of users who fail to change default settings.

Environments become secure if and when we choose to secure them. The VoIP set of technologies gives countless ways to achieve integrity and privacy of communications. It's much better in that regard than POTS, the plain (and pretty) old telephone service it's replacing. And by the way - many people who witnessed a major disaster, attended a sports event, or just tried to call relatives in a developing country on a public holiday know that one limitation of POTS is its susceptibility to load-based denial of service. Plus, legacy telephones don't have passwords to speak of, so there's nothing even to guess.

Well, Mr. Dempster may have said FUD without substance, but other guys conducted cool demonstrations. They showed weaknesses resulting from insecure implementations of MGCP, and the lack of touch-tone (DTMF) protection in ZRTP, the media key-agreement protocol invented by Phil Zimmermann of PGP fame. Nice hacks they may be. Pity no one's using those protocols. SIP and proprietary protocols like Skype have won the protocol race.

Of course, Microsoft's embrace of real-time communications and VoIP is considered nothing less than impending doom:

Eric Winsborrow of Sipera Systems says that the wave of threats has been brought on by VoIP's new popularity in the business world as well as the technology's growing connection to the Internet at large, instead of smaller networks. He also points to plans at Microsoft to introduce VoIP applications into upcoming software as a sign that the technology's security issues are reaching a tipping point.

I don't know where Mr. Winsborrow has spent the last several years, but conf.exe (NetMeeting) has been part of Windows for a long while, and we are long past the tipping point. There will be no VoIP crash boom bang. Deployed properly, it is secure. Mr. Winsborrow and his squad managed to crash a BlackBerry handheld and a D-Link phone by injecting packets into a Wi-Fi network (as if you couldn't take any of those networks down entirely with a microwave oven), and simulated the theft of private data via VoIP from a laptop. I invite them to exploit a setup with Kerberos authentication, SIP signalling secured with TLS and media carried over SRTP (TLS on the signalling alone does nothing for the audio). That is common in the Microsoft world and is used to interconnect organisations as well as internally.

VoIP scaremongering is pathetic.

Posted by Slav | 4 comment(s)

Virtually hopeless

I don't know whether it's the CIOs, or the press, or both. Recently Byte & Switch, CMP Technology's zine on storage networking, published a chef d'oeuvre on the troubles with virtualisation. Some amazing thoughts from the captains of the industry. Take this one:

"Time is definitely a major concern of ours," said Jim Steinmark, director of architecture and engineering at Fidelity Investments. "One of the big challenges is the time that it is taking to get people to accept virtualization as a production-ready technology," added the exec, who uses VMware, Citrix, and SoftGrid within his infrastructure. For this reason, Steinmark estimates that it probably takes 40 to 50 percent longer to get an application deployed on virtual machines than it would on physical servers. A complex virtual application shared by a number of different users, he said, could easily take a year to deploy.

The whole idea and practice of virtualisation is to implement an efficient hardware abstraction layer. Applications don't know and don't care whether they are running in a virtual machine; detecting one is possible (the virtual hardware identifies itself, for a start), but an application has no reason to do it. How that could increase implementation time at all is beyond me. Any clues? Here's another product of disturbed minds:

Another attendee, George Scangas, lead IT infrastructure analyst at Welch's Foods, warned that developers are often the hardest group to get on board. "A lot of them are from the old school of thinking -- they want to run [applications] on a physical box," he added.

If developers have concerns like that, they are thoroughly unprofessional (Mr. Scangas's colleagues definitely are). You cannot develop an application for a box with redundant power supplies and six cooling fans inside. With few exceptions (like device drivers, operating systems, virtual machine hypervisors and software licensed against hardware identifiers) applications have requirements like a certain operating system, runtime libraries, disk space and available RAM - nothing that cannot be provided in a virtual environment. And if there's somebody who's hard to get on board, it is not developers or system administrators.

Posted by Slav | with no comments

On giant databases

Why do Wal-Mart, Tesco and other big retailers build giant databases that record every purchase and whatever else their customers are doing? Here's how Peter Dorrington of SAS, a software vendor, puts it:

Not only do firms like Tesco have good operational systems that control their costs, but they understand their customers and can offer particular product mixes which are attractive to certain groups

So this is the big idea. Businesses are sold on the hope of understanding their customers better and therefore finding ways of taking the business to new levels. In fact, the best they can hope for is running the business efficiently as it is - without transformations. Data that is not in the database cannot tell you how to attract new customers. You don't know how big your customers' appetite for schinkenspeck is until you offer some. And the database will not tell you that it won't be popular in the Middle East because it's neither halal nor kosher, unless there is an appropriate database field and you ask. And asking the right question is the hardest bit.

Banks are legally obliged to keep all information about their customers' transactions for a long period of time. That information is readily available, but it doesn't help with developing new products, market expansion or major investments. This is where artificial intelligence can assist. AI is bound for a big comeback.

Meanwhile, we have systems ironically classified as business intelligence, and giant databases. They are surrounded by an aura of mystery. Here's what Anthony Bianco writes in The Bully of Bentonville, a leftist anti-Wal-Mart opus:

From their perch in the Glass Center, information systems technicians monitor the computer-to-computer interplay using software that enables them to anticipate glitches, or "exceptions", as they're known in digitese, and intervene to prevent them from occurring. "We are pretty near real time. We can tell people that they need to go do something and we are within hours, depending on the event", said Linda Dillman, who, as Wal-Mart's chief information officer, runs the Glass Center.

Funny as it is, this description of how Wal-Mart runs its RetailLink infrastructure also gives an indication of how distant the perception of giant databases is from reality.

Posted by Slav | with no comments

Virtual infrastructure v Terminal servers

Virtual infrastructure based on products like Microsoft Virtual Server, VMWare and Xen is the flavour of the month. People are talking about reduced cost of ownership, reduced energy consumption and increased security risks resulting from the use of virtualisation - all of which is questionable. But without a doubt virtual infrastructure, especially in the datacenter space, will change the way we do things today. System deployments will take much less time. Recovery procedures will change dramatically. In the enterprise space, virtualisation will change networking and storage architecture as well: IP subnets will span multiple physical sites, and storage will become more flexible. I'm doing my reading on iSCSI - IP-connected storage is the way to go.

There are other effects of the emergence of virtualisation. Blade servers won't ever become a mainstream solution because of it, and may die off altogether. And there will be a very interesting clash with terminal server solutions - a technology space dominated by Citrix Systems. The history of terminal servers is interesting: developed as a way of enabling multiuser access to systems, they evolved into a bandwidth-saving way of using legacy applications, then into the core of thin client infrastructure (remember Oracle's Network Computer?), and now they are all of the above plus a secure remote access mechanism and a software distribution and application delivery system. Virtual infrastructure hosting any modern OS has all the same features - but the approach is different. Some may argue that terminal servers use fewer resources since they share a single OS image between all clients - which is probably true, but becomes less of an advantage as both VM resource management and systems' awareness of the virtual infrastructure improve. And terminal servers may become legacy systems themselves.

Posted by Slav | 1 comment(s)

Security theatre

Steve Riley of Microsoft is a controversial figure. Some believe he's a hacker and others that he's a social engineer. Having an argument with him is very difficult. Steve's got a great mind and a unique ability to inspire people and get them thinking about information security. Recently I read about security theatre in a newsgroup posting of his, in response to a suggestion to rename the Administrator account as a security measure:

Rename it back to "Administrator" and set a long passphrase on it.

Changing account names is just security theater. Names are intended to be public, there is no mechanism in place to prevent discovery of names. So don't treat such elements as secrets. The secret in a set of credentials is the password.

Other elements of security theatre are, according to Steve, port hiding (moving services off their default ports - another unneeded change from the default, and a bad sysadmin practice), and outbound traffic control on a personal firewall. I couldn't agree more. The built-in Administrator account is a good illustration: whatever it is called, its RID is always 500, so anyone who can look up the SID gets the current name back. Too many times I have seen the Windows Guest account disabled and renamed...

The term security theater appears to have been coined by Bruce Schneier. It's great - much better than "security through obscurity": it covers the same ground but leaves no room for argument. It's spot-on. Security theatre is the best way to create problems for yourself while creating none for potential intruders.

Posted by Slav | with no comments

Governments are hopeless at information security

One of the good things about BlackBerry - apart from the main client platform, which will never get really damaging and widespread malware - is the clever server infrastructure that routes data streams between the handhelds and the enterprise infrastructure. A mother ship in Canada handles all signalling and connections between the various operators around the world, so that the roaming experience is really smooth (this also contributes to the business model that makes the operators hugely enthusiastic about BlackBerry). Data between the handheld and the BlackBerry Enterprise Server travels over UDP through that relay, but it is encrypted end to end (Triple DES or AES, with keys held only by the handheld and the server), so the relay sees only ciphertext. Using Wi-Fi is possible.

But one thing happens over and over when governments look at BlackBerry security: they suddenly learn about the Canadian intermediary (or so they believe it is), become concerned about a non-existent snooping possibility, and place BlackBerry on hold for a pointless yet lengthy review. It happened before in Australia. Now it happens in France: Blackberries nipped amid security fears. Some interesting details:

BlackBerry handheld computers, or "Le BlackBerry" as they are known in France, have been called addictive, invasive, tiresome for thumbs - and, now, a threat to French secrets.

That, at least, is the fear of French government defence experts who have advised against their use by officials in France's corridors of power, reportedly to avoid snooping by US intelligence agencies and the loss of commercial and other secrets.

"It's not a question of trust," French legislator Pierre Lasbordes said today. "We are friends with the Americans, the Anglo-Saxons, but it's economic war."

...

Lasbordes, who was commissioned in 2005 by then-Prime Minister Dominique de Villepin to look into such issues, said he alerted the government about the issue months ago.

So it took two years for a politician to identify a non-issue as a problem. Apparently RIM cannot easily stand up to the politicians' stupidity:

The Canadian company "admitted that there was a certain fragility in the protection of information when you use the email system" and promised it would be resolved, said Lasbordes, adding: "That was more than a year ago."

Of course, we shall never know what exactly that certain fragility is, because it is certainly an uncertainty - please pardon my French. And, of course, there is another official to voice the concerns:

BlackBerries pose "a problem with the protection of information" and "the risks of interception are real," Alain Juillet, in charge of economic intelligence for the government, told Le Monde.

What is most amazing here is that Mr. Juillet is responsible for some kind of intelligence. He should know the meaning of "real".

Posted by Slav | with no comments

Remembering things to do

Andrew "Angry" Anderson, a fellow security specialist who suddenly passed away on 21 June, once said in response to a request to bring a pen to a meeting:

If you give me more tasks than I can remember, I won't be doing them all anyway.

Come to think of it, most things that get forgotten weren't important in the first place. So who says that setting priorities is hard?

Posted by Slav | with no comments

Use glue instead

Amazingly, many companies offer software that is designed to prevent users from connecting USB and other external storage devices. Apparently, there's demand for products creatively named DeviceWall, DeviceLock and Sanctuary Device Control. The problem they are trying to solve is described by Pointsec, a vendor of another such product:

Data leaks can be devastating
Moving digital files from a PC to a storage device is very easy, using a USB or Firewire connection, or wirelessly, using Bluetooth, Infrared or Wi-Fi connectivity. Users innocently plug personal storage devices into their work PC to upload music, or transmit digital photos, but the ability to also siphon off corporate data from a PC onto peripherals places organizations at considerable risk of undetected data leaks.

Now let's analyse this. Users already have access to the information - it is stored on their computers. Often the computers are laptops that the users can take anywhere and connect to any network. The users can post forms to Web sites, send emails and (horrors!) encrypt information using the likes of WinZip without telling the password to anybody. If they want to siphon off the information, they can, and blocking USB ports won't help. Use glue to fill the ports instead - it's cheaper, and achieves similar outcomes.


Posted by Slav | 1 comment(s)

The attack surface

Jabez Gan, a fellow MVP, did an interesting book review - that of Professional Windows Desktop and Server Hardening by Roger A. Grimes, published by Wrox. Jabez summarises his learnings from the book in 10 points:

1. To Linux fans out there: Whatever is Popular Gets Hacked. How true is this statement? You might be saying that Windows is full of exploits because it is unstable and vulnerable. If it’s the days of Windows 9x/NT, I would agree with you that Windows isn’t that secure. However things have changed, thus vulnerabilities have decreased tremendously.

If you think about Apache, you’ll notice that it has more vulnerabilities than IIS. (Since Apache is more widely used).

2. Don’t Let End Users Make Security Decisions. Heck I don’t even trust end users myself, so why should we let them make security decisions? They will only increase our workload when they submit support tickets!

3. Security-by-Obscurity Works! Change to some random port for our RDP (remote desktop protocol) instead of the usual 3389. Change to some random port for our HTTP instead of the default port 80 (do this only for internal users, not external users).

4. Assume Firewalls and Antivirus Software Will Fail. I’ve been doing some consulting for a few companies, and this statement is true. Updated antivirus software with properly configured firewall isn’t enough. Malware nowadays comes through port 80 and Antivirus doesn’t work as great when it comes to detecting new viruses.

5. Minimize Potential Attack Vectors, Decrease Attack Space. Everybody knows this. Disable services or programs that you do not need. Close the ports you do not need. Use IPSec for communications between machines.

6. RunAs. Remember the long forgotten RunAs? Administrators should provide users (and themselves) with limited user accounts (LUA) and use the RunAs if they want to install applications. Also, I’ve learnt not to provide users with the permission to install new applications. It must be done by an administrator.

7. Keep Patches Updated. To cut things short, Keep Patches Updated. All of you know why.

8. Use a Host-Based Firewall. Who said Windows XP SP2’s firewall isn’t good? It is a host based firewall… Nah, it doesn’t provide Outgoing firewall monitoring. So use a 3rd party instead. ;)

9. Rename Admin and Highly Privileged Accounts. Scripts or hackers will try to hack through the system through the default administrator account. So on every installation of Windows (or any OS or applications), rename the default high privileged accounts.

10. Install High-Risk Software (IIS) to Non-Default Folders.  I know lots of you out there will just install everything to the default folder, but here’s a tip: Don’t! Take the hassle to reconfigure things if you have IIS installed to the default folder. I know it will break some web app (if you have any) but do you want to fix your web app or secure your server?

Interesting. Let's analyse. The first thing that comes to mind is that renaming admin and highly-privileged accounts and installing software to non-default folders are variations of the security-through-obscurity approach - in addition to using non-default ports for IP services. Incidentally, that contradicts one of the sysadmin's principles that I follow - Use Defaults Whenever Possible. Using the defaults allows quicker problem resolution, which is good for security. Another note is about renaming high-privileged accounts - there are none by default, so why?

Minimize Potential Attack Vectors, Decrease Attack Space sounds like stating the obvious - besides, there's at least one thing that is not so obvious here: security through obscurity leaves the attack surface intact, not cutting it by even the tiniest bit. Proper systems management and access control are what shrink it.

Should we disallow end users installing software and making any security decisions? The proper question here is - are you ready to make all the decisions on the users' behalf? A personal firewall is a good example. Controlling outbound communication sounds like good security (so may denying all of it by default) - but are you ready to make the decisions for the users wherever they are? In any environment of scale you won't be able to cope, thus the users must have a level of freedom here. They are already trusted with the business information that you're trying to protect. A better rule is to disallow users making decisions that will impact other users.

And the final note is about Whatever is Popular Gets Hacked. Reality gives it an interesting twist: whatever is not popular also gets hacked - but most hardly notice and often don't know. Obscure systems with zero known vulnerabilities should never be considered safe.

Posted by Slav | with no comments

Integrating Java, JDBC and Kerberos

These notes are to help with integrating Java applications into Kerberos environments (most likely Active Directory-based). It's not a cookbook, but it gives a few pointers that I find useful.

Background

I have integrated Windows Kerberos environments with alien platforms before. See, for example, my notes on Configuring Apache on Linux for Kerberos Authentication. So when I faced the need to configure a Java environment to use Kerberos for Microsoft SQL Server authentication, I was excited. As it turns out, Java is as bad as Linux - if not worse.

Problem

There's a Windows-based Java environment and a Microsoft SQL Server database. The task is to configure Java to connect to the SQL Server database using Kerberos authentication in the current user security context - that is, without specifying the account name or a keytab file. Not changing the Kerberos encryption types for the account in Active Directory is highly desired.

Solution

For this particular solution I was using the DataDirect JDBC driver for Microsoft SQL Server. Other options are OEM versions of the same (that are cut-down, with the cut including some authentication features), and the Microsoft SQL Server JDBC driver (that does support integrated authentication, but only on Microsoft Windows operating systems - I naturally want to go multiplatform). DataDirect provides two testing tools - WATest for basic Kerberos functionality testing and ConnTestWA for JDBC specifically, as well as the testforjdbc utility included with the driver distribution set.

The steps of the solution include: installation of Java Virtual Machine, configuration of Kerberos, and configuration of login parameters for particular connection. On Windows you can choose not to use keytab files; on UNIX/Linux you have to.

The success criterion was a successful run of testforjdbc, with a Kerberos ticket for the SQL Server service added to the local ticket cache. You can check the cache using the Kerbtray GUI or the klist.exe command line utility, from the Windows Resource Kit utilities and support tools respectively. On UNIX and Linux, you have to run klist. If the connection works and uses Kerberos, a service ticket is added to the cache.

Caveat

Don't take for granted that Kerberos authentication is available on the server, even if it comes from Microsoft and is using Windows integrated authentication. In the case of SQL Server, you need to refer to Q319723 - How to use Kerberos authentication in SQL Server. Note that you need to use a service account, and there are some specifics when you use a cluster; also note that delegation settings are only required if there is an intermediary point in the communication (like IIS in the KB article scenario). IIS configuration for Kerberos has similar caveat(s).

Installing the JVM

Remember the Write Once, Run Anywhere capability (see INDEPENDENT TESTS DEMONSTRATE WRITE ONCE RUN ANYWHERE CAPABILITIES OF JAVA)? Well, that doesn't quite hold any more: each version of the JVM brings its own constraints. Pure Java Kerberos (that is, without native platform calls, using only the JVM's built-in features) failed for me with Sun's JVM 1.4. With JVM 1.5, the Windows default encryption types for Kerberos (namely RC4-HMAC) are not yet supported, so you have to use DES encryption types for Kerberos (set in the AD Users and Computers GUI in the service account properties - and see 833708 for an issue with Windows 2003 domain controllers). Only Java 1.6 comes with RC4-HMAC support. Use the latest version if you can.

Configuring Kerberos in Java

Just like on UNIX/Linux, Java uses the krb5.conf file, in exactly the same format. On Windows the file is named c:\winnt\krb5.ini (if the c:\winnt\ directory doesn't exist, you have to create it). Details about the location of the configuration file and the search order can be found here. Here's my configuration file:

[libdefaults]
 default_realm = EXAMPLE.COM
 default_tkt_enctypes = aes128-cts des3-cbc-sha1 rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
 default_tgs_enctypes = aes128-cts des3-cbc-sha1 rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
 permitted_enctypes = rc4-hmac arcfour-hmac-md5

[realms] 
 EXAMPLE.COM = {
  kdc = DC.EXAMPLE.COM
 }

Important: RC4-HMAC is not enabled by default, so it needs to be on the list.

Configuring login parameters

Java requires a login configuration file for every connection that uses Kerberos login. The one for the DataDirect JDBC driver is by default named JDBCDriveLogin.conf (an alternative configuration file can be specified by setting the java.security.auth.login.config Java system property), and should look like this:

JDBC_DRIVER_01 {
 com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache=true doNotPrompt=true;
};

Explanations: debug=true is self-explanatory, and it's essential during the configuration. The "useTicketCache=true doNotPrompt=true" pair achieves using the Windows ticket cache (as opposed to useKeyTab, which is the other option); it addresses a potential "No CallbackHandler available to garner authentication information from the user" error.
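Both files above are easy to get subtly wrong, and the failures show up only as opaque JAAS or GSS errors. The following Python script is an added example (not DataDirect's, Sun's or this post's own code) that parses a krb5.ini and a JAAS login config and checks them against the rules stated in this post: the enctype lists must include RC4-HMAC for a JVM with RC4 support (or DES types for an earlier JVM), and the Krb5LoginModule entry must use the ticket cache with doNotPrompt. The sample configurations embedded in it are copied from this post; the entry name JDBC_DRIVER_01 and the check messages are the script's own.

```python
import re

# Constructed sample: the krb5.ini shown in the post.
SAMPLE_KRB5 = """\
[libdefaults]
 default_realm = EXAMPLE.COM
 default_tkt_enctypes = aes128-cts des3-cbc-sha1 rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
 default_tgs_enctypes = aes128-cts des3-cbc-sha1 rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
 permitted_enctypes = rc4-hmac arcfour-hmac-md5

[realms]
 EXAMPLE.COM = {
  kdc = DC.EXAMPLE.COM
 }
"""

# Constructed sample: the JAAS login config shown in the post.
SAMPLE_JAAS = """\
JDBC_DRIVER_01 {
 com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache=true doNotPrompt=true;
};
"""

RC4_NAMES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}  # Java's names for the Windows default enctype
DES_NAMES = {"des-cbc-md5", "des-cbc-crc"}                    # what a JVM without RC4 support can use
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_krb5(text):
    """Parse krb5.ini into {section: {key: value}}; a realm block becomes 'realms/<REALM>'."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section, block = header.group(1), None
            sections.setdefault(section, {})
            continue
        opener = re.match(r"(\S+)\s*=\s*\{$", line)
        if opener and section:
            block = "%s/%s" % (section, opener.group(1))
            sections.setdefault(block, {})
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        target = block or section
        if target is not None and key.strip():
            sections[target][key.strip()] = value.strip()
    return sections


def check_krb5(conf, rc4_supported=True):
    """Return problems found; rc4_supported=False models a JVM before 1.6."""
    problems = []
    lib = conf.get("libdefaults", {})
    for key in ENCTYPE_KEYS:
        types = set(lib.get(key, "").lower().split())
        if not types:
            problems.append("libdefaults: %s missing" % key)
        elif rc4_supported and not types & RC4_NAMES:
            problems.append("libdefaults: %s lacks rc4-hmac, the Windows default" % key)
        elif not rc4_supported and not types & DES_NAMES:
            problems.append("libdefaults: %s lacks the DES type this JVM needs" % key)
    return problems


def parse_jaas(text):
    """Parse a JAAS login config into {entry: [(module, flag, {option: value})]}."""
    entries = {}
    for name, body in re.findall(r"(\w+)\s*\{(.*?)\};", text, re.S):
        modules = []
        for stmt in body.split(";"):
            parts = stmt.split()
            if len(parts) >= 2:
                opts = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
                modules.append((parts[0], parts[1], opts))
        entries[name] = modules
    return entries


def check_jaas(entries, entry="JDBC_DRIVER_01"):
    """Flag Krb5LoginModule settings that lead to the 'No CallbackHandler available' error."""
    modules = entries.get(entry)
    if not modules:
        return ["login config: entry %s missing" % entry]
    problems = []
    for module, flag, opts in modules:
        if not module.endswith("Krb5LoginModule"):
            continue
        if opts.get("useTicketCache") != "true" and opts.get("useKeyTab") != "true":
            problems.append("Krb5LoginModule: neither useTicketCache nor useKeyTab set, so the module will try to prompt")
        elif opts.get("useTicketCache") == "true" and opts.get("doNotPrompt") != "true":
            problems.append("Krb5LoginModule: useTicketCache without doNotPrompt still prompts when no cached ticket is found")
    return problems


if __name__ == "__main__":
    for p in check_krb5(parse_krb5(SAMPLE_KRB5)) + check_jaas(parse_jaas(SAMPLE_JAAS)):
        print("PROBLEM:", p)
```

Run it against your own files by passing their contents to parse_krb5 and parse_jaas instead of the samples; with rc4_supported=False it reports the post's JVM 1.5 situation, where the permitted_enctypes line above would have to carry a DES type instead.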

The rest

...is well documented in DataDirect KB article Setup of pure Java approach for Windows Authentication with DataDirect Connect for JDBC.

Point solutions

You can also avoid the hassles of pure Java just by using Type 2 (Windows native) integration for the DataDirect driver. All that is required is a connection string like jdbc:datadirect:sqlserver://yoursqlserver.example.com:1433;AuthenticationMethod=Type2 or jdbc:datadirect:sqlserver://yoursqlserver.example.com:1433;AuthenticationMethod=auto (as opposed to jdbc:datadirect:sqlserver://yoursqlserver.example.com:1433;AuthenticationMethod=Type4 or jdbc:datadirect:sqlserver://yoursqlserver.example.com:1433;AuthenticationMethod=Kerberos, required for pure Java Kerberos authentication). Make sure that java.library.path includes the path to DDJDBCAuth04.dll supplied with the driver. Or you can use the Microsoft JDBC driver. Both will integrate with Windows.

Troubleshooting

1. Verify the SPN in question. In AD, use ADSIedit to check the SPN. The LDAP attribute you are looking for is "servicePrincipalName";
2. Enable Kerberos logging on the DCs (http://support.microsoft.com/kb/262177/) and look for relevant information in the logs;
3. Capture traffic on the client requesting Kerberos ticket and see Kerberos communications and error codes in the capture;
4. Review Q326985 (http://support.microsoft.com/kb/326985) - it's about troubleshooting Kerberos with IIS but gives a good idea about other services.
5. Did I mention enabling Java debugging where possible?
6. And if you use Java security policy, there's a whole new world for stuff-ups.

Good luck with the integration, and don't hesitate to post your own experiences on the Internet. Scenarios are plentiful, documentation scarce, and every piece of information helps.

Posted by Slav | 3 comment(s)