bill's blog

Just another WordPress weblog


When booting a UNIX-like OS it's sometimes necessary to see the messages that are printed to the screen as the operating system loads. Sometimes you may just want to make sure that a service is starting up correctly, but it really comes in handy when trying to troubleshoot a start-up issue.

Apple has conveniently hidden these start-up messages! But you can see them on screen by holding down the Command and “v” keys (Command-V) immediately after powering on your Mac.

So what if you always want to see these messages every time you boot your Mac?

To always boot OSX in verbose mode you’ll need to fire up a terminal session and issue the following command:

sudo nvram boot-args="-v"

If after a period of time you grow tired of seeing these messages scroll across your screen, you can disable verbose booting by issuing the following command:

sudo nvram boot-args=
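Added example, not from the original post: the nvram command above replaces the whole boot-args variable, so any other flags already stored in NVRAM are lost when you turn verbose mode on or off. The script below adds or removes only the -v flag and keeps whatever else is there. The string helpers are portable; nvram(8) is only invoked when it exists on the machine, and the other flag value (keepme=1) used in the comments is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original post.  "nvram boot-args=-v" replaces
# the whole variable, so this script edits only the "-v" flag and keeps any
# other flags already stored (e.g. a constructed "keepme=1").  The string
# helpers are portable; nvram(8) itself is only called when it is present.

# Print boot-args $1 with flag $2 appended, unless it is already present.
boot_args_add() {
    current="$1"; flag="$2"
    for word in $current; do
        if [ "$word" = "$flag" ]; then
            printf '%s\n' "$current"
            return 0
        fi
    done
    if [ -z "$current" ]; then
        printf '%s\n' "$flag"
    else
        printf '%s %s\n' "$current" "$flag"
    fi
}

# Print boot-args $1 with every occurrence of flag $2 removed.
boot_args_remove() {
    flag="$2"; out=""
    for word in $1; do
        [ "$word" = "$flag" ] && continue
        out="${out:+$out }$word"
    done
    printf '%s\n' "$out"
}

# Current value from NVRAM.  nvram prints "boot-args<TAB>value", or an error
# on stderr when the variable is unset; in that case we return "".
boot_args_current() {
    nvram boot-args 2>/dev/null | cut -f 2-
    return 0
}

# Usage: verbose_boot on|off  (an empty result clears the variable, which is
# exactly the "sudo nvram boot-args=" form shown in the post).
verbose_boot() {
    case "$1" in
        on)  new=$(boot_args_add "$(boot_args_current)" "-v") ;;
        off) new=$(boot_args_remove "$(boot_args_current)" "-v") ;;
        *)   echo "usage: verbose_boot on|off" >&2; return 2 ;;
    esac
    sudo nvram boot-args="$new"
}

# Only touch NVRAM when the tool exists and an action was given on the
# command line, so sourcing or testing the file is harmless.
if command -v nvram >/dev/null 2>&1 && [ $# -gt 0 ]; then
    verbose_boot "$1"
fi
```

Run it as `sh verbose-boot.sh on` or `sh verbose-boot.sh off`; check the stored value first with `nvram boot-args` if you want to see what else is in there before changing it.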

Software applications are complicated things. Developers need to think about what the application is supposed to do… then write code to make it happen. They need to anticipate how the end-user is going to use the application and how the application could be misused. Trying to understand all possible scenarios is nearly impossible, and on top of that, large monolithic applications may have many different coders working on them at any given time. This leads to situations where defects (or bugs) creep into applications. It is these bugs that hackers look to exploit! Very often it is a buffer overflow attack that leads to the compromise of an application and, depending on the crash… to root access on the box.

I have always said that with the iPhone’s popularity exploits will come… and they have! Apple has tried very hard to lock down the iPhone so that it can’t be used on other carriers’ networks and so applications can only be loaded via the iTunes Music Store. Apple has in many ways crippled its own phone. Apple said that the original iPhone 2G couldn’t capture video… It can! It said that it couldn’t be used to tether a laptop to the Internet… It can! Why? Because AT&T wanted to prevent their network from collapsing under the load of this smartphone. Additionally, it didn’t want to lose the revenue stream by cannibalizing its mobile broadband market. Many people saw this as an unfair business practice and sought ways of breaking these locks to allow unrestricted access to the phone.

Jailbreaking is a process that allows iPad, iPhone and iPod Touch users to run third-party unsigned code on their devices by unlocking the operating system and allowing the user root access (Wikipedia.org, 2010). Jailbreaking the phone takes advantage of unpatched security holes within iOS. The jailbreaking of iPhones has been a cat and mouse game between hackers and Apple. Apple patches the phone and the hackers set off looking for new vulnerabilities to exploit. Apple recently released iOS 4, which set the ball in motion once again to find a new exploit to unlock the phones. The jailbreak that worked against iOS 4 was particularly problematic in that it exploited a vulnerability in the displaying of PDFs on the devices. These specially crafted PDFs could be sitting out on the Internet, and when the Safari browser tries to display the PDF… a buffer overflow condition happens and the phone is then “rooted.”

The vulnerability is caused by a flaw in the FreeType font engine… which is called upon when displaying a PDF with embedded fonts. A full description of the bug can be found by searching for CVE-2010-1797. Apple’s information regarding the flaw can be found in its update notes at http://support.apple.com/kb/HT4291

CVE-ID: CVE-2010-1797
FreeType

Available for: iOS 2.0 through 4.0.1 for iPhone 3G and later,
iOS 2.1 through 4.0 for iPod touch (2nd generation) and later

Impact: Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution

Description: A stack buffer overflow exists in FreeType’s handling of CFF opcodes. Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution. This issue is addressed through improved bounds checking.

In fact, it is so easy to exploit this vulnerability that individuals have taken to jailbreaking iPhones in Apple stores. They merely visit the website JailbreakMe.com and leave a trail of jailbroken iPhones in their wake! In an effort to thwart the jailbreaking of phones in their stores, Apple had to set up a DNS forward for the site until they had a patch for the vulnerability. Apple released a fix for the FreeType 2 CFF font stack corruption vulnerability on August 11th (one of the fastest turnaround times for an iOS patch).

Jailbreaking one’s iPhone will void Apple’s product warranty though it is a simple task to restore the phone to a factory “new” default.

NOTE: You need to remember to restore a jailbroken phone before bringing it to an Apple store for repair.

The Library of Congress is required to revise Digital Millennium Copyright Act (DMCA) rules every 3 years. On July 26th, 2010, it issued its update to the DMCA and made it legal for iPhone owners to jailbreak their phones. Corynne McSherry, a senior staff attorney for the Electronic Frontier Foundation (a San Francisco-based privacy-rights group), had this to say about the ruling:

“Now people can go ahead and fix their phones and jailbreak them so they can run all sorts of different applications. They can make full use of the phone they bought without some kind of legal liability hanging over their head.” (Bloomberg.com, 2010)

It should be noted that the Electronic Frontier Foundation is the advocacy group that petitioned the Library of Congress for this ruling.

Resources:

Shields, T. & Satariano, A., (2010, Jul 26th), ‘Jailbreaking’ of IPhones to Add Apps Backed by U.S. Retrieved on August 13th, 2010 from http://www.bloomberg.com/news/2010-07-26/apple-iphone-users-have-u-s-blessing-to-jailbreak-add-own-applications.html

Various, (2010, August 13th), iOS Jailbreaking, Retrieved on August 13th, 2010 from http://en.wikipedia.org/wiki/IOS_jailbreaking

I was recently asked to redo the permissions on 5TB worth of data. There were inherited permissions that conflicted with the user’s new requirements… it was just a mess! I figured the best way to deal with this was to start from scratch… remove all ACLs and start fresh.

The easiest way I’ve found to do this is…

sudo chmod -R -N ./*
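Added example, not from the original post: the one-liner above relies on the shell glob ./*, and by default a glob does not match names that begin with a dot, so ACLs on top-level hidden files and folders survive the command (entries inside subdirectories are still reached through -R). The script below shows what the glob misses in a directory and strips ACLs by naming the directory itself instead. chmod -N is macOS-specific, so strip_acls is a function to call by hand on a Mac; the other helpers run anywhere.

```shell
#!/bin/sh
# Added example, not from the original post.  "./*" skips dot-files at the
# top level of the directory you are standing in; "chmod -R -N DIR" does not,
# because recursion reads the directory listing rather than expanding a glob.
# chmod -N exists only on macOS, so strip_acls is never run automatically.

# Print, one per line, the entries "./*" would expand to inside directory $1.
glob_targets() {
    ( cd "$1" && for f in ./*; do
          if [ -e "$f" ]; then printf '%s\n' "${f#./}"; fi
      done )
}

# Print every top-level entry of $1, hidden ones included (what "chmod -R -N"
# on the directory itself reaches at the first level).  "./.[!.]*" and
# "./..?*" cover dot-names without matching "." or "..".
all_targets() {
    ( cd "$1" && for f in ./* ./.[!.]* ./..?*; do
          if [ -e "$f" ]; then printf '%s\n' "${f#./}"; fi
      done )
}

# Number of top-level entries the glob form leaves untouched.
missed_by_glob() {
    all=$(all_targets "$1" | wc -l)
    seen=$(glob_targets "$1" | wc -l)
    echo $((all - seen))
}

# Strip every ACL below $1, hidden entries included (macOS chmod only).
strip_acls() {
    sudo chmod -R -N "$1"
}
```

Before stripping, `ls -le` on the directory shows the ACL entries that are about to go, which is worth saving to a file if you may need to reconstruct anything later.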

Steganography is the art of hiding things in plain sight! The practice dates back to the days of ancient Greece. One story has it that Histiaeus, the ruler of Miletus, shaved the head of a slave, tattooed a message on his scalp and then sent the slave to Greece, where the head was shaved and the message delivered. Fast-forward two thousand years to the American Revolution, when both the British and American forces made use of invisible inks. They would write a message using special ink on a nondescript piece of paper. When the message got to its intended recipient, a reagent would be used to make the ink (and the message) visible again. Today, through the use of specially designed tools, we can embed messages in common graphics and/or music files. Once the file has been encoded, one can then post the file on a webpage or through some other accessible means and instantly pass along our hidden message.

Much press has been given to using steganographic tools on the Windows platform, but does that mean those of us using a Macintosh or a Linux distribution are out of luck? Certainly not! This post will detail how to encode a JPEG on the Macintosh platform using an application called Cryptix, and then we will look at a command-line option on the Linux platform.

Cryptix on OSX

You can download a copy of Cryptix from http://www.rbcafe.com/cryptix. Once downloaded, encrypting a JPEG is pretty straightforward. Under the Tools pull-down menu select Steganography. You have two choices: either use Cryptix’s built-in tool or the GUI version of the open source tool Outguess. One thing to keep in mind… if you use Cryptix’s built-in tool, only Cryptix can unlock the secrets embedded in the file that was created. If you need to share with users on other platforms, Outguess GUI is your best bet! Let’s take a look at Cryptix’s built-in tool!

In the Key field we added a very simple passphrase. In real life you may want to use something a bit more complex. The message field is where we place the data we are looking to embed in our JPEG. If the message is short, typing the message is fairly simple; otherwise Cryptix does allow you to paste data into the message field. Next click the Encrypt button. You will be presented with the following dialogue sheet.

Select the file you wish to embed your data into. Next select a filename for the newly created (or modified) JPEG.

Now you can open the newly created file within an application that can read a .jpg file.

NOTE: A word of caution! The file size of the newly created JPEG was 10X larger than the original file. Additionally, there were some extreme artifacts left after the embedding process. I originally tried to embed Sun Tzu’s Art of War into the file and got some erratic results. I attributed the result to the amount of data I was trying to embed. However, in the above how-to, the amount of text embedded into the JPEG was minimal! If you look closely at that file, there are still some visual artifacts remaining. (See below)




[Images: Original JPEG | How-To JPEG | Art of War JPEG]

One could overlook the artifacts left behind in the how-to JPEG if the original file was not on hand to compare the difference. Additionally, if you were to look at the histograms of all the modified files, one could definitely see there are problems with the files. Your results will vary based on how much data you’re trying to embed and how big the original graphic file is.

Outguess on Ubuntu

Outguess is a command-line driven tool. Some find this an obstacle, but it is easy to use. The man page for outguess is pretty complete, with examples. An online version can be found at http://manpages.ubuntu.com/manpages/gutsy/man1/outguess.1.html.

Installing Outguess on Ubuntu is fairly straightforward. Open Synaptic Package Manager and type outguess.

Once that completes, outguess can be found in /usr/bin. Open a terminal window. NOTE: I placed both the JPEG I wanted to embed data into and the file containing my data in the same directory for simplicity’s sake! Navigate to the directory your files are located in. Enter the following command (please modify the file names based on your files).

root@corusant# outguess -k password -d TopSecretMessage.txt before.JPG after.JPG

The -k flag is the passphrase you’re going to use to protect the embedded data. You will need this to extract the data at a later date. The -d flag is the file that contains the data you want to embed in the JPEG. The before.JPG needs to exist before the process begins BUT the after.JPG is created by outguess at the end of the embedding process.

You should see output similar to this:

Reading before.JPG....
JPEG compression quality set to 75
Extracting usable bits:   181591 bits
Correctable message size: 14684 bits, 8.09%
Encoded 'TopSecretMessage.txt': 1400 bits, 175 bytes
Finding best embedding...
0:   682(47.6%)[48.7%], bias   739(1.08), saved: 2, total:  0.38%
2:   682(47.6%)[48.7%], bias   687(1.01), saved: 2, total:  0.38%
46:  685(47.8%)[48.9%], bias   679(0.99), saved: 1, total:  0.38%
72:  676(47.2%)[48.3%], bias   675(1.00), saved: 3, total:  0.37%
82:  688(48.0%)[49.1%], bias   650(0.94), saved: 1, total:  0.38%
152: 698(48.7%)[49.9%], bias   638(0.91), saved: 0, total:  0.38%
152, 1336: Embedding data: 1400 in 181591
Bits embedded: 1432, changed: 698(48.7%)[49.9%], bias: 638, tot: 180854, skip: 179422
Foiling statistics: corrections: 324, failed: 0, offset: 64.375546 +- 165.386280
Total bits changed: 1336 (change 698 + bias 638)
Storing bitmap into data...
Writing after.JPG....

Congratulations! You’ve just embedded the contents of the file TopSecretMessage.txt into the file after.JPG. The process to retrieve data from after.JPG is just as simple.

root@corusant # outguess -k password -r after.JPG hidden.txt
Reading after.JPG....
Extracting usable bits: 181591 bits
Steg retrieve: seed: 152, len: 175

You now have a file (hidden.txt) that contains the same data that was stored in TopSecretMessage.txt.
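Added example, not from the original post: a small wrapper around the two outguess invocations above. It checks the payload size against the “Correctable message size” line in outguess’s report, then extracts the data again and compares it byte for byte with the original, since a silent mismatch is the failure you least want to discover later. The flags (-k, -d, -r) are the ones used in the post; the round-trip function needs outguess installed, while the log-parsing helpers run anywhere. The sample report lines used to exercise the parser are copied from the output shown above.

```shell
#!/bin/sh
# Added example, not from the original post.  Wraps "outguess -k ... -d ..."
# and "outguess -k ... -r ...", checks the payload against the capacity that
# outguess reports, and verifies the round trip byte for byte.
# Assumes outguess(1) with the -k, -d and -r flags used in the post.

# Print the N from "Correctable message size: N bits" in a saved outguess log.
capacity_bits() {
    sed -n 's/^Correctable message size: *\([0-9][0-9]*\) bits.*/\1/p' "$1" | head -n 1
}

# Bits a payload file occupies (8 per byte), before outguess's own overhead.
payload_bits() {
    bytes=$(wc -c < "$1")
    echo $((bytes * 8))
}

# Succeed when $1 payload bits fit into $2 correctable bits.
fits() {
    [ "$1" -le "$2" ]
}

# Embed $2 into cover $3 producing $4 under passphrase $1, extract it again and
# compare with the original.  Returns 0 only on an exact match.
steg_roundtrip() {
    pass="$1"; payload="$2"; cover="$3"; stego="$4"
    log=$(mktemp); extracted=$(mktemp)
    if ! outguess -k "$pass" -d "$payload" "$cover" "$stego" >"$log" 2>&1; then
        cat "$log" >&2
        rm -f "$log" "$extracted"
        return 1
    fi
    need=$(payload_bits "$payload"); have=$(capacity_bits "$log")
    if ! fits "$need" "${have:-0}"; then
        echo "warning: $need payload bits vs $have correctable bits" >&2
    fi
    if ! outguess -k "$pass" -r "$stego" "$extracted" >/dev/null 2>&1; then
        rm -f "$log" "$extracted"
        return 1
    fi
    if cmp -s "$payload" "$extracted"; then rc=0; else rc=1; fi
    rm -f "$log" "$extracted"
    return $rc
}
```

Usage mirrors the post: `steg_roundtrip password TopSecretMessage.txt before.JPG after.JPG && echo ok`. The 1400-bit payload in the report above sits well inside the 14684 correctable bits, which is why that embedding went through cleanly; a payload that approaches or exceeds that figure is where the artifacts described in the Cryptix section start to show.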

Resources:

Pierce, D. (2010, February 8th) How To: Smuggle Secret Information with VOIP, Retrieved on March 12th, 2010 from http://www.wired.com/dangerroom/tag/steganography/

Provos N., (2006, January 4), OutGuess – Information, Retrieved on March 12th, 2010 from http://www.outguess.org/info.php

Additional resources:

http://lifehacker.com/230915/geek-to-live--hide-data-in-files-with-easy-steganography-tools

http://www.linkgard.com/security_blog/introduction-to-steganography-and-steganalysis/

In an odd twist of fate, risk assessment and encryption follow many of the same principles. It’s about identifying what the data is worth and then putting a value on it. Once that is done, protecting the data becomes a matter of pain threshold. In other words, what can we afford to lose and how much will it cost us to protect it? In encryption the principle in effect is… how long will it take someone to crack the encryption, and will the data still be valuable when they do? It is tricky to assess pain threshold as everyone feels like his or her data is the most important to the organization. Certainly trade secrets and financials rate high on the pain threshold index. BUT what about creative artwork? It depends. Is time to market critical? Or is there a feature set that will put your organization far in front of the competition? These are all questions that need to be answered before one can determine the worth of the data being protected.

Ultimately, if you want to deploy a technology it’s up to you to determine the ROI and present it to the holders of the purse strings. It’s up to you to convince them that what you’re trying to do is worth the investment.

ROI (or Return on Investment) is the key to budgeting for any project, particularly so in IT. We are a cost center in most organizations. That doesn’t have to be the case. While we may spend dollars on the implementation of a project, we are also instrumental in saving the company money. Sometimes what seems like a mundane request from an end-user, such as “The colors on this printer don’t match the other printer,” can lead to a cost savings of over 3.4 million dollars a year in overall printing costs. Wish I saw some of that… maybe a small vacation… perhaps! Other projects have a much more expensive ticket to admission, and being able to justify the cost is something you need to be equipped to deal with.

Spending on an Intrusion Detection System is tough. Why? Because there are no real hard up-front savings. IDSs need to be pitched as an insurance policy. You never know when you’re going to need it but when you do you’ll be glad you have it. PKI, and most encryption for that matter, works on the principle that it will take more time to crack the encryption than the information protected is good for. In his book, Time Based Security, author Winn Schwartau applies this concept to Intrusion Detection. If the time that protection mechanisms can withstand attack exceeds the time it takes to detect and effectively respond to attack, then a system can be secured (Schwartau, 1999).

Resources:

Schwartau, W., (1999), Time Based Security, Interpact Press

Project Management is an art form, and anyone that tells you differently… Well, let’s just say we all have our own opinions. The best-laid plans are just that: plans. They are not set in stone, and outside influences have yet to act upon them. Projects are always in a state of flux until completed. And then even when you think they are done… well, let’s just say some projects never end (especially in IT). The pioneers of modern project management, Henry Gantt (who gave us the Gantt chart) and Henri Fayol (who introduced the 5 stages of project development), gave us the fundamental tools used by any project coordinator. The author of the textbook takes Fayol’s basic principles and modifies them to meet the needs of someone rolling out an IDS.

Fayol’s five basic stages are:

    1. Initiation
    2. Planning
    3. Execution
    4. Monitoring
    5. Completion

Using these steps as a guideline merely sets the stage for a successful project. Without following these basic steps you may complete your project but I guarantee it won’t be as easy as it could have been.

Gantt charts are an excellent way of tracking a project. Both MS Project and ACE FastTrack allow for the setting of milestones. I personally use FastTrack, and one of the really cool features of this program is its ability to push back other milestones based on missed deadlines. All projects get behind at some point (humans can’t predict when someone is going to be out sick). Seeing how one task depends on another is a valuable tool. There are many variables in life… many of which we can’t control. On the other hand… many things we can. It is the balancing of these two that leads to the meeting of deadlines. This makes me think back to Kennedy’s promise to put a man on the Moon by 1970. The deadline was established! However, since no one had ever undertaken a project of this magnitude… it was incredibly difficult to budget and plan man-hours to accomplish the project. The contractors knew enough about their businesses to be able to balance what they knew with the unknown and unexpected, AND they managed to make Kennedy’s dream a reality 5 months before the deadline. How’s that for project management?

Another wonderful malware day… Well, not exactly, but a beautifully executed social engineering attack! Today a lot of my users called to say that they were getting emails from friends asking them to join Tagged. A classic phishing attack, and I can’t tell you how many people fell for it! In this case it wasn’t as bad as some of the ones asking for bank PINs & passwords, but it’s another example of people not using common sense! Now I can’t say for certain what information they asked for, but one should never give out any personal information.


The information age has made the exchange of data common place. Many of the things like our social security number and mother’s maiden name are so freely available that credit card companies already know the answers before you ever speak with them.

http://www.consumerfraudreporting.org/phishing_Tagged_dot_com.php

It seems that this particular scam has been circulating since 2007. So my big question is: why did it get past DefenderSoft? For all you network admins out there, the lesson learned is that there is a big difference between companies that offer spam protection.

Password enumeration, while not related to phishing, should be mentioned.

A couple of things to keep in mind: never just click an email link and expect that it brings you to the site that is advertised in the email. When signing up at legitimate social networking sites, be careful about allowing them access to your address book.

Luckily for me… a lot of the emails came from other employees so they were able to verify that the email was a scam.

ETHERAPE is an excellent “real-time” network-monitoring tool. It gives you the ability to see how your network is being utilized! The first time you start up Etherape you’ll know immediately what you are looking at. The thicker the line, the more traffic you’re seeing. Etherape separates out different types of traffic by color, making it very easy to see which services are used the most relative to one another. Lastly, you can see which host is sending versus which is receiving the data. This is very important information. It will allow you to see whether the traffic is normal or not. For instance… normally with HTTP traffic, the server should be sending the vast majority of traffic out onto the wire. HTTP requests are far smaller than the actual content the server is putting out. However, if this is reversed and you see huge amounts of traffic coming in… and people are complaining they can’t get to the site… you may be the target of a Denial of Service attack! Simple, yes, BUT it does take a lot of the guesswork out of the troubleshooting process.

One nice feature of Etherape is that it can play back dump files. This comes in handy when you’re trying to analyze something that is happening when you’re not there to watch it. The downside is that there is no control over the playback speed (so you’re watching packets fly by in real time). Ouch! Etherape doesn’t do much, but what it does do it does nicely!

WIRESHARK, like tcpdump, uses the libpcap library. So to that end you can make use of the same filters to capture/show only the traffic that relates to your specific area of concentration. Very often we are looking at a specific problem. It is always good to see the bigger picture, and to that end one should be capturing all traffic at first to eliminate all variables (sometimes your traffic is simply being dropped). That would point you in a very different direction than if your packets were getting to the intended host but you were getting the wrong/inappropriate information back. Sometimes a machine will host many different services. You may want to filter out all traffic except the service that you’re having problems with. This is the sort of thing that filters are great at. So let’s take a look at libpcap filters…

Let’s say we have a user who cannot log in to their computer. Authentication is being provided by a server running Mac OS X v10.5. Their home directory also resides on the same host. The key thing here is that this user is trying to log in from their Mac to an Open Directory server! There are a bunch of tools that you can use such as ping, traceroute, dscl, kinit and nslookup! BUT sometimes they can be deceiving! Based on the above info we need to make sure we are capturing traffic on the following ports: 53 for DNS, 88 for Kerberos, 389 for LDAP.

The first thing we could try is:

port 53

This will yield the results of a DNS query! OK, yes, you could do that using nslookup or dig… BUT those tools will not tell you how or what a host is sending for lookups. What is the query string the host is sending? Perhaps you didn’t send the FQDN, or better still, the host is getting hung up on multiple search domains. DNS can be finicky!

Next filter…

port 88 and host 192.168.1.15

We know our KDC resides at 192.168.1.15 and Kerberos runs on port 88 by default. The granting of tickets should only yield 4 packets. If you’re seeing more than that, perhaps the wrong password is being sent. We added the host IP address to make sure that we are actually seeing the right server. Additionally, by looking through the packets we can make sure the Kerberos DOMAIN is being sent correctly.

One other really nice feature of Wireshark is that you can apply these same filters to all the data already captured (whether it’s still in /tmp or in a pcap file).
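Added example, not from the original post: the two filters above are shown one at a time, while the login case needs DNS, Kerberos and LDAP at once. The script below builds the combined libpcap filter for all three ports against the directory server, produces the same selection in Wireshark’s own display-filter syntax (which differs from libpcap’s), and uses tcpdump first to record everything to a file and then to re-read that file with a narrower filter. tcpdump, the interface name en0 and the file name login.pcap are assumptions; the 192.168.1.15 address is the KDC from the post.

```shell
#!/bin/sh
# Added example, not from the original post.  Builds capture and display
# filters for the Open Directory login case (DNS 53, Kerberos 88, LDAP 389
# to and from the directory server).  tcpdump, "en0" and "login.pcap" are
# assumptions; nothing is captured unless you call the last two functions.

# Print the libpcap filter "host H and (port P1 or port P2 ...)" for host $1
# and the ports given as the remaining arguments.
pcap_filter() {
    host="$1"; shift
    ports=""
    for p in "$@"; do
        ports="${ports:+$ports or }port $p"
    done
    printf 'host %s and (%s)\n' "$host" "$ports"
}

# The same selection as a Wireshark display filter.  Display filters use
# Wireshark's syntax, not libpcap's, and Kerberos and LDAP may travel over
# TCP or UDP, so both transports are listed for every port.
display_filter() {
    host="$1"; shift
    ports=""
    for p in "$@"; do
        ports="${ports:+$ports || }tcp.port == $p || udp.port == $p"
    done
    printf 'ip.addr == %s && (%s)\n' "$host" "$ports"
}

# Record everything between the client and the directory server ($1) on the
# three login ports, so nothing is filtered away before you know the cause.
capture_login() {
    iface="${2:-en0}"          # assumed interface name, typical on a Mac
    tcpdump -i "$iface" -n -w login.pcap "$(pcap_filter "$1" 53 88 389)"
}

# Re-read the saved capture with a tighter filter, here just the Kerberos
# exchange, which the post says should be about four packets per login.
replay_kerberos() {
    tcpdump -n -r login.pcap "$(pcap_filter "$1" 88)"
}
```

Typical use is `capture_login 192.168.1.15` during a failed login attempt, then `replay_kerberos 192.168.1.15` to count the Kerberos packets, and `display_filter 192.168.1.15 53 88 389` to paste into Wireshark when opening login.pcap there. Capturing broadly first and narrowing afterwards is the same order the text recommends: eliminate variables, then zoom in.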