c0t0d0s0.org

User have the habit to break any security policy. At least as long you don't enforce it. One of the most annoying habit from the view of the security people is the tendency to choose weak passwords, the name of the boy or girl friend, the prefered brand of cars, birthdays ... you name it. This passwords are everything but secure. But you can configure Solaris to check the new passwords.

Many people are unaware of the fact, that only the first eight characters of a password are used in the default configuration of Solaris. Don´t believe it? Let´s try it.

The password is the key to the system. When you know the username and the password, you can use the system. If not ... well ... go away. You can´t overemphasize the value of good passwords. There is something you can do as the admin at the system level to ensure such passwords: At first you can use stronger mechanisms to hash the passwords. And you can force the users of your system to use good password. This tutorial will explain both tasks.

A hard disk goes down in flames through the atmosphere and specialists were still able to recover 90 percent of the data: Data recovered from Seagate drive in Columbia shuttle disaster. At the end, data seems to be more resistant then most of us believe, when you put a vast amount of effort behind the recovery.

This leads me to annother thoughtgame: Let´s assume, you shredder a disk to pieces as tiny as 1 square millimeter. This would just look like dust to you. A modern harddisk stores 200 gigabit per square inch. One square inch are 645.16 square milimeters. Thus a harddisk would store 310 megabits on a square milimeter. Let´s assume 10 bits per byte (for error correction and similar things) and you have 31 megabytes worth of data on one of these pieces of dust.

It´s just a question of effort to recover the data, when you can yield 10 million euros out of the data (trade secrets, credit card data) it would give you a nice profit when you spend for example 9 million to recover the data. Yet another reason for cryptography everywhere or you may end up with degaussing, shreddering and remelt your old harddisks just to be safe.

No software is without errors. This is a basic law of computer science. And when there is no bug in the software (by a strange kind of luck) your hardware has bugs. And when there are no bugs in the hardware, cosmic rays are flipping bits. Thus an operating system needs some mechanisms to stop a process or the complete kernel at once without allowing the system to write anything back to disk and thus manifesting the corrupted state. This tutorial will cover the most important concepts surrounding the last life signs of a system or an application.

A really interesting article about Automatic Patch-Based Exploit Generation:

Attackers can simply wait for a patch to be released, use these techniques, and with reasonable chance, produce a working exploit within seconds. Coupled with a worm, all vulnerable hosts could be compromised before most are even aware a patch is available, let alone download it. Thus, Microsoft should redesign Windows Update. We propose solutions which prevent several possible schemes, some of which could be done with existing technology.

(found via Bruce Schneiers blog)

I found two really interesting interesting presentation. At first Brent Paulson wrote an really interesting presentation about practical Opensolaris Security. It´s a good overview about the possibilities of Solaris to increase the level of security at your installation. Ben Rockwood of cuddletech.com wrote an good preso about the usage of dtrace in conjunction with mysql.

When you want to place a system into a network, it´s a good practice to harden the system. Hardening is the configuration of a system to minimize the attack vectors for an intruder by closing down services, configuring stricter security policies and activating a more verbose logging or auditing.

Okay, at the first moment i was really in fear that we have installed OS images with a nasty new security vulnerability or we installed a solaris version with the infamous telnet bug, when i´ve read this Sun confirms it shipped vulnerable servers. Okay, then searching for the SunAlertSome Sun SPARC Enterprise T5120 and T5220 Servers Shipped With an Incorrect Solaris 10 Image Containing an Insecure Configuration. Drama queens ... just a little experience from the field: We delivered a system in a configuration that many systems gets within 10 minutes after booting anyway .. with activated remote root login Well, believe it or not ... there are customers still using telnet. The day when the last admin understands that telnet or remote direct root login are bad ideas will be the same day i´m out for figure skating in hell ...

PS: Nevertheless, something like that should not happen ....

I´ve linked to the Opensolaris project for implementing Flexible Mandatory Access Control a few days ago. Yesterday we´ve made the announcement that a joint effort of Sun(NASDAQ:JAVA) and the NSA ("No such agency") to implement NSA's Flux Advanced Security Kernel (FLASK) in Opensolaris was started by the both partners.

Your colleague is at lunch, he or she didn´t loged out, and the screen is locked? And you need the workstation right now? No problem! Adam Boileau has a neat solution or this problem. Simply use winlockpwn to unlock the system. You colleagues notebook has no Firewire port? No problem, you only have to put a Cardbus Firewire card into the system. Wait for auto installation (Windows autoinstall drivers while screenlocked) and use winlockpwn to get access to the system.

Don´t hassle around with this strategy to cool down chips and put them in a different system for the cold boot attack, you can read the memory of the live system.

How does this hack work? Well, just read this presentation:Hit by a Bus: Physical Access Attacks with Firewire . This trick was presented 2 years ago, but you can still use it. This hack uses a feature of Firewire: It uses DMA for the fast transfer of data. With this capability you can read and write the memory of the system ... and that´s the master key to the kingdom. And to add insult to injury: You can´t really change it, as the DMA is the "Fire in Firewire" as Adam coined it ..

PS: Where is my credit card ... i need a firewire card for my old notebook

Some weeks ago i posted an article about the signed binaries in Solaris. Every binary in Solaris has an digital signature. It´s the next logical step to execute only signed binaries. And ... welll ... now there´s a project in progress to give Solaris exactly this capability: Validated Execution. It uses the signature for binaries and BART manifests for securing shell scripts.

My considerations about the security of virtual machines seem to be correct. The Register writes about a VMware Workstation exploit in VMware vuln exposes the perils of virtualization:

The exploit uses a specially crafted path name to access folders that are being shared between the host and virtual environments. VMware applications fail to validate the malicious parameters passed from the guest system to VMware's Shared Folders mechanism. The Shared Folders mechanism then hands off the bad data to the host system's file system, which allows the exploit complete access.

At the end virtualisation is based on software and software has bugs. Such exploits are inevitable. You have to consider this in your security policies. You can´t assume that a virtual server is as secure as a physical one. This is not a problem, you just have to take it into consideration.

On the foundations of Dtrace the security specialists Tiller Beauchamp and David Weston created a tool for finding vulnerabilties in your code (or writting exploits, depends on your objectives). It uses the mechanisms of DTrace and extends them. As Internetnews writes in Blackhat: Dtrace a Rootkit:.

Sun's Dtrace application was developed primarily as a tool to help monitor functions on Solaris. According to a pair of security researchers at the Black Hat conference, you can also use Dtrace as the basis for a rootkit-like tool for offensive and defensive security operations.

Finding vulnerabilties and writting exploits are different sides of a special case of debugging code. And debugging is exactly the job, we´ve developed dtrace for. It was really obvious, that someone will use dtrace for such an usecase.

Das ist die Präsentation zum Thema "Das sicherste Betriebsystem". Es ist die Version, die ich eigentlich halten wollte bevor ich mit Keynote Mist gebaut habe und die Mittagspause zur schnellen Wiederherstellung vom Hirnbackup nutzen musste. Diese Version ist etwas länger. Habe sie eben aus der Time Machine geholt und grob noch mal durchgesehen. Auch hier fehlt wieder die Tonspur ...