Monday, May 19, 2008

Opinion: Responses to OpenSSL Vulnerability

As those of you in the IT Security world know, last week there was a serious vulnerability in Debian's/Ubuntu's OpenSSL random number generator [link].

The vulnerability in OpenSSL was announced by the Debian Project on Thursday, May 13th, 2008 [link]. That same day updated OpenSSL packages were released for Debian, Ubuntu and Debian-based distributions [e.g., link]. Shortly thereafter code was being posted to Full Disclosure and other lists to exploit this vulnerability on unpatched systems.

I was very surprised by people's reaction regarding this vulnerability. In particular, there was a noticeable amount of OS bashing; discrediting the affected operating systems. That irony is that majority of this negative publicity came from from other *NIX centric individuals who simply stood back while proudly saying, "look, my superior OS wasn't affected." It's funny that the elitist OS wars of past still continue continue today. It's also entertaining - but that's besides the point. Unfortunately, this type of negative publicity doesn't contribute to building and strengthening the communities that are working so hard to build incredible flavors of their OS of choice. In one way or another, some requiring more creativity than others, the family of *NIX operating systems share a common ancestry [see UNIX family tree image below].

Click on above image to enlarge [image:
For a more complete timeline, see Eric Levenez's UNIX History [link].

I can imagine Rodney King, while waiving a black flag with a the Linux penguin mascot, now saying, "People, I just want to say, you know, can we all get along? Can we get along?"

I agree, it's too bad that the code that made the latest OpenSSL vulnerability a reality existed. It also highlights the blind trust people generally place into the operating systems that they use. However, what I also clearly see is how the community quickly worked together and released fixes prior to exploit code being widely disseminated. Now, that's awesome! There was no Patch Tuesday to wait for. Rather, the fixes were created, tested, and distributed as soon as possible.

Without a doubt I'm very glad to have moved my desktop OS of choice to Ubuntu two years ago. Sure, I'd be happy with SUSE, Fedora, RedHat, FreeBSD, OpenBSD. I've used them all. However, for reasons that work for me I've settled on Ubuntu ... for now.

Saturday, May 17, 2008

Security: Debian and Ubuntu OpenSSL Vulnerability

I won't go into all the details since majority of the security mailing lists and blogs are covering the issue -- however, I'm blogging this as a reminder. The recent Debian/Ubuntu OpenSSL random number generator vulnerability is very serious, especially if you had generated any keys on Debian or Ubuntu systems running vulnerable versions of OpenSSL (e.g., ssh keys, OpenVPN keys, etc).

There's an excellent detailed summary regarding this issue on HD Moore's web site hosted on Metasploit (link below). To quote from the website:

"All SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc) between September 2006 and May 13th, 2008 may be affected. In the case of SSL keys, all generated certificates will be need to recreated and sent off to the Certificate Authority to sign. Any Certificate Authority keys generated on a Debian-based system will need be regenerated and revoked. All system administrators that allow users to access their servers with SSH and public key authentication need to audit those keys to see if any of them were created on a vulnerabile system. Any tools that relied on OpenSSL's PRNG to secure the data they transferred may be vulnerable to an offline attack. Any SSH server that uses a host key generated by a flawed system is subject to traffic decryption and a man-in-the-middle attack would be invisible to the users. This flaw is ugly because even systems that do not use the Debian software need to be audited in case any key is being used that was created on a Debian system."
Per the standard recommendation, patch all vulnerable systems as soon as possible. In addition you will need to generate any keys that were created previously using vulnerable versions of OpenSSL.

HD Moore's Website [link]
Official CERT Advisory [link]

Tuesday, May 13, 2008

HowTo: Uncomplicated Firewall (ufw) in Ubuntu 8.04

I've recently upgraded several of my systems to Ubuntu 8.04 (Hardy Heron). While poking around, figuring out what has changed since 7.10 (Gutsy Gibbon), I came across the 'ufw' command, which is an acronym for Uncomplicated Firewall.

Personally, on my linux systems I've preferred working with iptables directly. Several years ago I started using 'fwbuilder' to manage my iptables. Nonetheless, I'm still interested in playing around with ufw to see what value it has.

Here's an ifw example using OpenBSD's PF syntax:

  • Let's assume I want to allow all ssh traffic (22/tcp) from the 10.10.1.0/24 subnet to my host at IP 10.10.2.10:
sudo ufw allow from 10.10.1.0/24 to 10.10.2.10 port 22
  • Is there a single host that's bothering you and you want to block it?
sudo ufw deny from {IP address}
If you're interested in testing ufw, the Ubuntu Unleashed Blog [link] has a useful guide on using the tool. Of course, you can always use the man pages as well [`man ufw`].

Sunday, May 11, 2008

BlackHat and DEFCON

It's that time of year again when I start looking at the logistics involved so that I can attend both BlackHat and DEFCON. It's also the time when I start figuring out costs and hope that work will cover them under the training budget...which is an entirely another story!

The two-day training at BlackHat, Enterprise Security from Day 1 to Completion, if I register now will cost $2200 and runs from August 4th to the 5th (all of the trainings look interesting, but I believe the Enterprise Security will give me the forum to answer some questions I have as an IT security professional). Next, there's the BlackHat briefings from August 6th to the 7th for a cost of $1495 - again, this is if I register now. By registering for BlackHat I will be able to get into DEFCON for free. DEFCON runs from August 8th to the 10th.

Next there's the cost of the flight - I'm estimating about $250 roundtrip. Lodging from August 3rd to the 10th will be about $1600...then there's the $320 for food.

Here's the rough breakdown:

Airfare.............$250
Conference Fees....$3695
Lodging............$1600
Meals...............$320
Car Rental (maybe)..$320
========================
Initial Total......$6185

Now it's time for me to get the funding to cover the training expenses this week so that I can register before prices go up.

I look forward to catching up with many of my colleagues, friends, and Security Twits!



UPDATE [5/15/2008]: I've received approval from my management for the training. Now I'm working with purchasing to get the travel request fulfilled.