Sunday Post #11 - Memorial Day

Where does one begin saying "Thank You" to all those who have given everything so that we may have our freedom?

Photo: Steve Zenone (Golden Gate National Cemetery)

"That from these honored dead we take increased devotion to that cause for which they gave the last full measure of devotion ... that we here highly resolve that these dead shall not have died in vain."
-- Abraham Lincoln, spoken at Gettysburg in 1863

Walking through the cemetery, contemplating, I was in awe. Each tombstone not only represents a single serviceman/servicewoman. Rather, every tombstone also represents the family and friends whose lives were interwoven so intimately...in addition to the lives the family and friends touched. Clearly, we're all affected and connected.

Opinion: Responses to OpenSSL Vulnerability

As those of you in the IT Security world know, last week there was a serious vulnerability in Debian's/Ubuntu's OpenSSL random number generator [link].

The vulnerability in OpenSSL was announced by the Debian Project on Thursday, May 13th, 2008 [link]. That same day updated OpenSSL packages were released for Debian, Ubuntu and Debian-based distributions [e.g., link]. Shortly thereafter code was being posted to Full Disclosure and other lists to exploit this vulnerability on unpatched systems.

I was very surprised by people's reaction regarding this vulnerability. In particular, there was a noticeable amount of OS bashing; discrediting the affected operating systems. That irony is that majority of this negative publicity came from from other *NIX centric individuals who simply stood back while proudly saying, "look, my superior OS wasn't affected." It's funny that the elitist OS wars of past still continue continue today. It's also entertaining - but that's besides the point. Unfortunately, this type of negative publicity doesn't contribute to building and strengthening the communities that are working so hard to build incredible flavors of their OS of choice. In one way or another, some requiring more creativity than others, the family of *NIX operating systems share a common ancestry [see UNIX family tree image below].

Click on above image to enlarge [image: ZwahlenDesign]
For a more complete timeline, see Eric Levenez's UNIX History [link].

I can imagine Rodney King, while waiving a black flag with a the Linux penguin mascot, now saying, "People, I just want to say, you know, can we all get along? Can we get along?"

I agree, it's too bad that the code that made the latest OpenSSL vulnerability a reality existed. It also highlights the blind trust people generally place into the operating systems that they use. However, what I also clearly see is how the community quickly worked together and released fixes prior to exploit code being widely disseminated. Now, that's awesome! There was no Patch Tuesday to wait for. Rather, the fixes were created, tested, and distributed as soon as possible.

Without a doubt I'm very glad to have moved my desktop OS of choice to Ubuntu two years ago. Sure, I'd be happy with SUSE, Fedora, RedHat, FreeBSD, OpenBSD. I've used them all. However, for reasons that work for me I've settled on Ubuntu ... for now.

Security: Debian and Ubuntu OpenSSL Vulnerability

I won't go into all the details since majority of the security mailing lists and blogs are covering the issue -- however, I'm blogging this as a reminder. The recent Debian/Ubuntu OpenSSL random number generator vulnerability is very serious, especially if you had generated any keys on Debian or Ubuntu systems running vulnerable versions of OpenSSL (e.g., ssh keys, OpenVPN keys, etc).

There's an excellent detailed summary regarding this issue on HD Moore's web site hosted on Metasploit (link below). To quote from the website:

"All SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc) between September 2006 and May 13th, 2008 may be affected. In the case of SSL keys, all generated certificates will be need to recreated and sent off to the Certificate Authority to sign. Any Certificate Authority keys generated on a Debian-based system will need be regenerated and revoked. All system administrators that allow users to access their servers with SSH and public key authentication need to audit those keys to see if any of them were created on a vulnerabile system. Any tools that relied on OpenSSL's PRNG to secure the data they transferred may be vulnerable to an offline attack. Any SSH server that uses a host key generated by a flawed system is subject to traffic decryption and a man-in-the-middle attack would be invisible to the users. This flaw is ugly because even systems that do not use the Debian software need to be audited in case any key is being used that was created on a Debian system."

Per the standard recommendation, patch all vulnerable systems as soon as possible. In addition you will need to generate any keys that were created previously using vulnerable versions of OpenSSL.

HD Moore's Website [link]
Official CERT Advisory [link]

HowTo: Uncomplicated Firewall (ufw) in Ubuntu 8.04

I've recently upgraded several of my systems to Ubuntu 8.04 (Hardy Heron). While poking around, figuring out what has changed since 7.10 (Gutsy Gibbon), I came across the 'ufw' command, which is an acronym for Uncomplicated Firewall.

Personally, on my linux systems I've preferred working with iptables directly. Several years ago I started using 'fwbuilder' to manage my iptables. Nonetheless, I'm still interested in playing around with ufw to see what value it has.

Here's an ifw example using OpenBSD's PF syntax:

• Let's assume I want to allow all ssh traffic (22/tcp) from the 10.10.1.0/24 subnet to my host at IP 10.10.2.10:

sudo ufw allow from 10.10.1.0/24 to 10.10.2.10 port 22

• Is there a single host that's bothering you and you want to block it?

sudo ufw deny from {IP address}

If you're interested in testing ufw, the Ubuntu Unleashed Blog [link] has a useful guide on using the tool. Of course, you can always use the man pages as well [`man ufw`].

Off Topic: Manualism

Recently I learned about the entertaining subculture of manualism. It happened by complete chance, I swear! You believe me, don't you?

While searching YouTube for "Cantina Band", there was a video that I couldn't resist watching. Without skipping a beat I moved my mouse over the video and clicked play. As I began watching the video of a manualist playing the Star Wars “Cantina Band” song with his hands, distant memories from my past started to emerge. It had nothing to do with rice and beans. Please!

As I was saying, we were just about to take a stroll down memory lane...

[dream sequence]
I remembered my sophomore year in high school; I was sitting in my desk during Spanish class. I should have been conjugating verbs, but instead I was attempting to squeeze air through my hands while pressing them together, firmly. Minutes passed and I kept trying to make sound with my hands. Suddenly, and quite unexpectedly, there was a hush in class, and it was during that silence that my hands made “the sound”. If I recall correctly, the moment my hands made the sound of bodily relief, my face grew bright red. I had no idea if my classmates thought I had uncontrolled flatulence or if my hands made the sound.
[/dream sequence]

Fast forward twenty years, and there I was watching a guy play “The Cantina Band” using his hands! I wondered how much the musician must have practiced to be able to play the song as well as he did? Interestingly, according to Wikipedia, “Some manualists practice for as much as 30 years before finally reaching a presentable level of proficiency.” Apparently the first individual that was documented to have made musical parody with his hands was Cecil Dill. He claims to have learned how to play “Yankee Doodle” using his hands back in 1914.

Now, isn't that a gas!

Video of manualist playing "The Cantina Band" [link]
Video of Cecil Dill and his Musical Hands [link]
Wikipedia article on Manualism [link]

UPDATE [6/13/2008]: My piece aired this afternoon. If you missed it, you can download the two minute segment here [link to mp3]

Sunday Post #10

Maintaining a healthy balance between work and our personal lives requires ongoing attention and dedication. Think back over the past week, or month, and you'll see that there were probably days where things seemed to have been in perfect harmony, and then there were also days where it felt as if everything was happening a bit chaotically and out of control. We then end up labeling these experiences as either good or bad.

This week's Sunday Post is a quote from Alan Weiss, author of "Getting Started in Consulting". The quote below continues to remind me about my goal of fulfilling my ambitions and dreams, and that the path to the realization of this goal requires balance...and awareness.

Photo: Steve Zenone, Creative Commons License

"As you become more successful, you'll have the opportunity to transfer some of the intensity, passion, focus, time, and perseverance that you've invested in your business -- and necessarily so, to launch and sustain it successfully -- to your private interests, family, community, and friends. Ironically, that transfer to a greater balance of life and work will actually accelerate your business growth still more."
-- Alan Weiss, PhD: "Getting Started in Consulting", page 4.

BlackHat and DEFCON

It's that time of year again when I start looking at the logistics involved so that I can attend both BlackHat and DEFCON. It's also the time when I start figuring out costs and hope that work will cover them under the training budget...which is an entirely another story!

The two-day training at BlackHat, Enterprise Security from Day 1 to Completion, if I register now will cost $2200 and runs from August 4th to the 5th (all of the trainings look interesting, but I believe the Enterprise Security will give me the forum to answer some questions I have as an IT security professional). Next, there's the BlackHat briefings from August 6th to the 7th for a cost of $1495 - again, this is if I register now. By registering for BlackHat I will be able to get into DEFCON for free. DEFCON runs from August 8th to the 10th.

Next there's the cost of the flight - I'm estimating about $250 roundtrip. Lodging from August 3rd to the 10th will be about $1600...then there's the $320 for food.

Here's the rough breakdown:

Airfare.............$250
Conference Fees....$3695
Lodging............$1600
Meals...............$320
Car Rental (maybe)..$320
========================
Initial Total......$6185

Now it's time for me to get the funding to cover the training expenses this week so that I can register before prices go up.

I look forward to catching up with many of my colleagues, friends, and Security Twits!

UPDATE [5/15/2008]: I've received approval from my management for the training. Now I'm working with purchasing to get the travel request fulfilled.