Monday, May 19, 2008

Opinion: Responses to OpenSSL Vulnerability

As those of you in the IT Security world know, last week there was a serious vulnerability in Debian's/Ubuntu's OpenSSL random number generator [link].

The vulnerability in OpenSSL was announced by the Debian Project on Thursday, May 13th, 2008 [link]. That same day updated OpenSSL packages were released for Debian, Ubuntu and Debian-based distributions [e.g., link]. Shortly thereafter code was being posted to Full Disclosure and other lists to exploit this vulnerability on unpatched systems.

I was very surprised by people's reaction regarding this vulnerability. In particular, there was a noticeable amount of OS bashing; discrediting the affected operating systems. The irony is that the majority of this negative publicity came from other *NIX centric individuals who simply stood back while proudly saying, "look, my superior OS wasn't affected." It's funny that the elitist OS wars of the past still continue today. It's also entertaining - but that's beside the point. Unfortunately, this type of negative publicity doesn't contribute to building and strengthening the communities that are working so hard to build incredible flavors of their OS of choice. In one way or another, some requiring more creativity than others, the family of *NIX operating systems share a common ancestry [see UNIX family tree image below].

[image: UNIX family tree]
For a more complete timeline, see Eric Levenez's UNIX History [link].

I can imagine Rodney King, while waving a black flag with the Linux penguin mascot, now saying, "People, I just want to say, you know, can we all get along? Can we get along?"

I agree, it's too bad that the code that made the latest OpenSSL vulnerability a reality existed. It also highlights the blind trust people generally place into the operating systems that they use. However, what I also clearly see is how the community quickly worked together and released fixes prior to exploit code being widely disseminated. Now, that's awesome! There was no Patch Tuesday to wait for. Rather, the fixes were created, tested, and distributed as soon as possible.

Without a doubt I'm very glad to have moved my desktop OS of choice to Ubuntu two years ago. Sure, I'd be happy with SUSE, Fedora, RedHat, FreeBSD, OpenBSD. I've used them all. However, for reasons that work for me I've settled on Ubuntu ... for now.

Saturday, May 17, 2008

Security: Debian and Ubuntu OpenSSL Vulnerability

I won't go into all the details since the majority of the security mailing lists and blogs are covering the issue -- however, I'm blogging this as a reminder. The recent Debian/Ubuntu OpenSSL random number generator vulnerability is very serious, especially if you had generated any keys on Debian or Ubuntu systems running vulnerable versions of OpenSSL (e.g., ssh keys, OpenVPN keys, etc).

There's an excellent detailed summary regarding this issue on HD Moore's web site hosted on Metasploit (link below). To quote from the website:

"All SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc) between September 2006 and May 13th, 2008 may be affected. In the case of SSL keys, all generated certificates will need to be recreated and sent off to the Certificate Authority to sign. Any Certificate Authority keys generated on a Debian-based system will need to be regenerated and revoked. All system administrators that allow users to access their servers with SSH and public key authentication need to audit those keys to see if any of them were created on a vulnerable system. Any tools that relied on OpenSSL's PRNG to secure the data they transferred may be vulnerable to an offline attack. Any SSH server that uses a host key generated by a flawed system is subject to traffic decryption and a man-in-the-middle attack would be invisible to the users. This flaw is ugly because even systems that do not use the Debian software need to be audited in case any key is being used that was created on a Debian system."

Per the standard recommendation, patch all vulnerable systems as soon as possible. In addition, you will need to regenerate any keys that were created previously using vulnerable versions of OpenSSL.

HD Moore's Website [link]
Official CERT Advisory [link]
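
An added example, not from the original post or from HD Moore's site: one way to carry out the authorized_keys audit the quote calls for, by comparing each key's MD5 fingerprint against a blacklist of known-weak keys. It assumes the blacklist holds 20-hex-digit fingerprint suffixes (the format of Debian's ssh-vulnkey blacklist files); the keys, comments and blacklist entry in the sample are constructed, and `audit`, `blacklist_suffix` and `_constructed_key` are names chosen here.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # key types in common use in 2008

def blacklist_suffix(blob: bytes) -> str:
    """Low 80 bits of the MD5 fingerprint: the last 20 hex digits."""
    return hashlib.md5(blob).hexdigest()[12:]

def audit(authorized_keys: str, blacklist: set) -> list:
    """Return (line number, key type, comment) for each blacklisted key."""
    hits = []
    for lineno, line in enumerate(authorized_keys.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options such as from="..." may precede the key type, so scan for it.
        for i, field in enumerate(fields[:-1]):
            if field not in KEY_TYPES:
                continue
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                break  # malformed base64, not a usable key line
            # A genuine blob starts with its own length-prefixed type string.
            if blob[4:4 + len(field)] != field.encode():
                break
            if blacklist_suffix(blob) in blacklist:
                hits.append((lineno, field, " ".join(fields[i + 2:])))
            break
    return hits

def _constructed_key(key_type: str, filler: bytes) -> str:
    """Build a well-formed but cryptographically meaningless key field."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + filler
    return base64.b64encode(blob).decode()

# Constructed sample data: not real keys and not real blacklist entries.
WEAK = _constructed_key("ssh-rsa", b"\x01" * 64)
GOOD = _constructed_key("ssh-rsa", b"\x02" * 64)
SAMPLE = (
    f"ssh-rsa {GOOD} alice@laptop\n"
    f'from="10.10.1.0/24" ssh-rsa {WEAK} bob@old-ubuntu\n'
    "ssh-rsa not*base64 broken@line\n"
)
BLACKLIST = {blacklist_suffix(base64.b64decode(WEAK))}

if __name__ == "__main__":
    print(audit(SAMPLE, BLACKLIST))
```

Every key it reports has to be removed from authorized_keys and regenerated on a patched system, wherever the file itself lives.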

Tuesday, May 13, 2008

HowTo: Uncomplicated Firewall (ufw) in Ubuntu 8.04

I've recently upgraded several of my systems to Ubuntu 8.04 (Hardy Heron). While poking around, figuring out what has changed since 7.10 (Gutsy Gibbon), I came across the 'ufw' command, which is an acronym for Uncomplicated Firewall.

Personally, on my Linux systems I've preferred working with iptables directly. Several years ago I started using 'fwbuilder' to manage my iptables. Nonetheless, I'm still interested in playing around with ufw to see what value it has.

Here's a ufw example; the rule syntax is based on OpenBSD's PF:

  • Let's assume I want to allow all ssh traffic (22/tcp) from the 10.10.1.0/24 subnet to my host at IP 10.10.2.10:
        sudo ufw allow proto tcp from 10.10.1.0/24 to 10.10.2.10 port 22
  • Is there a single host that's bothering you and you want to block it?
        sudo ufw deny from {IP address}

If you're interested in testing ufw, the Ubuntu Unleashed Blog [link] has a useful guide on using the tool. Of course, you can always use the man pages as well [`man ufw`].

Sunday, May 11, 2008

BlackHat and DEFCON

It's that time of year again when I start looking at the logistics involved so that I can attend both BlackHat and DEFCON. It's also the time when I start figuring out costs and hope that work will cover them under the training budget...which is entirely another story!

The two-day training at BlackHat, Enterprise Security from Day 1 to Completion, if I register now will cost $2200 and runs from August 4th to the 5th (all of the trainings look interesting, but I believe the Enterprise Security will give me the forum to answer some questions I have as an IT security professional). Next, there's the BlackHat briefings from August 6th to the 7th for a cost of $1495 - again, this is if I register now. By registering for BlackHat I will be able to get into DEFCON for free. DEFCON runs from August 8th to the 10th.

Next there's the cost of the flight - I'm estimating about $250 roundtrip. Lodging from August 3rd to the 10th will be about $1600...then there's the $320 for food.

Here's the rough breakdown:

Airfare.............$250
Conference Fees....$3695
Lodging............$1600
Meals...............$320
Car Rental (maybe)..$320
========================
Initial Total......$6185

Now it's time for me to get the funding to cover the training expenses this week so that I can register before prices go up.

I look forward to catching up with many of my colleagues, friends, and Security Twits!



UPDATE [5/15/2008]: I've received approval from my management for the training. Now I'm working with purchasing to get the travel request fulfilled.

Monday, March 31, 2008

Firefox within MythTV

I recently set up a MythTV box with dual tuners. For those that aren't familiar, MythTV is essentially TiVo on steroids! I'm running Ubuntu 7.10 (Gutsy) as my operating system with MythTV v 0.21.20070820-1 as my personal video recorder (PVR). For keyboard and mouse I'm using a BTC 9019URF. I'm also using a Logitech Harmony 670 universal remote to control both my TV and MythTV box -- and it works flawlessly after configuring, testing, and tweaking.

Yesterday I decided I wanted to switch from Mythbrowser as my MythTV web browser to Firefox. Looking around on the web I saw that one simply needs to replace /usr/bin/mythbrowser with /usr/bin/firefox within Web Settings -- it didn't work.

Here's the problem and what I did to fix it. First, when I made the change and tried launching the browser, nothing happened. The next logical step was to look at the logs (/var/log/mythtv/mythfrontend.log). I ssh'd in to my MythTV box from another system and saw the following error:

Usage: /usr/lib/firefox/firefox-bin [ options ... ] [URL]

Ok - so some options are being passed to firefox which it can't handle. I went back into the Web Settings in MythTV and changed the browser back to /usr/bin/mythbrowser. I launched the browser and then ssh'd in to my MythTV box from another system and looked for relevant processes:

ps -ef | grep mythbrowser

What I saw, which shed light on the issue, was the following:

sh -c /usr/bin/mythbrowser -x 0 -y 0 -w 800 -h 600 -z 20 http://www.google.com/

See those screen commands, "-x 0 -y 0 -w 800 -h 600 -z 20"? Firefox doesn't like those. The quick solution was to create a simple script that acts as a wrapper to filter out those options. Simply do the following to create the wrapper (I was using tcsh when I did the following...use whatever you want; vi, pico, vim, emacs, whatever...and set the permissions correctly afterwards. This also assumes your firefox is located in /usr/bin -- of course, change this as necessary to match your system):

sudo tee /usr/bin/firefox-wrapper > /dev/null <<'EOF'
#!/bin/sh
# MythTV passes "-x 0 -y 0 -w 800 -h 600 -z 20 URL", so the URL is the 11th argument.
/usr/bin/firefox --fullscreen "${11}"
exit 0
EOF
sudo chmod 755 /usr/bin/firefox-wrapper

Then, back on the MythTV frontend, go to Web Settings and change the browser to /usr/bin/firefox-wrapper.

I also installed the following addons and themes for Firefox:
I may experiment with using Smart Bookmarks Bar and NoScript.

I've now replaced Mythbrowser with Firefox on my MythTV box and am loving it!

Friday, February 15, 2008

Test Lab: iPhone, Ubuntu, and XP in VMware

I recently purchased an iphone. I was totally stoked - but I realized that there weren't any Linux native tools to activate my iphone. Apparently one needs to use iTunes to activate, and iTunes is made for Mac and Windows. Ultimately, to activate my iphone, I had to borrow a laptop running XP.

Now that my iphone is activated, I'm unable to upload mp3's using my computers running any native Linux tools (or XP in VMware). Oh yeah, and in order to jailbreak, from what I've researched, one needs either a Mac or Windows.

The most success I've had is with VMWare Server running an XP Guest on my Ubuntu box.

Here's what I started out with:

  • Ubuntu 7.10
  • VMWare Server 1.0.4 build-56528
  • iPhone (1.1.13)

Within VMware:

  • XP container with all of the latest patches
  • iTunes 7.6

Before doing anything, I backed up my VMX file for my VM image of XP. Then, I edited the original VMX and added:

usb.generic.skipSetConfig = "TRUE"

The most success I've had is after I do the following:

  1. Cable up iPhone to USB port -- Cancel out of camera import dialog box
  2. Doing a `lsusb` shows the phone there. Ok, not a step, but a confirmation of sorts.
  3. Startup VMware - turn on XP guest. While it boots XP...
  4. In VM, go to VM | REMOVABLE DEVICES | USB DEVICES and make sure "Apple Inc. (port 1)" is checked
  5. (Warning: Windows Talk) Log into XP
  6. Go to the control panel, administrative tools, and launch the services app
  7. Click on the "Apple Mobile Device" service. Hmmm..no options to start | stop | restart
  8. So, back in VM, go to uncheck "Apple Inc. Iphone (port 1)"
  9. Now recheck "Apple Inc. Iphone (port 1)". Windows will detect the new hardware
  10. Back in Windows, go to services again and click on "Apple Mobile Device" again. Restart the service.
  11. Awesome - iphone detected. Windows pulls up a window asking to import photos.
  12. AHHH - blue screen! haha, so typical!!!!!
So, I still haven't figured this out yet. I've gone through the steps uninstalling Quicktime, Apple Software Update, and Apple Mobile Device Support ... and then reinstalling iTunes (which installs everything). I'll continue working on this. Any comments to help figure this out will be greatly appreciated!

Friday, February 1, 2008

Grouping Application Windows in Ubuntu/GNOME Taskbar


I just came across a blog posting on Tech-Recipe about grouping application windows in Ubuntu/GNOME taskbar. It's a useful optimization for newbies as well as the old-timers running a GNOME-based desktop. This feature allows a user to group application windows together in a way similar to Windows XP.

The way to enable application window grouping is simple. On my desktop I right click on the dotted vertical line between the quickstart icons and my open application windows. With my setup this is on the bottom taskbar (which is default with GNOME on Ubuntu). Select Preferences. You'll see a window similar to the image here. Under Windows Grouping you have three choices: Never group windows (default), Group windows when space is limited, and Always group windows.

[Enable Window Grouping on the Window List] -- Tech-Recipes Blog