Sunday, April 26

New Link, RSA Conference 2009 - Webcasts

The folks at the RSA conference have posted all of the key note speeches online. There are some good ones including James Bamford, Jamie and Adam from Mythbusters, and many others throughout the week.

Monday, April 20

New report released! - Office of the Auditor General of Alberta

The latest report from the Office of Auditor General of Alberta has been released this afternoon and contains several findings which point to specific deficiencies within the Government of Alberta's processes used to manage information risks and the effectiveness of their control environment.

It appears that even though additions and changes to the OAG budget have affected their future plans for auditing security, they are still moving forward with their audits and recommendations related to information security in the GOA.

Thursday, April 9

New Updates Conficker - April 9th

As expected, the conficker worm has continued it subtle updates and is using the newly acquired p2p functionality to do it. In addition it also appears to update the payload functionality and may also be actively defending itself by affecting the availability of the conficker working group site.

Researchers are looking at the new code and initial analysis points to key-logger software and new protection mechanisms. I think most security professionals would serve their clients well by keeping up to date on this.

UPDATE:

It looks like the code is starting monetize, by installing a scamming anti-virus software package which costs you $49.99, and in some cases installing spamming relay software. There are also reports that it is set to delete itself on May 3rd (I'm skeptical about this one).


Time for law enforcement to do their job and follow-the-money!

Sunday, April 5

OpenSolaris, ZFS, iSCSI and OSX - Creative Storage - Part I

After getting through the steps required to setup a local network storage solution - I thought I would publish my steps for others that are doing the same thing. Not exactly security related but once the Solaris developers implement encryption into ZFS it will be :)

The needs for the solution were simple - a network (IP) based storage solution which is both reliable, meets performance needs and doesn't break the bank.

There are many people who would argue that a hardware based RAID array with it exposed through some NAS protocol would be a much easier solution to this need, but I'm intentionally trying to be cheap. The steps:

1. Hardware installation

Easiest part - install SATA disks on a supported platform for OpenSolaris. No details here unless someone wants them.

2. Software installation

OpenSolaris 2008.11 - 1 CD image found here. Burn the ISO, boot into the liveCD, double click on the "Install Solaris" icon on the desktop, and follow the instructions. I used many of the default options, but the installation will step you through it.

Reboot, and voila - default Solaris install with an SSH daemon running so that I don't have to use x-windows sessions.

3. ZFS Configuration

Connect with SSH to the console, check the installed disks.

root@CoreOpenSolaris:~# format
Searching for disks...done


AVAILABLE DISK SELECTIONS:
0. c0d0 <DEFAULT cyl 1242 alt 2 hd 255 sec 63>
/pci@0,0/pci-ide@6/ide@0/cmdk@0,0
1. c3t0d0 <ATA-WDC WD10EADS-00L-1A01-931.51GB>
/pci@0,0/pci1043,815a@7/disk@0,0
2. c3t1d0 <ATA-WDC WD10EADS-00L-1A01-931.51GB>
/pci@0,0/pci1043,815a@7/disk@1,0
3. c4t0d0 <ATA-WDC WD10EADS-00L-1A01-931.51GB>
/pci@0,0/pci1043,815a@8/disk@0,0
4. c4t1d0 <ATA-WDC WD10EADS-00L-1A01-931.51GB>
/pci@0,0/pci1043,815a@8/disk@1,0
Specify disk (enter its number):

The first disk is the boot disk, which also uses the ZFS filesystem and won't be part of the raid. The other four will.

Create the ZFS pool.

root@CoreOpenSolaris:~# zpool create CoreStorage c3t0d0 c3t0d1 c3t1d0 c3t1d1

root@CoreOpenSolaris:~# zfs list CoreStorage
NAME USED AVAIL REFER MOUNTPOINT
CoreStorage 400G 2.28T 41.9K /CoreStorage

Once the pool has been created we need to set a few properties to enable the types of access we want to provide. First is enabling CIFS and iSCSI access to the pool.

root@CoreOpenSolaris:~# zfs set shareiscsi=on sharesmb=on CoreStorage



4. CIFS Configuration

With the pool setup, we need to configure Solaris to provide connections for CIFS and iSCSI. Lets focus on CIFS first. The CIFS packages are not installed by default so we need to install them.
root@CoreOpenSolaris:~# pkg install SUNWsmbs SUNWsmbskr

Then add the driver, start the service, configure the PAM services needed to properly authenticate (I needed to reboot after these steps).
root@CoreOpenSolaris:~# add_drv smbsrv
root@CoreOpenSolaris:~# svcadm enable -r smb/server
root@CoreOpenSolaris:~#

I then needed to re-set the password of the user that will be using the share.
root@CoreOpenSolaris:~# add_drv smbsrv
root@CoreOpenSolaris:~# svcadm enable -r smb/server
root@CoreOpenSolaris:~#


Part two of this will include the iSCSI Target and Initiator Configuration, and a discussion of the advantages/disadvantages of using this.

Wednesday, April 1

Conficker Reporting

There has been so much misinformation being spread regarding what conficker will or will not do. And now that the mainstream media is picking up on the story they are repeating some of the speculation. I like to look at it in simple terms without muddling in all the technical details;
  • All the research done suggests that the people behind conficker are intelligent, and well resourced which indicates that whatever motivation they have will be very well thought out and executed.
  • The large amount resources used to develop and maintain conficker mean that the owners will spend large amounts of effort defending it and increasing its ability to spread efficiently.
The whole circus around April 1st was the fact that the software would begin receiving new instructions, in no way did this mean that it would start acting in a more malicious way. The simple fact is that this virus could do anything it wants, and we should be prepared to handle this today or any of the other 365 days of the year.

I hope that the media starts focusing on the security of computing including all the risks one of which is worms, and more on common prevention and detection techniques that can keep us all safer.