Wednesday, December 7, 2011

Kids vs Adults 1-0

For a while now we have had these subway access gates. The main idea is that everybody pays for their ride. Pretty soon you saw people piggybacking on people who did pay.

Not so long ago I saw a couple of 8-year-olds outsmart the adults :). Instead of all of them forcing themselves through the little gate one by one, only one did it. He went to the exit gate, which opens without any verification, and let his friends in, and off they went to discover the world.

I personally think it is wrong not to pay for public transport, but I must say that I liked the fact that adults got outsmarted by 8-year-olds.

Saturday, November 26, 2011

IPv6 talk at BNC 2011

A couple of weeks ago I was at the Belnet Network Conference 2011. There were a couple of interesting talks, but I want to write in particular about some advice that was given during Andy Davidson's talk about implementing IPv6.

This was his advice:

1. Buy only IPv6-enabled hardware and software. Since quite a number of people had to do this, a kind of template called the RIPE-501 template (http://www.ripe.net/ripe/docs/ripe-501) came into existence.

I personally think that the remark about paying attention to software too is quite correct. Thinking about hardware is very normal, but one has to take into account that you also have to manage that hardware.

2. Make sure you have connectivity.
This is pretty obvious: if you want a connection to the Internet over IPv6, you need IPv6 connectivity.

3. Make sure you train your staff.
The outside world takes it for granted that IT people know about IT stuff, so you have to train them.

4. Do trials
Ok, it seems dumb to put a car on the market before doing crash tests, but the same thing applies to your IT infrastructure. If you don't make sure you have done your tests, you will regret it.

5. Take it to the users
Once you've done your tests, take it to your users. Some trouble might come up, but it should be minimal.

6. Dual stack some of your services.

7. Dual stack all of your services.

Tuesday, May 17, 2011

Fun with Adito VPN

I once saw a demo of Adito VPN on Hak5 and was pretty impressed by it. Recently I had to install one, and although it didn't go as smoothly as in the video, the install was still easy.

The first step was preparing the OS. In my case it was Ubuntu. I needed to adapt my /etc/apt/sources.list so I could install software from the partner repository.

The first part of preparing the OS is installing Sun Java:

$ sudo apt-get update
$ sudo apt-get install sun-java6-bin sun-java6-jdk
$ export JAVA_HOME=/usr/lib/jvm/java-6-sun
$ export PATH=$PATH:$JAVA_HOME/bin

To test whether Java works correctly:
$ java -version

The second step in preparing the OS is installing ant:
$ sudo apt-get install ant

Now we come to the phase where we can install Adito. (Note: at the time of writing, 0.9.1 was the latest version.)
$ cd /opt
$ wget http://downloads.sourceforge.net/project/openvpn-als/adito/adito-0.9.1/adito-0.9.1-bin.tar.gz
$ sudo tar zxvf adito-0.9.1-bin.tar.gz
$ cd adito-0.9.1/
$ sudo ant install

At a certain point in the installation you'll be asked to open a browser and start a session to http://server:28080/

This web-based wizard helps you configure Adito. First I had to create a new certificate and choose a nice passphrase for it. The following page asked for the details of the certificate. After creating the certificate I created the administrative user and configured on which port and on which interfaces the server has to listen. If you use a proxy, you can configure it here as well.

The last step was less easy to figure out. The normal procedure is:
$ ant install-service
$ ant start

The output on screen said that the start dynamically created a wrapper, but eventually I got the following message back:
[exec] exec: 370: install/platforms/linux/x86/wrapper: not found

The solution to this problem was to edit /etc/init.d/adito. The new script looks like this:
#!/bin/bash
#
# Point Adito at its wrapper configuration and start it through Java directly,
# since the native wrapper binary that "ant start" execs is not present.
export WRAPPER_CONF="/opt/adito-0.9.1/conf/wrapper.conf"
# Original start line, disabled because the native wrapper is not found:
#exec /opt/adito-0.9.1/install/platforms/linux/adito $*
cd /opt/adito-0.9.1 || exit 1
ant start-using-java &

To start Adito VPN:
$ sudo /etc/init.d/adito start
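As an added example (not code from the original post or from the Adito project), here is an init-script helper that checks for the native wrapper binary whose absence caused the "not found" error above and picks "ant start" or the "ant start-using-java" workaround accordingly. It assumes the install prefix /opt/adito-0.9.1 from the post, with build.xml and conf/wrapper.conf in that directory; ADITO_HOME is an assumed override variable.

```shell
#!/bin/sh
# Added example, not part of the original post or of Adito itself.
# Assumes the layout the post uses: Adito unpacked under /opt/adito-0.9.1 with
# build.xml (what `ant` reads) and conf/wrapper.conf in that directory.
ADITO_HOME="${ADITO_HOME:-/opt/adito-0.9.1}"

# Print "wrapper" if the native wrapper that `ant start` execs is present, or
# "java" if we must fall back to `ant start-using-java` as the post does.
# Returns 1 (prints nothing) when the directory is not an Adito install.
adito_start_mode() {
    home="$1"
    [ -f "$home/build.xml" ] && [ -f "$home/conf/wrapper.conf" ] || return 1
    if [ -x "$home/install/platforms/linux/x86/wrapper" ]; then
        echo wrapper
    else
        echo java
    fi
}

# Start Adito from $1 (default ADITO_HOME) using whichever mode applies;
# this is the body a /etc/init.d/adito "start" action would call.
adito_start() {
    home="${1:-$ADITO_HOME}"
    mode=$(adito_start_mode "$home") || {
        echo "adito: no install found at $home" >&2
        return 1
    }
    export WRAPPER_CONF="$home/conf/wrapper.conf"
    cd "$home" || return 1
    case "$mode" in
        wrapper) ant start ;;
        java)    ant start-using-java & ;;
    esac
}

# Only act when invoked with "start", e.g. from the init script.
case "${1:-}" in
    start) adito_start "$ADITO_HOME" ;;
esac
```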

A nice resource for more information is http://www.8layer8.com

Tuesday, March 22, 2011

Privacy is not an option

Yesterday there was an ISSA-BE event about IT and privacy. Marc Vael gave a very good presentation on what privacy is and what laws do apply.

The first thing to know is that the European directive, 1995/46/EC, is according to Marc one of the better ones on this planet. Each European country has made it part of its own law, but some countries, like Germany and Italy, are more severe than others. Another interesting fact is that the directive applies to the whole EEA, the European Economic Area.

I asked Marc how to handle these differences as an organization. The best way is to create a baseline valid for all members of the EEA and add the specific requirements of the more severe states on top of it.

An interesting fact is that if you, for instance, visit a website in South Africa, it is South African law that applies to the personal data. The reasoning is that the law applies where the company owning the website is located. This creates very interesting situations: Google is a global company with sites all over the EEA, but if you log in via their web servers in the USA, it would be American law that applies.

One of the nice remarks the presenter made was that personal information and sensitive data are not the same thing.

Since we were talking about dealing with international privacy, we also discussed the US Safe Harbor framework.

Wednesday, February 23, 2011

Mounting XFS

Somebody I know recently had trouble with his NAS and needed to return the device, but wanted to recover his data first. According to the information he was able to gather, it was an XFS file system.

He had little to no Linux knowledge, but to recover the data he set up an Ubuntu machine and asked for my help to mount his drive. I didn't have any previous experience with XFS, so here is how we did it:

The partition showed up in the system as /dev/sdb3.

1. sudo mkdir /media/nadisk
2. sudo mount -o inode64 -t xfs /dev/sdb3 /media/nadisk

After this he was able to get his data back and return his NAS device to the store :)

Monday, February 14, 2011

Symantec Endpoint Protection 11.0.6 MR2 and the internal database

I had a case where I did an implementation of SEP 11.0.6 MR2 and the internal database grew too big. Thanks to my previous life as a DBA I was able to interpret the logs and discovered a couple of problems:

1. The cache size for the database was set to 65536K for both the lower and the upper limit.
The cache size for a database varies with its size, but there is no direct parameter with which you can influence this.

2. No unique index or primary key for table "a_table_in_the_database" in database "sem5".

3. Performance warning: Database file "...\Program Files\Symantec\Symantec Endpoint Protection Manager\db\sem5.db" consists of 9468 disk fragments.

Just for info, the internal database of Symantec is a Sybase database, so it is very similar to MS SQL 2000.

I opened a case with Symantec Support and after the classic "gather the logs" round we finally concentrated on the database.

Step zero was of course running dbvalidator.cmd (in "...\Program Files\Symantec\Symantec Endpoint Protection Manager\Tools"), which showed that the database was still OK to use.

The first step was making a backup with the "Backup and Restore" tool that comes with the installation. The next step was to open "services.msc", stop the Symantec Endpoint Protection Manager services and stop/start the Symantec database service. The database backup was written as a zip file to "...\Program Files\Symantec\Symantec Endpoint Protection Manager\data\backup\".

To shrink the database I needed to execute the following command:

'...\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\Win32\dbunload -c "uid=dba;pwd=your_install_db_pwd" -ar'

The -c option specifies the connection parameters and -ar means rebuild and replace.

I asked the engineer whether the shrink tool can also be used on the MS SQL database, but according to the engineer this is not the case.

The database was back to a normal size and the server disk was happy again.

Wednesday, January 12, 2011

Error 404 ... we are watching you.

The other day I helped out with coding a PHP page for error 404 handling in a Joomla framework. The idea was that whenever a 404 is generated, the event is logged for analysis.

The results were pretty boring: GoogleBot scanning the website for pages that no longer exist ... so nothing special to report, until I got this one:

Page: /[a path on the server]/index.php
Browser: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; de;rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Request Method: GET
Request URI: /en/components/com_oziogallery2/imagin/scripts_ralcr/filesystem/writeToFile.php

The remote IP addresses were 188.61.137.55 and 195.191.54.46. A lookup on MaxMind GeoIP shows that 188.61.137.55 is an IP address in Aarau, Switzerland (ISP: Bluewin) and 195.191.54.46 is an IP address in Latvia (ISP: Sia Venditore).

It was clear that this request was part of some scanner, but why the website on which my code is running was targeted is still unclear to me. Ozio Gallery 2 was never installed on this Joomla installation.

A Google search for websites with a URL containing the string "/en/components/com_oziogallery2" gave me a list of 13.500 possibly exploitable sites. A look at Exploit DB immediately gave us an insight into what the attacker was up to.

So my lessons learned from this are:
1. Modify the error 404 page in any framework so you can collect interesting data.
2. I have proof that any website gets scanned, without there having to be any particular reason. This was an eye-opener for the person who asked me to code the page.
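As an added example (not code from the original post), here is a small POSIX shell triage of the kind of 404 records such a logger collects, run over constructed sample lines in an assumed one-record-per-line format (timestamp, client IP, method, request URI, user agent). It lists the clients that request files under a /components/com_*/ path that does not exist on the site, which is exactly what the Ozio Gallery hit above looked like; the two IPs from the post are reused, the rest of the sample is made up.

```shell
#!/bin/sh
# Added example, not part of the original post. Triage the 404 records a logger
# like the one described above collects. Sample lines are constructed for this
# example in an assumed one-record-per-line format:
#   <timestamp> <client-ip> <method> <request-uri> "<user-agent>"
# 192.0.2.10 is a documentation address; the other two IPs are from the post.
SAMPLE_404S='2011-01-10T09:12:01Z 192.0.2.10 GET /en/old-news.html "Mozilla/5.0 (compatible; Googlebot/2.1)"
2011-01-10T09:13:44Z 188.61.137.55 GET /en/components/com_oziogallery2/imagin/scripts_ralcr/filesystem/writeToFile.php "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; de; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
2011-01-10T09:13:45Z 195.191.54.46 GET /en/components/com_oziogallery2/imagin/scripts_ralcr/filesystem/writeToFile.php "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; de; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"
2011-01-10T09:14:10Z 195.191.54.46 GET /components/com_example/helper.php "curl/7.21.0"
2011-01-10T09:15:02Z 192.0.2.10 GET /favicon.ico "Mozilla/5.0 (compatible; Googlebot/2.1)"'

# Read 404 records on stdin and print "ip count" for every client with at
# least $1 (default 1) hits on a direct /components/com_<name>/... file path.
# A 404 there means the client asked for a Joomla extension this site never
# had, which is what an extension scanner looks like; ordinary stale links
# (old pages, favicon) are left out. Highest count first.
flag_component_probes() {
    min_hits="${1:-1}"
    awk -v min="$min_hits" '
        # $2 is the client IP, $4 the request URI.
        $4 ~ /\/components\/com_[A-Za-z0-9_]+\// { hits[$2]++ }
        END {
            for (ip in hits)
                if (hits[ip] >= min) printf "%s %d\n", ip, hits[ip]
        }' | sort -k2,2nr -k1,1
}

# Stand-alone run over the constructed sample: prints
#   195.191.54.46 2
#   188.61.137.55 1
printf '%s\n' "$SAMPLE_404S" | flag_component_probes 1
```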