locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Tue, 27 Feb 2007 (Blog #593)
Dave's Weblog has a new domain name!

Today I registered a domain name for my security web log:

securityskeptic.com

Why did I choose skeptic? The Oxford dictionary defines a skeptic (sceptic) as "a person inclined to question or doubt accepted opinions". The etymology of skeptic is either Latin (scepticus) or Greek (skeptikos). Skeptikos means thoughtful, a derivative of skeptesthai (to look, consider). If a skeptic is "one who instinctively or habitually doubts, questions, or disagrees with assertions or generally accepted conclusions" then I am decidedly an Internet security skeptic.

I've sometimes described myself and others who rant about the sad and deplorable state of Internet security as "curmudgeons". Friends and colleagues tell me this is not quite an accurate description of my dominant attitude when discussing security. I'm glad I'm not perceived as being crusty, irascible, ill-tempered, cantankerous and *old*.

So I will soon be publishing my weblog from www.securityskeptic.com.

Archived at http://www.securityskeptic.com/arc20070201.htm#BlogID593 by Dave Piscitello  


Mon, 26 Feb 2007 (Blog #592)
Migrating to Mac: Exploring OS X network assessment utilities

I had many reasons to begin migrating my "production" computing and networking to an Intel MacBook. I wanted a laptop that could run multiple Operating Systems as painlessly and transparently as possible. I had used BSD in the past to host my first firewall (TIS Gauntlet). I dreaded the thought of mucking with Vista as long, frequently and hard as I had XP. I shouldn't whine overly much about my XP-erience since I earned a nice living freelancing articles on XP security and performance. And frankly, I still felt separation anxiety every time I saw my trusty MacSE slumbering safely in its original packaging in the corner of my attic.

Over time, I've accumulated dozens of network assessment and security utilities for Windows XP, so initially, I chose a migration path of least resistance. I installed XP on my MacBook using the Parallels Desktop, downloaded the Win32 installers and replicated my tool kit.

Since then I've had time to learn more about Mac OS X. To run the popular open source network assessment and security utilities alongside the Mac's friendly UI, you'll need to install several software packages: X11, Xcode, MacPorts (a.k.a. DarwinPorts), and a Subversion client (svn).

Both the X11 window system and Apple's developer tool chain (Xcode) are self-installing packages provided by Apple. I found copies on the OS X Install Disc 1 that comes with any Mac. Xcode Tools is in its own folder. You'll find X11 in the Optional Installs package on the same disc. Yes, it's really there; you have to scroll to the bottom of the Install Disc window to see it.

MacPorts (formerly the DarwinPorts Project) provides an easy way to install over 3000 open source applications that have been "ported" from a developer's original platform (typically Linux or BSD) to Mac OS X (and the rest of the Darwin OS family). What's a port? A port is a set of instructions (typically a file) that automates downloading and compiling the software's source. The port identifies compile-time options and any patches that should be applied before compiling or upgrading the software; generally speaking, the port enumerates all the commands the automation must perform to correctly install the software. You'll find a complete set of installation instructions at the DarwinPorts or MacPorts site. Well, almost complete. Be aware that the port command installed with MacPorts uses rsync, not a version control client, to self-update its index of available ports, so you'll need to open a port of a different kind on your firewall to use this port, namely outbound TCP/873 for rsync :-)

Once you have MacPorts installed, you can search the list of networking utilities available as ports.

Subversion is an open source version control system that aims to improve on CVS. As I began building my utilities tool kit, I discovered that some applications I wanted were more commonly referenced and more easily obtained by checking out their source with this client.

UNIX versions of networking utilities including nmap, netcat, Nessus, OpenSSH, OpenVPN, tcptrace, etc. are available. These are often "the original work". In some cases the functionality is better than the Windows port because better network drivers are available for Linux/BSD than for Windows, and because the tools can be readily compiled from source.

In my future blogging, I'll describe utilities I chose to fill my tool kit and my experiences installing them.

Archived at http://www.securityskeptic.com/arc20070201.htm#BlogID592 by Dave Piscitello  


Tue, 13 Feb 2007 (Blog #591)
Concealed weapons permit? Georgians don't need em!

Georgia Public Broadcasting reports that a bill has been passed by the Georgia House which allows gun owners to keep *loaded guns* anywhere in vehicles without concealed weapons permits; specifically, the bill allows the guns to be kept in plain view and in the glove compartment. One of the State House representatives of a rural county in Georgia claims that this bill "gives back a piece - a small piece - of the Second Amendment that has been deprived of so many law-abiding citizens over the past few years".

Reading further down the day's news, three Dawson County students have been charged with multiple counts of aggravated assault in more than 30 sniper-type shootings that targeted businesses, cars, houses and a school. The students are suspected of using a .22-caliber rifle, firing at targets across 6 counties last month. Call me crazy, but isn't it possible that "in plain view" legislation will encourage more such sprees?

I shouldn't be such a skeptic. If the law passes the Senate, it will undoubtedly stimulate a new "conversion" industry in the Peach State. Instead of simply pimping one's ride, Georgians could legally add a turret mount on their F150s, duallies, and Humvees.

Is it any surprise that Georgia ranked 41st in the Smartest State 2006-2007 poll?

Archived at http://www.securityskeptic.com/arc20070201.htm#BlogID591 by Dave Piscitello  


Mon, 12 Feb 2007 (Blog #590)
Testing Recursive Name Servers for IPv6 and EDNS0 Support

In Blog #580 I described a call for community participation by the ICANN Root Server System Advisory Committee (RSSAC) and Security and Stability Advisory Committee (SSAC) to test firewalls for IPv6 and EDNS0 support at the root level of the DNS. Over two dozen test results have been reported (see SAC016), the majority indicating that, unless a firewall is specifically configured to block DNS responses containing AAAA RRs, or to block DNS messages carried in fragmented UDP datagrams (which large DNS responses become), it will not interfere with a priming exchange if the root zone were to include IPv6 addresses of root name servers.

RSSAC and SSAC are now calling for additional testing to determine whether DNS implementations (software and appliance) used to provide recursive name service will operate correctly when type AAAA resource records are added to the root hints file and root zone.

The complete name server bootstrap process must be tested to verify that changes at the root level of the DNS do not adversely affect production name service. First, the test must verify that an implementation configured with a hints file containing type AAAA resource records will bootstrap and operate correctly. Next, tests must confirm that the resolver does not fail when it performs the priming exchange over UDP: it sends a query for type NS for the root (".") to one or more of the root name servers identified in the test version of the hints file, and the response carries both A and AAAA glue for those servers. That extra glue can push the priming response over the classic 512-byte UDP limit, which is why the test also exercises EDNS0 (or correct handling of a truncated response). Finally, tests must confirm that the resolver can use the information in the DNS response to perform iterative name resolution; simply put, tests must demonstrate that the resolver will operate correctly in a production name service environment.

Several root name server operators have volunteered to operate test name servers for this exercise. These servers have been configured to be authoritative for "test" root and root-servers.net zones that contain both type A and AAAA resource records for the authoritative root name servers. A test root hints file, instructions for performing the desired test, and instructions for reporting results can be found at http://www.icann.org/committees/security/sac017.htm.

Before the committees posted this advisory, I helped verify the test methodology by performing the tests on 5 DNS server implementations in my lab. My results for Windows 2000/2003 DNS server, SimpleDNS, BIND 9.2.3 running on OS X and Posadis are already reported. As I did for firewall testing, I'll contact as many DNS server vendors as I can through support and other contact methods to encourage vendor participation as well.

Tests like these provide a terrific opportunity to step outside your "day job" and learn something new. I've found about three dozen DNS server products, and many are free or offer a free trial. I encourage you to install a DNS server, the dig DNS query program, and the trusty Ethereal LAN analyzer on a host and see what you can see.

Archived at http://www.securityskeptic.com/arc20070201.htm#BlogID590 by Dave Piscitello  


Sat, 03 Feb 2007 (Blog #589)
Removing Wall Mirrors from Drywall

Remodeling is a journey not a destination. Our master bath has "evolved" from repairing the water damage to a 70s style popcorn ceiling to removing the textured ceiling, replacing the light fixtures and wall-width ceilings, replacing the plumbing fixtures, and finishing with new paint and wall paper.

Removing a popcorn ceiling is a simple but nasty business. Some of the sprays used contained asbestos and often a prior owner has painted the ceiling and made the texture resistant to the "wet removal" method. However, if you dodge the asbestos containment bullet and take your time, you can strip a ceiling quickly and you shouldn't have to spend a great deal of time applying thin coats of plaster to get the smooth texture ceiling you want.

The more challenging task in this project was removing three mirrors spanning 12 feet of wall space above double sink vanity. All of them had deteriorated silver, not at all unexpected since we have three large skylights above the vanity! Asking friends and consulting online DIY web sites, I learned that there were three ways one removes mirrors from drywall:

  • Whack away with a hammer.

  • Use a heat gun to melt the bonding agent.

  • Use a guitar string or fishing line to "saw" through the bonding agent.

The authors of all three methods recommend that you cover the mirrors with duct tape, and wear protective eyewear, long sleeves, and gloves. I dismissed the hammer method as a last resort. Dodging and cleaning up shards of mirror seem like the kinds of tasks I instinctively avoid. I don't own a heat gun, but I do have guitars and even spare strings, and this seemed like a cautious approach with a high probability of success, so I wrapped the ends of a guitar string around two six-inch dowels and began by removing the mirrored trim around the mirrors. I donned the protective gear, duct taped the mirror and went to work.

I found a gap between the leftmost and center mirror and worked from the upper left corner of the mirror down and to the right until I was able to get the string across to the upper right corner. At this point, I discovered that the guitar string was not long enough to continue the sawing motion I'd used to cut through the bonding.

I studied my progress. I decided to repeat my sawing effort, this time, first beginning at the upper right hand corner and proceeding clockwise around the mirror until I'd sawed through as much of the bonding I could reach with this method. Using multiple putty and spackling blades, I shimmed the left side of the mirror away from the dry wall. I used dowels as wedges and slowly and gently applied force to break the bond without breaking the mirror.

Using this method I was able to safely remove all three mirrors, intact. I attribute some of this success to the fact that the workman who installed the mirrors had applied the bonding agent in a series of six to eight circles of approximately 8 inches in diameter. I suspect that I would have had considerably more trouble if the agent had been applied more liberally or sloppily.

Some of the patches of bonding agent pulled away with the mirror, and left me with a fair bit of patching to do. Others had to be removed with spackling knives. I'll have to rough sand the areas where the bonding was applied and thin coat if I expect even primer to apply.

One danger of removing nearly 40 square feet of mirror is that you don't know what surprises lie beneath. The electricians who wired our home were not as professional as other subcontractors and I have several "exploratory" holes to patch. Overall, however, I'm pretty pleased to have completed this task without injury:-)

Archived at http://www.securityskeptic.com/arc20070201.htm#BlogID589 by Dave Piscitello  


Thu, 01 Feb 2007 (Blog #588)
Version Grabbing

Attackers often use "banner grabbing" to identify potential targets. The practice commonly involves scanning for mail, web, and file server listening ports and collecting server type and version information, but as name service becomes more and more a target for disruption attacks, "version grabbing" of DNS servers will no doubt increase.

Ask any group of security practitioners and some will say that obfuscating the banners and version strings of web and other servers is "security through obscurity". Others will concede the point but add that there's little point in making it easy for an attacker. Still others will add that the less information you reveal, the longer a motivated attacker may persist in probing, and this provides a monitoring opportunity and an increased chance to detect and thwart the attack.

By default BIND 9 returns the real version of the server in answer to a TXT query for the name version.bind in class CHAOS [1]. To hide the version if you run BIND, add a version option to the options block of named.conf and set it to whatever string you like. Version hiding is also possible with other DNS server software: SimpleDNS Plus, for example, allows you to specify the string returned when your name server is queried for the version. Another strategy is to simply refuse to answer a version query (in BIND 9, specify version none). An even stricter strategy is to refuse to answer queries from untrusted hosts altogether, other than for the zones you serve authoritatively. Whichever you choose, verify it the way an attacker would: query the server from an outside host and look at what comes back.
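As an added example (my code, not the author's and not part of BIND, dig, SimpleDNS or any other tool named on this page), here is a small Python probe that covers both the priming exchange described in the 12 Feb entry above and the version.bind query described here. It builds a non-recursive query for NS of "." carrying an EDNS0 OPT record that advertises a 4096-byte UDP buffer, builds a CHAOS-class TXT query for version.bind, and parses replies (including compressed names) well enough to count A and AAAA glue in the additional section, check the TC bit, and pull out the version string. The two sample replies are constructed in code, not captured traffic; the server names and addresses in them are illustrative. Only send_udp touches the network.

```python
"""Added example: DNS probes for the priming exchange (NS for ".") with EDNS0 and for version.bind."""
import socket
import struct

TYPE = {"A": 1, "NS": 2, "TXT": 16, "AAAA": 28, "OPT": 41}
CLASS = {"IN": 1, "CH": 3}
TYPE_NAME = {v: k for k, v in TYPE.items()}

def encode_name(name):
    """Wire-format a domain name; "." becomes just the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qtype, qclass="IN", txid=0x1234, edns_bufsize=None):
    """Non-recursive query; edns_bufsize adds an OPT pseudo-RR (RFC 2671 EDNS0)."""
    msg = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1 if edns_bufsize else 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE[qtype], CLASS[qclass])
    if edns_bufsize:
        # OPT: root owner, type 41, CLASS field carries the UDP payload size, TTL 0, no RDATA
        msg += b"\x00" + struct.pack("!HHIH", TYPE["OPT"], edns_bufsize, 0, 0)
    return msg

def decode_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
        elif length == 0:
            return ".".join(labels) + ".", (offset + 1 if end is None else end)
        else:
            labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
            offset += 1 + length

def parse_response(data):
    """Header flags plus (owner, type, class, rdata) tuples for each section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                                 # skip the question section
        off = decode_name(data, off)[1] + 4
    sections = {"answer": [], "authority": [], "additional": []}
    for name, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(data, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            rdata = data[off + 10:off + 10 + rdlen]
            sections[name].append((owner, TYPE_NAME.get(rtype, rtype), rclass, rdata))
            off += 10 + rdlen
    return {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF,
            "edns": any(r[1] == "OPT" for r in sections["additional"]), **sections}

def priming_summary(data):
    """What the SAC017-style test checks: NS answers plus v4/v6 glue, not truncated."""
    r = parse_response(data)
    glue = [x[1] for x in r["additional"]]
    return {"truncated": r["tc"], "edns": r["edns"], "ns_count": len(r["answer"]),
            "a_glue": glue.count("A"), "aaaa_glue": glue.count("AAAA")}

def version_strings(data):
    """TXT strings from a version.bind CH reply; empty list if the server gave no answer."""
    out = []
    for _owner, rtype, _cls, rdata in parse_response(data)["answer"]:
        i = 0
        while rtype == "TXT" and i < len(rdata):        # TXT rdata is <len><chars> repeated
            out.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
            i += 1 + rdata[i]
    return out

def rr(owner, rtype, rclass, ttl, rdata):
    """Wire-format one RR; owner may be a name or pre-encoded bytes (e.g. a pointer)."""
    owner = owner if isinstance(owner, bytes) else encode_name(owner)
    return owner + struct.pack("!HHIH", TYPE[rtype], rclass, ttl, len(rdata)) + rdata

def sample_priming_response(txid=0x1234):
    """CONSTRUCTED reply, not captured traffic: two NS records, A and AAAA glue for one
    server (owner written as a compression pointer) and an OPT record echoing EDNS0."""
    msg = struct.pack("!HHHHHH", txid, 0x8400, 1, 2, 0, 3)   # QR|AA; 1 qd, 2 an, 0 ns, 3 ar
    msg += encode_name(".") + struct.pack("!HH", TYPE["NS"], CLASS["IN"])
    msg += rr(".", "NS", 1, 518400, encode_name("a.root-servers.net."))  # rdata lands at offset 28
    msg += rr(".", "NS", 1, 518400, encode_name("b.root-servers.net."))
    ptr = b"\xc0\x1c"                                   # pointer to a.root-servers.net. at 28
    msg += rr(ptr, "A", 1, 3600000, socket.inet_aton("198.41.0.4"))
    msg += rr(ptr, "AAAA", 1, 3600000, socket.inet_pton(socket.AF_INET6, "2001:503:ba3e::2:30"))
    return msg + b"\x00" + struct.pack("!HHIH", TYPE["OPT"], 4096, 0, 0)

def sample_version_response(text="9.2.3", txid=0x1234):
    """CONSTRUCTED version.bind reply; the TXT string is whatever the server admits to."""
    msg = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    msg += encode_name("version.bind") + struct.pack("!HH", TYPE["TXT"], CLASS["CH"])
    return msg + rr("version.bind", "TXT", CLASS["CH"], 0, bytes([len(text)]) + text.encode("ascii"))

def send_udp(server, query, timeout=3.0):
    """Live probe (not exercised offline): send one query to UDP/53 and return the reply."""
    with socket.socket(socket.AF_INET6 if ":" in server else socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recv(4096)
```

Against a live server, `priming_summary(send_udp("a.root-servers.net", build_query(".", "NS", edns_bufsize=4096)))` tells you whether the reply was truncated and how much v4 and v6 glue came back; drop edns_bufsize to see what a 512-byte-only resolver would get. `version_strings(send_udp("your.name.server", build_query("version.bind", "TXT", "CH")))` is the version grab itself, and an empty list after you set version to none is the check that hiding worked. The dig equivalents are `dig @a.root-servers.net . NS +norec +bufsize=4096` and `dig @your.name.server version.bind txt chaos`; run either under Ethereal to see the same bytes this code builds.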

Archived at http://www.securityskeptic.com/arc20070201.htm#BlogID588 by Dave Piscitello