Sunday, September 28, 2014

A Shell of a Bash: Shellshock in Lay Terms

A few days ago, researchers revealed a software vulnerability that quickly became known as "shellshock." It's a bug - an error in the software code - in a core piece of many Unix operating system flavors, and it can be used by an attacker to gain control of Unix computers. You don't use Unix, you say? I'll bet you do: a great many Internet-connected devices run on Unix because it can run on a minimal computer.

For those of us that make a living in the security field, it has been a pretty exciting week. Bash (the vulnerable shell program) is everywhere. Not everywhere everywhere, but it turns up in many unexpected places. Think robotic toys, DVRs, wireless routers, smart televisions, enterprise web servers, cloud storage servers, printers, network equipment, the list goes on.

Thursday, September 25, 2014

Shellshocked: what is the bug in Bash?

The Internet has been awash with information and misinformation about a bug in GNU bash, a common system shell in many Unix variants. Here are some initial thoughts about what it is, and what it is not.

A shell is a way of giving a computer commands that it in turn executes. The Windows CMD shell (aka "DOS Prompt") is one example of a shell. Unix has many different shells, but a common one is bash, or "Bourne Again SHell." It is common in Unix and Linux variants ... which happen to be the operating system of choice for a great many non-PC Internet devices. Think wireless routers, Blu-Ray players, network hard drives, printers, Internet TVs, etc. Not all run bash - as I said, there are a number of different shells - but many do.

Tuesday, September 23, 2014

Installing Kali Linux and Snort on a Raspberry Pi

Last week I wrote about building a passive network tap with about $10 in off-the-shelf parts. Building a tap is a nice little project, but what do you do with it? A simple first step is to install Wireshark on a laptop and capture some packets. I wanted something a little more elegant though. Earlier this year I posted an April Fools gag on various uses for a Raspberry Pi ... this time I am putting it to legitimate use.

The Raspberry Pi is a minimalist computer: a processor; a bit of memory; ports for network, video, and sound; an SD card slot for data and operating system storage; a few USB ports to attach additional components; and a micro-USB port to supply power. Altogether a bare-bones Pi costs about $35. You can buy a Pi with a protective case, an SD card, and a power supply for around $50 to $60. I picked up a bundle with the Raspberry Pi model B, clear case, and wireless adapter for $49.95, plus a 16 GB SD card for another $10. In truth, I could have gotten by with a smaller SD card, but the software tools I had in mind to use take up some space, and network captures can quickly fill up a drive.

Tuesday, September 16, 2014

The naked truth about celebrity photos

We all have secrets. Some secrets are scandalous, but most are simply things we would like to keep private. Here are some lessons from the iCloud celebrity photo leak, and a way to protect secrets in the cloud.

Update September 30, 2015 Two significant flaws were just discovered in TrueCrypt, one of which could lead to complete compromise of a Windows PC. I am leaving this post active, but with the caveat that it may now be time to migrate off TrueCrypt. I have not yet used it myself, but VeraCrypt is an open-source project that took the last-known-good version of TrueCrypt and updated it, including fixing these newly-discovered bugs.

We all have secrets. They may be intimate photos. They may be financial documents. Perhaps they are records indicating a medical condition. For some they are invention prototypes, or business plans. For others they might be battle plans or defense strategies. Some secrets are scandalous, but most are simply things we would like to keep private. In my line of work, occasionally I discover security flaws that could be damaging if details leaked before the affected party has a chance to fix things. The nature of secrets varies as widely as the nature of those that hold these secrets. My point though is that we all (with the possible exception of Jim Carrey’s Fletcher Reede character) have things we would prefer not be seen by others.

Tuesday, September 9, 2014

How to build a $10 passive network tap

When one's profession involves network security, sometimes it helps to capture network communication to analyze. Often the simplest way to do this is to install packet capture software such as tcpdump or Wireshark on the system in question. This has the advantage of being easy (tcpdump may even already be installed - it is common on Linux systems), and by running on the target system there can be less unrelated traffic to wade through.

The downside, of course, is sometimes I don't have access to the target system ... or do have access but do not wish for the user of the system to know it is being investigated. If it is malware I am investigating, the malware might tamper with software running on the same system. In any of these cases, it is to my benefit to capture the network traffic from somewhere other than the target system.

Tuesday, September 2, 2014

Change the phone book: what is this "DNS" thing?

If you are reading this, chances are you made use of a Domain Name System, or DNS. Don't panic! After a brief lesson on a fundamental piece of modern networks, I will explain a very simple step you can take that dramatically reduces the risk of encountering malicious software or scam / phishing traps.

Putting aside for a moment the possibility that you are reading a printout, you are more than likely using a web browser. Perhaps you clicked a link in search results, or on another web site, or in an email from a friend. Maybe this blog is syndicated to your RSS feed. Or maybe you typed the URL in directly or used a bookmark. Regardless of the source, your browser did not just yell out on the Internet, "show me David Longenecker's blog." Instead, it referred to a DNS, a phone book of sorts, to translate the human-readable web site name or URL into an address it could travel to.