Articles in the Security category

  1. Linode Hacked: Thoughts About Cloud Security

    April 16, 2013

    I bought a Linode VPS for private usage just after the report that Linode had reset all passwords of existing users regarding the Linode management console.

    Resetting passwords is not something you do when under a simple attack such as a DDOS attack. Such a measure is only taken if you suspect or have proof of a serious security breach. I should have known.

    There are strong rumours that Linode has actually been hacked. Although I signed up for a Linode VPS after the attack, I still checked my creditcard for any suspicious withdrawals.

    Linode is as of this writing very silent about the topic, which only fuels my, and every other's suspicion that something bad has happened.

    Whatever happened, even it isn't as bad as it seems, such an incident as this should make you evaluate your choices about hosting your apps and data on cloud services.

    I don't care that much about rumours that creditcard information may have been compromised. Although in itself quite damning, what I do care is about the security of the data stored in the virtual private servers hosted on their platform.

    I like this phase: "There is no cloud, only Other People's Hard Drives".

    Everybody uses cloud services, so we all put our data in the hands of some other third party and we just hope that they properly secured their environment.

    The cynical truth is that even so, a case can be made that for many companies, data stored in the cloud or on a VPS is a lot safer than within their own company IT environment. But an incident like this may prove otherwise.

    And if you believe that data on a VPS is more secure than within your own IT environment, I believe that you have more pressing problems. The thing is that it doesn't tell you anything about the security of those cloud solutions. It only tells you something about the perceived security of your own IT environment.

    The cloud infrastructure is just another layer between the metal and your services, and it can thus be attacked. It increases the attack surface. It increases the risk of a compromise. The cloud doesn't make your environment more secure, on the contrary.

    So anyway, who performs regular security audits of Linode or (insert your current cloud hosting provider?) and what is the quality of the processes that should assure security at all times?

    Questions. Questions.

    This incident again shows that you should clearly think about what kind of security your company or customer data warrants. Is outsourcing security of your data acceptable?

    Maybe, if security is an important factor, those cheap VPS hosts aren't that cheap after all. You may be better off creating your own private cloud on (rented or owned) dedicated servers and put a little bit more effort in it.

    Building your own environment on your own equipment is more expensive than just a simple VPS, but you are much more in control regarding security.

  2. Setup a VPN on Your iPhone With OpenVPN and Linux

    January 19, 2013

    Introduction

    I'm quite happy because finally there is an official OpenVPN client for IOS. It took me about an hour to setup an OpenVPN server and got the iPhone working. This is the 'press release'.

    screenshot

    The OpenVPN client is great because it automatically reconnects when your iPhone wakes from sleep, do you don't have to manually reconnect.

    So this is how to quickly setup your own OpenVPN server and hook up your iPhone.

    How It Works

    OpenVPN is an SSL-based VPN solution. SSL-based VPNs are cool because if you set it up properly, you will never be blocked by any firewall as long as TCP-port 443 is accessible. Standard, OpenVPN uses UDP as a transport at port 1194, but you can switch to TCP to increase the chance that your traffic will not be blocked.

    Authentication is performed based on public/private key cryptography. The OpenVPN server is similar to an HTTPS server. The client however, does not authenticate with a username and password but you use a client certificate.

    So before you can setup an actual VPN configuration with OpenVPN, you need to setup a Certificate Authority.

    With the CA you can create the server certificate and then generate all client certificates for authentication. Clients use the CA certificate to validate the server.

    OpenVPN installation

    OpenVPN is often standard on most common Linux Distros. apt-get install openvpn for any Debian or Ubuntu version is all you need to install OpenVPN.

    Or take a look here

    Creating a certificate authority.

    I assume that you will create a configuration in /etc/openvpn. But before you can setup the configuration, you need to create a certificate authority. I used the folder /etc/openvpn/easy-rsa for this.

    This is no coincidence, as we use the easy-rsa scripts as part of OpenVPN to quickly setup our certificate authority.

    We start with copying all these files to this new directory:

    cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0* /etc/openvpn/easy-rsa
    

    Next, we cd to this directory and edit the 'vars' file. The following instructions are straight from the OpenVPN howto.

    export KEY_COUNTRY="US"
    export KEY_PROVINCE="California"
    export KEY_CITY="San Fransisco"
    export KEY_ORG="My Company"
    export KEY_EMAIL="my@mail.com"
    export KEY_CN=server
    export KEY_NAME=server
    export KEY_OU=home
    

    Then I had to copy openssl-1.0.0.cnf to openssl.cnf because the 'vars' script complained that it couldn't find the latter file.

    cp openssl-1.0.0.cnf openssl.cnf
    

    Then we 'source' var and run two additional commands that actually generate the certificate authority.

    . ./vars
    ./clean-all
    ./build-ca
    

    You will have to confirm the values or change them if necessary.

    Now we have a certificate authority and we can create new certificates that will be signed by this authority.

    WARNING: be extremely careful with all key files, they should be kept private.

    Creating the Server Certificate

    First we create the server certificate:

    ./build-key-server server
    

    It's up to you to come up with an alternative for 'server'. This is the file name under which the key files and certificates are stored.

    All files that are generated can be found in the '/etc/openvpn/easy-rsa/keys' directory.

    Creating the Client Certificate

    Now that we have a server certificate, we are going to create a certificate for our iPhone (or any other iOS device).

    ./build-key iPhone
    

    Last, we must generate Diffie-Helman parameters like this:

    ./build-dh
    

    So now we have everything in place to start creating an OpenVPN configuration. We must create a configuration for the server and the client. Those configurations are based on the examples that can be find in /usr/share/doc/openvpn/examples/.

    Example Server configuration

    This is my server configuration which is operational. It is stored in /etc/openvpn/iphone.conf

    dev tun2
    tls-server
    dh easy-rsa/keys/dh1024.pem
    ca easy-rsa/keys/ca.crt
    cert easy-rsa/keys/server.crt
    key easy-rsa/keys/server.key
    server 10.0.0.0 255.255.255.0
    log /var/log/openvpn-iphone.log
    comp-lzo
    script-security 2
    route-up "/sbin/ifconfig tun2 up"
    port 443
    proto tcp-server
    keepalive 30 120
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    

    I use TCP-port 443 as this destination port is almost never blocked as this would break most internet connectivity. The downside is that I can no longer host any secure web site on this IP-address.

    I'm aware that you now know that I'm running OpenVPN on this box and you will be able to talk to this service, however, as it uses certificates for authentication, security will be sufficient, unless OpenVPN itself is vulnerable.

    The keepalive parameter prevents your phone from reconnecting every 40 seconds by default, as I experienced.

    Change any parameters if required and then start or restart the OpenVPN service:

    /etc/init.d/openvpn restart
    

    Make sure that the server is running properly in /var/log/openvpn-iphone.log

    If you want to use your VPN to browse the internet, we still need to configure a basic firewall setup.

    I'm assuming that you already have some kind of IPtables file wall running. If not, you might want to look at LIFS, a powerful Linux firewall script. So I assume that you already have a secure IPtables configuration, you only need to add some stuff.

    Assuming that you will - for example - use the 10.0.0.0/24 network for VPN clients such as your iPhone, you must also create a NAT rule so VPN clients can use the IP-address of the Linux server to access Internet.

    iptables -t nat -A POSTROUTING -s "10.0.0.0/24" -o "eth0" -j MASQUERADE
    

    Please note that you must change eth0 with the appropriate interface of your router. Change the IP-address range according to your own situation. It should not conflict with your existing network.

    iptables -A FORWARD -p tcp -s 10.0.0.0/24 -d 0.0.0.0/0 -j ACCEPT
    

    Please note that I haven't tested these rules, as I have a different setup. But this should be sufficient. And make sure that forwarding is enabled like this:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    

    Example Client configuration

    Create a file called iphone.ovpn and configure it like this:

    tls-client
    remote <some domain name or IP address>
    ca ca.crt
    cert iphone.crt
    key iphone.key
    comp-lzo
    port 443
    proto tcp
    

    Setting up your iPhone

    You need to get the following files on your iOS device:

    iphone.ovpn
    ca.crt
    iphone.crt
    iphone.key
    

    The safest way is to use iTunes and connect your device with a cable, although I believe that iCloud stuff works too.

    1. Open iTunes
    2. Select your device at the top right
    3. Go to the Apps tab
    4. Scroll to the file sharing section
    5. Select the OpenVPN application
    6. Add all mentioned files at the right side
    7. Sync your device

    Test your iPhone

    Open the OpenVPN client. You will see a notice that a new configuration has been imported and you need to accept this configuration. As it might not work straight away, you need to monitor /var/log/openvpn-iphone.log on the server to watch for any errors.

    Now try to connect and enjoy.

    Updated 20130123 with keepalive option. Updated 20130801 with extra server push options for traffic redirection and DNS configuration

  3. Personal Security: Erase Your Computer or Phone Before Repair

    November 04, 2012

    Computer nerds are self sufficient when it comes to fixing their computer. Non-computer experts have to find some other person with greater computer knowledge to repair their computer or phone. That person will then be able to access all data stored on their computer or phone.

    By handing over their computer to a third party, such as a computer repair shop, they are giving their personal data to a stranger. And it is so easy for that stranger to access this data. So they will.

    This is not only true for computers, but especially for phones. If you are a women, you should be extra concerned. It is so easy to obtain access to your photos. And people do.

    The only safe thing to do is either:

    1. encrypt your computer with full disk encryption (Truecrypt?);
    2. wipe all internal hard drives.

    Both actions will make it impossible for the computer technician to resolve any operating system or software related issues. Also, it will be harder to diagnose hardware failure. And if you erase the computer, who is going to reinstall it?

    A third option would be to implement a secure file container where a user would put personal information. But this concept is way too hard to understand and implement for most users.

    So in the end most people must find a person they can trust and who is willing to fix their computer. But that is never a safe bet.

    So assuming that you must trust your computer to a person you don't know too well, it is smart to never store any content, especially personal pictures or videos on your computer that you would not want them to see.

    I had to turn in my iMac for repair because the internal hard drive was dying. So I erased the entire disk by overwriting it with zeros. This takes a few hours, but it guarantees that my data will not fall in the wrong hands. Honestly, I don't have any data I'd really want to hide, but still, it's my data and I don't want it in the hands of unknown people.

  4. Setting Up a Squid Proxy With Clamav Anti-Virus Using C-Icap

    August 26, 2012

    Security is all about a defence-in-depth strategy. Create multiple layers of defence. Every layer presenting a different set of challenges, requiring different skill sets and technology. So every layer will increase the time and effort to compromise your environment.

    A content-scanning proxy server may provide you with one of these defensive layers. A content scanning proxy checks all data for malware. It blocks all content presumed to be infected. This may prevent numerous infections of company computers. Basically, the proxy server is virusscanning all network traffic.

    warning

    But there is a severe limitation. Any data requested through an SSL-connection (https://) cannot be scanned, precisely because it is encrypted. So if a blackhat is smart and serves all malware through HTTPS, a content scanning proxy will not stop that malware. There are man-in-the-midle solutions that do allow you to inspect SSL traffic, but there are some limitations and this is outside the scope of this post.

    As I believe that most malware is still being served through unencrypted HTTP sites, a content-scanning proxy does create an extra layer of defence. I think it is worth the effort.

    So I decided to create a content-scanning proxy based on available open-source software. In this case, open-source as in free to use in commercial settings.

    So in this post I will document how to setup a content-scanning proxy based on Squid 3.1, c-icap version 1, the Squidclamav module and the Clamav anti-virus scanner.

    The basis of this proxy server is Ubuntu 12.10 LTS.

    Important:

    How does it work?

    The Squid proxy server must pass all content to the Clamav daemon. Squid can't do that by itself. It's needs some glue service. For this purpose, a standard protocol has been designed called 'ICAP'. The c-icap daemon, combined with the squidclamav module, is the glue between the proxy server and the anti-virus software. The fun thing about c-icap is that you can add extra content scanning features if you want, just by adding those modules. You can decide to implement additional commercial anti-virus products in addition to Clamav.

    Installing Clamav and c-icap + development files

    1. apt-get install clamav-daemon c-icap  libicapapi-dev apache2
    2. freshclam (update clamav on the spot)
    

    Apache or any other HTTP server with CGI support is required to display virus-warnings to end-users.

    Installing squidclamav module for c-icap

    Do not install squidclamav with apt-get, this version seems to contain bugs that prevent pages from loading properly. The latest version straight from the vendor does work properly.

    1. cd /usr/src/
    2. download the source from: 
    "http://sourceforge.net/projects/squidclamav/"
    3. tar xzf squidclamav-6.8.tar.gz
    4. cd squidclamav-6.8
    5. ./configure
    6. make -j 2
    7. make install
    

    Squid configuration

    Please download my sample Squid.conf configuration. The icap lines are of interest.

    icap_enable on
    icap_send_client_ip on
    icap_send_client_username on
    icap_client_username_encode off
    icap_client_username_header X-Authenticated-User
    icap_preview_enable on
    icap_preview_size 1024
    
    icap_service service_req reqmod_precache bypass=0 \ 
        icap://127.0.0.1:1344/squidclamav
    icap_service service_resp respmod_precache bypass=0 \ 
        icap://127.0.0.1:1344/squidclamav
    
    adaptation_access service_req allow all
    adaptation_access service_resp allow all
    

    It is the icap:// URL that calls a particular icap service (squidclamav) that processes all data.

    Squidclamav icap module configuration

    The configuration is stored in /etc/squidclamav.conf, and this is what I used:

    maxsize 5000000
    redirect http://proxy.company.local/cgi-bin/clwarn.cgi
    clamd_ip 127.0.0.1
    clamd_port 3310
    timeout 1
    logredir 0
    dnslookup 1
    

    Of interest is the redirect url, which tells the user that a virus is found. That line redirects the user towards a page as shown at the beginning of this post. You can customise this page with CSS, for example, you can add the company logo to make it more official.

    c-icap configuration

    This is the configuration I use:

    PidFile /var/run/c-icap/c-icap.pid
    CommandsSocket /var/run/c-icap/c-icap.ctl
    Timeout 300
    MaxKeepAliveRequests 100
    KeepAliveTimeout 600  
    StartServers 3
    MaxServers 10
    MinSpareThreads     10
    MaxSpareThreads     20
    ThreadsPerChild     10
    MaxRequestsPerChild  0
    Port 1344 
    User c-icap
    Group nogroup
    ServerAdmin you@your.address
    ServerName Anti-Virus-Proxy
    TmpDir /tmp
    MaxMemObject 1048576
    DebugLevel 0
    ModulesDir /usr/lib/c_icap
    ServicesDir /usr/lib/c_icap
    TemplateDir /usr/share/c_icap/templates/
    TemplateDefaultLanguage en
    LoadMagicFile /etc/c-icap/c-icap.magic
    RemoteProxyUsers off
    RemoteProxyUserHeader X-Authenticated-User
    RemoteProxyUserHeaderEncoded on
    ServerLog /var/log/c-icap/server.log
    AccessLog /var/log/c-icap/access.log
    Service echo srv_echo.so
    Service squidclamav squidclamav.so
    

    Configuring Apahce web server

    The warning page should be put in /usr/lib/cgi-bin. You may have to copy clwarn.cgi into this directory. Also make sure that your Apache configuration contains a directive like:

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
    </Directory>
    

    Automatic proxy configuration through DHCP and WPAD

    To make the entire setup extra nice, use your DHCP configuraiton to inform clients about the proxy configuration. Clients must be configured to autodetect proxy settings for this to work.

    Put a wpad.dat in the root directory of your http server:

    function FindProxyForURL(url, host)
    {
        if (dnsDomainIs(host, "localhost")) return "DIRECT"; 
        if (isInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
        if (isPlainHostName(host)) return "DIRECT";
        if (isInNet(host, "192.168.0.0", "255.255.255.0")) return "DIRECT";
        return "PROXY proxy.company.local:3128";
    }
    

    And also add the appropriate mime type for .dat files in /etc/mime.types

    application/x-ns-proxy-autoconfig           dat
    

    Restart the apache webserver after these modifications.

    Now add the proxy to the DNS configuration of your DNS server like proxy.company.local.

    Most important, add this directive to the general portion of the configuration file:

    option local-proxy-config code 252 = text;
    

    Add this directive to the particular scope for your network:

    option local-proxy-config "http://proxy.company.local/wpad.dat";
    

    Restart your DNS and DHCP server.

    Monitoring proxy performance

    The cagemgr.cgi file provides very detailed information about the performance of your Squid proxy. This is more relevant regarding actual cahcing performance than for anti-virus scanning, but this may be of interest. Especially the 'general runtime information' is of interest, as it shows the hit-rate, memory usage, etc.

    First, make sure you take the appropirate precautions as not to expose this page to the entire company network without some protection, as it can contain sensitive information.

    If you have installed squid-cgi just browse to http://your.proxy.server/cgi-bin/cachemgr.cgi

    Some example data:

    Cache information for squid:
        Hits as % of all requests:  5min: 10.3%, 60min: 4.1%
        Hits as % of bytes sent:    5min: 81.4%, 60min: 5.2%
        Memory hits as % of hit requests:   5min: 0.0%, 60min: 14.8%
        Disk hits as % of hit requests: 5min: 0.0%, 60min: 74.1%
    

    Final words

    This whole configuration shouldbe sufficient to setup a content-scanning proxy server. I have no experience how well this solution performs and you may have to do some benchmarks if your own to determine if it is capable of handling the traffic users generate. The fun thing about this setup is that it is modular. For example, you can have one Squid + HTTP box, and a separate host just for the c-icap service and Clamav service.

    Besides the whole content scanning part, a proxy server, based on some non-scientific tests, does seem to improve performance for end-users. It may save you an expensive upgrade to a faster corporate internet connection.

  5. Improving Web Application Security by Implementing Database Security

    May 18, 2012

    Security is about defense-in-depth. It bogles my mind why it is so difficult to implement defense-in-depth security in web applications. 99.9% of applications use a single database account, with root-like privileges. Easiest for the developer of course, and the database is just a data store. It is not understood for what it really is. Your database is your only and last defensive layer that you have before the attacker compromises your data. Use it well.

    For example, you can use your database to protect you against high-impact attacks such as SQL-injection.

    I created a presentation about this topic a while ago You can download this presentation here:

    http://mini.louwrentius.com/static/files/designingsecureapplications.pdf

    A short summary of the points made.

    • Truly understand your application and their requirements.
    • Do not create a monolithic application, create separate applications. For example, at least separate front office and back office.
    • Run those applications under different operating system users or ideally on different servers, residing in different network segments.
    • It suddenly makes sense to put your database server in a separate secure network segment as opposed to running it on the same box as the application server.
    • Do not use a single database account with root-like privileges.
    • Create separate database accounts for separate application components. Only assign those privileges required for that application. White-list privileges within the database. This is key.
    • Understand that for end-user authentication, 'select username,password from user' kinda privs is not required!
    • Use stored procedures and functions wisely. By only providing access to functions, views and stored procedures, while preventing access to tables, you can significantly reduce the impact of SQL-injection or other application level security breaches.
    • In any case, understand that an attacker can never obtain more database privileges than the database account used. Even if the entire application server is compromised. This is especially important for your internet-facing applications.
    • Use your database as an extra layer of defense.

Page 2 / 5