J Wolfgang Goerlich's thoughts on Information Security
Cisco's new business tablet

By wolfgang. 1 July 2010 03:53

Perhaps another step forward towards disposable end-point tablet computing. (Wow, that was a mouthful.) I would be interested in piloting the Cisco Cius coupled with VDI.

"Cisco announces that it will be launching an Android-based tablet next year named the Cius, aimed squarely at the business market."

http://feeds.wired.com/~r/wired/index/~3/nvydbm03px8/

Tags:

Architecture

Insurance

By wolfgang. 29 June 2010 07:31

In InfoSec risk management, one area that does not get much press is risk transference. That is, using insurance (or agreements) to transfer the risk to a third party. Brian Krebs makes the case, anecdotally, on his blog.

After an incident in which the attackers raided a company’s bank account for $750K, “The company managed to recover three of the fraudulent transactions, and its total loss now stands at just shy of $100,000. Golden State Bridge is confident that after paying its $10,000 deductible, the insurance company will cover the rest…”

http://krebsonsecurity.com/2010/06/the-case-for-cybersecurity-insurance-part-i/

Tags:

Risk Management | Security

Google and China, Internet Explorer and Aurora

By wolfgang. 19 January 2010 18:06

Google’s announcement that it is pulling out of China over continued hacker attacks has highlighted problems in Internet Explorer. Wired has an article in which Dmitri Alperovitch says of the Google attacks: "We have never ever, outside of the defense industry, seen commercial industrial companies come under that level of sophisticated attack."

McAfee’s CTO blog breaks it down further and gives the attack the name Operation Aurora. Technical details on the "Operation Aurora" exploit and payload are on the McAfee Labs Blog. McAfee will be hosting a webinar on Thursday to discuss the exploit and attack. Meantime, for those of us who like to play with Aurora, HD Moore recreated the exploit for Metasploit.

One concern that I have is script kiddies downloading and running the exploit across anything they can get their hands on, particularly in light of the press.

I wager many of you (like me) have to use Internet Explorer for business purposes. So please note that the current "Aurora" public exploits do not work if you are running IE8 with DEP enabled. If you are running an older version of IE, you might consider upgrading while Microsoft prepares the patch.

There is a rumor that the exploit could be modified to bypass DEP. Such a modified exploit is currently not publicly available. It will take some time for a modified exploit to be developed, which should give Microsoft time to patch.

Tags:

Operations Security | Security

Happy New Year and how I spent Y2K

By wolfgang. 1 January 2010 12:46

Happy New Year! Thank you for bringing in the new decade with me.

Ten years ago, we thought, just maybe, this Y2K thing would cause widespread computer system breakdowns.

I was with an IT consulting firm and was working on New Year’s Eve. (What!? It was a Friday. Cut me some slack.) I had my young son with me at the office. We had hooked up analog call forwarding to send incoming calls to the vice president’s house, and we had armed him with a stack of paper workorders and an analog fax machine. The idea being, should pandemonium ensue, people would call firms such as ours. The VP would get a signed agreement and send in the techs. I was on-call for second level support.

Before I left, I shut down the network and PBX and disconnected power. You never can be too safe, right? After all, who knew how bad it would get. (Actually, we were doing much of this in a tongue-in-cheek fashion.)

My son and I drove home early. We picked up my wife, then very pregnant, and went to see a movie. It might have been Pokemon. It might have been Wild Wild West. None of us can quite remember and agree on which movie it was now. Anyways, we were in the Krafft 8 movie theater standing in line when the first call came in.

I answered my trusty Nextel, fearing the worst. It was not even close to midnight but you never know. What had happened?

On the line was Thailand. My good friend had called to wish me a happy new year. Life was still going, he assured me, with no disruptions in Tokyo or Bangkok. We had a good laugh and chat.

My family enjoyed the movie. Then we dropped my son off at his grandmother’s. They had their party, and my wife and I had ours. The night passed quietly. Then the weekend passed quietly. Then my daughter was born and I forgot all about Y2K.

And before I knew it, it was 2010. Somewhere along the way, we hooked back up the firm’s computer and telephony equipment. Other bugs came and went. But Y2K, for me, was the dog that did not bark.

Tags:

General

Matriux - Upgrade to 2.6.32-7 and install the GPL Hyper-V integration

By wolfgang. 14 December 2009 20:59

These steps will install Matriux into a Hyper-V vm (2008 or 2008 R2) and integrate the network and storage adapters.

Create a Hyper-V vm with the legacy network adapter and a 10 GB vhd.
Download Matriux and install onto the local vhd.

Configure apt-get to download the Lucid (2.6.32-7) kernel.

sudo bash
nano /etc/apt/sources.list

# added by -JWG- for Hyper-V integration
# The Lucid repository contains the 2.6.32-7 kernel
deb http://archive.ubuntu.com/ubuntu/ lucid main

apt-get update

Install the kernel and then comment out the repository.

apt-cache search linux-image-2.6.32
apt-get install linux-image-2.6.32-7-generic linux-headers-2.6.32-7-generic build-essential

nano /etc/apt/sources.list
Comment out the deb line you added (prefix it with #).

Validate the kernel after rebooting to ensure we are on 2.6.32-7.

uname -r

Enable the GPL integration components. The module directory is named after the running kernel, so check uname -r first.

uname -r
sudo bash
cd /lib/modules/2.6.32-7-generic/kernel/drivers/staging/hv
insmod hv_vmbus.ko
insmod hv_blkvsc.ko
insmod hv_netvsc.ko
insmod hv_storvsc.ko

Add the modules to the startup file.

nano /etc/initramfs-tools/modules

# added by -JWG- for Hyper-V integration
hv_vmbus
hv_blkvsc
hv_netvsc
hv_storvsc

update-initramfs -u
reboot

Confirm that the modules are loaded. You will have full network and disk integration. The mouse integration (Inputvsc) is currently provided by Citrix Project Satori and has not yet been patched to 2.6.32-7.

lsmod | grep vsc

 

Tags:

Hyper-V | Security | Virtualization

Matriux - Downgrade to 2.6.18 and install Hyper-V's integration components

By wolfgang. 14 December 2009 20:55

These steps will install Matriux into a Hyper-V vm (2008 or 2008 R2) and integrate the mouse, network adapter, and storage adapter.

Create a Hyper-V vm with the legacy network adapter and a 10 GB vhd.
Download Matriux and install onto the local vhd.
Download the Linux Integration Components for Windows Server 2008 R2 (LinuxIC v2.iso).
Download the Citrix Project Satori mouse driver (Inputvsc.iso).

Configure apt-get to download the previous version of the kernel, which includes first flushing and renewing the apt signing keyring.

sudo bash

apt-key list
apt-key del 437D05B5
apt-key del FBB75451

apt-key list should now return an empty list.

Install the keyring.

apt-get install debian-archive-keyring

Load the key for ftp.us.debian.org and security.debian.org. Compare the fingerprint of the key you receive from the keyserver with the one Debian publishes before handing it to apt-key.

cd /home/tiger/.gnupg/
mv gpg.conf gpg.con~

gpg --keyserver wwwkeys.eu.pgp.net --recv 9AA38DCD55BE302B
gpg --list-keys 9AA38DCD55BE302B
gpg --export 9AA38DCD55BE302B > 9AA38DCD55BE302B.gpg
apt-key add ./9AA38DCD55BE302B.gpg
apt-key list

Add the repositories to the end of the sources list, and update the apt list.

nano /etc/apt/sources.list

# Repository for older kernel versions
# added by -JWG- for Hyper-V integration
deb http://ftp.us.debian.org/debian etch main
deb http://security.debian.org/debian-security etch/updates main

cd /usr/src/
apt-get update

Install the kernel and then comment out the repositories.

apt-cache search linux-image-2.6.18
apt-get install linux-image-2.6.18-6-amd64 linux-headers-2.6.18-6-amd64 build-essential

nano /etc/apt/sources.list
Comment out the two deb lines you added (prefix each with #).

Modify the menu.lst file so its default line points at the 2.6.18-6 entry, and reboot.

nano /boot/grub/menu.lst
default 2
reboot

Validate the kernel after rebooting to ensure we are on 2.6.18-6.

uname -r

Insert the LinuxIC v2.iso disk, copy it locally, and install the drivers.

sudo bash

mkdir /opt/linux_ic
cd /opt/linux_ic
cp -R /media/CDROM/* /opt/linux_ic/
./setup.pl drivers
cat drvinstall.err

The only errors should be "make: udevcontrol: command not found" and "make: *** [install] Error 127". These simply indicate that we will need to manually add the services to the initramfs modules file.

Insert the Inputvsc.iso disk.

mkdir /opt/inputvsc
cd /opt/inputvsc
cp -R /media/CDROM/* /opt/inputvsc/
./setup.pl drivers
cat drvinstall.err

Again, the only errors should be related to the modules. Edit that file now.

nano /etc/initramfs-tools/modules

# added by -JWG- for Hyper-V integration
netvsc
blkvsc
storvsc
inputvsc

update-initramfs -u
reboot

Confirm that the modules are loaded. Then it is play time.

lsmod | grep vsc
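A small shell helper, added here as an example and not part of either Matriux post, that replays the hand edits both walkthroughs make in nano: append a temporary repository under a marker comment, comment it back out once the kernel is installed, and register the Hyper-V modules in the initramfs list, plus the two checks to run after the reboot. It assumes the Debian/Ubuntu apt file layout; the marker text, the file paths and the "apply" switch are this script's own choices, and only the 2.6.32-7 route is wired up in the apply section.

```shell
#!/bin/sh
# Added example, not from the original posts. Automates the repository and
# module edits both Matriux/Hyper-V walkthroughs perform by hand, so a
# temporary repository is never left enabled by accident.
# Assumptions: Debian/Ubuntu apt layout; marker text and paths are our own.

MARKER='# added by -JWG- for Hyper-V integration'

# add_temp_repo FILE LINE: append the marker and a deb line, once only.
add_temp_repo() {
    file=$1; line=$2
    if ! grep -qxF -- "$line" "$file"; then
        printf '%s\n%s\n' "$MARKER" "$line" >> "$file"
    fi
}

# disable_temp_repos FILE: comment out every active deb line that follows the
# marker (comments and blank lines in between are tolerated), leaving the
# distribution's own repository lines untouched.
disable_temp_repos() {
    file=$1
    awk -v m="$MARKER" '
        $0 == m         { print; flag = 1; next }
        flag && /^deb / { print "#" $0; next }
        /^#/ || /^$/    { print; next }
                        { flag = 0; print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# register_modules FILE MODULE...: add each module name to the initramfs list
# once, under the marker, so update-initramfs -u picks it up.
register_modules() {
    file=$1; shift
    grep -qxF -- "$MARKER" "$file" || printf '%s\n' "$MARKER" >> "$file"
    for mod in "$@"; do
        grep -qxF -- "$mod" "$file" || printf '%s\n' "$mod" >> "$file"
    done
}

# running_kernel_is VERSION: true when uname -r reports the expected kernel.
running_kernel_is() { [ "$(uname -r)" = "$1" ]; }

# loaded_vsc_modules: names of the Hyper-V synthetic device modules loaded now
# (the posts' lsmod | grep vsc, reduced to the module column).
loaded_vsc_modules() { lsmod | awk 'NR > 1 && $1 ~ /vsc/ { print $1 }'; }

# Only with "apply" as the first argument (run as root) does this touch the
# system. It follows the 2.6.32-7 route; the 2.6.18 route differs only in the
# repository lines, package names and module names.
if [ "${1:-}" = "apply" ]; then
    add_temp_repo /etc/apt/sources.list 'deb http://archive.ubuntu.com/ubuntu/ lucid main'
    apt-get update
    apt-get install -y linux-image-2.6.32-7-generic linux-headers-2.6.32-7-generic build-essential
    disable_temp_repos /etc/apt/sources.list
    register_modules /etc/initramfs-tools/modules hv_vmbus hv_blkvsc hv_netvsc hv_storvsc
    update-initramfs -u
    echo 'Reboot, then check: running_kernel_is 2.6.32-7-generic && loaded_vsc_modules'
fi
```

The functions are kept separate from the apply section so the sources.list and modules-file edits can be tried on a copy of the files first; the marker comment is what lets the script find and disable only the lines it added.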

Tags:

Hyper-V | Security | Virtualization

Matriux - Penetration Testing from Hyper-V

By wolfgang. 13 December 2009 20:18

Matriux is a vulnerability assessment / penetration testing Linux distribution. The team's beta release was at the beginning of this month, and I have been playing around with the distro for the past couple of weeks. What can I say? I am a sucker for Latin mottos ("Aut viam inveniam aut faciam" or "I shall find a way or make one") and for cleanly laid out VA/PT toolsets.

The bonus, for those running Hyper-V, is that Matriux is Kubuntu based and comes with the Jaunty kernel (2.6.28-13-generic). Setting up a Hyper-V security appliance is as simple as creating a vm, using the legacy network adapter, skipping the hard drive, and booting off the downloadable ISO. Matriux works right out of the box within Hyper-V.

You can compare this to the Slax VA/PT distros, which do not support the network adapter. Often, these distros do not even support the mouse. Using the Matriux Live CD in Hyper-V is a breeze. For an environment to support a demo or an occasional vulnerability assessment, you cannot ask for more.

If you are doing regular assessments, there are a couple of limitations with Hyper-V. The legacy network adapter performs at 100 Mbps (significantly slower than the 10 Gbps speed of the standard network adapter). The Live ISO is read-only, too. The mouse integration is present, but it is not the seamless integration one is used to with Windows vms. Oh, and the mouse integration does not work when connected to Hyper-V over RDP. To get full functionality, you will need to install Matriux into a vhd and install the Hyper-V integration components.

The Jaunty kernel does not support integration. You have two options: (1) downgrade Matriux's kernel to 2.6.18 and install Hyper-V's integration components; or (2) upgrade Matriux to the Lucid kernel (2.6.32-7) and enable the Hyper-V GPL code. Option (2) provides faster performance and is in line with the Matriux planned Beta 2, but it does not support the full mouse integration.

Detailed steps for both options are in the links above. For those who want to cut to the chase and simply try out Matriux under Hyper-V, I have done the steps for you. You can download the security appliance from SimWitty's website. Enjoy!

Matriux beta (0.9.4) with 2.6.18-6 kernel
Matriux beta (0.9.4) with 2.6.32-7 kernel

Thank you to the Matriux team for a smooth, well done security distribution beta. Thanks goes, too, to Tom Houghtby for providing the Linux knowledge and guidance that made the integration possible.

jwg

Tags:

Hyper-V | Operations Security | Security | Virtualization

Diskpart errors on non-Microsoft file systems

By wolfgang. 21 November 2009 06:38

VDS returns the following when you select a partition whose file system it does not recognize:

C:\> Diskpart

DISKPART> list disk
DISKPART> select disk (id)
DISKPART> list part
DISKPART> select part (id)

Virtual Disk Service error:
The pack is not online.

The "pack is not online" error (VDS_E_PACK_OFFLINE, 0x80042444L) is returned when Diskpart attempts to get the file system properties of, say, an ext3 or HFS+ file system. Diskpart works only with FAT and NTFS file systems. If the goal is to delete the non-Microsoft partition, use the clean command. Note that clean removes every partition on the selected disk, not just the one you could not select, so check list disk carefully first.

DISKPART> list disk
DISKPART> select disk (id)
DISKPART> clean

 

Tags:

Storage | Troubleshooting

Audit for SSL/TLS renegotiation

By wolfgang. 16 November 2009 14:43

An SSL/TLS renegotiation attack has been carried out against Twitter. The Register has some details on the Twitter attack, while Educated Guesswork has the technical details on the renegotiation vulnerability itself.

SSL/TLS renegotiation has been used before to get a web server to downshift its cipher and key length. The new angle is using renegotiation to cause both the web server and the browser to renegotiate and create a man-in-the-middle scenario. Once inserted in the middle, between web server and browser, the attacker can access the HTTP stream unencrypted.

Being an IT operations security guy, my focus is on auditing for and protecting against the weakness. The mitigation is simple: disable renegotiation. As for auditing, you can use openssl on any Linux OS to test.

sudo openssl s_client -connect www.yourhosthere.com:443

You will see the certificate chain, server certificate, SSL handshake, and SSL session details. The session is established when OpenSSL reports Verify return code: 0 (ok).

Now suppose OpenSSL reports verify error:num=20:unable to get local issuer certificate. I have seen this error on GoDaddy websites. To resolve it, browse to the website with Firefox. Open the certificate viewer and click the Details tab. There, below the details, click the Export button. Save the certificate file in the X.509 PEM format with a .pem extension (example: godaddy.pem). Then rerun OpenSSL and specify the certificate authority file.

sudo openssl s_client -connect www.yourhosthere.com:443 -CAfile godaddy.pem

Make an HTTP request and then request renegotiation.

HEAD / HTTP/1.0
R

The error ssl handshake failure indicates the web server is denying renegotiations. If OpenSSL renegotiates successfully, you will see a new certificate path and then read:errno=0. Contact your web server administrator if the server renegotiates.

(Update 2009-12-18: You can use the Matriux distro to perform the above steps.)
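The same probe, scripted so it can be run against a list of hosts and its outcome read off without watching the s_client session. This is an added example, not code from the original post. It assumes openssl s_client is on the path, that the depth=0 line printed by s_client's verify callback appears once per completed handshake (so seeing it twice means a second handshake happened, the "new certificate path" described above), and that host names and the CA file path are placeholders. Sending only the request line, without the blank line that ends the headers, keeps the server waiting for more headers, which is what gives the R command a still-open connection to renegotiate on.

```shell
#!/bin/sh
# Added example, not from the original post. Drives the openssl s_client
# renegotiation probe non-interactively and classifies the result.
# Assumptions: openssl on PATH; host names and CA file are placeholders.

# classify_reneg: reads s_client output on stdin and prints one of
#   DENIED       the server refused the renegotiation (handshake failure alert)
#   RENEGOTIATED a second handshake completed: the verify callback printed the
#                leaf certificate (depth=0) a second time
#   UNKNOWN      neither, e.g. the server simply closed the connection
classify_reneg() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qi 'handshake failure'; then
        echo DENIED
    elif [ "$(printf '%s\n' "$out" | grep -c '^depth=0')" -ge 2 ]; then
        echo RENEGOTIATED
    else
        echo UNKNOWN
    fi
}

# probe_reneg HOST [CAFILE]: send the request line only (no terminating blank
# line, so the server keeps waiting for headers instead of answering and
# closing), then the R command that makes s_client renegotiate. The sleeps keep
# stdin open long enough for the server to react; lengthen them on slow links.
probe_reneg() {
    host=$1; cafile=${2:-}
    { printf 'HEAD / HTTP/1.0\r\n'; sleep 2; printf 'R\n'; sleep 3; } \
        | openssl s_client -connect "$host:443" ${cafile:+-CAfile "$cafile"} 2>&1 \
        | classify_reneg
}

# audit_hosts HOST...: one "host RESULT" line per host. RENEGOTIATED is the
# result to take to the web server administrator.
audit_hosts() {
    for h in "$@"; do
        printf '%s %s\n' "$h" "$(probe_reneg "$h")"
    done
}

# Example run (network access required): ./reneg-audit.sh www.yourhosthere.com
if [ $# -gt 0 ]; then
    audit_hosts "$@"
fi
```

Keeping the classification in its own function means it can be tested on saved s_client transcripts, and the depth=0 count is a more reliable signal than read:errno=0 alone, which also appears when a server closes the connection without renegotiating.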

Tags:

Apache | Cryptography | IIS | Security

Use Diskpart to Create and Format Partitions

By wolfgang. 5 November 2009 02:24

To use the command line to bring a disk online, create a partition, and format it, run the following commands:

C:\> Diskpart

DISKPART> list disk
DISKPART> select disk (id)
DISKPART> online disk (if the disk is not online)
DISKPART> attributes disk clear readonly
DISKPART> clean
DISKPART> convert mbr (or gpt)
DISKPART> create partition primary
DISKPART> select part 1
DISKPART> active (if this is the boot partition)
DISKPART> format fs=ntfs label=(name) quick
DISKPART> assign letter (letter)
DISKPART> list volume

The following are common errors you may see if you miss a step: 

DISKPART> clean
DiskPart has encountered an error: The media is write protected.
See the System Event Log for more information.

Resolution: run attributes disk clear readonly before trying to clean the volume and create the partition.

DISKPART> convert mbr

Virtual Disk Service error:
The specified disk is not convertible. CDROMs and DVDs
are examples of disks that are not convertable.

Resolution: clear all data off the disk before converting by running the clean command.

DISKPART> create partition primary
Virtual Disk Service error:
There is not enough usable space for this operation.

Resolution: run clean before trying to create the partition.

DISKPART> format fs=ntfs quick
Virtual Disk Service error:
The volume is not online.

Resolution: online the disk, create the partition, and convert to mbr before formatting.

Tags:

Troubleshooting
