Mar 11 2010

Unix Logging

There is a wide variety of logging functions and services on UNIX. Some of these, such as the Solaris audit facility, are specific to one variety of UNIX, so the digital forensics analyst needs to become familiar with the logging deployed on the particular system under review. In particular, have a look at the syslog configuration file and the /var/log and /var/run directories, and check whether any logs are forwarded to a remote log server. Syslog is a network service that is most commonly run locally, but its configuration can forward messages to a remote system; where it does, the remote copy is the one to trust, because an intruder with root on the host can edit or delete the local files.

Source


Mar 9 2010

OpenSSH 5.4 couples standard local input with server ports

The development team behind secure shell server OpenSSH have released version 5.4, which includes a range of new functions and fixes a number of bugs in the previous version.

Following a transition period of more than 10 years, OpenSSH 5.4 finally disables the old SSH protocol version 1 by default. The legacy protocol, which is no longer considered secure, can still be enabled explicitly in the configuration files or on the command line. Version 5.4 also adds certificate-based authentication for users and hosts, using a new, deliberately minimal OpenSSH certificate format rather than X.509. User keys and certificates can be revoked with the new RevokedKeys option in sshd_config, and host keys can be revoked by marking them (with a @revoked marker) in the known_hosts file.

Using the -W switch with a host:port argument, the OpenSSH 5.4 client can be run in a netcat-like mode that connects its standard input and output to a TCP port on the far side of the SSH connection, the connection to that port being opened by the SSH server. The usual use is a ProxyCommand that hops through a bastion host without needing netcat installed on it. The SFTP server (sftp-server), which provides FTP-like file transfer, can now be started in a read-only mode (-R) so that clients cannot create, modify or delete files, and can be given an explicit umask (-u) that is applied when it creates new files. The SFTP client now has tab completion for commands and paths and supports recursive get and put (-r), which allows entire directory trees to be transferred between client and server.

Source


Mar 8 2010

Report: North Korea Develops Own Linux Distribution

North Korea has reportedly developed its own version of the Linux operating system, with a graphical user interface that closely resembles Microsoft Windows.

A copy of the North Korean Linux distribution, called Red Star, was purchased in Pyongyang for US$5 by a Russian student named Mikhail, who then posted a brief review of it on his blog using the Russian embassy’s Internet connection, according to the English-language Web site of Russia Today, a Russian television news channel.

Mikhail, who described himself as one of two Russian students at North Korea’s Kim Il-Sung University, posted several screenshots of the operating system with his review, including a system clock showing a date based on North Korea’s own calendar, which counts 2010 as year 99 of its Juche ideology.

Although the operating system is still considered stable, it was easy to set up, taking around 15 minutes to install, Mikhail wrote, adding that it came with a single language option: Korean.

The desktop interface shown in the screenshots closely resembles Windows, and appears to be based on a recent version of the K Desktop Environment (KDE). The Red Star browser, which Mikhail said was called My Country, is based on Mozilla’s Firefox and allows users to access North Korea’s closed network, called My Country BBS.

Other features of Red Star include a word processor, an e-mail client, antivirus software, multimedia players for audio and video, as well as several games.

Source


Feb 26 2010

Kolivas Pushes New Kernel Responsiveness Patches

Con Kolivas had stopped working on the Linux kernel for two years after becoming fed up with the kernel development community, but last year he returned with the BFS scheduler. BFS is quite simple in design compared to other Linux schedulers, but it performed fairly well on desktop systems. Because of his past frustrations, Con has no intention of mainlining the Brain Fuck Scheduler, but he has now offered up another batch of patches.

Kolivas released a new set of patches this morning that are “designed to improve system responsiveness and interactivity with specific emphasis on the desktop.” The 13 patches apply against the freshly released Linux 2.6.33 kernel: one of them is BFS, another changes the default timer frequency to 1000Hz, another adds new values that allow the timer frequency to be raised to 10,000Hz, and there are various other changes.

Although Kolivas is probably not trying to get these patches into the Linux 2.6.34 kernel, he has announced them on the Linux kernel mailing list. The patches can be found in the 2.6.33-ck1 directory.

Source


Feb 25 2010

Study: Linux kernel R&D worth over 1 billion euros

According to a study by researchers at the University of Oviedo (Universidad de Oviedo) in Spain, the estimated total value of the 2.6.30 Linux kernel, released in June of 2009, is more than €1 billion. Using the kernel development history from version 2.6.11 to 2.6.30, the researchers calculated the costs by using the Constructive Cost Model 81 (COCOMO 81) and taking the average annual salary for a developer in 2006 in the European Union as a parameter. According to EUROSTAT, that was approximately €31,000. The Linux Foundation published a similar study in October of 2008.

The COCOMO algorithm estimates the cost of software from a number of metrics, principally the number of lines of code written. The study looks at the estimated annual research and development (R&D) cost of the kernel releases and shows that the annual Linux kernel R&D cost increased significantly in 2008: between 2005 and 2006 it was estimated at €72 million to €94 million, whereas in 2008 it rose to more than €228 million.

The two researchers responsible for the study, Jesús García-García and Mª Isabel Alonso de Magdaleno, will be presenting their findings at the Concord 2010 conference on corporate R&D, taking place on the 3rd and 4th of March, 2010 in Seville, Spain.

Source


Feb 24 2010

Chuck Norris is not a Linux virus

Get a grip people. A recent story about the so-called Chuck Norris botnet implies that it breaks Linux’s security. Wrong.

Windows malware, whether it comes in the form of a Trojan, virus or worm, works by exploiting security holes either in the operating system itself or in an application such as Adobe Reader or Internet Explorer. Whatever the bug or the method it uses to arrive on a Windows PC, it ultimately relies on Windows itself being insecure.

While the Chuck Norris bot runs on Linux-based DSL modems and routers, it doesn’t attack Linux at all: it runs as an ordinary Linux application. So how does it get there if it doesn’t try to crack Linux? It logs in to devices whose administrative interface is reachable by trying common and default passwords. That’s it. That’s all there is to it.

To blame Linux because someone is so dumb as to not change the default password is rather like blaming Honda or Ford for their anti-theft systems not preventing your car from being stolen when you left the doors unlocked and the key in the ignition. At some point the user has to take responsibility for basic security, and this most recent assault on modems and routers is a perfect example.

How do you prevent this from happening to you in the first place? Look up how to change your device’s password and give it a new one that isn’t mindlessly simple to guess. And how do you get rid of it if you already have it? Reboot the device: the bot runs from memory, not from the firmware, so it does not survive a power cycle. Don’t know how to do that? Pull the plug and put it back in. Mission accomplished, provided you changed the password first; otherwise the device will simply be found and infected again.

Linux has security problems. This isn’t one of them. This is a network security for dummies problem.

Any time you get a device that uses a password — DSL modem, cable modem, router, whatever — the first thing you should do after making sure it works is to change the default password to something that combines letters and numbers and isn’t easy to guess. That alone will stop Chuck Norris faster than Bruce Lee did in Way of the Dragon and 99% of all other common router password attacks.

Source


Feb 24 2010

Execution possible in non-executable mappings in recent 2.6 kernels

Hi Dave & list:

I’m writing to report a bug in recent vanilla kernels regarding the
ability to execute in non-executable pages on SPARC. I’m no SPARC
expert, but I’ll try to explain as best I can the problem and make
myself available for debugging/testing any fixes.

I have 4 sparc systems currently, a Netra T1, an Ultra 10, a Sunfire
V210, and a Blade 2500. The first two systems run the latest 2.4
kernels and experience no problems. The second two systems run recent
2.6 kernels (2.6.31 and 2.6.32) and both utilize the Cheetah+ MMU. Both
of these systems running the recent 2.6 kernels exhibit the problem.

I’ve provided two simple testcases that illustrate the problem. Either
run them in a loop or just multiple times — eventually instead of
receiving a segfault (as it should every time for attempting to execute
on the stack, which is non-executable by default per ABI) the shellcode
I’ve set up on the stack will execute without problems. In the first
testcase I haven’t set up enough code to perform a return from the
function pointer, so you see the varied signals when an instruction
fetch is attempted on the 2nd instruction (made up of whatever
happened to be located on the stack). In the second case I set up the
proper ret/restore and the program is able to exit cleanly.

I’m willing to do anything to help debug the problem, but I thought it
would be wiser to report it first in case anyone had any immediate ideas on
what the problem could be. I figured it would also help in being able
to debug the issue more effectively, given its seemingly somewhat-random
nature.

Please keep the PaX team and myself CC’d as we’re not subscribed to the
list.

Thanks for your help,
-Brad

cat /proc/self/maps output (showing the stack non-executable):
00010000-00014000 r-xp 00000000 08:02 1769474 /bin/cat
00024000-00026000 rwxp 00004000 08:02 1769474 /bin/cat
00026000-00048000 rwxp 00000000 00:00 0 [heap]
f7cf0000-f7e2a000 r--p 00000000 08:02 295830 /usr/lib/locale/locale-archive
f7e2c000-f7fa4000 r-xp 00000000 08:02 1277958 /lib/ultra3/libc-2.7.so
f7fa4000-f7fb4000 ---p 00178000 08:02 1277958 /lib/ultra3/libc-2.7.so
f7fb4000-f7fba000 rwxp 00178000 08:02 1277958 /lib/ultra3/libc-2.7.so
f7fba000-f7fbc000 rwxp 00000000 00:00 0
f7fbc000-f7fde000 r-xp 00000000 08:02 1270085 /lib/ld-2.7.so
f7fec000-f7ff0000 rwxp 00020000 08:02 1270085 /lib/ld-2.7.so
f7ff0000-f7ff2000 rw-p 00000000 00:00 0
ffdb6000-ffde0000 rw-p 00000000 00:00 0 [stack]

First test case:
#include <stdio.h>

typedef int (* _wee)(void);

int main(void)
{
    /* SPARC "ret" (jmpl %i7 + 8, %g0) = 0x81c7e008, placed on the stack */
    char buf[4] = { '\x81', '\xc7', '\xe0', '\x08' };
    _wee wee;
    printf("%p\n", (void *)buf);
    wee = (_wee)&buf;
    wee();  /* should SIGSEGV: the stack is mapped rw-p */

    return 0;
}

gdb output in 90-95% of the cases:
Program received signal SIGSEGV, Segmentation fault.
0xff9d9cb0 in ?? ()

gdb output in the other 5-10% of cases:
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/test
0xff811cb0

Program received signal SIGBUS, Bus error.
0xff811cb4 in ?? ()
(gdb) x/x 0xff811cb0
0xff811cb0: 0x81c7e008
(gdb) x/i 0xff811cb0
0xff811cb0: ret
0xff811cb4: lda [ %g4 + %l0 ] (229), %f31

(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/test
0xff97dcb0

Program received signal SIGILL, Illegal instruction.
0xff97dcb4 in ?? ()
(gdb) x/8x $pc-4
0xff97dcb0: 0x81c7e008 0xff97dcb0 0xf7f3af00 0x00000000
0xff97dcc0: 0x00000000 0x00000000 0xfffffffc 0x00000000
(gdb) x/i $pc-4
0xff97dcb0: ret
0xff97dcb4: ldqa [ %i7 + %l0 ] (229), %f62

modified code so it executed a ret / restore:
#include <stdio.h>

typedef int (* _wee)(void);

int main(void)
{
    /* SPARC "ret" (0x81c7e008) followed by "restore" (0x81e80000) in the
       delay slot, so the jump returns cleanly through main's frame */
    char buf[8] = { '\x81', '\xc7', '\xe0', '\x08',
                    '\x81', '\xe8', '\x00', '\x00' };
    _wee wee;
    printf("%p\n", (void *)buf);
    wee = (_wee)&buf;
    wee();  /* should SIGSEGV; when it doesn't, the process exits instead */

    return 0;
}

gdb output in the 5-10% case:
Starting program: /root/test
0xffb4fca8

Program exited with code 01.
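The following is an added example, not part of the report above or of the PaX team's code: a portable version of the same probe that can be left running in a loop on any system with an MMU. It maps an anonymous page, writes a native "return to caller" instruction into it, sets the page protection, and jumps to it while catching SIGSEGV, SIGBUS and SIGILL. A correctly enforcing kernel must fault every single time for a page without PROT_EXEC, so counting the executions that succeed across many iterations makes an intermittent failure like the one reported visible. The instruction encodings are assumptions taken from the respective ISA manuals; on SPARC it uses retl/nop rather than the report's ret/restore because here the code is called as a leaf function and must return to its own caller, not through the caller's frame.

```c
/* Added example: portable probe for non-executable page enforcement.
 * Not part of the original bug report. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf probe_env;

static void fault_handler(int sig)
{
    siglongjmp(probe_env, sig);   /* unwind back into execution_faults() */
}

/* Native "return to caller" sequence for the host CPU (assumed encodings). */
static const unsigned char *ret_insn(size_t *len)
{
#if defined(__x86_64__) || defined(__i386__)
    static const unsigned char code[] = { 0xc3 };                    /* ret */
#elif defined(__aarch64__)
    static const unsigned char code[] = { 0xc0, 0x03, 0x5f, 0xd6 };  /* ret, LE */
#elif defined(__sparc__)
    static const unsigned char code[] = { 0x81, 0xc3, 0xe0, 0x08,    /* retl */
                                          0x01, 0x00, 0x00, 0x00 };  /* nop (delay slot) */
#else
#error "no return-instruction encoding for this architecture"
#endif
    *len = sizeof code;
    return code;
}

/* Map one page, copy the return instruction into it, set its protection to
 * `prot`, then jump to it.  Returns 1 if the jump faulted, 0 if the code ran
 * and returned normally, -1 on setup failure. */
int execution_faults(int prot)
{
    size_t len;
    const unsigned char *code = ret_insn(&len);
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memcpy(page, code, len);
    __builtin___clear_cache((char *)page, (char *)page + len); /* I-cache sync */
    if (mprotect(page, pagesz, prot) != 0) {
        munmap(page, pagesz);
        return -1;
    }

    struct sigaction sa, old_segv, old_bus, old_ill;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = fault_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    sigaction(SIGILL, &sa, &old_ill);

    volatile int faulted;
    if (sigsetjmp(probe_env, 1) == 0) {
        void (*fn)(void);
        memcpy(&fn, &page, sizeof fn);   /* object -> function pointer without a cast */
        fn();
        faulted = 0;                     /* the instruction fetched and executed */
    } else {
        faulted = 1;                     /* signal delivered: the fetch was refused */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    munmap(page, pagesz);
    return faulted;
}

/* Repeat the non-executable probe, as the report suggests, and return how
 * many times the code ran anyway.  Zero is the only acceptable answer. */
int nx_violations(int iterations)
{
    int ran = 0;
    for (int i = 0; i < iterations; i++)
        if (execution_faults(PROT_READ | PROT_WRITE) == 0)
            ran++;
    return ran;
}

int main(void)
{
    printf("rx page executes:            %s\n",
           execution_faults(PROT_READ | PROT_EXEC) == 0 ? "yes" : "no");
    printf("rw page executions per 1000: %d\n", nx_violations(1000));
    return 0;
}
```

The PROT_EXEC run is the control: if it fails too, the problem is the probe (wrong encoding, cache not flushed) rather than the MMU. Any non-zero count for the PROT_READ|PROT_WRITE page is a bug of the kind described above, and on the affected SPARC kernels it should appear within a few hundred iterations.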

Source


Feb 23 2010

15th Anniversary of the Apache HTTP Web Server

ASF Flagship Project is World’s Most Popular Web Server, Powering More than 112 Million Websites

FOREST HILL, MD, 23 February, 2010 — The Apache Software Foundation (ASF) — developers, stewards, and incubators of 138 Open Source projects — today announced the 15th anniversary of the Apache HTTP Web Server.

The ASF’s first project became the world’s most popular Web server software within the first six months of its inception. The Apache HTTP Server today powers nearly 112 million Websites world-wide.

A triumph for the all-volunteer Foundation, the Apache HTTP Server reliably delivers petabytes of data across the world’s most demanding uses, including real-time news sources, Fortune 100 enterprise portals, cloud computing clusters, financial services platforms, mission-critical military intelligence applications, aerospace communications networks, and more. The server software can be downloaded, modified and installed by anyone free of charge.

History

The Apache Server started as a fork (an independent development stream) of the NCSA httpd, a Web server created by Rob McCool at the National Center for Supercomputing Applications. Further development to the server ceased after McCool’s departure from NCSA in 1994, so an online community of individuals was formed to support and enhance its software via email collaboration. The founding members of that community (the Apache Group) included Brian Behlendorf, Roy Fielding, Rob Hartill, David Robinson, Cliff Skolnick, Randy Terbush, Robert Thau, and Andrew Wilson.

Within less than a year of the Apache Group’s formation, the Apache server surpassed NCSA httpd as the #1 server on the Internet.

In March 1999, members of the Apache Group formed The Apache Software Foundation to provide organizational, legal, and financial support for the Apache HTTP Server. An additional goal for the Foundation was to serve as a neutral, trusted platform for the development of community-driven software.

Growth, the “Apache Way”

Beyond the Apache HTTP Server, dozens of ASF projects – from build tools to Web services to cloud computing and more – lead the way in Open Source technology.

At the ASF, community plays a vital role in the collaborative development of consensus-driven, enterprise-grade solutions. The number of projects led by the Apache community has grown from the singular Apache HTTP Server at the ASF’s inception in 1999 to nearly 140 projects today.

The ASF’s commitment to fostering a collaborative approach to development has long served as a model for producing consistently high quality software and helping advance the future of open development. Through its leadership, robust community, and meritocratic process known as the “Apache Way”, the ASF continues to gain recognition as one of the most successful influencers in Open Source.

Through the Apache Way, the ASF is able to spearhead new projects that meet the demands of the marketplace and help users achieve their business goals. With the Apache Incubator mentoring more projects than ever before, the ASF continues to meet the growing demand for quality Open Source products.

“Community Over Code”: among the Foundation’s core tenets is open collaboration through respectful, honest, technically-focused interaction. The ASF’s success is testament to its outstanding community efforts that serve as best practices widely embraced by organizations and individuals alike.

“If it didn’t happen on-list, it didn’t happen”: building upon the transparency-oriented culture of the Apache Group, whose collaboration took place on email lists, millions of messages are archived on Apache publicly-accessible mailing lists, documenting the ASF’s achievements over the past decade.

“Meritocracy in Action”: the ASF’s tagline reflects an average of 10,000 code contributions (commits) made each month. The ASF is responsible for millions of lines of code by more than 2,000 ASF Committers and countless contributors across the Open Source landscape. Nearly 500 community-driven modules have been developed to extend functionality of the Apache HTTP Server alone.

Milestones

February 23, 1994: Individual patch authors around the world are invited to join the “new-httpd” mailing list to discuss enhancements and future releases of NCSA httpd. The Apache name was chosen for this new effort within the first few days of discussion, along with basic rules for email-based collaboration and a mission to replace the existing server with a standards-based, open source, and extensible software system.

March 15, 1994: Apache-style voting created (+1, 0, -1; with '-1' meaning 'no', '0' meaning 'neutral', and '+1' meaning 'yes').

March 18, 1994: First Apache Group release (Apache 0.2)

Apache server v.1.0 was released in December 1995. Four years later, Apache HTTP Server v.1.3.0 was released and rapidly became the most popular Web server on the planet.

Apache HTTP Server v.2.0 alpha was released in March 2000, with the first general availability release two years later. V.2.0 remained the best-of-breed server until the release of v.2.2.0 in December 2005, and is still widely deployed across the Internet.

In February 2009, the Apache HTTP Server became the first Web server software in history to surpass the 100 million Website milestone.

The most current, best-of-breed, stable version of the Apache HTTP Server is v.2.2.14, released September 2009. Developers seeking to test new features and preview what will become stable Version 2.4 are able to do so today with the development of v.2.3.5.

Earlier this month, after ten years and more than forty revisions, the Apache HTTP Server v.1.3.x officially reached end of life status with the release of v.1.3.42. Future patches to v.1.3.x will be for critical security updates only.

The Apache HTTP Server remains the world’s most beloved Web server, forming the backbone of nearly 70% of all sites on the Internet.

Availability

The Apache HTTP Server is available for a variety of operating systems, including Unix, Linux, GNU, FreeBSD, Netware, Solaris, Windows, Mac OS X, OS/2, TPF, and eCS. In addition, the Apache HTTP Server is redistributed through many proprietary software packages such as WebSphere, Oracle RDBMS, Kylix, NetWare, and Delphi, as well as numerous Linux distributions.

All ASF projects, including the Apache HTTP Server, are available free of charge under the Apache Software License v.2.0. To download, or for more information, visit http://httpd.apache.org/

About The Apache Software Foundation (ASF)

Established in 1999, the all-volunteer Foundation oversees more than seventy leading Open Source projects, including Apache HTTP Server — the world’s most popular Web server software. Through The ASF’s meritocratic process known as “The Apache Way,” more than 300 individual Members and 2,000 Committers successfully collaborate to develop freely available enterprise-grade software, benefiting millions of users worldwide: thousands of software solutions are distributed under the Apache License; and the community actively participates in ASF mailing lists, mentoring initiatives, and ApacheCon, the Foundation’s official user conference, trainings, and expo. The ASF is funded by individual donations and corporate sponsors including Facebook, Google, HP, Microsoft, Progress Software, SpringSource, and Yahoo! For more information, visit http://www.apache.org/.

Source


Feb 19 2010

New attempt to integrate AppArmor into Linux

John Johansen, a developer with commercial Ubuntu sponsor Canonical, has submitted an updated version of the AppArmor security framework to the Linux kernel developers for inspection. Johansen writes that, like the SELinux and Tomoyo solutions already integrated into the kernel, this fourth general posting of AppArmor uses Linux Security Modules (LSM) to hook into the kernel. Some, but not all, of the characteristics criticised by the kernel developers when AppArmor was last posted have reportedly been corrected in the new posting; however, the maintainer of the Linux Virtual File System (VFS), known for his rather direct comments, soon found various inconsistencies in the newly posted code.

Novell had bought the company that originally developed AppArmor and released the code under the GPL in 2006. Despite various attempts by Novell developers, however, the code was not integrated into the main development branch of Linux because the kernel developers didn’t approve of some of the security framework’s properties. With things having gone quiet around AppArmor and Novell also experimenting with SELinux, Canonical began to put more effort into preparing the technology for integration a few months ago. As reported by Johansen at the end of his email, the code is now hosted at kernel.org and launchpad.net rather than Novell Forge.

Source


Feb 9 2010

OpenDNSSEC 1.0.0 released

Internet engineers continue to enhance Internet security with the release of OpenDNSSEC, a tool which simplifies the process of signing one or more zones with DNSSEC. OpenDNSSEC handles the entire process, including secure key management and rollover issues. With OpenDNSSEC, fewer manual operations are needed by the operator.

OpenDNSSEC ensures that all the steps in the signing process are done in the correct order and at the right time, so that nothing breaks. The private keys used for DNSSEC signing are kept in a Hardware Security Module (HSM), accessed through the standard PKCS#11 interface, so that the key material itself cannot be extracted by an unauthorized third party. Note that this protects the keys, not the signer: anyone who compromises the signing host can still have the HSM sign zone data of their choosing, so the host still needs to be locked down.

OpenDNSSEC runs on all Unix-like operating systems and is suitable both for those who sign a single large zone (such as a top-level domain) and for those who have many small zones (e.g. web hosting providers, ISPs).

Developed by industry leaders including .SE (The Internet Infrastructure Foundation), NLNetLabs, Nominet, Kirei, SURFnet, SIDN and John Dickinson, OpenDNSSEC will seamlessly integrate domain name security extensions (DNSSEC) into already existing IT systems without the need for organizations to change their infrastructure.

OpenDNSSEC 1.0.0 has some known issues, which are to be fixed in a future release:

* Auditor slow for large zones
* KSK rollover requires manual timing
* Too slow when handling massive number of zones.

Source