Debian backup script updated

A quick note that I updated my Debian backup script located here: https://code.google.com/p/debian-update-script/. I have fixed a few bugs that became apparent with the release of Debian 6 “Squeeze” and made a few other tweaks. I have also added the ability to encrypt MySQL database backups. Feel free to try it out and let me know if you have any issues. I plan to add AWS S3 and Google Storage functionality soon, I hope.

* Shell script to update Debian system via APT.
* Backup systems and send the backups to remote systems
* MySQL backup
* Encrypted backups available
* System information like disk usage, network traffic
* Log file output from syslog

Posted in systems administration

Blocking evil with the Enhanced Mitigation Experience Toolkit EMET

While experimenting with EMET I decided to put together a little presentation demonstrating how it can be used to prevent exploitation of a known threat to Acrobat Reader. The presentation first demonstrates the exploit using Metasploit, provides some high level analysis and then goes on to describe how EMET can mitigate the vulnerability. It may be a little choppy to follow so feel free to provide any constructive feedback. The presentation is available via Google Viewer or PDF.

Posted in security

Pseudo Gmail address obfuscation

I was hunting around for a way to create email aliases for mailing lists and whatnot. It is a little disappointing to learn that there is not a way to create true aliases with Google’s Gmail. You can create aliases if you use Google’s hosted application service, but I do not use that for my personal mail. Here are three interesting items I came across: Google’s mail servers ignore periods in the username part of the address, googlemail.com may be used instead of gmail.com, and you can append text after a plus sign.

firstname.lastname@gmail.com may be written as first.name.last.name@gmail.com

firstname.lastname@gmail.com may be written as firstname.lastname@googlemail.com

firstname.lastname@gmail.com may be written as firstname.lastname+sometext@gmail.com

It’s not really obfuscation, but it may help confuse someone who is none the wiser. Maybe one day Gmail will allow true alias creation.
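The three equivalences above can be folded into one canonical form, which is what you want when checking whether two sign-ups or list subscriptions are really the same inbox, or when working out which list leaked an address from its +tag. The Python below is an added example written for this page, not the author’s code or anything from Google; the sign-up addresses in the dedupe helper are constructed, and the helper itself is an illustration of the check rather than any real API.

```python
# Domains that deliver to the same Gmail mailbox (googlemail.com is an alias of gmail.com).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address):
    """Collapse a Gmail address to the single form Google's servers deliver to.

    Dots in the local part are ignored, anything after '+' is a tag that is
    discarded for delivery, and googlemail.com is the same mailbox as gmail.com.
    Non-Gmail addresses are only lower-cased and stripped, because other
    providers may treat dots and plus-tags as significant.
    """
    address = address.strip().lower()
    local, sep, domain = address.rpartition("@")
    if not sep or domain not in GMAIL_DOMAINS:
        return address
    local = local.split("+", 1)[0]   # drop the +tag
    local = local.replace(".", "")   # dots are not significant
    return "%s@gmail.com" % local


def plus_tag(address):
    """Return the text after '+' in the local part, or None if there is none.

    The tag is what tells you which mailing list or site an address leaked from.
    """
    local, sep, _domain = address.strip().rpartition("@")
    if not sep or "+" not in local:
        return None
    return local.split("+", 1)[1]


def same_mailbox(a, b):
    """True when two addresses reach the same Gmail inbox."""
    return canonical_gmail(a) == canonical_gmail(b)


def dedupe_signups(addresses):
    """Group sign-up addresses by mailbox, e.g. to spot one person registering
    many 'different' accounts. Returns {canonical: [original addresses]}."""
    groups = {}
    for addr in addresses:
        groups.setdefault(canonical_gmail(addr), []).append(addr)
    return groups


if __name__ == "__main__":
    # Constructed sample sign-ups, not real data.
    for mailbox, originals in dedupe_signups(
            ["a.b@gmail.com", "ab+1@googlemail.com", "ab@example.com"]).items():
        print(mailbox, "<-", originals)
```

The useful direction is the inverse of the post’s trick: if your application stores raw addresses, an abuser can register the same inbox an unbounded number of times, so compare on the canonical form while still mailing the address the user typed.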

Posted in internet

Insecure Library Loading Could Allow Remote Code Execution

Note: this is an older post that I am migrating from another blog I previously maintained.

Metasploit has already provided a nice write-up of the pwning, I mean testing, of the vector: http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html. It does involve a bit of prep work, but I tested it on a fully patched Windows XP SP3 host and it does give you the same privileges as the user who executes the exploit remotely, giving the attacker access to the system.

So the concern is how to prevent evil-doers from exploiting this vector.

1. Do not open network shares or websites that you are unfamiliar with, and avoid executing unknown files from either.
2. Decide which workaround you would like to use per http://www.microsoft.com/technet/security/advisory/2269637.mspx.

  • Workaround #1: Disabling and stopping the WebClient service is the easiest way to prevent the attack over WebDAV, but it may cause other problems.
  • Workaround #2: Blocking TCP ports 139 and 445 at the firewall shuts the SMB vector, but it may not be ideal due to file sharing and other problems that may arise.
  • Workaround #3: Download and install the update from Microsoft that allows control of the DLL search path algorithm from http://support.microsoft.com/kb/2264107 for your specific Windows version, i.e. Windows XP. Then set the CWDIllegalInDllSearch registry value that turns the behaviour on or off or specifies the action, per the KB’s section “Example 1: How to disable loading DLLs from a WebDAV share for all applications that are installed on your local computer”.

Okay, so in short there are two ideal ways to disable the attack: disable the WebClient service, or install the update and set the specific registry value.

  • Note: many of us run docked and undocked, therefore we need to modify both ControlSet001 and ControlSet002 to cover both situations.
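To see what the CWDIllegalInDllSearch values in workaround #3 actually change, here is a small model of the loader’s search order with SafeDllSearchMode on, and what each value does when a document is opened from a WebDAV share, an SMB share or a local folder. This is an added example written for this page, not code from the post or from Microsoft: viewer.exe, helper.dll and report.pdf are hypothetical names, and the model ignores KnownDLLs, manifests, absolute-path loads and the per-application Image File Execution Options override that KB2264107 also describes.

```python
# Windows DLL search order with SafeDllSearchMode enabled (the default since XP SP2).
# The names stand in for the real directories; "cwd" is the current working directory,
# which becomes the remote share when a document is opened from one.
SAFE_SEARCH_ORDER = ("app", "system32", "system", "windows", "cwd", "path")

# Values for the CWDIllegalInDllSearch DWORD under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, as documented in KB2264107.
CWD_ALLOWED = 0x0                 # default: the current directory is searched
CWD_BLOCKED_WEBDAV = 0x1          # skip it when it is a WebDAV share
CWD_BLOCKED_REMOTE = 0x2          # skip it when it is a WebDAV share or a remote UNC share
CWD_BLOCKED_ALWAYS = 0xFFFFFFFF   # never search the current directory
ALL_POLICIES = (CWD_ALLOWED, CWD_BLOCKED_WEBDAV, CWD_BLOCKED_REMOTE, CWD_BLOCKED_ALWAYS)


def cwd_is_searched(policy, cwd_kind):
    """cwd_kind is 'local', 'smb' (a UNC share) or 'webdav'."""
    if policy == CWD_BLOCKED_ALWAYS:
        return False
    if policy == CWD_BLOCKED_REMOTE:
        return cwd_kind == "local"
    if policy == CWD_BLOCKED_WEBDAV:
        return cwd_kind != "webdav"
    return True


def resolve_dll(name, contents, policy=CWD_ALLOWED, cwd_kind="local"):
    """Return the location whose copy of `name` the loader picks, or None if no
    copy is found. `contents` maps each location to the set of file names it holds."""
    wanted = name.lower()
    for location in SAFE_SEARCH_ORDER:
        if location == "cwd" and not cwd_is_searched(policy, cwd_kind):
            continue
        if any(f.lower() == wanted for f in contents.get(location, ())):
            return location
    return None


# Constructed scenario (all names hypothetical): viewer.exe opens report.pdf from an
# attacker's share and tries to load an optional helper.dll that it does not ship.
# The attacker has planted helper.dll, and a fake kernel32.dll, next to the document.
SCENARIO = {
    "app": {"viewer.exe"},
    "system32": {"kernel32.dll", "user32.dll"},
    "cwd": {"report.pdf", "helper.dll", "kernel32.dll"},
}


def hijack_outcomes(dll, contents=SCENARIO, cwd_kind="webdav"):
    """Map each policy value to where `dll` would be loaded from under that policy."""
    return {policy: resolve_dll(dll, contents, policy, cwd_kind) for policy in ALL_POLICIES}


if __name__ == "__main__":
    for kind in ("webdav", "smb", "local"):
        print(kind, hijack_outcomes("helper.dll", cwd_kind=kind))
```

Value 1 only covers WebDAV: with a plain SMB share as the current directory the planted DLL still loads, which is why the advisory also talks about ports 139 and 445. Value 2 covers both remote cases, and only 0xFFFFFFFF also covers a local directory such as a download folder. A DLL that already exists in System32 (the fake kernel32.dll here) is never picked up from the share, because System32 is searched before the current directory; the exposure is in DLLs an application looks for but does not ship.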
Posted in security

Keeping your hardware safe and avoiding the evil maid

This installment is about keeping your notebook and other technology items safe. I was recently asked what the Defcon locks were for that I have been distributing with the new notebooks. I jokingly said to keep people from taking your monitor and chair from your desk while you’re on travel, but there is a better reason I distribute them.

People assume having your hardware stolen is the worst way to compromise your data. An adversary who is smart enough will know better. A system running TrueCrypt or similar disk encryption is a near-impossible target if it is powered off while you are away, but a system left powered on with the encrypted volume mounted, not so much. The passwords and keys for most encryption are held in memory while the system is running, and while recovering those keys is not an easy task, it is possible. If you cannot break the habit of leaving your device on, or of putting it in standby because you cannot stand the boot-up time, then at least use strong passwords that are difficult to guess, so that the attacker does not get the chance to log in and use tools to capture memory and parse it for your super secret pass-phrase.

Even this has its downfalls, though: there are attacks that bypass the password mechanism on a running device altogether and then go after the pass-phrase. An example is the FireWire attack, which gives a device plugged into the FireWire port direct memory access (DMA) to your system, so the attacker can read or patch memory without ever logging in. If the attacker can do this it is game over for your data, as they can use a tool to bypass your system password or pull the keys straight out of RAM. The fix: do not let an attacker walk away with your device while it is still powered on, i.e. use a lock when at a client site or in a hotel room.

The evil maid attack is often not thought of. You are supporting a remote client, come back to your room to check your mail, and then leave for dinner, leaving your notebook behind. While you are gone the evil-doer, aka the evil maid, visits your room to fluff your pillows and notices your notebook on the table. Whether it is on or off, a small device that you probably will not notice (a hardware keylogger) gets plugged into your system, and it records your pass-phrase the next time you type it in. The evil maid then returns to steal the notebook, now holding the pass-phrase needed to get at your data. To avoid this one, pay attention to rogue devices plugged into your hardware. Sounds simple, but who checks for a small USB device plugged into the back of their host? Also use a lock to keep the evil-doer from walking off with the hardware once they have captured the key this way.

What am I trying to say here?

  • Use encryption: the performance hit is very small, and the newest notebooks with Intel’s Core “i” series processors support AES-NI hardware acceleration.
  • Avoid leaving your device running when you are not around in foreign locations, i.e. hotels, client sites, etc.
  • Use a lock to attach the notebook to a desk, chair, whatever. I know these are not exactly Fort Knox, but they are a deterrent.
  • Epoxy the ports (warning: this may not be an option for corporate assets). Yes, this is extreme, but why do you think some companies enforce it on their desktop systems and servers?
Posted in security

Creating VMware VMDK files from DD images using Live View

While watching some Florida football today I decided to figure out how to mount/run a DD image in VMware Workstation. My image mounting skills were a little lacking, so Google it was. I found a ton of great examples that seemed like they should work, but the steps seemed a little incomplete. To further complicate the task, I was trying to run two partitions from the same disk.

The first method I found was to manually create the VMDK file from scratch. This seemed promising when I found http://sanbarrow.com/vmdk/disktypes.html#partitionedDevice and, even better, an AppSpot application http://www.schatzforensic.com.au/2006/p2v/ to produce the configuration for me, but determining the CHS values was not going very well with the images I was working with, so I kept looking.

ProDiscover looked rather promising per https://irhowto.wordpress.com/2010/07/05/booting-a-dd-image-with-vmware/, but the VMDK files generated for the images did not seem correct and, sure enough, the guest system would not boot.

Live View was the next tool to try. Initial attempts to use it on a Windows 7 x64 host failed, so I moved the image and required tools to a Windows XP host. There are several prerequisites for Live View, which it will prompt you for, so heads up.

You will need to create a VMDK for each image that you want to use, even if it is for the same VM guest. The coolest part of it all is that you can use the DD image in a read-only state, with all writes saved to a separate state/snapshot file. Very nice, as it keeps you from trashing the original image.

Posted in systems administration

How I got started in information technology

Every once in a while someone asks me how I got started working in information technology. Usually it is someone who is not in the industry, or who is interested in working with computers as a career and not really sure where to start. I do not think I have come up with a great answer, but here is how it has worked for me thus far.

I have always had a mechanical inclination. I was one of those kids who would rather take apart their toys (read: break them) than play with them. I originally had a love affair with cars, especially engines. I would have one of my parents take me to the junk yard (before I could drive) just so I could pull old V8s and bring them home to disassemble. This was entertaining, but then our family got a new computer. I had worked with friends’ computers but was careful not to break them as I knew their cost. You can imagine my dad’s face when he brought home our first computer and shortly thereafter I had its internals laid out across the floor. Luckily for me I was somehow able to put it back together and it still worked. I was hooked, as there seemed to be an endless number of possibilities to keep me occupied.

I continued my quest to learn more by installing other operating systems, such as Red Hat 6 alongside Windows 95 as a dual-boot installation. Not a very interesting feat now, but at the time it was amazing to me. Fast forward a few years and I had held various jobs with firms setting up and maintaining computer systems. I eventually got bitten by the security bug while working at a university. I find securing computer systems quite interesting, as you are concerned not only with how information systems are implemented but also with what vectors may be used to attack them, and so much more. Enough about that; here is what I told the last person who was interested in getting into the technology scene. Opinions vary greatly here.

It depends upon what you see yourself doing in 10, 20 years from now. Computer Science (CS) degrees are great and they usually cover the spectrum when it comes to the world of computing. I was going to get a CS degree but was undecided the first two years and by the time I pulled it together I realized I would need two years of Calculus and Physics before most universities would even consider me for their programs. I instead went the Computer Information Science (CIS) route. This worked well for me as they are well recognized and the prerequisites were less demanding and time consuming.

Many universities now offer a number of other programs, such as Decision Information Science (DIS), which focuses more on the business perspective. I know one person who has gone this route and they have done well. Most jobs will say they want a technology-oriented degree, though they are not always specific. Regardless, do your research. It ultimately depends on what you expect to do and where you want to work. If you know the type of position you might see yourself in, then look at position descriptions and figure out what firms in that field want. There are plenty of jobs out there, just more competition for them.

Due to competition in the market I would definitely recommend three things. One, if feasible, regardless of the bachelor’s program, get a master’s; this seems to open more doors, and some schools have 3/2 programs that let you earn a bachelor’s and a master’s at almost the same time. Two, get an internship and/or a job working with computers: helpdesk at a university, maintaining a small company’s network, etc. Besides education, experience is highly regarded in the industry regardless of your concentration, and this will help you figure out what you want to do career-wise. Three, look into certifications such as the CCNA, Security+ or MCSA. Even entry-level certifications may help get you in the door, though some would debate this.

I will state that I know people that rely purely upon their experience and others that are more academically focused. I do not think there is a sure fire method but for me a combination of both has worked fairly well.

Posted in education

Finally migrated from Blogger to WordPress

I haven’t posted in a while because Blogger finally did away with their FTP/SCP publishing ability meaning if I wanted to continue using Google’s Blogger platform I would have to allow them to host my content for me. I don’t mind this except there are small annoyances such as having to still use a third party host for files that are not part of a blog post. I have also never been a real fan of their themes. I’m not much of a designer when it comes to websites, my focus is usually on the technical operations and not making things aesthetically pleasing. WordPress has Blogger beat hands down in this department as there are thousands of freely available themes and plug-ins for their platform.

The flip side is securing WordPress. There are countless known vulnerabilities in the WordPress platform. There are ways to stay on top of these. First, use the general lock-down suggestions provided by WordPress and other sites. Secondly, or maybe primarily, stay on top of new releases that fix bugs and security vulnerabilities by subscribing to the mailing list or keeping an eye on their blog. Overall I look forward to the new platform and hope you enjoy the content to come.

Posted in blog

Redirect Blogger URL using Mod Rewrite and shell scripting fu

Blogger is doing away with the option to host your blog on your own host and migrating everything to the cloud. I wanted the option to continue hosting my blog on my own server, even though as of now I am still hosting with Blogger. My main concern was redirecting the URLs that Blogger had created to a new blogging platform such as WordPress. I looked around and found several methods here, here, and here for redirecting one URL to another. The two primary methods were HTTP redirects by modifying the page header or Apache’s mod_rewrite. I like Apache, so I opted for the latter.

I only had about 60 posts, so creating a few mod_rewrite rules is not a big deal. A number of bloggers had complained about Blogger removing FTP/SFTP publishing and were considering a migration away from Blogger. This got me thinking about how to help others transfer thousands of blog entries.

I decided to try to automate this process somewhat with a little scripting fu. This could be scripted into a single script and if there is enough interest, I will make it happen.

The first step is to get your Blogger posts into a form WordPress can import. Blogger can export its posts, but WordPress does not have a native importer for the XML format that Blogger exports. WordPress can, however, import posts and comments from a Blogspot-hosted blog. Create a Blogspot-hosted blog and import into it the posts from the XML file you exported from your main profile. Make sure to disable search engine indexing for the temporary site so that you do not hurt your SEO.

The second step is to import the posts into WordPress. This is relatively easy: log in to your WordPress administrative tools and import the Blogger posts from the Blogspot profile that you created in the first step. I tried the tools recommended by WordPress and a third-party tool, but they did not work very well for me.

Now your WordPress install should have all of your content and comments and be working correctly. This tutorial also assumes you are using the following permalink format for your WordPress posts; if not, you will have to adjust it to your liking:

/%year%/%monthnum%/%postname%/

You will notice that your URLs now conform to WordPress’s format and not to Blogger’s. This means that when you migrate your DNS to point at your shiny new WordPress install, all of the links that users have bookmarked and the search engines have crawled will no longer be valid. Worse, this could hurt your search engine rankings, as it will take time for the search engines to pick up the new URLs, and in the meantime you will have duplicate content floating around. Not an ideal situation.

The third step is to determine all of the URLs that your Blogger account was using, from the XML file that you exported from your Blogger profile. The pipeline below produces a file with your Blogger file names; its line count should equal the number of posts you published on Blogger, in other words the number imported into WordPress. Note you will need to change the XML file name and the domain name (the same domain in both the grep and the sed) to match your settings:

# Produces blogger file names, one per line, from the Blogger export.
# Put each href='...' on its own line, keep only post links for your domain,
# strip everything but the yyyy/mm/name.html path, dedupe, then keep the basename.
sed "s/\(href='[^']*'\)/\1\n/g" blog-02-04-2010.xml | \
grep "href='http://www.domain.com/20.*html'" | \
sed "s+.*href='http://www.domain.com/\(20[^']*\)'.*+\1+" | \
sort -ut/ -k3 | xargs -I{} basename {} | sort -u > /tmp/blogger.txt

Next you want to generate a similar listing from your WordPress install, now that it is populated with all of your Blogger content. This involves logging into MySQL and exporting a little data. Restrict the query to published posts, otherwise wp_posts will also hand you revisions, attachments and pages and the two lists will not line up; INTO OUTFILE writes on the database server and needs the FILE privilege.

mysql -u wordpress_user -p
mysql> USE wordpress_db;
mysql> SELECT post_name FROM wp_posts
    ->   WHERE post_type = 'post' AND post_status = 'publish'
    ->   ORDER BY post_name
    ->   INTO OUTFILE '/tmp/wp.txt';

Next you want to ensure that your posts line up across the two files. In my case some were not sorted exactly right, and this basically let me know how much manipulating I would have to do. Paste this into a file on your Linux host, make it executable with ‘chmod +x filename’ and run it with ‘./filename’. Note you will need to specify the paths to your wp.txt and blogger.txt in the small script.

#!/bin/sh
# Print the Blogger file name and the WordPress slug paired on each line.
paste blogger.txt wp.txt | while read blogger wp
do
  echo "This is from blogger.txt: $blogger"
  echo "This is from wp.txt: $wp"
done

Lastly, let’s actually generate the mod_rewrite rules for Apache. Again, when this runs the sort may not line the file names up exactly, so you may have to do some manual manipulation.

#!/bin/sh
# Emit one 301 rule per post. The dot in ".html" is escaped so it matches literally.
paste blogger.txt wp.txt | while read blogger wp
do
  pattern=$(printf '%s\n' "$blogger" | sed 's/\./\\./g')
  echo "RewriteRule ^([0-9]{4})/([0-9]{1,2})/$pattern\$ \$1/\$2/$wp/ [NC,R=301,L]"
done

You probably want to redirect the output to a file so you can go in and fix the values that have not sorted correctly.

For the last part of the configuration, here is a section from my Apache configuration file. I have also included a little bit to redirect the feeds, though for me this was not very important as I syndicate through FeedBurner, which lets me change my feed without affecting subscribers.

# This has two of my rewrite rules, I have many more but kept it brief for readability.
<Directory /var/www/apache2-default/wordpress/>
RewriteEngine On
RewriteBase /wordpress/
RewriteRule ^atom\.xml$ feed/ [NC,R=301,L]
RewriteRule ^rss\.xml$ feed/ [NC,R=301,L]
RewriteRule ^([0-9]{4})/([0-9]{1,2})/adding-character-to-line-using-perl\.html$ $1/$2/adding-a-character-to-a-line-using-perl/ [NC,R=301,L]
RewriteRule ^([0-9]{4})/([0-9]{1,2})/authenicating-kerberos-against-active\.html$ $1/$2/authenicating-kerberos-against-active-directory/ [NC,R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /wordpress/index.php [L]
</Directory>

Finally, you should test your setup to confirm that all of the links redirect. First collect the full Blogger URLs from the export (again, substitute your own domain):

sed "s/\(href='[^']*'\)/\1\n/g" blog-02-07-2010.xml | \
grep "href='http://www.domain.com/20.*html'" | \
sed "s+.*href='\([^']*\)'.*+\1+" | \
sort -ut/ -k3 > /tmp/full_blogger_urls.txt

Next use wget to test the URLs and make sure they all redirect correctly. With --spider, wget follows each redirect and reports the final status without downloading anything, so a 404 at the end of a chain points at a rule that is wrong or missing.

wget --spider -i /tmp/full_blogger_urls.txt

This tutorial is not an end-all solution and is not perfect by any means. It still requires some manipulation of data, but if you have a large number of URLs to redirect then you may find it useful. Your mileage may vary, though; if you have problems or recommendations then drop a comment…
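The sort-and-paste alignment is the fragile part of the procedure above. An alternative that avoids it is to parse the Blogger export as the Atom feed it is, derive the WordPress slug from each post’s title roughly the way WordPress does, and emit a rule only when that slug exists in wp.txt, reporting the rest for mapping by hand. The Python below is an added example written for this page, not the author’s scripts: the Atom export and the wp.txt contents are constructed samples, the slug function is an approximation of WordPress’s sanitize_title(), and it emits each post’s own year and month rather than the ([0-9]{4}) capture groups used above.

```python
import re
import sys
import unicodedata
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ATOM = "{http://www.w3.org/2005/Atom}"
POST_KIND = "http://schemas.google.com/blogger/2008/kind#post"


def wp_slug(title):
    """Approximate WordPress's sanitize_title(): ASCII-fold, lower-case, runs of
    non-alphanumerics become single hyphens. Good enough to match post_name for
    ordinary titles; anything it misses shows up in the unmatched list."""
    folded = unicodedata.normalize("NFKD", title).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]+", "-", folded.lower()).strip("-")


def blogger_posts(atom_xml):
    """Yield (year, month, basename, title) for each post entry in a Blogger export.
    Comment, settings and template entries carry a different kind term and are
    skipped, as is anything whose alternate link is not a /YYYY/MM/name.html URL."""
    root = ET.fromstring(atom_xml)
    for entry in root.iter(ATOM + "entry"):
        kinds = {c.get("term") for c in entry.findall(ATOM + "category")}
        if POST_KIND not in kinds:
            continue
        hrefs = [l.get("href") for l in entry.findall(ATOM + "link") if l.get("rel") == "alternate"]
        if not hrefs:
            continue
        m = re.match(r"^/(\d{4})/(\d{2})/([^/?]+\.html)$", urlparse(hrefs[0]).path)
        if not m:
            continue
        yield m.group(1), m.group(2), m.group(3), entry.findtext(ATOM + "title") or ""


def rewrite_rules(atom_xml, wp_slugs):
    """Return (rules, unmatched): one 301 RewriteRule per Blogger post whose title
    slug exists in wp_slugs, plus the (basename, slug) pairs that need hand mapping."""
    known = set(wp_slugs)
    rules, unmatched = [], []
    for year, month, basename, title in blogger_posts(atom_xml):
        slug = wp_slug(title)
        if slug not in known:
            unmatched.append((basename, slug))
            continue
        pattern = basename.replace(".", r"\.")   # make the '.' in '.html' literal
        rules.append("RewriteRule ^%s/%s/%s$ %s/%s/%s/ [NC,R=301,L]"
                     % (year, month, pattern, year, month, slug))
    return rules, unmatched


def rule_matches(rule, path):
    """Check a generated rule's pattern against a request path (relative to RewriteBase)."""
    return re.match(rule.split()[1], path) is not None


# Constructed sample export (not a real Blogger file): two posts and one comment entry.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'>
  <entry>
    <category scheme='http://schemas.google.com/g/2005#kind' term='http://schemas.google.com/blogger/2008/kind#post'/>
    <title type='text'>Adding a character to a line using Perl</title>
    <link rel='alternate' type='text/html' href='http://www.domain.com/2010/02/adding-character-to-line-using-perl.html'/>
  </entry>
  <entry>
    <category scheme='http://schemas.google.com/g/2005#kind' term='http://schemas.google.com/blogger/2008/kind#comment'/>
    <title type='text'>Nice post</title>
    <link rel='alternate' type='text/html' href='http://www.domain.com/2010/02/adding-character-to-line-using-perl.html?showComment=1'/>
  </entry>
  <entry>
    <category scheme='http://schemas.google.com/g/2005#kind' term='http://schemas.google.com/blogger/2008/kind#post'/>
    <title type='text'>Authenicating Kerberos against Active Directory</title>
    <link rel='alternate' type='text/html' href='http://www.domain.com/2009/11/authenicating-kerberos-against-active.html'/>
  </entry>
</feed>"""

# Constructed stand-in for wp.txt (the post_name export from the WordPress database).
SAMPLE_WP_SLUGS = ["adding-a-character-to-a-line-using-perl",
                   "authenicating-kerberos-against-active-directory", "hello-world"]


if __name__ == "__main__":
    # Usage: python blogger_rules.py blog-export.xml wp.txt > rewrite-rules.conf
    xml_text = open(sys.argv[1], encoding="utf-8").read()
    slugs = [line.strip() for line in open(sys.argv[2], encoding="utf-8") if line.strip()]
    rules, unmatched = rewrite_rules(xml_text, slugs)
    print("\n".join(rules))
    for basename, slug in unmatched:
        print("# UNMATCHED %s -> %s (map by hand)" % (basename, slug), file=sys.stderr)
```

Matching on the title slug instead of on sort order means a post whose WordPress slug was changed, or whose title contains characters the approximation handles differently, ends up in the unmatched list rather than silently redirecting to the wrong post.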

Posted in coding

A few tools that may help rid of malware

These tools may help rid a computer system of malware but be warned they can be very destructive to your system. In other words if you don’t know what you’re doing then backup what you can and take it to a professional.

  • Ad-Aware – This seems to be a popular point-and-click tool
  • Spybot – Search & Destroy – Same as above
  • RootkitRevealer – Older tool but still useful
  • GMER – Great manual tool but can cause more damage than good if you do not know what you are doing.
  • HijackThis – Similar to above, if you do not know what to remove manually then be careful as you could damage your system.
  • McAfee Labs Stinger – Detection tool from McAfee
  • Sophos Anti-Rootkit – Requires sign-up to download, annoying to say the least

Of course, keep your current anti-spyware and antivirus installs and definitions up to date.

Posted in security