Stefan Esser quits PHP Security Response Team

posted Apr 17, 2013, 3:30 PM by John Jones

    Although this announcement was made last year, I did not catch it until today on darknet. This is sad news, and in my opinion, a big blow to PHP’s developer community. There are other efforts out there trying to improve PHP’s inherently weaker security model, such as the new PHPSec.org and the hardened-php folks. For those of you who know me well, you know that although I use PHP, I am not a huge fan of it. For some reason, some people argue that this is an easy language to pick up for beginners. I can only guess that it is because PHP is very “graphical” and users can generate web pages with ease. But as far as a language goes, I would think that Python is a much easier language to pick up for beginners.

20 “Get the facts,” a twisted campaign.

posted Apr 17, 2013, 3:28 PM by John Jones   [ updated Apr 17, 2013, 3:28 PM ]

    In this article EC: ‘Open source almost always cheaper option’, about findings of a study done by the European Commission, Europe is really pushing for the long-term endorsement of open source solutions as opposed to proprietary ones. This is in the wake of Microsoft UK’s ad campaign called “Get the Facts” which persuades readers to choose Windows over Linux for server solutions. The article goes on to praise Open Office as a comparable substitute over proprietary office suites since it’s free and just as stable. The study also noted something fairly interesting:

    But the report issued two notes of caution. Firstly, it said that short term costs would be higher for organizations migrating, even partially, to open source, largely because of the initial cost of training. Secondly it said some workers may feel undervalued if they are required to work with free software.

    This has a bite of reality to it. It isn’t always cheap switching to something free, once the price of adjusting or training is factored in. I like that second point the most, because although it may go against logic and the bottom line, I have witnessed this stigma first-hand. Despite these two initial hesitations, we’re going to see an increasing number of start-ups and big businesses choose or incorporate open source solutions to surpass their long-term goals.

Travel Back Vim Time

posted Apr 17, 2013, 3:26 PM by John Jones

      Cheesy title, I know. But this is one of the two features I was waiting for in Vim 7.0 (the other is tabs): go back in time. Everyone (especially programmers) has run into this situation at some point: you know you want to uncover the version you have that doesn’t cause the segmentation fault, and you know that’s the version from 45 minutes ago. I can already hear some people whisper “version control”, but not everyone has SVK, and not everyone commits regularly. Well, now you can travel back in time easily with Vim, just issue this command and you're back to the version from 45 minutes ago:

      :earlier 45m

      And to go forward in time, just do this:

      :later 30s


      You can manipulate time in Vim like Super Hiro, and you don't even have to make the funny face!

Cisco owners be very afraid

posted Apr 17, 2013, 3:09 PM by John Jones

Cisco Systems Inc. security has announced 3 remotely exploitable flaws for the Cisco IOS software:

    Usually these security notifications are released to large customers before the general public, so large customers have time to update or protect their equipment. However, it’s the smaller networks that are at the greatest risk. Many don’t have Cisco support contracts (or can’t afford them), or don’t have an individual on staff to upgrade their equipment.

    When will the first exploit code be released? Will anybody admit to being compromised by the exploit? How will a common user realize they have a problem? The small business customers who think owning Cisco is the way to go need to address the total cost of keeping those systems up to date. Many times a customer won’t upgrade a core router or switch because they don’t know how or don’t know they have a problem. How many service providers will contact their customers warning them about these flaws? Most small businesses don’t have a clue if they are vulnerable or not. How does Cisco fix this issue? What means does a small company have to keep all their systems up to date? Most end users can barely keep up with Windows, virus, adware and spyware updates, let alone keeping up with all their network equipment. How many people have updated the software on your home router?

    I believe the next great worm will be targeted towards networking equipment. How about taking over all the Linksys routers/access points and making them spam bots or open relays? What about using a Cisco vulnerability to create tunnels to specific locations to monitor all traffic through a router? More to come …

InfoWorld LIVE debut

posted Apr 17, 2013, 3:08 PM by John Jones

Catch q!Bang Solutions’ very own High Mobley as he was featured in the InfoWorld LIVE radio show broadcast on January 23, 2007. Co-Hosts of the show were Scott Draughon and Oliver Rist. The show was hosted by mytechnologylawyer.com Radio Shows, which host a variety of programs on technology, business and policy. Oliver Rist is a fellow colleague who is a Senior Contributing Editor and frequent blogger of InfoWorld. Another program guest was good friend, Brian Chee, who is also a Senior Contributing Editor of InfoWorld.

Listen to the archived show.

Computer security explained for the masses

posted Apr 17, 2013, 3:06 PM by John Jones

(Originally posted on InfoWorld Magazine)

It is often cited that the biggest issue in the fight against worms and viruses and other such malware is uneducated users. If a person doesn't understand why it’s a bad thing to open email attachments from people that he doesn't know, then you can bet that he will open every attachment which comes to him. Several email clients (not just MS Outlook!) will happily open and execute any Visual Basic or batch file that a user clicks on. Then wham! – You've got an infected machine that’s probably already calling home to the nasty individual who wrote the malware and now “owns” the user’s computer – which you as the IT department have to go and fix…

Of course the various network security and bug tracking sites are great about announcing the security flaws and exploits that are found, but arguably their audience is only people who are already pretty savvy about security issues. So I was pleased to see an article written more for public consumption at howstuffworks.com today, entitled “What’s the problem with Microsoft Word?”. The author, Julia Layton, does an excellent job of explaining some computer security jargon and bringing the layman up to speed with the MS Word zero-day flaws which were recently announced. I hope that this is a sign of a new trend of educating the end user in a comprehensible language.

When I was a full-time sysadmin and helpdesk tech responsible for a few hundred users and 50 servers, I struggled to explain the same topics to the many end users individually. So instead, I sent out occasional messages via email with some helpful tip on how to use their computer or a link to a web article that contained some useful information on a subject that I knew would pique their interest. So I always had these sorts of articles bookmarked to send out to my users. They appreciated that I was trying to educate them and I appreciated that I had fewer infected machines to reformat and reinstall.

High Mobley
Co-Owner of q!Bang Solutions

Google Analytics is Worth a Look

posted Apr 17, 2013, 3:03 PM by John Jones   [ updated Apr 17, 2013, 3:03 PM ]

(Article originally posted at InfoWorld Magazine)

Have you checked out Google’s Analytics package yet? No? Why not? It’s a strong web analytics package and is offered for free from Google.

Let’s first address the definition of “web analytics.” Wikipedia offers the following explanation which fits the parameters of this article quite well:

Web analytics is the measurement of the behaviour of visitors to a website. In a commercial context, it especially refers to the measurement of which aspects of the website work towards the business objectives; for example, which landing pages encourage people to make a purchase.

Google Analytics is not a web log file analyzer – which is a good thing. Log file analyzers are dependent upon the web server to execute the analyzer scripts on a regular basis and can get a little resource intensive for a busy site. Plus, what happens if you lose those log files due to a disk error or filesystem corruption before they are analyzed and put into the web statistics database? And what good is your log file analyzer data when you’re moving to a new server platform? You would most likely have to start from scratch with your data collection.

Enter Google Analytics. It works based on small snippets of code embedded in your web pages which cause the user’s browser to call a script on Google’s servers which culls the pertinent information from the user’s browser. So web analytics doesn’t take place on your servers or use your bandwidth! There is nothing for the IT staff to monitor or maintain.

Just in case anyone is entertaining thoughts of massive Google conspiracy theories, don’t fret! The data which is being noted by Google Analytics is the same data that your web browser freely and happily gives up every time it hits any web site. This includes things like what type of web browser you’re using, which operating system your computer uses, etc. It’s pretty innocuous stuff, and every other web site that you visit gets the exact same information from your browser, so Google’s not doing anything nasty.

Don’t think that a free analytics package doesn’t come with serious features. In addition to the standard statistics you would expect from a good web log file analyzer, Google Analytics provides you with the ability to view trends over time with user-definable date ranges. For your marketing department, Google Analytics has user-defined goals which are reported separately. You can also define the “funnel” or chain of URLs that the user is expected to follow to reach the goal URL. This enables you to track the effectiveness of your marketing campaigns individually and see which ones are really paying off.

And if that feature sounds attractive, then you will like the fact that Google has integrated its AdWords advertising program with the Analytics program. Your AdWords keywords are automatically imported into your Analytics account. And from within the AdWords interface, you can see ROI and other metrics for each keyword you bought on AdWords. Google Analytics plays nice with the competition too. The keyword campaign comparison reports show all your keywords from all the search engines.

Like any good analytics package, Google Analytics will track a user’s navigation through your web site. However, Google’s package has an additional feature that I expect many people will like. You can view an overlay of your site. For each clickable link on your web page, you will see a small bar graph representation of how many clicks that particular link gets. The longer the bar, the more clicks that particular link got during the time period for which you are viewing results. Sure, it’s kind of eye candy, but some people work better with visual representations, and here they have it. Speaking of eye candy, I’m partial to the Geo Targeting feature which shows a world map and places colored dots based on where your web traffic is coming from. The dots get bigger for a region which has more traffic coming to your site.

Google Analytics has a lot to offer. It’s packed with useful features, and it’s free. Well… kind of free. You get up to 5 million page views per month. That’s a lot of page views though, and if your site will go over the 5 million views per month, then all you have to do is open an AdWords account to get unlimited page views for your Google Analytics. It’s still a darned cheap option. And if your site gets that much traffic, you could pay for the AdWords account by putting up Google’s AdSense advertisements on your busy site, but that’s another article…

High Mobley
Co-Owner of q!Bang Solutions


Secure Linux Appliances in Your Enterprise

posted Apr 17, 2013, 3:00 PM by John Jones   [ updated Apr 17, 2013, 3:01 PM ]

(Article originally posted at InfoWorld Magazine)

By now you’ve either seen them or read about them. Companies are selling all kinds of useful appliances based on embedded Linux. Some are for small tasks like wireless APs, mobile devices, or cell phones. Others are geared towards enterprise needs like load balancers, routers, NAS (network attached storage) and SANs (storage area networks). They all run some version of Linux or BSD. You know you have a couple of Linux geeks working for you in the IT department. Why aren’t they coming up with some of these cool Linux appliances for your own company to use? The excellent Debian Router project by Vadim Berkgaut is the help that your Linux admins need to develop their very own Linux appliances.

At my company, q!Bang Solutions, we provide all types of IT solutions, but our strong suit is our solutions built upon Open Source software. Our employees have used the Debian Router Project (which we refer to as “DebRouter”) to build numerous solutions, including firewalls, OSPF and BGP routers, DNS servers, and even VoIP servers. DebRouter is a cornerstone of our technology solutions.

What’s great about DebRouter is that you get a fully functional Debian Linux installation. So you can add whatever software packages you want to extend the functionality of the DebRouter. This is implemented through the usual Debian package management utilities, which means that you can change a DebRouter’s functionality on the fly and in the field after it’s been deployed.

Another important feature of DebRouter is that it boots from a flash device like a compact flash card (via an IDE adapter) or a USB flash drive. So if there are any problems with changes you’ve made, a reboot takes you back to the previous known-good version of your running system. Does this mean that you lose changes you’ve made when power to the DebRouter goes out? No. DebRouter implements a “write to flash” function much like a hardware router or manageable switch. So you can install and configure new packages, test them out, and write your changes to the flash-based boot media if everything went well in testing. If your tests revealed there was a problem, then just reboot without writing the changes to flash and you will roll back to the same state of the filesystem that you had before your changes. This makes it extremely easy to test potentially unstable software and configuration changes. If things don’t work, just reboot, and voila! Your working system is back within seconds.

This also means that the machines are harder for crackers to abuse if they succeed in infiltrating the DebRouter. If you discover that your DebRouter has been compromised, you can reboot and be rid of the cracker. Then you check for security updates from Debian, install them, write your changes, and you’re back up and running. I can tell you from experience that eradicating a cracker’s presence from a normal machine with hard drives whose data persists across reboots is not this easy!
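One way to see what has changed on the running RAM disk before deciding to write to flash or to reboot, as an added example that is not part of the original article or of the Debian Router project. The two directory arguments (a mounted copy of the flash image and the running root) are assumptions supplied by the caller, and the demo trees are constructed.

```shell
#!/usr/bin/env bash
# Added example: list what differs between a flash-backed baseline tree and the
# running (RAM disk) tree. Only the contents of regular files are compared;
# ownership, modes and symlinks are not. Both paths are caller-supplied
# assumptions, not the Debian Router project's own layout.

# Print "<sha256>  ./relative/path" for every regular file under $1.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# Compare two trees and print one line per difference:
#   ADDED    file exists only in the running tree
#   MODIFIED file exists in both, contents differ
#   REMOVED  file exists only in the baseline
tree_drift() {
    local baseline=$1 running=$2
    {
        manifest "$baseline" | sed 's/^/B /'   # tag baseline entries
        manifest "$running"  | sed 's/^/R /'   # tag running entries
    } | awk '
        # Line layout: "<tag> <hash>  <path>"; the path may contain spaces.
        { tag = $1; hash = $2; path = substr($0, length($2) + 5) }
        tag == "B"          { base[path] = hash; next }
        !(path in base)     { print "ADDED " path; next }
                            { seen[path] = 1 }
        base[path] != hash  { print "MODIFIED " path }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' | LC_ALL=C sort
}

# Constructed demo: a small "flash" tree and a "RAM disk" tree that has drifted.
demo_drift() {
    local t
    t=$(mktemp -d) || return 1
    mkdir -p "$t/flash/etc" "$t/ram/etc" "$t/ram/tmp"
    echo 'nameserver 192.0.2.53' | tee "$t/flash/etc/resolv.conf" > "$t/ram/etc/resolv.conf"
    echo 'PermitRootLogin no'  > "$t/flash/etc/sshd_config"
    echo 'PermitRootLogin yes' > "$t/ram/etc/sshd_config"
    echo 'old rule' > "$t/flash/etc/firewall.old"
    echo 'unknown'  > "$t/ram/tmp/.hidden"
    tree_drift "$t/flash" "$t/ram"
    rm -rf "$t"
}

# Usage: script <baseline-dir> <running-dir>; with no arguments, run the demo.
if [ $# -eq 2 ]; then
    tree_drift "$1" "$2"
else
    demo_drift
fi
```

An empty result means the running system still matches what a reboot would restore; anything listed is what a write to flash would make permanent.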

The boot process of the DebRouter provides another nice benefit. DebRouter boots from flash media, creates a RAM disk, copies the flash media’s filesystem to the RAM disk and then unmounts the flash media filesystem and runs from the RAM disk. RAM is fast – a lot faster than any hard drive. So now your filesystem I/O speed is absurdly fast. So if you install the Apache web server and put up some HTML and image files, you now have one of the fastest web servers available – without the hassle of a special configuration to load your pages into a ramdisk. It can also run web scripts (such as PHP, Perl, Python, Ruby, etc.) as fast as your normal hard drive based servers do.

What can you build with a DebRouter? Here are a few ideas to get you started:

  • Add the Quagga routing software package to make an OSPF/RIP/BGP router
  • Install the Apache web server with Perl/PHP/Python/etc scripting environments
  • Use the Asterisk software for a cheap VoIP server for a remote office
  • NAT/Firewall
  • Web content filtering via the Squid proxy package
  • Make a captive portal system for wireless networks in cafes or other public access areas
  • DNS server using the venerable and always popular BIND software
  • Create a network sniffer with the tcpdump utility which writes data to a remote NAS or other storage device
  • Combined with a NAS (Network Attached Storage) or an NFS server, a DebRouter can do most anything.

Since most enterprises will try to install all machines in racks, I checked a couple of online vendors to see how much it would cost to build a good 1RU DebRouter machine. I found that a 1RU machine far above the minimum specs can be had for $500, including shipping. This includes a 1RU case, motherboard with all essential functionality on board, a P4 2.8GHz CPU, 1GB ram, and a 512MB CF card and IDE-based CF reader.

So how about a $500 router that can do RIP/OSPF/BGP? Consider both the business and technology reasons that your company might want to use a DebRouter instead of a router from Cisco or one of the other routing big boys. The business side is easy. The hardware is cheap, even for a system with generous amounts of RAM and CPU. For the price of a typical router support contract, you can buy a couple of extra DebRouters to have sitting around as spares ready to jump into action if you have a hardware failure on your primary DebRouter. Each subsequent year of support contracts that you don’t need to buy is money that remains in your coffers, helping to fatten up your Christmas bonus next year. Of course, let’s not forget that most router vendors charge extra for the advanced software like OSPF or BGP routing, or encryption software so that you can use the more secure SSH instead of the gaping security hole called Telnet to remotely connect to your router. DebRouter has all that (and so much more) for free!

On the technology side, with the screaming fast processors available today, a DebRouter can pretty well hold its own against most of the major router vendors’ offerings. And it’s the versatility of the DebRouter that will likely interest your techies. Did I mention that Linux does 802.1q VLANs? How about an OSPF router that does double duty as a slave DNS server? Or perhaps an edge router that also acts as a VPN concentrator with strong encryption for hundreds of tunnels?

So walk on down to IT and find those two Linux guys tucked away in their cubicles and let them loose on a Debian Router project. They should be glad to have an interesting project to work on instead of trying to recover emails that Marge from Accounting accidentally deleted the other day, and you just might get some nifty devices from them that save you some cash on your bottom line. Your Linux admins are welcome to reach out to me if they need some help or just want to share their ideas on a new use for a Debian Router.

In the future, I’ll touch on embedded Linux in extremely cheap devices that are excellent for smaller tasks.
[My q!Bang Solutions co-owner Josh Kuo beat me to the punch. Read his article "Beef Up Your Wireless Router".]

High Mobley
Co-Owner of q!Bang Solutions

Beef Up Your Wireless Router

posted Apr 17, 2013, 2:48 PM by John Jones   [ updated Apr 17, 2013, 2:59 PM ]

(Article originally posted at InfoWorld Magazine)

Sure you have one. Everyone nowadays has at least one wireless router at home, be it Linksys, NetGear, D-Link, or Buffalo. With new wireless products being released nearly every month, I am willing to bet that some of you even have a couple of the older wireless routers collecting dust in your closet. Well, it’s time to take them out and put them to good use.

Check out the OpenWRT project. OpenWRT is a Linux distribution for embedded devices, and it brings a lot of exciting possibilities to your humble wireless router. Although still in its release candidate stage (currently at RC6), OpenWRT is very usable and feature-rich right out of the box. Be warned, you could void your manufacturer warranty by installing OpenWRT on your wireless routers.

So what can you do with an embedded Linux device running on limited RAM and very small storage? As it turns out, quite a lot actually. You can install asterisk, and have your personal, customizable PBX (private branch exchange). If you already have a SIP phone or some kind of VoIP phone interface (such as the Cisco ATA 186 adapter), you can have your very own VoIP system at home, all running out of your low power-consumption embedded hardware.

Put your router/firewall on steroids by installing packages like nmap (network security scanner), snort (intrusion detection), and tcpdump (packet sniffer). Together with iptables (which comes with the Linux kernel), you can turn your OpenWRT box into a powerful security tool. Install openvpn, and you have a very affordable VPN device. And if it strikes your fancy, you can install quagga and turn your dusty little Linksys into an OSPF and BGP-capable router.

Want to provide your own wireless hotspot? No problem. Install chillispot, and you are ready to go. You can even install FreeRADIUS on the OpenWRT for the authentication back-end, and WPA (wifi protected access) for the added security.

You can turn it into an all-purpose office server by installing DHCP, cups (print server), lighttpd (web server), NTP (time server) and OpenSSH or dropbear (secure remote administration). If your router has a USB port, you can also turn it into a file server by hooking it up with a USB hard drive and installing NFS.

And don’t forget that this is a wireless router. It has a wireless card, so take advantage of it! Install kismet on it, and you have a wireless sniffer. This can prove to be invaluable if you ever need to analyze the airwaves at a remote location, but don’t want to leave your expensive laptop on-site. Drop in place a $50 OpenWRT box loaded with kismet instead.

Here is one way to use your old wireless router: In the past, I had set up a few cheap Linksys WRT54g boxes with OpenWRT and vtun, and dropped one at each of our remote locations. This gave me the ability to have layer 2 tunnels to each of the remote sites. I kept one in my house, and if I ever needed to troubleshoot a remote network problem, I just set up the tunnel between the two OpenWRT boxes, connected my laptop or testing equipment to the OpenWRT sitting on my desk, and it was like being on the remote physical network! This saved me a number of times, being able to perform packet capturing on the remote network, observing the network traffic in real-time, requesting and obtaining DHCP addresses… essentially, I could experience exactly what the remote user was experiencing, all from the comfort of my own home.

This is just the beginning of what embedded Linux can do for you. To find out more about what embedded Linux can do for your enterprise, check out Secure Linux Appliances in Your Enterprise. So dig up your old wireless router, check it against the hardware compatibility list, and see if your router is OpenWRT compatible, and open yourself up to a wrt of possibilities!

Josh Kuo
Co-Owner of q!Bang Solutions

Speed up encryption with PadLock

posted Apr 17, 2013, 2:42 PM by John Jones

(Article originally posted at InfoWorld Magazine)

Security is a topic that is getting more and more attention these days, and encryption plays a large role in security. However, those of us who have played with encryption know that it consumes a significant amount of system resources. If you are doing your encryption in software, you are most likely playing a catch-up game to your network speed (when encrypting network traffic) and storage volume (when encrypting a file system).

The traditional approach is to get an encryption card and drop it into your PCI slot. But have you checked out encryption built directly into the CPU? This is not exactly news, since VIA Technologies has been making CPUs with encryption built-in since 2004. VIA processors with PadLock have SHA1-256 (Secure Hashing Algorithm), AES (Advanced Encryption Standard), and a random number generator all built into the hardware.

So how fast is hardware encryption? In this benchmark, you can see that a 1.2GHz VIA processor can encrypt about 5 to 16 times faster than a Pentium IV 2.4GHz. And in this benchmark, where the author tests against an encrypted file system and IPSec connections, there is almost no slowdown when doing IPSec with PadLock, and you only lose about 10% of performance when writing to an encrypted file system. Compare that to software encryption where you are looking at roughly 50% to 80% loss in performance.
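Those numbers only apply when the PadLock units are actually present and switched on; otherwise the system quietly falls back to software encryption. The check below is an added example, not from the original article: it reads the Linux kernel's x86 feature flags for PadLock (`ace`, `phe`, `rng` and their `_en` counterparts) from a cpuinfo-format file, and the sample flags line in the demo is constructed.

```shell
#!/usr/bin/env bash
# Added example: report which VIA PadLock units the Linux kernel sees, using the
# "flags" line of a cpuinfo-format file. Kernel flag names used here:
#   ace / ace_en  AES engine          phe / phe_en  SHA hash engine
#   rng / rng_en  hardware random number generator
# A unit whose base flag is set without its *_en flag exists but is not enabled.

# Print "aes=<state> sha=<state> rng=<state>", state = enabled|disabled|absent.
# $1: cpuinfo-format file (default /proc/cpuinfo). Only the first CPU is read.
padlock_report() {
    awk -F': *' '
        function state(flag) {
            if (!(flag in have))         return "absent"
            if (!((flag "_en") in have)) return "disabled"
            return "enabled"
        }
        $1 ~ /^flags[ \t]*$/ && !parsed {
            n = split($2, f, " ")
            for (i = 1; i <= n; i++) have[f[i]] = 1
            parsed = 1
        }
        END {
            printf "aes=%s sha=%s rng=%s\n", state("ace"), state("phe"), state("rng")
        }
    ' "${1:-/proc/cpuinfo}"
}

# Succeed only if unit $1 (aes, sha or rng) is present and enabled.
# $2: optional cpuinfo-format file.
padlock_has() {
    padlock_report "${2:-/proc/cpuinfo}" | tr ' ' '\n' | grep -qx "$1=enabled"
}

# Constructed sample (shortened flags line, not captured from a real machine):
# AES and RNG enabled, hash engine present but not enabled.
demo_padlock() {
    local f
    f=$(mktemp) || return 1
    printf 'processor\t: 0\nvendor_id\t: CentaurHauls\n' > "$f"
    printf 'flags\t\t: fpu vme de pse tsc msr cx8 mmx fxsr sse rng rng_en ace ace_en phe\n' >> "$f"
    padlock_report "$f"
    rm -f "$f"
}

# Usage: script [cpuinfo-file]; with no arguments, run the constructed demo.
if [ $# -ge 1 ]; then
    padlock_report "$1"
else
    demo_padlock
fi
```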

Josh Kuo
Co-Owner of q!Bang Solutions
