I.T. Security and Linux Administration

July 31, 2013  2:31 PM

Debugging Yourself to Stop Eavesdropping

Eric Hansen Eric Hansen Profile: Eric Hansen

I read an interesting article talking about how a piece of malware placed a very interesting blockade in being figured out by hooking into Windows’ debugging functionality itself.  The article itself can be found here: http://blog.malwarebytes.org/intelligence/2013/07/zeroaccess-anti-debug-uses-debugger/ but this raises an interesting point in malware analysis.

According to the article, debuggers are used heavily to analyze what is going on behind the scenes, which makes sense.  A debugger is a tool that allows you to browse memory and most will decompile programs into bytecode or convert the program into assembly best it can.  This allows analysts to be able to see what’s going on and also browse various aspects of binaries such as text strings.

This program however prevents a lot of this functionality from happening by debugging itself on start up so nothing else can.  This is a fault in the Windows API itself as it only allows 1 program access to debug another at a time.

So, why am I talking about Windows on a Linux-centric blog?  Because this is also about security.  After what feels like years of the same old methods just being renamed, something new…something interesting…happens.  Now, this technique isn’t exactly new in the realm of programs, because a lot of programs in the 90’s, when cracking and pirating was all over the news, put in place measures to prevent people from debugging their code like this.  I  dabbed into this side of security when I was younger so I have a fair understanding of what went on.

I don’t see this being a major turning point in malware, but it definitely makes the field that much more interesting.

July 31, 2013  2:03 PM

What My Linux is Like: Browser

Eric Hansen Eric Hansen Profile: Eric Hansen

This is one I was really looking forward to writing about, simply because I find it fun to mess with different browsers.

My netbook, as ironic as it will be in a little bit, uses Firefox and Chrome, depending on the need.  Using Chrome’s DOM inspector and such is far superior as far as I’m concerned compared to Firefox, while Firefox offers a different view of how the page is rendered.  Since I don’t care to support IE, I support these two and it works.

However, my PC uses a different browser usually called LuaKit.  As the name suggests, it involves the Lua scripting language, however its more than that.  It bundles the rendering engine found in Chrome into a small, bite-sized application that is extremely extendible.  Wha tmakes it ironic though as that this is entirely keyboard driven (similar to Awesome).

I’ve tried using it on my netbook, and while I still do occasionally, I just feel its too difficult to work with.  I feel this has more to do with my fingers being big and the keys being small more than anything else, however.

I do also use Firefox and Chrome on my desktop, but have began to stray away from Chrome more and more.  I’ve noticed over the years that Firefox has greatly improved their product and it is no longer the bug-riddled, memory using product it used to be and is actually comparable, perhaps even better than, Chrome at this point, at least for me.

I also don’t have a bunch of extensions installed for either browser, either, so that probably plays a part in it as well.

July 31, 2013  1:46 PM

What My Linux is Like: Text Editor

Eric Hansen Eric Hansen Profile: Eric Hansen

I do a lot of programming.  Way more than I like to even admit at times.  There’s a lot of options out there, including Eclipse, vi/vim, emacs, etc…  Eclipse, while being probably 2nd most popular next to vi/vim, is also way too much.  If you were to program in Java its great, but 99% of my work now is in Python, and I want to make a mobile app I just use something like Phone Gap.

I’ve tried different writers, like KWrite, and used vim for a while with a plethora of plugins to make things even easier.  However, I eventually discovered Sublime Text Editor.  This program is like the Notepad++ of Linux editors as far as I care.

If you want extreme control, Sublime offers a good chunk of it but not to the extent of vim.  The matter of this really is moot, I suppose, as what editor you use is extremely dependent on what you need, want, and how you have it set up.  For me though its very nice, it also plays nicely with Git if you install a plugin for it.

For Python, I personally recommend STE because it has a lot of features you would need from vim right out of the box, but it also costs money too…

July 31, 2013  1:20 PM

What My Linux is Like: Terminal (desktop+laptop)

Eric Hansen Eric Hansen Profile: Eric Hansen

This was the biggest point of me moving away from Awesome3 for my PC.  I don’t use my netbook often enough for it to really effect me, but my PC is used virtually 24/7 (at least it feels like it).  As such, I had to find something that worked more in my favor.  I always loved Konsole, and it plays nicely with what I like (easy shortcut keys, not Gnome, works without having to customize it much).

The problem is with my netbook I got used to Stjerm, which basically emulated Quake-style console where you hit a key and it drops down, hit it again and it rolls back up.  I loved this feature, and luckily someone emulated it in KDE as well.  This is where Yakuake makes me a happy Linux user.

It doesn’t take a lot to get Yakuake up and running, its basically just a container of sorts for Konsole but adds some extra eye candy to make it a bit pleasing.  Pretty cool, huh?

Stjerm on the other hand requires some slight work to get it working.  While it can be simple run ad play, if you want anything customized from what I found you have to pass arguments to it.

July 31, 2013  1:12 PM

What My Linux is Like: The Distro (desktop+laptop)

Eric Hansen Eric Hansen Profile: Eric Hansen

A little series I thought I would start detailing various aspects of what my daily uses of Linux are, including the distro, programs, tools, etc… and why.  Sounds fun, no?

The one will cover the distro, and since I use it for both my PC and netbook (aka laptop in this), I’ll join it into one.  I’ll also cover the window manager and all that pretty stuff, next will go into the specific programs I use to make my life easier (i.e.: terminal, text editor, etc…).

My systems have Arch Linux installed.  For my netbook, its a prime candidate for it, as I only have 160GB of space and 1GB of RAM,  I didn’t want to fuss around with Ubuntu, Fedora, etc…  My desktop, while I only have 250 GB of space, it has 8GB of RAM (why?  because I wanted to max out my board, even though I’m only ever using ~5-30% of it, depending on what I’m doing).

The “funny” part though is that I’ve ended up working with two different environments from my laptop to my desktop.  My laptop uses the Awesome3 (aka Awesome) window manager, and it works well because the touch pad mouse annoys me greatly, and I’m too lazy to get a spare USB mouse.  Awesome is a keyboard-driven tiling window manager that fits in nicely for those who also want extremely fine-grained control over how they use their computer.  It is very easy to customize and theme, and virtually everything can be modified.

Now, for my desktop.  This one is a little bit different because I started out with Awesome as well, but I couldn’t find a good enough terminal to use.  What I ended up doing is just installing KDE, and I’ve been happy with that since, actually.  Sure it comes with a good amount of bloatware too, but…well, knowing me I’ll just be reformatting and fixing things up anyways come fall (I tend to reformat every 6 months for no other reason than just because).

May 31, 2013  6:56 PM

Dynamic or static website?

Eric Hansen Eric Hansen Profile: Eric Hansen

Should you run a dynamic or static website?  Its typically a tough call.  Dynamic sites offer a lot of functionality that, for obvious reasons, you don’t get in a static version.  However, there are some things to consider:

1.  Dynamic sites end up giving a lot more overhead and resource usage from your server (not good if you plan on running multiple sites on one server)

2.  Static sites, while may not have search functionality, can still provide other options like a tag cloud (just make sure you use good tags is all)

3.  Dynamic sites are more vulnerable to security issues opening up a flood gate to hackers entering your server

#3 is the biggest concern I have.  WordPress, for example, is an amazing piece of software for blogging…and now website management.  Its not hard to install a theme, plop a plugin or two in, add some pages and make a blog post welcoming the world.  Static sites, however, can be very tedious to work with, even if you template-ize the whole thing (i.e.: put common code in separate files and include that at run time).

What does that have to do with security?  Everything.  WordPress has been hot under the gun lately for some security issues, as well as Drupal having some issues not too long ago (though not with their software…yet).

In rebuilding my business’ website, I had to sit down and really think about what was used and not-so-used.  I didn’t make a lot of blog posts, no one commented, and for all intents and purposes the page design broke in different instances.  Basically  I had a set up that was using around 50MB of RAM (Apache2 + PHP + MySQL), powering WordPress, and was doing nothing that its intended for.  So what if I cut all that down?

If someone wants to comment, I have Disqus available.  Now the main focus on the site is not about blog posts, but about what my business offers.  I can still use Apache, but why?  Sure I might need it for my CMS (client management system), but my website won’t need it.  Install Nginx, have that serve the static content, off-load everything else to Apache via proxy and be happy.  Apache won’t be trying to do so much with the disk and resources now, and I’m able to improve speed performance by not running my rarely-modified files through a pre-processor (i.e.: PHP).

May 31, 2013  2:56 PM

Outlook.com vs. GMail : Part 2 – Sending Emails

Eric Hansen Eric Hansen Profile: Eric Hansen

Besides mentioning the whole GMail IM-email concept that I stated my dislike for in part 1, there’s some points to make about both in terms of composing email.

Lets take GMail’s full window composing version for this, as an equal comparison.  It was nice, but it threw a whole lot of things into your face.  You had about 20 options in front of you before you even started typing a recipient or anything.  Which, for a user who wants to customize the heck out an email is great.  But, when you just want to type up a quick “how do you do” email, why?

Outlook, on the other hand, sets it up pretty neatly.  The left side has the recipients and the right side allows you to set the subject, some formatting tools and then the body.  Plain, simple, easy to manage.

Google’s IM mail offers sort of the similar feature set, but its layered into menus.  So, if you want to remove the formatting, you have to click the “A” symbol, wait for the menu, then click on the format remover option.

The recipient area is quite similar in that you can type in the name or email and it’ll populate a list for you.  One thing that does bother me though about Outlook is that it lists frequent people you email.  I understand the logic as to why, but I do feel it can be a privacy concern if you are emailing someone that you don’t want others to know, or don’t want others to easily see the email address of.

May 31, 2013  1:43 PM

Authenticate with Picaso

Eric Hansen Eric Hansen Profile: Eric Hansen

In my SSH Picaso post, I mentioned about how the fingerprint is displayed as ASCII art.  But what if we took that a step further?  What if that ASCII art was our password?

The fingerprint of a keyfile is supposed to be as unique as the keyfile itself, as its derived from the data, right?  Who is to say then that we cannot compare arts and match what we have stored with what we received?  The article I linked to in the post made a good attempt at doing similar with GPG, and I commend the author in it.  But what about SSH?

Sure, public key authentication is amazing, but what if it isn’t good enough anymore?  What if we have to end up encrypting those files via GPG to make it secure?  There’s a lot of what if’s but not that many answers.

This would also open the doors of storing ASCII art in the database instead of hashes for passwords, and using the password itself as the fingerprint.  Of course it’d still have to be salted to reduce collision, but its one more method that could be useful.

May 31, 2013  1:10 PM

The SSH Picaso

Eric Hansen Eric Hansen Profile: Eric Hansen

If you’ve ever created a SSH keypair, you’ve been graced with SSH’s artistic abilities.  You know, that little character map that shows you the key’s fingerprint:

➜  ~  ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/eric/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/eric/.ssh/id_rsa.
Your public key has been saved in /home/eric/.ssh/id_rsa.pub.
The key fingerprint is:
08:48:6e:8a:6a:14:5d:58:d3:10:54:f2:7b:e0:33:0c eric@home
The key's randomart image is:
+--[ RSA 2048]----+
|  . +O=.         |
| o.o. +.         |
| .+..E o         |
|.o.  .+.o        |
|o.    .*S.       |
|o       +        |
|..               |
|.                |
|                 |

I found an article that goes into detail about how this is created, and its rather interesting.  Basically what’s going on behind the scenes is it’s taking the key (in this case: “08:48:6e:8a:6a:14:5d:58:d3:10:54:f2:7b:e0:33:0c”), and converting each pair (“08”, “48”, etc…) into binary.  it then takes each pair, and reads the binary in reverse order (so 08 = 00001000 = 00010000).  After that, its broken off into pairs again (so it is handling either 00, 01, 10 or 11 in binary).

The board you see is basically the board you get.  The concept behind it is to show you how frequent a value exists.  Each character represents a specific frequency at that location:

0 - " "
1 - "."
2 - "o"
3 - "+"
4 - "="
5 - "*"
6 - "B"
7 - "O"
8 - "X"
9 - "@"
10 - "%"
11 - "&"
12 - "#"
13 - "/"
14 - "^"

The S and E you see there stand for where the art generator started and ended.

Now, there’s some mathematics behind how the board sets the position and such, and the analogy that the SSH devs used to explain this is a lot better (drunk bishop).  The article I read that covered this a little bit more than me can be read here: http://pthree.org/2013/05/30/openssh-keys-and-the-drunken-bishop/

May 31, 2013  12:23 PM

Leaking information through API

Eric Hansen Eric Hansen Profile: Eric Hansen

I’ll be honest, I was torn on whether to post about this or not.  On one hand its perfect for this blog as it mentions security…on the other hand, it kind of opens up new doors for stalkers.  But, here I go.

I’ve never heard of this service before, but apparently there’s a social media website out there called Skout, which basically is a 4square service for meeting up.  There was a recent article though on a blog (http://corte.si/posts/security/skout/index.html) that mentioned that Skout was sending back more in the API than they should.  Namely the concern was the geographical coordinates of the user (longitude and latitude).

This issue has been resolved, but it got me wondering, what other services leak such sensitive information?  I know Facebook’s tagging system works by ID, but what about when its trying to find your location?  It goes through your phone’s GPS system, that’s sent over the air, nothing is saying that the data is encrypted.  Its one reason why I prefer open-source, but that’s a different topic.

When you create an API for your service, whether it be web or not, you have to consider what you are returning as well as receiving.  If you’re going to just dump the records into a JSON object and return it, then why not just let the user have free reign over your server?  You’re essentially doing the same thing.  Not to mention, returning only what you need speeds up the process.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: