What an Enormous, Unbelievable Mess

I’ve been trying to configure our Apache server today.

These are the requirements:

  • We want PHP version 5.
  • All user accounts are separated through virtual hosts.
  • PHP should be run with the same user rights as the user; this means either CGI or FastCGI with suexec, because when frameworks create files in the home directory, those files should be owned by the user, not by apache.
  • PHP should be locked down with open_basedir, and session storage should be in the user’s own home directory.

What an enormous, unbelievable mess this has been to set up. We’re also doing this with CentOS 5.1.

suexec is a bitch to set up, but, in the end, it works.

There is practically no documentation on FastCGI and how it works. There are tons of user-submitted scripts, all of which are crazy in one way or another, and don’t seem to work on my box.

Many of these methods seem to rely on patches, and I want to maintain my yum compatibility.

The most difficult thing was making PHP default to different values for each user account. In the end, I had to make a cgi-bin/php5 wrapper that sets PHPRC to the user’s home directory, and build a small shell script that copies /etc/php.ini, tacks on a few custom settings at the end, and puts the result where the cgi-bin php wrapper can find it.

Unbelievable. But, the good news is, with a plain vanilla suexec + php-cgi setup, it now works.
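The per-user php.ini step above, as an added example in Python rather than the author’s shell script: it appends the open_basedir and session settings after a copy of the global file (PHP keeps the last occurrence of a directive), refuses home paths that could break out of an ini value, and writes the result into the user’s home, which is assumed to be the directory PHPRC points at. The embedded BASE_INI and the .php_sessions / tmp subdirectory names are constructed for illustration.

```python
import os

# Constructed stand-in for /etc/php.ini; a real run reads the file from disk.
BASE_INI = """[PHP]
display_errors = Off
session.save_path = "/var/lib/php/session"
"""

def is_safe_home(home):
    """The home path is spliced into ini directives, so it must be absolute,
    contain no '..' component, and no character that breaks a quoted value."""
    return (home.startswith("/") and ".." not in home.split("/")
            and not any(c in home for c in '\n\r"'))

def per_user_settings(home):
    """Directives tacked on after the global file. PHP keeps the last
    occurrence of a directive, so appending overrides the global value."""
    return {
        "open_basedir": f'"{home}:/tmp"',               # confine file access
        "session.save_path": f'"{home}/.php_sessions"',  # sessions in $HOME
        "upload_tmp_dir": f'"{home}/tmp"',
    }

def build_user_ini(base_ini, home):
    if not is_safe_home(home):
        raise ValueError(f"unsafe home directory: {home!r}")
    home = os.path.normpath(home)
    lines = [base_ini.rstrip("\n"), "", "; --- per-user overrides (generated) ---"]
    lines += [f"{key} = {value}" for key, value in per_user_settings(home).items()]
    return "\n".join(lines) + "\n"

def effective_value(ini_text, key):
    """Apply PHP's last-wins rule to see which value of a directive is active."""
    value = None
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith(";") or "=" not in line:
            continue
        k, _, v = line.partition("=")
        if k.strip() == key:
            value = v.strip()
    return value

def write_user_ini(base_path, home):
    """Read the global php.ini and write <home>/php.ini; the cgi-bin wrapper
    sets PHPRC to <home>, so php-cgi loads this file for that account."""
    with open(base_path) as f:
        text = build_user_ini(f.read(), home)
    out = os.path.join(home, "php.ini")
    with open(out, "w") as f:
        f.write(text)
    return out
```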

Essential PHP Security

Good book to read for anyone working with PHP.

It started off easy enough, you know, don’t trust input, always escape output, stuff like that. “Yeah, yeah”, I thought, “I learned that in kindergarten”.

But with each chapter, my attitude kind of changed from a “yada, yada” to “hmmmm” to “oops”.

The author doesn’t quite go into great depths of PHP programming, and there are some answers that are somewhat simplified; but with each merciless chapter, he brings up exploit after exploit, asking “did you think about this? and this? you thought about that, didn’t you?”

And you’re left wondering about that particular piece of code you wrote a few months back, because in the back of your head, you know that you didn’t think about that.

I have now resolved never to trust a programmer who hasn’t read at least a few good books about computer security (and can tell me which books he read).

Neither do I trust myself.

Verifying a Root Certificate

One thing you must do some day is try to verify a root certificate.

We’re installing a program on our systems that connects to the Swedish payment transfer service BankGirot. As part of the installation/setup process, the program wants to add a custom root certificate to my Windows machine. This makes me feel somewhat queasy, as does putting my signature on a document I haven’t read. I therefore began the process of trying to validate it.

My first attempt was rather fruitless. I contacted a representative of BGC via email, sending him the certificate details and thumbprint, asking him to validate it. My inbox has been disturbingly quiet since then.

The next attempt was marginally better. I phoned their customer service number, and talked to a very nice lady, who unfortunately had no idea what I was talking about. After briefly discussing my electronic ID card and concluding that this card had nothing to do with my question, she transferred me to another lady, who was very professional, courteous, but equally clueless. (I have no complaint against any of these persons: I realize the slightly technical nature of my question.)

Next, I received an email from another representative who sent me a screen dump of the Windows front page of the VeriSign certificate used in their normal environment. I remain boundlessly thankful for this; but, as the root certificate in question is not signed by VeriSign (in fact, it is not signed at all), it didn’t help me very much. I am now eagerly awaiting the follow-up to my reply to this letter.

I also contacted the support division of the company who wrote the program trying to install this root certificate by support mail, and am now eagerly awaiting a reply from them as well.

What frightens me in all this is that nowhere in my attempts to verify this root certificate have I been met with the slightest level of understanding; it leads me to believe that I may very well be the first person to attempt this. Which means that there may possibly be hundreds of companies, doing monetary transactions over the Internet, running with a completely unverified root certificate as their security foundation.
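A root certificate carries no signature anyone else can vouch for (issuer and subject are the same name), so the only check that means anything is the one attempted above: compare the thumbprint with a value obtained through a channel independent of the installer that ships the certificate. The following added example (not the author’s or BankGirot’s code) walks the DER structure with the standard library only, reports the SHA-1 thumbprint Windows shows and the SHA-256 one, flags issuer == subject, and compares against an out-of-band value; sample_certificate builds a constructed stand-in with a dummy key and signature, since no real certificate is embedded here.

```python
import hashlib

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    pos = start                              # yields (tag, full TLV bytes) per element
    while pos < end:
        tag, _, ve = _tlv(buf, pos)
        yield tag, buf[pos:ve]
        pos = ve

def inspect_certificate(der):
    """Thumbprints as Windows displays them, plus whether issuer == subject."""
    _, vs, ve = _tlv(der, 0)                          # Certificate ::= SEQUENCE
    _, tbs = next(_children(der, vs, ve))             # first element: tbsCertificate
    _, tvs, tve = _tlv(tbs, 0)
    fields = list(_children(tbs, tvs, tve))
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    # Now: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return {"sha1": hashlib.sha1(der).hexdigest().upper(),      # Windows "Thumbprint"
            "sha256": hashlib.sha256(der).hexdigest().upper(),
            "self_signed": fields[2][1] == fields[4][1]}

def matches_out_of_band(der, expected_hex):
    """True if a thumbprint obtained through a channel independent of the
    installer (spacing and case ignored) equals this certificate's."""
    expected = "".join(c for c in expected_hex.upper() if c in "0123456789ABCDEF")
    info = inspect_certificate(der)
    return expected in (info["sha1"], info["sha256"])

def _der(tag, payload):                      # minimal DER encoder for the sample only
    n = len(payload)
    length = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload

def sample_certificate(self_signed=True):
    """Constructed stand-in for a .cer file: real layout, dummy key and signature."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn))))
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + name(b"Example Root CA") + _der(0x30, _der(0x17, b"240101000000Z") * 2)
               + name(b"Example Root CA" if self_signed else b"Leaf")
               + _der(0x30, alg + _der(0x03, b"\x00")))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))
```

On a real file, `inspect_certificate(open("root.cer", "rb").read())` gives the values to read back over the phone or compare with a printed letter; a thumbprint sent in the same e-mail as the certificate proves nothing.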

Using Junctions to Host IIS Ftp Home Folders

So, the problem I faced was that I was trying to set up the IIS FTP service to handle multiple users. However, in its User Isolation mode with local users, IIS expects the folders to be named “LocalUser\username” within the ftp root. It’s not difficult to set that up if you have a clean installation.

The problem was that we had an existing infrastructure in place, where the folders were named c:\inetpub\user01, c:\inetpub\user02, and so on. So it was impossible to add a directory structure that IIS would recognize as the users’ home folders.

We tried accomplishing that using virtual directories, but for some reason IIS failed to recognize them when we tried to add two virtual folders in succession (one LocalUser virtual folder, and then “user01”, “user02” virtual folders beneath that).

Ultimately, the solution we found was to use NTFS junctions, using the SysInternals junction utility.

By creating a folder “LocalUser” within the ftproot directory, and adding junction points under that, we were able to create a directory structure that accommodated our setup. It looks like this:

c:\InetPub
   + ftproot
      + LocalUser
         - user01 -> ..\..\user01
         - user02 -> ..\..\user02
   - user01
   - user02

This means that users can be added to or deleted from the FTP service simply by creating or removing junctions. Moreover, we don’t have to use the IIS administrator utility to do that, but can script it using conventional bat files (and without using the iisftp tool either).

Provided that using junctions doesn’t open the system up to any security vulnerabilities (which I haven’t found so far), this is (I think) a very neat setup.
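The security question raised above has a concrete check: every junction under LocalUser must land on exactly c:\inetpub\<same name>, never on another account’s folder or anything outside c:\inetpub. This added example (not the author’s script) audits a list of junction name/target pairs with Windows path rules via ntpath, so the logic runs anywhere; list_junctions is the Windows-only collector and is assumed, not exercised, here.

```python
import ntpath
import os

LOCALUSER_DIR = r"c:\inetpub\ftproot\LocalUser"   # where IIS looks for LocalUser\<name>
USER_DIR_BASE = r"c:\inetpub"                     # where the real user folders live

def _canon(path):
    """Windows-style normalisation: collapse '..', fix separators, fold case."""
    return ntpath.normcase(ntpath.normpath(path))

def resolve_target(junction_path, target):
    """Resolve a junction target, absolute or relative (as in the tree above),
    against the directory that holds the junction."""
    if not ntpath.isabs(target):
        target = ntpath.join(ntpath.dirname(junction_path), target)
    return _canon(target)

def audit_junctions(entries, localuser_dir=LOCALUSER_DIR, base=USER_DIR_BASE):
    """entries: (junction name, raw target) pairs found under LocalUser.
    Returns (name, problem) for every junction that does not land on
    base\\<name>; an empty list means each FTP home is that user's own folder."""
    problems = []
    for name, target in entries:
        resolved = resolve_target(ntpath.join(localuser_dir, name), target)
        expected = _canon(ntpath.join(base, name))
        if resolved == expected:
            continue
        if resolved.startswith(_canon(base) + "\\"):
            problems.append((name, f"points at {resolved}, not {expected}"))
        else:
            problems.append((name, f"points outside {base}: {resolved}"))
    return problems

def list_junctions(localuser_dir=LOCALUSER_DIR):
    """Windows only, Python 3.9+ (assumed, not exercised offline): collect the
    stored target of each junction; os.readlink() returns it with a \\\\?\\ prefix."""
    entries = []
    for entry in os.scandir(localuser_dir):
        try:
            target = os.readlink(entry.path)   # raises OSError for a plain directory
        except OSError:
            continue
        entries.append((entry.name, target.removeprefix("\\\\?\\")))
    return entries
```

Run `audit_junctions(list_junctions())` after each batch change; any non-empty result is a junction that hands an FTP user a folder that is not their own.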

Future Software Development: My Predictions for the Next 50 Years

The discipline of writing computer software has existed for about 50 years now, give or take. Over the years we’ve learned a lot, produced a lot of good software and immense amounts of bad software. The current discipline is maturing slowly, but it’s a far cry from other fields of engineering which have been around since, say, the Roman Empire.

An immense number of computer languages have been developed; but by now, with a few exceptions, practically all of them include some basic concepts such as for/while loops, conditional branching, etc. It seems that we have locked in some of the basic foundational syntactic elements of how computer software should be written. One could argue that more modern methodologies, like object-oriented programming with classes, inheritance, properties and components, are also quickly becoming a de facto standard – with individual variations of course.

What will happen ahead? As usual, impossible to say, but since we’re in the New Year mood still (some of us), let me venture a few predictions for the next 50 years (now there’s a risky concept)… or at least my dreams:

  • More and more research will go into the development of object-oriented frameworks and components; but the focus will be on interoperability: how to get the darn things as separate as possible and yet fundamentally stay together. Web services or SOA is just a hyped-up buzzword. We need real interoperability; to look beyond “services” and start using components directly.
  • As systems are getting more and more complicated, and frameworks get bigger and bigger, increasingly powerful forms of abstracting logic from the components will be required. There will be a lot of research about functional and/or descriptive languages, where the systems will be described instead of programmed. The systems might then be programmed or even evolved themselves, naturally solving the descriptive statements and developing themselves. This might be seen as the next generation of reflection.
  • As we get more and more processors into our computers, instead of faster and faster processors, expect processors to become more specialized. Why should I have 256 generic processors in my computer, all identical, when some processors can instead be tailored towards very specific work? We already have graphics processors that are as advanced as the CPU (at least in terms of energy and cooling requirements).
  • Programs will also fundamentally change, on some levels, and will be written (or bred, or evolved) to favor a distributed computational model. Problems will be broken down to favor parallel processing. Given the different setup of everyone’s computer, it might be wise to let the main CPU or operating system distribute the problem over several nodes. Descriptive languages might of course make all of this easier. Might “matrix programming” one day become a future buzzword?
  • The big question is: What will happen to databases? Despite all the service-oriented, distributed logic that people talk about today, the actual data is still typically stored in a huge database server (or cluster). And that’s a huge limitation, because “one database – one system”. If objects could be freed from their dependency on storage and persistence, they might be allowed to travel between systems. Nowhere is this more exemplified than when a business unit is using two systems in parallel, and nobody knows in which system a specific piece of data exists. A great example is journals or prescriptions in medical care. Will object-oriented databases provide the key? And don’t tell me XML is the solution. XML is just a tool, and sometimes, it’s a silly tool. (The thing speaking against the abolition of relational databases is that they have become as ubiquitous as for/while loops. What works tends to stay.)

In fact, I would suggest that the single biggest change within computer systems will be to “Free The Objects”. We must free them from constraining dependencies, such as persistence, assembly dependencies, and allow them to roam free, code and data [seemingly] intertwined. Fly free, objects! Roam free, components! Until the day when objects, components and frameworks can interact and interdepend freely and without restriction, we have not yet arrived.

Am I right? Am I wrong? Fifty-fifty? Who knows. The software industry might take an unexpected turn at any corner. And, as usual, expect a nasty kick in the pants from security.

Great Books: Programming .NET Security

Programming .NET Security (available from O’Reilly, Amazon) is a great book which everyone should read.

It is possibly one of the best books introducing you to defense-in-depth in .NET runtime environments, assemblies, and classes. It goes into Role-Based Security, Code Access Security and how to practically implement it, as well as providing a very good overview of security in general, the different pitfalls you can fall into and the procedures and practices that underlie any successful implementation of security.

If you’re serious about security (especially in .NET), this book is a must-read.

Freedom is Old, Try Safety

In his book Fighting Terrorism, Benjamin Netanyahu describes a fundamental shift that most democracies go through in their battle against terrorism. Sooner or later, it becomes necessary for a democracy to adopt “anti-terror laws” which enable the government to take unprecedented action against terrorists through espionage, surveillance and other unorthodox methods. The anti-terror laws adopted have been restricted in time or effect, and subject to cancellation when no longer necessary. Britain adopted anti-terror laws and courts in facing the threat of the IRA; Germany likewise against Baader-Meinhof and the RAF; Italy, France, and several others at one point or other did the same. This is all necessary, and correct.

But since 9/11, the world seems to have taken a turn. The old mantra was Freedom, Freedom; the new one seems to be Safety, Safety. While some efforts to contain international terrorism – in similar ways to the anti-terror laws of the 60s, 70s and 80s in Europe – are just and necessary, much additional “safety” is being sneaked in that does not immediately relate.

This is very scary, because it is coupled with the almost all-pervasive proliferation of technology, all connected through the Internet.

The Internet, as such, is free. There are few laws imposed on it. It is possible to print, copy and publish almost anything – whether legally or not. Online, traditional national boundaries become fuzzy and jurisdiction is no longer self-evident. Who commits the crime and what laws apply when the publisher of malicious content sits in Sweden and the server on which the content is published is in Australia?

It is not strange, then, to hear politicians clamoring for more restrictions on the Internet. Congressmen in the US want all traffic logged, shout the headlines boldly. The EU introduced legislation recently that would require all Internet Service Providers to log traffic for six months. All in the name of safety: To combat the great evils of the internet: Crime, terrorism, child pornography, abusers and so on. But this is very, very dangerous. To the uninitiated, it may seem like a good thing. But the physical equivalent of that – if we took the same logging measures and applied them to our daily lives – would be logging every phone call, everywhere we go, everything we purchase, everything we say or do, in a gigantic database searchable at will by government agencies to fight crime. As Bruce Schneier commented: It used to be “follow that car!” Now, it’s “follow every car!”

The immediate danger is not the data in the fight against cybercrime. The danger is that this all is a slippery slope. If it’s easy enough to introduce logging which may be used against people involved in child pornography today, then what’s the next step? Using it against all “cybercriminals”? Against political dissidents – such as China is doing? Against non-democratic elements? Against people who think and feel otherwise than the politically correct view? Against Christians?

“But it’s for the common good! We’re fighting terrorism!” Then why, kind Sir, do none of the present proposals for Internet traffic logging have any conditions imposed on them? Why are these not subject to annual review by a separate entity or committee? The anti-terror laws passed in Britain against the IRA were required to be renewed every year, otherwise they would by default expire. But no such things are mentioned today. And thus we start down the slippery slope of wholesale surveillance, where we are constantly watched, day and night, in our every online activity (and why not our offline activities as well?) by men we don’t know, with all our actions and words logged and scrutinized by automatic systems set to trigger at predefined conditions. And these conditions may be changed, as time goes by, to suit the current political views. It is a wet dream of any would-be dictator, and indeed present-day dictators as well.

When during World War II President Franklin D. Roosevelt made his address to Congress, he commented on four essential freedoms that all Americans shared: Freedom of speech and expression, Freedom of worship, Freedom from want and Freedom from fear. To me, freedom means not having to fear waking up in the middle of the night to police bursting through the door and dragging me and my wife out of bed because of something we did or said six months ago. Freedom means not having to think about what we say or how we say it, because we have freedom of speech that can never be contested.

The Internet is part of that. Internet transcends any boundaries, any controls, any limitations or censorships. It is as free as the wide-open seas… but maybe not for long. Soon, we may need to think about what we write or say online. Because every word we publish online – due to traffic logging – may be subject to the whim of a controlling part of a watchdog government, whom nobody controls. We may, in fact, be the last – and only – generation who lived to see a free Internet.