The Quiet Earth - General

Policy-based routing on Linux

nospam@example.com (Axel Eble) — Fri, 17 Oct 2008 23:18:19 +0200

A customer system needed to be upgraded and for several reasons it was supposed to be moved from Windows server to Linux (more on that another time). The server was supposed to be moved from one IP range to another as we are moving from our old Provider Aggregatable (PA) IP addresses to our "new" Provider Indepedent (PI) addresses.

I set the system up and it was supposed to be a hard cutover on one day. It quickly turned out that this was not feasible (again, for several reasons, e.g. the amount of data to copy over was too big). So, finally, it was decided that the cutover was to be smooth: the majority of data was rsync'ed over from Windows in the days before the cutover date, then the rest on the cutover day. The SSL certificate was to be copied over on day X and the new server running Linux should take over the IP address of the old (Windows) server. As the system was now multihomed we needed to cope with asymmetric routing. First off, we thought it should be possible to hide all incoming traffic to the old IP addresses behind the internal IP address of the firewall - but it turned out our product does not allow for that.

The solution to this is policy-based routing: if the packet goes out on Interface_new, a different routing decision needs to be taken than when it would go out Interface_old. Fortunately, Linux does allow for this with the iproute2 package: you can have several routing tables glued together with a routing policy, i.e. a set of rules that controls the selection of the routing table. If a rule matches and a route is selected from a routing table the packet gets routed according to this route. If there is no matching route the rule traversal continues.

In our setup this means, that all packets from IP_PI-Space should get routed to the PI-Space gateway whereas all packets from IP_PA-Space should get routed to the PA-Space gateway. Currently, the default gateway is the PA-Space one, so we don't have to do much.

In Debian/Ubuntu syntax, the network is then setup through /etc/network/interfaces with a stanza like the following:



auto eth0

iface eth0 inet static

        address   A.B.C.D

        netmask  255.255.255.240

        network   A.B.C.128

        broadcast A.B.C.143

        dns-nameservers some.dns.serv.er

        gateway A.B.C.129

And for the Interface in the PI address space, the stanza looks like this:



auto eth1

iface eth1 inet static

        address   V.W.X.Y

        netmask  255.255.255.240

        network   V.W.X.128

        broadcast V.W.X.143

        dns-nameservers some.dns.serv.er

        post-up ip rule add from V.W.X.Y table PI-Space

        post-up ip route add default via V.W.X.129 table PI-Space

The two post-up lines are the magick in here: the first adds a rule to the routing policy that, for all traffic originating from the PI space interface, a lookup should be performed in routing table PI-Space. Then, we add a second default route to that very same routing table. Now, whenever a packet goes out Interface eth1, the kernel checks if there is a matching route in routing table PI-Space. As we have a default route, this will always match and the packet gets routed to the gateway in our PI space.
Obviously, all other traffic originates on eth0 so the "normal" routing table will be used, thus this traffic will go out via the gateway residing in the PA address space.

loose ends

Actually, the kernel does not check a routing table named "PI-Space". It will use a numerical identifier that is mapped in /etc/iproute2/rt_tables like this:



#

# reserved values

#

255     local

254     main

253     default

0       unspec

#

# local

#

#1      inr.ruhep

100     PI-Space

The European Blackout on November 5, 2006

nospam@example.com (Axel Eble) — Thu, 23 Nov 2006 22:55:00 +0100

On November 5th, 2006, a power outage caught about 10 million people all over Southern and Western Europe unawares, half of them in France alone. The cause of the problem? Human error - and a cruise ship leaving its dockyard for the North Sea. From around 10pm CET to around 11pm Western Europe was black.

The following is a summary of the official report by e.on to the Bundesnetzagentur.
Continue reading "The European Blackout on November 5, 2006"

Requiescat In Pacem, WinFS

nospam@example.com (Axel Eble) — Mon, 26 Jun 2006 15:13:38 +0200

Today, Heise Newsticker (German only) mentioned that Microsoft finally killed WinFS for good. Of course, they are going to call it differently (like: "[...] WinFS has always been about many things – a new model to enrich how users manage information, rich storage technology, and sometimes also a packaging of technology.[...]" according to Quentin Clark from the WinFS team). But, let's face it: there won't ever be a separate piece of software to install that will enable us to use advanced features and fast search procedures.

Why? Difficult question. Personally, I guess that they got overwhelmed by the complexity and the tight integration philosophy that is so deeply ingrained into Microsoft products. Trying to fit too much into it until they realized that pulling the plug is the only valid solution.

What does it mean? Well, it's a big deal for Vista (or, rather, a huge blow to Vista) as the only really useful advanced feature for Vista won't ever be available. Obviously, Microsoft miscalculated something quite important. While I won't go so far as calling it a Doomsday scenario for Microsoft, as an analyst I would be wary and start investing in other companies.

And the security linkage? Well, if you really want to have one - think for a bit about what something like this could mean to the security initiative and the overall state of Microsoft software. Will they ever be able to handle their boatloads of highly complex software? I doubt it, but then, I'm a heretic and a sceptic anyway.

Identity: Information, Theft, Cards - Culture!

nospam@example.com (Axel Eble) — Mon, 26 Jun 2006 13:12:31 +0200

With the continuing theft of personal identifying information (PII) in the US the old question pops up all over: why is what Americans understand as "identity theft" not a problem in Europe? I think three main factors need to be taken into account here:

European data privacy and data protection legislation forces companies to only collect as much data as they really need to process. That limits the amount of data that can be stolen (or, rather, illegally disclosed) in the first place. Besides, it is highly unusual for contractors to have private, production data on their personal systems.

No "Easy Credit" culture like in the US. From what I've been told by quite a few US citizens by now, the US have a culture of buying things on credit - and thus rely on receiving credit fast and without hassle. In Europe, people tend to inquire for credit only for large sums and usually only for buying a car, a house, an apartment - or other larger investments.

Europe (with the exception of the UK) has government-issued identity cards that uniquely identify the persion. There simply is no need for a social security number that can be shared easily without accompanying documents (and pictures. And whatnot).

These issues in combination make illicit information access much riskier in Europe than it is in the US. Oh, and it shows that identity documents don't have to be such a bad concept as many US and UK citizens make them out to be.

Over at the Identity Corner, Stefan Brands has an interesting series of articles about the UK identity cards:

Final UK study on digital identity (Part I)

Final UK study on digital identity (Part II)

Final UK study on digital identity (Part III)

Final UK study on digital identity (Part IV)

WTF - Apple's OS X is NOT As Secure As a Fortress?!

nospam@example.com (Axel Eble) — Mon, 12 Jun 2006 14:18:51 +0200

Oh holy Guacamole! OS X has lots of heap and buffer overflows! Quick, buy Vista and all will be well again! Oh, right. Vista isn't out yet. You've just switched to Apple because of all the exploits and dangers of running XP or some *gasp* older version of Windows. And now you're still insecure?!

Why, yes, of course. There is no such thing as ~~a free lunch~~ 100% security. Every reasonably complex piece or suite of software will. be. buggy - to some extent at least. Granted, there's lots of talk out there about how secure OS X is - and, actually, it still is. It's just not invincible, as it's cracked up to be. But, when Apple says it's products are the best, why would you believe them when you don't believe Microsoft? All vendors are alike in that regard.

And let's not forget that OS X is a revamped version of NeXTSTEP, the OS of the famous NeXT computer. That one was said to be riddled with local exploits, so don't expect OS X to be much better. As OS X is gaining market share, it will become more and more the target of choice for malware programmers.

What is different, though, is the use of administrative accounts (like on Windows where accounts by default are administrator accounts). On OS X, the only administrator account, root, is disabled, and to run administrative tasks one has to enter the password (this is a better-working equivalent to the runas command in Windows).

Moral of this? If someone tells you they are offering perfect security, chances are they are lying and only want your money. Be careful, always - it's a dangerous world out there.

ESAG vanished

nospam@example.com (Axel Eble) — Mon, 12 Jun 2006 13:36:58 +0200

I've written twice before about the European Security Advisory Group. I thought I'd check up on them again - only to find they have gone as quietly as they appeared. telepolis guesses (I believe correctly) that it was just a smokescreen for the US DoD propaganda group called Office of Strategic Influence.

Good riddance - another open book closed.

"Nah, we don't need no steenkin' study!"

nospam@example.com (Axel Eble) — Fri, 03 Feb 2006 09:47:30 +0100

As could be expected the European Commission "sees no need" for a study about the effects of the advance collection of data they have decided to enforce. Heise covers this yesterday (German only).

RFID Based Passports With BAC Vulnerable

nospam@example.com (Axel Eble) — Fri, 03 Feb 2006 09:41:57 +0100

In a current news item Heise reports that the Dutch security company Riscure found a way to brute-force attack the encryption of the Dutch ePassports. Let's recap: the ICAO has issued a set of guidelines on "Machine Readable Travel Documents" that basically states that passports and other travel documents should use an RFID chip that can be used to read the individual's data contactless. Apparently the field strength is strong enough to be read from several meters distance. However, the transmission is encrypted by "Basic Access Control" (BAC) where the key is comprised of the serial number of the document itself, it's issue date and it's invalidation date. This gives about 56 bit of key length (which is not really that much and it's questionable if it will be safe to use on a mid-term timeframe. Now, the issuer of the Dutch ePassports uses sequential serial numbers and the number of documents issued is basically constant per time unit. This gives a linear connection between the issue date and the passport serial number, thus effectively reducing key length to about 35 bit - which is easily breakable in a few hours without special hardware equipment.
This attack vector is valid for every document that uses BAC and uses predictable serial numbers for the documents!
What hasn't been stated so far is the fact that once the key is known the RFID chip could theoretically be read everywhere. Consider a country that's gone off the deep end with hysterics about terrrorism and thus has installed RFID scanners throughout what they consider critical points. Now they only need those scanners hooked up to a central database where all keys to all passports ever seen entering has been stored and they can easily find out where a person goes (given they take their passport with them).

What type of RPG player are you?

nospam@example.com (Axel Eble) — Mon, 28 Nov 2005 21:53:05 +0100

You scored as Method Actor. You think that gaming is a form of creative expression. You may view rules as, at best, a necessary evil, preferring sessions where the dice never come out of the bag. You enjoy situations that test or deepen your character's personality traits.

Method Actor

92%

Storyteller

83%

Tactician

67%

Power Gamer

50%

Specialist

42%

Casual Gamer

17%

Butt-Kicker

Law's Game Style
created with QuizFarm.com

via kris

Airline Passenger Data Transmission To US May End

nospam@example.com (Axel Eble) — Wed, 23 Nov 2005 10:28:34 +0100

In 2003 the US ordered airlines to transmit flight passenger data for all flights ending in, stopping over in or just crossing US American territory. It was made clear that all data was to be stored in raw form and would be subject to further analysis, leading to profiling of passengers, all, of course, in the name of fighting terrorism. It is completely unclear what sort of profiling will be done and what else the US government will be doing with the data (e. g. handing it over to some commercial data brokers like gasp ChoicePoint for analysis). The Washington Post has a good summary as well.

The EU Commission and the EU Council caved in instead of taking a strong position against this practice and declared the US data handling processes as equivalent to European processes and, in general, good enough. This led to a huge outcry from the EU Parliament and several Civil Rights organizations (like the European Digital Rights Initiative) but both the Commission and the Council wouldn't budge.

Now, however, things start to look a bit brighter: the Advocate General at the Court of Justice at the European Communities recommends to annul the Council decision about the agreement. The Court will have to rule about a law suit by the Parliament against the Commission and the Council decisions. The recommendation of the General Attorney are not binding but in most cases the Court will follow advisory opinions.

References:
Heise Newsticker (German)
Washington Post

The City of Dis

nospam@example.com (Axel Eble) — Wed, 23 Nov 2005 07:08:23 +0100

Well, what do you know? I've landed in Dis after taking the Dante's Inferno test:

The Dante's Inferno Test has banished you to the Sixth Level of Hell - The City of Dis!
Here is how you matched up against all the levels:

Level	Score
Purgatory (Repenting Believers)	Very Low
Level 1 - Limbo (Virtuous Non-Believers)	Very Low
Level 2 (Lustful)	Very High
Level 3 (Gluttonous)	High
Level 4 (Prodigal and Avaricious)	High
Level 5 (Wrathful and Gloomy)	High
Level 6 - The City of Dis (Heretics)	Extreme
Level 7 (Violent)	Moderate
Level 8- the Malebolge (Fraudulent, Malicious, Panderers)	Very High
Level 9 - Cocytus (Treacherous)	High

Take the Dante Inferno Hell Test

Thanks to Adam.

Security Convergence

nospam@example.com (Axel Eble) — Thu, 17 Nov 2005 20:30:49 +0100

"Security Convergence" is the subject of The Alliance between ISACA, ISSA and ASIS. Seeing what the focus of all the three groups is it really does make sense: ISACAs main operational field is Governance, especially IT governance; ISSA is "the global voice of information security" and ASIS is primarily concerned with physical security.
It's pretty clear that those three fields do converge more and more, so The Alliance is an important step in the right direction. It will help to open the eyes of security professionals worldwide to the other fields. It will, thus, help to raise a more business oriented security program in enterprises. We shouldn't expect too much in too little time, however: I don't believe that many companies understand at the moment that security is something that needs to be considered in a (I hate to use the term, but it does fit so nicely) wholistic way.
So, at the Network Security Conference/Security Management Conference of ISACA in Amsterdam last Monday the panel discussion was just about this: "Security Convergence". I was invited to represent ISSA at the panel. It was rather interesting to see the different points of view on the panel - and in the audience. Another member of the panel, Carl Thorp, stayed on for the day (I had to get back unfortunately) and reported that there were quite a few interesting discussions about the convergence thing. However, it seems to be of prime import to define what "Convergence" really means.
It will be interesting to see the discussions around the term in the near future.

First time to the Netherlands

nospam@example.com (Axel Eble) — Mon, 14 Nov 2005 07:44:02 +0100

I've been invited to represent ISSA at a panel discussion at the ISACA Network Security/Security Management Conference in Amsterdam. It's my first time to the Netherlands and, unfortunately, I won't have any time to do some sightseeing.
The panel discussion is about The Alliance between ISACA, ISSA and ASIS about the convergence of physical security and information security. The folks are great and I wish I had more time to spend here.

The Dangers of Inference

nospam@example.com (Axel Eble) — Thu, 03 Nov 2005 01:47:15 +0100

Here I am, taking a strong stance about government agencies that collect data and use inference to think about what it might possibly mean. There's no lack of wrong inferring to be done that way, starting from false assumptions about coherence of incoherent data or by simply interpreting too much into too little data.

And suddenly I find myself here, doing exactly the same: thinking F-Secure jumped on the bandwagon of Mark Russinovich's posting at sysinternals for their excellent work of analyzing the Sony DRM Rootkit. Independently, I should say, because that is what they did. They did not, however, manage to make it clear how they got wind of the thing (which they did earlier than Russinovich and were in contact with Sony to discuss the issue). After Mark published his findings, F-Secure thought it was now time to publish theirs, too.

Can't blame them, really. I blame myself, however, for jumping to unjustified conclusions. Ah well, as I said: inference is bad.

Ch-ch-ch-changes

nospam@example.com (Axel Eble) — Tue, 01 Nov 2005 00:03:01 +0100

Jon Toigo is annoyed at the lack of progress the information security field has made since the Medieval. I feel his pain, too. But what are the alternatives? Or rather, why are we still using the same concepts? Are we just too stupid to come up with something new or are the concepts just so basic and so sound that there is no better way? Let's take a look at the items Jon mentions.

Access Control: moats and stockades then, firewalls now. Access control is still one of the soundest principles of information security. Control who may access information when and how and you have removed several vulnerabilities and reduced your risk dramatically. However, the technologies being used for access control change considerably over time. Up until the 1980s to 1990s access control meant control of physical access. Computers were large and heavy and access to them could be controlled pretty strictly and fairly easily. Enter The Network - and things shift completely. Or, to be fair, they get expanded. Physical access control is by then pretty much a commodity: people just do it anyway. What's new is that access to the computers is not only available by physical access but by network access as well. While the Light Side had control for an enjoyable while it was only a matter of time until the Dark Side jumped on the bandwagon and started to use the Net for their sinister purposes. So well, Marcus Ranum writes the DEC SEAL and it starts to get a success quite fast: companies hire firewall administrators to take care of these arcane beasts that are tough to tame (alliteration not intended but gladly taken). Fast forward to today: every simple DSL router for home use has a NAT firewall included; the network guys do the firewalls on the side and up come web services with the nice side effect of tunneling "stuff" across HTTP (yes, and other protocols, but HTTP really is ubiquitous by now and a nice example of the ever changing technologies, thank you). So now we have web application firewalls which really are nothing else than application layer proxies. And so it goes, goes round again. (Kudos to Joe Jackson)

Signet Rings and Trusted Certificates - now there you've hit a sore spot, Jon. I don't trust the PKI model with a commercial head - much less even if said head is Verisign. The last piece in the puzzle was their Sitefinder "service" which accidentally broke half the Internet. But really, why do we trust signatures, signets or certificates at all? Chances are, the signature is illegibile anyway so a cursory glance of similarity is all we get. Same with certificates (without even the added benefit of Verisign). No solution there, I'm afraid.

Edicts and Policies - good point, Jon. However, I consider them to lay out the rules by which we play. We agree upon a set of rules to be able to note deviant behaviour and sanction it. Thus, policies and edits are rather useful tools as they prepare the ground for legal skirmishes or, in some cases, provide the opportunity to find out unwanted behaviour in the first place. I wouldn't want to live without them.

Codes and Encryption are powerful tools, too. Unfortunately, many people tend to forget that encryption is a temporary safeguard at best. Even if the encryption algorithm has no known weaknesses it still will fall given enough time. There's the rise in computing power and the change to other technologies (can you say Quantum Encryption? I knew you could!). As long as people recognize this, they are quite secure. All they have to do is select an algorithm that will possibly keep the information secure as long as it has to be classified.

Interestingly enough, the bad guys don't seem to have learned either how to circumvent the safeguards we set up. Either they are as caught in our ways of thinking or there simply Is No Better Way at the moment.

What do you think?

All of this, however, has nothing to do with vendors coming up with new products all along instead of listening to what the customers want - just like in the storage market. Thanks for the eye-opener, Jon!