July 22, 2009

I am playing around with Konboot after first hearing about it on the Hak5 podcast. If you haven't heard about it, it is a boot disk you can create on a floppy, CD or USB drive (see Irongeek's site for USB instructions). The disk changes the Windows or Linux kernel on the fly while booting to allow you to bypass the login password. In Windows you just use any valid user name and a blank or garbage password; you will then be logged in as that user and can access all their files. So naturally you will probably want to try the local administrator user, which will allow you to access all files on the computer. In Linux you use the user name kon-usr and no password. This will give you full root access on the Linux machine.

I have found it works well if the system is not multi-boot. On my systems, which are all multi-boot, it would only work on one system and only on one OS, which happened to be EEEbuntu. My other laptop gave me an error about the cylinder number being too high, like the old-school days of LILO where the boot image had to be below cylinder 1024. I am assuming this is the same issue as in the days of old. Also a caveat: don't use Konboot to log in to a domain account on a computer that is connected to the network. This will disable the account on the domain and won't allow you to log in. In most environments user credentials are cached in case the network goes down, so air gap the computer before using a domain account.

Remediation steps are fairly simple. Lock the BIOS with a password and only allow the system to boot from the hard drive. This should already be on the checklist of tasks to perform when deploying a new PC, since this type of threat isn't new; Konboot just makes it a little simpler to access the PC than loading up a live Linux distro like Knoppix. If there is any sensitive information on the hard drive, encryption should be used, of course, since if someone steals the computer or hard drive it's game over. With the breach notification laws in most states that is not a fun proposition.

Categories: Geeky stuff, Security

Getting rid of volume group that doesn’t exist in linux

July 17, 2009

I was setting up a test VM with four 1 TB SAN LUNs. After successfully creating and testing the VMware image I blew it away without touching the LVM. After creating the production image I tried to add the LUNs back to the LVM and of course got errors when adding them. The metadata for the old volume group was still there and the OS refused to add the LUNs to the existing volume group. I then tried to remove the volume group with vgremove, but since the devices with those UUIDs were long gone I could not do it.

I finally found a very simple solution: just dd the damn things with zeros. That will blow out all the metadata. So for each LUN I ran

dd if=/dev/zero of=/dev/XXX bs=512 count=5

Probably only needed count=1 but what the hell, I don't care, I didn't have any data on the LUNs anyway. After that, running lvscan came back clean with no orphaned UUIDs and I was able to initialize the LUNs again and add them to the new volume group.
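The same wipe as an added example (not from the original post), with a check for the LVM2 label before and after so you can see the metadata actually went away; it runs against a constructed image file, and DEV, the helper names and the 1 MiB size are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): zero the first sectors of a
# device the way the post describes, but check for the LVM2 label first and
# verify it is gone afterwards. Runs against a constructed image file; point
# DEV at a real LUN only after pvs/vgs confirm nothing still uses it.

# has_lvm_label FILE: succeed if the LVM2 label magic "LABELONE" is in the
# first 4 sectors, where LVM writes its label header (normally sector 1).
has_lvm_label() {
    dd if="$1" bs=512 count=4 2>/dev/null | grep -q LABELONE
}

# wipe_lvm_header FILE: overwrite the first 5 sectors with zeros (bs=512
# count=5, as in the post) and succeed only if the label is gone afterwards.
wipe_lvm_header() {
    dd if=/dev/zero of="$1" bs=512 count=5 conv=notrunc 2>/dev/null || return 1
    ! has_lvm_label "$1"
}

# make_fake_pv FILE: build a 1 MiB image carrying an LVM2-style label in
# sector 1 (constructed test data, not a real physical volume).
make_fake_pv() {
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    printf 'LABELONE' | dd of="$1" bs=512 seek=1 conv=notrunc 2>/dev/null
}

DEV="${DEV:-/tmp/fake_lun.img}"
make_fake_pv "$DEV"
if has_lvm_label "$DEV"; then
    echo "LVM label found on $DEV, wiping first 5 sectors"
    wipe_lvm_header "$DEV" && echo "done, label gone"
fi
```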

Categories: Geeky stuff

No viruses and no spyware does not mean its more secure.

September 9, 2008

I hear this argument all the time that Mac OS X is better than Windows because it is more secure. The proof a lot of people state is that there are very few viruses and spyware on OS X. Yes, that is true; there are also very few on OS/2 Warp, Minix, BeOS, Windows 3.11, NT 3.51, IRIX, Linux, Solaris, BSD, and pretty much every other operating system known to man compared to Windows. That doesn't make them more secure. That makes them a small target compared to Windows; it doesn't make OS X more secure. There is a reason why tons of bugs were found in Safari when Apple ported it to Windows. Was the code so different from the OS X code base? I doubt it; there are many more automated security tools built for use on Windows, which also makes it that much easier to find the flaws in XP and Vista than in OS X. Anyone who thinks Apple cares that much about security, let me remind you it took Apple three weeks to patch the DNS vulnerability!! Weeks after there were working exploits. The larger the market share grows for Apple, the more viruses and malware you will see released targeting OS X.

Apple fanboys, please don't bug me. I personally use a Mac as my main laptop now. I personally like OS X better than Vista and XP because I am a Unix fanboy. But that is a personal choice. Also, Linux fanboys, I love Linux and am an RHCE, but I need an OS for my day-to-day work where I don't have to worry about breaking everything because I upgraded libc compat or installed a new kernel. I run CentOS on all my servers when I can and I also have another Ubuntu laptop that I use for certain security tools. Windows fanboys, securing mainly Windows boxes is my bread and butter. Windows with AD in an enterprise is the way to go.

Categories: misc

Open Source Asset Tracking software

July 17, 2008

The University of Washington has released a free and open source system for tracking computers called Adeona. I have installed it on my work laptop and it gets the job done. This is a great solution for home users as it works on Linux, Mac, and PC and doesn't require anything else from the user as far as a server or service fee to use it. There are some definite shortcomings though.

  • First, as with all non-BIOS tracking software, this won't work if a thief wipes the drive without booting up.
  • Second, it sends the location data pseudo-randomly every half hour, so if a thief boots a laptop, sees a login screen and shuts it down, it probably won't be recorded.
  • Third, it would be a nightmare to mass deploy. I have thousands of computers I would want to install this on. To do this I would have to manually install it on every one, since it asks questions during the install and you have to copy a file to a central server that you then need in order to check on the location data.
  • Fourth, it uses OpenDHT to store the location information. I don't trust the stability of an open source distributed storage system that anyone can use for distributed storage. It's only a matter of time before this starts to be used to distribute illegal material or its popularity cripples it. I am all for open access to things but time and time again a few people always ruin it.

For my purposes I think it would be better just to write a program that posts the computer name and IP address to a web server that stores the information in a MySQL database.

Categories: Security

Roku Netflix Player

July 4, 2008

There has been some buzz about the Roku Netflix player releasing some of its source code. The thing is they have to release the code, as it's GPL open source code that they modified. The truth is the code should have been available since day one. This is no different than the TiVo source code that has been released. They didn't release any of their proprietary code. Now that I know that this is based on Linux, though, this should hopefully be pretty hackable. It would be great if Xvid and H.264 support can be added. Then I won't have to use my noisy Xbox 360 to stream my movies off my computer.

Categories: Geeky stuff

Linux Cisco VPN

April 11, 2008

The Linux Cisco VPN client seems to try the first available interface to make a connection. In my case this was eth0, which is my wired port and isn't connected to anything. In order to get it to work I had to down the interface with ifconfig eth0 down; then it would connect fine with my wireless interface eth1. I haven't seen any documentation to see if there is a way to manually bind it to a specific interface, and there is no man page installed. At least --help gives some usage, which is head and shoulders over the tsmc Tivoli command line I was using today, what a royal PITA. Just in case anyone needs it, the command to restore a previous version of a file is "tsmc restore -todate=yyyy-mm-dd -inactive /path/to/file". The documentation gave the format for the date as mm/dd/yyyy and the command would just come back and say -todate not recognized. Not "wrong date format", no, that would have saved Jeff an hour of googling.

Categories: Geeky stuff, Security

PCI, Why store Credit Card Numbers?

October 5, 2007

Well, it has been a while since I have posted anything. I have been really busy this past month. I was promoted to IT security manager at my current employer. I am now dealing with IT security almost full time; they still need to fill my vacant position. So I am much happier now, not having to deal with a lot of the boring mundane tasks, and instead get to do what I love, security.

I was reading another security blog entry and it got me thinking. Why do POS systems have to store credit card numbers? There really is no rational reason that I can think of. I have had quite a bit of experience with a POS POS system (note that isn't a mistake; only one POS means Point of Sale). The way credit card transactions work is that the store's POS system calls a card processing system. The store's computer then asks the card processor's computer if this credit card has enough money to cover this purchase. If it does, then it "reserves" these funds for the store for some time period and gives the store a magic approval number; no actual money is taken at that time. I don't know exactly why they do this; my guess is that they reserve a slightly higher amount of money than is actually needed so that it can be adjusted down if the transaction needs to be modified, i.e. you give the waiter a tip or you decide you really don't want to buy that iPhone.

The store will then, within a day or two, do a batch settlement transaction where the store goes back to the card processor and says yes, all these transactions really did happen, so send us money.

So the only point in that process where the store actually needs the credit card number is the first transaction to the card processor. After that the store could just use the unique authorization number to identify the transaction. So a hacker could still get credit card numbers, but only in real time by sniffing all the transactions as they go, instead of the coup de grâce of 18 months or more that they currently can get if they hack into a POS system.
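The authorize, adjust and batch-settle flow above, as an added toy model (not code from the original post or from any real POS), written so the store side keeps only the approval number and amount and never persists the card number; the Processor and Store classes, the reserve margin and all amounts are assumptions for illustration.

```python
# Added example (not from the original post): toy model of the authorize/settle
# flow the post describes; the store keeps only approval number and amount.
# Processor, approval numbers and amounts are constructed for illustration.
import secrets

class Processor:
    """Stand-in card processor: reserves funds at authorization, moves money
    at settlement, keyed by the approval number it handed out."""
    def __init__(self):
        self.holds = {}     # approval -> (pan, reserved cents)
        self.settled = {}   # approval -> final cents

    def authorize(self, pan, cents):
        # Reserve a bit more than requested so the store can adjust down
        # (tip, partial cancel) without a second authorization.
        approval = secrets.token_hex(4)  # the "magic approval number"
        self.holds[approval] = (pan, cents + cents // 5)
        return approval

    def settle(self, approval, cents):
        _pan, reserved = self.holds.pop(approval)
        if cents > reserved:
            raise ValueError("settlement exceeds reserved amount")
        self.settled[approval] = cents
        return cents

class Store:
    """POS side: after authorization only the approval number survives."""
    def __init__(self, processor):
        self.processor = processor
        self.pending = {}   # approval -> cents to settle in the next batch

    def sale(self, pan, cents):
        approval = self.processor.authorize(pan, cents)
        self.pending[approval] = cents   # the PAN is dropped right here
        return approval

    def adjust(self, approval, cents):
        """Modify a transaction (e.g. add a tip) by approval number only."""
        self.pending[approval] = cents

    def batch_settle(self):
        """End-of-day batch: confirm each pending approval with the processor."""
        total = sum(self.processor.settle(a, c) for a, c in self.pending.items())
        self.pending.clear()
        return total

def store_retains_pan(store, pan):
    """True if the card number survives anywhere in the store's own records."""
    return pan in repr(store.pending)
```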

Categories: Security