Tuesday, December 11, 2007

Take two FUD and call me in the morning

My esteemed colleague at 360is, Nick Hutton, has been on the post again. He's written a short article for Exaprotect on the ROI of security and how vendors often choose to sell security based on Fear, Uncertainty, and Doubt.

Wander on over to Exaprotect's site for an informed read.

Sunday, October 21, 2007

Solaris 10 package for pam_mysql

There are many choices for authentication in the UNIX operating system, and PAM (Pluggable Authentication Modules) gives a flexible and powerful interface to many of them.

Over at http://pam-mysql.sourceforge.net you can download source for a PAM module that allows authentication against MySQL - very handy. At 360is we have a managed email solution that permits virtual domain information to be stored in a MySQL database, and pam-mysql provides a nice method to authenticate IMAP and SMTP sessions against this database.

Faced with rolling this out to many Solaris systems we decided to compile pam-mysql and produce a Sun package of it - you can download it from here. We've only built this on Solaris 10 for i386 so far, but if demand for a Sparc version arises, we can probably build it too.

It's compiled with Sun Studio 11, complete with optimisations, and is linked against MySQL5 from Blastwave. You'll need a couple of packages from Blastwave to satisfy the dependencies (noted in the package) - CSWmysql5rt [mysql5rt] and CSWosslrt [openssl_rt].

A typical usage would be to have Cyrus saslauthd authenticating against PAM. Here's a quick example pam.conf entry for smtp:

smtp auth sufficient pam_mysql.so user=[SQLUSER] passwd=[SQLPASSWD] host=/tmp/mysql.sock db=[SQLDATABASE] table=[SQLTABLE] usercolumn=[SQLFIELD] passwdcolumn=[SQLFIELD] crypt=1 sqllog=0
smtp auth required pam_mysql.so user=[SQLUSER] passwd=[SQLPASSWD] host=/tmp/mysql.sock db=[SQLDATABASE] table=[SQLTABLE] usercolumn=[SQLFIELD] passwdcolumn=[SQLFIELD] crypt=1 sqllog=0
smtp account sufficient pam_mysql.so user=[SQLUSER] passwd=[SQLPASSWD] host=/tmp/mysql.sock db=[SQLDATABASE] table=[SQLTABLE] usercolumn=[SQLFIELD] passwdcolumn=[SQLFIELD] crypt=1 sqllog=0

Replace each bracketed placeholder with your own values.
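To see what the three entries above actually do once PAM walks the stack, here is an added example (not part of the original post, of pam_mysql or of Solaris) that parses Solaris-style pam.conf lines and evaluates the control flags. It models the classic flags (required, requisite, sufficient, optional) with a caller-supplied verdict per module, so the behaviour can be checked without a live MySQL server: the `required` line is only consulted when the `sufficient` line in front of it fails. It also lists which entries embed a `passwd=` option, since /etc/pam.conf is readable by every local user on a default Solaris install and the MySQL account named there should therefore have no more than SELECT on the user table. The sample config and the entry names are constructed to mirror the post.

```python
"""Parse Solaris-style pam.conf entries and evaluate the resulting PAM stack.

Added example; not part of the original post, of pam_mysql or of Solaris.
Control-flag semantics are modelled as documented in pam.conf(4); the
per-module verdicts are supplied by the caller instead of a real module.
"""
from dataclasses import dataclass, field

# Constructed sample mirroring the entries in the post (placeholders kept).
SAMPLE_PAM_CONF = """
# service  type     control     module        options
smtp auth sufficient pam_mysql.so user=[SQLUSER] passwd=[SQLPASSWD] host=/tmp/mysql.sock db=[SQLDATABASE] table=[SQLTABLE] usercolumn=[SQLFIELD] passwdcolumn=[SQLFIELD] crypt=1 sqllog=0
smtp auth required pam_mysql.so user=[SQLUSER] passwd=[SQLPASSWD] host=/tmp/mysql.sock db=[SQLDATABASE] table=[SQLTABLE] usercolumn=[SQLFIELD] passwdcolumn=[SQLFIELD] crypt=1 sqllog=0
smtp account sufficient pam_mysql.so user=[SQLUSER] passwd=[SQLPASSWD] host=/tmp/mysql.sock db=[SQLDATABASE] table=[SQLTABLE] usercolumn=[SQLFIELD] passwdcolumn=[SQLFIELD] crypt=1 sqllog=0
"""

CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}


@dataclass
class Entry:
    service: str
    module_type: str
    control: str
    module: str
    options: dict = field(default_factory=dict)


def parse_pam_conf(text):
    """Split each non-comment line into service, type, control, module, options."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, module_type, control, module = fields[:4]
        control = control.lower()
        if control not in CONTROL_FLAGS:
            raise ValueError(f"unknown control flag {control!r} in {raw!r}")
        options = {}
        for opt in fields[4:]:
            key, _, value = opt.partition("=")
            options[key] = value
        entries.append(Entry(service, module_type, control, module, options))
    return entries


def stack_for(entries, service, module_type):
    """The ordered entries PAM would run for one service and module type."""
    return [e for e in entries if e.service == service and e.module_type == module_type]


def evaluate_stack(stack, verdicts):
    """Return True if the stack as a whole succeeds.

    verdicts[i] is True when the i-th module would return PAM_SUCCESS.
    Modelled semantics: 'requisite' failure ends the stack immediately;
    'required' failure is remembered but later modules still run;
    'sufficient' success ends the stack with success unless a 'required'
    module has already failed; 'optional' only matters when nothing else decides.
    """
    if len(verdicts) != len(stack):
        raise ValueError("one verdict per stack entry is needed")
    if not stack:
        return False  # nothing configured for this service/type: treat as denied
    required_failed = False
    any_success = False
    has_mandatory = any(e.control in ("required", "requisite") for e in stack)
    for entry, ok in zip(stack, verdicts):
        any_success = any_success or ok
        if entry.control == "requisite" and not ok:
            return False
        if entry.control == "required" and not ok:
            required_failed = True
        if entry.control == "sufficient" and ok and not required_failed:
            return True
    if required_failed:
        return False
    # All mandatory modules passed; with none present, some module must have succeeded.
    return has_mandatory or any_success


def entries_with_secrets(entries, keys=("passwd",)):
    """(service, type, module) for every entry whose options embed a credential."""
    return [(e.service, e.module_type, e.module)
            for e in entries if any(k in e.options for k in keys)]


if __name__ == "__main__":
    conf = parse_pam_conf(SAMPLE_PAM_CONF)
    auth = stack_for(conf, "smtp", "auth")
    for verdicts in ([True, False], [False, True], [False, False]):
        print("smtp auth", verdicts, "->", evaluate_stack(auth, verdicts))
    print("entries carrying passwd= :", entries_with_secrets(conf))
```

Running it shows that for `smtp auth` the outcome is success whenever either line succeeds and failure only when both fail; since both lines load the same module with the same options, the `required` line is reached only in the case where it will fail again.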

Wednesday, October 10, 2007

Security assessments of Solaris systems

One of the banes of our lives whilst doing vulnerability assessments of Solaris has been finding what process owns a given TCP port that may be listening. On Linux this is easy to establish with a 'netstat -p', but Solaris has always called for the additional lsof package to help out. You could always mess about with pfiles to find the answer, but now somebody has kindly written a wrapper around it and created pcp.

Here's a quick example...

root@web ~ # netstat -an | grep LISTEN
88.111.12.111.80 *.* 0 0 49152 0 LISTEN
127.0.0.1.25 *.* 0 0 49152 0 LISTEN
127.0.0.1.587 *.* 0 0 49152 0 LISTEN
88.111.12.111.22 *.* 0 0 49152 0 LISTEN

During our assessment we spot the open port 587, and we're a little unsure about it. So we run pcp with the '-p' switch and the port number...

root@web ~ # pcp -p 587
PID Process Name and Port
_________________________________________________________
853 /usr/lib/sendmail 587
sockname: AF_INET 127.0.0.1 port: 587
_________________________________________________________

Et voila! It's sendmail with a process ID of 853. So simple.

pcp is a great tool to establish what process owns a listening port, and makes assessing Solaris systems considerably easier!
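During an assessment the netstat listing is usually the first thing saved, and the question is which listeners are reachable from the network and therefore worth following up with pcp -p. The added example below (not part of the original post, of Solaris or of pcp) parses the Solaris netstat -an layout shown above, filtering on the State column instead of grepping so headers and ESTABLISHED lines are ignored, and splits the host.port local address (including a wildcard '*' bind and an IPv6 '::1' entry). The sample output is constructed, with made-up addresses.

```python
"""Pull listening TCP sockets out of Solaris 'netstat -an' output.

Added example; not part of the original post, of Solaris or of pcp. It assumes
the Solaris column layout (local address written as host.port, '*' for a
wildcard bind, State in the seventh column).
"""

# Constructed sample in the Solaris layout; the addresses are made up.
SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
88.111.12.111.80     *.*                      0      0 49152      0 LISTEN
127.0.0.1.25         *.*                      0      0 49152      0 LISTEN
127.0.0.1.587        *.*                      0      0 49152      0 LISTEN
*.22                 *.*                      0      0 49152      0 LISTEN
88.111.12.111.22     10.0.0.5.51234       65535      0 49640      0 ESTABLISHED

TCP: IPv6
   Local Address                     Remote Address                   Swind Send-Q Rwind Recv-Q   State      If
--------------------------------- --------------------------------- ----- ------ ----- ------ ----------- -----
::1.25                            *.*                                   0      0 49152      0 LISTEN
"""

LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"*", "0.0.0.0", "::"}


def split_local(addr):
    """'88.111.12.111.80' -> ('88.111.12.111', 80); also handles '*.22' and '::1.25'."""
    host, sep, port = addr.rpartition(".")
    if not sep or not port.isdigit():
        raise ValueError(f"not a host.port address: {addr!r}")
    return host, int(port)


def parse_listeners(text):
    """Return (host, port) for every line whose State column reads LISTEN."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[6] != "LISTEN":
            continue  # headers, separators, non-listening sockets
        listeners.append(split_local(fields[0]))
    return listeners


def classify(listeners):
    """Group listeners by exposure: loopback only, wildcard (all interfaces), or one address."""
    groups = {"loopback": [], "wildcard": [], "specific": []}
    for host, port in listeners:
        if host in LOOPBACK:
            groups["loopback"].append((host, port))
        elif host in WILDCARD:
            groups["wildcard"].append((host, port))
        else:
            groups["specific"].append((host, port))
    return groups


def exposed_ports(listeners):
    """Sorted, de-duplicated ports reachable from the network (non-loopback binds)."""
    groups = classify(listeners)
    return sorted({port for _, port in groups["wildcard"] + groups["specific"]})


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    for name, members in classify(found).items():
        print(f"{name:9s}", members)
    # These are the ports to resolve to a process with 'pcp -p <port>'.
    print("follow up:", exposed_ports(found))
```

Port 587 in the post's listing sits on 127.0.0.1 and lands in the loopback group; the wildcard and specific groups are the ones a remote attacker can actually reach, so those are where to spend the pcp -p effort first.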

Friday, September 14, 2007

360is Quarterly Now More Widely Available

First published in early 2003, "Executive Intelligence" is the quarterly security briefing provided by 360is to our current clients. The briefing is extended to all former clients. Now in its 5th year, it is one of the longest running UK information security publications. No spam, no hype, no advertorial, just the facts 4 times a year, delivered to you as a PDF. For the first time ever, we have opened up distribution of EI to other professionals in our network or those recommended to us by our clients.

For those of you not on the distribution list and wondering what I'm talking about, the Executive Intelligence quarterly bulletin is composed of 4 sections:
  • Regulatory, Legal, and Governmental Developments. Our pragmatic analysis of the relevant interactions between UK compliance, UK law, and IT security for UK companies will mean you are not caught unprepared by questions from your auditors or your board.
  • Significant Global Security Events. We distill only the most important developments from this quarter's press, allowing you to determine whether any change in strategy or priorities is appropriate for the security team under your direction.
  • Successful Operations. If a significant security weakness has been fixed, or a major criminal element has been busted, this is where you will learn about it.
  • Security and The Macro Environment. In the most distinctive part of our briefing, we analyze the impact on the IT security function of events in the wider environment: geopolitical, economic, and social influences, and how you can be better prepared for their impact on your responsibilities.
If you get your hands on a copy and want to be added to the official distribution list, register your details.

Tuesday, August 21, 2007

Solaris 10 package for scponly

A common situation we come across is one of allowing people secure file copying to a system, but without giving full shell access to the system at the same time.

We've long recommended scponly, which is a great solution to this very problem. scponly is a shell for UNIX systems that allows just that - scp/sftp only, with no access to an actual shell.

Today we were implementing this on a Solaris 10 x86 system, but couldn't find a Sun package to do it - so we compiled it up and rolled our own package.

The version we've built was compiled with Sun Studio 11, complete with optimisations for speed. It installs to /opt/tsis/bin. If you're after scponly for Solaris x86, feel free to download and use our package. If you want the package for Sparc just drop us an email, and we'll probably be able to wrap it up for you pretty quickly (for free :-))

Friday, August 17, 2007

The magnificent 7

Here at 360is we've been using some common tools for a number of years - because, despite looking elsewhere, these tools have proven again and again to be great at the jobs they set out to do.

So we've picked out our most frequently recommended pieces of software and investigated them in more detail - the people behind them, how they came about, and what makes them worth using.

The seven are: nmap, syslog-ng, tcp-wrappers, ssh, sudo, postfix and rsync.

Go read the article!

The Growing Trend of Security Whitelists

My esteemed colleague here at 360is, Nick Hutton, has written a great article about security whitelisting.

In case you're not familiar with the phrase, security whitelisting takes the opposite (and some would say far more sensible) approach to security from the one in common use today.

Go have a read of the article to get in the know.

Tuesday, May 15, 2007

Looking for some Sunshine

Here at 360is we're big fans of UNIX. Predominantly we use Sun Solaris, with some FreeBSD and Linux for specific tasks. Our desktop of choice is Mac OS X - founded on UNIX. We prefer UNIX over Microsoft's offering because of the flexibility and accountability of the systems. You can always get to the bottom of a problem.

There are plenty of other reasons too, but here's a good enough reason alone to be considering Sun - the mentality of their CEO, Jonathan Schwartz...

Free advice for the litigious

In a time when some vendors are intent on keeping their share of the market by peddling FUD (fear, uncertainty and doubt), Sun are going from strength to strength by doing what they do best, and going about it in a professional, congenial way.

We share Schwartz's attitude - we don't like to sell security by using FUD either (the traditional way to make somebody invest in security - scare them!). Security is a vital part of any business, and building your infrastructure on UNIX is a really good start. We'll be publishing our Solaris 10 hardening guide soon, along with some information about our favourite open source tools for looking after your business.

Tuesday, February 20, 2007

Methods and tactics for avoiding failure in large SEM implementations

Most of the work we undertake is a mixture of penetration testing, audits, post-incident clean-up, and secure infrastructure deployment. However, over the last 12 months we have repeatedly been called upon to rescue failed or failing projects around the area of Security Event and Information Management (SEM/SIEM). We've collected all the knowledge gained in these "rescue projects" and have packaged it in a short whitepaper for download. For those of you that like to know what they have been given before it is unwrapped, here is the abstract:

"Many will be familiar with the English proverb “more haste, less speed”, or to put it another way, finishing a task quickly is not about rushing. This advice could have been tailor made for complex IT projects. In this paper we learn how to mitigate some of the risks and reduce the costs associated with implementation of Security Event Management systems, arguably among the most complex and highest profile information security projects undertaken today."

If you are considering one of these systems then we think you should spend 9 pages and 15 minutes in this vendor-free hype-free document.