Open Source Security
Archive: April 2009

Intel has published a study on the costs associated with a stolen or lost laptop. One of the most interesting aspects of the study is that it quantifies how much a company saves when the confidential data on the lost laptop is encrypted. The grand total is

$18,722

saved per lost laptop when the confidential data is encrypted.

I’d recommend using eCryptfs if you are running Linux on your laptop.

by Klaus Heinrich Kiwi, IBM LTC Security Team.

In the Information Security world, authentication and authorization are orthogonal concepts:

  • Authentication refers to the act of correctly identifying a user or other entity, e.g. making sure a user is who he says he is. This is usually done by associating passwords or keys with user accounts.
  • Authorization refers to the act of granting certain users access to certain services or resources, e.g. allowing the user john_doe to read the file /foo/bar. This is usually done by mapping users and groups to resources through permissions.

Kerberos is a network authentication protocol aimed at providing secure and reliable authentication over an insecure (open) network. In a nutshell, it relies on symmetric key cryptography and on a trusted third party (the KDC) to provide mutual authentication between two entities (called Principals in Kerberos nomenclature). This means that in a scenario where a user is authenticated against a network service, not only can the service be sure of the user's identity, but the user can also be sure that he is communicating with the right server. All of this is done without ever sending cleartext passwords or long-term keys over the network: the password is only used locally to derive a key, and what travels are tickets and authenticators encrypted under keys the eavesdropper does not hold.
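To make the three exchanges concrete, here is an added toy model of them (AS, TGS and AP), written for this page and not taken from MIT krb5 or from the Blueprint. The message formats are simplified JSON, the cipher is a throwaway SHA-256 keystream plus HMAC that stands in for real Kerberos encryption types, and the principal names, realm and password are made up. What it shows is the structure the paragraph describes: the client's password never leaves the client, a wrong password fails at the AS-REP because the session key cannot be unsealed, the service ticket is opaque to the client, and the AP-REP is what lets the client authenticate the server.

```python
"""Toy model of the Kerberos exchanges (AS, TGS, AP). Added illustration, not MIT krb5
code: simplified JSON messages and a throwaway SHA-256 stream + HMAC cipher standing in
for real Kerberos encryption types. Names, realm and password are made up."""
import hashlib
import hmac
import json
import os
import time

def string_to_key(password: str, principal: str) -> bytes:
    """Long-term key derived from the password on the client (Kerberos string2key);
    the password itself is never put in a message."""
    return hashlib.sha256(principal.encode() + b"\0" + password.encode()).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, fields: dict) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    pt = json.dumps(fields).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    """The trusted third party: knows the long-term key of every principal."""
    def __init__(self, principal_keys: dict, lifetime: int = 300):
        self.keys = principal_keys
        self.tgs_key = os.urandom(32)   # krbtgt key, known to the KDC alone
        self.lifetime = lifetime

    def as_exchange(self, client: str):
        """AS-REP: a TGT (opaque to the client) plus its session key sealed under the
        client's long-term key, so only the holder of the right password can read it."""
        sk = os.urandom(32)
        tgt = seal(self.tgs_key, {"client": client, "key": sk.hex(), "exp": time.time() + self.lifetime})
        return tgt, seal(self.keys[client], {"key": sk.hex(), "for": "krbtgt"})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REP: verify the TGT and the authenticator made with its session key, then
        issue a service ticket sealed under the service's long-term key."""
        t = unseal(self.tgs_key, tgt)
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        tgt_sk = bytes.fromhex(t["key"])
        if unseal(tgt_sk, authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        sk = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": sk.hex(), "exp": time.time() + self.lifetime})
        return ticket, seal(tgt_sk, {"key": sk.hex(), "for": service})

def client_get_service_ticket(kdc: KDC, principal: str, password: str, service: str):
    k = string_to_key(password, principal)
    tgt, enc = kdc.as_exchange(principal)
    tgt_sk = bytes.fromhex(unseal(k, enc)["key"])          # a wrong password fails here
    auth = seal(tgt_sk, {"client": principal, "ts": time.time()})
    ticket, enc2 = kdc.tgs_exchange(tgt, auth, service)
    return ticket, bytes.fromhex(unseal(tgt_sk, enc2)["key"])

def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, skew: int = 300):
    """AP-REQ handling: open the ticket with the service key, check the authenticator
    under the session key found inside, and return an AP-REP (the client's timestamp
    sealed under that key), which is what lets the client authenticate the server."""
    t = unseal(service_key, ticket)
    if t["exp"] < time.time():
        raise ValueError("ticket expired")
    sk = bytes.fromhex(t["key"])
    a = unseal(sk, authenticator)
    if a["client"] != t["client"] or abs(a["ts"] - time.time()) > skew:
        raise ValueError("authenticator rejected")
    return t["client"], seal(sk, {"ts": a["ts"]})

def demo(password: str = "correct horse", service: str = "host/fileserver.example.com") -> str:
    """alice authenticates to a file server; returns the identity the server accepted."""
    alice = "alice@EXAMPLE.COM"
    svc_key = os.urandom(32)                                  # would live in the service keytab
    kdc = KDC({alice: string_to_key("correct horse", alice), service: svc_key})
    ticket, svc_sk = client_get_service_ticket(kdc, alice, password, service)
    ts = time.time()
    who, ap_rep = service_accept(svc_key, ticket, seal(svc_sk, {"client": alice, "ts": ts}))
    if unseal(svc_sk, ap_rep)["ts"] != ts:                   # client's half of mutual auth
        raise ValueError("server failed to prove it holds the service key")
    return who

if __name__ == "__main__":
    print("service accepted:", demo())
```

Two things worth noticing when reading it: the KDC never sees the password either, only the key derived from it, and the service never talks to the KDC at all; its trust in the client rests entirely on being able to decrypt the ticket with its own key. Real Kerberos adds pre-authentication, addresses, renewable and forwardable flags, replay caches and a proper ASN.1 encoding, none of which the toy attempts.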

The Kerberos Protocol is a standard (RFC 4120) with different implementations such as Microsoft’s Active Directory, Heimdal, the AFS kaserver and the Open Source MIT-Kerberos implementation.


LDAP, on the other hand, is a protocol for querying and modifying special-purpose databases called Directories. Directories are usually optimized for reading (queries) as opposed to writing (inserts), so they are often used in write-once, read-many scenarios. This read optimization, together with the hierarchical way objects are organized in the directory tree, makes LDAP a natural fit for the lookups an authorization system performs: which groups a user belongs to, which attributes and policies apply to an account, and so on.

LDAP is also a standard (RFC 4510, RFC 3494 among others) with numerous implementations such as the Open Source OpenLDAP and the IBM Tivoli Directory Server, aimed at enterprise use.

Since release 1.6 of the Open Source MIT-Kerberos (krb5) implementation, the KDC can keep its principal database in an LDAP directory (the kldap database module), which makes it possible to combine the powerful authentication aspects of the Kerberos Protocol with the reliability and scalability of an LDAP directory that also holds the identity data an authorization system needs. This feature is included in recent enterprise distributions such as the Red Hat Enterprise Linux 5 series and Novell SUSE Linux Enterprise Server 11 and later, giving those platforms the possibility of combining the Open Source MIT-Kerberos implementation with the enterprise features of IBM Tivoli Directory Server.
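For orientation, the MIT side of that combination is a `dbmodules` entry in kdc.conf that points the realm at the kldap module. The fragment below is an added example for this page, not taken from the Blueprint, and it is not specific to Tivoli Directory Server (whose container layout the Blueprint covers); the realm, DNs, hostname and file path are placeholders.

```ini
[dbmodules]
    ldap_example = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
        ldap_kdc_dn = "cn=krbadmin,dc=example,dc=com"
        ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=com"
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        ldap_servers = ldaps://ldap.example.com
        ldap_conns_per_server = 5
    }

[realms]
    EXAMPLE.COM = {
        database_module = ldap_example
    }
```

The realm container and master key are then created with `kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees ou=people,dc=example,dc=com -r EXAMPLE.COM -s`, and the password the KDC uses to bind to the directory is stored with `kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=krbadmin,dc=example,dc=com`. Two caveats a deployer should not skip: principal keys travel over the KDC-to-directory connection, so use ldaps (or a local socket) rather than plain ldap, and the service password file lets whoever reads it bind as the KDC, so it must be readable by the KDC alone.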

It was with the intention of demonstrating how the above scenario can be achieved that I wrote a Blueprint covering the subject of Using MIT-Kerberos for IBM Tivoli Directory Server backend.

Blueprints are documents describing the detailed plan of action for a specific task involving IBM hardware or technology. A Blueprint gives a step-by-step description of the exact actions needed to perform a certain task. Those steps are written with the expertise of the Software Engineers who actually work on development, and are also tested for correctness inside IBM labs: an IBM-branded HOWTO.

Besides the above Blueprint, please check out the other publications I’ve authored or co-authored, including the Enterprise Multiplatform Auditing Redbook and my Logical Volume Management developerWorks article.

And as always, feedback is greatly appreciated!

-Klaus Kiwi

Malware (malicious software), not virus, is the general term for software designed to behave badly. Malware encompasses the complete line of viruses (boot sector, stealth, polymorphic, multipart, self-garbling), worms, trojan horses, logic bombs, rootkits, etc. As the list shows, malware comes in many shapes and sizes. We previously talked about viruses, so let’s briefly address some of the other forms of malware.

A trojan horse is malware that comes packaged along with something the user does desire (data, software, whatever). Open source projects have been hit by trojan horse attacks a few notorious times. The most infamous is probably the 2002 incident in which the OpenSSH project’s distribution server was compromised and the OpenSSH source tarballs it served were replaced with trojaned copies. You can still read the CERT Advisory about the attack. The lesson then, as now, is to verify a download’s signature or published checksum before building it.

A worm is a piece of software that exploits a vulnerability to get itself established on a host and then uses that host to attack other systems. A worm is self-replicating and standalone. The most notorious worm to hit many Linux systems was Lion (often written l10n), which spread through a BIND vulnerability in 2001.

A rootkit is a program designed to hide the presence of malware on a system. Rootkits have taken the form of kernel modules, and of binary replacements for key system utilities (ls, ps, etc.) that filter the malware’s processes and files out of the output administrators use to see what is happening on the system.
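The classic way to catch the ps-replacement kind of rootkit is a cross-view check: enumerate processes from two independent sources and look for disagreements. Below is an added example of that check, not code from the original post. The /proc listing and `ps -e` output it runs on are constructed samples in which one PID is present in /proc but missing from ps; `live_check()` runs the same comparison against the real system on Linux.

```python
"""Cross-view detection of hidden processes. Added example: compare the PIDs in /proc
with the PIDs ps(1) reports. A trojaned ps hides a process from its own output, but
the /proc directory entry is still there (an LKM rootkit that filters readdir on /proc
would hide from both, which is why the two views should be as independent as possible)."""
import os
import re
import subprocess

def pids_from_ps(ps_output: str) -> set:
    """Parse the PID column of `ps -e` style output; the first line is the header."""
    pids = set()
    for line in ps_output.splitlines()[1:]:
        m = re.match(r"\s*(\d+)\s", line)
        if m:
            pids.add(int(m.group(1)))
    return pids

def pids_from_proc(entries) -> set:
    """Numeric entries of /proc are PIDs; 'self', 'cpuinfo' etc. are not."""
    return {int(e) for e in entries if e.isdigit()}

def hidden_pids(proc_entries, ps_output: str) -> list:
    """PIDs visible in /proc but absent from ps. Processes that exit between the two
    snapshots show up as noise, so repeat the check and chase only persistent hits."""
    return sorted(pids_from_proc(proc_entries) - pids_from_ps(ps_output))

# Constructed sample: PID 4242 exists in /proc but the (trojaned) ps does not list it.
SAMPLE_PROC = ["1", "2", "1337", "4242", "self", "cpuinfo", "meminfo", "sys"]
SAMPLE_PS = """\
  PID TTY          TIME CMD
    1 ?        00:00:03 init
    2 ?        00:00:00 kthreadd
 1337 pts/0    00:00:00 bash
"""

def live_check() -> list:
    """Run the comparison on the real system (Linux only)."""
    ps = subprocess.run(["ps", "-e"], capture_output=True, text=True, check=True).stdout
    return hidden_pids(os.listdir("/proc"), ps)

if __name__ == "__main__":
    print("hidden in sample:", hidden_pids(SAMPLE_PROC, SAMPLE_PS))
```

On a live system the hit list should be read with care: a PID that appears once and is gone on the next run is a process that exited during the race between the two snapshots; a PID that persists across runs and cannot be inspected through `/proc/<pid>/exe` or `/proc/<pid>/cmdline` is what deserves a forensic look, ideally from a known-good rescue medium rather than with the host’s own binaries.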

A botnet is a network of subverted machines running a rootkit or other malware that makes them remotely directable. Botnets are frequently used to launch distributed denial of service attacks. The evolution of botnets is fascinating because their command and control structures have grown in sophistication to avoid single points of failure. In a very interesting turn of events, two Symantec researchers discovered the first Mac botnet. The botnet malware was distributed as a trojan horse bundled with pirated iWork ’09 software.

This covers just a few of the additional types of malware and as you can see there are many. The study of malware is one of the “cooler” (or just more flashy) specialties of the computer security profession.

This article was part three in a multi-part series about anti-virus and Linux which was announced in the article Anti-virus for Linux Redux.

by George Wilson <gcwilson@us.ibm.com>, IBM Linux Technology Center

Operating system security features are notoriously difficult to explain. Folks who work on security have their own specialized vocabulary, which serves well to communicate concisely with other members of our community. However, it can be difficult to translate concepts into everyday language. Have you ever tried talking about SELinux to those who have never been exposed to mandatory access control (MAC)? You have to provide a large amount of background material simply to describe what SELinux is, let alone what interesting things can be done with it.

The LTC Security Development Team has developed a number of security features over the years. We’ve discussed them on mailing lists, written conference papers, and otherwise communicated our work to other technical folks. However, explaining the relevance of Linux security features to non-geeks remains a difficulty.

To help address the communications gap, the LTC Security Development Team in concert with the Information Development Team have created a customer-level Linux security brochure. In it, we discuss the various capabilities we have helped bring to Linux distros. Please take a look. It is available for download here: ftp://ftp.software.ibm.com/linux/pdfs/LTC/SecurityTeam.pdf, which BTW is one of the many resources available from the LTC Library here: http://www-03.ibm.com/linux/ltc/whitepapers.html.

In brief, some cool links:

Rational Survivability is a very readable blog focusing on the timely issue of cloud security. I especially liked yesterday’s entry: Private Clouds: Even A Blind Squirrel Finds A Nut Once In A While, which discusses the differences between private, public, managed and hybrid clouds, calling out the level of trust you should place in each. I also enjoyed one from last month on How to be PCI compliance in a cloud…. What I like most about this blog is the clear and rational dissection of the technology and hype around cloud security, expressed in a fairly sassy, funny, non-mean tone.

Wietse Venema’s RFC for PHP taint. Added a TODO to my list to try this out and see whether I can still get my blog to run.

A few noteworthy developerWorks articles:
Ramon de Carvalho Valle has a two-part series on triggering buffer overflows on Power and Cell B.E.:
LoP/Cell/B.E.: Buffer overflow vulnerabilities, Part 1: Understanding buffer overflow issues for Linux on Power-based systems
LoP/Cell/B.E.: Buffer overflow vulnerabilities, Part 2: Discovering how buffer overflow mechanisms work for Linux on Power-based systems
I’m hoping that he produces a third part to this series discussing mitigating buffer overflows on Power and Cell B.E.
Serge Hallyn has written yet another excellent security article on developerWorks, this time on Secure Linux containers cookbook. What I liked about this article is that he included the recipe for containing containers using Smack.

By Bryan Jacobson, Linux Technology Center, IBM ( bryan.jacobson@us.ibm.com).

Emily – thanks so much for the guest blogging opportunity!!

On January 5th, Twitter was hacked. “I am high on crack right now might not be coming into work today” came from the account of Rick Sanchez, CNN Anchor and top 20 Twitterholic.  33 high profile accounts were hacked, including those belonging to Barack Obama, Britney Spears and Bill O’Reilly.

All because a Twitter administrator chose a password susceptible to a dictionary attack. blog.wired.com/27bstroke6/2009/01/professed-twitt.html

There are roughly 218 trillion (62^8) possible 8-character alphanumeric passwords.

But studies of actual passwords have found 20% or more to be guessable.  A 2006 analysis of 34,000 MySpace passwords found 4% to be dictionary words, and many others were variations on the user’s name, pop culture references like “blink182”, or just adding a “1” to the end of a word or name. The most common password was: “password1”.   schneier.com/essay-144.html.

The prevalence of weak passwords creates an environment where internet worms can replicate and spread. For example, a worm that exploits weak passwords is currently mounting a Distributed Denial of Service attack against DroneBL.org (see dronebl.org/blog/8).

Can’t we just tell everyone to start using good passwords? The list of 500 Worst Passwords illustrates how even when users try to form secure passwords, the result may be guessable: whatsmypass.com/?p=415.

Fortunately, on Linux, the problem of weak passwords can be greatly reduced using pam_cracklib, which was written by Cristian Gafton.

By default my Ubuntu (Intrepid Ibex) laptop required 8 character passwords, but allowed “arkansas”, other dictionary words, or even the user’s name.

Loading pam_cracklib was easy. The command “sudo apt-get install libpam-cracklib” both installed the package and configured pam_cracklib in /etc/pam.d/common-password.

Now when I try to set a password to “arkansas” I get: “BAD PASSWORD: it is based on a dictionary word”.

A wide variety of guessable passwords were also rejected with “BAD PASSWORD”, each with an explanation of the reason:

“testuser1”: it is based on your user name
“arkansas9”: it is based on a dictionary word
“7ytiruces”: it is based on a (reversed) dictionary word
“12345678”: it is too simplistic/systematic
“blink182”: it is based on a dictionary word
“12121212”: it does not contain enough DIFFERENT characters

I did find a couple of guessable passwords that pam_cracklib accepted:
“qwertyui” (from the top row of the keyboard)
“qazwsxed” (from keys on the left side of the keyboard)

These words can be added to the file /usr/local/share/dict/cracklib, and they will also be rejected once the pam_cracklib dictionary is rebuilt overnight (or immediately, if you run update-cracklib by hand). Note that a dictionary entry only catches that exact string; other keyboard walks of the same shape will still get through.
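To show what kind of rule catches the two keyboard walks above without enumerating them one by one, here is an added model of the checks pam_cracklib applies, written for this page; it is not cracklib’s code, its word list is a constructed toy (a real cracklib dictionary holds hundreds of thousands of words), and its thresholds (minimum length 8, at least 5 distinct characters, keyboard walks of 4 or more keys) are approximations of cracklib’s, not its actual values. It reproduces the rejection messages quoted in this post for the same inputs and adds a keyboard-pattern check that rejects both “qwertyui” and “qazwsxed”.

```python
"""Model of pam_cracklib-style password checks plus a keyboard-walk check.
Added illustration, not cracklib's code; thresholds and word list are toys."""
import re
from typing import Optional

# Constructed toy word list standing in for the cracklib dictionary.
DICTIONARY = {"arkansas", "password", "security", "blink", "welcome", "dragon"}

KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYBOARD_COLUMNS = "qazwsxedcrfvtgbyhnujm"   # QWERTY columns, top to bottom, left to right
MIN_LENGTH, MIN_DISTINCT, MIN_WALK = 8, 5, 4  # assumed thresholds, not cracklib's exact ones

def _core(pw: str) -> str:
    """Strip leading/trailing digits and punctuation, as cracklib does before the lookup."""
    return re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", pw).lower()

def _is_systematic(pw: str) -> bool:
    """Every step between neighbouring characters is the same ('12345678', 'aaaaaaaa')."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(steps) == 1

def _is_keyboard_walk(pw: str) -> bool:
    """Password is a run along a keyboard row or down the columns, in either direction."""
    p = pw.lower()
    if len(p) < MIN_WALK:
        return False
    return any(p in line or p in line[::-1] for line in KEYBOARD_ROWS + [KEYBOARD_COLUMNS])

def check_password(pw: str, username: str) -> Optional[str]:
    """Return the rejection reason, or None when the password passes every check."""
    if len(pw) < MIN_LENGTH:
        return "it is too short"
    u = username.lower()
    if u and (u in pw.lower() or u[::-1] in pw.lower()):
        return "it is based on your user name"
    core = _core(pw)
    if core in DICTIONARY:
        return "it is based on a dictionary word"
    if core[::-1] in DICTIONARY:
        return "it is based on a (reversed) dictionary word"
    if _is_systematic(pw):
        return "it is too simplistic/systematic"
    if len(set(pw)) < MIN_DISTINCT:
        return "it does not contain enough DIFFERENT characters"
    if _is_keyboard_walk(pw):
        return "it is a keyboard pattern"
    return None

if __name__ == "__main__":
    for candidate in ["testuser1", "arkansas9", "7ytiruces", "12345678", "blink182",
                      "12121212", "qwertyui", "qazwsxed", "mV7$kq2Lw9"]:
        print(f"{candidate!r}: {check_password(candidate, 'testuser') or 'OK'}")
```

The order of the checks matters: “12345678” is both a keyboard row and a constant-step sequence, and it is reported as systematic because that test runs first, while “12121212” alternates steps and falls through to the distinct-character count. A checker like this is a guard against the guessable, not a strength meter; a password that passes every rule can still be weak if it appears in a leaked-password list.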

Bottom line: pam_cracklib can improve your system security and reduce the impact of worms. Two caveats: the check runs only when a password is set or changed through PAM, so weak passwords that already exist stay weak until their owners change them, and by default root is shown the “BAD PASSWORD” warning but is not prevented from setting the password anyway. (You can see other pam_cracklib features in The Linux-PAM System Administrators’ Guide, section 6.2, pam_cracklib – checks the password against dictionary words.)

As a special treat, some members of IBM’s Linux Technology Center security team have agreed to be guest bloggers for the Open Source Security Blog. You can expect to hear interesting, insightful, educational and just plain fun ideas on eCryptfs, labeled IPsec, trusted computing, PKCS#11, and general Linux security topics. I’m happy to announce the following lineup of guest bloggers coming soon!

  • Bryan Jacobson
  • Debbie Velarde
  • George Wilson
  • Joy Latten
  • Klaus Kiwi
  • Rajiv Andrade
  • Robert Sisk
  • Tyler Hicks

I’d like to extend a hearty welcome and thanks! I can’t wait to read what you have to say.

Currently, the best source of information on eCryptfs performance is the benchmarking Phoronix has done with the Phoronix Test Suite. The suite is included in Ubuntu 9.04 Jaunty, and the results for eCryptfs in the Jaunty beta are posted on the Phoronix website. The results are surprisingly good for the compilation and encoding tests; the IOzone write test shows a clear penalty.