I.T.

A Rather Nice Piece Of SPAM

For once I've received a rather nice piece of spam: well written (OK, the accents are missing, but that's a trifle, isn't it?), well formatted and credible. So I told myself I'd share it rather than keep it to myself like a vile egoist. Even the links point to the URLs whose "name" they carry!


Sébastien, whoever you are behind that first name, I don't know you, but thanks anyway for your thoughtful attention. The only snag is that I'm not much of a watch enthusiast.
|

I.T. Security: "Big Is The New Small" Redux

Mike Rothman, the man behind Security Incite, has posted yet another excellent entry on his blog, called Revisiting Big is The New Small. It's loaded with sharp insight and a very good sense of humor.

Anyone interested in the security market, and in how customers contend with nonsensical sales pitches from security vendors when all they want is good-enough security from big companies (which doesn't mean this is an ideal situation), should definitely read that post. Here are some selected quotes:

[...] the original concept behind Big is the New Small is that customers were tired of dealing with crappy little vendors. They'd much rather deal with bloated, unresponsive, lumbering vendors.

BAM! Reload, shoot:

There are many that cling to the "best of breed" myth. It's even funnier when you think about folks positioning their offerings as "integrated best of breed," whether it happens on the perimeter or on the devices. Or even in security management. Integration/unification and best of breed are opposites. Oil and water. You get the picture. It just doesn't happen.

Want some more?

without anything that is truly innovative (and it's been quite a while since we've seen true innovation in the security space), customers have no choice but to go with good enough. Most of the new companies out there are focused on "better, faster, cheaper" models of improving the way things are already done.

|

Network Traces And Pseudonymity

Imagine that you have to send network traffic dumps to a partner/supplier/whatchamacallit, and imagine that you need to scrub those traces of identifying elements (yes, because you're bored and have found nothing better to do all day than play the security paranoid). And then you ask yourself... how?

I've asked myself the question several times, and apart from capturing traces in PCAP format, converting them to text and applying good old sed here and there, I had never gone any further.

PktAnon

Enter PktAnon. This highly configurable tool (configured in XML, as you might have guessed, since that's the fashion) modifies a network trace file in PCAP format in order to meet pseudonymity requirements (or paranoia requirements, for those who still believe in Care Bears).

PktAnon is still not available as a pre-packaged third-party application for my usual OSes (FreeBSD, OpenBSD, Mac OS X). I'll therefore wait a bit before testing it. If you have run tests on your side, don't hesitate to share your impressions.
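As an added illustration (my own code, not PktAnon's and not a substitute for it), the following Python script does the core of what such a tool must do at the IP layer: replace every IPv4 address of an Ethernet pcap with a keyed, consistent pseudonym and repair the IP and TCP/UDP checksums that cover the addresses, so the trace still looks valid to the partner's tools. The key, the HMAC-based mapping and the two-packet sample capture are constructed for the example.

```python
import hashlib
import hmac
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when the data verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def fix_transport_checksum(ip_hdr: bytes, payload: bytes, proto: int) -> bytes:
    """Recompute a TCP/UDP checksum: it covers a pseudo-header with both addresses."""
    if proto == 6 and len(payload) >= 20:      # TCP: checksum at offset 16
        off = 16
    elif proto == 17 and len(payload) >= 8:    # UDP: checksum at offset 6
        off = 6
    else:
        return payload                         # other protocols: left untouched
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, proto, len(payload))
    seg = bytearray(payload)
    seg[off:off + 2] = b"\x00\x00"
    seg[off:off + 2] = struct.pack("!H", checksum(pseudo + bytes(seg)) or 0xFFFF)
    return bytes(seg)


def pseudonym(addr: bytes, key: bytes, mapping: dict) -> bytes:
    """Keyed, consistent pseudonym: HMAC-SHA256(key, addr) truncated to 4 bytes. Same
    address and key give the same fake address, so flows stay correlatable; `mapping`
    (real -> fake) is the only way back and stays with the operator."""
    if addr not in mapping:
        mapping[addr] = hmac.new(key, addr, hashlib.sha256).digest()[:4]
    return mapping[addr]


def rewrite_ipv4(pkt: bytes, key: bytes, mapping: dict) -> bytes:
    """Rewrite src/dst of one IPv4 packet and repair the checksums that cover them."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or not 20 <= (pkt[0] & 0x0F) * 4 <= len(pkt):
        return pkt                             # not IPv4, or header truncated
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[12:16] = pseudonym(bytes(hdr[12:16]), key, mapping)
    hdr[16:20] = pseudonym(bytes(hdr[16:20]), key, mapping)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    total_len, _, flags_frag = struct.unpack("!HHH", hdr[2:8])
    if (flags_frag & 0x3FFF) == 0 and ihl <= total_len <= len(pkt):   # whole, untruncated
        payload = fix_transport_checksum(bytes(hdr), pkt[ihl:total_len], hdr[9])
        return bytes(hdr) + payload + pkt[total_len:]   # tail = Ethernet padding
    return bytes(hdr) + pkt[ihl:]   # fragment or truncated capture: payload kept as is


def parse_pcap(data: bytes):
    """Split a classic pcap into (byte-order prefix, link type, [(record header, frame)])."""
    end = "<" if data[:4] == struct.pack("<I", PCAP_MAGIC) else ">"
    if len(data) < 24 or data[:4] != struct.pack(end + "I", PCAP_MAGIC):
        raise ValueError("not a classic pcap file")
    records, pos = [], 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(end + "I", data[pos + 8:pos + 12])[0]
        records.append((data[pos:pos + 16], data[pos + 16:pos + 16 + incl_len]))
        pos += 16 + incl_len
    return end, struct.unpack(end + "I", data[20:24])[0], records


def pseudonymise_pcap(data: bytes, key: bytes) -> bytes:
    """Rewrite every IPv4 packet of an Ethernet pcap. MAC addresses, timestamps, ARP/IPv6
    frames and payloads are copied as they are: only the IP-address part of the job."""
    _, linktype, records = parse_pcap(data)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    out, mapping = bytearray(data[:24]), {}
    for rec_hdr, frame in records:
        if len(frame) >= 14 and frame[12:14] == b"\x08\x00":
            frame = frame[:14] + rewrite_ipv4(frame[14:], key, mapping)
        out += rec_hdr + frame
    return bytes(out)


def ipv4_packets(data: bytes) -> list:
    return [f[14:] for _, f in parse_pcap(data)[2] if f[12:14] == b"\x08\x00"]


def build_udp_packet(src: bytes, dst: bytes, sport: int, dport: int, data: bytes) -> bytes:
    """Constructed IPv4/UDP packet with valid checksums (addresses as 4 raw bytes)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234,
                               0x4000, 64, 17, 0, src, dst))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return bytes(ip) + fix_transport_checksum(bytes(ip), udp, 17)


def build_sample_pcap() -> bytes:
    """Constructed two-packet exchange between 192.0.2.10 and 198.51.100.7 (RFC 5737)."""
    a, b = b"\xc0\x00\x02\x0a", b"\xc6\x33\x64\x07"
    eth = b"\x02\x00\x00\x00\x00\x02\x02\x00\x00\x00\x00\x01\x08\x00"   # dst MAC, src MAC, IPv4
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate((eth + build_udp_packet(a, b, 40000, 53, b"query"),
                           eth + build_udp_packet(b, a, 53, 40000, b"answer"))):
        out += struct.pack("<IIII", 1200000000 + i, 0, len(f), len(f)) + f
    return out
```

MAC addresses, IPv6, ARP and payload contents are deliberately left alone here, which is exactly the kind of leak a dedicated tool's configuration has to cover before a trace leaves the house.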
|

GNU/Linux Is Very Secure?

Bana, a fellow DocIslander, told me about an IBM developerWorks article titled Anatomy of Security-Enhanced Linux (SELinux). Bana pointed me to the following excerpt:

GNU/Linux is very secure, but it's also very dynamic: changes can appear that open holes into the operating system that can then be exploited. Although considerable attention is paid to preventing unauthorized access, what happens after an entry has occurred?

Good! Oh, hang on a sec. Don't you smell something really fishy in the first sentence? Let me help you out a bit:

GNU/Linux is very secure, but it's also very dynamic...

I let my mind chew on these memes and I came to the conclusion that this basically boils down to saying something similar to the following:

Have no fear, chap, you can sleep assured that no burglar will enter your house. Look at the door. It's made of bulletproof metal, 6 inches thick, with 17 different locks, a retina scanner and a DNA sampler. Oh, by the way, it's a very dynamic design, which is why we are tearing down the surrounding walls and rebuilding them from the ground up.

... And that's why we need something as mind-bogglingly complex as SELinux to secure the very secure.
|

FOSDEM 2008 Report

I wrote a report on the security-oriented talks of FOSDEM 2008 for the Lettre Techniques De l'Ingénieur (Sécurité des Systèmes d'Information). It was published in issue 14 (April 2008).

Unlike the previous edition, there were few security talks. It's not for lack of speakers or topics, though... Only two talks held my attention: a presentation of SELinux in CentOS and a presentation/demonstration of WebScarab-NG from the OWASP project.
|

Secure Development In La Lettre Techniques De l'Ingénieur

I fairly recently wrote an article on secure development for the Lettre Techniques De l'Ingénieur (Sécurité des Systèmes d'Information). It was published in issue 13 (March 2008). Titled Vers une approche pragmatique du développement sécurisé d'applications, it describes 6 points intended to anchor security within a software development cycle in order to arrive at an SDL (Secure Development Lifecycle).

This approach is very largely inspired by the one proposed by Gary McGraw in his excellent book Software Security, which I recommend to anyone with a serious interest in secure development. I merely simplified the approach he originally proposed and skimmed over the anchor points in order to give an overview of the approach and of the steps needed to put it into practice.
|

MISC 37: Discovering ModSecurity 2

Issue 37 (May/June 2008) of MISC magazine has just come out. If you're a subscriber, you should have received it in your mailbox; otherwise you'll find it on newsstands very shortly. On page 60 you'll find an article titled A la découverte de ModSecurity 2, which I co-wrote with my colleague and long-time friend Jérôme Léonard. I very much enjoyed working with someone with whom I share some convictions and a similar view of computer security.



As its title indicates, in this technical brief we invite you to discover, in a few pages, the ModSecurity 2 application firewall (which I had promised myself I would try). We describe the main features of version 2 of this product, whose purpose is to raise the security level of your Web applications. And as usual, you'll find a few touches of humour to make the read more pleasant, without forgetting the essential information you need to decide whether this product might suit your needs.

We lean towards the blacklist approach (forbidding suspicious URLs), which seems to us more pragmatic and better suited to the complexity of today's Web applications. I won't say more! I invite you to read the article and send us your comments and questions by email or through this blog's comment system. Your feedback is precious and helps us improve the quality of our work.
|

OpenSSH Presentation Slides Available

As mentioned in another post, I gave a presentation on some new OpenSSH features (mainly the Match and ChrootDirectory directives) and an overview of a few hardening principles found in hardening guides for this software, generally written on the business or project-management side, but whose applicability is unlikely.

To give you an example, take authentication keys. It's generally considered good form to demand the outright abandonment of password authentication and a move to key-based authentication. But that's much easier said than done. How do you manage their generation (is there really a passphrase, does the chosen passphrase comply with the security policy in force)? Their distribution, their update (notably of the passphrase, changed every N days to stay compliant with the security policy), ...

The tools and controls traditionally used to help generate quality passwords and to check that quality over time, etc., cannot be used as they are for key passphrases or for the keys themselves.

Keys make life a lot easier (think ssh-add/ssh-agent); one generates only a few of them at most if one is "pragmatic", and one very rarely, if ever, changes their passphrase. But is that really a security problem? Isn't it rather up to the security policy to know how to handle exceptions? I've pointed at the problem; I'll let you think about all its facets.

In the meantime, you can download the slides in PDF format at the following address: http://saad.docisland.org/docs/files/openssh-nah-sur20080311.pdf.

Edited to add: the download link displayed the name of another presentation, although it pointed to the right place. This is now fixed. Thanks to Nicolas Legrand for spotting the slip.
|

New OpenSSH Features And A Few Hardening Principles At The SUR Group

The next meeting of the SUR group will take place on Tuesday 11 March. In the second half of the meeting I'll present the new OpenSSH features and a few hardening principles to apply in order to raise the security level of this tool, so essential nowadays.

As for the new features, I'll mainly talk about the new native (and per-user) chroot directives as well as the Match directives.
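As an added example (mine, not from the slides of either post), the constructed sshd_config fragment below uses Match and ChrootDirectory to confine one group to SFTP, and the Python check implements the ownership-and-mode rule sshd applies to every component of the chroot path before it lets the session in; the path layout, the user names and the fake stat tree are constructed for the example.

```python
import os
import stat
from types import SimpleNamespace

# Constructed sshd_config fragment (not from the slides): members of group
# "sftponly" are confined to /srv/sftp/<user> with SFTP only; everyone else
# keeps the global settings that precede the Match block.
SAMPLE_SSHD_CONFIG = """\
Subsystem sftp internal-sftp
PasswordAuthentication no
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"""


def expand_chroot(template: str, user: str, home: str) -> str:
    """Expand the tokens sshd_config(5) allows in ChrootDirectory: %u, %h and %%."""
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            out.append({"u": user, "h": home, "%": "%"}.get(template[i + 1], "%" + template[i + 1]))
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def chroot_path_problems(path: str, stat_fn=os.stat) -> list:
    """Apply the rule sshd checks before chrooting: every component of the path
    must be a root-owned directory that is not writable by group or others,
    otherwise the login fails with "bad ownership or modes for chroot directory
    component". `stat_fn` is injectable so the check can run on a fake tree."""
    if not path.startswith("/"):
        return [f"{path}: ChrootDirectory must be an absolute path"]
    problems, current = [], ""
    for part in ["/"] + [p for p in path.split("/") if p]:
        current = part if part == "/" else os.path.join(current, part)
        try:
            st = stat_fn(current)
        except OSError as exc:
            problems.append(f"{current}: {exc.strerror or exc}")
            break                                   # nothing below can be checked
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{current}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{current}: owned by uid {st.st_uid}, must be root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{current}: writable by group/others "
                            f"(mode {stat.S_IMODE(st.st_mode):04o})")
    return problems


def fake_stat(tree: dict):
    """stat()-like function over a constructed {path: (mode, uid)} tree."""
    def _stat(path):
        if path not in tree:
            raise FileNotFoundError(2, "No such file or directory", path)
        mode, uid = tree[path]
        return SimpleNamespace(st_mode=mode, st_uid=uid)
    return _stat


# Constructed trees: alice's chroot follows the rule (root-owned 0755 chroot,
# user-owned "upload" subdirectory for her files); bob's chroot was chowned to
# bob and made group-writable so he could write at the top level, which is the
# classic mistake that makes sshd refuse the session.
D = stat.S_IFDIR
GOOD_TREE = {"/": (D | 0o755, 0), "/srv": (D | 0o755, 0), "/srv/sftp": (D | 0o755, 0),
             "/srv/sftp/alice": (D | 0o755, 0), "/srv/sftp/alice/upload": (D | 0o755, 1001)}
BAD_TREE = dict(GOOD_TREE, **{"/srv/sftp/bob": (D | 0o775, 1002)})


def check_user(user: str, tree: dict) -> list:
    """Problems sshd would report for `user` under the sample Match block."""
    path = expand_chroot("/srv/sftp/%u", user, f"/home/{user}")
    return chroot_path_problems(path, fake_stat(tree))
```

Run against a real host, `chroot_path_problems("/srv/sftp/alice")` with the default `os.stat` gives the same verdict sshd will give at login time, which is cheaper than discovering it in the auth log.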

SUR group meetings are free and open to all, so I invite you to attend. And if you have presentation ideas or rooms to offer us, don't hesitate to contact me.
|

Slides Of The Jail Presentation (Solutions Linux 2008)

As I indicated in the post OpenBSD, FreeBSD et Solutions Linux 2008, I gave a presentation of FreeBSD's jail feature on the morning of Wednesday 30 January. It's an update of the presentation I previously gave in 2006 for OSSIR's SUR group.

You can view the slides in PDF format: http://saad.docisland.org/docs/files/sl2008-jail.pdf.
|

Solutions Linux 2008 Pictures Posted

Solutions Linux 2008 was a wonderful edition. Save for a few hours on the 2nd day (during which I gave a talk on FreeBSD's jail), I was at the OpenBSD booth with the gang. Besides the usual suspects (Wim Vandeputte, Marc Espie, and Miod Vallat), many other French OpenBSD developers showed up: Antoine Jacoutot (the so-called TagDiff'er), Gilles Chehade, Landry Breuil, and Charles Longeau. Eric Faurot, Wim's friend, was also there. Last but not least, I had the pleasure to finally meet Wim's girlfriend (Machtelt, you rock!). Their help was very welcome since we had many visitors during those three days. Every evening, after closing the booth, we went downtown to have a drink and some awesome dinners. The first night, we went to Les Galopins in Bastille, the next to Chez Denise, La Tour De Montlhéry, and the last one to Hokkaido, a wonderful Japanese restaurant that I "bookmarked" (thanks Marc!).



GCU Squad made an impressive show, and I had a very nice chat with the guys of RubyFrance; I also met some old acquaintances I hadn't seen in eons. I am pretty tired after all this, but I don't regret it at all.

If you'd like to see the OpenBSD gang soon, come to Brussels for FOSDEM! In the meantime, check out the pictures.

|

OpenBSD, FreeBSD And Solutions Linux 2008

This year I'll be at the OpenBSD project's booth at Solutions Linux 2008, the trade show dedicated (so to speak) to the free software world. I plan to be there for the whole event, i.e. from 29 to 31 January inclusive. The booth will be staffed by yours truly as well as many other project members such as Wim and Marc Espie. So come and visit us and share your ideas, questions and comments about our project.

In principle, I'll be away on the morning of Wednesday 30 January because I'll be giving a talk titled Virtualisation et sécurité avec jail in the Security track of the paid conferences. In this talk, I'll cover the jail feature of the FreeBSD operating system and the novelties introduced by version 7.0 of this OS (which is at RC1 as I write these lines).

As a speaker, I can invite two people to this paid talk. If you're reading this post and would like to attend my talk for free, please send me an email at my address (which you'll find behind the Contact hyperlink on this page). First come, first served.
|

Hack.lu 2007: Injecting RDS-TMC Traffic Information Signals

I gave an account of the hack.lu 2007 security conference at the December meeting of OSSIR's SUR (Sécurité Unix et Réseaux) group, together with co-worker and fellow DocIslander Jérôme Léonard a.k.a. Mitch. There were many interesting presentations and a few boring ones. But the funniest and weirdest was Injecting RDS-TMC Traffic Information Signals by Andrea Barisani and Daniele Bianco, two Italian hackers from Inverse Path. The hack.lu slides are not available yet, but this presentation was already given at other security conferences around the world, such as CanSecWest, for which the slides have been published.

This is a perfect illustration of Alternative Thinking.

If you read French, make sure to check our detailed account of this presentation and all the others we found interesting.

|

Slides And Detailed Report Of The Hack.lu 2007 Conference

I attended the Hack.lu 2007 conference in the Grand Duchy of Luxembourg last December with my colleague and friend Jérôme Léonard. HAPSIS, our employer, allowed us to take part, and OSSIR sponsored part of the travel expenses. In return, we presented a report on this friendly security conference at the SUR group meeting of Tuesday 08 January 2008. The slides of the presentation are available online on OSSIR's website. You'll also find a detailed report of the event there. I highly recommend reading it.

My thanks again to HAPSIS and OSSIR.
|

Hack.lu 2007: How Can Defense-in-depth Unleash Hell

A friend sent me the following URL which illustrates an "old" trick for bypassing AV detection:
http://blog.didierstevens.com/2007/10/23/a000n0000-0000o000l00d00-0i000e000-00t0r0000i0000c000k/

This reminds me that I wanted to give you a small account of The Death Of Defense In Depth? Revisiting AV Software, an excellent presentation by Thierry Zoller and Sergio Alvarez at the hack.lu 2007 security conference, which I attended. Note that I'll be giving a full account of the conference at the SUR group meeting next December. The account will be co-presented by my colleague and friend Jérôme Léonard a.k.a. Mitch. I'll put the slides online after the meeting.

Thierry and Sergio demonstrated how badly the defense-in-depth principle is implemented by AV software. Generally, you tend to multiply AV products between the Wild Wild Internet and your desktop: one AV on the mail gateway, another on the mailbox server, yet another on the desktop, etc. Well, you get the "depth" part of the defense. However, Thierry and Sergio argued that this significantly increases your exposure to vulnerabilities, because AV software is not developed following secure development guidelines and its attack surface is huge (think of how many file formats it needs to parse). They showed how, by exploiting a parsing bug, they could bypass a tremendous number of different AV products.

Another simple example showed how adding a string to a PE file ("Hello Luxembourg" in this case) bypassed the AV. In yet another example, Thierry simply changed the contents of the version field of a ZIP archive, and this confused a truckload of AV products. Meanwhile, WinZip could still open the archive without breaking a sweat.

According to the speakers, one of the main problems with AV software is that it tends to treat what it cannot parse as safe, which is a rather odd implementation of the defense-in-depth principle. To their knowledge, only Kaspersky blocks what it cannot parse successfully.
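As an added example (my own code, not from the talk), here is what the fail-closed behaviour the speakers credit to Kaspersky looks like in a gateway-side attachment check written in Python: every outcome other than a clean, complete parse of the archive ends in quarantine, never in "allow". The blocked-suffix list, the size limits and the sample archives are constructed for the example.

```python
import io
import zipfile

# Constructed gateway policy for the example: member names blocked outright,
# and the size/ratio limits above which an archive looks like a decompression
# bomb and is set aside rather than expanded.
BLOCKED_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
MAX_MEMBER_BYTES = 50 * 1024 * 1024
MAX_RATIO = 100


def classify_zip_attachment(data: bytes) -> str:
    """Return "allow", "block" or "quarantine" for a ZIP attachment.

    Fail closed: "allow" is only given to an archive that was parsed completely
    and whose every member passed the policy. Anything the parser cannot handle
    (truncated, corrupt, encrypted, not a ZIP at all) is quarantined for a human,
    never waved through as "unknown, therefore safe".
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:
                    return "quarantine"          # encrypted: content cannot be inspected
                ratio = info.file_size / info.compress_size if info.compress_size else 0
                if info.file_size > MAX_MEMBER_BYTES or ratio > MAX_RATIO:
                    return "quarantine"          # decompression-bomb shape
                if info.filename.lower().endswith(BLOCKED_SUFFIXES):
                    return "block"
            # testzip() inflates every member and returns the first bad one;
            # an archive that cannot be fully read is not proven clean.
            if zf.testzip() is not None:
                return "quarantine"
    except (zipfile.BadZipFile, zipfile.LargeZipFile, RuntimeError,
            EOFError, OSError, ValueError):
        return "quarantine"                      # parse failure is not evidence of safety
    return "allow"


def build_zip(members: dict) -> bytes:
    """Constructed sample archive from {name: content}, for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

The same three-way verdict applies to every other container format a gateway unpacks (RAR, PDF, nested archives): the parser's failure is a signal to hold the file, not a reason to pass it on.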

As a result, Thierry discovered more than 800 ways of bypassing AV! And Sergio discovered 80 vulnerabilities, of which only 30 have been patched. At times, Sergio saw a vulnerability patched silently, without being given due credit for reporting it first...

They also showed some funny responses they got from AV vendors to their vulnerability reports. In one case, Thierry sent a malicious RAR archive that bypasses Symantec AV. Symantec responded that the archive was not properly constructed... If only they had opened it with WinRAR instead of their own parsing engine, they would have realized the problem!

Last but not least, Sergio showed a 0-day in eTrust exploiting a heap overflow. The same exploit worked on Windows XP, 2003 and ASLR-enabled Vista (according to Wikipedia, Windows Vista has ASLR enabled by default, although only for executables specifically linked to be ASLR-enabled, so maybe eTrust is not linked that way)!

Thierry and Sergio nicely summed up their presentation by saying that "the more you protect yourself, the more you are vulnerable". Give some alternative thinking to this.
|

Security Trade-offs By Example: When CAPTCHAs Drive Your Users Nuts!

I.T. security is all about trade-offs. And sound trade-offs mean you have a good balance between your security strategy and your business posture. Making sound trade-offs means that you have an idea of the threats and risks (at least the perceived ones) you are facing. Betabug pointed me to a wonderful collection of crazy CAPTCHAs. Some of those have very questionable content, but most are either unreadable even with a truckload of good will or require lots of mind wrestling to get right. What are the goals of the designers? Preventing SPAM or account abuse while completely disgusting their users? Sure! No users, no SPAM/abuse. If I were an attacker, why the hell would I want to 0wn your assets without a good motivation? If you turn off your users, there's a good chance you turn me off too! What's the trade-off? Turning something that was designed to distinguish between humans and computers into something that puts everyone in the same bag: the excluded one.

Just one more example of bad security...
|

Alternative Thinking

Reading John And John #619 (warning: very crude/explicit content... you've been warned) reminded me of one of the key skills hackers have, and which is very important for security practitioners to acquire or at least fully understand: their ability to think "out of the box", what I call "Alternative Thinking", or, as the Perl motto goes, there's more than one way to do it. John And John #619 is a perfect illustration of this skill. One of the Johns has simply found a new (disgusting but very effective) way of checking whether a seemingly dead person is really dead. No "normal", "socially behaving" person would think of or do something like that. But it works! And that's what counts in the end.

When you are setting up your security architecture, what are you protecting against? Perceived (as opposed to real) risk? Known (as opposed to unknown) threats? Or are you just throwing together a bunch of security products (remember that security is a process, right?) according to some "best" practices and hoping for the best? I don't believe you can efficiently defend something you don't fully understand. Without a complete understanding of the e-commerce application the developers throw in your hands for protection, you won't be able to practice "Alternative Thinking" and come up with sound attack scenarios and misuse cases. And you won't make the right trade-offs for balancing security and business objectives.

Give this some "Alternative Thinking" time.
|

Upcoming Meetings Of OSSIR's SUR Group

If you're a regular reader of this blog, you probably know that I quite frequently give presentations at the meetings of OSSIR's SUR group. I also co-chair the group with Hervé Schauer.

As you can see in the group's presentation calendar, we have set the programme for the next three meetings (October, November and December). In principle, I'll give a report on the Hack.lu 2007 conference with my friend and colleague Jérôme Leonard at the December meeting. Let me remind you that attending SUR group meetings is free and, except in very rare cases, requires no prior registration.

The meeting programme as well as the date and venue are announced first on the group's mailing list (sec@ossir.org). I strongly advise you to subscribe. Traffic is relatively low and the discussions (trolls included) are of good quality ;-). The list is moderated, so in principle you won't be exposed to more spam, except perhaps for the automatic out-of-office notifications that Outlook users and users of other MUAs never fail to set up (for justified reasons or not). The moderators, of whom I am one, can sometimes unsubscribe users who send such messages. Just let us know. See OSSIR's Listes Electroniques page if you'd like to subscribe.
|

Metasploit In La Lettre Techniques De l'Ingenieur

I wrote an article titled Un cadriciel puissant : Metasploit for La Lettre Techniques De L'Ingénieur (August 2007 issue). It's a paid publication. In this article I cover (more or less) the material from the presentation I gave at the SUR group meeting in December 2006.

|

BIND 9 Hardening In MISC 33

Issue 33 of MISC, a French magazine dedicated to computer security, came out a few days ago. It's usually sold on newsstands in France, Belgium, Morocco and certainly other French-speaking countries. There's even a German edition.

This issue contains a practical guide to hardening a BIND 9 primary DNS server, written by your humble blogger. I tried to make it as educational (and entertaining) as possible, in a pure "edutainment" spirit.

If you get a chance to read it, I'd be interested in your comments.
|

New Resume Page

I have finally devoted some precious time to update my resume. If you are interested, you can look at the English and/or French version (PDF) available from the new Resume page. Other formats available on request.
|

And Speaking Of Forgetting ... Claire Has Joined Us

I also completely forgot to mention that DocIsland has grown again, with a quality member. Claire Vignot, the first woman in our group, joined us several weeks ago already! DocIsland therefore now has 13 members ... The superstitious will say that number brings bad luck. Well, all that's left is to find a fourteenth.



Incidentally, DocIsland's website has had its long-awaited facelift, with a logo to boot.
|

Image SPAM And FOSDEM In La Lettre Techniques De l'Ingenieur ... And PDF SPAM

I completely forgot to mention that I wrote an article on image spam as well as a report on the security talks given at FOSDEM 2007. These articles appeared in La Lettre Techniques De L'Ingénieur (April 2007 issue). The link points to a PDF file that presents this (paid) publication on its second page.

Since I wrote that article, an interesting evolution of image spam is worth noting: "PDF" spam. The subject was discussed on the SUR group (OSSIR) mailing list. Here's what I think of it, broadly:

On Jun 26, 2007, at 11:09 AM, Guillaume Arcas wrote:

> Alongside the discussion started on image spam and then Signal-SPAM,
> a quick question: this morning I received my first PDF spam, an email
> with a PDF file attached, the file containing an ad for the usual
> pharmaceutical products.

> I hadn't noticed this kind of spam before: did I miss it, or
> is it a new trend?

New trend. A quick Google search gives quite a few nice results, including [1] (in English). It doesn't seem completely unreasonable compared with the goals of classic image spam. The cost of generating PDFs is relatively low. Moreover, it's not an image format, so quite a few anti-spam products (all of them?) won't know how to analyse it. However, the current weakness of this technique is the similarity of the files sent. Checksum-based filtering should give good detection results ... until they switch to on-the-fly generation.

Just my 0.02 cents.
--
[1] http://www.heise-security.co.uk/news/91523

Want an example? You only have to ask:


Since then, Guillaume Arcas has run a few experiments on his side, and it seems the spammers have already switched to on-the-fly generation:

Hello.

Following the brief discussion started earlier on PDF spam, and in
particular on checksum filtering of attachments, here's an overview of
what I've received over the last few days:

$ md5sum *.pdf

In short, checksums aren't going to cut it...

These PDFs don't show the same content but concern the same target
(buying shares in two companies). Note that while the company name is
of course the same, the content differs as to the share price or the
supposed rate of increase. That would argue for on-the-fly generation
of the PDF.

I didn't, however, take the time to look at the headers.

Regards,

Thanks Guillaume!
|

Outlook 2003, HTML Rendering and Anti-Spyware Products

Some time ago, I started experiencing a crippling problem with email rendering (particularly HTML email) in Outlook 2003. Before you cry foul: my regular MUA is Apple's Mail.app, but I do use Outlook 2003 for some customer-related mailboxes I have besides my normal mailbox.

I have all the latest and greatest (hum...) patches installed, and I really wondered what caused such a slowdown. Whenever I click on a message in the panel or start replying to an HTML mail, it takes a lot of time. Entering the right keywords in Google and "strolling" past the stupidity of some of the advice (uninstall security patch bla, modify this registry key and pray for a better world...) brought me the answer:
Sandi - Microsoft MVP
Please don't uninstall the security update. Try this instead.

This problem is often caused by a "protective" protocol that I do not
support or recommend, that is, loading down the registry by adding a slew of
sites to IE's Restricted Sites zone - sometimes tens of thousands of URLs.
Products that "protect" you by loading down the registry in such a way
include Spybot, IE-Spyad and Spyware Blaster.

IE7 has made changes to the way that the rendering engine interacts with the
Restricted Sites zone - the end result is that if you are using Outlook (not
2007), have IE7 installed and use HTML as your email format, then when you
type an email the IE rendering engine will check the registry for entries in
IE's Restricted Sites zone **every time you type a character**.

FIXES:

Remove all of those entries in the Restricted Sites Zone - a quick way to do
this is to reset Internet Explorer's settings (Tools, Internet Options,
Advanced tab)

I do use Spybot S&D and Spyware Blaster, and I found many URLs in the Restricted Sites zone. Since I rarely use IE as a browser, I removed the entries as advised, and Outlook started working normally again. Quick and clean. Thanks Sandi!

I also deactivated the Spybot BHO so that next time it won't block URLs and cripple Outlook again.
|

Slides Of "Bro : un NIDS pas comme les autres ?" Available

The slides of the presentation Bro : un NIDS pas comme les autres ?, given on 16 January 2007 at the SUR group (OSSIR) meeting in collaboration with Guillaume Arcas, are available in PDF format. Guillaume took care of the presentation, taking into account the very interesting remarks of Franck Debieve and JP. Luiggi, and my few "cosmetic" remarks. I handled a demonstration of Bro 1.2.1 from the viewpoint of a user who knows Unix well (the platform used for the demo was FreeBSD 6.2-PRERELEASE) and Snort, trying to show clearly that Bro, while very interesting, remains incomplete in terms of "packaging" (post-installation configuration, management tools, ...) and documentation.

|

OpenBSD Training Slides Available

As part of my work, I create and deliver training courses on security and computer networks. I developed and maintain a training course on the free OpenBSD operating system, which is maintained by the project of the same name; a project I belong to, mainly as French translator and lead coordinator of the translation effort.


This course, which I usually deliver over 4 to 5 days, on-site or off-site, covers the following topics:

  • Overview
  • Basic usage
  • Overview of available services
  • User management
  • Network management
  • Ports and packages
  • File system
  • Cron and log management
  • Apache
  • OpenSSH
  • Packet Filter (PF)
  • IPsec
  • Maintenance and updates

HAPSIS, my employer, has released under the BSD licence the slides (PDF) of an older version of this course, covering OpenBSD 3.7 (we are now at 4.0). Even though that version is a bit dated, most of the information in it remains relevant.

I'd like to thank Fabrice Frade for accepting my proposal to release these slides so quickly.

|

A Method For Reading Technical Books

When reading technical books, I use a variation of Richard Bejtlich's reading method. Please take the time to read his post before continuing with this one.

As far as I can tell, my method takes more time but it allows me to fully understand key material and "engrave" it in memory. I use a combination of post-it flags and plain, bright yellow highlighters and three reading passes:
  • First pass of reading. Usually not very mentally taxing. Flag key ideas with the post-it flags. I usually do this during my daily commute (currently 1h15 * 2 approx) on public transport.
  • Second pass of reading. Give more concentration juice to the flagged items. Highlight the parts that need to be fully understood and remembered. Take notes using a pencil when applicable. I usually do this either at home/work or while commuting.
  • Third pass of reading. This is done some time later (after reading two or three other books, for example). Skim over the text and reread the flagged/highlighted items. Take notes using a text editor, wiki or something like that. I currently use VoodooPad. Enter important URLs in bookmarks (in a special "Analyze this" folder) and/or in del.icio.us (using a special tag). I usually do this at home/work.
|

Marty Roesch on Snort 3.0

I've been to the groupe SUR monthly meeting in Paris (which I co-supervise with Hervé Schauer) this afternoon. As usual, there were two talks. While I gave the second talk with my friend Guillaume Arcas on Metasploit (the slides, in French, are online), the first was given by Marty Roesch, creator of Snort and founder of Sourcefire. The topic of his talk was The History and Future of Snort.

Marty started with the history of Snort: how it all started back in 1998 as an OSS pet project of his, how Snort gained momentum, how he started developing full-time and founded Sourcefire. I have been playing with Snort on and off since version 1.5 and this part of the talk was quite nice. It helped me understand how Snort got where it is now with version 2.6.1.2. But things got much more interesting when Marty started speaking about the future of Snort and what features might be integrated in Snort 3.0, the next major version of this popular NIDS:
  • Auto-tuning
  • Auto anti-evasion (for layers 3 & 4)
  • Auto-prioritization of events
  • No stopping to change configuration
  • Taking advantage of multi-core processors

Snort 3.0

The first three features (auto-tuning, auto anti-evasion, and auto-prioritization) revolve around the same concept, called target-aware processing. Basically, if the NIDS can have confidence in what the attacked endpoint is (operating system, targeted application ...), it will be able to:
  • Feed just the right policies (sets of detection rules) to the detection engine, thus eliminating unnecessary and often painful tuning (which is seldom done, if at all) and achieving the auto-tuning goal. Note that this is different from the current RNA (Real-time Network Awareness) product sold by Sourcefire. The detection engine in Snort 2.x is not aware of the RNA, and all the intelligence (that is, the correlation of the NIDS and the RNA data) is done on the Defense Center, the central management software sold by Sourcefire.
  • Model the target in such a way that the NIDS knows how to reassemble TCP packets or defragment IP packets and mimic the target. Marty said that evasion is a big issue and a very hard problem to solve. At least with knowledge gained on the target, Snort could become harder to evade in layers 3 & 4.
  • Auto-prioritize events given knowledge of the target. Again, this is not RNA. The knowledge is gained somehow and fed right into the sensor, so that when it sees an attack and knows that the target might be vulnerable to it, it helps the analyst by giving that attack a higher priority that should be acted upon right away.
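As an added example (not Snort code, and not from Marty's talk), here is a toy model of target-aware processing: an asset inventory decides which rule set a host gets (auto-tuning) and how an alert against that host is ranked (auto-prioritization). Host addresses, rule ids and platform names are constructed.

```python
"""Added example, not Snort code: a toy model of target-aware processing.
An alert carries the platforms its rule applies to; an inventory says what
each host actually runs. From those two facts we (1) select the policy to
load for a host and (2) rank an alert against that host.
All hosts, rule ids and platform names below are constructed."""
from dataclasses import dataclass, field

# Constructed inventory: what the sensor believes each endpoint runs.
INVENTORY = {
    "10.0.0.5": {"os": "windows", "apps": {"iis"}},
    "10.0.0.9": {"os": "freebsd", "apps": {"apache", "openssh"}},
}

# Constructed rule policies keyed by platform. A real engine would load the
# rule sets themselves; here each policy is just the set of rule ids it holds.
POLICIES = {
    "windows": {1001, 1002},
    "iis": {2001},
    "freebsd": {3001},
    "apache": {4001},
    "openssh": {4002},
}


@dataclass
class Alert:
    rule_id: int
    dst: str
    # platforms the rule's vulnerability applies to (rule metadata)
    affects: set = field(default_factory=set)
    base_priority: int = 3  # 1 = highest, like Snort's priority keyword


def policy_for(host: str) -> set:
    """Auto-tuning: the union of the rule ids relevant to what the host runs.
    Unknown hosts get every rule, which is the untuned Snort 2.x behaviour."""
    info = INVENTORY.get(host)
    if info is None:
        return set().union(*POLICIES.values())
    selected = set(POLICIES.get(info["os"], set()))
    for app in info["apps"]:
        selected |= POLICIES.get(app, set())
    return selected


def prioritize(alert: Alert) -> int:
    """Auto-prioritization: raise the priority when the target runs something
    the rule's vulnerability affects, lower it when we know it does not."""
    info = INVENTORY.get(alert.dst)
    if info is None:
        return alert.base_priority  # no knowledge: leave it as is
    target_platforms = {info["os"]} | info["apps"]
    if alert.affects & target_platforms:
        return 1  # target is likely vulnerable: act on it now
    return min(alert.base_priority + 1, 4)  # known non-target: demote


def relevant(alert: Alert) -> bool:
    """Would this rule even be loaded for the alert's destination?"""
    return alert.rule_id in policy_for(alert.dst)


if __name__ == "__main__":
    iis_hit = Alert(2001, "10.0.0.5", {"iis"})
    print("policy for 10.0.0.9:", sorted(policy_for("10.0.0.9")))
    print("IIS rule against IIS host -> priority", prioritize(iis_hit))
    print("IIS rule against FreeBSD host -> priority",
          prioritize(Alert(2001, "10.0.0.9", {"iis"})))
```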

The fourth feature deals with the current need to stop Snort in order to change its configuration. In Snort 3.0, you wouldn't need to stop the detection engine, and lose context while doing so, thanks to threads and data sources. A data source will implement data acquisition and decoding before handing the network data to the detection engine through an API, which is implemented as a thread. If we need to change the configuration, we would create a new thread and migrate the data source to it without context loss. As a beneficial side effect, it would be possible to have fail-over and load balancing between detection engines. A Snort daemon will be used as an interface between the administrator (who issues commands through a Cisco-like "shell" implemented in Lua) and the detection engine.

As for the fifth and last feature, Snort currently does not take advantage of the multi-core architecture of modern x86/x64 processors, and Snort 3.0 needs to solve this.

All in all, it was a very interesting talk. Marty concluded by saying that many of these new features (such as threads and data sources) have been implemented in prototypes or are in the design phase. Since Snort 3.0 represents such a drastic change from the current Snort version, Sourcefire will be releasing subsystem alphas to the community for testing.

Edited to Add (20061213): On a side note, Guillaume Arcas and I will be giving a talk (in French) about the Bro IDS during the next groupe SUR monthly meeting (2007.01.16). Feel free to show up. Attendance is free. And we are also looking for a second talk for this meeting. If you are interested, drop me an email.

Edited to Add (20061218): According to Ureleet, IPv6 decoding will be native in Snort 3.0. Thanks for the update.
|

Slides "Metasploit pour tous ou presque..." Available

The slides of the presentation Metasploit pour tous ou presque... (Metasploit for everyone, or almost), given this afternoon at the meeting of the SUR group (OSSIR) together with Guillaume Arcas, are available in PDF format.
|

Metasploit pour tous ou presque...

Guillaume Arcas, a long-time friend and independent security consultant, will give with me a presentation entitled Metasploit pour tous ou presque... (Metasploit for everyone, or almost) at the meeting of the SUR group scheduled for tomorrow, Tuesday 12 December 2006, starting at 2:00 PM, at the following address:

ENSAM (Ecole Nationale Supérieure des Arts et Métiers)
Room L4/L5
151 Boulevard de l'Hôpital, 75013 Paris.
Métro: Place d'Italie (lines 6 & 7) or Campo Formio (line 5).


Our presentation will start after the talk by Marty Roesch, creator of Snort and founder of Sourcefire, on Snort 3.x, the next version of this IDS.

The goal of our presentation is to make the SUR group audience aware of exploit frameworks, and of Metasploit in particular, with a demonstration to back it up. The topic is approached from the point of view of a security administrator who wants to test the security of the information system under his responsibility.

The slides will be made available after the meeting at http://saad.docisland.org/docs/.

As a reminder, attendance at OSSIR meetings is open to all and free of charge.
|

Jails and Zones in MISC 28

Issue 28 of MISC, a French magazine dedicated to computer security, came out a few days ago. It is usually sold at newsstands in France, Belgium, Morocco and certainly other French-speaking countries. And for a few months now, there has even been a German edition.

This issue contains two practical guides (fiches pratiques) I wrote. The first covers jails under FreeBSD. The second covers Solaris 10 Zones. Both security features are very interesting for compartmentalising applications. I had already given a presentation on jails at the OSSIR SUR group.

If you get a chance to read these two articles, I would be interested in your (constructive, of course) comments.
|

ModSecurity 2.0 Looks Very Interesting

Federico Biancuzzi interviewed Ivan Ristic, ModSecurity developer and author of the Apache Security book (check out Richard Bejtlich's review), a few days ago about the new 2.0 version of this interesting OSS WAF (Web Application Firewall; buzzwords keep flowing these days). It runs as an Apache module and protects your web applications according to policies that you specify.

Version 2.0 is a complete rewrite of the code base, and while it is still available today only as an Apache module, it has been rewritten with portability in mind; Ivan is hoping to release an IIS-compatible version in the not too distant future.

The new version also looks very interesting on the functionality side. Among the major improvements, here is what caught my attention (excerpt from the interview):
  • Transaction variables. This can be used to store pieces of data, create a transaction anomaly score, and so on.
  • Data persistence (can be configured any way you want although most people will want to use this feature to track IP addresses, application sessions, and application users).
  • Support for anomaly scoring and basic event correlation (counters can be automatically decreased over time; variables can be expired).
  • Support for web applications and session IDs.
  • Regular Expression back-references (allows one to create custom variables using transaction content).

Even better (depending on who is using the product): a GUI is available (it doesn't look like OSS, though).

Read the full transcript for more details. I plan to test it as soon as I can. If you already did, let me know what you think.
|

[FreeBSD] Using portsnap With Basic Proxy Authentication

portsnap is one of the most interesting FreeBSD tools for dealing with the ports collection. portsnap, developed by Colin Percival, the current FreeBSD Security Officer, lets you fetch an initial ports tree for your system and keep it updated. For those who don't need CVS logs or don't want to deal with cvsup and the other ports/src tree fetching methods, portsnap is an ideal solution: it connects to web servers for its operation and has an extremely simple syntax that is very clearly outlined in the manpage.

However, you may need to use portsnap through a proxy that requires basic authentication. To do this, you have to define two environment variables, HTTP_PROXY and HTTP_PROXY_AUTH, in your shell (export is a shell builtin, so it cannot be run through sudo; pass the variables on to the portsnap command itself, for instance with sudo -E if your sudoers policy allows it):


$ echo $SHELL
/usr/local/bin/zsh
$ export HTTP_PROXY=http://proxyip:proxyport/
$ export HTTP_PROXY_AUTH=basic:*:username:password


Some readers might be used to the more "traditional" way of specifying authentication credentials right into HTTP_PROXY:

$ export HTTP_PROXY=http://username:password@proxyip:proxyport/


Sadly, this doesn't work with portsnap even though it is valid according to fetch(3).
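As an added example that is not part of the original post: a small Python helper that takes a proxy URL written in the "traditional" user:password@host form and derives the two variables portsnap actually honours, HTTP_PROXY without credentials and HTTP_PROXY_AUTH in fetch(3)'s basic:*:user:password form. Proxy host, port and credentials are constructed.

```python
"""Added example, not from the original post: turn a proxy URL with embedded
credentials into the HTTP_PROXY / HTTP_PROXY_AUTH pair that portsnap expects.
The proxy host, port and credentials used below are constructed."""
from urllib.parse import urlsplit, unquote


def portsnap_proxy_env(proxy_url: str) -> dict:
    """Split http://user:pass@host:port/ into HTTP_PROXY (no credentials) and,
    when credentials are present, HTTP_PROXY_AUTH in fetch(3)'s
    basic:*:<user>:<password> form."""
    parts = urlsplit(proxy_url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("expected an http://host[:port]/ proxy URL")
    netloc = parts.hostname
    if parts.port is not None:
        netloc = f"{netloc}:{parts.port}"
    env = {"HTTP_PROXY": f"http://{netloc}/"}
    if parts.username is not None:
        # urlsplit leaves percent-encoding in place; fetch(3) wants raw text
        user = unquote(parts.username)
        password = unquote(parts.password or "")
        env["HTTP_PROXY_AUTH"] = f"basic:*:{user}:{password}"
    return env


def shell_exports(env: dict) -> str:
    """Render the variables as export lines for a Bourne-style shell; values
    are single-quoted so a password with shell metacharacters stays intact."""
    lines = []
    for name, value in env.items():
        quoted = "'" + value.replace("'", "'\\''") + "'"
        lines.append(f"export {name}={quoted}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed values; replace them with your own proxy's.
    print(shell_exports(
        portsnap_proxy_env("http://alice:s3cret@proxy.example:3128/")))
```

Paste the printed lines into your shell, then run portsnap through sudo in a way that keeps the environment (sudo -E, or sudo env VAR=... portsnap fetch).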
|

Case Sensitivity and Security

Another case of "security" that is getting us nowhere as reported by The Internet Storm Center:

Kaspersky's blog, always a great read, is reporting that there are some "epidemic level" MSN-Worms [...] that "spread using links to .PIF files.". They go on to say:

"But some of you might remember that Microsoft blocked messages containing ".pif"?

Yes they have, but... the MS block is case sensitive!

So the criminals used capital letters, ".PIF" and the network filters let the message flow right through. Other variations like .Pif, .pIf, and so on also work.".

Hopefully, that was easy to fix (taken today from Kaspersky's blog):

Microsoft has fixed the .PIF 'vulnerability' in their MSN network filters as described in the previous blogpost.

So that's one less thing to worry about.

One is left to wonder how such a trivial thing slipped under the Microsoft security radar...
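An added example (not Microsoft's filter) of the pitfall behind this story: the same blocklist checked with and without case folding, run over constructed messages carrying each case variant the post lists.

```python
"""Added example, not Microsoft's code: the case-sensitivity pitfall behind
the .PIF bypass. A naive filter compares the raw extension; the hardened one
folds case first. The sample messages are constructed."""
import re

BLOCKED_EXTENSIONS = {".pif"}

# Crude link finder: a URL or bare filename ending in a dotted extension.
LINK_RE = re.compile(r"\S+\.[A-Za-z0-9]{2,4}\b")


def extension_of(token: str) -> str:
    """Return the final dotted extension of a URL or filename, untouched."""
    token = token.rstrip(".,;)")
    dot = token.rfind(".")
    return token[dot:] if dot != -1 else ""


def naive_blocks(message: str) -> bool:
    """Case-sensitive check: the behaviour the ISC post describes."""
    return any(extension_of(t) in BLOCKED_EXTENSIONS
               for t in LINK_RE.findall(message))


def hardened_blocks(message: str) -> bool:
    """Case-insensitive check: fold case before comparing.
    casefold() also handles non-ASCII letters that lower() gets wrong."""
    return any(extension_of(t).casefold() in BLOCKED_EXTENSIONS
               for t in LINK_RE.findall(message))


# Constructed sample messages, one per case variant mentioned in the post.
SAMPLES = {
    "lower": "check this out http://example.invalid/photo.pif",
    "upper": "check this out http://example.invalid/photo.PIF",
    "mixed": "check this out http://example.invalid/photo.pIf",
    "clean": "check this out http://example.invalid/photo.jpg",
}


def compare() -> dict:
    """Which filter blocks which sample: (naive, hardened) per message.
    Every (False, True) row is a message the naive filter let through."""
    return {name: (naive_blocks(msg), hardened_blocks(msg))
            for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:5s} naive={verdict[0]!s:5s} hardened={verdict[1]}")
```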
|

It's All About Trust

Excellent video about Trusted Computing. Check it out!
|

Jail presentation at the SUR group

I presented jail, a security and (well, almost) virtualisation solution, at the SUR group meeting of 11.04.2006. The slides of this presentation are available in PDF format at http://saad.docisland.org/docs/files/sur20060411-jail.pdf.

If you have any questions or comments, feel free to send them to me by email: saad at docisland dot org.
|

Recovery from malware? Don't even think about it!

eWeek has a very interesting article on what Microsoft thinks of malware and what its customers should do in case of infection. Let's get straight to the conclusion: once you get infected, Microsoft thinks it becomes impossible to recover. So they are advising their customers to invest in automated processes to wipe the hard drives of the infected machines and reinstall everything.

Sound advice, but how do you exclude the infection vector from the reinstallation process while keeping the operating system and the applications running smoothly? Or do we just reinstall and protect our machines with Holy Water(tm) until Patch Day, if there is a patch in the first place, and then wait at least 15 days to check that the patch doesn't break business before deploying it?

Oh, you said user education? Good, let's see how the average user will cope with stuff such as ActiveX controls, Browser Helper Objects, DCOM and the like. Don't get me wrong. User education is very important, but it ain't no magic bullet, particularly if the system and applications they are using are screwed. For instance, what do we teach users regarding the latest Internet Explorer 0day? We tell them once more to stop using Internet Explorer and use FireFox? C'mon! Think about it. Will we end up with a huge list of "application : alternative" pairs and switch to this or that whenever a vulnerability shows up? Don't you think something smells really, really bad here?

According to eWeek, Mike Danseglio, program manager in the Security Solutions group at Microsoft said:

"Detection is difficult, and remediation is often impossible," Danseglio declared. "If it doesn't crash your system or cause your system to freeze, how do you know it's there? The answer is you just don't know. Lots of times, you never see the infection occur in real time, and you don't see the malware lingering or running in the background."

100% true. So what does Microsoft do about it? Is this an externality to them? Does it impact shareholder value in any way?

And about targeted attacks:

Danseglio said malicious hackers are conducting targeted attacks that are "stealthy and effective" and warned that the for-profit motive is much more serious than even the destructive network worms of the past.

So much for penetrate&patch.

But the software is not the only one to blame here:

"Social engineering is a very, very effective technique. We have statistics that show significant infection rates for the social engineering malware. Phishing is a major problem because there really is no patch for human stupidity," he said.

So far, so bad. Microsoft won't do anything really significant about it as long as this doesn't significantly impact shareholder value. Every piece of advice Mr. Danseglio gave requires investment from the customers. Nothing new: it's an externality for Microsoft.
|

OpenBSD 3.9 pre-orders are open

Pre-orders of CD sets of the next version of OpenBSD, 3.9, are now open. OpenBSD 3.9 will be released on May 1, 2006. The CD sets will be shipped around this date.

If you want to support the OpenBSD project, please pre-order the CD sets. The money we get from the CD sales allows us to further develop the operating system and the associated projects such as OpenSSH, OpenNTPD, and OpenBGPD.

European users can order directly from Wim, a fellow OpenBSD developer located in Belgium. Other users should use the International site.
|

Mac OS X hacked in 30 minutes?

According to ZDNet, a Swedish man set up a challenge inviting people to hack a Mac Mini. The challenge was over shortly after, since someone successfully gained root access to the machine, and he did so, the report said, in 30 minutes.

If I stopped here without giving you real meat to chew on, you'd end up thinking that Mac OS X is not secure and that you'd be ill-advised to use this operating system for hosting your valuable data. But MacWorld gave a few more, very interesting details:

Anyone that wanted to hack the machine was given access to the machine through a local account (which could be accessed via SSH), so the Mac mini wasn’t hacked from outside — root access was actually gained from a local user account.


Aha! That's interesting. Anyone working in the I.T. security field knows that, most of the time, when someone gains local access it's game over. Local exploits are often much more powerful and deadly than remote ones. That's why we have layered network security, security by default, and so on. It's like letting as many strangers as possible into a besieged castle without knowing whether they are friends or foes. If only one stranger heads for the king's lair (which might not be that secret) and slays the poor man, what good would your 2-mile-thick walls, 250,000 soldiers, and all the other _external_ security measures you have put in place do? If I were the stranger who slew the king, the first thing I'd do is behead the castle's security officer.

Mac OS X has reasonable protections against outsiders. But when you punch holes through these protections and let outsiders become insiders, what do you expect? How many operating systems are there that will do better?

I think the challenge was a very stupid move to attract attention. But it spreads FUD (Fear, Uncertainty and Doubt) as a side, maybe wanted, effect.


|

Solaris Express 02/06, ahead of time?

I finally took the time to install the latest release of Solaris Express (02/06, build 31a) for testing purposes. My U10 not being exactly a speedrunner, I installed only Core System Support. That's about 869MB according to the Solaris installer; the Entire Distribution is 5438MB.

The installation went smoothly. And upon login, here is what I can see:

Sun Microsystems Inc. SunOS 5.11 snv_31 October 2007

Warning Will Robinson! Danger ahead! This made me check the clock three times using independent sources. It appears that Sun Microsystems is way ahead of the competition. Besides DTrace, containers, self-healing and other technologies, it successfully integrated Future Jump(tm) into the latest release of Solaris. What an achievement!

OK, let's see how Future Jump(tm) works by trying to read a file:

# id
uid=0(root) gid=0(root)
# cd /etc
# ls -l ftp*
total 14
-rw-r--r-- 1 root sys 1518 Jan 3 10:01 ftpaccess
-rw-r--r-- 1 root sys 946 Jan 3 10:01 ftpconversions
-rw-r--r-- 1 root sys 104 Jan 3 10:01 ftpgroups
-rw-r--r-- 1 root sys 108 Jan 3 10:01 ftphosts
-rw-r--r-- 1 root sys 114 Jan 3 10:01 ftpservers
-rw-r--r-- 1 root sys 198 Jan 3 10:01 ftpusers

Good! Let's read ftpusers:

# more ftpusers
ftpusers: No such file or directory

Future Jump(tm) prevents root (the almighty root!) from reading /etc/ftpusers, which according to ls exists and contains 198 bytes of data. But Future Jump(tm) sees into the future, and it knows that this file won't exist anymore starting from October 2007. So why bother reading a file that won't exist anymore in a year and a half? Maybe because the Good Guys at Sun engineering didn't bother integrating an SSH service out of the box in Core System Support, so we have to stick with ol' daddy ftpd, and we would like to do so as root?
|

Virus feature in PC Expert

The March 2006 issue of PC Expert, a French computer magazine, contains an extensive feature on viruses.

Philippe Roure, co-author of the feature, consulted me on a number of topics, notably IDS/IPS, buffer and heap overflows, software quality, and the binary reverse engineering used to create exploits very quickly from vulnerability patches. I am quoted twice, on pages 56 and 57.

This is my second contribution to this magazine.
|

FOSDEM. Day 2

After 6 hours of excellent sleep, I woke up to the World with the joyful and playful tone of Thierry Deval's children. These little guys are affable. Thierry's daughter reminds me a lot of my own.

After a good breakfast, we drove to ULB (Université Libre de Bruxelles), where FOSDEM is held, and we arrived around 12:15PM. Too late to see Xavier Santolaria, who had left for his hockey game 15 minutes earlier. So no shot of the pimp coder of fuxor.pl this year (no, it's not in the OpenBSD tree; if it were, cvs.openbsd.org would have been subject to erratic network disruptions).

For those of you who have been to France but not to Belgium, note that pain au chocolat is called couque there. And for all the time I've been going to Belgium, couques taste slightly better. They might have either good baking schools, some unnamed chemical component added to the food or both. Whatever it is, I really like this kind of food.


Anyways, Sunday was far more productive than Saturday, or so it seems. We had many visitors but we could cope with them while continuing to work. Maybe it's due to the excellent stability of the Internet connection. Wim showed off some Soekris boxes as well as some prototypes that needed some hardware hacking (with a saw) to assemble correctly. And Reyk Flöter gave a talk on OpenBSD and WLANs. He mentioned the problems our FreeBSD neighbors had with their Atheros-based AP. He didn't understand why they didn't import his fixes into their tree.

Then it was about time to leave. Matthieu Herrb and Marc Balmer left earlier. Uwe Stühler, Reyk, Alexandre Anriot and me followed an hour or so later. We left the booth in the good hands of Wim and Nikolay Sturm.

I've taken close-ups of the developers and the finger^Whardware hacking skills of Wim.

Overall, it was nice to hang out with the gang and talk with the visitors, some of whom are FOSDEM regulars. Once more, I didn't have the motivation to go to the talks I hoped to see. So next year, I won't even look at the schedule. That'll spare me some useless key pressing to fill my calendar.

Updated to add:
It seems I got it a bit wrong on the couque side. According to Xavier Santolaria:

xsa: btw saad, "couques" != "pain au chocolat", "couques" is a generic meaning for such stuffs, coz you can have "couque a la creme", or "couque au raisin", etc... so it'd be "couque au chocolat" ;)

Thanks Xavier!
|

FOSDEM. Day 1, Part 2

The OpenBSD booth ran smoothly this afternoon with numerous people coming to see us and all our posters were gone.

We had fewer technical questions than last year. One guy was having a bad time with his PF configuration. IIRC, he told us that he needed to open port X on the firewall to be able to forward port X to port Y of a machine behind it. Uwe and Marc helped him with his ruleset and showed him that he was wrong. From there, they went through the ruleset in more detail and gave him some optimization and security advice.

I also got about the same questions I get every year:

  • What are the differences among Net, Free and OpenBSD?
  • How do I install third-party applications under OpenBSD?
  • Do Net, Free and OpenBSD use the same kernel?
  • What optimizations are used in the Linux kernel used by OpenBSD? (*new entry*)

The Internet connection, while it kept coming and going from time to time, was far better than this morning. Thanks to Reyk and a Soekris, we had a stable wireless AP unlike the (censored) one. As a result, some slackers morphed into hackers and got some work done.

My initial plan was to attend the DTrace and Xen talks but I enjoyed the company of my fellow developers and didn't attend.


Later in the afternoon, we cleaned the booth and took the cars to go to the traditional OpenBSD dinner somewhere in the outskirts of Brussels.

We had a nice time together and the meal was good. Too bad the waitress forgot some of the orders and gave Wim chicken instead of the seafood he ordered. No worries, beer helped the mood.

I've uploaded today's remaining pictures. You might find them with the other FOSDEM 2006 pictures.

|

FOSDEM. Day 1, Part 1

Everything went smoothly after our arrival at Brussels Midi. Well, almost. At 12:30PM, there is still no stable Internet connection. Let's face it: the FOSDEM staff haven't learned anything from the previous years.

Every year, we hope we'll have an Internet connection upon our arrival. Every year we grow frustrated. Hell! This is an Open Source and free software meeting and all the projects here rely heavily on the Internet to get things done. And yet, it didn't sink in with the FOSDEM staff. Even after all these years. It's simply beyond my understanding.

On the OpenBSD booth front, there are a few developers: Reyk Flöter, Uwe Stühler, Nikolay Sturm, Thierry Deval, Matthieu Herrb (who disappeared soon after we arrived), Marc Balmer, Alexandre Anriot, Xavier Santolaria (who went to play hockey for the afternoon), Otto Moerbeek, and -of course- Wim. Dimitar, our official beer supplier, also showed up for a few minutes.


I've taken pictures and I will upload them as soon as I get .... a stable Internet connection.
|

On the way to FOSDEM

I've been attending FOSDEM since 2001 and this year is no exception. Fellow OpenBSD developer Alexandre Anriot (who, besides nifty chop-socky porting skills, helps me a lot on the translation effort) arrived yesterday night.


We woke up early this morning to take the Thalys train to Brussels Midi railway station where Xavier Santolaria will pick us up and give us a ride along with Nikolay Sturm, Matthieu Herrb and Marc Balmer to ULB (Université Libre de Bruxelles) where FOSDEM is held. We will join the OpenBSD crowd there.

I sincerely hope that we will have a better booth space than last year (we had two tables in front of drink machines, so people were always going back and forth and it was really annoying).

Looking at the FOSDEM schedule, there are some talks that look interesting which I would like to attend. I hope I won't slack too much on the OpenBSD booth and will go learn something useful that I may share with you.
|

Mr Murphy pays a visit ... twice

Yesterday night I was performing maintenance on wax, a multi-purpose machine I use for development, file serving, backup and routing for the rest of my home network. wax is a Dell Dimension 4550 machine that runs OpenBSD and has something like 600GB worth of disk. The maintenance consisted of upgrading the OS version and updating most of the applications I use through the OpenBSD ports collection.

The upgrade went very well and I started building the latest versions of my favorite applications from the ports collection. During the build process, I was enjoying some great music on my PowerBook and reading the latest issue of MacWorld in electronic form. You could say I was relaxed and confident that I was going to get to bed (soon) in a happy mood.

Sadly, Mr. Murphy, the most dreaded man on Earth, thought otherwise. He and his Law decided to pay me a visit.

I started to smell a nasty odor. Fried electronics! Oh, no! Using the Nose(tm), I began tracking it down. Is it coming from my PowerBook? From the cable modem? From the KVM switch? ... S***, it's wax's fan! It doesn't work anymore!!!

In a big hurry, fearing the loss of more than a fan, I stopped all the builds and halted the machine. Once I untangled and yanked all the cables, I opened the box to assess the damage. I was relieved to see that there was no other problem. The trouble now consists of finding a similar fan, since the Dell box's warranty expired 3 months ago. I wrote Dell an email hoping that they sell spare parts. If you sell (or know someone who sells) a JMC Datech 92x92x32 (12V, 0.85A, 83.1 CFM) fan or a similar one, please send me an email, even if it's used or refurbished.

I thought I was done with Mr. Murphy for the night. So I started cleaning up my desk and preparing my backpack for tomorrow's ride to work. But Mr. Murphy is an insidious man who enjoys hospitality. The fan of kaboo, a Dell Dimension 8400 workstation, started to make weird noises. Please Mr. Murphy, don't tell me that a second fan is going to pass away.

I repeated the previous procedure: untangle cables, yank them, shut down and open the box. Phew, the fan seems to be OK. The noise is due to two damaged rubber clips that no longer hold the fan. As a result, when the fan is rotating it hits from time to time the plastic enclosure. kaboo is still covered by warranty so no worries!

Lessons learned:

  • Mr. Murphy is as strong as ever (did I tell you that last week my iPod Photo ceased to work so I had to call AppleCare to the rescue?).
  • If you have important data, back it up now and make sure you do it regularly and you have properly documented the backup procedure. Better be safe than sorry!
  • The server that hosts the important data must be covered by a strong warranty. In my 5y+ experience with Dell, their warranty and support are very good.
  • What do you do when your backup server dies and Mr. Murphy decides to stay, lurking inside your dear workstation or laptop that holds all your electronic life?

Who said I.T. is fun?
|

WMF and OpenSSH presentations at the SUR group

I gave two presentations at the SUR group meeting of 10.01.2006:

• WMF flaw: this presentation mainly covered the first WMF flaw discovered in the Windows GDI engine on 27.12.2005, with some information on the new WMF flaw discovered on 09.01.2006. The slides of this presentation are available in PDF format at http://saad.docisland.org/docs/files/sur20060110-faille_wmf.pdf.
• Multiplexing in OpenSSH: this presentation covered the multiplexing feature available in OpenSSH since version 3.9, significantly improved and stabilised in recent versions. The slides of this presentation are available in PDF format at http://saad.docisland.org/docs/files/sur20060110-mux_openssh.pdf.

If you have any questions or comments, feel free to send them to me by email: saad at docisland dot org.
|

New WMF vulnerability

A new WMF vulnerability has been discovered in the Windows GDI rendering engine. Technically, these are in fact two vulnerabilities in the ExtCreateRegion and ExtEscape functions of gdi32.dll.

Both vulnerabilities cause memory corruption in applications that use the WMF image format. Proof-of-Concept exploit code has been published; it exploits the vulnerability to cause a denial of service. According to SecurityFocus and the ISC, arbitrary code execution is not far off, even though Microsoft sees only performance problems in this vulnerability.

Let's hope Microsoft is right.
|

Microsoft fixes the WMF flaw

Microsoft has finally released a patch for the critical WMF flaw, 5 days ahead of the planned date. F-Secure thinks Microsoft's testing finished earlier than expected. For my part, I would say that the threat is so great and the pressure from their big customers so strong that they decided to react. Good!

Incidentally, note that Microsoft did not recommend the unofficial patch provided by Ilfak Guilfanov, and yet, strangely, their patch is functionally identical to Ilfak's.

The Internet Storm Center provides detailed instructions (in English) for installing this patch cleanly, especially if you installed Ilfak Guilfanov's unofficial patch.
|

Translation of the ISC WMF FAQ

Given the importance and criticality of the WMF flaw in Windows operating systems, the ISC (Internet Storm Center) wrote a very good FAQ on the subject.

I translated this FAQ into French. You can read it at the following address:

http://www.docisland.org/~saad/ISC_wmf_faq_fr.html


The problem is very serious. Don't wait to act.
|

Variable Biometrics, Variable Security

Your company has decided to take the technological plunge and has given in to the FUD (Fear, Uncertainty and Doubt