February 26, 2008

PlateSpin acquired by Novell

Virtualization.info blogged yesterday about Novell acquiring PlateSpin.
According to Perilli, Novell is mainly interested in PlateSpin Forge, its new disaster recovery product. I've blogged before about the role of virtualization in disaster recovery techniques, and this is one more fact supporting my thesis: even before everything goes virtual (which in time will happen), most disaster recovery solutions will be virtualized.

February 25, 2008

LinkedIn goes mobile

LinkedIn announced the availability of a mobile version of its popular professional social network.
Ok, it's an improvement: now you don't need to actually exchange business cards anymore. No more "Nice to meet you, Tom, here is my business card".
Finally you can do something like: "Nice to meet you, Tom." "Sure, Paul, wait a minute please... let it connect..." "I'm waiting." "...sure, just a second, here we are, logging in..." "I'm still waiting." "...and now tapping here and there and here, I should finally be able to add you to... where are you going, Paul?"
You build a mobile version of a social network and still don't embed a simple contact exchange protocol between phones? Am I asking too much for this century?

VMware shared folder vulnerability

Here we are again. Core Security just published an advisory about a directory traversal vulnerability in VMware's implementation of shared folders: a user inside a guest can read and write ANY directory in the host's file system. That is exactly the guest/host boundary the hypervisor is supposed to enforce. Until the fix is installed, the obvious stopgap is to disable shared folders on every host that runs guests you don't fully trust.
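As an added example (not code from the advisory and not VMware's own code), here is the shape of this bug class and of the check that prevents it, in Python: a broken resolver that simply trusts the guest-supplied path, next to one that normalises the path and then verifies it still lies inside the share. The share root, the guest paths and the function names are all assumptions for the sake of the example.

```python
import posixpath

# Hypothetical share root on the host. The real HGFS layout is not described on
# this page; this is simply the directory the guest is allowed to reach.
SHARED_ROOT = "/home/user/vmshare"


def naive_resolve(root, guest_path):
    """Broken resolver: joins the guest-supplied path and trusts the result.
    A guest asking for '../../etc/passwd' walks straight out of the share."""
    return posixpath.normpath(posixpath.join(root, guest_path))


def safe_resolve(root, guest_path):
    """Hardened resolver: normalise first, then verify the result is still
    inside the share. Returns None for any path that would escape."""
    # Treat every guest path as share-relative: fold Windows separators and
    # strip leading slashes so an absolute path cannot override the root.
    rel = guest_path.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, rel))
    root_norm = posixpath.normpath(root)
    # Containment is checked on the normalised path with a trailing separator:
    # "/home/user/vmshare_evil" starts with "/home/user/vmshare" as a string
    # but is not inside it.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


def demo(paths=None):
    """Run both resolvers over a few guest requests (constructed inputs)."""
    paths = paths or [
        "docs/readme.txt",
        "../../etc/passwd",
        "docs/../../../etc/passwd",
        "..\\..\\Windows\\win.ini",
        "../vmshare_evil/secrets",
    ]
    return {p: (naive_resolve(SHARED_ROOT, p), safe_resolve(SHARED_ROOT, p))
            for p in paths}


if __name__ == "__main__":
    for guest_path, (naive, safe) in demo().items():
        print(f"{guest_path!r:32} naive={naive!r:32} safe={safe!r}")
```

Two things a real implementation has to add: resolve symlinks (os.path.realpath) before the containment check, since a link inside the share can point anywhere, and run the check after every decoding step the protocol applies to the path, never before, because a ".." that only appears after decoding is the classic way such filters get bypassed.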

I've blogged a lot in the past about the importance of patching, and here we are again.

The infrastructure is gone: you can't have security if you don't patch the second you can, not a moment later.
And I remember somebody telling the story that the hypervisor and the infrastructure around it were so simple it was almost impossible for them to have security bugs...

February 24, 2008

iPhone SDK and the importance of community developers

So, the iPhone SDK has been delayed once more. By itself it's not big news: the SDK was announced by Steve in October and it's still not here, so a couple of weeks more won't hurt that much.

I think there's space for some thoughts here on the importance of community-powered development. Some years ago, looking at the iPhone, the only thought of any sensible person would have been: great! And that's it. But now (mind you, it's still a "great" before anything else) a lot of people will start wondering: ok, but can I install those nifty little free apps I've grown accustomed to? What else can I do with the device/technology/platform?

Consider recent news: the open Android SDK, Microsoft's interoperability announcement, even consoles opening up to community games, something unbelievable only a few months ago. And did I mention the hundreds of Wii hacks around?

Lesson learned: customers, even enterprises, do care about a platform's openness, and the possibility to develop, customize and hack will be more and more important in the future. Apple and Microsoft already got the hint.

February 21, 2008

DRAM like an elephant: breaking disk encryption

FileVault, BitLocker and TrueCrypt are widely used disk encryption technologies: we used to think of them as "rather secure" solutions, since once the computer is turned off the whole disk is encrypted and there is no way to get the data back (yet).

We have even seen some esoteric devices meant to let you grab a PC without having to turn it off (and thus without triggering the disk encryption), but now the attack is on a whole new level.

It seems researchers at Princeton have successfully retrieved the contents of common DRAM seconds to minutes after the computer was turned off. No, Gutmann's effect is not involved at all.
They built a single-purpose, minimal bootable image meant to dump RAM and scan it for disk encryption keys, and have demonstrated they can break the encryption. The trick is that every implementation keeps the cipher's expanded key schedule in RAM while a volume is mounted, and the redundancy of that structure makes the key easy to spot and even lets you correct bits that have already decayed. Actually, once you have access to RAM there are a lot of interesting things to be found, including passwords, usernames and so on.
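An added example, not part of the post and not the Princeton tools: a simplified version of the key schedule search in Python. Every 16-byte window of a memory image is treated as a candidate AES-128 key, expanded with the FIPS-197 key schedule, and compared with the 160 bytes that follow it; a match with only a handful of wrong bytes is a key sitting in RAM with some decay. The "memory image" is constructed here (random filler with the FIPS-197 test key's schedule planted in it and three bytes corrupted), and the offset, error budget and function names are my choices.

```python
import random


def _aes_sbox():
    """Build the AES S-box (inverse in GF(2^8) followed by the affine map)
    rather than pasting the 256-byte table."""
    sbox = [0] * 256
    p = q = 1
    rot = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q = (q ^ (q << 1)) & 0xFF                              # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _aes_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule (11 round keys).
    This is the structure an implementation keeps in RAM while a volume is mounted."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)


def find_aes128_keys(image, max_errors=8):
    """Slide over the image, treat each 16-byte window as a candidate key,
    expand it and count how many of the next 160 schedule bytes disagree.
    Decayed bits show up as a few wrong bytes, hence the error budget."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        sched = expand_key_128(cand)
        errors = sum(1 for a, b in zip(sched[16:], image[off + 16:off + 176]) if a != b)
        if errors <= max_errors:
            hits.append((off, bytes(cand), errors))
    return hits


# Constructed "memory image" for the demo, not a real dump: random filler with
# the FIPS-197 test key's schedule planted at KEY_OFFSET and three schedule
# bytes corrupted to mimic decay.
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
KEY_OFFSET = 1000


def build_sample_image(seed=1, size=4096):
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    sched = bytearray(expand_key_128(FIPS_KEY))
    for pos in (20, 70, 150):
        sched[pos] ^= 0x40
    buf[KEY_OFFSET:KEY_OFFSET + 176] = sched
    return bytes(buf)


if __name__ == "__main__":
    for off, key, errors in find_aes128_keys(build_sample_image()):
        print(f"AES-128 key at offset {off}: {key.hex()} ({errors} decayed bytes)")
```

The limitation of this simplified scan is worth knowing: it only tolerates decay in the derived round keys, not in the 16 key bytes themselves, because it expands the candidate as found. The researchers' approach goes further and reconstructs the key from the schedule's redundancy, which is what makes it work on memory that has already lost a noticeable fraction of its bits.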

While the attack is not trivial to execute (the attacker needs physical access to the machine seconds after it was turned off, or has to cool the memory chips, fridge-style, to slow the decay), it is nevertheless very interesting. Note that a locked screen or a laptop in sleep mode offers no protection here: as long as the volume is mounted, the key has to be in RAM. Powering off, and letting the memory decay before anyone can get at it, is the only defense available today.

More information can be found at the Lest We Remember website.

February 20, 2008

Updating the infrastructure

The infrastructure isn't infrastructure anymore, let's face it. Infrastructure should be something you work on top of: it's not supposed to change as fast as what it contains. That's what we once had.
Routers should be able to go on for years, firewalls should not need continuous patching, switches should be something you buy, deploy and forget.
This is not true anymore, and the sooner we realize it the better.
We have firewalls based on stock operating systems, and they need patching or they get hacked. We have managed switches with 802.1X support, and they need updates too. We have Windows-based NAS servers, which, no surprise, need patching.
Some weeks ago, Oglesby and Pianfetti posted an insightful article on virtualization.info about VMware patching. I agree with most of the article: hypervisors are not rock-solid items with no need for patching. But, I add, there is no such thing as "evergoing infrastructure" anymore.

As the boundary between "infrastructure" and "application-level stuff" gets thinner and thinner, and the number of features offered skyrockets, we have to think about patching and updating everything in IT. Take a look at the exploits on Bugtraq concerning switches, firewalls and routers and you get the picture.

Long gone is the time when you could afford to deploy things and get on with work. As complexity grows, we need new approaches to patch management.

Virtualization can do great things on the server side, but network and infrastructure virtualization is still in its infancy (despite the stories vendors tell). Even patch management for virtual servers has a long way to go, even if some interesting tools like the VMTS patch manager, xVM Ops Center and VMware Update Manager are showing up. Until then, we'll have to rely on vendor-specific infrastructure update tools.

Many layers of infrastructure = many vendors.
One tool per vendor + many vendors = a big mess.
We badly need a new way to think about updating: what about a centralized tracking tool able to manage, issue warnings and push updates to the whole infrastructure? Does something like that exist? Let me know, or drop me a line if you want to start developing it.
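The core of such a tool is boring and vendor-neutral: an inventory of what is running, a list of what each vendor says is fixed in which version, and a comparison that understands version numbers. As an added example (my own sketch, not an existing product), here is that comparison in Python. The devices, vendors, products and versions are constructed placeholders.

```python
import re

# Constructed inventory and advisory list. Vendor, product and device names
# are placeholders; the versions are made up for the example.
INVENTORY = [
    {"name": "fw-edge-1", "vendor": "acme",   "product": "firewall-os", "version": "7.0.4"},
    {"name": "fw-edge-2", "vendor": "acme",   "product": "firewall-os", "version": "7.10.1"},
    {"name": "sw-core-1", "vendor": "netco",  "product": "switch-os",   "version": "12.2(33)"},
    {"name": "nas-1",     "vendor": "storco", "product": "nas-fw",      "version": "2.6.1a"},
]
ADVISORIES = [
    {"vendor": "acme",   "product": "firewall-os", "fixed_in": "7.9.0"},
    {"vendor": "netco",  "product": "switch-os",   "fixed_in": "12.2(44)"},
    {"vendor": "storco", "product": "nas-fw",      "fixed_in": "2.6.1a"},
]


def version_key(version):
    """Split a vendor version string into a comparable tuple. Numeric runs
    compare as integers, so 7.10.1 sorts after 7.9.0 (a plain string
    comparison gets this backwards); letter runs compare as text."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", version))


def outdated(inventory, advisories):
    """Return (device, running, fixed_in) for every device running something
    older than the version an advisory says is fixed."""
    findings = []
    for dev in inventory:
        for adv in advisories:
            same_product = (dev["vendor"], dev["product"]) == (adv["vendor"], adv["product"])
            if same_product and version_key(dev["version"]) < version_key(adv["fixed_in"]):
                findings.append((dev["name"], dev["version"], adv["fixed_in"]))
    return findings


if __name__ == "__main__":
    for name, running, fixed in outdated(INVENTORY, ADVISORIES):
        print(f"{name}: running {running}, fixed in {fixed}")
```

The hard part is not this code but feeding it: every vendor publishes advisories and version strings in its own format, and the pushing of updates stays vendor-specific. The comparison, the warnings and the tracking, though, can and should live in one place.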

The next time you build an infrastructure, be sure to ask yourself: "How am I going to patch and manage this?"

February 12, 2008

Cutting the phishing rod

These days I've been involved in developing some countermeasures against an intensive phishing attack. The IT team of the targeted bank is rather skilled when it comes to security, but was simply helpless against such an attack. It seems there are no defenses, since the attackers hit the user, the soft spot. Still, we had to think of some way to at least mitigate the attack.
So, here are some ideas for proactive "server-side" defenses against phishing (not involving client interaction). I've got a couple more, but I have to develop them a little.

  • Pollute the attacker's data: we generated thousands of fake credentials and submitted them from hundreds of proxies. The attackers will have a hard time filtering out the fakes, since they're not even logging the IP the request came from.

  • Lay traps: if you manage to have the attackers take the bait and use a fake login, you can modify your application to mine useful information from their browser. Things like JavaScript local IP grabbing, evil Java applets and such can help against the anonymous proxy they will likely be using.

  • Do content tampering: if the attackers left some images with src pointing to your website, change the links on your website and swap their pictures for something else to warn the user. A huge red alert banner will do. If they were clever enough to download the images too, change yours. It won't be a huge gain, but every little bit helps... As a bonus, the Referer header on those hot-linked image requests tells you which phishing hosts are live right now.

  • Do image proofing: have an artist design 365 small images, one for every day. It is not easy to copy someone's style, and if users are used to seeing something change in a regular fashion they will be able to spot anomalies easily. The point is: most bank (and big store) websites are static in content, thus an easy prey for phishers. (A phisher that proxies your live site will still get today's image, so this raises the bar for the copy-and-paste crowd rather than for everyone.)
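
The first three ideas fit together: the fake credentials you fed the phishers are honeytokens, a login with one of them can only come from whoever collected the phishing site's data, and the swapped images double as a phishing-host detector. As an added example (my own sketch in Python, not code from the bank or from the post), here is the server-side half of that. The bank's hostnames, the customer-number and PIN formats, the secret used to hash the planted credentials and the image names are all assumptions.

```python
import hashlib
import hmac
import random
from urllib.parse import urlsplit

# Assumptions for this example (none of these come from the post): the bank's
# real hostnames, the format of its customer numbers and PINs, and the secret
# used to hash the planted credentials so the trap list holds no plaintext.
OUR_HOSTS = {"examplebank.test", "www.examplebank.test"}
HONEYTOKEN_SECRET = b"rotate-me-this-is-only-an-example"


def make_fake_credentials(n, seed=None):
    """Generate n plausible (customer number, PIN) pairs to feed the phishing
    site. Seeded so the same list can be regenerated; in production you would
    persist the hashes instead."""
    rng = random.Random(seed)
    return [("%08d" % rng.randrange(10**8), "%06d" % rng.randrange(10**6))
            for _ in range(n)]


def token_hash(user, password):
    """Keyed hash of a credential pair, so the trap list is useless if it leaks."""
    return hmac.new(HONEYTOKEN_SECRET, f"{user}:{password}".encode(),
                    hashlib.sha256).hexdigest()


class PhishingDefense:
    def __init__(self, planted):
        self.planted = {token_hash(u, p) for u, p in planted}
        self.alerts = []            # (kind, detail); wire this to paging for real
        self.phishing_hosts = set()

    def check_login(self, user, password, src_ip):
        """Lay traps: a login with a credential we fabricated is the attacker.
        Return "trap" so the caller can serve the instrumented decoy session."""
        if token_hash(user, password) in self.planted:
            self.alerts.append(("honeytoken_login", f"{user} from {src_ip}"))
            return "trap"
        return "normal"

    def image_for_request(self, referer):
        """Content tampering: images hot-linked from a page that is not ours get
        the warning banner, and the hot-linking host is recorded."""
        if not referer:
            return "logo.png"       # browsers and proxies often strip Referer; not hostile
        host = urlsplit(referer).hostname
        if host is None or host in OUR_HOSTS:
            return "logo.png"
        self.phishing_hosts.add(host)
        self.alerts.append(("hotlink", host))
        return "alert-banner.png"


if __name__ == "__main__":
    defense = PhishingDefense(make_fake_credentials(1000, seed=7))
    print(defense.image_for_request("http://login-examplebank.example/index.html"))
    user, pin = make_fake_credentials(1, seed=7)[0]
    print(defense.check_login(user, pin, "203.0.113.9"), defense.alerts)
```

Two caveats. A missing Referer must not be treated as hostile, or you will show the red banner to your own privacy-conscious customers; only a Referer that names a foreign host is evidence. And the fakes have to be indistinguishable from real accounts in format, otherwise the attackers filter them out as easily as you planted them.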


The next thing I'm thinking about is automatic detection of phishing websites using a proxy. Imagine a Squid component able to warn you whenever you hit a phishing site... without the need to maintain a blacklist. Blacklists are a quick, easy way out. Unfortunately, they just don't work: most hits take place in the hours right after the phishing mail goes out, when the blacklist hasn't been updated yet. That's why we need more creative, out-of-the-box solutions.

February 05, 2008

A Linux stack on Solaris: Nexenta

I have to admit I've been somewhat skeptical about the actual usefulness of OpenSolaris. Yes, Solaris is one of the most advanced operating systems on the market with quite a huge installed base, but it was hard for me to see where OpenSolaris could actually fit in the open source landscape.
Some days ago I found project Nexenta and I have to admit I'm impressed. Long story short, Nexenta is a community-driven attempt to build a nice Debian-based environment around the OpenSolaris kernel... and it actually works pretty well.
OpenSolaris is a very interesting product by itself, but until today I could not see how, in a world where application portability is far more important than, say, a strong kernel, one could do without the entire Linux ecosystem.
You could maybe recompile any Linux application under OS X, but it makes no sense to do so: the same goes for Solaris.
Back to Nexenta, I have to admit that ZFS alone is worth the price of admission, allowing for transactional upgrades (every upgrade sits on a ZFS snapshot you can roll back to) in a well-known Debian environment.
Next time you build any Debian (or Ubuntu, that is) based server, you should really consider Nexenta: performance is, according to my quick benchmarks, impressive, and you are still in the familiar and cost-effective apt-get world.
As a side note, Nexenta's commercial product (Nexenta Storage Appliance) seems very interesting too, able to run on stock hardware with all the power of ZFS and the usual administration panels.