www. S D Linux.com » Uncategorized

E-voting machines compromised

pacneil — Fri, 14 Aug 2009 23:11:57 +0000

Researchers at University of California San Diego, Princeton University and University of Michigan have demonstrated a method to compromise and alter the tallies of Sequoia AVC Advantage voting machines. They presented their results at the Usenix 2009 Electronic Voting Workshop, held in Montreal this week. They used a method called return-oriented programming to modify voting tallies on the machines. The did this without access to the source code or the hardware designs.

Quoting from an article in The Register:

Sequoia and manufacturers of other brands of e-voting machines frequently discount vulnerability research into their products by pointing out that the underlying source code is closely guarded. Researchers in many studies, they argue, have unrealistic access to the devices’ inner workings.

“What we have shown or what I hope we have shown in this paper is that that criticism in untrue,” Hovav Shacham a professor at UC San Diego, told The Register. “It might take a little more work if we don’t have the source, but nevertheless we’re able to find vulnerabilities and exploit them in useful ways in machines where the only access we have is the physical artifacts themselves.”

The same method has demonstrated to defeat security measures in Linux, OpenBSD and Solaris. In return-oriented programming snippets of benign code are combined to produce malicious behaviour. The researchers were even able to demonstrate that they could alter the outcome of elections, using this method.

The development, certification and procurement cycle for voting machines is slow. The design of the Sequia AVC Advantage dates back to the early 80′s and many are still used in New Jersey, Louisiana, and elsewhere. The machines used to develop and test the exploit were bought at a Buncombe County North Carolina government surplus auction web site.

Using bright lights, magnifying glasses, a low voltage continuity tester and data sheets for the components, team members were able to develop a circuit diagram of the hardware of the voting machine. From that they were able to deduce how the unit worked. Then they used a disassembler to fill in the remaining details.

Joshua Herback used the hardware functional specifications to develop a simulator, which other team members then improved upon. The exploit was completely developed on the simulator, returning to the actual hardware only to verify the exploit. The exploit worked the first time they tried it.

The researchers have demonstrated that newly developed methods for exploiting systems put otherwise secure systems at risk.

XML Flaws disclosed

pacneil — Fri, 07 Aug 2009 20:04:39 +0000

One of the core components of interactive web services was found to have serious programming flaws. An exploit of these flaws has the potential for anything from denial of service to sending of malicious documents to seize control of users computers. XML is used in all types of web services, including banking, desktop programs and cloud computing applications. Extensible Markup Language is the markup system that allows applications to exchange data.

Researchers at Codenomicon Ltd., a security testing company from Oulu, Finland, say they found multiple critical flaws in XML libraries, code that is used and re-used to process XML data. They used CROSS, or Codenomicon Robust Open Source Software, to test libraries failure modes. By inputting manipulated data into XML libraries Codnomicon tested their ability to contend with corrupted data. The results were disconcerting.

The Codenomicon researches said:

Early this year (2009) we released some of our first XML-based tools to the market and used XML fuzzing technology against a set of open source XML implementations. The result was that once again, everything broke.

These XML libraries are used in cloud computing services, 3-dimensional programs, and a wide range of business software. RSS feeds, openoffice documents and all types of programs that exchange data, use these libraries. XML libraries are linked both statically and dynamically. XML is coded directly into applications and parsers are implemented directly in application software. Parsers and applications coded in the C language are especially vulnerable, since stack overflow errors in C are not uncommon. There may be millions of applications using XML and XML parsers.

The XML flaws can be attacked both locally and remotely. Malformed network requests could cause application to go into loop and become unavailable. When remote communication is involved remote exploits are possible. Social networking sites and nearly all interactive web sites use some type of XML. Malicious code can be embedded inside documents, web sites or even data streams.

Nearly every sector of the economy is effected by this flaw. Banking, Manufacturing, Retail, Health Care, Government, Electric/Gas/Water Network Companies all use XML for data interchange and communication.

Sun Microsystems, Apache Software Foundation and Python Software Foundation have all announced patches and fixes for found vulnerabilities in their software.

Codenomicon said:

We cannot discuss the security of commercial XML products or library versions within the CROSS project, as the project is intended to benefit the open source community only.

Are Corporations Co-opting Open Source?

pacneil — Wed, 22 Jul 2009 19:59:40 +0000

The recent announcements by Adobe and Microsoft of source code releases under FOSS licenses are attempts to co-opt free software.

Microsoft announced this week that they are releasing source code for Linux drivers that allow it to interact better with Windows, where Windows is the host OS and Linux is running as a guest OS. This is great PR for Microsoft but really does nothing to improve Linux. Now if Microsoft added hooks to their OS that allowed it to better operate as a guest OS in a Linux host, that might be something to report. However, there are rumors that Microsoft has taken exactly the opposite tact. It has been reported that Windows Vista and Windows 7 refuse to run as virtual machines.

On the other hand, Microsoft has not backed down from patent threats against Linux, claiming it contains source code that violates intellectual property rights. Steve Balmer claims that “People who use Red Hat, at least with respect to our intellectual property, in a sense have an obligation to compensate us,” However, Microsoft has never disclosed which source code or applications violate it’s “intellectual property” rights. Many in the Linux community, including me, consider this to be a simple case FUD and attempted extortion. Novell agreed to license Microsoft’s intellectual property in exchange for a patent pledge to users of Novell’s SuSE Linux. In other words, they succumbed to the extortion. Red Hat refused. Many long time Linux users are now boycotting SuSE as a result.

Adobe announced at OSCON two new “Open Source Initiatives”. The products are Text Layer Format and Open Source Media Framework. To quote Dana Blankenhorn “Adobe is delivering an open source project so that open source, as a concept, can live in its world of corporate media.” Text Layer Format is an Action Script layer that adds typographical features to the Adobe Flash Player. Open Source Media Framework is an attempt to inhibit the use of the tag in HMTL-5 and the inclusion of Ogg-Theora open source video player as a part of that specification. By announcing the release of these “Open Source” initiatives, Adobe is attempting to preempt any criticisms against it’s proprietary product Flash, by being able to claim that it too is “open source”.

Microsoft and Adobe are pursuing the same divide and conquer Public Relations strategy. Big splashy announcements about “Open Source” while pursuing a strategy of market dominance with proprietary closed source products. HTML5 and the inclusion of the tag threatens both Microsoft Silverlight and Adobe Flash. Expect to hear more FUD from both in order to prevent the inclusion of truly open standards in HTML5.

Automate backups on Linux

pacneil — Sun, 19 Jul 2009 21:22:30 +0000

Here’s an excellent article on automating backups on Linux systems. I use many of these same scripts to archive data to my backup server, nightly. If you haven’t already started using automated backups, I strongly urge you to do so. Remember if it’s not backed up, it must not be important. — Neil

No excuses: do-it-yourself, secure, distributed network backups made easy

Carlos Justiniano, Software Architect, Ecuity Inc.

Summary: The loss of critical data can prove devastating. Still, millions of professionals ignore backing up their data. While individual reasons vary, one of the most common explanations is that performing routine backups can be a real chore. Because machines excel at mundane and repetitive tasks, the key to reducing the inherent drudgery and the natural human tendency for procrastination, is to automate the backup process.

If you use Linux, you already have access to extremely powerful tools for creating custom backup solutions. The solutions in this article can help you perform simple to more advanced and secure network backups using open source tools that are part of nearly every Linux distribution.

Wasn’t Twitter was Google Apps that was hacked

pacneil — Sat, 18 Jul 2009 21:25:58 +0000

I’ll not rewrite what Gary Barnett has to say, except to reprint his abstract. I think it’s a thoughtful criticism of what’s been written about the Twitter fiasco, as well as cloud computing and security.

If you’re busy, here’s the abstract:

It wasn’t twitter that was hacked – it was Google Apps
Please don’t confuse “network” with “cloud” – it’s embarrassing to read and makes you look stupid
This is not a story about cloud computing, it’s a story about security
The moment you make a computer accessible via the internet you have a security challenge
Security is an important issue for cloud computing – So instead of hyping it, or denying it, we need to deal with it
The good the bad and the ugly – Some of the articles/blog posts I’ve seen on this topic

Gary Barnett’s blog post ……

North Korean attack command server found in the UK

pacneil — Fri, 17 Jul 2009 21:17:30 +0000

On Tuesday a Vietnamese security company Bach Khoa Internetwork Security reportedly identified the IP address of the master server that directed the attacks from North Korea against targets in the U.S. and South Korea.

The IP (Internet Protocol) address is alleged to belong to Global Digital Broadcast, an IP TV technology company based in Brighton, England. According to a spokesman for Global Digital Broadcast, the server is in Miami.

The machines used in the attack are reported to be 166,908 compromised machines located in 74 countries. These computers that get their instructions from eight command-and-control servers.

The Vietnamese security company was able to analyze data supplied by South Korean Computer Emergency Response Team to identify and seize two of the command-and-control servers. By analyzing log files from those servers they were able to identify the IP address of the master server.

Investigators believe discovery of the master server moves them closer to discovering the perpetrators and shutting down the botnet.

Lazy Linux: 10 essential tricks for admins

admin — Thu, 16 Jul 2009 17:08:33 +0000

Summary: Learn these 10 tricks and you’ll be the most powerful Linux® systems administrator in the universe…well, maybe not the universe, but you will need these tips to play in the big leagues. Learn about SSH tunnels, VNC, password recovery, console spying, and more. Examples accompany each trick, so you can duplicate them on your own systems.

Integrate Creative Commons Licensing into your content with ccREL

admin — Thu, 16 Jul 2009 16:35:59 +0000

Summary: With Web 2.0, Cloud, and SOA, it’s more important than ever to have a clear understanding of who owns information and what you are permitted to do with it. The Creative Commons License contains a mechanism for providing more open usage rights without giving up ownership. The Creative Commons (CC) Rights Expression Language (ccREL) allows you to embed this information into Web content so that information owners and information users can clearly see the rights granted and choose accordingly, even through automation. Learn more about these techniques, and see how to use them in your own applications.

The Linux operating system as a managed object

admin — Wed, 15 Jul 2009 19:07:54 +0000

Summary: Organizations today face two major challenges: deployment of an increasingly rich service mix and managing the associated massive base of computing platforms. In this article, discover a new(ish) means of viewing a key component of the organizational architecture—treating operating systems themselves as individual managed objects.

Few can argue with the success of modern computing technology. For better or worse, the global proliferation of computing access is historically without precedent. So too are the consequences; witness the advent of spam and online fraud as more and more people go online. However, there are a great many positive aspects to global computerization, such as access to information and a well-informed, flexible global workforce.

Underpinning the success of modern computing is the not-so-well-known data center in which vast numbers of servers and other hardware reside. The demand for computing services has grown to such an extent that many data centers are rapidly approaching (or have already exceeded) physical limits in relation to size and power consumption.