Sony’s Tale of Woe

 Computing, Security  No Responses »
Dec 272014
 

What with North Korea’s latest explosion of bile, Sony is having a network security issue that will be used as an example of how bad things can get for probably decades. The phrase “I’m in the middle of a Sony” will be regularly used within the industry for the worst types of incidents.

It is not clear just what happened to Sony during the incident, and it will quite possibly never be clear. There are rumours that it may be something as simple as a phishing attack, and the FBI has claimed it has recovered code with similarities to code used in previous attacks against targets the North Koreans would wish to target.

It seems pretty certain that the North Koreans were involved in the attack against Sony; in addition to the code fragments, the North Koreans have gone out of their way to claim the attack was orchestrated by themselves. Yes they denied the attacks, but in the same way that a little kid denies having stolen the cake with all the evidence on his face.

Normally a corporation under attack from a state actor can be forgiven for getting opened up like a can of peaches, but this is Sony and a bunch of idiots who if they hadn’t lucked out by being in charge of North Korea would have trouble getting a job flipping burgers.

So Sony Pictures needs to have a good long look at it’s security. Two big tips for Sony:

First of all, change the name of the security team to the insecurity team. That is not a criticism of the team that does security at Sony right now, but because there is an assumption that the security team handles security and the rest of us doesn’t have to bother.

In reality, security is everyone’s responsibility.

Secondly take a second look at every recommendation that your security team has ever made and you have said No to. And reconsider.

Tinkering With The Yubikey

 Computing, Working Notes  No Responses »
Dec 222014
 

This is a series of working notes on the Yubikey which is an interesting device used to supplement passwords to make two-factor authentication easier. It is essentially a hardware security token device that pretends to your computer to be a keyboard and enters a one-time only password that can be used to verify your identity – much like a password, but much more secure.

Well perhaps "easier" only if someone does all the configuration for you, although I am inclined to look a bit deeper into such things for my own amusement. My own key is a Yubikey NEO, but much of what follows also applies to the other Yubikey models.

Observations

This is the spot for observations on using the Yubikey over time.

  1. For some reason the Yubikey doesn't always "light up" on my workstation at work. It works fine at home – the green light always turns on ready for a key press – but at work it often seems to flicker and stay out. Not sure what causes this, but it always seems to be persistent when you really need to use it! 

Configuration

… is to some extent unnecessary, but under Linux there are three bits of software that can be installed to configure additional features of the Yubikey :-

  1. The library: https://developers.yubico.com/libykneomgr/
  2. The command-line tool: https://developers.yubico.com/yubikey-personalization/
  3. The GUI: https://developers.yubico.com/yubikey-personalization-gui/

All three build easily from the instructions given. Just make sure to remember to copy the udev rules from yubikey-personalization to /etc/udev/rules.d/ and run udevadm trigger to enable them. This will make sure you can access your yubikey as a console user, so you don't have to become root.

Enabling Linux Authentication

This was all done with a Linux container (LXC), so it could be relatively easily thrown away and restarted. The first step was to install the relevant PAM module :- 

# apt-get install libpam-yubico

This pulls in a ton of other required packages.

The next is to grab the unchanging part of your Yubikey token. This is the first 12 characters of what you get when you activate it. Whilst you have it to hand, now would be a good time to create the mapping file – /etc/yubikey-mappings :- 

# Yubikey ID mappings
# Format:
#       user-id:yubikey-id:yubikey-id:...
# (But usually only one)
user-id:ccccccsomeid

Next step is to add a little something to one of the pam files. For testing (assuming you have console) access, the relevant file might be /etc/pam.d/sshd but once you have things working, /etc/pam.d/common-auth might be a better choice. Right at the top of the file add :- 

auth       sufficient   pam_yubico.so debug id=16 authfile=/etc/yubikey-mappings
#       Added for Yubikey authentication.

Because these things always have problems when you first try them, it makes sense to set up the debugging log :- 

touch /var/run/pam-debug.log
chmod a+w /var/run/pam-debug.log

At this point, assuming everything works as expected :-

  1. You will be able to authenticate using ssh using either your Yubikey, or your password.
  2. This assumes your server is able to communicate with the Yubi Cloud.

There are further improvements to be made … and we'll get to those shortly.

But That's Not Two-Factor Authentication!

Indeed not, so we'll fix that right now.

Firstly remove the line we previously added to /etc/pam.d/sshd; because of the way that Debian configures pam, it is less disruptive (i.e. fewer changes) to make the change to /etc/pam.d/common-auth :- 

auth       requisite     pam_yubico.so id=16 debug authfile=/etc/yubikey-mappings
#       Yubikey configuration added.
auth    [success=1 default=ignore]      pam_unix.so nullok_secure use_first_pass

But before restarting sshd (you have been doing that haven't you?), you will need to add a Yubikey ID to /etc/yubikey-mappings for the root user.

At this point, you will only be able to authenticate if you enter your username, followed by both your Unix password and activate your Yubikey at the password prompt. Entering both at the same prompt is a little weird especially when you consider that there is no indications anywhere that Yubikey authentication is required.

But we can fix that. First of all, one small change to common-auth – remove the use_first_pass phrase.

Next edit the file /etc/ssh/sshd_config and find the ChallengeResponseAuthentication phrase and set to "Yes" :- 

ChallengeResponseAuthentication yes

And after a quick reboot, the log in process works in a sensible way :- 

» ssh chagers
Yubikey for `mike': (Press YubiKey)
Password: (Enter Unix password)
Linux chagers 3.14-0.bpo.1-amd64 #1 SMP Debian 3.14.12-1~bpo70+1 (2014-07-13) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Dec 31 15:37:05 2014
...
</pre>

Special Treatment for Former Members of the Armed Services?

 General, Politics  No Responses »
Dec 212014
 

Yes.

But why? Apparently there is something special about serving in the armed forces – special enough for the mythical (it has no legal basis and so is in fact not a covenant at all) Military Covenant to be a popular phrase. And even a factor in determining government policy.

But why does someone who has served 20 years in the Army catering corp deserve more and/or better services than an NHS nurse who has “fought in the trenches” (including volunteering for work in the Ebola-stricken countries in West Africa)? And who is most likely to suffer from PTSD? A nurse up to his arms in blood and gore? Or an Army cook who is up to her arms in spuds?

And when you come down to it, anyone who suffers PTSD – even a banker who has smashed up his Ferrari – needs special treatment.

Perhaps those who have been in the armed services should be first in the queue for specialist treatments but those programmes should be open to all who need them.

And perhaps the “Military Covenant” should be extended into a “Public Services Covenant” to include those other public servants whose jobs put them in harm’s way – the police, fireman, ambulance drivers, nurses, etc.

Muting Smartphones

 Computing, General, iPhone  No Responses »
Dec 182014
 

Today I happened to come across a story about a priest who uses a signal blocker to stop phones from shrieking, bleeping, or blurting during church services. Very possibly illegal, although it’s quite understandable.

After all a church service is just like a theatrical performance and the distraction of phones is likely to put people off. We need more quiet at times – such as in the theatre, church, the quiet carriage in a train, or even a meeting room.

But a signal blocker is going too far – if there is an emergency, we need to be able to use our phones. And asking people does not work – there are always a few people who won’t bother to silence their phones. Not necessarily because they don’t care, but sometimes simply because they don’t think of it.

Rather than blocking phones, we need to tell phones to silent themselves automatically.

And it could be quite easy to do. In quiet zones, simply broadcast a well accepted SSID (“QUIETPLACE” perhaps?) and configure phones to automatically mute themselves when they see such an SSID. It would require support from phone manufacturers as most of us wouldn’t bother if we have to set something up – or even just install an App to do it, but it’s certainly possible.

Robin Knox Johnston: He’s Old. So What?

 General, Media  No Responses »
Dec 142014
 

Recently, Robin Knox Johnston took part in a sailing race, and the BBC spent some time interviewing him and highlighting his progress throughout the race.

Fair enough, but why was it necessary to keep banging on about how old he is? Yes he’s old enough – after all he completed his around the world voyage in the year I was born – but it’s probably the least interesting thing about him and what he was doing.

(Image obtained from http://www.robinknox-johnston.co.uk/)

In practically every interview with him the BBC did, his age came up … and many times it came up more than once. Anyone would think the BBC is under the impression that old people should be sitting in a rocking chair with a blanket on their knees drooling gently.

 

 Older Entries  Newer Entries