agoraphobia

the little blog of agoracon. it's about sharing knowledge.

Manually Patch OS X 10.9 SSL Vulnerability

This is how to apply the “experimental” binary patch for Security.Framework (64bit only) in OS X 10.9 patching the SSL Key Exchange Verification Vulnerability (CVE-2014-1266).

In case you don’t know what I’m talking about, you wont need it since you don’t use Internet.

Be careful! Damaging the Security binary file will break you machine immediatelly (see below for a possible rescue action).

Ok, let’s fix the problem:

Dowload the patch from SektionEins web site (many thanks to SektionEins).

Check if it looks like my version:

$ shasum ~/Downloads/APPLE_SSL_SECURITY_FRAMEWORK_QUICK_AND_DIRTY_64BIT_FIX.bspatch 
ad2df815503ccece32e7bb7127d9958dd6ee96c7 /Users/horst/Downloads/APPLE_SSL_SECURITY_FRAMEWORK_QUICK_AND_DIRTY_64BIT_FIX.bspatch

Now we change to the binary file, create a backup and a working version.

$ cd /System/Library/Frameworks/Security.framework/Versions/A
$ sudo cp Security Security.backup
$ sudo cp Security Security.unpatched

We are gonna patch the working copy and make it executable.

$ sudo bspatch Security.unpatched Security.patched ~/Download/APPLE_SSL_SECURITY_FRAMEWORK_QUICK_AND_DIRTY_64BIT_FIX.bspatch
$ sudo chmod +x Security.patched

Now replace the original file with the patched one.

$ sudo cp Security.patched Security

Now we open the test site to verify our actions. Congratulations, mission complete.

However, this has only patched the 64 bit version, the 32 bit one is still vulnerable!

An official Apple patch will hopefully be released within the next days. Use that one to replace the workaround we’ve created now.

Rescue actions

No problem, everything is fine (as long as you have got a backup of the original Security file). Switch off your computer and start in single user mode (press Cmd-S while booting).

Now test the file system integrity:

/sbin/fsck -fy

Mount the root partition for write with

/sbin/mount -uw /

and replace the mentioned file with your backup copy.

When you are done reboot your system with exit.

Configs Like Comments

There are times you deliver procedures or source code to people with certain allergies. I am thinking of allergies making them feel bad or uncomfortable when seeing modern approaches or technologies.

Referencing to lists of big enterprises using this method doesn’t help, but should make you realize this technology is already more evergreen than modern… (enterprises).

However, let’s not loose our happiness and sustain the mean creativity phase for some minutes to make the best with accepted building blocks.

Deployment without Puppet & Chef

…or building blocks you can use, also with Puppet & Co later anyway.

That’s even less a pain after you’ve realized pure puppet is neither good for some sequencial but complicated deployment areas.

But we start with an area, that definitely is core puppet area: system configuration.

s1-config-sys.shGist
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
#!/bin/bash

# Installation script for Oracle Identity and Access Management
# 
# This procedure will create the root script to execute before the
#+software installation.  You need to modify etc/configs.sh to
#+your needs.  Content of the root scripts:
#+ * user and group
#+ * base directory
#+ * system packages for fedora/redhat.
#
_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
. ${_DIR}/config/files.sh
. ${_DIR}/lib/deployers.sh

FEDORA_EPEL="${MISC_DIR}/epel-release-6-8.noarch.rpm"

echo "#!/usr/bin/env bash"
echo "#  execute script output as root user"
echo

# groups     name       id
create_group 'oinstall' 6001
create_group 'dba'      6002
create_group 'idm'      6003
create_group 'iam'      6004

create_user  'oracle' 5001  '6002'  '6001'       # database
create_user  'idm'    5002  '6003'  '6001'       # oid, ovd
create_user  'iam'    5003  '6004'  '6001'       # oam, oim

sudo_for     'oracle'

dir_for      '/appl/dbs'        'oracle:dba'
dir_for      '/appl/idm'        'idm:idm'
dir_for      '/appl/iam'        'iam:iam'
dir_for      '/appl/logs/dbs'   'oracle:dba'
dir_for      '/appl/logs/idm'   'idm:idm'
dir_for      '/appl/logs/iam'   'iam:iam'

set_sysctl   'kernel.msgmnb'                 '65536'
set_sysctl   'kernel.msgmnb'                 '65536'
set_sysctl   'kernel.msgmax'                 '65536'
set_sysctl   'kernel.shmmax'                 '2588483584'
set_sysctl   'kernel.shmall'                 '2097152'
set_sysctl   'kernel.shmmni'                 '4096'
set_sysctl   'kernel.sem'                    '250 32000 100 128'

set_sysctl   'fs.file-max'                   '6815744'
set_sysctl   'fs.aio-max-nr'                 '1048576'

set_sysctl   'net.ipv4.tcp_keepalive_time'   '1800'
set_sysctl   'net.ipv4.tcp_keepalive_intvl'  '30'
set_sysctl   'net.ipv4.tcp_keepalive_probes' '5'
set_sysctl   'net.ipv4.tcp_fin_timeout'      '30'
set_sysctl   'net.ipv4.ip_local_port_range'  '9000 65500'

set_sysctl   'net.core.rmem_default'         '262144'
set_sysctl   'net.core.rmem_max'             '4194304'
set_sysctl   'net.core.wmem_default'         '262144'
set_sysctl   'net.core.wmem_max'             '1048576'

activate_sysctl

set_limit    '*          soft    nofile      2048'
set_limit    '*          hard    nofile      8192'
set_limit    '@oracle    soft    nofile      65536'
set_limit    '@oracle    hard    nofile      65536'
set_limit    '@oracle    soft    nproc       2048'
set_limit    '@oracle    hard    nproc       16384'
set_limit    '@oracle    soft    stack       10240'

packs=(
    binutils.x86_64
    compat-libcap1.x86_64
    compat-libstdc++-33.i686
    compat-libstdc++-33.x86_64
    elfutils-libelf-devel.x86_64
    gcc-c++.x86_64
    gcc.x86_64
    glibc-devel.i686
    glibc-devel.x86_64
    glibc.x86_64
    glibc.i686
    ksh.x86_64
    libaio-devel.i686
    libaio-devel.x86_64
    libaio.x86_64
    libaio.i686
    libgcc.x86_64
    libstdc++-devel.i686
    libstdc++-devel.x86_64
    libstdc++.i686
    libstdc++.x86_64
    libXext.i686
    libXtst.i686
    libXi.i686
    make.x86_64
    openmotif.x86_64
    openmotif22.x86_64
    redhat-lsb-core.x86_64
    sysstat.x86_64
    unixODBC-devel
    unzip
    rlwrap )

add_epel_rpm ${FEDORA_EPEL}

add_packages packs

disable_service   'iptables'
disable_service   'ip6tables'

exit 0

Funtion lib: deployer.sh

Just an idea – applying a domain specific language (DSL) approach with shell scripting, while trying not to get to complex.

There’s some kind of beauty – even done in bash, isn’t it?

no comment section available…

Cryptography Now!

Die bösartigen Hacker “malicious hacker” der staatlichen Dienste nerven kräftig (Zitat Apple). Eine saubere und konsistente Lösung des Problems wäre die Auflösung aller Nachrichtendienste. Nachdem es zu einer so rationellen Entscheidung auf globaler Ebene wohl nicht kommen wird, muss man selber ein wenig Aufwand treiben und sich mit Verschlüsselung beschäftigen.

Kryptographie ist auch ein spannendes Thema, sozusagen Mathematik am Rande der Legalität. Beispiel Frankreich: an Kryptographie zu arbeiten war nicht nur verboten sondern wurde gleich mal mit Gefängnisstrafe belohnt. Nur der Staat solle sich da auskennen, dem Volk war die Rolle des Objekts zugedacht.

Einen interessanten und unterhaltsamen Podcast dazu haben Frank Rieger und fefe (beide vom Chaos Computer Club) gemacht: Alternativlos, Folge 30.

Was aktuell verwendet werden soll und was nicht mehr, gibts hier zum ansehen und hören (Vorträge vom 30c3 in Hamburg):

Natürlich sind auch alle anderen Vortäge der Veranstaltung sehenswert. Neben der technologischen Aufarbeitung von Jakob Appelbaum und Co. gibts vom EFF Stoff der sogar aus einem Kakanier einen Aktivisten kann…

Ach ja, den Titel habe ich mir ausgeborgt.

Collecting Credentials

Sorry, the password you tried is already being used by Dorthy, please try something else. — http://nadh.in/docs/geek_jokes/

Login pages with user name and password are not the preferred authentication method in enterprises. Still we need one, at least as a fall back solution or when clients or a certain deployment method demand it.

If you are using Oracle Access Manager (formerly know as Oblix CoreID, NetPoint) you probably know that it my be easier to find water in the dessert than a good piece of documentation for that application.

Therefore we will post some solutions we’ve built or collected working on OAM projects.

Here are login pages that you can use in DCC or ECC mode. It’s important to mention the login page needs to implement the GET and POST methods. It will be called with a POST by WebGate (not by the browser) when the user enters an invalid password.

The pages can be deployed e.g. in the DMZ as a stand alone application (DCC) or with the access server on the same J2EE container like WebLogic (ECC).

You can also extend it to be used as a more friendly user interface for Identity Manager transactions. We’ve used that approach for password pages and other OIM self service areas when you don’t want to use the more heavy Fusion pages.

Install Our Application

Do you like to install needless and gratuitous software on your machine? No…? Even not when it constantly shows you ads and perhaps sends data to other servers…?

note "?db???..." 2

No, still not. I don’t understand why I should install an application for using 3rd party USB modems to connect via UMTS.

! ---- Hang up and reset DCE ----

Still it was not easy to find “drivers” for the common ZTE USB modems, used in several European countries.

write "ATZ\13"

After some investigation it seems quite easy to implement: all you need is a modem script that talks properly to the device. Then you can use standard OS features for connecting, etc.

Modem Scripts at Github

Password Management for Teams

We’ve been looking for a proper password management tool for our team quite some time. Even if we focus on Single-Sing-On wherever possible, you have a good collection of service users or privileged users.

Our requirements (beside security) were

  • usability
  • no shared passwords
  • access control
  • easy to integrate in our work flows

Based on our style of work we were searching exclusively for command line tools.

You are right – since I write this blog post we’ve already found our password management tool: pass

1
$ brew install pass  # Depends on: xz, pwgen, tree, gnu-getopt, gnupg2

Pass is based on GnuPG, so you encrypt, decrypt and trust based on your GPG keyrings. The documentation of pass shows the usage for a single user workflow. The most simple adaption for teams is to use GPG groups.

Per default GPG groups are defined in the local configuration file. So if you don’t changed your team members often this perhaps convenient enough for you. If not I would search for a way to use includes in the configuration file, where you put the fragment itself in the repository.

1
$ gpg2 --gen-key     # in case you need a new or separate keyring

If you are located behind a firewall that blocks port 11371/tcp you should change the GnuPG keyserver communication to port 80/tcp:

1
2
3
4
5
$ grep ^keyserv ~/.gnupg/gpg.conf
keyserver  hkp://p80.pool.sks-keyservers.net:80

$ gpg2 --send-keys <keyid>
$ gpg2 --search-keys <team-members>

After the typical key signing and the group setup we are ready to create the password repository.

1
2
3
$ pass init <gpg_group_name>
$ pass git init
$ pass git remote add origin myserver.net:pass-store

Now you can store and retrieve keys with pass. Have a look at the man pages or the web site.

Let me know if you like this approach or you decided to go for another one – feedback welcome.

Links

Job Postings and Technology

Sample job postings of companies without legacy systems:

Leading Music Video Platform
Key Skills Required 2 x Mid-Senior Level Developers
Rails, RSpec, Cucumber, .JS, Chef, Puppet, API’s, Redis, Cassandra, NoSQL, TDD. BDD, GIT

Top Video Hosting Platform
Key Skills Required 1 x Mid-Level Developer 1 x Senior Developer
Rails, JS, NoSQL, HTML5 Mongo, AWS (Beneficial) TDD, BDD, GIT

Streaming Content Specialist
Key Skills Required 1x Mid-Level Developer 1 x Senior/Lead Developer
Rails, Sinatra, HTML5 RSpec, Coffeescript, GIT, Redmine, RabbitMQ, Capistrano, API’s, TDD, BDD

Leading Niche Travel Specialist
Key Skills Required 2 x Mid-Level Developer 2 x Senior Level Developers
Rails, MongoDB, CouchDB, GIT, TDD, BDD

Oracle 11.2 OS X Instant Client

Better late than never: Last Thursday (Jan 31 2013), Oracle released the Mac OS X version of the database instant client version 11.2 (11gR2).

Before there was only a client for version 10.2 available.

Oracle 10.2 was released in 2005, version 11.2 in 09/2009.

I call the Instant Client the real client for Oracle RDBMS, in terms of what a client really needs (while Oracle calls it the other way round). Just the fundamental libraries, a few binaries, and optional an SDK. No installer and no Oracle home path.

On an Oracle blog Christopher Jones asks for feedback in case you use the client. Oracle needs to justify the resources for the OS X bundle.

While their company aquisitions mainly seem to be customer-base than technology driven decisions, their knowledge on own customers is so limited?

I don’t think so – Oracle knows quite well what their customers are using. Even without market researches or surveys: the Oracle user groups, conferences, support sites, etc.

Anyway, I wrote Christopher an email telling him I’m happy with the new client…

ONCE-THE.ROCKETS-ARE.UP…HOW.TO.SURVIVE

I missed it.
I missed it again.
But – this time was the last time.
Next year I will be there.
For sure.

The Chaos Communication Congress, the annual congress of the Chaos Computer Club.

“Not my department” was the title this time, pushing the event in a slighty more political direction, after “Behind enemy lines”, “We come in peace”, or “Here be dragons”.

You can find the congress archives here.

Since C3 is a hackers and security congress, there might be a good chance hackers will be around too. And there is a free and open WLAN…

So be prepared.

The good folks from CCC have compiled a preparation list that’s good for the conference but also good for the rest of the time.

29C/3 – How to survive

It covers the main client operating systems (Linux, BSD, OS X, MS-Windows) telling you how to ensure basic security on your system.

Keep in mind: every system can be hacked. It just depends on the effort others are willing to spend…

RBAC Security Model for Organizations

Since several months we are working on designs and implementations of identity management (IdM), a discipline increasing security and UX in the IT landscape of organizations.

IdM is quite an interesting area, you need to touch and use a big set of technologies and a bunch of already existing security standards. And you need to talk to many people in an organization.

Here are some tips and rules you should follow, independent of products you may use.

Note: We are talking here about role based access control (RBAC), which is the most prevalent authorization model. Other models can easily connect to this design.

So let’s start

No matter where your central point of structure or truth is located, either an application or more common, a directory service, the design of this area is the key.

A recent talk I did in a customer project: Directory Structure

Implementing organizational hierarchies in IT systems usually gives you headache and a lot of work, since those hierarchies tend to change frequently in large organizations. But we don’t like frequent changes of our structure and security base. So we need a clever design here: allow the data to change, not the structure.

In IT we always start with a layer model, even if we don’t need one – it sounds good in presentations :–)

Our model or how we see this world

  • Layer one: identities (also called persons, users)
  • Layer two: organizational units (teams, departments, etc.)
  • Layer three: organizational roles (enterprise roles)
  • Layer four: application specific roles (groups)

Where the first one is a flat list of identities, the second one usually will be needed to implement a certain form of hierarchy and membership.

Talking in LDAP: use “member of” for memberships. It’s easy to browse up the hierarchy. Optionally you may implement a second list “members” for comfortably browsing down the hierarchy, in case the directory server does not automatically offer this. You should be aware this is data redundancy, but often very useful.

The third layer is a flat list without inheritance, each role describing a certain general role in your organization. Keep this one more business/organizational related and don’t stick it to used applications or products.

The last one is a long, flat list of already existing, application defined roles or groups. Those may be technical or business roles, it doesn’t matter since the applications are the master of those data. They need to maintain the mapping to their low-level application permissions.

What’s an application?

Well every kind of system we deal with is an application. It may be your CRM system, an trouble-ticket system, an physical access control, and your intranet system. And yes, your file server and mail server are applications too.

Wow, a lot of data here!

That’s true, but we won’t enter it manually. See below…

So, how to use this?

Everything we do then is to create and maintain relations between elements of those layers.

You won’t map from layer one (identities) directly to layer four (app-roles), this is like shooting yourself in the foot. Abstraction means in our case to link via layer three, our organization roles.

Please serve yourself

A self-service application may be used to create new relations or end-date existing ones. In general that’s a good idea, already medium sized organizations deal with a huge set of entries and relations.

Changes on those relations can be provisioned directly or as an approval workflow. You can even use both methods, depending on who captures this change.

Request and approval permissions should be mapped again to enterprise roles or in that special case to the owner of the involved objects (in LDAP represented with the owner field).

An example

We decided to create a new organizational role for finance controllers, since their responsibilities are already too distinct from finance agents, the role we used up to now. Our ERP team has already implemented a new ERP role erp-controller, covering their needs in a better way.

We will create this new organizational role finance controller and then request to map this role to the ERP application role erp-controller. This request shall be approved by the responsible team, in this case the ERP security team.

We know this, because the organizational role security-erp is the owner of application role erp-controller (like for all other ERP application roles). Three persons are currently in security-erp, and we hope not all of them are currently on vacation. An email has been sent to notify them we need their approval.

I hope you get the point…

Who is feeding this system?

Identities and organizational units

Changes on persons and organizational groups (layer one and two) and relations between those should come from the HR team. In case there is an HR system in place, an interface to this system is the way to go.

Creation of new persons (new employees) and retirements are straight forward to implement. Moving a person from one department to another means deprovision the direct relations of the person and assign it to the new team. Roles defined via the team will already be available to the person, direct assignments to certain enterprise roles need to be requested.

Application roles

For large implementations an automatically exchange of app roles to the individual applications is worth the effort. Usually the way from the app to the IDM system is the more important one.

How are those rules enforced?

Nowadays almost all applications support directory services by LDAP integration. It’s important to use this integration for authentication and authorization.

Authentication

Authentication can be done by an LDAP call (ldapbind, ldapcompare) or offering single sign on (SSO). There are several options you can use for SSO. A common way for access within an intranet (or using VPN) is to implement Kerberos).

If you want to support access coming from Internet you need another technology, e.g. own implementation with a common cookie, OpenID, or other central authentication services.

Authorization

Systems using the directory service will retrieve the application role the user has been assigned to.

For legacy systems not offering a directory integration you need to provision this data (user and assigned app role). Data exchange in both ways gives you the knowledge what rules are really in place (hacked into the end system).

Huh, this post was getting longer than I thought.

Let me know your experience or opinion…