07.08
Digital freedom fighters, EFF, are running a neat study on browser “uniqueness” to see how many different combinations of browser identification bits are out there and how easy it might be to fingerprint and track them. The theory goes that bad guys can use this information to track innocent people without their knowledge.
From the EFF’s browser tracking message,
“When you visit a website, you are allowing that site to access a lot of information about your computer. Combined, this information can create a kind of fingerprint — a signature that could be used to identify you and your computer. But how effective would this kind of online tracking be?
EFF is running an experiment to find out. Visit http://panopticlick.eff.org to learn how unique your browser is and if you can be tracked.”
It takes literally 30 seconds or less to visit EFF’s survey site, “personally identifiable information” is not logged, and it’s one more step toward digital freedom so go ahead and participate!
With 10,000 laptops stolen from airports alone each year, data encryption is an absolute must. What happens, then, if your fully encrypted system crashes and won’t boot? Here, we’re going to cover how you would go about recovering that data if it is encrypted with LUKS.
LUKS is an encryption standard most commonly used on Linux but can be used on other systems. It is the basis of Ubuntu/Debian’s (as well as others’) filesystem encryption, which can be installed using the alternate installation disc.
What you need:
- The LUKS passphrase (without that, you are out of [ahem] luck; otherwise, what would be the point of encryption?).
- Something to copy your data to, like a USB drive or another machine on your network. I recommend this even if you are planning on fixing/rescuing your OS. This way your data is backed up and safe no matter what happens afterwards.
- A “live CD” like the Ubuntu desktop installation disc or a Debian installation disc.
The process:
Boot the crashed machine with a “live CD” such as Ubuntu 4.09 or the Debian installation disc in recovery mode. When I did this on my own drive, I used an Ubuntu live CD. If you are using the Debian installation media, boot into rescue mode.
Become root to simplify things:
sudo su - (if using the Ubuntu CD)
su - (if using pretty much anything else)
Install the needed LVM and encryption tools:
apt-get update
apt-get install cryptsetup lvm2
Check to see what your device names are:
fdisk -l
You’ll see something like:
Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x41ab2316
Device Boot Start End Blocks Id System
/dev/sda1 * 1 18701 150215751 83 Linux
/dev/sda2 18702 19457 6072570 5 Extended
/dev/sda5 18702 19457 6072538+ 82 Linux swap / Solaris
Take a look at your LUKS header information here to ensure you’re going after the right one:
cryptsetup -v luksDump /dev/sda1
The first several lines of output should look something like this:
LUKS header information for /dev/sdb1
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 2056
MK bits: 256
If you ran luksDump on a partition not encrypted with LUKS, you’ll get a message like “Command failed: /dev/sda1 is not a LUKS partition”.
If that’s the right device, then go ahead and unlock it:
cryptsetup -v luksOpen /dev/sda1 sda1_crypt
The system should prompt you for a password and after entering it, you should see something like:
key slot 0 unlocked.
Command successful.
See which volumes are available:
lvdisplay
Activate the volume group (vgchange acts on the volume group, whose name is probably the same as the machine’s host name):
vgchange -a y volumename
Mount your filesystem:
mount -t ext4 /dev/volumename/root /mnt
Hopefully you can read your file system at this stage. If so, grab your files and back them up.
If the filesystem is corrupt and you can’t mount it, you can try the following. Your data may be lost if the filesystem is wrecked but it’s worth trying a few things to retrieve it.
Be sure the filesystem is not mounted when you do this. Also be sure to use the proper type of fsck (fsck or fsck.ext4) for your filesystem type. BIT ENGINE takes absolutely no responsibility for what happens when you perform these tasks — even if you follow them exactly as specified.
To identify where the back-up superblocks are (here and below, /dev/devicename is the device you tried to mount, e.g. /dev/volumename/root):
dumpe2fs /dev/devicename | grep superblock
If your filesystem type is ext2 or ext3:
fsck -b 32768 /dev/devicename (substitute one of the back-up superblock numbers from the output of the previous command for 32768)
If your filesystem type is ext4:
fsck.ext4 -b 32768 -y /dev/devicename
Hopefully, that fixes any errors. Try mounting again:
mount -t ext4 /dev/volumename/root /mnt
If your journal is messed up, you can try:
tune2fs -j /dev/devicename
Then try mounting again:
mount -t ext4 /dev/volumename/root /mnt
In my situation, my filesystem and journal were corrupt. After running fsck.ext4 (I run ext4, obviously) and tune2fs -j, I was able to mount it and search /mnt/lost+found for files (find /mnt/lost+found/ -name '*.odf' should get you there, substituting odf for whichever file type you need). Fortunately for me, all my important data was backed up and I was going through this as a test run in case I needed to do it in the future.
The biggest lesson here is one that cannot be overstated: always back up your critical data! Keep back-ups current and on a secure medium.
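As an added example that is not from the original post, the unlock, activate and mount steps above, plus the fsck-from-backup-superblock fallback, are put into one shell script with explicit checks. It assumes the partition and volume-group names are passed as arguments (/dev/sda1 and volumename are placeholders) and that cryptsetup, the LVM tools and fsck.ext4 are installed on the live CD.

```shell
#!/bin/sh
# Added example, not from the original post: the unlock -> activate -> mount
# steps above plus the fsck-from-backup-superblock fallback, as functions with
# explicit checks. /dev/sda1 and "volumename" are hypothetical placeholders.

# Print backup superblock numbers from dumpe2fs output on stdin, one per line.
backup_superblocks() {
    sed -n 's/^ *Backup superblock at \([0-9][0-9]*\),.*/\1/p'
}

# Succeed only if the luksDump output on stdin describes a LUKS header.
is_luks_header() {
    grep -q '^LUKS header information'
}

# Mount the filesystem; if that fails, run fsck.ext4 against each backup
# superblock in turn and stop at the first one that makes it mountable.
repair_and_mount() {
    dev=$1; mnt=${2:-/mnt}
    if mount -t ext4 "$dev" "$mnt" 2>/dev/null; then
        echo "mounted $dev on $mnt without repair"; return 0
    fi
    for sb in $(dumpe2fs "$dev" 2>/dev/null | backup_superblocks); do
        echo "fsck.ext4 with backup superblock $sb"
        fsck.ext4 -b "$sb" -y "$dev"; rc=$?
        # fsck exit status: 0 clean, 1 or 2 errors corrected, 4 and up still broken
        if [ "$rc" -le 2 ] && mount -t ext4 "$dev" "$mnt"; then
            echo "mounted $dev on $mnt after repair"; return 0
        fi
    done
    echo "could not repair $dev; data may remain in lost+found after a manual fsck" >&2
    return 1
}

# Verify the header, unlock (cryptsetup prompts for the passphrase),
# activate the volume group, then mount its root logical volume.
rescue() {
    part=$1; vg=$2; name=$(basename "$part")_crypt
    if ! cryptsetup luksDump "$part" 2>/dev/null | is_luks_header; then
        echo "$part is not a LUKS partition" >&2; return 1
    fi
    cryptsetup luksOpen "$part" "$name" || return 1
    vgchange -a y "$vg" || return 1
    repair_and_mount "/dev/$vg/root" /mnt
}

# Constructed dumpe2fs excerpt, used only to demonstrate the parser offline.
SAMPLE_DUMPE2FS='Group 0: (Blocks 0-32767)
  Primary superblock at 0, Group descriptors at 1-1
Group 1: (Blocks 32768-65535)
  Backup superblock at 32768, Group descriptors at 32769-32769
Group 3: (Blocks 98304-131071)
  Backup superblock at 98304, Group descriptors at 98305-98305'

if [ $# -ge 2 ]; then
    rescue "$1" "$2"       # as root: sh luks_rescue.sh /dev/sda1 volumename
else
    echo "backup superblocks in the sample dumpe2fs output:"
    printf '%s\n' "$SAMPLE_DUMPE2FS" | backup_superblocks
fi
```

Run with no arguments it only exercises the parser on the sample; with a partition and volume-group name it performs the rescue and leaves the filesystem on /mnt.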
This how-to was created with a lot of help from this document and a little help from this one.
From the man page, “ngrep strives to provide most of GNU grep’s common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump(8) and snoop(1).”
Perhaps the most significant difference between ngrep and tcpdump is that ngrep can analyze packet payloads whereas tcpdump only looks at packet headers and such.
ngrep is incredibly powerful and useful in finding out what’s happening on your network. The best way to show you what ngrep can do and how it’s done is by example. See some below.
Watching all traffic on the default interface:
ngrep -itq -W byline
Watching all traffic on eth1:
ngrep -d eth1 -itq -W byline
Watching all traffic on the default interface while searching for the string “testing”:
ngrep -itq -W byline testing
Watching all traffic on the default interface originating from 192.168.1.1:
ngrep -itq -W byline src 192.168.1.1
Watching all traffic on the default interface destined for 192.168.1.2:
ngrep -itq -W byline dst 192.168.1.2
Watching all traffic on the default interface with the gateway of 192.168.1.100:
ngrep -itq -W byline gateway 192.168.1.100
See more examples at http://ngrep.sourceforge.net/usage.html. Also check the man page for many more neat possibilities.
tcpdump is an advanced command-line packet sniffer. It is another one of those standard Unix utilities that really comes in handy when troubleshooting network issues (it has greatly helped me many times) and can teach you a good bit about how networking works.
tcpdump is installed on most Unix machines. If not, you can easily get it using the system’s package manager (e.g. up2date tcpdump, yum install tcpdump, or apt-get install tcpdump).
Also, you’ll probably need to be the root user when running tcpdump.
From the man page: “Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression.”
Here, we’ll go over some basic operations and briefly explain them.
The most simple operation is probably:
tcpdump -i eth0
Here the -i argument specifies the interface to listen on, which in this case is eth0. This type of capture is very broad and basically says, “report all traffic passing through eth0.” So, using tcpdump like this, we can see everything on all ports going to or from our local machine on eth0.
That’s pretty nice but to make tcpdump really useful, we need more:
tcpdump -i eth0 host hostname.domain.com
With the above line, we can see the same traffic but filtered by host. In this case we’d be seeing traffic to and from hostname.domain.com on all ports of eth0. You can use IP addresses instead of host names as well.
But what if we’re only interested in one port? Then:
tcpdump -i eth0 host hostname.domain.com and port 21
or
tcpdump -i eth0 host hostname.domain.com and port ftp
But what if we’re interested in all ports except one port?! Then:
tcpdump -i eth0 host hostname.domain.com and not port 22
The above line might be useful if you are ssh’d into a machine you want to see traffic on — the ssh traffic would really muddy the output unless you filtered it out.
You can also get even more fine-grained and fancy by doing something like
tcpdump -i eth0 src host hostname.domain.com and dst host host2.domain.com and port 21
As you probably guessed, src means observe data sent from the specified node and dst means observe data received by the specified node.
In troubleshooting, it’s often helpful to see the link-level headers, which include the MAC addresses of the parties to the conversation (-e argument). I usually also set the verbosity with -v or -vv (-vv gives even more verbosity). So a line with those options might look like this:
tcpdump -vv -e -i eth0 host hostname.domain.com
Sometimes, you will need to save the output of tcpdump to a file. This is easy since you can do all the usual Unix operations with tcpdump:
tcpdump -i eth0 host hostname.domain.com > filename
You can use grep as well:
tcpdump -i eth0 host hostname.domain.com | grep expression > filename
Using the -w argument is another way of writing output to a file; it saves the raw packets rather than text, and you can read them back later with -r.
Hopefully that is a good start. There are many more options and uses for this outstanding networking staple. Experiment and check the man page to see lots of other really cool stuff.
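An added example, not code from the original article or from tcpdump itself: once output has been saved with a redirect as above (run with -n so addresses stay numeric), a short awk pass over the text summarises who sent SYNs to how many ports. The capture lines below are constructed in the tcpdump 4.x text format, and the ten-distinct-ports threshold is an assumption to tune for your network.

```shell
#!/bin/sh
# Added example, not from the original article or from tcpdump itself: a first
# pass over text saved with "tcpdump -n -i eth0 > filename". The sample lines
# are constructed in the tcpdump 4.x text format for IPv4 TCP with -n.

# For each source host in the capture text on stdin, print
# "source syn_count distinct_destination_ports", one host per line.
syn_summary() {
    awk '$2 == "IP" && $6 == "Flags" && $7 == "[S]," {
        src = $3; sub(/\.[0-9]+$/, "", src)     # drop the source port
        dst = $5; sub(/:$/, "", dst)            # drop the trailing colon
        port = dst; sub(/.*\./, "", port)       # keep only the destination port
        syns[src]++
        if (!((src, port) in seen)) { seen[src, port] = 1; ports[src]++ }
    }
    END { for (s in syns) print s, syns[s], ports[s] }' | sort
}

# Print sources whose SYNs reached at least N distinct ports (default 10):
# a crude port-scan indicator that deserves a closer look, not a verdict.
flag_scanners() {
    syn_summary | awk -v n="${1:-10}" '$3 >= n { print $1 }'
}

# Constructed sample: one normal SSH exchange plus a host probing ten ports.
SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.1.5.40001 > 192.168.1.2.22: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 IP 192.168.1.2.22 > 192.168.1.5.40001: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:01.000003 IP 192.168.1.5.40001 > 192.168.1.2.22: Flags [.], ack 1, win 502, length 0
12:00:02.000001 IP 192.168.1.5.40002 > 192.168.1.2.22: Flags [S], seq 3, win 65535, length 0
12:00:03.000001 IP 10.0.0.9.50001 > 192.168.1.2.21: Flags [S], seq 4, win 1024, length 0
12:00:03.000002 IP 10.0.0.9.50002 > 192.168.1.2.22: Flags [S], seq 5, win 1024, length 0
12:00:03.000003 IP 10.0.0.9.50003 > 192.168.1.2.23: Flags [S], seq 6, win 1024, length 0
12:00:03.000004 IP 10.0.0.9.50004 > 192.168.1.2.25: Flags [S], seq 7, win 1024, length 0
12:00:03.000005 IP 10.0.0.9.50005 > 192.168.1.2.80: Flags [S], seq 8, win 1024, length 0
12:00:03.000006 IP 10.0.0.9.50006 > 192.168.1.2.110: Flags [S], seq 9, win 1024, length 0
12:00:03.000007 IP 10.0.0.9.50007 > 192.168.1.2.143: Flags [S], seq 10, win 1024, length 0
12:00:03.000008 IP 10.0.0.9.50008 > 192.168.1.2.443: Flags [S], seq 11, win 1024, length 0
12:00:03.000009 IP 10.0.0.9.50009 > 192.168.1.2.3306: Flags [S], seq 12, win 1024, length 0
12:00:03.000010 IP 10.0.0.9.50010 > 192.168.1.2.8080: Flags [S], seq 13, win 1024, length 0'

echo "per-source SYN summary (source syns distinct_ports):"
printf '%s\n' "$SAMPLE_CAPTURE" | syn_summary
echo "sources whose SYNs reached 10 or more ports:"
printf '%s\n' "$SAMPLE_CAPTURE" | flag_scanners 10
```

To run it over a real file, replace the printf with `syn_summary < filename` or `flag_scanners 10 < filename`.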
The tcpdump man page and http://www.hep.ucl.ac.uk/~ytl/monitoring/tcpdump_01.html were used as reference for writing this article.
Note: tcpdump displays information about packet headers and traffic, not the packet payloads. To see packet payloads, try tcpflow or wireshark.
There has been a lot of talk in Canada and elsewhere about our copyright law and if/how it should be changed. I recently responded to the federal government’s request for public input. I would have liked to say more to them about this but I thought it best not to turn the consultation to a dissertation.
They posed five questions pertaining to issues of copyright. See my answers below and if you have an opinion on this, you can even weigh in by visiting http://copyright.econsultation.ca/topics-sujets/show-montrer/18 and submitting your answers to the questions there via the e-mail address provided.
How do Canada’s copyright laws affect you? How should existing laws be modernized?
First, I am not yet convinced such laws need to be changed. Canada’s copyright laws affect all Canadians. We all read books, visit web sites, enjoy music, films, and so forth. If laws do need to be changed in any way, it should be through feedback from Canadian consumers (as with this survey and other forms of feedback); artists, and authors, as well as experts on copyright, such as Michael Geist (www.michaelgeist.ca). Copyright law should not be written or changed according to any demands from CRIA, the RIAA, MPAA, or the US government but rather exclusively according to the best interests of Canadian consumers.
Based on Canadian values and interests, how should copyright changes be made in order to withstand the test of time?
Unfortunately, it is likely impossible that copyright laws can be written to still be relevant many years from now. Times change and legislation needs revisiting from time to time. Thirty years ago, who could have predicted the mass adoption of technologies present today such as the Internet (in its present form), digital media, and MP3 players, and the capabilities they bring to people?
What sorts of copyright changes do you believe would best foster innovation and creativity in Canada?
I believe an open and flexible system with an emphasis on Creative Commons (or similar) (http://creativecommons.ca/ , http://creativecommons.org/) licensing. Prices should be kept low, restrictions on material, such as DRM should be discouraged or outlawed, and consumer rights such as fair use should be tantamount.
What sorts of copyright changes do you believe would best foster competition and investment in Canada?
We must create a climate where information is easily and cheaply available and available in the forms consumers would like to use it in. Technology should be embraced — not fought — as the new, efficient medium for storing and transmitting media such as music and film. Thanks to the power of the Internet, artists no longer need to be discovered and “get signed.” They can now publish their own music themselves and keep more of the proceeds than if they entered a contract with a record label. Most importantly, artists retain all the rights to their work when they publish content themselves instead of turning ownership of their material over to a record company. If the entertainment industries are permitted to continue on their current trajectory as I suggest, artists will earn more money and rights, consumers will have better quality, cheaper products and more rights, the marketplace will have much needed healthy competition, and there will be many small yet successful businesses involved instead of a few giant ones. Corporate record and film companies know this and that is why they are fighting tooth and nail to eliminate competition and innovation as much as they can. Their continued dominance depends on continued use of an obsolete monopolistic system where they hold all the power. The major record labels have run into problems lately not because of a lack of tools available to them but because of a failure to leverage the ones they had. The market fundamentally changed and they failed to act and meet market demands. When they did act, they did horribly — how could a practise of suing your customers (as was done by the RIAA in the US) not end badly?
What kinds of changes would best position Canada as a leader in the global, digital economy?
To be a leader in the global, digital economy, we must embrace current and innovate new technology; completely embrace freedom for individual people and operate according to their best interests (not those of corporations or their interest groups); and we need to be in touch with consumer needs and trends so we can continue to lead in the future by accommodating those needs.
Mike
I went ahead and upgraded KDE on my Kubuntu 9.04 work machine a few weeks ago and am pretty sure we can finally safely say the new KDE is ready for prime time. I’ve had some problems with the older releases in the 4.x series (even 4.2) and all the major issues appear to be gone. I’m even running 4.3 regularly on an alpha build of Kubuntu 9.10 and honestly can’t think of any desktop-related quirks at all on either system! Take a look for yourself — http://www.kde.org/announcements/4.3/index.php
Great work KDE team!
-Mike
SELinux is a great framework for securing systems but sometimes it can really get in the way of making things work properly if it’s not set up just so. Often, it’s a good idea to at least set SELinux to permissive (not enforcing) mode if you are troubleshooting a problem potentially caused by its operation. When in permissive mode, SELinux will not interrupt anything on the system at all; it will only log breaches of its set policies.
This document is just for the absolute basics of SELinux and particularly, how to set it to permissive mode or disable it if you wish. More information can be found at http://fedoraproject.org/wiki/SELinux
To see the status of SELinux:
sestatus
You’ll see something like this:
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
The mode, enforcing, means that it is enforcing SELinux policy.
You can change the mode by using the setenforce command.
To disable enforcement:
setenforce 0
To enable enforcement:
setenforce 1
Once enforcement is disabled, SELinux will no longer actively operate on the system. It will only warn in a log file when the set policy is violated so it should not interfere with the normal operation of the machine while in this state.
To completely disable SELinux, edit /etc/selinux/config and set the SELINUX= parameter to disabled. There are some comments in that file to provide hints on this. After editing the file, you must reboot for it to take effect.
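An added example, not from the original post: a small check that reads sestatus output and flags a machine left in permissive mode after troubleshooting, or whose running mode no longer matches /etc/selinux/config (the usual result of setenforce without editing the file, or the reverse). The sestatus sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: a check for a machine left in the
# troubleshooting state described above (setenforce 0 and never back). It reads
# sestatus output and compares the running mode with the config-file mode.

# Print the value of a "Label: value" line from sestatus output on stdin.
sestatus_field() {
    sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# Verdict on sestatus output from stdin. Exit status: 0 enforcing and the
# config file agrees; 1 permissive, or runtime and config file disagree
# (setenforce without editing /etc/selinux/config, or the reverse); 2 disabled.
selinux_verdict() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sestatus_field "SELinux status")
    cur=$(printf '%s\n' "$out" | sestatus_field "Current mode")
    cfg=$(printf '%s\n' "$out" | sestatus_field "Mode from config file")
    if [ "$status" != "enabled" ]; then
        echo "DISABLED: set SELINUX=enforcing in /etc/selinux/config and reboot"
        return 2
    fi
    if [ "$cur" != "$cfg" ]; then
        echo "DRIFT: running $cur but config file says $cfg; the runtime setting will not survive a reboot"
        return 1
    fi
    if [ "$cur" != "enforcing" ]; then
        echo "PERMISSIVE: policy violations are only logged, not blocked"
        return 1
    fi
    echo "OK: enforcing, and the config file agrees"
    return 0
}

# Constructed sestatus output for a box where someone ran "setenforce 0"
# while troubleshooting and did not switch back.
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted'

if [ "${1:-}" = "--live" ]; then
    sestatus | selinux_verdict          # check this machine
elif printf '%s\n' "$SAMPLE_SESTATUS" | selinux_verdict; then
    echo "(exit status 0)"
else
    echo "(exit status $?)"
fi
```

The exit status makes it usable from cron or a monitoring check: anything other than 0 means enforcement is not in place.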
Project description at insecure.org, “A Java based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting.”
No installation is necessary since Paros is a full Java application. Just download it (http://www.parosproxy.org/download.shtml) and run the jar file. In Unix, just do this:
java -jar paros.jar
In Windows, you can just double-click on it or do whatever it is you Windows people do.
Disclaimer: Only run Paros on systems you own or have permission to scan! You have been warned — don’t blame us if you get in trouble doing something you shouldn’t.
Once you start up the application, you will be presented with a Java GUI. Paros, like ratproxy, WebScarab, Burp Suite, and others, uses its own proxy server to capture and analyze traffic going back and forth between the client and server. Paros’ proxy runs on port 8080. I (Mike) have an entry in my FoxyProxy Firefox add-on for the Burp and Paros proxies since they use the same host and port. I highly recommend using FoxyProxy when using Paros or any of these proxy-based tools.
Paros will generate an HTML report after it performs an analysis. Open the report in a web browser to see the output, which is fairly self-explanatory.
At the top of the report is a summary of alerts telling the reader how many issues of each risk/severity level it has found. Below this summary is the list of security items, with high-risk items appearing closer to the top. Each item has a brief description; a URL where the issue may be reproduced; parameters passed to the application (if applicable); “other information,” which can be the category of the issue, such as “SQL”; a list of possible solutions or suggestions; and some external references to check for more information.
Paros also contains the following tools:
Official documentation can be downloaded at http://www.parosproxy.org/download.shtml. There is a good amount of information on Paros elsewhere on the web, found with a quick Google search.
There is great news for those of us who have to log into Office Communications Server (formerly Live Communications Server) at work — the SIPE project has resumed and has released a very functional version (now at 1.5).
SIPE is a plug-in for Pidgin, allowing it to log in and exchange messages on an LCS server (Communicator server).
https://sourceforge.net/projects/sipe/
Installing SIPE is more of an “advanced user” operation as it currently must be compiled. Lucky Ubuntu 9.04 (Jaunty) users can install SIPE simply by running “sudo apt-get install pidgin-sipe” at the command line. I believe packages for Red Hat/Fedora/CentOS are not yet available in their yum repositories.
Visit the SIPE project page and forums (https://sourceforge.net/forum/forum.php?forum_id=688534) for more information as well as installation instructions.
Basically, the install procedure is like this:
sudo apt-get install pkg-config libglib2.0-dev libgtk2.0-dev pidgin-dev libpurple-dev libtool intltool comerr-dev
Then do the following:
tar -xjvf pidgin-sipe-*.tar.bz2
cd pidgin-sipe-*
./configure --prefix=/usr
make
sudo make install
(or run make install as root)
I’m quite sure you also need the build-essential meta package to compile the code if using Ubuntu or similar.
If you have any questions or need any more information, post to the SIPE forum (after reading all the readmes and information already provided, of course). http://sipe.sourceforge.net/install/ has more installation instructions, including those using the developer’s unofficial Ubuntu repository and installing from the latest git commits.