http://blogs.sun.com/alecm/date/20090830 Sunday August 30, 2009

Goodbye PAL01 ... oh, wait...

I've only ever made 6 postings to this blog, largely because I was always concerned about the risk of losing access to it... and now so I shall.


So, as a reminder, you are invited to read my more regular stream of thinkage at http://www.crypticide.com/dropsafe/.


Best wishes all.


- alec




Posted by alecm [General] ( August 30, 2009 07:48 AM ) Permalink | Comments[0]
http://blogs.sun.com/alecm/date/20050602 Thursday June 02, 2005

The Solaris 10 Security Feature Checklist / FAQ

... is now posted at http://blogs.sun.com/roller/resources/alecm/s10-checklist.html

Posted by alecm [General] ( June 02, 2005 12:41 PM ) Permalink | Comments[0]
http://blogs.sun.com/alecm/date/20050517 Tuesday May 17, 2005

Cafeteria Observation...

It's almost curious; I'm just back from a rather decent lunch in the cafeteria - roasted cajun chicken, cauliflower gratin, peas and sweetcorn drizzled with pesto dressing, followed by a chocolate cheesecakey thing - and was taken by quite the mood of optimism that did pervade the tables. A lot of people chatting, throwing their heads back and laughing, talking about "new opportunities" and "fresh air". It's all rather invigorating.

Posted by alecm [General] ( May 17, 2005 12:19 PM ) Permalink | Comments[0]
http://blogs.sun.com/alecm/date/20050503 Tuesday May 03, 2005

Webservers that still have a Sun logo for their favicon.ico

I am accruing a list of "webservers that still have a Sun logo for their favicon.ico" over at my other weblog - and someone's just pointed out that this includes all of the US "senate.gov" websites...

Posted by alecm [General] ( May 03, 2005 02:59 PM ) Permalink | Comments[4]

Solaris 10 Security Feature Checklist

So this is something I created and have been editor of for some while, and which has been used often as a quick reference for security features of Solaris; I don't consider it definitive, nor complete, nor error-free, but I do try and keep it up to date and accurate on a best-efforts basis, and it could probably benefit from a wider audience.

I'll post it here the once, and later (for future updates) upload it as a file so that it is browsable without swamping those people reading from aggregators.

But do please skim it just the once. It might open your eyes. And do please let me know of any bugs...

- alec 8-)


[ this posting elided in favour of the version posted at http://blogs.sun.com/roller/resources/alecm/s10-checklist.html ]

Posted by alecm [Security] ( May 03, 2005 01:38 PM ) Permalink | Comments[1]

"Three-Strikes" Password Security Considered Antiquated, Hazardous, Stupid and Wrong.

Here's a mildly-edited question which I was recently asked:

I'm getting grief from my boss that our application, which runs on Solaris 7, does not have sufficient logical access controls.

In particular:

1. password aging.
2. locking account after three unsuccessful log-in attempts.
3. lexical complexity (e.g. needs to be 8 chars with 2 numeric etc)

...and my response:

Solaris 7 is an old operating system from the perspective of security - it was released in 1998, for heaven's sake - and a lot of features have since evolved into the current release, Solaris 10. This is an effect of changing technology, customer demand, and (to be honest) Sun's corporate culture.

Looking at your points in specific:

  • "Password aging" of the "your password expires in two days' time" kind has basically been around since Solaris 2.0 or earlier; it came in with the password-shadowing scheme when Solaris merged with AT&T System V. Earlier revs of Solaris had this feature available via an alternative method, so in short: it has been available since the 1980s. Check the manual pages for "shadow" and "passwd".

  • Native "three strikes" password lockout is something that has only recently been added to Solaris 10, and that only in response to customer demand.

    This is because modern security geeks (myself included) tend to view "three-strikes" as a horrible, complicated, messy, stupid security risk, irrespective of the number of stuck-in-the-1980s VAX-VMS-based / IBM-mainframe-based customer security operations documents that demand it.

    The problems of "three-strikes" in the modern enterprise environment are legion: in modern distributed authentication directories - NIS, LDAP, etc. - there is typically no central authority counting the number of failed authentication attempts, generally for technical reasons. For example: LDAP is deeply sub-optimal for poking little bits of data like that back to a central place for immediate propagation to all replicas. No immediacy == no security.

    Even if there were a central authority that brokered this sort of information, it would be subject to flooding attacks by miscreants who could tie up that one service and thereby prevent anyone from authenticating in your enterprise, with significant business impact.

    You cannot architect around this risk by including a "timeout" or other "we've tried checking whether the user has struck-out but got no reply, so we'll let him in anyway" mechanism, because that defeats the whole point of the policy.

    Anyway - what merits being called "authentication" nowadays? Would you like it if you changed your system password, and then - having walked away for a coffee - your automatic IMAP-enabled mail client goofed-up three authentications and locked you out of your own system because you forgot to update the client?

    Typically, the answer to that one is "no"; on the other hand, if your three-strikes system does not cover IMAP, then someone will write an IMAP-based password cracker.

    Another implementational issue is that of "locking" - if you implement three-strikes checking because you're worried about password-guessing attempts, then I'll write a distributed program that establishes several thousand authentication attempts in parallel and simultaneously - so that unless your implementation is very clever / heavily locked / rather fragile and complicated, I will get one single shot at making seven thousand guesses.

    That's generally adequate.

    Further, three-strikes leads to weak operational security thinking: when I was a (quite wussy) university hacker back in the 1980s we did make sure only to try two attempts when probing for accounts where the password was the same as the username (eg: user: sysdiag ; password: sysdiag) because less than three failures would not be audited and we'd stay off the sysadmin's radar.

    So: in Solaris 10, Sun finally caved and implemented the functionality for non-root users (else I could try logging in as "root" with the (wrong) password "sesame" three times, and lock you out of your own system) and only for users where non-distributed, "files"-based directory services are being used.

    Anything else would just be stupid.

    Plus: frankly, it still is a greater business risk than it solves. If a hacker could get ahold of (or just guess) a list of all usernames on all systems in your enterprise, he could just go and poll each system, logging into each user three times with the (wrong) password "sesame", and lock all of your users out of all your machines.

    Verb Sap.

  • In Solaris 7, the following password construction restrictions are built-in / hardwired to the system:

    Extract taken from [docs.sun.com]

    Passwords must be constructed to meet the following requirements:

    Each password must have PASSLENGTH characters, where PASSLENGTH is defined in /etc/default/passwd and is set to 6. Only the first eight characters are significant.

    Each password must contain at least two alphabetic characters and at least one numeric or special character. In this case, "alphabetic" refers to all upper or lower case letters.

    Each password must differ from the user's login name and any reverse or circular shift of that login name. For comparison purposes, an upper case letter and its corresponding lower case letter are equivalent.

    New passwords must differ from the old by at least three characters. For comparison purposes, an upper case letter and its corresponding lower case letter are equivalent.

    ...and the wise system administrator shall no doubt have improved upon these PASSLENGTH (etc) security settings by investigating the possibilities afforded to him in the Solaris Security Hardening Toolkit, available at [www.sun.com]

    In Solaris 10 (of course) this has been significantly upgraded with a PAM module that can do comprehensive checking of the plaintext for "I am Paris Hilton and nobody will ever guess my dog's name" syndrome.
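The "locking" and "lock everybody out" points above are easiest to see by running them. The following is an added example, not code from the original post and not Sun's implementation: a toy lockout counter with a window between reading and writing the failure count (standing in for the round trip to a directory replica), hit by a burst of simultaneous wrong guesses. The user name, password, thread count and window length are all constructed for the demonstration. Serialising the counter closes the race, but the second function shows the residual problem the post describes: once the counter works, anyone who knows a username can lock that user out with three wrong guesses.

```python
import threading
import time

# Constructed sample credential store (not from the post): one user, one password.
CORRECT_PASSWORD = {"alice": "correct horse"}
MAX_FAILURES = 3  # "three strikes"


class NaiveLockout:
    """Check-then-act lockout: reads the counter, evaluates the guess, then writes
    the counter back after a delay that stands in for a remote directory update."""

    def __init__(self, window=0.25):
        self.failures = {}
        self.window = window

    def attempt(self, user, password):
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return "locked"
        if CORRECT_PASSWORD.get(user) == password:
            return "ok"
        seen = self.failures.get(user, 0)   # snapshot taken before the write...
        time.sleep(self.window)             # ...so every parallel guess sees the same value
        self.failures[user] = seen + 1      # and the increments overwrite each other
        return "denied"


class SerializedLockout(NaiveLockout):
    """Same logic, but the whole read/evaluate/write sequence runs under one lock."""

    def __init__(self, window=0.01):
        super().__init__(window)
        self._lock = threading.Lock()

    def attempt(self, user, password):
        with self._lock:
            return super().attempt(user, password)


def burst(store, user, n_guesses):
    """Fire n_guesses distinct wrong passwords at the same instant and report how
    many were actually evaluated against the real password."""
    results = []
    barrier = threading.Barrier(n_guesses)  # release all guessers together

    def worker(i):
        barrier.wait()
        results.append(store.attempt(user, f"guess-{i}"))  # constructed wrong guesses

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_guesses)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {
        "evaluated": results.count("denied"),
        "locked": results.count("locked"),
        "failures_recorded": store.failures.get(user, 0),
    }


def lock_out_victim(store, user):
    """The denial-of-service side: three wrong guesses from anyone lock the real user out,
    even when they then present the correct password."""
    for _ in range(MAX_FAILURES):
        store.attempt(user, "sesame")
    return store.attempt(user, CORRECT_PASSWORD[user])


if __name__ == "__main__":
    print("naive     :", burst(NaiveLockout(), "alice", 50))
    print("serialized:", burst(SerializedLockout(), "alice", 50))
    print("victim's correct password after 3 strangers' guesses:",
          lock_out_victim(SerializedLockout(), "alice"))
```

With the naive store all fifty guesses are evaluated and the recorded failure count never reaches three, because each writer stores its own stale snapshot plus one; with the serialised store only three are evaluated and the other forty-seven are rejected as "locked". The last line is the part no amount of locking fixes.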

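The Solaris 7 construction rules quoted above are precise enough to encode, which makes a useful checker when someone asks whether a proposed password would have been accepted. This is an added example in Python, written for this page and not Sun's passwd(1) code; it assumes PASSLENGTH is left at its default of 6, applies the eight-character significance limit the extract mentions to the composition and similarity checks, and takes "differ by at least three characters" to mean a position-by-position comparison over the significant characters with any difference in length counted as extra differences (that last reading is an assumption, not something the extract spells out).

```python
PASSLENGTH = 6    # default from /etc/default/passwd per the quoted extract
SIGNIFICANT = 8   # only the first eight characters are significant


def circular_shifts(s):
    """All rotations of s, e.g. 'abc' -> {'abc', 'bca', 'cab'}."""
    return {s[i:] + s[:i] for i in range(len(s))}


def check_password(new, old, login):
    """Return the list of Solaris 7 rules the new password violates (empty = acceptable).

    Codes: too_short, composition, login_derived, too_similar.
    Comparisons are case-insensitive, as the extract says."""
    problems = []

    if len(new) < PASSLENGTH:
        problems.append("too_short")

    sig = new[:SIGNIFICANT]                       # characters beyond 8 are ignored
    alpha = sum(c.isalpha() for c in sig)
    other = sum(not c.isalpha() for c in sig)     # numeric or special
    if alpha < 2 or other < 1:
        problems.append("composition")

    # Must differ from the login name and any reverse or circular shift of it.
    lname = login.lower()
    forbidden = circular_shifts(lname) | circular_shifts(lname[::-1])
    if new.lower() in forbidden or sig.lower() in forbidden:
        problems.append("login_derived")

    # Must differ from the old password by at least three characters (assumed:
    # positional comparison over the significant characters, length difference counts).
    if old is not None:
        a, b = sig.lower(), old[:SIGNIFICANT].lower()
        differences = sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))
        if differences < 3:
            problems.append("too_similar")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not from the post.
    for new, old, login in [
        ("abc123", "zzz999", "alice"),        # acceptable
        ("Sterce", "zzz999", "secret"),       # rotation of the reversed login, no digit
        ("ABC124", "abc123", "alice"),        # one character changed, case ignored
        ("abcdefgh9", "abcdefgh1", "bob"),    # the digit sits in the ignored 9th position
    ]:
        print(f"{new!r:14} vs old {old!r:12} login {login!r:9} -> {check_password(new, old, login)}")
```

The last sample is the one that surprises people: the only digit is in the ninth position, so after truncation the password is eight letters with no numeric character and is identical to the old one. Both rules fire, which is exactly why "only the first eight characters are significant" matters when a policy document demands "eight characters with two numerics".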
- alec



Posted by alecm [Security] ( May 03, 2005 12:07 PM ) Permalink | Comments[2]
http://blogs.sun.com/alecm/date/20050221 Monday February 21, 2005

normal service will be resumed very shortly...

Due to a temporary condition on PlanetSun, articles from dropsafe have been missing from the feed since late January; in order to prove that I am not actually dead (yet) or something, here's a short set of links to what you've all been missing:

Ego? Perhaps, but my daily hitrate has dropped from 7500-ish to 5000-ish over the last couple of weeks, so there must be a fairly significant influence from Planet Sun.

Posted by alecm [General] ( February 21, 2005 12:01 AM ) Permalink | Comments[0]

http://blogs.sun.com/alecm/date/20041214 Tuesday December 14, 2004

PlanetSun never seems to get advertised...

PlanetSun never seems to get advertised... let's fix that...

Much, much earlier this year, before blogs.sun.com was created, a brave soul named David Edmondson took it upon himself to create an aggregator for the blogs of all Sun employees, and he named it http://www.planetsun.org/

It still exists.

Moreover, unlike blogs.sun.com it aggregates all those, *plus* the blogs of a significant number of employees who choose to host their blogs elsewhere - and further it provides (I think) a nicer aggregate feed than does blogs.sun.com, what with titling articles with the name of the author, and other nifty features like that.

Also the HTML looks nicely minimalist.

If you're not aware of it, and/or are reading blogs.sun.com via RSS, then I do recommend you to go look.

http://www.planetsun.org/

Posted by alecm [General] ( December 14, 2004 08:29 PM ) Permalink | Comments[2]