08 May 2006
Security Sun Alert Feed

Sun publishes Sun Alerts to warn users about product issues. A Security Sun Alert is published for every security vulnerability found in supported Sun products.
You can subscribe to a weekly summary email of all Sun Alerts. Hoping that an RSS feed is one way to propagate the news on the net, I wrote a small web-scraping script that looks at the SunSolve Sun Alerts page on an hourly basis and posts a summary of all recently published or updated Security Sun Alerts to the Sun security blog (http://blogs.sun.com/security).
Apart from Sun Alerts you may also find notes there about product security issues (like the AMD64 FPU issue, to which Linux and BSD were vulnerable, but not Solaris!).
See also alertpool, which aggregates security alerts from major vendors and sites.
25 Mar 2006
Parsing Sun Alerts

If you want to parse a Sun Alert to get metadata like its synopsis, product, state etc., here is something more than plain old regular expressions. It is an XSLT transform that reads a Sun Alert HTML file and prints just the metadata in plain text format.
Use xsltproc(1) to process the Sun Alert this way:
$ /opt/csw/bin/xsltproc --html saplain.xsl 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-102262-1' 2>/dev/null
Sun Alert ID: 102262
Synopsis: Security Vulnerability in sendmail(1M) Versions Prior to 8.13.6
Category: Security
Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System
BugIDs: 6397275
Avoidance: Workaround
State: Workaround
Date Released: 22-Mar-2006
Date Closed:
Date Modified: 24-Mar-2006
The intent is to channel this metadata into an RSS feed, so those who prefer an RSS feed for Sun Alerts can get them that way. Watch this space for more to come.
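As an added illustration of that next step (this is not code from the post, and the saplain.xsl stylesheet itself is not reproduced here), a Python script that takes the plain-text output above and turns it into an RSS 2.0 item. The document URL pattern is derived from the xsltproc example; the guid built from the alert ID plus its modification date is my assumption, chosen so that an updated alert reappears in feed readers.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from email.utils import format_datetime

# Constructed sample: the xsltproc output shown above, captured as one string.
SAMPLE = """\
Sun Alert ID: 102262
Synopsis: Security Vulnerability in sendmail(1M) Versions Prior to 8.13.6
Category: Security
Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System
BugIDs: 6397275
Avoidance: Workaround
State: Workaround
Date Released: 22-Mar-2006
Date Closed:
Date Modified: 24-Mar-2006
"""
# URL pattern derived from the xsltproc example: assetkey=1-26-<Sun Alert ID>-1
DOC_URL = "http://sunsolve.sun.com/search/document.do?assetkey=1-26-%s-1"

def parse_alert(text):
    """Parse 'Key: Value' lines into a dict; an empty value (Date Closed) becomes None."""
    meta = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:  # ignore anything that is not a Key: Value line
            meta[key.strip()] = value.strip() or None
    return meta

def alert_to_rss_item(meta):
    """Build one RSS <item>; ElementTree escapes '&' and '<' so the feed stays well-formed."""
    alert_id = meta["Sun Alert ID"]
    modified = datetime.strptime(meta["Date Modified"], "%d-%b-%Y")
    item = ET.Element("item")
    ET.SubElement(item, "title").text = "Sun Alert %s: %s" % (alert_id, meta["Synopsis"])
    ET.SubElement(item, "link").text = DOC_URL % alert_id
    # Assumption: guid = ID plus modification date, so an updated alert reappears as a new entry.
    guid = ET.SubElement(item, "guid", isPermaLink="false")
    guid.text = "sunalert-%s-%s" % (alert_id, modified.strftime("%Y%m%d"))
    ET.SubElement(item, "category").text = meta["Category"]
    ET.SubElement(item, "pubDate").text = format_datetime(modified)
    ET.SubElement(item, "description").text = "Products: %s. BugIDs: %s. State: %s." % (
        meta["Product"], meta["BugIDs"], meta["State"])
    return item

if __name__ == "__main__":
    print(ET.tostring(alert_to_rss_item(parse_alert(SAMPLE)), encoding="unicode"))
```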
16 Dec 2005
Security Ideas for Solaris University Challenge Contest

Here are some security ideas that come to my mind to suggest for the Solaris 10 University Challenge Contest.
- Come up with an exploit prevention mechanism, maybe using DTrace. For example, assume a new security vulnerability is discovered in Apache; before patches are available for Apache, your mechanism would prevent Apache from being exploited if there is an attempted exploit. You may use some "Process Destructive Actions" in DTrace, or you may do something more innovative and less harmful.
- Write a modern fuzzer for OpenSolaris that parses SGML man pages and automatically figures out command line arguments and environment variables, or uses DTrace to dynamically find these. It could also fuzz library calls and system calls. It could do many more tests, like giving large arguments, large environments, and large and random files as input. Whether you win the university challenge or not, you will certainly be a hero in the eyes of the security community. You would also get a totally worthless but sincere acknowledgment in our Security Sun Alerts.
- Use the concepts of LiveSystem to visualize security roles, profiles(1), auths(1), user_attr(4), privileges(5) and other security features in Solaris 10. This configuration is currently spread over multiple files, and it is difficult to get the big picture.
- Create a "system integrity verification OpenSolaris liveCD" that boots from a CD, detects any Solaris 10 instances on the hard disk, then verifies the Solaris ELF signatures of system binaries using elfsign(1) verify, and reports a summary if it found anything tampered with. Could be useful if you suspect your system was compromised.
More later as I dig through my notes and home directory...
02 Dec 2005
The "pop-up blocker myth"

While a friend of mine was using his Windows laptop, I noticed that there were Internet Explorer windows popping up once in a while. He would just close them or ignore them. It never occurred to him that those were spyware, adware and other trojans (malware), which might be doing anything from capturing his keystrokes to implanting backdoors for more adware to occupy his machine.
I asked him to download and run the malware removal tool from Microsoft, and it detected dozens of trojans and other malware. (Thank you Microsoft!)
Thinking about this, I realize that there is a myth about "pop-up blockers" - a misconception created by advertisements of ISPs or browsers. People think that pop-ups are some sort of pest inherent to using the Internet: you need to buy XYZ or some pop-up-blocking service to get rid of them. They are like mosquitoes; you need some mosquito repellent to get rid of them, but it is not much of a harm if you can live with them.
Searching for "pop up blocker" does show many advertisements that fuel this misconception.
Get the facts clear: if there are windows popping up, it means your system is hacked and something terribly bad has happened! You should format your Windows partition and either install something secure like Solaris or reinstall Windows and upgrade to the latest patches.
BTW, notice the search results in Google for "pop up blocker": there is a bug in Google's results. The very first hit does not even contain the words popup or blocker but gets ranked as the number one hit!
15 Nov 2005
Second FIRST VendorSIG

I am at the FIRST Technical Colloquium in North America this week. Derrick will be discussing Responsible Security Coordination with Open Source in the second meeting of FIRST Product Security Teams, aka VendorSIG, focusing mainly on how we still do responsible security vulnerability handling with OpenSolaris.
Monday was the plenary session, including a dinner at TGIF on El Camino. Once again, these FIRST gatherings are a great place to meet the heroes who fight the criminal underworld and safeguard the Internet and the global computing infrastructure, working together across countries and companies.
16 Sep 2005
Maintaining Passwords

Referring to Sara's post, here is how I manage my passwords. I have three classes of passwords:
- A. Really important passwords: these change often; used for corporate accounts, bank accounts etc.
  - I use one or two silly phrases whenever I have to generate them, for example "Alice stole Bobs tarts". The phrase can be in any language and need not be grammatically correct. The longer the better.
  - For each different account I add one or two words. For Bank of America it becomes "Alice stole Boa tarts"; for CitiBank "Alice stole Bobs tarts in the city".
  - I then distill or transform the phrase into a word of 8 or more characters: AlStBoaTts or a(s*TBoTacty. The transformation method is known only to me, and I might use special random characters in between. Since I apply this method often, I remember it well.
  - I then make a note of the phrase in an encrypted file (using vault).
  - When I change the password for one account, I change them all.
- B. Important passwords: these change rarely; root passwords, user passwords, etc. Again a long, transformed silly phrase, different for each account. The phrase is noted down in an encrypted file (using vault).
- C. Unimportant passwords: these never change; for websites that require a password for the sake of a password. I use one of four or five of my regularly reused passwords (like abcd1234).
(Oops, did I give away too much information about my passwords? :-)
16 Sep 2005
Solaris crypto + zenity

Here is a small Perl GUI/zenity script in my ~/bin named vault (25 comment + 100 Perl lines) that demonstrates a vault-like feature to store snippets of important information encrypted on disk (or in your home directory).
To use it you must have a key file in /etc/keys/username and make sure it is not readable by anyone else.
Usage is simple: vault file
It can also decrypt files encrypted by GPG.
Advantages: it manages the decrypted plain text files in safely created directories in /tmp and cleans them up when you exit, so you don't have to leave the plain text files on disk or in a terminal window.
Tags: Security, Encryption, OpenSolaris
Copyright (cc) 2004-2006 by Chandan