Category: MeetUps and Presentations

Operation WTF Hackathon by cyberstorm.mu – Day 2

  05/16/2016       Nitin J Mutkawoa      Add Comment

After having set up our network environment for the operation WTF, cyberstorm.mu team started working on several vulnerabilities around WordPress content management system. It started on Saturday the 14th of May where several proofs of concept (POC) were established. I was shocked to see how come it is easy to exploit a WordPress website. For security purpose, we have to blank parts of  URLs before posting on social networks. No wonder, Loganaden Velvindron of cyberstorm.mu did not hesitate to give his opinion on Medium.com“Many bloggers use it, because it is both easy to set up, and there is a rich ecosystem of WordPress plugins. WordPress has often been criticized due to its security record. What is more worrying is the varying quality of the WordPress plugins.” 

POC - Vulnerability found !
POC – Vulnerability found !

Operation WTF – WordPress Tiny flaws end up on Sunday the 15th of May 2016 after lines of codes were fixed up from many WordPress plugins. We can also notice how dangerous it is if a proper audit is not carried out on WordPress before putting a website to production. Here is another example where the /etc/passwd was retrieved by hackers Mauritius.

CiZlRQFXEAA7Qbq

Patches were also written to fix up bugs. However, it is to be noted that for security reasons patches are not disclosed for the time being as at cyberstorm.mu we follow ethical rules and the aim to stay within the grey line is of paramount importance. 


   MeetUps and Presentations, Security      , ,

Operation WTF Hackathon by cyberstorm.mu – Day1

  05/13/2016       Nitin J Mutkawoa      Add Comment

If you have been following the recent activities of cyberstorm.mu those days, you would surely notice a new hackathon organized by the same team – Operation WTF with the aim to hack around WordPress security vulnerabilities. The event happened at Pereybere.

Though we did not have any network connection, the guys started with the setting up of the network cables. We used the Emtel WIFI Plus. The team set up the Antenna on top of the building as we did have a DNS issue. We then used a router with OpenWRT to boost our connection and a WIFI extender to boost the signal.

Screenshot from 2016-04-22 21-30-38At the time I am writing this article, the hackathon is still going on. Keep in touch to follow our activities.


   MeetUps and Presentations      , ,

Hackathon in Mauritius – Operation SAD

  04/29/2016       Nitin J Mutkawoa      Add Comment

We did it! The hackathon in Mauritius with title Operation SAD – Search and Destroy is a success. Who are the cyberstorm.mu winning team? Well, its a group of Linux developers residing in Mauritius who are happily improving the security of Linux An audit is first performed on the Linux platform and several security vulnerabilities are fixed. That is how the name “Search and Destroy” gets its name. It was proudly hosted by ISVTEC, a Linux firm operating in Mauritius.

DAY 0 – A briefing was carried out. We started at around 09.30 hrs setting our laptops. I always feel the need for a second screen to save time. The briefing was carried quickly on a whiteboard. I am happy how all the necessary tools were provided at the ISVTEC conference room. More details on this link by LoganOperation SAD – DAY 0

DAY 1 – The hacking team were so fast. Everyone reached ISVTEC more early. It was so intense that I almost forgot lunchtime. All codes were submitted and some reviews were extremely fast. A whiteboard was of great help as soon as a project is completed we are moving to the other one. You can check out another article for Day 1 by Logan – Operation SAD – Day 1

A debrief session was carried out by Logan after the patches were submitted. I would sincerely thank Cyril and of course the staff of ISVTEC who has welcomed us since the very first day of the Hackathon. Indeed, an immense success from the winning team.

As announced some days back, cyberstorm Mauritius team will be at Flying DODO Bagatelle conference room as from 13:00 hrs to give a resume about the work done. We have the pleasure to hear from Avinash Meetoo, CEO of Knowledge7 for a superb speech.


   MeetUps and Presentations      ,

Hackathon Mauritius 2016

  04/08/2016       Nitin J Mutkawoa      Add Comment

Cyberstorm.mu, a rebranded name from another group due to trademark issue is the first Linux and Open source developers team in Mauritius. A hackathon with the theme – SAD “Search and Destroy” will be organized for 2 consecutive days. Members of Cyberstorm Mauritius will have to fix up the maximum possible bugs on several opensource software including OpenSUSE Linuxther linux distributions.

It takes place on Thurday 28th and Friday 29th of April 2016 hosted by ISVTEC at its own office.

Operation SAD
  • What is operation S.A.D?

Operation S.A.D nick named, search and destroy, is the first Linux hackathon we will be holding in Mauritius to massively fix some security issues in some Opensource software right now, we’ll be dealing with some crypto code which many enterprise, users and embedded appliances are relying upon daily.

  • What is a hackathon?

“In June of 1999, OpenBSD held the first hackathon. In the months leading up to this, either Theo or Niels Provos had coined this new word “hackathon”. “Here also we wish to adhere to that same idea of a hackathon.

  • Is everybody invited in a Hackathon?

Quoting from the ones who coined the word hackathon:“Hackathons attendees come by invitation only. Some new people in the community who show promise are sometimes invited to see if they have what it takes. However, hackathons are not developer training events.”

In 3 days we have to focus in fixing the maximum bugs that we can. Remember this is hopefully going to make some burst of patches from our small island, which is kinda cool 🙂

Next time somebody says that we didn’t invite the whole world to participate in the hackathon, you can reference to this. Ever wondered how many lines of code you can write if you need to focus on getting others up to speed? If you are a developer and reading this, you will know, this is not about your technical knowledge, but mostly about the entire procedures to get code from nothing up to production. There will be the time for the walk throughs also, but that will be for another project.

  • Why an event when no one is invited to participate?

Not at all, on the 30th of April, we shall have a presentation openned to the public, to talk a bit about what we did during the hackathon, how opensource software development contribution works in general AND forget not, the new changes that have been submitted upstream. We will bring this in a form that Mauritian tech people can understand it.

  • Prizes?

Yes, despite there are rumors by some people who do not quite understand how a hackathon works, we are actually offering some prizes to 3 people who can actually solve a set of challenge we are making. The top 3 highschool students who manages to do them based on our criteria set, will get a small walk-through with us first, and will get each a seat for the hackathon. We are targeting youngsters here, but the learning process, that skillset or instinct needed to make someone a hacker needs to be built with passion and the perfect age is when one is young enough.

  • Who is invited on the 30th?

Members of the IT community in Mauritius or elsewhere is invited to join in on Saturday the 30th of April. We shall update you with the correct information as we go along.

  • More information will be posted
  • Sponsors

All of our thanks goes to ISVTEC who is going to host our hackathon. We can truly recommend ISVTEC for all your managed services needs (please visit their website for details about the long list of services provided). Many thanks to silent sponsors of cyberstorm.mu also who wishes to remain silent


   MeetUps and Presentations     

MariaDB and improved security features presentation

  02/27/2016       Nitin J Mutkawoa      3 Comments

If you have been following the MSCC – Mauritius Software Craftsmanship Community some weeks back, you would have noticed a forthcoming meetup on MariaDB and improved security features spoken by Joffrey Michaie from OceanDBA and Codarren Velvindron from the cyberstorm Mauritius. Thanks to Jochen Kirstätter (joki) founder of the MSCC who proudly sponsored the event.

mariadb

12784250_10153937032372365_1053507839_n

Joffrey at the MariaDB meet up

1915707_190175371353387_934013232802437990_n

Some craftsmans at the Meet up

1935103_190175328020058_3787078129675559662_n

Codarren explaining Glibc

12801299_190175304686727_3455294414280043217_n

Logan and me from hackers Mauritius

10399406_190175258020065_1829899531834394151_n

Codarren and me from hackers Mauritius

12718230_190175168020074_27057020749688372_n

Can you spot where am i ?

Screenshot from 2016-02-28 00-06-47

Jochen. founder of MSCC

Loading image...Loading image...Loading image...Loading image...Loading image...Loading image...Loading image...

The first part of the presentation started with Joffrey who gave a brief introduction of MariaDB and the importance of its security features. He also laid heavy emphasis on the backup concepts that DBA need to go through. What are most interesting are that there seem two additional services that are coming on from OceanDBA – Backup as a Service and DB as a service.

Other points raised up concerning the importance of backups are to start a clustering solutions, to perform analysis and several tests on the Pre-production or staging servers. Database backups also need to be tested as there can be corrupted zip files. Another interesting issue raised up is about the locking table mechanisms during backups. Other backup strategy and concept were also explained such as:

  • Cold backups – The downtime issues were raised up which according to me does not look practicable unless there is really a specific reason
  • Hot backups – Usually carried out by the MySQLDUMP utility by everyone.
  • Logical backups – Data that are usually backup as tables, views, indexes etc.. and they are mostly human readable statements. logical backups can be performed at the level of database and table.
  • A tool that is completely new to me is the mydumper which can be used to backup terabytes of data. Some interesting arguments raised up are –lock-all-tables –skip-lock-tables and –master-data
  • Binary backups – The binary backup which is the copy of the actual database structure and requires a file system or disk subsystem access. It is one the fastest method to backup and very compatible for mixed MYISAM and INNODB tables.
  • HA (High availability) as the backup – Usually used in clusters and in Galera replication. However, to ensure that there is no data loss, a SAN replication was also recommended for data centers.
  • Time delay replication – This was explained by taking an example, say a one hour delay backup based on the risk management that has been carried out.
  • The Percona tools which can be used alongside MariaDB for backup Analysis.

On the second part of the presentation, Codarren lays emphasis on the security aspects concerning MariaDB in the context of whether to use Glibc or MUSL. Glibc libraries are used on mail servers, SQL servers, forms etc.. Back to the Glibc Ghost vulnerability, an explanation was given by taking a web-based form application where a particular field when filled with malicious information can be used to make calls to Glibc library with the intention to return a specific value. To re-mediate at that situation, same was patched using the function getaddressinfo() This patch lead to another vulnerability. Since today, we can deduce that though Glibc has gone through the various patch, yet, there are more bugs that have been discovered.

A solution was thus proposed to adopt the MUSL library infrastructure. We can see that the MUSL has a clean code policy compared to Glibc. Coddarren laid emphasis on the Alpine Linux operating system which is naturally based on MUSL. The size of Alpine compared to CentOS, Ubuntu, Debian are much smaller. Other issues raised are on the Grsecurity aspect which though is not widely spread are a very important aspect to take into consideration. MUSL looks to be very promising compared to GLIBC. Another analogy is taken from the Docker technology where companies are adapting Alpine Linux in the production environment to escape Glibc.

ice_logo-5dcea9e47b780ff52f75c3c3304d54827f56211e

The third part of the presentation was continued on by Joffrey on the Galera clustering solution. An explanation is given using a schema how replication is being done at the cluster level. Several particular Database schemas were taken for example where a node with a cluster which is slow in terms of network or infrastructure issue where the other servers will have to wait for the request to reach its destinations. Other points mentioned are:

  • Split brain in Galera where human interactions are needed especially where the ratio of the number of nodes have different data from other nodes within the same cluster. 
  • The importance of having applications built-in with retrying logic.
  • Galera conflict diagnostic. For example cert.log which is used to log and monitor conflict transactions.
  • Features such as auto-commit mode.
  • Galera load balancing using Haproxy – custom monitoring on cluster size.
  • MariaDB Maxscale which operate at layer 7 persistent connection.
  • Maxadmin command line utility to list servers that are in the cluster

Jochen has also laid emphasis on future meetups and the proposal for members if they could find other suitable environments to carry out more interesting meetups in days to come. No one could deny that they have not learned anything. Indeed, the meet up was really interesting and fruitful. Some stickers were shared having the MariaDB logo which I have already pasted at the back of my Laptop 🙂


   Database Systems, Linux Application, MeetUps and Presentations, Security