Tag: security

Tunnelix.com is now IPv6 ready! Are you?

Validated by IPV6-test.com, Tunnelix.com is now IPV6 ready. Woohoo.. I now have the IPv6 validation button 🙂 Can you spot it?

So, what is exactly IPV6-test.comIPv6-test.com is a free service that checks your IPv6 and IPv4 connectivity and speed. Diagnose connection problems, discover which address(es) you are currently using to browse the Internet, and what is your browser’s protocol of choice when both v6 and v4 are available. 

How I got an IPv6 address?

If you are running a low-cost budget blog, I would recommend you to try out Cloudflare to have made maximum use of the free IPV6 address that you can activate on the network tab. The IPv6 compatibility option is not activated by default.

Screenshot from 2016-07-17 10-55-06

Cloudflare provide both free and paid service for CDN service, security, DDOS protection etc… However, the IPv6 address is a free one. 

Why you might need to start moving towards IPv6 ?

Loganaden Velvindron of cyberstorm.mu recently shed some light in his Medium blog after attending the National Innovation Framework in Mauritius “The other issue that I think is strongly lacking are the remaining IPv4 resources left in our region to be able to make Internet of things a reality. There are currently 26.4 million of IPv4 addresses left, and it keeps shrinking at a frightening rate.” The world is running out of IPv4 addresses. I think we need to move on quickly on the IPv6 world because of Internet of Things (IoT) will depend on IPv6.

What is an IPv6? What are the parts of an IPv6 ?

Lets now get on the technical parts. As you should know already IPv4 use 32 bits infrastructure whilst an IPv6 use 128-bits which makes an IPv6 a lot more longer. Here is an idea of a representation of an IPv6 adress.

Photo credits: zeusdb.com
Photo credits: zeusdb.com

As you can see IPv6 address is composed of 8 segments of 4 hexadecimal strings. A simple math is by multiplying 8×4=32 then 32×4= 128 bits. When representing IPv6 addresses, zeroes are compressed and leading zeroes are further compressed by representing it with “: :” . See picture above.

The internet might run out of room

Since 2012, Vint Cerf, Chief Internet Evangelist at Google, and a founding father of the Internet, discussed the next version of the Internet, IPv6, and why we need it. Just as phones use a system of phone numbers in order to place calls, every Internet-connected device gets a unique number known as an “IP address” that connects it to the global online network. Watch out the video

 

 

Operation Prison Break by cyberstorm.mu – Sandboxing and Firejail

This is yet another successful hackathon carried out under the umbrella of cyberstorm.mu. Branded by the theme “Operation PB – Prison Break”, members of cyberstorm.mu shows skills of security innovations. We have also Rahul who is our proud newest member has created Sandboxing on  Strings

[google_ad data_ad_slot=” data_ad_format=’rectangle’]

Photo credits: skycure.com
Photo credits: skycure.com

Our task was to find out vulnerabilities in a linux application and create a Firejail environment. Firejailing is the art of using a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount tableFirejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. The software includes security profiles for a large number of Linux programs: Mozilla Firefox, Chromium, VLC, Transmission etc. To start the sandbox, prefix your command with “firejail”.

I decided to chose the CPIO, a tool to copy files to and from archives which recently was find to be vulnerable to DOS attack. Cvedetails.com explained the CVE-2016-2037 vulnerability where the cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file. In brief, when a user is going to decompress a file, a user will be able to pass out file for the purpose of the attack. This has been achieved by QuickFuzz.

To sandbox the CPIO tools when decompressing files, Firejail application was used to isolate the program by making use of the syscalls. Here is the firejail environment :

You need to watch this video to understand firejail before reading the Profile 🙂

include /usr/local/etc/firejail/server.profile
include /usr/local/etc/firejail/disable-common.inc
include /usr/local/etc/firejail/disable-programs.inc
include /usr/local/etc/firejail/disable-passwdmgr.inc
caps.drop all
seccomp write,read,open,close,execve,access,brk,umask,munmap,fchmod,mprotect,mmap2,lstat64,fstat64,geteuid32,fchown32,set_thread_are,prctl,setresuid32,getgid32,setgroups32,setgid32,getuid32,setuid32,fcntl64,clone,rt_sigaction,nanosleep

Here are what participants in the hackathon are saying:

To prevent further vulnerabilities such as shown below from being used to target users, this firejail profile has been made. https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-1670/GNU-Gzip.html – Yash

[google_ad data_ad_slot=” data_ad_format=’rectangle’]

Decompressing .xz file within a sandboxing environment is just fascinating – Akhil

Many shell users, and certainly most of the people working in computer forensics or other fields of information security, have a habit of running /usr/bin/strings on binary files originating from the Internet. Their understanding is that the tool simply scans the file for runs of printable characters and dumps them to stdout – something that is very unlikely to put you at any risk. – Rahul

Previous hackathons carried out by cyberstorm Mauritius are as follows:

Activating MariaDB Audit log

“The purpose of the MariaDB Audit Plugin is to log the server’s activity. Records about who connected to the server, what queries ran and what tables were touched can be stored to the rotating log file or sent to the local syslogd.”MariaDB. The MariaDB  Audit Plugin works for MariaDB, MySQL and Percona server.

Photo Credits: MariaDB
Photo Credits: MariaDB

Links and Basics

Let’s see how to install the MariaDB audit plugin to retrieve all activity on the database server. I am actually testing it on a MariaDB 5.5 series database. You can use a 10.1 series if you want. For MariaDB installation there are articles which i have posted some times back such as MariaDB Galera cluster installation, MariaDB and its improved security features, Master-Master replication on MariaDB and a Master-Slave replication on MariaDB. I think those articles are pretty straight forward to dive into the installation procedures. Imagine having so many users connected on a database performing so many queries. One on the way to trace those requests are through the binlogs or by activating the MariaDB audit log. Let’s see how to activate the MariaDB Audit log.

Verification and Prerequisites

After installing your Database server, get into the console and launch the following command SHOW GLOBAL VARIABLES LIKE ‘plugin_dir’ ; It should prompt you something like this:

Screenshot from 2016-05-30 08-26-50

If you are using a 32-bit system if would be found in /usr/lib/mysql/plugin. Get into that directory and checked if you got a file called server_audit.so By default, on new MariaDB, its already available. However, if you are using MySQL-Server, or an old MariaDB or Percona server you would need to install the server_audit plugin. Download it from this link: http://www.skysql.com/downloads/mariadb-audit-plugin-beta Once downloaded, extract it and copy the file server_audit.so to the plugin dir value path [See screenshot above].

[google_ad data_ad_slot=” data_ad_format=’rectangle’]

This does not means its already activated. You can verify it using the following commands SELECT * FROM information_schema.plugins WHERE plugin_name=’server_audit’; If it returns an emply set, it means its not yet activated otherwise you should have something like this:

Screenshot from 2016-05-30 08-37-56

Activating the Plugin

To activate the plugin, you can restart the service. However, there is another option to prevent any MySQL downtime by launching this command INSTALL PLUGIN server_audit SONAME ‘server_audit.so’;

Screenshot from 2016-05-30 08-42-33

Plugin configuration

After activating the plugin and if you are going to launch the command SHOW GLOBAL VARIABLES LIKE ‘server_audit%’; by default it would output you the following parameters.

Screenshot from 2016-05-30 08-51-03

These default values would normally create a log file called server_audit.log in the data directory. The values are self explicit. For example the parameter server_audit_file_rotate_size with value 1000000 means that when the size of the log is going to reach 1000000 bytes, its going to be rotated and nine files will be used before the log file will be overwritten. You also need to choose which type of events you want to log. Here is an example when activating all CONNECT, QUERY and TABLE event. If you want to audit only the CONNECT even, do set the variable to CONNECT only.

Screenshot from 2016-05-30 09-02-51

You can also turn off the plugin using the command SET GLOBAL server_audit_logging=OFF; As mentioned previously, the logs are saved at /var/lib/mysql/server_audit.log Here is an example of a log.

[google_ad data_ad_slot=” data_ad_format=’rectangle’]

Screenshot from 2016-05-30 09-08-30

Here are some of the most important variables:

  • server_audit_logging – Enables audit logging; if it’s not set to ON, audit events will not be recorded and the audit plugin will not do anything.
  • server_audit_events – Specifies the events you wish to have in the log. By default the value is empty, which means that all events are recorded. The options are: CONNECTION (users connecting and disconnecting), QUERY (queries and their result), and TABLE (which tables are affected by the queries).
  • server_audit_excl_users, server_audit_incl_users – These variables specify which users’ activity should be excluded from or included in the audit. server_audit_incl_users has the higher priority. By default, all users’ activity is recorded.
  • server_audit_output_type – By default auditing output is sent to a file. The other option is syslog, meaning all entries go to the syslog facility.
  • server_audit_syslog_facility, server_audit_syslog_priority – Specifies the syslog facility and the priority of the events that should go to syslog.

Log File Examination

Log file can also be examined. The audit is performed in such a way that if even one user connect and disconnect the the MySQL it would be easily detected. A connect and disconnect would usually appears as this:

Screenshot from 2016-05-30 09-22-42

Queries woud look like this. Even if there are errors on the query, it would keep it in the log

Screenshot from 2016-05-30 09-25-22

The server_audit_events variable specifies which of the five events to log, taking a comma-separated list of the event types as an argument. There are six types of log records:

Photo Credits: MariaDB
Photo Credits: MariaDB

The audit log format looks like this:

[timestamp],[serverhost],[username],[host],[connectionid],
[queryid],[operation],[database],[object],[retcode]

Other Tips and Tricks

  • To avoid a heavy load on the machine, you can exclude a specific user using the parameter server_audit_excl_users=test,toto 
  • If the server_audit_output_type variable is set to SYSLOG instead of the default, FILE, the audit log file format will be as follows:
    [timestamp][syslog_host][syslog_ident]:[syslog_info][serverhost],[username],[host],
    [connectionid],[queryid],[operation],[database],[object],[retcode]
  • Be aware, though, that passwords given with functions PASSWORD() or OLD_PASSWORD() in DML statements will still be logged as plain text in queries. Key strings used with encrypt functions likeENCODE() and AES_ENCRYPT() are also still logged in plain text.
  • DDL and DML statements can also be audited.

Operation WTF Hackathon by cyberstorm.mu – Day 2

After having set up our network environment for the operation WTF, cyberstorm.mu team started working on several vulnerabilities around WordPress content management system. It started on Saturday the 14th of May where several proofs of concept (POC) were established. I was shocked to see how come it is easy to exploit a WordPress website. For security purpose, we have to blank parts of  URLs before posting on social networks. No wonder, Loganaden Velvindron of cyberstorm.mu did not hesitate to give his opinion on Medium.com“Many bloggers use it, because it is both easy to set up, and there is a rich ecosystem of WordPress plugins. WordPress has often been criticized due to its security record. What is more worrying is the varying quality of the WordPress plugins.” 

POC - Vulnerability found !
POC – Vulnerability found !

Operation WTF – WordPress Tiny flaws end up on Sunday the 15th of May 2016 after lines of codes were fixed up from many WordPress plugins. We can also notice how dangerous it is if a proper audit is not carried out on WordPress before putting a website to production. Here is another example where the /etc/passwd was retrieved by hackers Mauritius.

CiZlRQFXEAA7Qbq

Patches were also written to fix up bugs. However, it is to be noted that for security reasons patches are not disclosed for the time being as at cyberstorm.mu we follow ethical rules and the aim to stay within the grey line is of paramount importance. 

Hackathon in Mauritius – Operation SAD

We did it! The hackathon in Mauritius with title Operation SAD – Search and Destroy is a success. Who are the cyberstorm.mu winning team? Well, its a group of Linux developers residing in Mauritius who are happily improving the security of Linux An audit is first performed on the Linux platform and several security vulnerabilities are fixed. That is how the name “Search and Destroy” gets its name. It was proudly hosted by ISVTEC, a Linux firm operating in Mauritius.

Hackathon in Mauritius - Operation SAD 1

DAY 0 – A briefing was carried out. We started at around 09.30 hrs setting our laptops. I always feel the need for a second screen to save time. The briefing was carried quickly on a whiteboard. I am happy how all the necessary tools were provided at the ISVTEC conference room. More details on this link by LoganOperation SAD – DAY 0

DAY 1 – The hacking team were so fast. Everyone reached ISVTEC more early. It was so intense that I almost forgot lunchtime. All codes were submitted and some reviews were extremely fast. A whiteboard was of great help as soon as a project is completed we are moving to the other one. You can check out another article for Day 1 by Logan – Operation SAD – Day 1

A debrief session was carried out by Logan after the patches were submitted. I would sincerely thank Cyril and of course the staff of ISVTEC who has welcomed us since the very first day of the Hackathon. Indeed, an immense success from the winning team.

As announced some days back, cyberstorm Mauritius team will be at Flying DODO Bagatelle conference room as from 13:00 hrs to give a resume about the work done. We have the pleasure to hear from Avinash Meetoo, CEO of Knowledge7 for a superb speech.