Shell's TechBlabber

…ShelLuser blogs about stuff ;)

Computer security is NOT a product

At the time of writing I can’t access one of my favorite tech fora, which is the FreeBSD forum, because their certificate has expired. Seems somewhat sloppy indeed. However, what really upset me here was learning how my browser of choice (Opera) was now treating me like some sort of idiot.

It refused to give me access to the website because it deemed it “not private”. Which is not necessarily true because even an expired certificate can still be used for setting up an encrypted connection. But because the website opted for “HSTS” (which stands for HTTPS Strict Transport Security) it is impossible to access it anymore because most major browsers have opted to remove the feature which allows us to override this.

Which I think is utterly stupid. In fact: I think this nonsense can easily have the opposite effect of what was intended. I believe we’re in a period where many people seem to have a complete misconception about what security actually is and how it is achieved and maintained.

Disinformation leads to Insecurity

The problem which I have with current developments is that it gives the users a false sense of security. This way users are taught to rely on the system (the browser in this case) to keep them safe. So the next time they end up on a credit card scamming site and their browser doesn’t give them any warnings then surely that should mean that the website is legit, right? THAT is the other side of this medal; when users rely too much on the software which they use then this only opens up even more possibilities for abuse.

What to think about viruses such as ransomware?

Sure; trying to open an attachment from an unknown source is about the dumbest thing you can do. But can you really blame someone not familiar with all this? They have a virus scanner installed, right? So that should keep them safe. And well; since their browser (Firefox in this example) warns them about all nasty things and their email program (Thunderbird) came from the same authors (Mozilla) then surely it will also keep them safe from nasty e-mails. But of course it doesn’t… This was a real example which I’ve witnessed.

Instead of treating users as if they were stupid it might be a much better idea to do the opposite: try to educate them. Sure, incidents can happen. But shouldn’t that be the responsibility of the users themselves?

Undocumented features?

Because Opera is build upon Chromium I started digging into ways to get Chrome to ignore all this of this certificate idiocy. And guess what? I found it! But I can’t say that I’m very happy with my discovery, because I believe that it has the potential to cause even MORE damage.

See, if you start Chrome (or Opera, or any other Chromium based browsers) with this command line parameter: –ignore-certificate-errors, then it will ignore every certificate error it comes across with. Now it won’t warn you at all anymore, it simply continues as if there’s nothing wrong (but if you check the website details then it will mention this issue).

Why I consider this a problem? Simple. How would you add such a command line parameter on Windows? Most people will right click on the icon they normally use, add the parameter to the properties and then start their browser as usual. So what is going to happen if they forget to remove this and the setting remains active from there on?

Is that really a safer situation than simply allowing us users to override the security warning on a per-website basis? I sure don’t think so…

Don’t rely on the system, rely on yourself!

Ever since Sun got overrun by Oracle and the quality of Solaris support basically went into the trashcan (read: pay a triple fee for less supportive features) I jumped off the bandwagon and started focusing on FreeBSD, which is my all time favorite Unix-like operating system today.

And it surprises me how many users set up complex solutions for themselves in an attempt to keep their systems more security while totally ignoring the most simple problems out there.

For example… My all time favorite firewall as of today (pf, as used on OpenBSD) uses a default configuration file called /etc/pf.conf. If you check the FreeBSD default settings (you’ll find those in /etc/defaults/rc.conf) then you can see this for yourself:

peter@zefiris:/etc/defaults $ grep pf_ rc.conf
pf_enable=”NO”                  # Set to YES to enable packet filter (pf)
pf_rules=”/etc/pf.conf”         # rules definition file for pf
pf_program=”/sbin/pfctl”        # where the pfctl program lives
pf_flags=””                     # additional flags for pfctl

Now, I’m only focusing on pf here but the same applies to the other two firewalls on FreeBSD (ipfw, and ipf). See the pf_rules entry there? It clearly tells me that the default config file is /etc/pf.conf. There’s more; if you don’t have access to this (because you don’t use FreeBSD for example) then not to worry, you can even find this information online. For example, by checking out the FreeBSD handbook on PF.

As such many people will simply create and edit /etc/pf.conf for their firewall rules and that’s the end of that. Or, in case of the other firewalls: /etc/rc.firewall and of course: /etc/ipf.rules. An interesting detail is that many of these files are readable for the entire world by default. rc.firewall already exists and has a permission of 644 for example. And if you create a file as root using vi it will most likely also get 644 as its permission as well.

What’s my point you ask?

Simple really: If I knew you were using the pf firewall on FreeBSD then my first attempt at learning its contents would be to try and gain access to /etc/pf.conf. And if that doesn’t work I might try accessing /etc/rc.conf to try and learn a bit more. The problem is that many people did not secure these files, and all it takes is one fluke web service which can drop me to a shell and I’ll have a good chance of learning all this.

Something which could be easily avoided by using a customized ruleset. And I don’t refer to custom rules, but to a custom location for those rules. A location which isn’t already known by the whole world up front.

Just because it looks safe doesn’t mean it IS safe!

I sometimes really get the impression that so many people seriously stop to think about their environment and the way we work…

A while ago I had a discussion online about general security and someone told me how they felt that single user mode on Linux was much more secure than those on Free and/or Open-BSD because it asked you for a password. At those moments I can only sigh…

What is single user mode?

Yeah, just in case you haven’t heard of this… Single User Mode is a state on Unix systems where it no longer performs multi-user tasks. So basically it will have only 1 user logged onto the system (“root”, which is the administrator) and no one else. In most cases every other process has also been stopped, including network services.

Basically you’ll be logged onto the computer using a keyboard and a monitor, and it’ll be you yourself and you 🙂

So isn’t using a password more secure?

No it isn’t.

Because such a password is extremely easy to bypass. All it takes is simply booting the PC from another medium such as an USB stick or rescue CD, then accessing the OS. Then I can simply wipe out the password, reboot, and I’m in. If I even want to reboot that is, because at that point I already got access anyway.

See, what these people are ignoring is that physical access to a computer is where it all ends. From that point on the rulebook goes out of the window. Passwords set up on the OS won’t stop anyone anymore.

I’m secure, I encrypted my filesystem!

Encryption is definitely a step in the right direction to prevent abuse like the above. Just too bad that most people don’t want a server which they can’t reboot from a remote location. As such the encryption key is often stored on the HD itself, and that effectively cancels out all your advantages again. If your bootloader can find the key, then so can an attacker. Because that part of the configuration won’t be encrypted. It can’t be; otherwise the bootloader wouldn’t be able to.. well, boot it 😛

Security isn’t a product!

Just encrypting your filesystem(s) does not make you more secure, just setting up a password: idemditto.

Security isn’t a product, it’s not something you install after which you can pat yourself on the back and consider yourself to be safe.

Security is an ongoing process which starts with having a good basic understanding of whatever it is you’re working on. And part of that process is the ability to stop and think about possible threats. For example those default firewall config files I spoke above.

Most of all the realization that security problems can start small and eventually escalate and grow into something bigger. Never brush something off as “insignificant so it won’t be a threat”. Just because you can’t see any danger doesn’t mean that there also isn’t any.

Stay safe!

June 15, 2018 - Posted by | Editorial, InterNet, Security | , , ,

Sorry, the comment form is closed at this time.

%d bloggers like this: