Adding Hardware Monitoring to RHEL 4 WS

Part of Information Security is making sure your data is protected against loss, regardless of how the loss occurs. Any properly written Information Security policy will have a section about Business Continuity, which documents what to do in major disasters. But in addition, business continuity means making sure you’ve got regular backups of all your critical data and applications.

As an extension of this sort of policy, one should engage in routine hardware monitoring to try and detect hardware failures, before they can cascade into bigger failures. In this article, I’ll describe the technical steps on how to install and configure hardware monitoring on a Red Hat Enterprise Linux 4 Workstation. In theory, these steps would be the same for the Advanced Server version.

Annual Identity Checks

Updated: 1/23/09

Added information about Innovis, a fourth credit reporting agency. Added information about TeleCheck. Expanded information about ChoicePoint/ChoiceTrust reports. Normalized formatting and other minor tweaks.

Wake-up! Time to get to work. Go get all your identity reports, make sure nothing has appeared that is bogus or suspicious. With the US economy in the same state as your average mushroom farm, getting credit of any sort is exceptionally difficult now. And thieves are going to be taking advantage of the situation any way they can. It’s more important than ever before to keep on your toes! This year I’ve added details on a fourth credit reporting agency called Innovis Data Solutions, and re-verified all the other information is correct and accurate. Get to it!

Updated: 3/28/08

Updated several links and removed the link for stolenidsearch.com as it is now defunct. Added additional introductory paragraph about current year.

2008 is here and our long-promised bounty of money from the government will be sent out in just over a month. Be cautious about any offers on websites or in e-mail about advances on your government IRS rebate, or statements that you need to pay processing fees or other nonsense.

Oh, and it’s past time to do another annual identity check! If you did one of these last year in 2007, you’ll have the extra bonus of being able to compare your reports side-by-side and see any changes. In addition to protecting your identity and your finances, you may even find some ways to save money. So let’s get on with the original article, shall we?


You’re Not as Private as You Think You Are

Privacy concerns are riding high in the media currently, thanks to the high-profile data breach cases with the Veterans Association, AOL, AT&T and others. I’ll just note quickly here that these events aren’t really new; it’s just that general public awareness is increasing. Which is good.

Privacy is a fickle thing in the United States. Unlike many other first world countries, we have no explicit guarantee of privacy rights, though many interpret parts of the constitution as such. Courts all over the land are involved in cases that (re)define privacy rights and law in the USA.

The single biggest issue with privacy rights in the US is having a clear definition of what privacy is. What sort of actions, information or things can be said to be private? Privacy is deeply tied to social mores and subjective opinions. Often we Americans will go about our daily business with the assumption that certain aspects of our lives are private, and that others may not know about them. Yet in reality those parts of our lives are publicly accessible. Once enough little pieces of information are put together and correlated, a surprisingly personal view of someone’s life can be presented.

OK, that’s enough musing, let’s get into the fun stuff!

How to get NTLM authentication in Apache 2.0

This is a quick-and-dirty method for kludging NTLM authentication (aka ActiveDirectory) into Apache 2, for purposes of doing HTTP authentication. Assuming you can get it running after following the steps below, you should be able to configure access files under Apache that will direct the webserver to authenticate HTTP users against a domain of your choosing. The server does not have to be joined to the domain.

  1. Checkout latest mod_ntlm module from the SourceForge CVS repository:
    cvs -d:pserver:anonymous@cvs.sf.net:/cvsroot/modntlm checkout mod_ntlm
  2. Change to the mod_ntlm directory created by the checkout process
  3. Edit configure.in so that the “/usr/include/apache2” directory points to where you have your Apache 2.0 header files located.
    HINT: You’ll either need to have the Apache 2.0 source installed, or have an httpd-devel-* RPM of some sort installed.
  4. Also modify configure.in so that the path for apxs is correct. The default of “/usr/sbin/apxs2” is probably not correct, but Your Mileage May Vary.
  5. Run autogen.sh and cross your fingers (If first run of autogen.sh fails with a syntax error on line 33, remove trailing backslash from the “for” loop on the line above. Re-run the autogen.sh script)
  6. Assuming the autogen.sh script has successfully run all the way, you should have a bunch of new files in your mod_ntlm directory, including a current Makefile
  7. Run make and watch some warning messages float by
  8. Look in the .libs directory and see if you now have mod_ntlm.so
  9. Copy the mod_ntlm.so from the .libs directory into the main mod_ntlm directory
  10. Do a make install
  11. If make install fails, manually install module
  12. Copy mod_ntlm.so to your Apache 2.0 modules directory (/usr/include/httpd/modules)
  13. chmod 755 mod_ntlm.so (in its new location)
  14. Edit the Apache 2.0 configuration file to include a LoadModule line for this new module: LoadModule ntlm_module modules/mod_ntlm.so
  15. Restart apache (apachectl reload)

And that about does it. Of course NTLM authentication isn’t secure, but you can try doing it over HTTPS. Except it won’t work with Internet Explorer under HTTPS. But it does with Firefox. Why am I not surprised?

Only real disappointment is the lack of ability to do NTLM group authentication. Oh well…
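
A minimal access configuration of the kind this method is meant to enable, added here as an example and not part of the original post. The NTLM* directives are the ones documented in mod_ntlm's README; the directory path, realm name, domain name and domain controller names are placeholders.

```apache
# Added example: path, realm, domain and DC names are placeholders.
LoadModule ntlm_module modules/mod_ntlm.so

<Directory "/var/www/html/intranet">
    AuthName "Intranet"
    AuthType NTLM
    NTLMAuth on
    # Do not pass failed requests down to other authentication modules
    NTLMAuthoritative on
    # Domain to authenticate against; the web server itself need not be a member
    NTLMDomain EXAMPLEDOM
    # Primary and fallback domain controllers that validate the credentials
    NTLMServer dc1
    NTLMBackup dc2
    # No NTLM group support, so authorize any authenticated domain user
    require valid-user
</Directory>
```

The same directives, minus LoadModule and the Directory wrapper, can go in a .htaccess file when AllowOverride AuthConfig is enabled for that directory.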

Ethical Hacks: How to find the site admin password for Mercury Interactive’s TestDirector v7.6

IMPORTANT NOTE: The information presented here is to be used only for legitimate cases of access loss. Using these instructions to gain access to a system without permission is a violation of both state and Federal law.

At one of my old jobs as a security engineer, I was asked to find the admin password for an application (seems the company had managed to lay off everyone who actually knew it). This is an example of an “ethical hack”, where techniques used by malicious people have legitimate application in the real world.

TestDirector 7.6 stores all its usernames, passwords, groups, and other metadata in MS Access databases. Now the standard database for the users is usually something like “Testdir.mdb” somewhere in the directory tree of the application suite. However, the admin password is usually stored in a database called “doms.mdb” which you should find in “c:\program files\common files\mercury interactive\Domsinfo”.