HOWTO defend databases from SQL attacks with GreenSQL
UPDATE: as if to underscore the importance of this tool and approach, yesterday a story hit about a SQL Injection attack infecting over 132,000 systems in short order. Net-Security have the full details on this attack, including how it probes the host via JavaScript to check for known vulnerabilities, how it exploits them, and how it ultimately downloads a back-door trojan to get the game going. It’s really amazing to see how complicated and professional these things have gotten, and just adds to the reasoning that we have to step up to the plate and learn how to better defend against them.
I’ve been privy to some log dumps showing real, and successful, SQL attacks on some MSSQL servers before, and they weren’t pretty. Of course a SQL injection attack has little to do with the database (well, as long as it’s still SQL based at least (nod to CouchDB and MongoDB)), and more with the code that calls it, and how that code deals with sanitizing inputs. For this reason MySQL is just as vulnerable, after all, bad code is bad code. While a client of mine opted for a firewall ‘module’ they had to buy an additional licence for, that set them back many thousands of dollars, I knew there had to be cheaper/better ways to address this kind of vulnerability. One way of course is to fix the code, but with legacy sites that no one has touched for years, this may be impractcal (I didn’t say this, I only heard it), and the other idea is to proxy the SQL and ‘clean’ it before it hits the database. The advantage of this approach is that it protects against known attacks, as well as unknown attacks, since it limits so much of what an attack is allowed to accomplish when trying to get its’ foot in the door. This approach is what the folks over at GreenSQL have done, and it’s very impressive. They sum things up nice and sweet with, “GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. GreenSQL works as a proxy for SQL commands and has built in support for MySQL & PostgreSQL . The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc). GreenSQL is distributed under the GPL license.” (more…)
HOWTO build your own open source Dropbox clone
UPDATE: Thanks to everyone who has contributed to this, and the Reddit thread, as it has provided some great ideas building off of my concept. I’m starting to rethink about how we could have version control on top of things, and I’ll update things when I have more to share. Also, does anyone have iFolder (thanks for the proper link working? It looks like you need SUSE Linux, which I don’t have access to, plus I know most Novell projects need a *ton* of Mono dependencies installed to have any of their stuff working, at least on the server side; but it sounds like they have Mac, Linux and Windows clients, which is encouraging. While for my needs something a bit more ‘close to the bone’ (as below) might be better for the server side, having it be inter-operable with something like iFolder could provide a lot more functionality for others.
First off, if you haven’t tried Dropbox, you should check it out; sync all of your computers via the Dropbox servers, their basic free service gives you 2Gigs of space and works cross-platform (Windows, Mac, Linux). I use it daily at home and work, and just having a live backup of my main data for my work workstation, my home netbook, and any other computer I need to login to is a huge win. Plus, I have various ’shared’ folders that distribute certain data to certain users that I’ve granted access to, this means work details can be updated and automatically distributed to the folks I want to review/use the data. I recommend everyone try it out, and see how useful it is, it’s turned into a game changer for me. So a few months ago they made headlines on supporting Linux as they released the client as open source. While this got hopes up for many, it was only the client that was open source, the server is still proprietary. While slightly disappointing, this is fine, they’re a company trying to make money. I don’t fault them for this, it’s just that a free, portable service like that would be a killer app. (more…)
HOWTO: serve jpeg2000 images with a scalable infrastructure
At the Biodiversity Heritage Library, we have replaced a proprietary jpeg2000 image server, that was straining under the load, with a new, open source jpeg2000 server, djatoka. Chris Freeland and Chris Moyers cover the background in far more detail on the BHL Blog, so here I’ll cover my rationale and decisions I made to provide a scalable, stable infrastructure to provide the images as efficiently as possible.
When I started sketching out how I wanted to run djatoka, I knew I wanted it to provide security, caching for performance and scalability and fault tolerance. Our server runs Tomcat, which I didn’t want to be public facing. Because of this I proxy Tomcat requests through Apache with the use of ajp_proxy, the successor to the old mod_jk. Initially I was using nginx in place of Apache, but after reading about all the functionality and performance improvements ajp_proxy offered, it was a no brainier; this is how to present Tomcat in a production environment.
Distributing biodiversity data globally
My current project at work will take me far into next year, and that’s good because I’m facing an unprecedented amount of data, that will only continue to grow. Because of this I’m finally getting to put my money where my mouth is. For years I’ve talked about my ideas and theories about how I could network disparate systems together and have them leverage each other to keep everything in sync. So, while working with Open Source to push boundaries I seem to find more ways to do more complex things. One basic idea that I’m working on now is that data sets are huge, and are only going to get huger (and hugerer) as time goes on, how to handle this has been solved a few different ways. Usually it’s someone like the Internet Archive who have 1000s of computers networked together to share the data (they are using some parts of hadoop for the distributed file system, and then nutch for search indexing) – but it’s still working from one central point of failure. I started doing research to find out how this has been solved before, and if my idea of building a BitTorrent network was sound – and I found some great information to build on. As I’m setting up my demo BitTorrent tracker in Debian, this info keeps me thinking of the best ways to implement my ideas. Much of my progress is due to the very helpful advice of Paul at Geograph Torrent Archive, a project that has somewhat similar goals. (more…)
How to become a hacker
The Glider: A Universal Hacker Emblem
There has long been a movement in the geek community to expunge the negative thoughts attached to the word hacker, the image to the right The Glider, being one of the latest and most visible. In the beginning there were hackers (people who worked on computers, programmed and made things work) and crackers (people who would use computers for nefarious purposes, crimes, viruses, etc), these were two distinct camps, with some miscreants jumping the fence back and forth to confuse the issue. Regardless, somewhere along the way popular culture (movies, news, your teachers probably) began to equate hacking as being the bad, crime ridden activity that cracker was supposed to cover. I think it’s a moot point now, as even my Dad was shocked when he learned my annual DefCon trip is billed as “largest hacking conference in the world”. I gave him the above explanation, but I’m unsure if he really believes it. Regardless, the original “How to become a hacker” paper written by Eric S Raymond is always cited as the quintessential word on the use of the word hacker. I found it mirrored online, and it’s a worthwhile read if you have any interest in the topic, or want to cement your own views of your hobby. For now, if you don’t want to read the entire verbiage, here’s the intro to learn and take with you. (more…)
Black Hat and Defcon: all the drama you’ve been craving
This is great, Defcon16 is a mere few days away, but already, the drama has started! Of course there’s the excitement about security guru/celebrity Dan Kaminsky discovering the DNS flaw a few months back that will be revealed this week (so that folks won’t be able to reverse-engineer them to exploit the vulnerability…ahead of time at least), but now there’s a reneg by Apple that’s sure to raise a few feathers, as well as highlight how they weren’t the most forthcoming with their DNS fix (which hasn’t hit yet even though all other vendors have released patches). In an interview, Kaminsky talks about the ‘bug’ he found in DNS, “We got lucky in this particular bug, because it’s a design flaw,” Kaminsky said in an interview. “It shows up in everyone’s network, but the fix is a design fix that doesn’t point directly at what we’re improving.” After peer review it was deemed this was indeed a huge deal, and even the original developer of BIND (the dns software in question) urged everyone to patch. “It took a couple of hours to find the bug,” said Kaminsky, “and a couple of months to fix it.” Kaminsky said he stumbled across the hole in the so-called DNS system for steering people to the websites they are seeking “by complete and total accident.” Smaller DNS flaws have been used before to “poison” the servers that send people to the numerical address of the website name they enter. [...] “This is about the integrity of the Web, this is about the integrity of e-mail,” Kaminsky said. “It’s more, but I can’t talk about how much more.” So learning more about that exploit will be very interesting, and should lead to more people investigating and deploying DNSSEC, a DNS option built with security in mind from the ground up. So there’s that, but now there’s something even more fun because it deals with a companies lack of openness in regards to their security methods. A talk at Black Hat yesterday was scrubbed at the last minute by folks over in marketing at Apple. It seems that they blocked the scheduled presentation that was, “…to give an inside look at the ultra-secretive company’s security response team. “Marketing got wind of it, and nobody at Apple is ever allowed to speak publicly about anything without marketing approval,” a Black Hat organizer told IDG News.” This is unfortunate for Apple, who are reeling after a week of beatings in the ‘blogosphere’ over their handling, or non-handling, of their update for the DNS flaw we mentioned above! “Apple’s policy of saying next to nothing about how it goes about protecting its users from escalating threats is, to say the least, unfortunate. Just last week, the company said it had patched its software from a serious flaw in the net’s address lookup system. Three days after two separate researchers warned Mac clients are still vulnerable to the flaw, Apple hasn’t uttered a word, an omission that generates confusion and doubt in those who depend on the vendor. Apple’s tight-lipped policy.” Come on Apple, you preach about how you’re ‘Open Source’, but then continue along the path of the old school hide and seek ways. Hell, people are already pointing out how their methods are less open than Microsoft’s in releasing information about security. What are they so afraid of? Ah, but we’ll learn more come Thursday, I’ll be in Vegas for my third Defcon and can’t wait. Watch for updates here, or more timely ones over at our Twitter profile.
Chat on Skype via Pidgin on Linux (or Adium on Mac)
This is a big deal for me, I played with Skype back in the day, but never really used it much since it required a second client, and I have always used Gaim (which is now Pidgin) to consolidate all of my accounts into one client and didn’t want to break out of that mold, but now I don’t have to. Using the Skype API, Eion Robb has created a Pidgin plugin called Skype API plugin for Pidgin/libpurple/Adium. Now I just add my user to the Pidgin accounts tab and I can now chat via Skype in Pidgin just like I chat with all my other contacts. Note that you can’t do the video of Skype on Pidgin. Mac users note that you can use this on Adium (my fav OS X chat client), which uses libpurple, which is the backend for Pidgin, on Mac. So now I’m using Skype again, which is a propreitary app, thanks to them providing an API for the Open Source community to latch on to. Ah, the circle of life…
Open Source is good for you
A recent study by a tech group talks about not only there being a positive monetary benefit for IT workers to know Open Source, but a more fulfilling sense of purpose as well. While this tells me nothing I don’t already know, it’s something that’s important as the next wave of IT geeks start knocking on the doors. “Want to make more money as an enterprise application developer? You’re in luck–if you know open source. According to a recent report from Bluewolf Consulting, enterprises increasingly deploy open-source software, and look to specialized application development on top of it, to drive business value:
The rise of open-source software in application development puts developers with a specialization in those technologies in a position to ask for a 30 (percent) or 40 percent pay increase, Kirven says. “We’ve gotten more requests from our permanent-placement division for open-source developers in the last six months than in the last five or six years combined,” he says. “It’s not as easy as getting free software; someone has to get it up and running. LAMP is everywhere now–these types of technologies no one heard of 18 months ago are all the sudden becoming a hot commodity.”
Indeed. Not only does open source bring developers more money, but it also apparently brings them more satisfaction. Jon Williams, chief technology officer of test preparation company Kaplan, made it very clear in an Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser. a month ago that open source is one of his best retention tools. Let people do interesting work, and they stick around. Make them mindlessly monitor that Windows machine, and they’ll bolt
Software support must evolve with Open Source
As a IT contractor I’m enjoying giving my opinion when asked, and sometimes even when I’m not asked; I have the confidence to be open and honest with everyone and want them to know that. Because of this I’ve been getting to do things I otherwise would not have since they would not have known I was interested or experienced in such things. One of the things I was hired for was to setup Apache on Linux to work with their web instances. It’s been fun, and while I’ve used Apache for over 10 years, there’s always new things to learn. Recently they asked for my opinion on ’support’ options for Apache. Keeping in mind, they already have support for the hardware and support for the Linux distribution, they still think they need another support channel for Apache. To me this a big waste of money and have somewhat made my case to them. While I understand their position that this support is a way to cover themselves if Apache ‘breaks’, the fact that this software is Open Source has to change the way they have traditionally considered support.
Hi, I'm fak3r and I've been online for over 15 years, blogging for 10. I work with open source software, various hardware and whatever else that I can hack on. I enjoy learning by doing, painting infrequently and listening to more music than the law allows. Feel free to follow me and comment on my thoughts and ideas; we're all in it together kid.
