DDG Tech Notes

H D Morre has announced the release of Metasploit v 3.2 (http://www.metasploit.com/) - and a new license for the popular security testing framework.  According to the main web page:

The Metasploit development team is happy to announce the immediate availability of version 3.2 of the Metasploit Framework. This release is the first version of Metasploit to be provided under a true open source license (BSD) and represents over ten months of work by the development team.

Currently available from the web site are the distributions for the normal cast of OSes (Mac, Linux, etc.) plus a binary windows installer.

I’ve not yet seen any Debian or Ubuntu packages.  I’ll be putting some together myself and make them available here until such time as a maintained package becomes available (sorry, but I do not currently have the time to commit to this long term.)

This time, it is some college students that dared to attempt to present their research findings at Black Hat…

As picked up by ABC News:

A federal court order that prevented three MIT students from telling a hackers conference how they were able to break into Boston’s subway fare collection system has backfired.

Hmmm.  OK - that’s the major news organization’s headline.  But we have to be very careful in how we interpret anything put together by our major news organizations these days.  Really, you should go read their article before reading this post further.

Ok.  Now that you’ve read it…

…Have you really read it?

Looks like the real question here is, did they do their research without breaking any laws?  If so, case precedent would show that the students (specifically, Zack Anderson, “Rusty” Ryan, and the Italian Allessandro Chiesa) should have no direct legal threat from their opposition.  On the face of the text presented in the article alone, this is left somewhat ambiguous.  Consider the statement:

The injunction was meant to block discussion of how the students figured out how to evade the comuter system’s security to change a $1.25 fare card to a $100 fare card.

So which was it.  Did they figure out how to do it?  Or did they do it?  While the distinction may be subtle, it is still huge.  Figuring out how to do something is not a crime in and of itself.  However, if they figured out how to do it by actually doing it we’ve got an entirely different legal landscape.  Even more ambiguous, what if they did figure out how to do it by actually modifying their own card in some way?  Have they committed a crime?  What if they destroyed the card, without using it, after figuring out how?  Are they committing a crime by telling others how it could be done?  What if they tell how to do it, and encourage others to do the same thing and actually use them?

This is a steep, slippery slope.  And unfortunately it is on that any security researcher finds themselves traversing all of the time.  There are never clear-cut answers in our current legal environment where digital signals are continually shoe-horned into legal wording that treats them like physical property.

As an analogy to consider as a thought experiment, imagine an automobile manufacturer.  They may make two different models of cars, one with a top speed of 90 MPH, and one with a top speed of 160 MPH.

So what happens if I use my knowledge of cars to modify my purchased 90 MPH model.  I tweak on it, tune it, apply aftermarket parts until I figure out how to make it go 160 MPH.  Have I deprived the auto manufacturer of their legal claim to the price differential between the 90 and 160 MPH cars?

Like I said - it is a crude analogy.  Just think about it.

Or - if you are looking for a more direct analogy to consider, check out the original presentation materials - while you still can.

I’ve been questioned a couple of times about what the DDG in DDG Tech Notes stands for.  Well, it can mean a lot of things.  Here are just a few I’ve run into:

• Data Dissemination Grid (what the heck is that, and how do I get one?)
• Guided Missile Destroyer (I know, the acronym doesn’t fit, but apparently the Australian, United States and other navies have a different idea.)
• Stock Symbol for Proshares Trust
• DDG Inc. - a corporate entity somehow associated with Tubular Services LP

I’m sure there are more.

But mostly it stands for Del Duca Group (as in the url of this site, http://delducagroup.com).

Or Drop Dead Gorgeous.

Now that I think about it, I’ll bet it mostly stands for drop dead gorgeous…

I’ve been a fan of Beryl for some time - using in on my Ubuntu, Debian Etch and Slackware distro machines.  (see my article Desktop Time Wasters for images of my original Debian box with beryl.)  I’ve always done this with source compiles on Slackware, and packages on Ubuntu and Debian.

Some time ago (more specifically, some package upgrades ago) I ran into a dependency issue on my Debian box that rendered Berly unusable.  I can recall giving it some time, trying to work it out, but eventually giving up.

At the time (prior to the breakage) I was installing Beryl from the third-party repository (specifically, deb http://debian.beryl-project.org etch main for those interested).

In the time after my Debian machine’s beryl install broke, I reinstalled a Ubuntu (Hardy Heron) on my IBM X41 (related articles here and here.)  I didn’t pay much attention at the time (it was late, I may have been drinking, etc.) but at the end of the install I had what I thought was beryl controlling the Ubuntu desktop on my IBM X41.

I didn’t pay it much attention, until I finally became annoyed by the fact that my Debian box no longer looked like l wanted it to.  I decided it was time to compare what I had (working) on my Ubuntu box to what was (not working) on my debian box.  That was the Rosetta Stone that finally made it all click in my mind.

The trouble I was having all stemmed from a change in the packaging names of what I called Beryl in both Ubuntu and Debian.  In fact, an open-source (re)convergence had occurred between Beryl (the eye candy, and a window manager) and compiz (the compositing window manager) that created an entirely new line of packages, Compiz Fusion.

While you can easily add the appropriate entry into /etc/apt/sources.list, both the Debian etch/sid and Ubuntu hardy main repositories (i.e. the repositories that you should already have configured after an install) have access to the packages you should need.  Granted, in neither case will the packages be the bleeding edge of latest development that you can get from either the beryl or fusion maintained repositories (complete with svn checkout branches.)  However, both will provide you with the coolest, cpu-consuming desktop graphic effects that will keep all but the most eye-candy addicted among us happy.  So how do we make this work?

First off, if you (like me on my Debian box) are a former beryl repository user, you’ll first want to move those packages.  These steps should work out for either Debian or Ubuntu systems.

I suggest using Synaptic package manger, and removing packages related to the following search terms:

• beryl
• compiz
• emerald

After that, remove any of the beryl references from your /etc/apt/sources.lst file and running sudo apt-get update.  Or, if you are more inclined towards Synaptic Package Manager, open it up and select Settings–>Repositories–>Third party software and remove the appropriate entry (or entries).

Now it’s time to add in the new stuff.  There a few different packages required to make this all work together.  I haven’t yet identified any one specific package that has all of these as a dependency (and thus would make this all work by simply selecting that one specific package.)  Readers, if you know of one (or few) that will accomplish this, please leave a comment so it can be shared with the rest of us! I do know for sure that, at the end of the day, I needed the following packages to make this all come together:

• mesa-utils
• libcompizconfig0
• compiz-gtk
• libdecoration0
• compizconfig-backend-gconf
• compiz-fusion-bcop
• compiz-plugins
• compizconfig-settings-manager
• python-compizconfig
• fusion-icon
• compiz-fusion-plugins-extra
• compiz-fusion-plugins-unsupported
• compiz-core
• compiz-fusion-plugins-main
• compiz-gnome

After making sure that all of these packages are installed, your first step should be to simply restart X.  The “sure fire” way to do this would be to restart the whole box.  If you’re more adventurous, then either you’ve already set your gdm (gnome display manager) to restart at every login, or you can kill gdm and restart it as root from the command line.

Either way, if all went magically well, you should see the “Fusion Icon” appear in your tray on your task bar (see image at left.)  This seemed to “just work” for my Ubuntu install, but required a couple of extra steps on my Debian system.

The couple of extra steps

For my Debian laptop, I had to manually add it to my Startup Programs.  Go to System–>Preferences–>Sessions.  Under the “Startup Programs” tab, click on “Add”.  Give it a name, and ‘/usr/bin/fusion-icon’ as the command:

This end is only the beginning!

You should now have Compiz Fusion active on your desktop.  So now what?  Right-click on the Fusion icon in your tray and check out some of the options.  You can change the window manager on the fly, and (depending on what you have installed) you may be able to change your window decorator as well.  Finally, take a look at the ‘Settings Manager.’  In the next Compiz Fusion post, I’ll walk through some of the cooler features of Compiz Fusion - things like Window transparencies, neat visual effects, etc.

Until then…

Every want to use your Ubuntu distribution to obliterate the data on a disk volume? It may be easier than you think!

First thing - the disclaimer. I’m very conscious about not misrepresenting myself to my blog aggregators regarding what my posts are actually about. On the other hand, after looking at my blog stats, search queries have turned up my site for searches roughly along the lines “Ubuntu Wipe Disk” at a rate that I did not expect. So why this disclaimer?

All of the methods that I am about to present are not really Ubuntu specific. However, as a good blogger, I have an obligation to provide information pertinent to what my readers are looking for.

Also note that any method below that deals with disk partitions can be used equally for swap partitions - arguably one of the most critical partitions to wipe on any system.

And, with the exception of the section below regarding specific disk eradication software, you can perform pretty much any of these steps even with a “Live” Linux CD - which can save you the hassle of physically connecting the hard drive to your Ubuntu machine.

So, here goes…

So, you want to wipe a disk so that no one else can read what you might have written there?

While that sounds like a fairly simple task, there are really some assumptions built into the question that you must consider first:

1. What exactly do you want to wipe? Is it an entire disk, or just a partition on the disk?
2. Who is the “no one” that you want to protect your data from?
3. Are you performing this action in response to your own needs, or the needs of you company or corporation?
4. If you are performing these actions for your company, are there any particular regulatory requirements that you must meet?

With out question framed properly, we can move forward with an actual plan to meet your requirements. Here goes:

What exactly do you want to wipe?

For most methods presented in this article, the what you want to wipe doesn’t really change the method used to wipe it, except for the parameters passed to the specific tools.

Identifying where to perform your wipe.

OK. So you’ve either booted up the target machine with a Live CD, or you’ve attached the drive to your current workstation. How do you know which device it is? Well, here’s a little background. Those of you familiar with Linux device names and identifying attached hard drives will probably want to skip ahead.

Any attached hard drive can be accessed, as if it were a normal file, under the /dev tree. Generally speaking (there are definitely some exceptions to this) IDE type drives follow the naming convention /dev/hdX - where X is a letter a, b, c etc., and other non-IDE type drives (including SCSI, SATA, etc.) are identified as /dev/sdX.

So, for example, the first detected IDE drive (IDE Disk 1 on channel 1 of the first controller) would be at /dev/hda, which the second would be at /dev/hdb.

Likewise, SCSI drives follow a similar patters. The first drive (or LUN, if it is an array) on the first channel of the first detected SCSI controller would be identified as /dev/sda, the second /dev/sdb, etc.

So what do I mean by “first detected”? This is (again, generally speaking) the order in which the kernel module drivers for the devices are loaded.

OK - so that’s how to identify the drive. What about partitions? Those are assigned to a different point under the /dev tree, with a numeric indicator of the partition number (in sequential order.) For example, the first partition of the first IDE drive will be /dev/hda1, and the second /dev/hda2. As you might expect, the partitions of the first SCSI drive would be /dev/sda1, /dev/sda2, etc.

However, things get a little more interesting if you involve the Logical Volume Manager.

I won’t go into the details of how the Logical Volume Manager (LVM) relates to partition numbers. If you are faced with this situation and don’t quite understand which partition means what, I’d actually recommend just wiping the entire disk.

Performing the wipe the quick-n-dirty way.

This method is not entirely secure (meaning a determined person could potentially recover data even after this) but it will protect you against all reasonable, common attempts to scavenge data from the drive.

The core of all of this stems from the fact that deletes on pretty much all file system types don’t actually delete. Generally, they overwrite pointers on the disk that point to were actual data resides. With the pointers gone, the operating system (Linux, Windows, whatever) has no idea of how to read the data.  But, the data is still physically on the disk, and can be retrieved almost trivially with a little knowledge and commonly available tools such as Foremost (ubuntu package: ‘foremost’ - Forensics application to recover data)

So, what we want to do is actually overwrite all of the old data. (Note: if you are going to wipe a disk or a partition using these methods, there is no benefit to deleting stuff prior to the operation. Save yourself some time)

Also, for the methods below, it really makes no difference what operating system created the data in the first place.  If you can get the drive attached to you machine (or access it booting with a Live CD) you can easily erase a Windows, Mac OS X, MS-DOS or whatever drive.

So, here we go.

If all you want to do is overwrite the data, then the simple command line tool ‘dd’ is your friend. dd stands for ‘Direct Dump’ and it does just that - directly dump data to a file. Only in this case, our “file” will be the device link to a disk or partition.

dd has kind of a funny syntax (funny in the UNIX or Linux world, at least) for specifying command line parameters. It is <param>=<value>. To start off, there are only two that we need to worry about. These are ‘if’ (for input file) and ‘of’ (for output file). So, let’s say we want to wipe the first partition of the first SCSI drive in our system. That’s easy! just use:

dd if=/dev/zero of=/dev/sda1

of=/dev/sda1 tells dd to write all data to /dev/sda1, or the first partition of the first SCSI drive.

if=/dev/zero may seem a little strange if you’ve never seen it before. The device /dev/zero is essentially a pseudo-device that dumps out a continual string of zeros. So, dd will continually read from it’s input file (if=) and write that same data to it’s output file (of=) until…

Well, basically, until it gets an error that the disk is full. Which is exactly what we want in this situation, a disk full of zero bit data, or a completely erased disk.

If you want to be a little cooler with your use of dd parameters, you can utilize the bs= and count= parameters.  bs= designates the block size, and count= is the number of bs chunks of data (i.e. the number of blocks) of data that will be written.  If you are not familiar with how to determine the block size and block count of your disk drive, I’d highly recommend just using the method described above.

So that erased my disk!  Great, what else could I have to worry about?

Well, that depends on either 1) how paranoid you are, or 2) what your application is.

For the really paranoid, always remember remnance!

So what the heck is remnance?  Basically, you can think of this as leftovers in the process of writing data to magnetic media.  At a very high level, writing to magnetic media is basically applying a magnetic field to a region of the media to change the “pole” or “charge” of that region.  For simplicity sake, think of the two poles of a magnet north (N) and south (S).  No imagine that all N regions represent a 0 (zero) and all S regions represent a 1.  You’ve got a simple formula for representing your binary data on your magnetic media.

Since this is a process of changing the magnetic orientation of a region of media, things can change over time.  Fluctuations in the space between the write head and the media due to heat variations, humidity, etc, as well as changes in the media itself over time can effect the way the media responds to this reorientation process.

Or, as another analogy, imagine that you are standing in front of a wall with a bunch of balloons filled with either red or green paint.  Assuming you can always throw the balloon at the exact spot on the wall, tiny differences in the wind at the time it is thrown or whatever will result in slightly different patterns splattered on the wall.  While the center of the region will always obviously be either red or green after each throw, there will be remnants of previous throws around the rim of where they hit.  And, if you threw a green balloon last time, and a red balloon this time, the outer area of the “splatter” will show more green than red.

This is basically what happens with your magnetic media.  Tiny tell-tale signs are left on the periphery of the regions that can give clues to data that was written there previously.  Processes - such as Magnetic Force Microscopy - can then be run on the media itself to lift this information from the disk and deduce - if not outright read - what was previously there.  In other words, simply overwriting your magnetic media with all zeros as above doesn’t completely remove all traces of the data on the disk!

Minimizing remnance via software

It is very important to note that, while software based methods can significantly reduce the possibility of data recovery using magnetic remnance, it can never completely eliminate it.  Again, this is one of those things where you have to consider what your requirements are.  Do we just want to make sure that no one can reasonable pull our tax return from our hard drive after we sell it on EBay?  If so, the software solution below is probably very reasonable.  Are you trying to eradicate data from the hard drive that has the super-secret pictures of the alien autopsy performed at Area 51?  Well, then, software won’t cut it (and you’re hopefully not looking for advice from my blog anyhow!)

The general idea behind a software based approach to addressing remnance is to not simple overwrite the data once, but to repeatedly ‘flip’ the bit.  That is, write all zeros to the disk, followed by all ones, followed again by all zeros.  By using this method, you can scramble the data available from remnance, and make it much harder for anyone to pull anything useful from the drive.  The more times you consecutively ‘flip’ the bit, the better off you are.

Unfortunately, there is no really easy way to stream a series of bits of ones the way that /dev/zero streams bits of zeros.  For that, you’ll need some other piece of software.

xFlip

One options is xFlip (more details and downloads are available on the xFlip page) written by yours truly.  With xFlip, you can choose any combination of:

• Overwrite the data with random bits
• Overwrite the data with all zeros
• Overwrite the data with all ones
• ‘Flip’ all bits to their opposite (technically, XOR each byte with 255)

And you can repeat any combination of these steps an arbitrary number of times.  Currently, I’ve not yet created a Ubuntu package for this - either it’s source or a binary form.  However, if you are reasonable comfortable with gcc or your favorite ANSI C compiler, the source code is pretty small and basic.  If there is enough demand, I’ll gladly put the time into packaging this for Hardy, for whatever platforms I can get my hands on.

xFlip has its limitations too, however.  For example, any sectors that have been marked as “bad” by the disk will not be touched, and could potentially leak data that was originally written to them.

Wipe

The Ubuntu package wipe (sudo apt-get install wipe, or via synaptic package manager) is primarily focused on removing individual files.  However, it will happily work with full disk devices or partitions by addressing them with the same /dev tree locations described in the ‘dd’ method above.  You’ll probably have to manually install it when using a Live CD, however.

Secure Deletion Toolkit

The Secure deletion toolkit (Ubuntu package secure-delete) is another tool primarily targeting specific files.  Again, you’ll not likely find it on most Live CD distributions.

Actually, it is a collection of tools, including:

• srm - Effectively wiping all of the data from a file, instead of just removing the pointers
• sfill - fills (scrambles) all of the free space on a drive.  This will obfuscate any data left laying around from files previously deleted on your disk.
• smem - wipes data from memory in a secure way.  This may seem silly, until you consider the proliferation of solid state memory devices
• sswap - Wiping swap space.

It may seem odd, but if this is your toolkit of choice, sswap can actually be used to successfully eradicate the data (with the limitation describe above) from a hard disk or partition.  It’s kind of a hack, but here is the idea:

First, identify your target drive as describe in the ‘dd’ method above.  Then, after mounting the drive on your Ubuntu system, or operating off of a live CD, first initialize the disk or partition as swap space (however, see notes below.)  For, say, the first IDE drive, you would use the command:

mkswap /dev/hda

Similarly, the first partition on the second SCSI disk would be:

mkswap /dev/sda1

In fact, the mkswap command may not be necessary.  This is not my preferred method or software, so I haven’t tried it without the mkswap command.

Then, simply:

sswap {device}

and replace {device} with the /dev path to you hard drive or partition, and you’re good to go.

Further Methods

The only other options for data destruction above and beyond this are all physical based methods.  Obviously physical methods can not be accomplished from your workstation, but I include them for completeness:

• Passing the physical disk through a very strong magnetic field.  This is referred to as degaussing.
• Incineration.  But, you better make it really really hot.
• Shredding.  Even more important than with paper, though (due to the small ‘region’ size on high density hard drives) the size of the chunks coming out of a disk shredder are extremely important.

You’ll find a multitude of commercial services offering any of the above.  If you work for an organization that is serious about data destruction, but wants to keep it in-house for policy, compliance, or other reasons, commercial degaussers are probably the best bet.

So there ya have it!

In truth, if you are just the average person, the ‘dd’ method described above will likely be plenty for protecting the normal user data from any reasonable attempt to extract it.  It doesn’t take much more to go the next step and use a tool like xFlip, wipe, or sswap to eradicate the data in a way that would protect you from all but the most determined and money-rich government, investigative agency of contracted digital forensics firm.

As reported in the New York Times Technology site, among others:

Looks like EMC decided it was time to dump the founder (and until recently CEO) of virtualization software giant VMWare.  Replacing Diane Greene is an old Microsoft cronnie named Paul Maritz.

From rumours on the web and through the proverbial grape vine, it appears that Diane Greene was keen on pushing a spinoff of VMWare in the short term.  So, does this mean that EMC has no intentions of releasing VMWare on its own?  Can’t say, I’m not in the boardrooms.  But, Wall Street seems to have had an opinion about it.  Again, quoting the New York Times writeup:

After the announcement that Ms. Greene had been ousted, VMware shares fell 24 percent to $40.19, down $13. EMC shares dropped nearly 12 percent on the news, or $1.75, closing at $13.39.

Not sure what to make of this myself.  I’ve been a user of VMWare software for some time (both professionally and personally) and had many interactions with EMC for storage solutions in my professional career.  EMC does seem to have moved it’s long-term product strategy from one of development, to one of aquisition.  For example, did you know that they picked up RSA some time back?  Now why would a storage company want a data encryption unit?  Hmmm…  And why would a centralized storage company be all excited about virtualized machines and infrastructure?  Hmmm again.

I use WINE on an almost daily basis to run Windows binaries right in my Linux environment.  It is a requirement of my job, and virtual machines such as VMWare (or here), VirtualBox, etc.  just seemed like overkill.

However, I was recently surprised to discover that many people are not familiar with WINE, what it does, or how easy it can be to make it do it.  That, coupled with the recent post-beta, stable release of WINE itself, pushed me to help get the word out.

So, let’s start with a couple of questions:

What is WINE?

The answer from the WINE website is:

Wine is an Open Source implementation of the Windows API on top of X, OpenGL, and Unix.

Think of Wine as a compatibility layer for running Windows programs. Wine does not require Microsoft Windows, as it is a completely free alternative implementation of the Windows API consisting of 100% non-Microsoft code, however Wine can optionally use native Windows DLLs if they are available.

OK - so what does that mean?  It means that for a good number of Windows applications, you can simply get the EXE file (or COM, or accompanying DLLs) on your Linux-based computer and run them right in Linux.  That’s right - no rebooting your dual-boot system, no starting a virtual machine - just run it and have it integrated into your Linux/Ubuntu desktop environment.  Slick…

Why is it called WINE?

WINE is a recursive acronym for Wine Is Not an Emulator. It refers specifically to the fact that WINE is not intended to emulate a machine running a full install of Windows.  Instead, it is a rewrite of the native Windows API in an open-source format, without reliance on Windows native (and proprietary) code.  The whole idea is that Windows (like most operating systems) relies on calls to an underlying library of system calls.  If you know the system calls and what they are expected to do, you can easily (well, not so easily in practice) create libraries for any operating system or platform by simply accepting the same inputs (function parameters) and performing the appropriate operations to produce the expected output.

Enough with the techno-mumbo-jumbo.  What do I need to do to run a Windows application on my Ubuntu box?

Well, the answer is, that depends.  Ubuntu has long had packaged support for WINE (search for it in Synaptic) but as of this writing, it had not yet picked up version 1.0 (I’ve got 0.9.59 visible in my standard hardy repo currently). However, the fine folks at WINEHq have provided packages th