Category Archives: Linux

Linux related posts

The recent “cyber attack” and the implications on the healthcare industry.

As you all now know, a recent “cyber attack” has affected many computers around the world, including, most prominently, the NHS. In this article I ask what implications this has for future IT services in the healthcare industry.

Firstly, this incident was not a “cyber attack” in the sense of a targeted operation against the NHS; the NHS was one victim among many, and whether it is an attack at all is open to debate. The incident was caused by a piece of ransomware, now generally known as WannaCry, which takes the form of an Internet worm. Worms are self-replicating pieces of code which spread from computer to computer over networks, usually by exploiting a vulnerability in target software or operating system code to gain access and/or elevated privileges on the target system. Once a machine is infected, the worm’s real purpose, termed the payload, activates. The payload can range from something benign to something far more damaging. In the case of ransomware, the usual modus operandi is to encrypt data on the target computer’s drives (and on any writable network shares it can reach) and then offer to decrypt it in return for payment of a ransom.

So, having established what happened, how did it happen and why was the impact so significant? The answer lies in the exploit used. The worm spread using an exploit against a vulnerability in the SMBv1 file-sharing code in Windows. That exploit, known as EternalBlue, was developed by the NSA, who kept the vulnerability to themselves so they could use it against their targets rather than disclosing it to Microsoft in the normal way. In April 2017 a group calling itself the Shadow Brokers leaked a set of NSA tools, including this one. Microsoft had in fact released a fix (MS17-010) in March 2017, shortly before the leak, so strictly speaking this was no longer a “zero-day” by the time the worm appeared. What made it so dangerous was that the leak was not a theoretical vulnerability but a tried and tested, working exploit, released into the wild while most organisations were still inside their patching window and while many were still running versions of Windows, such as XP and Server 2003, that were out of support and for which no patch existed until Microsoft issued an emergency one as the outbreak unfolded. So, this worm is a direct consequence of the NSA’s practice of hoarding vulnerabilities (and, given how closely the two agencies work together, arguably GCHQ’s too). Is this something we should be concerned about? Absolutely! Could it have been handled better? Most definitely!

Having established what happened and why, what lessons can we learn from this? Well, firstly, the standard response to this type of threat is a patching schedule and methodology which keeps operating systems and software up to date, and in this case that was the single most effective control: a machine patched with MS17-010, or with SMBv1 disabled, could not be infected over the network. But a patch only helps once it has been tested and deployed, and it does nothing for systems that are out of support, which is why the measures below concentrate on protecting important data even when a terminal is compromised. I will deal with these in turn.

The first question that springs to my mind is why raw data is accessible from a terminal in the first place. If a terminal cannot write directly to the files, a compromised terminal cannot encrypt them, and even if the terminal is affected a simple re-image will get you up and running again. Taking this a step further, network-boot, thin-client environments greatly reduce both the risk and the recovery time. The caveat is that the servers holding the data then need the most disciplined patching of all: this worm attacked servers over SMB just as readily as desktops.

Coupled with this we must look at how our data is accessed and presented. Placing our data in the cloud, or more precisely behind a service, would help to mitigate this type of attack. If our data is hosted on a well-secured system and accessed through an application interface, for example over HTTPS or XML-RPC, rather than as a mapped drive, then a compromised terminal can only do to the data what that interface lets it do, and the data cannot simply be encrypted in place and held to ransom. The interface must still be treated as an attack surface: a well-crafted payload could delete or overwrite records through it, so correct backup procedure, with cold or otherwise immutable copies, remains essential so that any compromised data can be restored intact. Moving data behind a service also lets us protect ourselves from local network attack, because the only element directly exposed to an attack vector like this worm is the access layer. It allows us to treat our local and wide-area networks as we should treat them: hostile, untrusted environments. The scale of the impact on the NHS strongly suggests that both the NHS National Network (N3) and local NHS Trust networks were heavily involved in propagating this worm, and that neither should be treated as a trusted network. Perhaps the existing paradigm, in which N3 is widely considered safe for passing patient data, should come under heavy scrutiny, with more controls applied to data transiting it.

When we consider N3 an untrusted network, we realise that our second line of defence, beyond firewalls and security procedures, is very simple: isolate, contain, eliminate. We must be prepared to pull the plug on our links to the outside world when threats such as this occur, in order to protect the integrity of our local networks and our data. A loss of connectivity is commonly considered an undesirable event, but IT managers must consider a controlled disconnection as one of the tools in their arsenal. This approach presents unique challenges to business continuity, particularly around access to services and data, and these challenges become more apparent as we move towards a cloud-enabled data model. It is in this specific area that my company, iCoriolis, is working on solutions to keep data accessible even when disconnected from the WAN and, by extension, the cloud, whether that disconnection is controlled or the result of an incident.
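The decision to disconnect is only as good as the signal that triggers it. As an added illustration (my own example, not part of the original post), here is the kind of detection that would justify isolating a host: a worm like this one reaches new victims by opening SMB (TCP port 445) connections to many different hosts in quick succession, whereas a normal workstation talks to a handful of file servers. The flow records below are constructed for the example, the 10.1.1.0/24 addresses are placeholders, and the window and threshold are assumptions to be tuned for a real network.

```python
from collections import defaultdict, deque
from datetime import datetime


def constructed_flows():
    """Constructed sample flow records for this example (not real data).
    Format per line: "<ISO-8601 time> <src> <dst> <dst port>"."""
    lines = []
    # Worm-like behaviour: one SMB connection per second to 12 different neighbours.
    for i in range(12):
        lines.append(f"2017-05-12T10:00:{i:02d} 10.1.1.20 10.1.1.{100 + i} 445")
    # Normal client: many SMB flows, but all to the single file server 10.1.1.5.
    for i in range(15):
        lines.append(f"2017-05-12T10:00:{i:02d} 10.1.1.30 10.1.1.5 445")
    # Web browsing on 443: not SMB, must be ignored by the detector.
    lines.append("2017-05-12T10:00:05 10.1.1.40 203.0.113.10 443")
    return "\n".join(lines)


def parse_flows(text):
    """Parse flow lines into (time, src, dst, dport) tuples sorted by time."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(flows, key=lambda f: f[0])


def smb_scanners(flows, window_s=60, threshold=10, port=445):
    """Return {src: peak distinct destinations} for every source that contacts
    more than `threshold` distinct hosts on `port` within any `window_s` seconds.

    A sliding window over time-sorted flows counts *distinct* destinations,
    not packets, so a client hammering one file server is not flagged."""
    recent = defaultdict(deque)                        # src -> deque of (ts, dst)
    in_window = defaultdict(lambda: defaultdict(int))  # src -> dst -> count in window
    flagged = {}
    for ts, src, dst, dport in flows:
        if dport != port:
            continue
        recent[src].append((ts, dst))
        in_window[src][dst] += 1
        # Expire entries that have fallen out of the window (newest entry is age 0).
        while (ts - recent[src][0][0]).total_seconds() > window_s:
            _old_ts, old_dst = recent[src].popleft()
            in_window[src][old_dst] -= 1
            if in_window[src][old_dst] == 0:
                del in_window[src][old_dst]
        distinct = len(in_window[src])
        if distinct > threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


if __name__ == "__main__":
    for host, peak in smb_scanners(parse_flows(constructed_flows())).items():
        print(f"isolate {host}: {peak} distinct SMB targets inside the window")
```

In practice the flows would come from a firewall, a NetFlow/sFlow collector or Zeek's conn.log rather than a string. The point is that the trigger is behavioural (fan-out on port 445) rather than a signature for this particular worm, so the same rule catches the next SMB worm, and the quarantine action it drives can be a port block or a VLAN move on the offending host rather than cutting the whole site off.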

Lastly, and possibly most important in my mind, are the choices IT managers make about the software and operating systems for terminals and servers. This incident has shown us that even a vendor with Microsoft’s resources cannot fix what it does not know about: this vulnerability sat in SMBv1 for many years, known to the NSA, and was fixed only once Microsoft learned of it, shortly before the exploit leaked. That is not inherently Microsoft’s fault; every vendor relies on the security community to identify and report vulnerabilities, and no one company can discover everything. This is where Open Source software shows its advantage. It’s not that Open Source developers are better (although some are), and it’s not an ideological issue. It’s simply that the code is freely available, so the community can constantly peer review and improve it, and vulnerabilities are discovered, shared, discussed and fixed in the open rather than being left, as this time-bomb was, to sit unpatched for years in the hands of whoever found it first. Open Source is not a magic bullet, and long-lived vulnerabilities have been found in widely used open code too, but with these facts in mind, and setting aside my personal preference for Open Source and my dislike of Windows for a moment, I find it difficult to understand how anyone can now trust a closed-source operating system for critical data. Governments themselves appear to agree: both the NSA (SELinux) and GCHQ have released and used Open Source software. In my mind this is certainly a case of “better the devil you know”.

The progression of the police state

“A society of free people will always have crime, violence and social disruption. It will never be completely safe. The alternative is a police state. A police state can give you safe streets, but only at the price of your human spirit. ”

These are the words of Alexander Shulgin in 1991, a name you may know as an expert in psychopharmacology. The full text of the lecture from which this quote is taken is linked below; I urge you to read it. He is talking about the US war on drugs, but his words are strikingly relevant to the current “war on terror”. I do not post this for its words on drugs but rather as a mirror held up to the progression of society, equally applicable today as in 1991 when it was written.

Today, right now, our “leaders” are making an attack on our privacy, our right to expression, our right to communicate. David Cameron is seriously suggesting that the UK outlaw encryption and allow open monitoring of any and all of our communications, without the requirement for a court order. Does that fit the definition of a police state?

Don’t get me wrong: I understand that the security services need the ability to monitor, surveil and spy in the interest of national security. But removing the protection the individual’s freedoms are given by the requirement for a court order does, in my opinion, cross the line into a police state; it is disproportionate and dangerous, particularly if we allow politicians to decide who is surveilled and when. Politicians should only wield so much power, and there should be protection against them using this power for their own gain.

There are so many parts of this text which are quote-worthy, but I will leave you with this.

“Let me ask each of you this simple question. What indicators would you accept as a definition of a police state, if it were to quietly materialize about you? I mean, a state that you could not tolerate.”

RIP Alexander Shulgin, 1925 – 2014.

http://www.psychedelic-library.org/shulgin2.htm

Diaspora* – a new social media platform

Many of you use Facebook. However, with privacy steadily eroding and the broad licence Facebook takes over everything you post, many are looking for a social media platform where you retain control over your data. Enter Diaspora*.

Diaspora* is a social media platform built on a federated architecture. This means you can keep your data on any one of many public servers, or run your own. The network distributes posts to your contacts in much the same way as email: your posts are delivered directly to your contacts’ servers, with no central system. This is great for resilience and good for privacy, because only the data you specifically choose to share ever leaves your server. Two caveats a security-minded reader will want: whatever you share with a contact on another server is copied to that server and is then under its administrator’s control, and the administrator of your own server has database-level access to everything you store there, so choose one you trust or run your own.

There is no advertising on Diaspora*. It features a clean, simple web interface and also a mobile site, with Android and iPhone apps, just as Facebook has.

I am currently testing a new community Diaspora* server (or Pod, as they are known) with a view to offering access to all my friends, so we can start the migration away from Facebook together. Don’t worry, though: Diaspora* can cross-post your status to Facebook, Twitter and Tumblr automatically if you like, which makes the transition easy to manage, as friends who have not yet made the switch can still see your posts. Bear in mind that anything you cross-post goes to those services under their terms, so limit cross-posting to the updates you would have been happy to put on Facebook anyway.

Of course, you’re welcome to use another Pod. One such public Pod is joindiaspora.com, which is run by the founders of Diaspora*.

The first step towards avoiding internet censorship and control (alternative DNS Roots, opennic and why you should care)

As governments and corporations look to exert more control over the internet, avoiding censorship and promoting freedom of speech has become central to shaping the internet of the future. To ensure that information is both free and uncensored it is imperative that political and economic forces are not able to modify the internet’s architecture unfairly for their own purposes. At the centre of this issue is the Domain Name System (DNS).

DNS is a directory of computers and their associated names, much like a phone book. When you type an address into your browser (for example, www.google.co.uk) your computer asks the DNS service for the IP address associated with that name, so it knows where to connect to fetch the page you requested. DNS is a hierarchical structure whose top level is made up of the Top Level Domains (TLDs). A TLD is the right-most label of a name: .com, .net, .uk and so on. (Strictly, .co.uk is a second-level domain under the .uk TLD, although in everyday use it behaves like one.)

Anyone can run a DNS server. However, to resolve the domains we all know, your server needs to start from the root servers, which delegate to the TLD servers. The root servers are run by a small number of organisations (companies, universities, non-profits and US government bodies) and are distributed around the world. Overall administration of the DNS and of IP addressing falls to the Internet Corporation for Assigned Names and Numbers (ICANN), a non-profit set up in 1998 under contract to the US Federal Government to take over functions previously performed directly under US Federal remit. The US federal government has retained influence over ICANN, not least because ICANN operates within US jurisdiction. ICANN charges a large amount of money for the privilege of setting up a TLD, or for accreditation to sell domains within one, something which was free when the internet was first created.

DNS can also be used to track your internet access. Every site you visit generates a DNS request, and whoever runs the resolver you use (typically your ISP) can log those requests, leaving a record of every host on the internet you connect to. DNS can also be used to censor your access: if a domain is removed or blocked in DNS, you cannot resolve the name to the IP address on which it is hosted, and so cannot reach it, at least not by name. Censorship by DNS blocking has already been implemented in many countries.
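To make the mechanics concrete, here is an added example (my own code, not part of the original post) that builds a DNS query in the wire format your computer actually sends, parses it back to recover the name and its TLD, and then models what any resolver operator can do with that stream of questions: log every name a client asks for, and answer NXDOMAIN for names on a blocklist. The names, the 192.0.2.x client address and the blocked.example domain are constructed for the example.

```python
import struct

QTYPE_A, QTYPE_AAAA, QCLASS_IN = 1, 28, 1


def encode_name(name):
    """Encode a domain name as DNS wire-format labels: length byte + label, ..., 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Standard query: header (ID, flags RD=1, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(packet, offset):
    """Decode a name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appeared in the packet)."""
    labels, end, hops = [], None, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                  # pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | packet[offset + 1]
            hops += 1
            if hops > 16:                          # guard against pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_question(packet):
    """Return (txid, qname, qtype, qclass) from a packet carrying one question."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, pos = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, qname, qtype, qclass


def tld_of(name):
    """Right-most label, e.g. 'uk' for www.google.co.uk."""
    return name.rstrip(".").rsplit(".", 1)[-1].lower()


def nxdomain_response(query):
    """The reply a blocking resolver sends back: same ID and question,
    flags QR=1 RD=1 RA=1 and RCODE=3 (NXDOMAIN), no answer records."""
    txid, qname, qtype, qclass = parse_question(query)
    header = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


class ResolverView:
    """What the operator of your resolver sees and can do with every query:
    record (client, name, type) for tracking, and refuse names it wants to censor."""

    def __init__(self, blocked_domains):
        self.blocked = {d.lower().rstrip(".") for d in blocked_domains}
        self.seen = []

    def handle(self, packet, client):
        _txid, qname, qtype, _qclass = parse_question(packet)
        self.seen.append((client, qname, qtype))
        name = qname.lower()
        if any(name == d or name.endswith("." + d) for d in self.blocked):
            return "NXDOMAIN", nxdomain_response(packet)
        return "RESOLVE", None


if __name__ == "__main__":
    view = ResolverView(["blocked.example"])       # constructed blocklist
    for name in ("www.google.co.uk", "news.blocked.example"):
        status, _reply = view.handle(build_query(name), "192.0.2.10")
        print(f"{name:24s} tld={tld_of(name):8s} {status}")
    print("resolver log:", view.seen)
```

Note that nothing in the query identifies the resolver's policy to the client: a blocked name and a genuinely non-existent one produce the same NXDOMAIN, which is why DNS blocking is so hard to distinguish from ordinary failure without a second, independent resolver to compare against.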

There is, however, a partial remedy. Alternative DNS root systems can be used which do not apply such censorship, and they provide an added bonus: domains and TLDs that are free to register, making DNS free, open and globally distributed, as it was always intended to be. Be clear about what this does and does not buy you: you are moving your trust, and your query log, from one resolver operator to another rather than eliminating them, and names under an alternative TLD only resolve for people who also use that root.

One such alternative root provider is opennic. Opennic lets you resolve a set of additional TLDs whilst still resolving the existing, ICANN-administered domains. It’s easy to use: the only change needed is to point your PC’s resolver configuration (/etc/resolv.conf on Linux, or the DNS settings on your router) at opennic’s servers, and their site explains how to do this and why it is a good idea.

So there we are. Object to censorship, control and artificial costs. Join me in using opennic now and keep internet freedom alive.

IPv6 is here to stay but are vendors taking it seriously?

World IPv6 Day has come and gone and many companies worldwide now have a permanent IPv6 presence. ISPs are now rolling out IPv6 to customers and restricting the number of IPv4 addresses offered. These moves are welcome to those ready to adopt IPv6, but are vendors stepping up to provide IPv6-enabled devices? My personal experience says that they are not.

I recently contacted Siemens to see if my Gigaset VoIP DECT phone would receive a firmware update enabling it for IPv6. The answer I got was a definite no. This is hardly surprising, as the device is a couple of years old. However, the email I received went on to say that Siemens currently have no DECT VoIP bases that provide IPv6 functionality at all.

In the consumer router market the story is much the same. There are still only a small number of routers that support IPv6, and those that do often suffer from buggy, incomplete or non-compliant implementations. This makes the IPv6 path a frustrating one for early adopters such as myself. I don’t get the feeling that vendors see IPv6 as important at the moment. I really hope this changes soon.

Qsmtp – all new, improved qmail.

I recently embarked on a mission to make Qmail work with IPv6. I succeeded, in part, with the qmail-jms1 patched version of qmail. Overall, however, I was not completely happy with the jms1 approach. The author of this patch added some slightly unusual functionality and, most importantly, the patch does not appear to be compatible with the qmail-spp patch, which I used to perform valid-user checks before accepting mail.

Recently, however, I discovered Qsmtp (http://opensource.sf-tec.de/Qsmtp/).

Qsmtp provides drop-in replacements for qmail-smtpd and qmail-remote which add advanced anti-spam features such as SPF, DNS RBL checks, MAIL FROM validation, vpopmail user validation (so unknown recipients are rejected at SMTP time rather than bounced later) and more.

It also provides full IPv6 support.

For a Gentoo system, it’s as simple as adding the author’s overlay in layman and emerging netmail-Qsmtp.

This seems to work flawlessly. I’m impressed.

IPv6 switchover – are corporates taking it seriously?

In the IT world, most people have heard of IPv6 by now. Many Internet-centric companies already have IPv6 connectivity and an IPv6 web presence, and many ISPs are set to start rolling IPv6 out to end-users this year. Outside these companies, however, understanding of IPv6 seems limited.

In my work as an IT Architect, I see many proposed solutions. Worryingly, many companies are still designing IPv4-only networks to be deployed in 2012 and 2013 with no consideration of how they will provide IPv6 capability, either internally or for internet-facing services. Failing to provide IPv6 capability at the outset could result in a whole host of problems.

Deploying an IPv4-only network now could force a redesign sooner than originally planned, introducing more cost and work. For companies whose web presence is core to their business, loss of revenue could follow as IPv6 connections from home users become the norm. Most companies consider email an essential service nowadays, and as more organisations switch to IPv6 there may be issues with mail routing (sender-policy records that list only IPv4 ranges are one concrete way this goes wrong). IPv4 addresses are becoming more expensive and scarcer; in fact this process has already started, and growing an IPv4 deployment will become increasingly costly and difficult because of it.

This issue does not just affect Internet-facing services. Although it is possible to run a mixed environment, it tends to work better if client PCs run a native dual stack rather than relying on translation at the network layer (NAT64/DNS64). That means reconfiguring many machines for dual-stack working or moving to an IPv6-only network internally. All of the main operating systems handle this fine; it’s embedded devices like network printers and IP phones that may struggle without a firmware update, and many vendors of such devices appear to see the IPv6 switchover as a way to force customers onto newer models, and so are not offering firmware updates to add IPv6 support. Note too that modern operating systems enable IPv6 by default, so an “IPv4-only” network already carries IPv6 link-local traffic: firewall and ACL policy needs to cover both address families from day one, otherwise IPv6 becomes an unmonitored path through the estate.
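The Qsmtp post above lists SPF and DNS RBL checks, and this post raises mail routing over IPv6; the two meet in a detail that bites early adopters. As an added example (my own code, not Qsmtp’s), here is a minimal SPF evaluator and DNSBL name builder that handle both address families, plus the normalisation a dual-stack listener needs because it hands IPv4 peers to the application as IPv4-mapped IPv6 addresses (::ffff:192.0.2.25). The records, addresses and zone names are constructed for the example; the evaluator covers only ip4:, ip6: and all, and reports anything needing a DNS lookup (include:, a, mx, exists:, redirect=) as ‘unsupported’ rather than evaluating it.

```python
import ipaddress


def canonical_ip(addr):
    """Normalise a peer address before any policy check.
    A dual-stack socket presents IPv4 peers as IPv4-mapped IPv6 addresses;
    left as-is they match no ip4: mechanism, no IPv4 RBL and no IPv4 ACL."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def rbl_query_name(addr, zone):
    """DNSBL lookup name: reversed dotted octets for IPv4, reversed hex nibbles
    of the full 128-bit address for IPv6 (RFC 5782), under the list's zone."""
    ip = canonical_ip(addr)
    if ip.version == 4:
        labels = reversed(ip.exploded.split("."))
    else:
        labels = reversed(ip.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.strip(".") + "."


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate the connecting IP against an SPF TXT record.
    Handles ip4:, ip6: and all with +/-/~/? qualifiers; terms needing DNS
    (include:, a, mx, exists:, redirect=) return 'unsupported' in this example."""
    ip = canonical_ip(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if (mech == "ip4") != (net.version == 4):
                return "permerror"          # ip4: with a v6 prefix or vice versa
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
            continue
        return "unsupported"                # needs a DNS lookup; out of scope here
    return "neutral"                        # record ran out without matching


if __name__ == "__main__":
    v4_only = "v=spf1 ip4:192.0.2.0/24 -all"         # constructed record
    for peer in ("192.0.2.25", "::ffff:192.0.2.25", "2001:db8:1::25"):
        print(peer, evaluate_spf(v4_only, peer), rbl_query_name(peer, "bl.example"))
```

The third line of that output is the mail-routing problem in miniature: a legitimate sending host that has gained an AAAA record now fails SPF hard, because its own domain's record was written when only IPv4 existed. The fix is on the sender's side (add an ip6: mechanism when you add AAAA records to your MX), but the receiving MTA can only apply policy correctly if it unmaps ::ffff: addresses first, which is why canonical_ip runs before every check.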

In summary then, companies would do well to consider their roadmap to IPv6 capability sooner rather than later. Indeed, those companies which take this on board now could use this as a strategic edge over their competitors.

Qmail update.

In my quest to IPv6-ify all my equipment, I’ve finally found a viable patch to enable IPv6 in Qmail. I’m going to apply this tonight. Once this is done, my DNS, SMTP, HTTP and IMAP services will all be IPv6 capable.