A few years ago I worked with the lead developer of RJS Software’s WebDocs-iSeries document management solution to see whether we could use authorization lists to provide a standardized method for securing WebDocs-iSeries objects on the iSeries.
You see, the iSeries is strange in that it has two file systems that are both “native”, and WebDocs-iSeries uses both. The first, and the original, is the library/object model inherited from the System/38 and early AS/400 days. A master library, QSYS, contains system objects and all other libraries, which may themselves contain objects but not libraries. This produces a very flat structure, with any object being fully specified simply by naming the library it is contained within, its object name and its object type.
Later, a UNIX-like file system, the Integrated File System (IFS), was added without removing the old one; instead, libraries appear in it as directories (under /QSYS.LIB), objects appear as files, and object types become their extensions. Native applications were blissfully ignorant of the change, and I’ve actually spoken to administrators who were similarly ignorant. In addition, many iSeries applications never explicitly touch the IFS.
With V5R3, IBM switched from its own web server on the iSeries to the popular Apache web server. Even before that, WebDocs-iSeries had been storing the documents uploaded to it in the IFS, so any comprehensive security solution was going to have to cover the library/object model as well as the files and directories in the IFS. Authorization lists, which can secure objects in both, fit the bill perfectly.
Or so we thought. Ultimately, they proved too cumbersome for our customers, and their real-world utility was minimal. But along the way I stumbled across an odd mismatch between the level of authority IBM’s Redbook said Apache required and what was actually required.
Apache on the iSeries uses two primary user profiles: QTMHHTTP and QTMHHTP1. The former is used for serving the web site pages under /www for a given Apache instance, while the latter is used for executing CGI programs. Since the same iSeries job may be used for both operations, Apache switches the user profile of the job when it runs CGI programs.
What this implies is that the only files QTMHHTTP should ever need access to are those under /www. In fact, though, it traverses the IFS directory structure to check whether a given CGI program is present before the job switches users. Since our CGI program object is in the RJSIMAGE library, QTMHHTTP needed read access to /QSYS.LIB/RJSIMAGE.LIB/* before it would perform the switch and allow QTMHHTP1 to run the program.
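As an added illustration (not from the original post, and not RJS code), here are the CL commands that implement the finding above on an IBM i system, followed by the checks that show the same object, with the same authority, through both naming models. The program name RJSCGI is an assumption; the library RJSIMAGE and the profiles QTMHHTTP and QTMHHTP1 are from the text. *USE (object operational, read and execute) is assumed to be the narrowest standard authority that satisfies the read requirement described above. The commands can be typed at a command line or placed in a CL program.

```cl
/* Added example, not from the original post.                               */
/* QTMHHTTP has to locate the CGI program before the job switches to        */
/* QTMHHTP1, so it needs *USE on the library and on the objects it holds.   */
/* RJSCGI is a hypothetical program name; RJSIMAGE, QTMHHTTP and QTMHHTP1   */
/* are the names used in the post.                                          */

/* Library/object model: grant QTMHHTTP *USE on the library and, as the     */
/* post observed was required, on every object in it.                       */
GRTOBJAUT OBJ(RJSIMAGE) OBJTYPE(*LIB) USER(QTMHHTTP) AUT(*USE)
GRTOBJAUT OBJ(RJSIMAGE/*ALL) OBJTYPE(*ALL) USER(QTMHHTTP) AUT(*USE)

/* The CGI profile is the one that actually runs the program, so it needs   */
/* *USE on the program object too.                                          */
GRTOBJAUT OBJ(RJSIMAGE/RJSCGI) OBJTYPE(*PGM) USER(QTMHHTP1) AUT(*USE)

/* The same grant for the library, expressed in IFS form. *RX on an IFS     */
/* object is the same thing as *USE on the library object; run one form or  */
/* the other, not both.                                                     */
/* CHGAUT OBJ('/QSYS.LIB/RJSIMAGE.LIB') USER(QTMHHTTP) DTAAUT(*RX)          */
/*        OBJAUT(*NONE)                                                     */

/* Check the result through the library/object model ...                    */
DSPOBJAUT OBJ(RJSIMAGE/RJSCGI) OBJTYPE(*PGM)

/* ... and through the IFS path for the very same object. The data          */
/* authority column should show *RX for both QTMHHTTP and QTMHHTP1.         */
DSPAUT OBJ('/QSYS.LIB/RJSIMAGE.LIB/RJSCGI.PGM')
```

Once the CGI request works, the practical check is to narrow the second GRTOBJAUT to only the program object and retest; whether QTMHHTTP really needs the whole library, or only the *PGM it looks up, is exactly the kind of detail the Redbook leaves you to discover on your own.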
While unexpected, this mismatch between expectation and reality isn’t necessarily a problem. But paying attention to such mismatches can be educational. The Linux From Scratch project has actually made a sort of perverse game of this form of pedagogy with their “User Based Package Management” approach. It looks masochistic because it is, but it’s also enlightening: verifying security is all about attention to such details.
Last I checked, V7R1 behaves the same way, and the Redbook still hasn’t been updated. So it goes …
If, like me, you were a beta tester, you might not have noticed that Facebook Graph Search is now open to all users. But it is. Everyone from your former high school classmates to your co-workers to your mom’s neighbor now has access to Facebook’s powerful search engine.
In case you weren’t able to attend Secure360 this year, you can catch the presentation that Josh More gave entitled “Security Metaphors” right here.
Here’s the original description of the presentation:
There is a divide between the so-called “security/technical” people and the “business” people. We’ve all heard about how we need to “speak the language of business” and “get soft skills” to succeed. However, even after decades of trying, the divide still exists. Why does it seem that we never make progress? Are we truly not improving? Is the goal receding as we chase it?
This presentation posits that we’ve been making a fundamental error in trying to explain things to people outside our field. One thing that people-oriented people do naturally, and technically-oriented people do not, is communicate with others using the target’s metaphors. By taking this approach and translating issues into different frames of reference, more time is spent exploring the issue instead of arguing over why it matters.
By focusing first on being understood and second on the specific issues, rapport can be built and, over time, you can get the resources you need to win more battles.
As many of you who read this blog know, in addition to doing security, I also like to go to zoos and take photos. (You can see my work here.) It is rare that this hobby overlaps with my life in security, but once in a while, it does. In May, I was in Washington, D.C. for a Sophos conference. After the conference (as one does), I went to the National Zoo.
I got there before opening and was taking photos. I saw these signs…
… and made a quick joke about the zoo not wanting people jumping in to pet the tigers. Then, however, I saw this, and everything changed:
Ben Lincoln posted on his blog today some interesting facts he stumbled upon while troubleshooting an Exchange ActiveSync setup with his Motorola Droid X2 cell phone. It turns out that Motorola is gathering ALL of his log-on credentials for third-party sites and services, along with photos he’s taken with his phone, and passing quite a bit of that data unencrypted over HTTP.
In layman’s terms: all that data can be intercepted by third parties; in fact, that’s how Lincoln discovered it in the first place.
We talked quite a bit about a similar issue with HTC and “Carrier IQ” being pushed to all of their phones through an over-the-air update. Fortunately, Trevor Eckhart discovered that little gem and put a lot of valuable time and effort into making it known: Eckhart pointed it out to the XDA ROM-modding community, and swift steps were taken to purge it from all custom ROMs. The resulting backlash against HTC was huge, to the point that their stock and market share tumbled during 2012 and into 2013.
When you break the trust of your customers, it is really hard to recover.
HTC licked their wounds and released the HTC One, which has been aptly named since it’s their one last effort to salvage the company. I picked up the One this spring on vacation, rooted it a day later, and installed a custom ROM that I know has been stripped of any carrier and manufacturer bloat and spyware.
Do I feel any more secure? Not really since the NSA is digging through all my email and phone traffic regardless of personal security steps I take.
Maybe it’s time to take a Jack Reacher approach and just unplug from everything and step entirely off of the grid …
Unlike you, attackers are not limited by resources, budgets, laws or ethics. They can launch any number of attacks at any time, from anywhere. This means you have to maintain a strategic balance between defense and response.
Always stay a move ahead of your opponent.
If you are constantly focused on reacting, you are not taking the time to learn and adjust your security strategy based on your experiences. Your attackers are constantly evolving, so you must, too … just a little faster.
Make better use of what you already have.
Before you invest in yet another expensive security project, fine-tune the security products you have in place. Are your defense systems fully patched? Have you turned on all the necessary bells and whistles that came with your original product?
The right security strategy for right now.
The days of defining and executing a rigid multi-year security plan are over. Since attackers are incentivized for rapid change, you must also adapt to the always-evolving threat landscape. An inflexible security plan will create holes quicker than you can fill them.
Part of your team, not instead of your team.
Without a highly skilled and experienced staff of security experts, it is extremely difficult to remain unscathed by the many possible attacks waged against your organization each day. Thus, it is sometimes necessary to leverage the knowledge of others.
A smart investment for smart growth.
Once your internal operations are working well and you are effectively using what you have, it's time to grow. But before you purchase another layer of protection, first identify what really matters to your business and create goals you can measure to see if your next project will indeed be a success.
About RJS Security
RJS Software provides information management solutions that allow businesses to improve productivity, make better decisions and save money. Our software helps organizations streamline data collection, digitize and manage documents, automate work processes and optimize