OpenVPN chroot and crl.pem

At my job, we've been debugging a really annoying/frustrating issue where OpenVPN refused to read the crl.pem in the chroot directory:

openvpn[32275]: 192.168.1.24:2420 CRL: cannot read: crl.pem: Permission denied (errno=13)

OpenVPN would drop permissions after the chroot to nobody, but even with full read access permissions on the file and SELinux turned off, this error still occurred. Turns out, the chroot directory had 700 permissions:

drwx------ 4 root root 4096 Aug 29 19:49 /etc/openvpn/chroot

Changing these permissions to 755 (or ownership to nobody) fixed the issue.

Hope this helps.

SANS 2009 in Orlando, Florida March 2-9

In much the same fashion as Las Vegas in Jan., I expect to be at the SANS conference in Orlando early Mar. Drop me a note if you will be attending, and let's meet up.

Join us once again in the Magic Kingdom for SANS 2009, March 2-9, where
you can receive the best in network and computer security training!
There is a great need for people with deep, technical skills in network
security in today's world. At SANS 2009, you can gain the training that
will ensure that you have those skills.

Timing is great. Flights to Orlando are typically inexpensive, and SANS
has discounted rates on hotel rooms. Register by January 21 to get a
$350 tuition discount. Start making your travel plans now!

SANS top-rated instructors, the 'Voices That Matter,' will be on hand
at this outstanding annual event. Choose from 35 courses that are packed
with immediately-useful techniques and tools! See our Event-At-A-Glance
page (http://www.sans.org/info/35639) for a complete list of courses
including several that are in alignment with DoD Directive 8570
requirements for Baseline IA Certifications. For more information see
http://www.sans.org/info/35644.

"SANS courses are hands-down the best security courses in the
industry." - Scott Hilts, Bruce Power

"SANS offers the real world experience that other training venues
can't." - Tom Boyd, Medco

"Thorough and current material, great presentation, real world
examples." - Jason White, University of Maryland

No SANS national event would be complete without our SANS@Night Series
featuring presentations on the most current topics in information
security by some of the best speakers in the industry.

Part of the package, as always, is an extensive Vendor Tools Expo &
Reception where you'll see live demonstrations of cutting-edge
technologies. Numerous SANS Lunch & Learn presentations and Cocktail
Briefs will help you find the right mix of tools and solutions for your
company's unique challenges.

At SANS 2009, you'll learn more than you can imagine and have countless
opportunities to expand your network of security experts and friends.
There's fun for the entire family, too, as this event takes place right
on the Disney property, minutes from EPCOT and Disney-MGM studios.
(http://www.disneyworld.com) This year, SANS 2009 coincides with ESPN
Weekend, which will feature live ESPN telecasts, motorcades, interview
sessions with famous athletes, and an interactive sports zone.

SANS has arranged discounted room rates at Walt Disney World Swan and
Dolphin Resorts which includes high-speed Internet access in your room.
Make your reservations now as this special deal is based on space
availability. (http://www.sans.org/info/35634)

Now is the best time to invest in your own deep, technical skills - an
investment that helps to ensure your future in uncertain times! So,
register today for SANS 2009. I look forward to sharing both the magic
of Disney and SANS training with you in Orlando!
(http://www.sans.org/info/35629)

Computer Security Training: SANS Security 504 Training in Denver, Colorado

I'm running a local mentor class of SANS Security 504, starting on Jan. 15th, here's the info (take note of the Apple promotion):

SANS is bringing Security 504: SANS Hacker Techniques, Exploits and
Incident Handling to your local community in our popular Mentor hands-on
format! Beginning on January 15, SANS Mentor Richard Fifarek will be
leading this class in Denver, Colorado. For complete course details,
please click on http://www.sans.org/info/34234.

SANS END OF YEAR APPLE GIFT CARD PROMOTION: For a limited time SANS is
offering a $200 Apple gift card for registering and paying for this
class prior to December 31. Looking to try the new iPhone? Here is your
chance! Simply enter the word "Apple" in the comments box on the second
registration screen and make payment by December 31 to receive a $200
Apple gift card.

Why Choose the Mentor Program?

The Mentor Program, http://www.sans.org/info/34239, consists of small,
locally run, 10 week classes utilizing the same great SANS courseware
presented at the larger conferences. This unique program opens SANS
training up to students with family or work commitments necessitating a
more flexible option. Mentored students report several major benefits
of this format including: cost savings, time to digest the material,
convenient evening classes, small groups, a Mentor "coach", and
community networking.

COST SAVINGS: Is the slowing economy resulting in reduced training
budgets? With the SANS Mentor program, you save 25% off the regular
SANS tuition fee with the ability to save even more with group discounts
(see below). No need to spend money on travel and living expenses or
spend a week away from the family.

PACED STUDY: Take 10 weeks to work through and understand
the material. Past students report that the slower pace allows them to
absorb and apply the information. Each session provides you the
opportunity to apply the materials the next day when you return to the
office!

EVENING CLASSES: The Mentor program provides a method for learning the
SANS materials and working towards a GIAC certification without taking
time off from work.

COMMUNITY NETWORKING: The Mentor program allows you to work with local
security professionals in an open discussion format. This community
networking has been identified by students as a major benefit of the
Mentor program.

One recent Mentor student commented, "I thought that the class was
great. I would consider taking another SANS Mentor Program class. It
was much more convenient than traveling and I had the ability to review
material at my own pace." Clint Barnett - Computer & Information
Security Forensics Examiner

A SANS Institute course delivered locally in Denver, Colorado, by an
experienced SANS Mentor who will lead you over a comfortable and
convenient schedule, saving you money, while giving you the opportunity
to network with local security professionals. What a great
combination!! Plus SANS promises you will be able to use what you learn
in the classroom as soon as you return to the office.

TUITION DISCOUNTS!
SANS offers group registration discounts for 2 or more students who
register from the same organization. To obtain the Group Discount
fee and Registration Code offered for this course, contact Miranda
Ruddick at mentor@sans.org PRIOR to registering, and provide the
names and e-mail addresses of all the students registering within
your organization.

Does this sound like the kind of training that would help
you be more effective in your job? Then register today at
http://www.sans.org/info/34234 and see for yourself the excellent
value of SANS training and GIAC certification!

If you have any questions about this course offering, please contact
mentor@sans.org.

Metasploit Anti-Forensics Project (MAFIA) - Slacker.exe

One of the tools in the Metasploit arsenal is slacker.exe, which allows an attacker to hide data in the slack space of NTFS. Recently, I've been playing with this scary awesome tool, and wanted to share what I found:

When a file system allocates space for a file, it allocates that space in a predetermined size data container, referred to as “blocks on Linux/Unix systems, and clusters on Windows systems.” (http://www.wikistc.org/wiki/Slack_space_data) As a file is written, blocks or clusters will be allocated to store the contents of the file, and each block or cluster will either be completely full or partially full. However, the size of most files will not be an even multiple of the block or cluster size. For example, a 1KB file is created and written to a file system with a 4KB block or cluster size. The file system can not allocate anything less than 4KB, thus when the file is written, 3KBs of the block or cluster is left unused. This unused space is referred to as slack space. Since this slack space is allocated but unused, it presents an appealing target for attackers to hide data.

As part of the Metasploit Anti-Forensic Investigation Arsenal (MAFIA), the Slacker tool is the first “tool that allows you to hide files within the slack space of the NTFS file system.” (http://www.metasploit.net/research/projects/antiforensics/) Slacker is a command line tool, here’s the help menu:



To hide a file with slacker.exe, one must choose a directory structure within which to select files to hide the data in ( {path} ), how deep to descend into the directory tree ( {levels} ), a file to store metadata for tracking information ( {metadata} ), a password to encrypt the metadata file ( {password} ), and options for how slack space is selected, data is obfuscated or not, and if you wish to use a file as an XOR key. For the purposes of the following example, the file to be stored in slack space was Salary.xls, a directory containing JPEG image files was used as slack space files (C:\Demo), a high resolution JPEG was used as the metadata file (C:\image.jpg), and the password used was “hide”:



To reverse the process, point slacker.exe at the metadata image file (in this case, C:\image.jpg) and supply the password and a filename for the extracted data:



Md5sum shows the extracted file and the original to be identical:



Looking at one of the files that were used for slack space to store the data and the original file, md5sum shows them to appear as identical as well:



which is the expected behavior, since slacker.exe will reset the file pointer to the original location after it completes it’s work. The same applies to the metadata file:



The only attribute that noticeably changes on either the slack space file or the metadata file is the “Date Modified” attribute, which can be reverted back using another tool in the MAFIA toolkit, timestomp.exe, discussed later. The data stored in the slack space files is unencrypted, but the metadata file information is stored in the slack space encrypted, thus preventing a forensic analysis from easily locating and retrieving the list of files that slacker.exe wrote the data out to. Without a tool that can read raw disk sectors, this type of data hiding would be easily missed, and with such a tool, tedious and very time consuming to locate.

Computer Security Training in Las Vegas, NV

I'm scheduled to be in Las Vegas, NV this coming Jan. for SANS Security West, January 24 - February 1. If any of you reading this will be there, give me a shout, and let's meet up!

SANS is offering it's usual collection of top notch training classes:

- SEC401: SANS Security Essentials Bootcamp Style
- SEC504: Hacker Techniques, Exploits and Incident Handling
- SEC508: Computer Forensics, Investigation, and Response
- SEC560: Network Penetration Testing and Ethical Hacking
- MGT512: SANS Security Leadership Essentials for Managers with Knowledge Compression(tm)
- SEC501: Advanced Security Essentials -- Enclave Defender - NEW
- MGT414: SANS(r) +S(tm) Training Program for the CISSP(r) Certification Exam
- SEC502: Perimeter Protection In-Depth
- SEC503: Intrusion Detection In--Depth
- LEG523: Legal Issues in Information Technology and Information Security

They also have a great lineup of evening talks for attendees:

- Hot Trends 2009-2010 - Stephen Northcutt
- Crypto: The Pain Killer of Choice - Eric Cole
- Client Side Attacks: Forget 0-day, time for 0-exploit - Kevin Johnson
- Electronic Records Out of Control - Ben Wright
- State of the Hack: The Chinese Threat - Rob Lee

Hope to see you there!