Thursday, January 31, 2013

UPnP security issues

This morning we released a whitepaper entitled Security Flaws in Universal Plug and Play. This paper is the result of a research project spanning the second half of 2012 that measured the global exposure of UPnP-enabled network devices. The results were shocking to the say the least. Over 80 million unique IPs were identified that responded to UPnP discovery requests from the internet. Somewhere between 40 and 50 million IPs are vulnerable to at least one of three attacks outlined in this paper. The two most commonly used UPnP software libraries both contained remotely exploitable vulnerabilities. In the case of the Portable UPnP SDK, over 23 million IPs are vulnerable to remote code execution through a single UDP packet. All told, we were able to identify over 6,900 product versions that were vulnerable through UPnP. This list encompasses over 1,500 vendors and only took into account devices that exposed the UPnP SOAP service to the internet, a serious vulnerability in of itself.

The vulnerabilities we identified in the Portable UPnP SDK have been fixed as of version 1.6.18 (released today), but it will take a long time before each of the application and device vendors incorporate this patch into their products. In most cases, network equipment that is "no longer shipping" will not be updated at all, exposing these users to remote compromise until UPnP is disabled or the product is swapped for something new.

Security Flaws in Universal Plug and Play: Unplug, Don't Play (via TechSpot).

I've never had any luck with UPnP on my now rather ancient router, which is certainly "no longer shipping", but it was enabled. I've disabled it as advised.


Friday, January 18, 2013

Java security issues

Java seems to have some security issues affecting Linux as well as other operating systems. The issues specifically affects the Java browser plugin, not the Java installation. I haven't used a Java website for ages, and in fact when I checked, I didn't have the plugin installed in this installation (Debian Wheezy). Worth checking if you do have the vulnerable plugin installed, and either disabling it or restricting use to sites that absolutely require it. Brian Krebs has the details, but here are some useful links.

Check to see if you have the plugin installed.

How do I disable Java in my web browser?

Firefox: Protecting Users Against Java Vulnerability

Friday, January 11, 2013

Can't update Iceweasel from Experimental on Wheezy

I use the Debian Experimental repository to update Iceweasel to the latest Firefox release version provided by the Debian Mozilla team.

Trying to update to Iceweasel 18 produces this message:
Some packages could not be installed. This may mean that you have requested an impossible situation or if you are using the unstable distribution that some required packages have not yet been created or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies: iceweasel: Depends: xulrunner-18.0 (>= 18.0-1) but it is not going to be installed E: Unable to correct problems, you have held broken packages. 
It seems Iceweasel 18 depends on xulrunner-18.0 which depends on Libnss3 2.3.14, which isn't in Testing or Experimental.

 The problem is described here and here.

Thursday, January 10, 2013

Can't mount external drives or shutdown in XFCE on Debian Wheezy Live

As I mentioned in my review of XFCE Live on Debian Wheezy, I wasn't able to access external drives or shut the computer down properly. Plugging in and trying to access a USB drive produced this message.
Failed to mount [drive] not authorized
There are many posts about this problem on the internet. Reading around, it seems the problem is caused by the display manager not passing the required permissions to security services which control access and shutdown. I saw LightDM suggested in several places, but it was already installed.

In the end I found that dropping out of the desktop environment to the command line and running LightDM as root fixed the problem: XFCE started with access enabled.


To do this, press Ctrl+Alt+F1, then Ctrl+Alt+F2 to get a command prompt, then enter:
Sudo lightdm
It's quite possible that if XFCE is installed, LightDM will be set up to run and this problem won't exist, but I've only run XFCE from a Live USB, so I can't confirm this.


Wednesday, January 9, 2013

Printing multiple photos on a page in Gnome

One of the things I miss about Windows is the way you could select several photos while viewing a folder, and then print them on one page. This is not possible in Gnome. (It looks like KDE has a plug in for this.)

There are a couple of applications that will print multiple photos on a page. Both have an easy drag and drop GUI.

One is gnome-photo-printer. Here photos are dragged to a list.

After which you can select the image size required.

And do a print preview.

The other application I looked at is PhotoPrint. Here you choose how many rows and columns you want on the page, and drag photos to cells.

Obviously if you're looking to print photos in a standard format, gnome-photo-printer looks like a good choice, whereas if you just want six photos on a page printer as large as possible, PhotoPrint is the easier option.

Tuesday, January 8, 2013

A look at XFCE in Debian Wheezy

The computer I'm writing this on came with Windows XP. It probably wouldn't run Windows 7, so is it reasonable to expect it to run the latest Linux desktops? Gnome 3 and KDE may need fairly recent hardware to run (well) but there are Linux desktops designed to run on older, less powerful hardware. I've looked at Crunchbang before which is indeed nippy on my older laptop, ten years old this year. Today I've been trying out XFCE 4.8 on Debian Wheezy from a Live USB. It zips along even from the USB, so I have no doubt it would be fast if installed- just about ideal for this or any other XP era machine.

The only real drawback with XFCE is that it is a 20th century desktop paradigm. Some see limitations in that paradigm, others comfort. The limitations are a potential dog's breakfast in the notification area, redundant icons with duplicated functionality, inefficient use of screen space, and inefficiency in a cluttered window switching mechanism.

It seems XFCE has tried to get away from the Windows 95 paradigm with the main panel now positioned at the top of the screen, and a second panel acting as an application launcher at the bottom of the screen.


The desktop is still very much menu driven.


With a full screen window open, the bottom panel restricts the space available: set it to auto hide.


I got rid of the bottom panel because of the redundancy issue mentioned previously: you can't switch applications using the icons in the bottom panel, so they have to appear again in the top panel as window buttons. If you really want the Apple look, a real dock like Docky might be a good idea- it works with XFCE compositing.

It's very easy to change the look of XFCE. Here's what I did, first with the BSM simple theme.


A bit of a Windows 7 look here with buttons only for windows switching, and programs automatically grouped.


The old fashioned window switching method in XFCE handles the GIMPs modal windows well.


Here's a full screen application, not quite as efficient as Epiphany in Gnome 3: the title bar takes up space unnecessarily. It doesn't seem to be possible to undecorate the window as it is in Openbox.


Here's another theme, my own modification of the Axiom theme, going for a Gnome 3/Adwaita look, but without any extra theme engine dependencies- this is supposed to be a light desktop.


Unlike Gnome 3, menu driven of course.


A full screen application again.


I've kept the notification area in these screenshots very minimal, but it is possible to put just about anything you'd want there: weather, email notification, kitchen sink...

In summary, XFCE is a great desktop for slightly older computers, or computer users who prefer a slightly older paradigm. With a bit of effort, it's possible to give it a more modern look and feel.

The only drawback to mention is a fairly serious bug which prevents removable media like USB drives being mounted, and the computer being shutdown normally. With Wheezy coming up to release soon, this bug will have to be fixed, so if you're thinking of installing, it might be worth waiting for a few months.

UPDATE: I found a solution to the above problem.

Monday, January 7, 2013

A look at KDE in Debian Wheezy

I don't think anybody who likes the minimalism of Gnome is going to feel entirely at home in the configuration heaven of KDE, and the other way round. However, this is a matter of taste: I prefer Gnome's minimalism, but if you enjoy configuration options, you'll enjoy KDE. I've been trying the latest Debian beta version from a Debian Wheezy Live USB available now.

The last time I tried KDE, the Task Manager icon previews were not working with my graphics card; now they are. This was the main feature I wanted to take a look at.

I've been using Windows 7 quite a bit recently, and the similarity is obvious. In KDE the default setting is not to group windows, but this can easily be more changed. I like this way of switching between windows. The GIMP's modal windows don't behave well with Task Manger- they go off and do their own thing, which is annoying, but Libre Office behaves well.


The main menu will also be familiar to Windows users.


The default theme looks good, although Iceweasel need the Oxygen theme to blend in.


This is certainly a desktop I could live with. It will appeal to anybody familiar with Windows 7, as well as Linux users looking for a very configurable desktop.

I have to say, it doesn't seem like a very lightweight desktop environment. I can run a Live USB session of Crunchbang and hardly notice I'm not running from the hard drive, but with KDE the laptop fan was blowing frequently, and the computer locked up a couple of times. I don't know what it would be like installed, but I suspect not too zippy on this laptop's meager 1G of RAM; should be fine on more modern machines.

A more lightweight desktop for older machines (perhaps more appropriate for this computer) is XFCE. I've been using the Squeeze Live USB recently and have just downloaded the Wheezy version, which I'll be comparing and reviewing tomorrow.

Thursday, January 3, 2013

Meanwhile, in Windows land...

"Vulnerability in Internet Explorer Could Allow Remote Code Execution."

"Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8."

Microsoft Security Advisory (2794220)

I noticed this story on KrebsonSecurity, which has more details of the nature of the targeted attack:
...this is another example of a “watering hole” attack, which involves the targeted compromise of legitimate websites thought to be of interest to or frequented by end users who belong to organizations that attackers wish to infiltrate.
Users of affected Windows software are advised to run along and get the fix. Off you go. Now.

Desktop Linux users can put the previous story in context.

Update: The fix has been bypassed. Windows users with a fully patched system are at risk.

Trojan Horse for Linux?

I came across this post on the avast! forum recently. Trojan Horse for Linux, it declares. OK, it's Symantec that called it a Trojan Horse, but wrong: it's a malicious Apache Module.

Yes, Linux malware does exist. Who should be worried? In this case, administrators of Linux servers, as the attack vector of this malware is unknown, and it seems to have been placed on servers with good security.

This is not a Trojan Horse that desktop users of Linux are going to have to worry about downloading from the internet.

I recently wrote that Desktop Linux needs anti-virus like a fish needs a bicycle. I'm glad I put that "Desktop" in there. Virus programs like Symantec and ESET do detect this malware. This VirusTotal result I found suggested that the detection rate among anti-virus programs is pretty good. An anti-virus scan of a server may pick up a hack like this.

But I'm writing for users of Desktop Linux. The existence of a targeted hack against Linux servers or the existence of Linux malware on servers is not reason for desktop Linux users to worry.

When it is time to worry, you'll read it here.

MP4 video doesn't play in Totem on Debian Wheezy

This is an issue I noted when I first tried Debian Wheezy. Tonight my daughter was fixated on watching "Five Little Monkeys", which of course just happened to be an MP4 file. Totem wouldn't play it. I downloaded VLC and that would, but later I decided to see if I could track down the problem.

I found this post on the Ubuntu forum pointing to a Launchpad bug: it seems the problem has been fixed in Ubuntu. I don't know how quickly bug fixes make their way from Ubuntu to Debian, but at least there are some workarounds available: the easiest one obviously being to install VLC.


Wednesday, January 2, 2013

Static IP address in Gnome on Debian Wheezy

DHCP makes connecting to a router easy, but it does have drawbacks. I have the router set up with port forwarding for Transmission, Amule and now Skype, which I recently installed. I was trying to connect with Skype the other day but couldn't. Later I remembered that my brother had visited recently and used his iPhone and laptop on the network, and my computer's IP address had changed. I don't know for sure if this is why Skype didn't work, but I think it might be.

My printer has had a static IP address for a while now, so I thought it was time to move the wired laptop connection to a static IP address. Network Manager makes it easy: change the connection method to manual and enter the address, netmask and gateway (the router address). The static IP address has to be outside the DHCP "pool". (The pool range and netmask address should be available by accessing the router configuration page.)


I made the changes, and Network Manager established a new connection, using the existing DNS address, previously forwarded to Network Manager by DHCP: 8.8.8.8- the Google DNS server.

Everything  seemed to work fine. I could view web pages. But then web pages stopped loaded with a "Looking up..." notification, which suggested a DNS problem to me. Rebooting the router fixed the problem for a few minutes, then it started again.

In the end I found a solution, as visible in the screenshot above: I set the DNS address to the router address, and DNS requests are handled by the router. I have no idea why DNS server addresses in Network Manager don't work for me, or rather why they work for a short time, then stop working. I've been looking for an answer all day, but haven't found one, so maybe a kind reader (if I have one) who knows the reason will leave a comment.