Information Security

Posted on August 14, 2008
Filed Under Corporations' security, Security and Development | Leave a Comment

The international standard ISO/IEC 17799 (Code of practice for information security management) defines information security as follows:

Information is an asset that, like other important business assets, is essential to an organization’s
business and consequently needs to be suitably protected. This is especially important in the
increasingly interconnected business environment. As a result of this increasing interconnectivity,
information is now exposed to a growing number and a wider variety of threats and vulnerabilities
(see also OECD Guidelines for the Security of Information Systems and Networks).

Information can exist in many forms. It can be printed or written on paper, stored electronically,
transmitted by post or by using electronic means, shown on films, or spoken in conversation.
Whatever form the information takes, or means by which it is shared or stored, it should always be
appropriately protected.

The security of information here is characterized as the preservation of:
a) confidentiality: ensuring that information is accessible only to those authorized to have access;
b) integrity: safeguarding the accuracy and completeness of the information and methods of processing;
c) availability: ensuring that authorized users have access to information and active members when necessary.

Based on the text above, I am starting an open source project that aims to meet items "a" and "c" for information stored electronically. What I believe sets it apart from existing solutions is the challenge of providing open source access control for enterprise environments, supporting various legacy technologies and easing the work of everyone from the developer to the systems administrator.
I will keep the blog updated with the project's releases.

Arnaldo Nascimento.

Grails and Netbeans 6.5 M1

Posted on July 21, 2008
Filed Under java | Leave a Comment

I created this video based on Geertjan's blog post, Grails: This Time With Tools, to show fast CRUD creation with NetBeans 6.5 M1 and Grails. You can download the original file at Grails and NetBeans.

Security management in Apache Tomcat (Analysis)

Posted on July 16, 2008
Filed Under Security and Development | Leave a Comment

This is the first post of a series about access control frameworks.
I'd like to start with Tomcat's "container managed security".
I do not want to go into configuration details; I will keep the focus on other aspects, such as manageability. I used version 6.0 for reference.

Before starting, I would like to open a parenthesis.

Some people refer to access control software as "security software"; Apache Tomcat does this by calling its access control feature "container managed security". I personally think it is more correct to say "container managed access control", because the word "security" makes me think of something well beyond simply authenticating, authorizing and encrypting passwords.

Well, let's start with Realms. What does the term Realm mean in the context of Tomcat?
A Realm is a database of users, passwords and roles.
Access control systems may include credentials more sophisticated than username/password to validate a user.
A role groups the resources that an authorized user can access in a web application, and a user can be associated with various roles.

Here is an important resource provided by Tomcat, the interface org.apache.catalina.Realm.

The Servlet specification describes a mechanism for portable applications to declare their security requirements (in the web.xml descriptor).
Poor! Imagine managing access control in a system with 1,000 users associated with various roles in a company, or users who register dynamically through a public web form and must be added to groups and roles, etc. Poor manageability :(

But there are 6 implementations of the Realm interface that can minimize or even solve the management problem.

To access the authentication and authorization credentials in a relational database:
the JDBCRealm implementation

To access the authentication and authorization credentials through a DataSource:
the DataSourceRealm implementation

To access the authentication and authorization credentials through LDAP:
the JNDIRealm implementation

To access the authentication and authorization credentials stored in memory (initialized from an XML file, for example):
the MemoryRealm implementation

And finally, to access the authentication and authorization credentials through JAAS:
the JAASRealm implementation

JAAS will be the subject of a future post.

I particularly think that the database solution can solve the manageability problem, by allowing new roles and user associations to be created without having to restart the server and without editing XML files, for example.

NOTE! Increasing ease of management can cause other problems, such as keeping role changes in sync with logged-in users. For example, if you remove a role or remove a resource from a role, this change will only take effect when the user logs in again. There are environments where this is unwanted or unacceptable. But this is not a problem specific to JDBCRealm or DataSourceRealm.
(FORM-based authentication and BASIC authentication have the same problem.)

You can create your own implementation of Realm.

I do not know why, but the standard Realm implementations store passwords in PLAIN TEXT :( Fortunately you can use the class org.apache.catalina.realm.RealmBase to digest (hash) the passwords using the supported algorithms: SHA, MD2 or MD5.
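As an added example (not Tomcat's code and not from the original post), here is a minimal custom Realm for Tomcat 6 that brings together the two points above: users and roles that can be changed at runtime without a restart, and stored credentials that are digests rather than plain text. It assumes the Tomcat 6 signatures of RealmBase and GenericPrincipal, a hypothetical package name, and that the Realm is wired in with an element such as <Realm className="example.RuntimeRealm" digest="SHA"/>.

```java
package example; // hypothetical package, not from the post

import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/**
 * Custom Realm built on RealmBase (Tomcat 6 API). Accounts live in a map that
 * can be changed while the server runs, standing in for the JDBC/DataSource
 * backends, and every stored credential is the digest produced by the
 * algorithm named in the Realm's digest attribute. RealmBase.authenticate()
 * digests the submitted password the same way and compares it with
 * getPassword(), so plain text never reaches this class's storage.
 */
public class RuntimeRealm extends RealmBase {

    private static final class Account {
        final String digestedPassword;
        final List<String> roles;

        Account(String digestedPassword, List<String> roles) {
            this.digestedPassword = digestedPassword;
            this.roles = roles;
        }
    }

    private final Map<String, Account> accounts = new ConcurrentHashMap<String, Account>();

    /** Adds or replaces a user at runtime; call only after the Realm has started. */
    public void putUser(String username, String clearPassword, String... roles) {
        List<String> roleList = new ArrayList<String>();
        for (String role : roles) {
            roleList.add(role);
        }
        // RealmBase.digest() applies the configured algorithm (e.g. digest="SHA")
        accounts.put(username, new Account(digest(clearPassword), roleList));
    }

    /** Removes a user; sessions that already hold a Principal are not affected. */
    public void removeUser(String username) {
        accounts.remove(username);
    }

    @Override
    protected String getName() {
        return "RuntimeRealm";
    }

    /** Value RealmBase compares with the digest of the submitted password. */
    @Override
    protected String getPassword(String username) {
        Account account = accounts.get(username);
        return account == null ? null : account.digestedPassword;
    }

    /** Principal handed to the container after a successful comparison. */
    @Override
    protected Principal getPrincipal(String username) {
        Account account = accounts.get(username);
        if (account == null) {
            return null;
        }
        return new GenericPrincipal(this, username, account.digestedPassword, account.roles);
    }
}
```

Two caveats: the digest attribute applies a single unsalted hash, so it limits exposure if the store leaks but is weaker than a salted, iterated scheme; and, as the NOTE above says, removing a user here does not end a session that already holds its Principal.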

Conclusion
Small applications with a few users can use the Apache Tomcat access control feature, but if you want something that serves a larger number of users and devices you need to implement the interface org.apache.catalina.Realm and also use a smart (web or desktop) client for access management.

Arnaldo Nascimento.

The Active Record pattern

Posted on July 8, 2008
Filed Under Patterns | Leave a Comment

When I was introduced to the ActiveRecord pattern by my colleague Leonardo Borges, we began to discuss its implementation in Java.

Indeed this pattern is quite simple, and I previously used a slightly more complex set of patterns (DTO or VO + Business Object + DAO) to do the same thing.

That was the Anemic Domain Model, where my objects are just data structures without behaviour and delegate their rules to other objects, and so on...

Well, the problem: I wanted static methods so that I could write something like:

Collection countriesOrderedByName = Country.findAll("name");

This obliges me to have a static DAO. And according to a simple model that I made, it meant that a single DAO should take into account the whole range of subclasses of my system, carrying within it all the "custom" queries (those that were not purely INSERT, DELETE, UPDATE).

Put all these queries in a single DAO? NO!! There are ways to resolve this, and I chose to keep the initial idea, but in a way that I believe is elegant.

The findByQueryName method

By using JPA and its annotations (@NamedQueries and @NamedQuery), I can organize my queries in their proper objects and so have my static find methods.

Below is a summary of the final code:

// Each class below lives in its own file. The JPA annotations are brought in
// with single-type imports so that Bairro's @Entity refers to
// javax.persistence.Entity and not to this base class.
public class Entity implements java.io.Serializable {

}

import java.util.Collection;
import java.util.HashMap;

public class ActiveRecord extends Entity {

    // One DAO shared by every entity, configured once from the persistence unit
    protected static DAO dao;

    static {
        HashMap params = new HashMap();
        params.put(JPADAO.UNIT_NAME, "JavaSismatPU");
        dao = new JPADAO();
        dao.init(params);
    }

    public static ActiveRecord findByPrimaryKey(ActiveRecord record) throws DAOException {
        return (ActiveRecord) dao.findByPrimaryKey(record);
    }

    public void update() throws DAOException {
        dao.update(this);
    }

    public void remove() throws DAOException {
        dao.delete(this);
    }

    public void save() throws DAOException {
        dao.insert(this);
    }

    public void refresh() throws DAOException {
        dao.refresh(this);
    }

    // Runs a @NamedQuery declared on the entity, e.g. "Bairro.findAll"
    public static Collection findByQueryName(String name, Object[] params) throws DAOException {
        return dao.findByQueryName(name, params);
    }
}

import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.FetchType;
import javax.persistence.Id;
import javax.persistence.JoinColumn;
import javax.persistence.ManyToOne;
import javax.persistence.NamedQueries;
import javax.persistence.NamedQuery;
import javax.persistence.Table;

@Entity
@Table(name = "bairro")
@NamedQueries({@NamedQuery(name = "Bairro.findAll", query = "SELECT b FROM Bairro b ORDER BY b.descricao")})
public class Bairro extends ActiveRecord {

    private static final long serialVersionUID = 1L;

    @Id
    @Column(name = "bairro_codigo", nullable = false)
    private Integer bairroCodigo;

    @ManyToOne(fetch = FetchType.LAZY)
    @JoinColumn(referencedColumnName = "localidade_codigo", name = "bairo_localidade_codigo", nullable = false)
    private Localidade localidade;

    @Column(name = "bairro_descricao")
    private String descricao;

    @Column(name = "bairro_abreviado")
    private String abreviado;

    @Column(name = "bairro_uf_sigla")
    private String uf;

    public Bairro() {

    }

    public Bairro(Integer bairroCodigo) {
        this.bairroCodigo = bairroCodigo;
    }

    public Bairro(Integer bairroCodigo, Localidade localidade) {
        this.bairroCodigo = bairroCodigo;
        this.localidade = localidade;
    }

    public Integer getBairroCodigo() {
        return bairroCodigo;
    }

    public void setBairroCodigo(Integer bairroCodigo) {
        this.bairroCodigo = bairroCodigo;
    }

    public Localidade getLocalidade() {
        return localidade;
    }

    public void setLocalidade(Localidade localidade) {
        this.localidade = localidade;
    }

}
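The post shows the calls into the DAO but not the DAO itself. As an added example (not the post's own code), this is the part of JPADAO that ActiveRecord relies on: findByQueryName resolves the @NamedQuery declared on the entity and binds the caller's values as positional parameters, so no value is ever concatenated into the JPQL string. It assumes a DAOException of the shape the post references and omits the DAO interface that the post's ActiveRecord field is declared with.

```java
import java.util.Collection;
import java.util.Map;
import javax.persistence.EntityManager;
import javax.persistence.EntityManagerFactory;
import javax.persistence.EntityTransaction;
import javax.persistence.Persistence;
import javax.persistence.Query;

/** Stand-in for the post's DAOException, which it references but does not show. */
class DAOException extends Exception {
    private static final long serialVersionUID = 1L;

    DAOException(Throwable cause) {
        super(cause);
    }
}

/**
 * The JPA-backed DAO behind ActiveRecord. Only UNIT_NAME, init,
 * findByQueryName and insert are shown; the other methods the post calls
 * (update, delete, refresh, findByPrimaryKey) follow the same pattern.
 */
public class JPADAO {

    public static final String UNIT_NAME = "unitName";

    private EntityManagerFactory emf;

    public void init(Map<?, ?> params) {
        emf = Persistence.createEntityManagerFactory((String) params.get(UNIT_NAME));
    }

    /** Runs a named query such as "Bairro.findAll"; params[0] binds to ?1, params[1] to ?2, ... */
    public Collection<?> findByQueryName(String name, Object[] params) throws DAOException {
        EntityManager em = emf.createEntityManager();
        try {
            Query query = em.createNamedQuery(name);
            if (params != null) {
                for (int i = 0; i < params.length; i++) {
                    query.setParameter(i + 1, params[i]); // JPA positional parameters are 1-based
                }
            }
            return query.getResultList();
        } catch (RuntimeException e) {
            throw new DAOException(e);
        } finally {
            em.close();
        }
    }

    /** Persists a new entity inside its own transaction. */
    public void insert(Object entity) throws DAOException {
        EntityManager em = emf.createEntityManager();
        EntityTransaction tx = em.getTransaction();
        try {
            tx.begin();
            em.persist(entity);
            tx.commit();
        } catch (RuntimeException e) {
            if (tx.isActive()) {
                tx.rollback();
            }
            throw new DAOException(e);
        } finally {
            em.close();
        }
    }
}
```

With this in place, Bairro.findByQueryName("Bairro.findAll", null) returns the rows ordered by descricao exactly as the entity's @NamedQuery states.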

Conclusion

My class Bairro now knows how to persist itself and how to be found, and any business methods (Bairro was not a happy example) are accessible directly on it.

Something like: ((Bairro) Bairro.findByPrimaryKey(new Bairro(1))).getTotalDeLogradouros();

This eliminates the need to create DAOs specific to each entity and classes (BusinessObjects) to represent their behaviour. ;-)

Domain Specific Languages (Introduction)

Posted on July 7, 2008
Filed Under System's architecture | Leave a Comment

I would like to start this post by writing about a DSL workshop that I saw on InfoQ. It's a very interesting workshop with Martin Fowler, based on the article Language Workbenches: The Killer-App for Domain Specific Languages.

Martin Fowler starts the workshop by explaining a style of programming (Language Oriented Programming): it refers to building systems through multiple Domain Specific Languages, each designed for a specific kind of problem.

DSL examples:

In his example, Martin Fowler develops a language without regard for general use: a language without the ability to express conditions, loops or any of the usual features we know from programming languages, but a language meant to solve one particular problem.
The goal is to extract excerpts defined on different lines of a file and transform them into objects. (Focus on a particular goal.)

Martin Fowler also made two important observations about DSLs:

- DSLs are often (but not necessarily) simple.

- DSLs are not meant to describe an entire system, because they are limited and must be combined with other languages.

The construction of a DSL can be divided into 2 styles.

External DSLs:

- Do not depend on a general purpose language (which we call the host language - Java, C#...), but need a compiler or an interpreter to run.

Internal DSLs:

- Are written in the body of a host language (Ruby, Lisp...)

- Use a subset of the host language's syntax by convention

Both styles have advantages and disadvantages. One of the disadvantages of building internal DSLs is that the host language imposes its own limitations on the construction of the DSL. These limitations vary with the host language (Ruby, Lisp...).

As for external DSLs:

- Difficulty of integration with the main language;

- They need complex code or generators;

- Difficulty of integration with IDEs (debugging, code completion);


Now the natural question: Do I need to learn 15 languages (DSLs) for one system rather than having to know only one (Java, for example)?

Language cacophony

The answer to this question refers to the problem called language cacophony, which Martin Fowler made a point of addressing in a different way, not necessarily as a disadvantage.

If we develop a complete system in a language like Java, we do not need to learn 10 or 15 DSLs, but we still have to learn about 10 or 15 APIs scattered across the libraries we use. The difference in complexity between using a DSL and a custom API is the difference between a language and a custom API. Indeed there is a big difference: the point is that a language often simplifies a custom API, making a DSL an alternative that eases the understanding of a complex API. In practice, this is not enough to be a problem, because we find the same situation when using APIs.

Personally, I (Arnaldo) do not like to use a lot of XML and properties files. Several files, each with its own format, tags and rules. There are initiatives that seek to get around this, but they may also cause confusion. This is the case with Annotations.

A DSL in natural language can be a powerful mechanism to replace all these other "DSLs" being created in XML, for example.

Another use that I can see is the generation of code from rules set out in a language understood by the end user.

Martin Fowler

Martin Fowler is Chief Scientist at ThoughtWorks.

www.martinfowler.com

Ruby on Rails Pagination

Posted on July 4, 2008
Filed Under Ruby on Rails | Leave a Comment

I am migrating an application from Java to Ruby. I'm using NetBeans 6.1 as IDE. Well... after running scaffold I realized that it does not create the pagination layout automatically. I did the tests here and I will share the results:

After searching the net, I came to the plugin will_paginate 2.2.2. I installed the gem from inside NetBeans, but it can also be installed with the command:

gem install mislav-will_paginate

To enable it in your Rails project, put this in config/environment.rb:

Rails::Initializer.run do |config|
  # your existing configuration
end
require 'will_paginate'

Do not put it before or within the Rails::Initializer block, because the Rails framework will not load it.

Having done this, change the controller as in the example below:

class PostsController < ApplicationController
  # GET /posts
  # GET /posts.xml
  def index
    # @posts = Post.find(:all)
    @posts = Post.paginate(:all, :page => params[:page], :per_page => 10)

    respond_to do |format|
      format.html # index.html.erb
      format.xml  { render :xml => @posts }
    end
  end
end

and in the view:

<% for post in @posts %>

##############

<% end %>
# Render the pagination links with the line below

<%= will_paginate @posts %>

Oh! And in the model set the per_page method:

class Post < ActiveRecord::Base
  def self.per_page
    50
  end
end

NOTE: will_paginate already sets a default value of 30.

Well, one important tip is that by doing this in NetBeans 6.1 I got an error that, after a veeerrry long search, I discovered in a post by the creator of will_paginate is a bug in JRuby. To prove it I swapped NetBeans's Ruby platform from JRuby 1.1 to Ruby 1.8.6-p111 and the problem really disappeared.

The full documentation on will_paginate can be found at http://rock.errtheblog.com/will_paginate

Regards!

Safe Room (interview)

Posted on July 2, 2008
Filed Under Security and Development | Leave a Comment

A Safe Room is a fortified room that can be installed in a residence or a company, providing a place protected from invasions and other threats. In the IT world a safe room usually contains equipment such as servers, databases, application servers, private keys, etc.

To learn more about the matter, I interviewed Mr. Carlos Dumard, who participated in the deployment of a Safe Room in an important Brazilian government institution. The interview follows:

Mr. Carlos, what motivated the safe room initiative?

We were looking for greater reliability in providing the services, so we had the following requirements:
– An environment with physical access controlled by biometrics and cameras, resistant to bullets and to possible water leaks, trying to avoid any manual interruption, loss of reliability of information or interruption of services.
– An environment with a reliable primary and secondary energy supply, so we opted for a bank of UPSs and a generator with an operating time limit.
– Improved efficiency in cooling the machines, using a layout of hot and cold air corridors for a more efficient heat exchange.

What security features of the safe room met the institution's business needs?

– Physical access controlled by biometrics and password
– Access filmed 24 x 7
– Sealed room, resistant to water and fire
– Walls thick enough to resist Magnum bullets of up to .44 and small explosions
– Redundant and diverse energy supplies, with UPS and generator

And what was the construction time of this room?

The installation time for the room to be fully operational was on average 2 months.

What difficulties were encountered in implementing the project?

We encountered problems that could be worked around: as the building's ceiling height was 3 meters, we had to opt for a cooling system that blew air into the space between 4 racks, that is, 4 racks and a blower unit, then 4 more racks and another air unit, and not below the floor or above the racks as usual.

What results were expected?

High availability and greater reliability in the services provided.

Was there training?

Yes.

How was it?

The training was limited to the use of the safe room's resources, such as firefighting, gas, access control and energy control, the latter covering the UPS and generator.

Were procedures defined for password release, entry and exit procedures, and procedures for recovery in case of disaster?

The provision of passwords, methods and standards is the customer's responsibility, as is the permissioning of the people who may or may not enter the room.

The disaster and data recovery training covers cases where there is fire, pollution by gases that can affect the equipment or people, flooding and possible bad weather, but it is always recommended that the fire brigade be called in any case; that is, in case of fire the FM200 gas is released, which cools the environment and breaks the triangle of elements that spread the flames, and the fire brigade is called. In the case of energy, identify the UPS kicking in or let the electrical maintenance team handle the event, but all these teams can be notified by sensors installed in the room.

Well, I hope this interview enriches your knowledge of the physical security of assets, as it enriched mine, and I thank Mr. Carlos for his attention.

The Session Hijacking Attack

Posted on June 26, 2008
Filed Under Security and Development | Leave a Comment

I would like to start the "Security and Development" category by talking about an old, well-known attack named Session Hijacking. This kind of attack refers to capturing a valid server session ID and using it to obtain unauthorized access to a system's services. All protocols that use a key to maintain state between two computers are vulnerable. In this post, I will talk about web attacks over the HTTP protocol.

Analysis
In websites that allow account management, access to confidential data, e-mail, etc., an identifier (user ID) and a password are required to authenticate the user. Stateless protocols like HTTP use session cookies as identification tokens.
When authenticated, the user's web browser receives a cookie that contains a unique ID. This ID is resubmitted to the server on every request to the system's services. The cookie is the key that identifies the user and allows access to the system's services.

The attack
The attack occurs when the cookie is captured by the attacker. The attacker can now use the cookie to make requests to the system.
There are many capture techniques: session fixation, cross-site scripting... But it is very common to use a network sniffer to read HTTP headers containing the cookie information.
Many servers use SSL only for login, exposing the cookies after the user's authentication.

Preventing the attack

* Long session IDs can be generated randomly so that the attacker cannot obtain them by a "brute-force" attack.
* Encryption. This is the best way to prevent a sniffer attack.
* Storing client information in the server session, to do a second check per request*
* Another technique is to regenerate the session ID on every request, but this may cause some problems during browser navigation.
* Regenerating the session ID after user authentication can prevent the cookie from being captured by a session fixation attack.

* Storing client information and second check

Java

Authentication:

if (checkAuthentication(request.getParameter("usr"), request.getParameter("pass"))) {
    HttpSession session = request.getSession();
    session.setAttribute(Consts.AUTHENTICATED, Boolean.TRUE);
    // Client's remote address
    session.setAttribute(Consts.IP_ADDRESS, request.getRemoteAddr());
    // OS and browser version information
    session.setAttribute(Consts.USER_AGENT, request.getHeader("user-agent"));
}

Request validation:

boolean authenticated = false;
HttpSession _session = request.getSession(false);
// Is the requested session ID valid on the server?
if (_session != null && request.isRequestedSessionIdValid()) {
    // Authenticated client?
    if (_session.getAttribute(Consts.AUTHENTICATED) != null) {
        // Second check: same address and same browser as at login
        if (request.getRemoteAddr().equals(_session.getAttribute(Consts.IP_ADDRESS))) {
            String userAgent = request.getHeader("user-agent"); // may be absent
            authenticated = userAgent != null
                    && userAgent.equals(_session.getAttribute(Consts.USER_AGENT));
        }
    }
}
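The last prevention item above, regenerating the session ID after authentication, combined with the second check's stored client data, as an added example that is not part of the original post. It assumes the Servlet 2.5 API shipped with Tomcat 6, a hypothetical package name, and the post's Consts class with its three attribute names.

```java
package example; // hypothetical package, not from the post

import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Gives the client a fresh session ID once its credentials are verified, so
 * that an ID fixed or sniffed during the anonymous phase no longer maps to the
 * authenticated session, and then records the data used by the second check.
 */
public final class LoginSession {

    private LoginSession() { }

    /** Invalidates the pre-login session and copies its attributes into a new one. */
    public static HttpSession regenerate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate(); // the old ID stops being valid on the server
        }
        HttpSession fresh = request.getSession(true); // container issues a new random ID
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }

    /** Call right after checkAuthentication() succeeds, instead of reusing the old session. */
    public static HttpSession login(HttpServletRequest request) {
        HttpSession session = regenerate(request);
        session.setAttribute(Consts.AUTHENTICATED, Boolean.TRUE);
        session.setAttribute(Consts.IP_ADDRESS, request.getRemoteAddr());
        String userAgent = request.getHeader("user-agent"); // header may be absent
        session.setAttribute(Consts.USER_AGENT, userAgent == null ? "" : userAgent);
        return session;
    }
}
```

One caveat for the second check itself: the address comparison rejects legitimate users whose IP changes mid-session (mobile networks, proxies), so the user-agent comparison is the more tolerant of the two and the address check is best treated as a policy choice per environment.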

Peer-to-peer networks and corporations’ security

Posted on June 24, 2008
Filed Under Corporations' security | Leave a Comment

17,000 records. This is the amount of confidential data about employees of a big pharmaceutical company that was leaked onto a P2P network. An employee's wife used a company laptop to download files with P2P software. She could not see it, but 2,300 files were exposed, including the employees' confidential file.

It's not an isolated case. Last year, a spreadsheet was leaked with account information of 5,000 clients of a big banking group. The data was exposed by an ex-employee while using the P2P software BearShare at home.

The Dartmouth College study identified an increase in the use of P2P networks.
P2P networks can be useful when used with care.
Some clients and protocols with centralized servers may be less dangerous.

Recommendations of the Dartmouth study for IT departments