Coding of Admin-Guest login section in an OS - linux

I developed an authentication algorithm for user authentication as part of my master's thesis and implemented it in PHP. I want to know how I can implement the algorithm for operating system login, and in which language (for Linux). Also, where will the code reside? It will not be click-and-run code; it will load automatically when the OS starts.
Thank you and I hope no down vote in haste.

PAM is the Pluggable Authentication Modules used in Linux. There is extensive documentation on writing new modules.


How to launch a mainframe application from lean FT

New process builder concept or terminal emulator. Which one is to be used here?
I believe Ayushi means LeanFT. LeanFT is a functional testing tool that used to be part of HP Enterprise's test tools product set that was sold to Micro Focus in 2017. Micro Focus renamed the product "UFT Developer."
"How to launch a mainframe application" is ambiguous, though. Mainframes are sophisticated, robust, high throughput servers that run a variety of operating systems and practically any/every application you can imagine. I'll attempt an answer, though.
If the application runs on z/OS, z/VSE, z/TPF, or z/VM CMS, if the application only (or predominantly) offers a "3270" terminal-oriented user interface, and if test user access authentication and authorization is permitted, then the application can be launched from Micro Focus UFT Developer via its terminal emulator functionality. Unfortunately this feature only works on UFT Developer for Windows. Documentation is available here:
https://admhelp.microfocus.com/uftdev/en/15.0/HelpCenter/Content/HowTo/TE_Addin_Overview.htm
This feature also evidently works with the previous version (LeanFT Version 14 for Windows). Please note that a 3270 terminal emulator for Windows will also be required since this UFT Developer feature uses "HLLAPI," an API that IBM introduced many years ago that many 3270 terminal emulators provide. The documentation describes several choices, such as IBM Personal Communications (i.e. the IBM Host Access Client Package). I strongly recommend configuring and using a TLS encrypted TN3270E connection as a basic security precaution.
That's certainly not the only way to "launch a mainframe application" and may not even be applicable, as mentioned above. As another example, z/OS includes the z/OS Management Facility (z/OSMF). z/OSMF provides an authorized jobs interface, a set of REST APIs that can accept job submissions (i.e. launch applications). As yet another example, mainframes run Linux (extremely well), so any/all application launching techniques that work with Linux also work with Linux on mainframes.

LDAP Authorization for Node.JS in Windows

I'm trying to build a Node.JS project that takes advantage of LDAP authorization so that existing user authentication information can be used. The catch is that all our machines are Windows machines. All the solutions I've found so far (node-LDAP, ldapjs, ldapauth, etc) are built for Linux, and npm install [some_package] fails on Windows. More scrounging yielded complicated solutions or required building Node.JS packages from Python/C++ source locally, which starts getting messy and leads to dependency hell, as in this solution:
http://tochedev.blogspot.be/2012/07/i-wanted-to-add-ldapjs-to-my-windows.html
Kudos to the author for putting that effort in and publishing his path to success but if that level of complexity is required in dependency, then the solution isn't appropriate for my application.
That leaves me with limited options: redesign architecture around a Linux VM just so I can have LDAP authentication, which isn't much simpler than the linked solution above; abandon entire Node.JS project and do everything in another language just to support LDAP; dive into dependency hell just so I can have LDAP authentication; give up on LDAP authentication. I would love there to be a fourth option, a straightforward method of LDAP authentication in Node.JS for Windows, but I haven't found one so far. Now I've spent enough time searching that I'm ready to beg for help.
Sorry if this question is on the wrong StackExchange, I'll repost if necessary, didn't know exactly where it fit.
In my experience, there aren't a lot of good ldap tools for node (period). One of the alternatives is using something like Stormpath to handle this. Basically, you'd have to create a Stormpath account, run their LDAP agent, and they'll basically sync your LDAP accounts into their REST API which you can then access via their Node libraries.
This is a nice way to do it as you can interact with the LDAP accounts using a simple Node library, without needing to talk to your LDAP server directly.

Remote Attestation for Windows

I am building a distributed application in which the software is installed by my company on our customer's hardware. The customer can therefore tamper with the software. I would like to know if a technique exists so that when the software running on customer hardware makes a web request to our central server (i.e. totally under our control), we can validate that the request is coming from an untampered version of our software.
I believe that this is referred to as "remote attestation." Web searches about remote attestation return a variety of results, from "it is not possible" to "use the TPM". But I have not been able to find a simple to understand example of how to code this in Windows.
So, my question is: Is remote attestation possible in Windows, and if so, is there a working example that I can use as the basis for implementation?
Note: Remote attestation is sometimes achieved through "obscuration" techniques such as embedding a "shared secret" into the application and then obscuring it in various ways to try and ensure that an attacker cannot easily extract that shared secret through de-compiling etc. I am not interested in such techniques and am looking for something that provides real security not security through obscurity.
In order to attest a system you need 2 things:
A chain of trust from a root of trust up to every executed code and
Means to interpret and verify the obtained measurements on your server.
When using Windows you have neither.
Currently not even Windows itself is aware of its state. However, that improved in Windows 8. Now you have measurements of the boot loader and drivers at least. But nothing that extends to user code.

What's the "gadget vulnerability"?

In a recent security advisory, Microsoft warns that "Vulnerabilities in Gadgets Could Allow Remote Code Execution":
An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user.
(Microsoft Security Advisory 2719662)
I don't really understand the point. As far as I know, gadgets are (by design) HTML-based applications running with full trust!
Full Trust
The choice to run a gadget is presented to the user in the same way that the choice to run any application downloaded from the Internet is presented. Information about the author of the gadget is displayed in a dialog box that indicates there is risk associated with this file. After the user accepts the warning, the gadget will run with all of the permissions associated with the user's login account.
(MSDN: Gadgets for Windows Sidebar Security)
For example, nothing prevents you from adding
<script language="VBScript">
Set shell = CreateObject("Wscript.Shell")
shell.Run "notepad.exe"
</script>
and executing arbitrary commands from your gadget. This works and it's by design.
Obviously, they can do everything that another application running in the local user's context can do. So, where is the vulnerability the MS Security Advisory is mentioning which "can be exploited"?
Well the "gadget vulnerability" is the problem that:
the risks that gadgets are exposed to are the same as those faced by any web-based application, e.g. Man-In-The-Middle or code injection. Similar issues existed in earlier versions of most web browsers but modern browsers have specifically implemented controls to attempt to mitigate many of these issues. These controls have not been implemented in the Gadgets platform, leaving them vulnerable to well-known and thoroughly discussed attacks.
- We have you by the gadgets, black hat.
so you can see the main exploit is that there were no controls to limit the gadgets from running code with no restraint.
Another problem:
Microsoft has said that it has discovered that some Vista and Win7 gadgets don't adhere to secure coding practices and should be regarded as causing risk to the systems on which they're run.
so indeed running arbitrary code is part of HTAs, but because the sidebar and gadgets platform didn't mitigate it and were quite pessimistic, thinking that all gadget programmers would write safe code and wouldn't try to exploit or do things gadgets aren't supposed to do.
Hope it answered what you asked.
I still think the question is quite vague because you say: well they allow to run arbitrary code and it's part of the model and concept and they didn't mitigate it so what's the exploit? it's already exploited... - this is the whole idea :)
It can be asked about every flaw and attack, and that's exactly the problem: it was by design a problem and wasn't secure. It was discovered that, since there is no mitigation and since you are really able to run and execute the malicious code with no problem, these gadgets have a flaw.
Agreed, the Gadgets platform appears to be no more or less vulnerable than if the user executed an unsigned application.
Why the same system-level execution prevention, heuristic analysis & other methods applied to applications could not be applied to Gadgets is mystifying to me.
This smacks of laziness on the part of Microsoft: The Gadgets platform was not highly regarded or widely used (despite the potential of delivering an unprecedented level of capability and integration of web-features directly into the desktop), so rather than make any attempt whatsoever to safeguard the user from malicious Gadgets, they simply discontinued them.
With the direction the User Interfaces in Windows, Mac and Android are headed, the average user has less and less idea how an app (or plugin) actually does what it is doing, so the proliferation of needless, opportunistic or even malicious apps continues. I've been back and forth over the Gadgets specification, and as near as I can tell, it is no more insecure than the plugins system used by Chrome and FireFox.
Execution of ActiveX and Java within a Gadget is subject to the Security settings in Internet Explorer. If your security settings allow a Gadget to do something, most of those functions are exploitable within a plugin or Java app as well.
The analyst reports I've read indicate that these vulnerabilities have been patched in "most modern browsers" but that clearly isn't true of Internet Explorer, as every Gadget exploit I've seen can also be run within the IE browser.
In short it is the "toggle-switch" style handling of ActiveX, Java and other plugins which is at fault here. By trying to spare the user endless prompting and eliminating the requirement of making an informed decision, Microsoft continues to leave uninformed or careless users wide open to malicious web apps and plugins.
Trust certificates & security patches would have been vastly preferable to discontinuing the feature.
As I see it, I think the security issue is a smoke screen. These "security issues" exist across many vectors, and gadgets, if they were such a problem, would have been addressed much sooner than the dawn of the release of Windows 8. My opinion is that gadgets were jettisoned because they are a power drain on a Windows 8 tablet. It reminds me of how the ribbon interface was "to expose deeply buried functionality" when I think in reality Microsoft was really planning for a touch interface. So, whatever "excuse" Microsoft gives for doing something, I tend to look for a deeper purpose. Hopefully this will change with the new management. Does anyone know if it is possible to install some sort of gadget platform on Windows 8.1? Thanks!
These attacks happen in this way:
An attacker would have to convince a user to install and enable a vulnerable Gadget
An attacker who successfully exploited a Gadget vulnerability could gain the same user rights as a logged-on user. If the user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
as you see it is simple: if you install a vulnerable gadget... now tell me, who authorizes your gadgets? On the World Wide Web there are many, many fake gadgets. Be careful.
Also, Microsoft has a hotfix to disable the sidebar and gadgets that you can find in this link:
microsoft advisory
and they killed gadgets and the sidebar in Windows 8.
I appreciate you finding the exact details; here is the article presented at Black Hat which made Microsoft disable gadgets:
We have you by the gadgets - Black Hat (pdf file)

How to create a login-screen replacement for Ubuntu

I'm interested in writing a replacement login screen for Ubuntu that would present the user with a puzzle rather than prompt for a password. I'm looking for some advice on how to go about creating this. I'm a programmer by profession with years of experience, but am not familiar enough with Linux application programming to know how to begin this particular project. Thank you!
You could probably do this as an authentication module for PAM (Linux Pluggable Authentication Modules).
PAM is configured in configuration files in /etc/pam.d. Each file in this directory defines a PAM service by specifying a set of PAM modules and how they should work together. You could write a new authentication module and replace the current authentication module in the services where you want to use the new login scheme.
The "best" way to do this may be to create a PAM module. This is how things like fingerprint identification are implemented. It will allow you to keep the same login screen with all the features such as accessibility options, etc.
The "easiest" way to do it may be to modify an existing display manager. Ubuntu uses GDM (Gnome Display Manager) by default, but it's pretty complicated. SLiM is a simple display manager that you can probably modify without much difficulty.
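The PAM-module route recommended here, and in the first answer on this page (hooking a custom authentication algorithm into Linux login), comes down to one C function that PAM calls for every `auth` line. The following is an added example, not code from the thread or from Linux-PAM: a minimal challenge/response module whose entry point asks the user a question through the application's conversation function and checks the reply in constant time. The module name `pam_puzzle`, the `BUILD_PAM_MODULE` switch and the arithmetic puzzle are placeholders for the asker's own scheme; the verification logic is kept free of libpam so it can be compiled and unit-tested on any machine, while the PAM glue is built only with `-DBUILD_PAM_MODULE`.

```c
/* pam_puzzle.c -- sketch of a challenge/response PAM auth module (added example).
 * Stand-alone build:  gcc -Wall -o puzzle_demo pam_puzzle.c
 * Module build:       gcc -Wall -shared -fPIC -DBUILD_PAM_MODULE -o pam_puzzle.so pam_puzzle.c -lpam
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

typedef struct {
    char question[64];   /* prompt shown to the user */
    char answer[16];     /* expected reply; never leaves module memory */
} puzzle_t;

/* Derive a puzzle from a seed. The module seeds from /dev/urandom so a challenge
 * cannot be predicted or replayed; a fixed seed is only for testing. */
static void make_puzzle(uint32_t seed, puzzle_t *p)
{
    uint32_t a = (seed % 90) + 10;          /* 10..99 */
    uint32_t b = ((seed / 90) % 90) + 10;   /* 10..99 */
    snprintf(p->question, sizeof p->question, "What is %u + %u? ", a, b);
    snprintf(p->answer, sizeof p->answer, "%u", a + b);
}

/* Compare without exiting at the first mismatching byte, so response timing
 * does not reveal how much of the answer was right. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), n = la < lb ? la : lb;
    unsigned diff = (la != lb);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned)((unsigned char)a[i] ^ (unsigned char)b[i]);
    return diff == 0;
}

/* Check a reply against the puzzle for `seed`; trailing whitespace (e.g. a
 * newline left by a conversation function) is ignored. Returns 1 on match. */
static int verify_answer(uint32_t seed, const char *reply)
{
    puzzle_t p;
    char buf[32];
    size_t n;
    make_puzzle(seed, &p);
    snprintf(buf, sizeof buf, "%s", reply);   /* bounded copy; answers are short */
    n = strlen(buf);
    while (n > 0 && isspace((unsigned char)buf[n - 1]))
        buf[--n] = '\0';
    return ct_equal(buf, p.answer);
}

#ifdef BUILD_PAM_MODULE
#define PAM_SM_AUTH
#include <security/pam_modules.h>

static uint32_t fresh_seed(void)
{
    uint32_t s = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f) { if (fread(&s, sizeof s, 1, f) != 1) s = 0; fclose(f); }
    return s;
}

/* Called for an "auth" line. Prompting goes through the calling program's
 * conversation function, so login, sudo and a display manager all work unchanged. */
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user = NULL;
    const struct pam_conv *conv = NULL;
    struct pam_message msg;
    const struct pam_message *msgp = &msg;
    struct pam_response *resp = NULL;
    puzzle_t p;
    uint32_t seed;
    int ok;
    (void)flags; (void)argc; (void)argv;

    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL)
        return PAM_USER_UNKNOWN;
    if (pam_get_item(pamh, PAM_CONV, (const void **)&conv) != PAM_SUCCESS || conv == NULL)
        return PAM_CONV_ERR;

    seed = fresh_seed();
    make_puzzle(seed, &p);
    msg.msg_style = PAM_PROMPT_ECHO_ON;
    msg.msg = p.question;
    if (conv->conv(1, &msgp, &resp, conv->appdata_ptr) != PAM_SUCCESS
        || resp == NULL || resp->resp == NULL)
        return PAM_CONV_ERR;

    ok = verify_answer(seed, resp->resp);
    memset(resp->resp, 0, strlen(resp->resp));   /* scrub the reply before freeing */
    free(resp->resp);
    free(resp);
    return ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}

int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    return PAM_SUCCESS;
}
#else
/* Stand-alone demo of the same logic, driven from stdin. */
int main(void)
{
    puzzle_t p;
    char reply[32];
    uint32_t seed = (uint32_t)time(NULL);   /* demo only; the module reads /dev/urandom */
    make_puzzle(seed, &p);
    fputs(p.question, stdout);
    fflush(stdout);
    if (fgets(reply, sizeof reply, stdin) == NULL)
        return 1;
    puts(verify_answer(seed, reply) ? "accepted" : "rejected");
    return 0;
}
#endif
```

Copy the built `pam_puzzle.so` into the PAM module directory (`/lib/security`, or `/lib/x86_64-linux-gnu/security` on Ubuntu) and try it first from a throwaway service file such as `/etc/pam.d/puzzle-test` containing the single line `auth required pam_puzzle.so`, exercised with `pamtester puzzle-test <user> authenticate`, before touching `common-auth` or the display manager's stack; keep a root shell open while you do. Only the `auth` step is replaced, so account and session handling stay as they are, and whatever replaces the password prompt should be at least as hard to guess as the password it displaces: the arithmetic puzzle here is a stand-in for the asker's own challenge, not an authentication scheme.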
