Security: Android vs. iOS

I started working on getting my master’s recently. Here is a paper I wrote for my network security class. I figured I’d be lazy and re-use it as a post. I apologize for any weird formatting. Hope you enjoy…

Security: Google Android vs. Apple iOS

Abstract

In this paper I will compare and contrast the security models of the Google Android and Apple iOS operating systems. Specifically, I will examine how applications are developed and accepted, how permissions are granted, and what kinds of threats these operating systems face. Then I will explore various defenses that are available to consumers now or that may be available in the future.

I. Android Security Model

The Android platform is built on the Linux kernel, and on top of the Linux kernel sits a virtual machine called the Dalvik Virtual Machine. This virtual machine is what allows each Android application to run in a “sandbox,” meaning all applications run in silos that can’t access other applications. Any application that needs to access system services uses the built-in Android APIs to do so. Upon installation, each app is assigned a User ID that allows for standard Linux file access rights.

On top of all this, Android uses a permissions-based security model as another layer of security. When a user downloads an app from the Android Market, the system prompts him to grant the app the permissions it requests. Android is supposed to follow a least-privilege security model.

However, even though a least-privilege model is used, the access permissions are left up to the developer, which can lead to unnecessary permissions being granted. Third-party developers are free to upload most apps to the Market without any review. Because Android permissions documentation is fairly limited, developers often give too many privileges to an app. Other reasons apps might be over-privileged include developers requesting permissions that merely sound like they are necessary even though they aren’t, and apps requesting permissions they don’t need because the system uses the API to call dependent programs that already hold the necessary permissions. In other cases, developers request permissions that were necessary on older versions of Android but are no longer needed.

Researchers have used a tool called Stowaway to find unnecessary privileges in a sample of applications downloaded from the Android Market. They found that about one third of apps were assigned unnecessary privileges. Although these privileges were deemed unnecessary, the researchers note that they do not cause any harm or information leakage either.
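A Stowaway-style check, as an added example (not the paper’s code and not the Stowaway authors’ tool): it reads a constructed AndroidManifest.xml, compares the declared permissions with a small constructed API-to-permission map for the calls the app makes, and explains each unnecessary permission using the three causes described above (no API call needs it, an intent hands the work to another app that already holds it, or it was only needed on older API levels). The map, the sample manifest, the hypothetical com.example.legacy API and the app’s call list are all constructed; a real tool derives the call list from the app’s bytecode.

```python
# Stowaway-style over-privilege audit. Added example, not the paper's or
# Stowaway's code: the permission map, intent table, manifest and call list
# below are all constructed; a real tool derives the call list from the
# app's bytecode and uses a map covering the whole platform API.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# API method -> (permission it needs, last API level that needed it or None).
API_PERMISSION_MAP = {
    "android.telephony.TelephonyManager.getDeviceId":
        ("android.permission.READ_PHONE_STATE", None),
    "android.location.LocationManager.getLastKnownLocation":
        ("android.permission.ACCESS_FINE_LOCATION", None),
    "java.net.HttpURLConnection.connect":
        ("android.permission.INTERNET", None),
    # Hypothetical legacy API whose permission was only needed up to API 10
    # (the "needed on older Android versions" case).
    "com.example.legacy.LogStore.read":
        ("com.example.permission.LEGACY_STORAGE", 10),
}

# Intent actions that hand the work to another app that already holds the
# permission, so the sender does not need it (the "sounds necessary" case).
DELEGATED_ACTIONS = {
    "android.media.action.IMAGE_CAPTURE": "android.permission.CAMERA",
    "android.intent.action.DIAL": "android.permission.CALL_PHONE",
}


def parse_manifest(manifest_xml):
    """Return (set of declared permissions, targetSdkVersion or None)."""
    root = ET.fromstring(manifest_xml)
    declared = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    declared.discard(None)
    sdk = root.find("uses-sdk")
    target = sdk.get(ANDROID_NS + "targetSdkVersion") if sdk is not None else None
    return declared, (int(target) if target else None)


def required_permissions(api_calls, target_sdk):
    """Split permissions implied by the app's calls into still-needed
    (permission -> call) and stale for its target level (permission -> why)."""
    needed, stale = {}, {}
    for call in api_calls:
        if call not in API_PERMISSION_MAP:
            continue  # call needs no permission (or the map does not cover it)
        perm, last_level = API_PERMISSION_MAP[call]
        if last_level is not None and target_sdk is not None and target_sdk > last_level:
            stale[perm] = "only required up to API level %d; app targets %d" % (last_level, target_sdk)
        else:
            needed[perm] = call
    return needed, stale


def audit(manifest_xml, api_calls, intent_actions):
    """Report declared-but-unneeded permissions with the reason, and
    needed-but-undeclared ones with the call that needs them."""
    declared, target_sdk = parse_manifest(manifest_xml)
    needed, stale = required_permissions(api_calls, target_sdk)
    unnecessary = {}
    for perm in sorted(declared - set(needed)):
        delegated = [a for a in intent_actions if DELEGATED_ACTIONS.get(a) == perm]
        if perm in stale:
            unnecessary[perm] = stale[perm]
        elif delegated:
            unnecessary[perm] = "handled by another app via intent %s" % delegated[0]
        else:
            unnecessary[perm] = "no API call in the app requires it"
    missing = {perm: call for perm, call in needed.items() if perm not in declared}
    return {"unnecessary": unnecessary, "missing": missing}


# Constructed sample: a notes app that declares more than it uses.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-sdk android:targetSdkVersion="15"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="com.example.permission.LEGACY_STORAGE"/>
</manifest>"""
SAMPLE_API_CALLS = [
    "android.telephony.TelephonyManager.getDeviceId",
    "java.net.HttpURLConnection.connect",
    "android.location.LocationManager.getLastKnownLocation",  # not declared
    "com.example.legacy.LogStore.read",                      # stale permission
    "android.widget.Toast.makeText",                         # needs nothing
]
SAMPLE_INTENT_ACTIONS = ["android.media.action.IMAGE_CAPTURE"]  # camera app takes the photo

if __name__ == "__main__":
    for perm, why in audit(SAMPLE_MANIFEST, SAMPLE_API_CALLS, SAMPLE_INTENT_ACTIONS)["unnecessary"].items():
        print("over-privileged: %s (%s)" % (perm, why))
```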

Although Android does require user permission to install an app, it is an all-or-nothing scenario: there is no granularity in the permissions granted to the app. This constant prompting about whether to allow access may condition the user to blindly accept the permissions without knowing what he has agreed to, rendering the permission queries somewhat useless.

II. iOS Security Model

Apple iOS has basically taken the opposite route with its security model in comparison to Google Android. Instead of asking for the user’s permission upon installation of an app, iOS grants full access to all smartphone services by default. iOS also has a Security Server that implements several built-in security policies. The Security Server manages access to keychains and root certificate trust management.

Another way iOS manages security is through the app submission process. A developer must submit his app for review by Apple developers. About 95% of apps that are approved for the App Store receive that status within a couple of weeks. Apple rejects about 20% of apps on their first submission, mostly because of software bugs found by the reviewers.

Apple also has application guidelines and contracts that developers must follow in order to have their apps published. For instance, Apple gives all developers the same software suite to create their apps. Some other guidelines include:

• “Apps cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used. Apps that require users to share personal information … in order to function will be rejected.”

• “Developers who create apps that surreptitiously attempt to discover user password or other private data will be removed from the iOS Developer Program.” (“App Store Review Guidelines”)

III. iOS vs. Android

It’s hard to compare the iOS and Android operating systems because they use seemingly opposite security models. Android gives the end user more control through permission notifications, and iOS boasts of what it claims to be rigorous reviews of apps submitted by developers. One can cite evidence against these claims, however.

Recently a researcher was removed from the Developer Program for proving that it’s possible to get a trojan through the approval process and then notifying Apple of this exploit. Apple’s approval process is also somewhat unclear. One can question how many checks can be performed during the average two-week review. It seems that reviewers could check the identity of the developer and find easily located software bugs, but can they really catch every piece of malware that might be hidden? Do they lose the incentive to search thoroughly because these apps are submitted by members of the Developer Program? Especially because all apps downloaded from the App Store have full access to the device, this could prove to be a major security flaw.

On the flip side, Android has a very open model; after all, it is based on Linux. Although it does use user permissions, Android users often ignore the warnings, and there are many over-privileged apps available. Android is also now the most widely used smartphone operating system, which makes it a larger target. Android malware is up about 427% in the last six months. Also, Android apps have no central certification authority (CA). All certificates come from the developer of an app, which could be a self-signed certificate that is not secure. Apple handles app certificates through a centralized CA via iTunes.

Both Android and iPhone smartphones can be remotely wiped and/or encrypted. The iPhone has this capability built in, whereas on Android an app must be downloaded to get similar capabilities.

IV. Known Malware and Threats

Several malware instances have attacked Android phones (as noted earlier, Android malware is up 427%), and one of the more prominent is the AnserverBot Trojan. AnserverBot attaches itself to legitimate applications and rebuilds them. The trojan has several layers; one of them checks the signature of the rebuilt packages, which is believed to make the newly infected app impossible to tamper with or analyze. AnserverBot can also detect some anti-virus software and disable it. It has two different payloads, and the second payload can call a server to make the device part of a botnet.

iPhone has also seen security flaws recently. The instance mentioned earlier, in which the researcher was kicked out of the Developer Program, involved a seemingly benign app that allowed unsigned code in memory. This flaw was exploited to download and run unauthorized code on the system. Another recent example is an app that supposedly let users change their screen color. In fact, the app let users circumvent the fee-based tethering option and use their phones as free access points. The app has since been pulled from the App Store, but users who already downloaded it can still use it.

V. Possible Lines of Defense

Smartphone defense is very important, both to individuals and to companies that let their users access private information about clients or employees. One scheme proposed to defend against malware is CPMC (Community-Based Proximity Malware Coping). Because centralized control is not really feasible in smartphone networks, this scheme uses proximity to decide when communication with nodes in another community should be rejected, based on signatures. This is short-term: a timer is started when the signature is first communicated, and eventually communication is allowed again. These short-term components are stored in a history and analyzed over the long term to help the device make future communication decisions. This strategy can defend against proximity malware such as CommWarrior,

A suggestion for defending against Android malware specifically is to create a new privacy mode that gives the user more granular options for security permissions. One such system is TISSA (Taming Information-Stealing Smartphone Apps). This tool uses few resources and has a very small footprint, so it does not slow down the device.

A similar suggestion is to implement AppFence. This tool offers two ways to avoid sharing private information. The first is called data shadowing: if an app needs to send private information, AppFence substitutes benign data in its place. The second is exfiltration blocking, which sends nothing if private information is requested. With either technique, however, the app may not function as it was originally intended to.
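The two AppFence controls as a small Python simulation, added here as an example and not the AppFence authors’ code: the Device class, the private source values and the sync app are all constructed. Private data is marked with a Tainted string type; “shadow” answers the app with benign substitutes for the configured sources, while “block” lets the app read the real data but refuses to send any payload carrying it, which is why the app’s sync reports failure under that policy.

```python
# Simulation of AppFence's data shadowing and exfiltration blocking.
# Added example, not the AppFence authors' code: the Device, its private
# source values and the sync app are all constructed for illustration.
REAL_IMEI = "356938035643809"            # constructed sample value
REAL_CONTACTS = ["alice@example.com", "bob@example.com"]


class Tainted(str):
    """A string that originated from a private source."""


def leaves(value):
    """Yield every leaf inside nested dicts/lists so taint can be checked."""
    if isinstance(value, dict):
        for v in value.values():
            yield from leaves(v)
    elif isinstance(value, (list, tuple, set)):
        for v in value:
            yield from leaves(v)
    else:
        yield value


class Device:
    """policy: "none" (stock behaviour), "shadow" (benign substitutes for the
    sources listed in shadowed) or "block" (drop sends carrying private data)."""

    def __init__(self, policy, shadowed=()):
        self.policy = policy
        self.shadowed = set(shadowed)
        self.sent, self.blocked = [], []

    def imei(self):
        if self.policy == "shadow" and "imei" in self.shadowed:
            return "000000000000000"       # benign, untainted substitute
        return Tainted(REAL_IMEI)

    def contacts(self):
        if self.policy == "shadow" and "contacts" in self.shadowed:
            return []                      # app sees an empty address book
        return [Tainted(c) for c in REAL_CONTACTS]

    def send(self, payload):
        """Network sink. Under "block", a payload that carries any tainted
        value is dropped; the app only sees that the send failed."""
        if self.policy == "block" and any(isinstance(v, Tainted) for v in leaves(payload)):
            self.blocked.append(payload)
            return False
        self.sent.append(payload)
        return True


def sync_app(device):
    """Constructed app: uploads device id and contacts, returns True on success.
    Both controls change this behaviour, which is why the app may break."""
    payload = {"device_id": device.imei(), "contacts": device.contacts()}
    return device.send(payload)


if __name__ == "__main__":
    for policy in ("none", "shadow", "block"):
        d = Device(policy, shadowed=("imei", "contacts"))
        print(policy, "sync ok:", sync_app(d), "sent:", d.sent)
```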

A very interesting line of defense, especially for business users, is to create a virtual machine on your phone. VMware is currently working on a project called Horizon Mobile, which will let a user keep personal data completely separate from business data without carrying two physical phones. The project will also allow IT admins to back up and restore the entire phone somewhere on the network, which could enable “off-phone” attack forensics. IT admins will also be able to wipe business data from the VM without touching the personal information.

An interesting bonus of virtualization is that the hardware verifies the integrity of the boot ROM. Then the integrity of the virtualization microkernel is checked, which in turn checks the operating system image. If any of these verifications fails, the system can deny access to certain resources. As of now, virtualization is being done only on Android; its open model makes it readily available for development and testing. When virtualization is generally available, I believe Android will be the superior choice for business, and more specifically for IT departments.

VI. Future Work

It seems that the major security issue with Android is the lack of review performed during the app-submission process. I would like to see a peer-review process put in place that would work much like signed drivers from Microsoft. Although you could download any app you want, you might get a warning if the app hasn’t been peer-reviewed. Some trusted developers could act as peer reviewers by putting their stamps of approval on certain apps. Though this is not foolproof, it would add an additional layer of security to apps found in the Android Market. Because this is a peer review, and users can still download any app they want, Android would still uphold its open spirit.

Another idea, especially in a business setting, would be to restrict your users to an Android Market that is known to be secure. Android has the flexibility to use markets other than the one offered by Google. If you could create a market containing only known-secure apps, it would add another layer of protection. For personal use this would also be an added layer of security: even though the user would have access to all other Android markets, a particularly cautious user could choose to download apps only from this secure market.

VII. Conclusions

Android and iOS confront security issues in two very different ways. The Android OS puts permissions and access controls in the hands of the end user, but does almost nothing to vet the apps available in the Android Market. iOS insists on an app-submission program and has at least two Apple developers review an app before approving the submission. However, there is no way for users to know what access the app needs, or to prevent it from installing if they deem it unsafe.

Although more viruses, trojans, and worms attack Android, iOS is not without its security flaws, and attacks are likely to continue to rise. Android allows more third-party security software, making it possible to control Android smartphones more granularly. With iOS, although it is very secure, you are stuck using Apple’s tools.

References

Felt, Adrienne Porter, Chin, E., Hanna, S., Song, D., and Wagner, D. “Android Permissions Demystified.” Web. <https://mail-attachment.googleusercontent.com/attachment?ui=2&ik=9124afd57f&view=att&th=133f57288b4714ca&attid=0.6&disp=inline&realattid=95dfd0efa1f09b0c_0.6&safe=1&zw&saduie=AG9B_P8ah4T00mCK6XtPFOVtfZGG&sadet=1323030489368&sads=U7aBIBB31q_qBfFXWyINJb7Op0Q>.

Delac, G., Silic, M., and Krolo, J. “Emerging Security Threats for Mobile Platforms.” Web. <https://bib.irb.hr/datoteka/518944.EmergingSecurityThreatsForMobilePlatforms.pdf>.

Napier, Rob, and Kumar, Mugunth. “iOS 5 Programming: Pushing the Limits …” Google Books. Web. 04 Dec. 2011. <http://books.google.com/books?id=LFaxcuKxVf0C>.

Noyes, Katherine. “Why Android App Security Is Better Than for the iPhone.” PCWorld Business Center. Web. 04 Dec. 2011. <http://www.pcworld.com/businesscenter/article/202758/why_android_app_security_is_better_than_for_the_iphone.html>.

Li, Feng, Yang, Y., and Wu, J. “CPMC: An Efficient Proximity Malware Coping Scheme in Smartphone-based Mobile Networks.” Web. <https://mail-attachment.googleusercontent.com/attachment?ui=2&ik=9124afd57f&view=att&th=133f57288b4714ca&attid=0.1&disp=inline&realattid=95dfd0efa1f09b0c_0.1&safe=1&zw&saduie=AG9B_P8ah4T00mCK6XtPFOVtfZGG&sadet=1323031153723&sads=ntB2YrzS1Huw6Q9i3q_wFUV__Aw>.

Wallach, Dan. “Smartphone Security: Trends and Predictions.” Web.

Zhou, Y., Zhang, X., Jiang, X., and Freeh, V. “Taming Information-Stealing Smartphone Applications (on Android).” Web. <https://mail-attachment.googleusercontent.com/attachment?ui=2&ik=9124afd57f&view=att&th=133f57288b4714ca&attid=0.5&disp=inline&realattid=95dfd0efa1f09b0c_0.5&safe=1&zw&saduie=AG9B_P8ah4T00mCK6XtPFOVtfZGG&sadet=1323031344808&sads=syCuilU05r42zDtnyvongq-mms0>.

Zhou, Yajin, and Jiang, X. “An Analysis of the AnserverBot Trojan.” Web. <https://mail-attachment.googleusercontent.com/attachment?ui=2&ik=9124afd57f&view=att&th=133f57288b4714ca&attid=0.7&disp=inline&realattid=95dfd0efa1f09b0c_0.7&safe=1&zw&saduie=AG9B_P8ah4T00mCK6XtPFOVtfZGG&sadet=1323031484967&sads=7vXuUhIxNBHHcgVCG3pdFv3GStU>.

Hornyack, Peter, Han, S., Jung, J., Schechter, S., and Wetherall, D. “These Aren’t the Droids You’re Looking For: Retrofitting Android to Protect Data from Imperious Applications.” Web. <https://mail-attachment.googleusercontent.com/attachment?ui=2&ik=9124afd57f&view=att&th=133f57288b4714ca&attid=0.8&disp=inline&realattid=95dfd0efa1f09b0c_0.8&safe=1&zw&saduie=AG9B_P8ah4T00mCK6XtPFOVtfZGG&sadet=1323031622552&sads=6-7hn7zE7jNsw2kGBaBf1qKym2E>.

“Apple Answers the FCC’s Questions.” Apple. Web. 04 Dec. 2011. <http://www.apple.com/hotnews/apple-answers-fcc-questions/>.

“App Store Review Guidelines.” Web. <http://stadium.weblogsinc.com/engadget/files/app-store-guidelines.pdf>.

Savov, Vlad. “Apple Kicks Researcher Out of iOS Developer Program for Exploiting Security Flaw, Microsoft Swoops In.” The Verge. Web. <http://www.theverge.com/2011/11/8/2546435/researcher-who-exposed-an-ios-app-vulnerability-loses-his-developer>.

“Smartphone Security Smackdown: iPhone vs. Android.” InformationWeek. Web. 04 Dec. 2011. <http://www.informationweek.com/news/security/mobile/231000953>.

Roberts, Laura. “15 Year-old Boy Creates ‘Trojan’ iPhone App Which Connects to Internet for Free.” The Telegraph. Web. 04 Dec. 2011. <http://www.telegraph.co.uk/technology/apple/7906118/15-year-old-boy-creates-Trojan-iPhone-app-which-connects-to-internet-for-free.html>.

McGarvey, Robert. “iOS vs. Android Security: And the Winner Is?” eSecurity Planet. Web. 04 Dec. 2011. <http://www.esecurityplanet.com/mobile-security/ios-vs-android-security-and-the-winner-is.html>.

Shah, Rushang. “Android vs. iPhone for Business: 5 Questions to Answer.” ZDNet. Web. 04 Dec. 2011. <http://www.zdnet.com/news/android-vs-iphone-for-business-5-questions-to-answer/6205632>.

Cox, John. “Symantec Finds Big Differences in iOS, Android Security.” Network World. Web. 04 Dec. 2011. <http://www.networkworld.com/news/2011/062811-symantec-mobile-report.html?page=1>.

Brodkin, Jon. “VMware to Virtualize Android Smartphones for Business Users.” Network World. Web. 04 Dec. 2011. <http://www.networkworld.com/news/2010/120710-vmware-virtualizes-lg-android.html>.

Brodkin, Jon. “VMware’s Virtualized Android Phones Coming to Verizon.” Ars Technica. Web. 04 Dec. 2011. <http://arstechnica.com/business/news/2011/10/vmwares-virtualized-android-phones-coming-to-verizon.ars>.


Automating File/Directory Transfer from Linux to Windows

Recently I was charged with the task of creating a script to copy some backup files from our mail server to a file server.  Now there’s a ton of information out there on various ways to do this.  You can use Samba, Likewise, FTP, etc., etc.  Samba/Likewise seem to be some of the more popular ways to do this, and it does seem to be pretty fool-proof once you’ve set it up, but I have had some issues with machine passwords changing and breaking the connection to the share.  So, I decided to go ahead and use the scripting options that come with WinSCP.

The WinSCP site does a pretty good job of putting various options out there, but I found that I still had to do a lot of trial and error to make this simple “download” work. So, here is my, hopefully, very simple version of how to pull a file from a Linux server to a Windows server.

1.  Download WinSCP on your Windows file server if you haven’t already.

2.  Create a folder on the Windows server where you plan on keeping the files you’ve transferred.

3.  In the folder, create a new text document (example.txt)

4.  Edit that text file to look like this:

option batch abort
option confirm off
open root:password@ipaddress.of.linux.server
get /tmp/test*.* E:\store\
exit

This script opens a session on the Linux server as root, using the root password, and the get command pulls every file in /tmp whose name starts with “test” to the Windows machine, into the Store directory on the E drive. Because the script holds the root password in clear text, restrict who can read the file.

5.  You can test the script by opening a command prompt and running:

winscp.com /script=E:\store\example.txt

If this is successful, you’re all set to create a scheduled task.  If you get a message saying that command doesn’t exist, make sure you’re in the WinSCP directory where winscp.com is stored.

6.  Open task scheduler and select Create a Basic Task on the right.  Schedule the task as you please and then select Start a Program.

7.  In the Program/Script field, browse to WinSCP.com and select that.  In the arguments field type:

/script=e:\store\example.txt

which is the location of your script.

8.  That’s pretty much it.  Make sure you have it set to run even when a user is not logged on and assign the proper credentials to run it.


Duplicate Datastores After Upgrading to vSphere 5

I decided to become a somewhat early adopter of the vSphere 5 upgrade at a few of my sites.  At the first site (a very simple DR site) it went off without a hitch.  Did the upgrades in order, easily did some storage vMotions so I could create new VMFS 5 datastores…simple.

My next site upgrade did not go so well.  Don’t worry, there were no outages…definitely not a big deal.  However, apparently there is a small bug if you have View and/or SRM in the environment you’re upgrading.  So, when I finished upgrading the ESXi servers, all of a sudden I had duplicate datastores.  I had one called FCDatastore1 and all of a sudden another called FCDatastore1 (1) for every datastore…

Apparently, since I have View it left some orphaned replicas in those datastores so the upgrade could not automatically delete them (I specified that the upgrade should preserve my VMFS volumes).  I also had some templates that were seemingly orphaned in the datastores that didn’t really even exist anymore.

So, here’s how you fix it:

1.  Remove any templates from inventory.  They should be in the real/active datastores, so you shouldn’t lose them.

2.  Since VMware protects the replicas, you won’t be able to just remove these from inventory.  Follow this article to unprotect them: http://blogs.vmware.com/view/2009/01/view-composer-how-to-delete-orphaned-replicasource-entries-in-vcenter.html

Here’s what it says:

1. On the vCenter/View Composer server launch Start –> Run –> CMD
2. Browse to “C:\Program Files\VMware\VMware View Composer”
3. Type the command below replacing the default information with specific information for your environment.
SviConfig -operation=UnprotectEntity -VcUrl=https://my.vc/sdk -Username=User1 -Password=123 -InventoryPath="/My Datacenter/vm/MyReplicaFolder" -Recursive=True

3.  Go back to vCenter and you should now be able to remove the replicas from inventory by right-clicking and selecting Remove from Inventory.

4.  The datastores that no long exist should automatically disappear and you can rename the new FCDatastore1 (1) to FCDatastore1 by just right-clicking on it and selecting Rename.


Don’t Trust, and Definitely Verify

This weekend I decided to update some firmware on some Dell layer 3 switches (PowerConnect 6248).  I only did it at one site to test before I updated the firmware on our production switches.  Before I updated those switches, I updated the firmware on a spare switch to be prepared in case one of the switches didn’t upgrade properly (it’s happened a couple times before).  Everything was great.  I came in on Saturday afternoon and updated the stack and everything seemed to go great (tip: make sure to turn off HA on all your ESXi servers before you do a network update).  After the update I tested internal email, external email, internal networking, internet, etc., etc., and so forth.

The one thing I didn’t test was the direct connection to our production site. Lo and behold, I got a call at 11pm and found out that our support team was unable to connect to the production site. The production site was up, everyone on the outside could get to it (I made sure to test the bread and butter of the operation…no SLA issues), but I made the mistake of not testing the direct connection. The configs were exactly the same; I spent two hours on the phone with Dell and they said everything looked good. They had no idea what was causing the issue and insisted it was a routing problem.

At 1am the support person I was speaking with let me know that the night shift was basically a break/fix team and they wouldn’t be able to help me any further. He would be sure to put it in the queue for the day shift, who are more versed in how firmware updates may cause issues. The problem needed to be solved immediately, though. At 1:30am I met my boss at work (a good half hour drive for both of us). Immediately we saw that the port used for our direct connection was down. For some reason it was the only port that was down. We did some troubleshooting and realized the config for that particular port was wrong. Okay, great…we can just change the config. I changed it to what it should be, applied the changes, and all of a sudden the whole stack just reloaded and set the port back to the incorrect settings. Maybe it was a fluke, so I tried again, and again the whole switch reloaded.

A few minutes later, I rolled back the update and everything lit up (in a good way).  All connections were working properly.  Of course, I was regretting not just driving in at 11pm and doing that very thing, but who would have thought that every single thing was working besides that due to the update.

My point…make sure you test every possible scenario.  Make sure that there will be support, if possible, before you do such an upgrade (although it wasn’t even a full version upgrade).  Make sure your boss will still like you after you’ve made him come in to the office at 2am.  And, perhaps most important, when you are purchasing equipment, you know someone will be able to support you when you run into buggy software on a weekend or a night…you know…the times when you would be doing network upgrades.


vCenter Orchestrator – Using Workflow Loops to Create Snapshots On Multiple VMs

Okay, this is not a post for everyone.  If you have no idea what vCenter Orchestrator…or what VMware is for that matter, I would just stop reading now.  However, if you’re interested, please read on.  This is going to be a step-by-step on how to automate snapshot creation on multiple VMs (without them having to be in the same resource pool…read: you don’t have Enterprise licensing).

I would also like to thank Christophe and Burke in the VMware communities for helping me plug my way through this and being very patient with me. I used this to get started: http://www.vcoteam.info/learn-vco/creating-workflow-loops.html, which I believe was written by Christophe, so he gets most of the credit for what I’m about to put out there.

1.  Open vCenter Orchestrator and login.  Click on the workflows tab on the left.  Click on the root of the tree and click Add Folder.  You can name the folder whatever you like.  I’ve named mine Automated Snapshots.

2.  Right click on the new folder you just created (ex: Automated Snapshots) and click on New Workflow.  You can name this workflow whatever you like as well.  I’ve named mine Windows Updates Snapshots.

3.  Right click on the new workflow you just created (ex: Windows Updates Snapshots) and click on Edit at the bottom.  This takes you to the general tab of your workflow editor.  Feel free to change the version as a good practice.

4.  Now click on the Inputs tab at the top.  Click the yellow arrow in the tool bar and that will put a generic parameter in there.  Click on the parameter name link listed under Name (by default it is arg_in_0) and change it to vms.  Click under where it says Type (by default String) and choose Array, then find VC:VirtualMachine and click on that.

5.  Now click on the Schema tab, then the Action and Workflow category on the left.  Drag and drop the Workflow element on to your schema.  In the filter field type Create a Snapshot and select it when it comes up.

6.  Click on the Generic category on the left and drag and drop Scriptable Task on to your schema.  With the Scriptable Task highlighted click on the Info tab in the bottom pane and change the name to Loop Setup.

7.  Click on the IN tab and click on the Bind to workflow parameter/attribute icon (on the left).  Select the vms parameter that we created before.

8.  Click on the OUT tab and click on the Bind icon.  Click the Create parameter/attribute workflow link and in the Name tab type vmNb.  This should be of type number and click OK.

9.  Click on the Scripting tab and type var vmNb = vms.length;

This is what your visual binding should look like for the Loop Setup element so far:

10.  Now click on the Basic Category in the left pane.  Drag and drop Decrease counter on to your schema.  Click on the Visual Binding tab in the bottom pane.  From here you can click and hold the arrow next to vmNb in the In Attributes pane and drag that to the arrow next to Counter in the In pane of Decrease counter.  This is the same as binding it using the IN and OUT tabs.  Do the same for the arrow next to Counter in the OUT to the arrow next to vmNb in the Out attributes on the right.

11.  Click on the Generic tab again.  Drag and drop a new Scriptable Task on to your schema and rename it Set Current VM.  Click on the IN tab and click on the Bind to workflow parameter/attribute icon.  Select both the vms and the vmNb attributes we created (this has to be done separately).

12.  Click on the OUT tab and click on the Bind icon again.  Click on Create parameter.  Next to Name type currentVM and put the type as VC:VirtualMachine.  Click OK.

13.  Click on the Scripting tab and type the following:  currentVM = vms[vmNb];

14.  Click on the Create a Snapshot element again.  Click on the IN tab in the bottom pane.  Under Source parameter next to name click on “not set.”  This brings up the parameter window again.  You can leave the Name as name and the type as string.  Next to value, specify the snapshot name such as Windows Updates.  Do the same for Description.  Memory and quiesce should be boolean values, so either select true or false.

15.  Now click on the Visual Binding tab.  Make sure currentVM is mapped to vm, if not, go ahead and click and drag from arrow to arrow.  The rest should also be mapped.

16.  Click on the Generic category in the left pane and drag and drop the Decision element on to your schema.  Rename it “VMs left” in the Info tab.  Click on the decision tab and click on the “not set (NULL)” link to change it to vmNb.  In the dropdown box next to it, select “greater” and in the field next to that type 0 (zero).

17.  At this point you should be able to add the End Workflow element and link them all together by doing a CTRL+left click and drag from element to element as in this screenshot.  Save and close the new workflow.

18.  You’ll now need to add the VMs that you would like to have snapshots.  You may want to validate your workflow first just to see if there are any issues.  If you get a warning about the output parameter “snapshot”, you can safely ignore it.  Now right click on your workflow and click Start Workflow.  This will bring up a dialog box which will allow you to set up your VMs.  Just select them from the tree, and it will save this information for future runs (or if you use the scheduler to schedule future runs).

On my first iteration of this workflow, I ran into some issues (admittedly they were most likely user error) and had to add a scriptable task between Set Current VM and Create a Snapshot in order to pass on the snapshot parameters correctly.  If you are getting an error indicating that the name is null or something like that, you might try doing the following.

1.  Drag a scriptable task on to your schema between Set Current VM and Create a Snapshot.

2. Click and highlight the Set Current VM element.  Click on the Scripting tab and type the following (below currentVM = vms[vmNb];)

name = "Windows Updates";
description = "Snapshot before Windows Updates";

3.  Click on scriptable task and then click on the Visual Binding tab.  All of the parameters should be mapped as in the picture.

4.  Click on the Scripting tab and input the following:

System.log("Source VM: " + currentVM.name);
System.log("Snapshot Name: " + name);
System.log("Description: " + description);
System.log("Memory: " + memory);
System.log("Quiesce: " + quiesce);

This scriptable task should then pass all the parameters on to the Create a Snapshot workflow element and you should be all set.

If you get stuck, you can always visit the VMware Orchestrator community forum at www.vmware.com or the www.vcoteam.info site for videos, articles, howtos, etc.


HOWTO – Dual Monitors Using a Fedora 14/15 Guest on VMware Workstation

I’ve just spent quite a few hours combing through how to get dual monitors working on a Fedora 14 and/or 15 VM guest.  It’s actually not that hard, as long as you get all of the updates and installs first!

Also, it’s apparently impossible to do a dual monitor remote session if you have a Fedora guest on vSphere…so this only applies to dual monitors using VMware Workstation. I used Workstation 7.x, as 6.5 wouldn’t work for me. If anyone out there knows how to make it work using vSphere I’m all ears. Also, this only seems to work with a new install. So, for example, if you have exported the VM from vSphere and tried to open it in Workstation, it probably won’t work.

Here’s the process I followed:

1. From the command line, run sudo su - (if you’re not already logged in as root)

2. yum update

3. After yum update completes, reboot the computer

4.  yum install kernel-devel kernel-headers gcc mkinitrd xinetd perl make kernel-PAE kernel-PAE-devel

5. yum groupinstall "Development Tools" "Legacy Software Development"

6. Click on VM and then click on Install VMware Tools

7. Back at the command line type:  mount /dev/cdrom /mnt

8. cd /tmp

9. tar zxpf /mnt/VMwareTools-[version].tar.gz

10. cd vmware-tools-distrib

11. ./vmware-install.pl

12. Go through the command line wizard that installs the tools, you can accept most of the defaults.

13.  Then do another restart of the guest

14. Press CTRL+ALT+ENTER to change to Full View

15.  Click on the Workstation icon on the top and make sure Autofit Guest is selected.

16.  Click on the Cycle Multiple Monitors button to start using dual monitors.

That should pretty much do it!  Fedora 15 seems to be a little more stable than 14, but I got them both working.  You may need to play around with your screen resolution.  For instance, I had Fedora 15 set to use 1280×1024 and that worked great.  For Fedora 14, though, I had to set it to 2560×1024.

All of the steps above, particularly all the installs may not be necessary for everyone…but this is the only way I got mine to work.  It’s pretty nice once you have it going.  Good luck!
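As an added example that is not part of the original post, here is a small POSIX sh script that wraps steps 9 through 11 with the checks I would want before extracting an archive as root: it locates exactly one VMwareTools tarball on the mount point, then lists the archive and refuses to extract it if any member is an absolute path, contains "..", or lies outside vmware-tools-distrib/. The function names, the mount point and working directory arguments, and the VMwareTools-*.tar.gz name pattern are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: wraps steps 9 to 11 with
# checks before extracting an archive as root. The mount/work directory
# arguments, the function names and the VMwareTools-*.tar.gz pattern are
# assumptions.

# Print the path of the single VMwareTools-*.tar.gz under $1, or fail.
find_tools_tarball() {
    mount_dir=$1
    set -- "$mount_dir"/VMwareTools-*.tar.gz
    if [ ! -e "$1" ]; then
        echo "no VMwareTools tarball found in $mount_dir" >&2
        return 1
    fi
    if [ "$#" -ne 1 ]; then
        echo "expected one VMwareTools tarball in $mount_dir, found $#" >&2
        return 1
    fi
    printf '%s\n' "$1"
}

# Succeed only if every member of the archive is a relative path under
# vmware-tools-distrib/: no absolute paths, no "..", no stray top-level files.
check_tarball_members() {
    listing=$(tar -tzf "$1") || return 1
    printf '%s\n' "$listing" | awk '
        /^\// || /(^|\/)\.\.(\/|$)/ { bad = 1 }
        !/^vmware-tools-distrib(\/|$)/ { bad = 1 }
        END { exit bad + 0 }'
}

# Steps 9 to 11 with the checks in front: $1 is the mount point (/mnt in the
# post), $2 the working directory (/tmp in the post). Leaves the working
# directory untouched if the archive fails the member check.
extract_vmware_tools() {
    tarball=$(find_tools_tarball "$1") || return 1
    check_tarball_members "$tarball" || {
        echo "refusing to extract $tarball: unexpected member paths" >&2
        return 1
    }
    (cd "$2" && tar zxpf "$tarball") || return 1
    [ -f "$2/vmware-tools-distrib/vmware-install.pl" ]
}

# Usage as root after "mount /dev/cdrom /mnt":
#   extract_vmware_tools /mnt /tmp && cd /tmp/vmware-tools-distrib && ./vmware-install.pl
```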


Book Review – Practical Cryptography

I just finished reading the book Practical Cryptography by Niels Ferguson and Bruce Schneier. It took me quite a while to get through it as it’s a bit of a dry topic. This book is advertised as a kind of a prequel to Applied Cryptography, also by Bruce Schneier. It’s supposed to concentrate more on theory than the actual math that goes into cryptographic systems (which is apparently what Applied Cryptography does, though I haven’t read it). The intended target audience is those just kind of starting out in security and/or cryptographic design.

It being one of the first security books I’ve read, besides the books I used to study for the Security+ certification, I was very interested to see what topics they would go into and what my level of understanding would be.  Since this book is  supposedly targeted at beginners, I thought it was a good pick.  There were definitely some interesting sub-topics in the beginning and the end, however, about half of the book was used to discuss the math that goes into creating cryptographic systems or breaking them.  There were symbols that I haven’t seen and definitely haven’t used since college and I was a math major…so I can only imagine what someone with very little mathematical background would think of these chapters.  For a theory book, I thought they spent way too much time on this.  Especially for a book geared towards people just getting into the security field.

It’s hard to decipher who their real target audience is.  The first few chapters go through such topics as how the AES standard was chosen.  The AES discussion was pretty interesting because it was actually a contest.  Bruce and Niels had a system that was up for AES, but apparently they didn’t win, and while they insist they aren’t bitter, it sure sounds like they are.  The book then goes on to talk about attacks on a pretty high level.  They eventually get into ciphers from there and that’s when the math starts coming at you.

At the end of the book, they go back to discussing topics at a high level.  They talk about things like how an attacker can set a system clock back, if a design is based on time expiry, to hack/crack into things.  I myself have used this method to troubleshoot VPN connections, etc.  They spend some time discussing Kerberos, PKI, CAs/certificates.  I found those topics really interesting.  Then, seemingly out of the blue, they start talking about patents.  Throughout the entire book they talk about how you should get experts to help you with your cryptography projects, and only use the standard ones that already exist, instead of making your own.  So, I’m not sure why the patent chapter was necessary at all.

Although the book had some great topics, and I’m basically happy that I read it, I thought the flow was kind of awkward. There was way too much math and not enough detail on the theory stuff. I have read some reviews saying that if you pair this book with its predecessor Applied Cryptography then it’s a pretty worthwhile read. For my purposes, though, I’m glad I can move on to a new book now. It was definitely meant for someone not looking for a high-level overview, but for someone who really wants to get started designing cryptographic systems. I guess I would give it 3 out of 5 stars.
