Running RISC OS servers in 2018: is it secure?

posted in: Software | 5

Over the years, the blog has featured a few articles on running Internet-facing services on RISC OS, from web servers (WebJames and HTTPServ) to VNC and Samba shares. While those articles did go a little into the security of running those services on RISC OS in this day and age, they didn’t cover what you can expect if you open up your WebJames or Samba instance to the wider Internet.

While browsing the ROOL forums I came across a discussion about how secure it really is to run servers on RISC OS in this day and age, considering how old the majority of RISC OS server applications are and how creaky some parts of the RISC OS networking stack are. That got me thinking: how secure is it really to run a service you care about on RISC OS, or a service you don’t particularly care about (e.g. a Samba share you never use) that nonetheless runs on a system you do want to protect?

So, to understand what threats are out there today and how relevant they are to RISC OS, it is worth first going over the threat landscape for Internet-facing servers in general, and how sophisticated (or not) attackers are in their attempts to steal or break your cyber-stuffs.

Password attacks

Unsurprisingly, the vast majority of attacks against servers on the Internet are attempts to guess a password, and a huge proportion of those are not sophisticated at all. This is mainly because it is so easy to get into Internet-facing systems that have incredibly weak passwords (if they have one at all). Tools such as Hydra (which guesses against a live login service over the network) and John the Ripper (which cracks captured password hashes offline) do support far cleverer approaches than working through a list of widely used passwords, but realistically, attackers just don’t need to go to that level of effort.

The Mirai malware, which enslaves Linux-based Internet-of-Things devices all over the world, took a large portion of the world’s most popular websites offline for a while in 2016 through an enormous distributed denial-of-service attack on Dyn, a DNS provider used by services such as Netflix, Twitter and GitHub, so that those sites could no longer be looked up. Mirai achieved this by scanning the entire Internet (quicker and easier than you might think) and attempting to log in to the Telnet service at each IP address armed with a small list of a few dozen default usernames and passwords known to ship with popular Internet-connected appliances such as CCTV cameras and Network Attached Storage (NAS) drives: ‘admin’/‘admin’ and ‘root’/‘123456’ type stuff for the most part. After logging in over Telnet, the malware would then get the infected machines to launch denial-of-service traffic at a target all at once.

To give you an idea of the kind of login attempts an average server on the Internet might see: a server I administer received just under 18,000 login attempts over SSH in September, which boils down to about 235 unique IP addresses each making 76 attempts on average. That in itself shows attackers generally aren’t trying every possible password to break into your system; instead they’re ploughing through a list of common usernames and passwords. Below is an excerpt of the SSH logs so you can see the kind of behaviour to expect in a password attack.

Nov 20 15:09:48 Plankton sshd[46342]: Failed login for invalid user admin from 194.61.XX.XX port 55962  
Nov 20 15:43:54 Plankton sshd[47108]: Failed login for invalid user service from 194.61.XX.XX port 55962  
Nov 20 17:33:11 Plankton sshd[49591]: Failed login for invalid user monitor from 194.61.XX.XX port 55969  
Nov 20 18:10:33 Plankton sshd[50444]: Failed login for invalid user guest from 194.61.XX.XX port 50669  
Nov 20 18:49:03 Plankton sshd[51313]: Failed login for invalid user support from 194.61.XX.XX port 50669  
Nov 20 19:25:06 Plankton sshd[52182]: Failed login for invalid user test from 194.61.XX.XX port 50711  
Nov 20 20:01:25 Plankton sshd[52990]: Failed login for invalid user debian from 194.61.XX.XX port 50712  
Nov 20 20:39:15 Plankton sshd[53853]: Failed login for invalid user service from 194.61.XX.XX port 50712  
Nov 20 21:16:33 Plankton sshd[54720]: Failed login for invalid user ubuntu from 194.61.XX.XX port 57006  
Nov 20 21:54:46 Plankton sshd[55569]: Failed login for invalid user user from 194.61.XX.XX port 57006  
Nov 20 22:34:53 Plankton sshd[56508]: Failed login for invalid user ubnt from 194.61.XX.XX port 57006  
Nov 20 23:16:28 Plankton sshd[57460]: Failed login for invalid user pi from 194.61.XX.XX port 63389
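Two things stand out in that excerpt: the usernames (admin, support, guest, service, ubnt, pi) are the same default accounts the Mirai list targets, and the guesses arrive roughly 35 minutes apart, which is slow enough to never trip fail2ban’s default 10-minute window. The script below is an added example (my own code, not anything from the original post) of detection logic that groups failed logins by source address over a longer window and distinguishes a fast brute force from that low-and-slow username walk. The log lines it runs over are constructed in the same shape as the excerpt, with addresses from the RFC 5737 documentation ranges, and the year is assumed to be 2018 since syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the syslog shape of the excerpt above ("Failed login for invalid
# user X from IP port N") as well as stock OpenSSH's
# "Failed password for [invalid user ]X from IP port N ssh2".
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?:login|password) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample lines (documentation-range addresses, not real attackers).
SAMPLE_LOG = "\n".join(
    [   # one source walking a username list, one guess every ~35 minutes
        "Nov 20 15:09:48 Plankton sshd[46342]: Failed login for invalid user admin from 198.51.100.7 port 55962",
        "Nov 20 15:43:54 Plankton sshd[47108]: Failed login for invalid user service from 198.51.100.7 port 55962",
        "Nov 20 17:33:11 Plankton sshd[49591]: Failed login for invalid user monitor from 198.51.100.7 port 55969",
        "Nov 20 18:10:33 Plankton sshd[50444]: Failed login for invalid user guest from 198.51.100.7 port 50669",
        "Nov 20 18:49:03 Plankton sshd[51313]: Failed login for invalid user support from 198.51.100.7 port 50669",
        "Nov 20 19:25:06 Plankton sshd[52182]: Failed login for invalid user test from 198.51.100.7 port 50711",
        "Nov 20 20:01:25 Plankton sshd[52990]: Failed login for invalid user debian from 198.51.100.7 port 50712",
        "Nov 20 20:39:15 Plankton sshd[53853]: Failed login for invalid user service from 198.51.100.7 port 50712",
        "Nov 20 21:16:33 Plankton sshd[54720]: Failed login for invalid user ubuntu from 198.51.100.7 port 57006",
        "Nov 20 21:54:46 Plankton sshd[55569]: Failed login for invalid user user from 198.51.100.7 port 57006",
        "Nov 20 22:34:53 Plankton sshd[56508]: Failed login for invalid user ubnt from 198.51.100.7 port 57006",
        "Nov 20 23:16:28 Plankton sshd[57460]: Failed login for invalid user pi from 198.51.100.7 port 63389",
    ]
    + [ # a second source hammering root, one guess every two seconds
        f"Nov 21 02:00:{2 * i:02d} Plankton sshd[{60000 + i}]: Failed password for root "
        f"from 203.0.113.9 port {41000 + i} ssh2"
        for i in range(15)
    ]
    + [ # a lone failure that should not be flagged
        "Nov 21 03:12:07 Plankton sshd[61900]: Failed password for invalid user test from 192.0.2.44 port 50000 ssh2",
    ]
)

def parse_line(line, year=2018):
    """Return the fields of one failed-login line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # year assumed: syslog omits it
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "invalid": m["invalid"] is not None}

def classify(stats, max_attempts=8, max_users=5, fast_gap_s=60):
    """Label one source's behaviour, or return None if it is below threshold."""
    if stats["attempts"] < max_attempts:
        return None
    if stats["min_gap_s"] is not None and stats["min_gap_s"] < fast_gap_s:
        return "brute force"            # rapid fire: a short fail2ban window catches this
    if len(stats["users"]) >= max_users:
        return "low-and-slow spray"     # many names, widely spaced: needs a long window
    return "repeated failures"

def analyse(log_text, window=timedelta(hours=24)):
    """Group failures by source address within a window and label each source."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            by_ip[event["ip"]].append(event)
    report = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        recent = [e for e in events if events[-1]["ts"] - e["ts"] <= window]
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recent, recent[1:])]
        stats = {
            "attempts": len(recent),
            "users": sorted({e["user"] for e in recent}),
            "min_gap_s": min(gaps) if gaps else None,
        }
        stats["verdict"] = classify(stats)
        report[ip] = stats
    return report

if __name__ == "__main__":
    for ip, stats in analyse(SAMPLE_LOG).items():
        print(f"{ip:15} {stats['attempts']:3} attempts, {len(stats['users']):2} usernames, verdict: {stats['verdict']}")
```

The thresholds are deliberately plain: the point is that counting attempts per source over a day, and counting distinct usernames rather than just failures, is what turns the excerpt above from twelve unremarkable lines into one obvious source worth blocking.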

So, with all that in context: if you want to password-protect content on your RISC OS web, Samba or VNC server, set a reasonably strong password and don’t reuse it anywhere else. Online password-strength estimators give a rough idea of how long a brute-force search of your password would take; once you get to 8 characters or longer, a password containing a mix of upper- and lower-case letters, numbers and special characters is pretty tricky to crack, and most attackers would move on. Bear in mind that the attackers in the logs above aren’t searching the whole character space at all, they are trying a list, so the single most important property is that your password isn’t a dictionary word, a vendor default, or something you have used on another site that may since have leaked.

That said however, if someone with enough knowledge and determination is for some reason targeting you specifically, then you might want to stop using passwords to authenticate altogether. As far as I’m aware, this will mean you’ll need to use a non-RISC OS solution for Samba, VNC etc. as I’ve not come across a RISC OS application that supports key-based authentication yet.

Encryption attacks

If your server is going to handle any data you don’t want others getting their grubby mitts on, for example your family photos or a website visitor’s form submission, then you’ll want a server that encrypts the data it sends and receives. Reading data that crosses the Internet over a protocol without encryption, HTTP for example, is trivial for anyone on the path (the Wi-Fi hotspot, the ISP, a compromised router) with the right tools, and the same position lets them alter it in transit too.

Unfortunately for us, there are no VNC, Samba or web server programs for RISC OS that support encryption; this includes HTTPServ and WebJames, which are HTTP-only web servers. The usual workaround is to put something that does speak TLS in front: a reverse proxy on another machine (or a VPN into your LAN) terminates the encrypted connection and forwards plain HTTP to WebJames, so the unencrypted hop never leaves your own network.

That said, if you want to run a web server that only serves free software you’ve written, or information you don’t mind anyone seeing, then hosting it on RISC OS isn’t a terrible option, bearing in mind that without TLS a visitor also has no way to tell that what they received is what you actually served.

An example of this would be my Raspberry Pi at home. It runs a WebJames instance that consists of one webpage linking to other services on my local network (my file server, media server etc.), so if someone were to sniff that connection, all they’d be able to see is links to other services; there’s no real data being passed across.

Denial of Service

Denial of Service (DoS) attacks were in the news a lot a few years back and they’re still a popular method of attack today, especially for people with very limited computer skills looking to cause some damage, since renting a botnet to do it is cheap. A notable example from the last few years was Sony’s PlayStation Network going belly up on Christmas Day after its servers were flooded with an enormous amount of bogus traffic so that no genuine users could log on to the online gaming network.

RISC OS is cooperatively multitasked and its server applications were written for a far quieter Internet, so a flood of traffic that a modern server would shrug off can tie up the whole machine rather than just the one service; having your server (and possibly your desktop) made unusable for a while is a real possibility. It does raise the question of why, though: unless someone has a particular reason to want your server down for a period of time, this isn’t something I’d be too worried about.

Vulnerability exploitation

Vulnerability exploitation is a very real threat to every Internet-facing server in the world. New flaws that let an attacker remotely expose private data or take control of the system in question are found all the time. Vendors generally fix these in the form of software updates once they’ve been made aware of a particular vulnerability, which is exactly the part that doesn’t happen for software that is no longer maintained.

There are some quite old and easy-to-exploit vulnerabilities lurking in the Samba and probably the VNC server applications for RISC OS right now, due to the age of the software or of the protocol versions they are based on. Two things are worth separating here. A weakness in the protocol itself is platform-independent: the classic VNC authentication, for instance, truncates the password to 8 characters and uses it as a DES key in a challenge-response, so a longer password buys nothing and anyone who captures the handshake can crack it offline. A memory-corruption bug in shared C code is also present whatever the operating system; what an attacker would have to rewrite for RISC OS is only the payload that turns a crash into code execution, and simply crashing the service needs no payload at all.

In the case of Samba, the latest version for RISC OS is 2.0.2-19990209, and Samba versions up to and including 3.6.3 have well-documented serious security issues; but given that RISC OS is an entirely different beast from the Unix/Linux and Windows systems these exploits are written for, I find it very unlikely that Samba on RISC OS will be exploited unless someone goes to the effort of researching and then coding a RISC OS-specific exploit, which is incredibly unlikely unless you’ve seriously pissed off a nation state or something.

To sum up

So in the grand scheme of things, if you want to run a server on a RISC OS system and you don’t have any data that could be damaging to you or others should it fall into the wrong hands, then there aren’t really any huge red flags in your way. The chance of someone exploiting the server software to get into your computer is very small, and providing you don’t cheese off a load of teenage online gamers, you’re probably not going to fall victim to a DoS attack either.

A look at the new Raspberry Pi 3 A+

posted in: Hardware | 2

A new member of the Raspberry Pi family was unveiled this week. The Raspberry Pi 3 Model A+ features the same 1.4GHz quad-core ARMv8 Cortex-A53 processor as the existing Pi 3 Model B+, but is aimed more at the embedded market, with a smaller form factor and 512MB of RAM instead of 1GB.

Bluetooth 4.2 is supported, as is 2.4GHz and 5GHz 802.11b/g/n/ac Wi-Fi. Power still comes in through a micro USB connector, graphics out of the usual HDMI port, and storage is on micro SD. The GPIO header and the camera and touchscreen ports are still present.

There is only one USB 2.0 port on this board, which instantly makes it less attractive for the desktop user, as you’d need a USB hub to use a mouse and keyboard with it. The Ethernet port is gone too, although Internet connectivity should be achievable through a USB-to-Ethernet adapter providing you’re using an up-to-date version of RISC OS 5.

ROOL have confirmed that RISC OS 5.26 and above is already compatible with the board, should you want to tinker with it, at a lower price of £23 instead of the £32 that the Pi 3 B+ goes for.

Probably not an ideal board for most RISC OS users unless you have a specific requirement for a cheap, small RISC OS system – but nevertheless, this board does offer a good amount of bang for your buck.

Specs:

  • Broadcom BCM2837B0, Cortex-A53 1.4GHz processor
  • 512MB LPDDR2 SDRAM
  • 2.4 GHz and 5 GHz IEEE 802.11b/g/n/ac wireless LAN
  • Bluetooth 4.2/BLE
  • Extended 40-pin GPIO header
  • 1 × full size HDMI port
  • MIPI DSI display port
  • MIPI CSI camera port
  • 4 pole stereo output and composite video port
  • Micro SD format for loading operating system and data storage
  • 5 V/2.5 A DC via micro USB connector

RISC OS gets the open source bug, finally!

posted in: Miscellaneous, Software | 0

Two decades after Acorn Computers packed its bags, RISC OS has become fully open source. This marks a big step forward for the community as a whole by removing the licence restrictions that have limited parts of the operating system’s development in one form or another since Acorn parted ways with it back in 1998.

In a nutshell

RISC OS Developments Ltd, formed last year by R-Comp’s Andrew Rawnsley and Orpheus Internet’s Richard Brown, has acquired Castle Technology along with RISC OS itself – marking an end to the shared source initiative that allowed RISC OS Open Ltd. to develop RISC OS, with Castle Technology retaining ownership of the operating system.

It has since been announced that RISC OS 5 will be re-licensed as open source effective immediately, allowing RISC OS Open to continue development without any restrictions.

ROOL co-founder Steve Revill’s thoughts on the news:

This re-licensing represents the achievement of the primary goal RISC OS Open originally set out to achieve. It is a key milestone for an important part of British computing history and the fulfillment of my long-held personal ambition to enable anyone to use RISC OS freely and contribute openly to its future.

How we got here

It’s been a bumpy and quite long-winded road to get to where we are now.

The Acorn break-up in 1998 ended with Pace (which later merged with Arris) taking ownership of RISC OS, which it wanted for its range of set-top boxes and other embedded systems. The desktop version of RISC OS was licensed out to RISC OS Ltd., who developed RISC OS 4 and eventually 6 (but not 5). Their version of the OS was supplied with the various post-Acorn 26-bit computers that emerged on the RISC OS market in the late 90s and early 2000s, namely the RiscStation ARM7500, the MicroDigital Mico and the Acorn RiscPC and A7000 line that Castle Technology continued producing.

Castle later emerged with RISC OS 5, a 32-bit version of RISC OS that would be future proof for newer ARM processors hitting the market. Castle claimed it had the rights to release and develop this version of the OS based on an agreement they’d secured during the Acorn-Pace transition. RISC OS 5 was released with the Intel XScale based Iyonix PC in 2002.

After much debate and controversy between RISC OS Ltd. and Castle as well as the community itself, Castle ended up acquiring RISC OS 5 from Pace while RISC OS Ltd. could continue developing its own 26-bit flavor.

2006 saw Castle announce that the source code would be opened up to the public under a ‘shared source’ license, meaning you could basically use and improve it as you wanted for non-commercial purposes. It is thought this decision was made because production of the Iyonix PC was coming to an end and the size of the RISC OS market at the time wasn’t big enough to make another fully-fledged commercial system viable.

Despite some development from RISC OS Ltd. (now 3QD Developments), work on their variant (RO 4 and 6) has now pretty much completely halted, and it is only compatible with legacy 26-bit hardware (pre-Iyonix).

The shared source licence allowed for the birth of RISC OS Open, who have taken RISC OS 5 from strength to strength ever since, including porting it to a number of new platforms. Among these is the hugely successful Raspberry Pi, whose wave RISC OS has been fortunate to ride since the beginning, in turn opening the OS up to a huge market of potential users, something I wouldn’t have dreamt of back in 2004/2005.

If the last decade is anything to go by, the next decade with RISC OS as an open source operating system is bound to be an exciting one.

Reading Manga from your RISC OS desktop

posted in: Software | 0

As someone who’s never been an avid manga reader in the past, I took a look at !Manga from Rick Murray out of curiosity more than anything.

I was expecting an offline reader that would take in some sort of file containing the manga book you want to view and then spit the book out at you in pages. How very wrong I was! Manga is actually a graphical front end and reader for the manga books hosted at mangareader.net, which gives you access to thousands of free manga titles.

Manga can be downloaded for free from the Pling Store. Installation is very straightforward, you unpack !Manga from its zip file and drop it to where you want on your system.

When run, an icon appears on the icon bar; clicking it brings up a menu giving access to a huge list of manga books which, once selected, are downloaded on the fly over an SSL connection to mangareader.net.

The main window will display details of the book, its author, what way the book is to be read (right-to-left usually with manga) and a few other details.

Flicking through pages is a little slow at times due to it pulling stuff from mangareader.net, but it’s definitely useable.

Rick has emphasised on the ROOL forum thread that Manga is not complete yet and still has some kinks to work out, although in my time using it, it has only crashed once, so the program is definitely usable for reading manga for more than just a few minutes.

Compatibility-wise, Manga seems to work on most RISC OS machines you chuck at it. It works fine on my Raspberry Pi 2, it’s been reported to work fine on an ARMX6, Pandaboard and even a RiscPC running RISC OS 4.39.

Whether you’re into your manga or not, Manga is a pretty impressive project and is definitely worth checking out. It is still under development, you can keep tabs on how Rick is getting on with it on the ROOL Forums.

Under the Microscope: Passwords

posted in: Software | 1

A year ago I took a look at what password manager options there were out there for RISC OS, that article covered Passman from Kevin Wells as well as Qupzilla’s built-in password manager. I didn’t however cover !Passwords by John Peachey, who’s recently updated it to work on newer hardware such as the Raspberry Pi and Titanium – so without further ado, let’s take a look…

Passwords can be downloaded from John’s website, it requires the WBModule to run, which can also be downloaded from the same page.

Installation is as easy as you might expect for a small application like this, you unpack !Passwords from its zip file and drop it to where you want on your system.

When run, it places an icon on the icon bar, from which you can open the main password database or a configuration menu. The configuration lets you hide the main window and enable or disable the password prompt being opened automatically when the application starts (by default you need to use the icon bar menu to get a prompt to log in to the password database and view or amend your passwords).

Adding, removing and amending entries in the database once you’ve logged in is as straightforward as you’d expect: there’s a field to name the entry (e.g. Facebook login), one for the username for that particular site or system, an optional comment and of course the password itself.

You’re given a default password to log in to Passwords to begin with. You can change it by clicking into the main passwords screen, middle-clicking and selecting ‘Change’. The master password isn’t stored in plain text within !Passwords or anywhere else on the system, which is good.

The passwords themselves are stored in an encrypted format, although I can’t for the life of me identify what form of encryption has been used; they don’t appear to be hashed (MD5, SHA1 etc.), so I’m going to hazard a guess that they’re being compressed in some form or another. I wouldn’t bank on it being uncrackable, but it gets the job done.
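Whatever !Passwords does internally, every password manager works under the same constraint: the stored entries have to be handed back to you, so they can be encrypted but never one-way hashed the way a login password is, and the only secret that is never written down is the master password. The block below is an added illustration of that standard design, my own code and not !Passwords’ file format (which the post could not identify). It derives keys from the master password with PBKDF2, encrypts the entries, and checks the master password indirectly through the authentication tag. The cipher is an HMAC-SHA256 keystream in counter mode, a stand-in chosen only because the Python standard library has no AES; a real vault should use an established authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import json
import os

# Hypothetical vault layout for this illustration (not !Passwords' own format):
# salt and nonce in the clear, encrypted entries, and an encrypt-then-MAC tag.
KDF_ITERATIONS = 200_000

def derive_keys(master_password, salt):
    """Stretch the master password (PBKDF2-HMAC-SHA256) into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]

def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: a standard-library stand-in for a real cipher such as AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(master_password, entries, salt=None):
    """Encrypt-then-MAC the entries under keys derived from the master password."""
    salt = salt or os.urandom(16)
    nonce = os.urandom(16)            # fresh per write, so re-saving the same vault never repeats ciphertext
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}

def open_vault(master_password, vault):
    """Return the entries, or None when the master password is wrong or the vault was altered."""
    salt, nonce, ciphertext, tag = (bytes.fromhex(vault[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time, and checked before any decryption
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))

if __name__ == "__main__":
    vault = seal("correct horse battery staple", {"Facebook login": {"user": "alice", "password": "hunter2"}})
    print("stored ciphertext:", vault["ct"])      # neither the password nor a hash of it
    print("right master password:", open_vault("correct horse battery staple", vault))
    print("wrong master password:", open_vault("password123", vault))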

That’s all there is to tell really. Passwords is a nice, small little password manager that does exactly what it says on the tin, it stores your passwords safely.