Wednesday, February 13, 2013

Why are hackers penetrating software build infrastructure?

Many recent cyber attacks on enterprises involved penetrating their product build infrastructure. The motive is either to steal code-signing certificates or to access source code. Build machines are hot spots: they either hold source code or certificates themselves, or have access to the machines that host them. In the recent attacks, certificates were stolen from these machines and used to sign the attackers' own malware with well-known enterprise certificates. The attackers may then lure other customers into installing the malware. Customers believe it is genuine software, since it is signed by a trusted brand.

Hence build infrastructure and code-signing environments are critical resources of the organization that need to be guarded with utmost care against these advanced threats. Build engineers and release engineers need to be proactive, adapt to these challenging scenarios, and contribute to preventing these advanced threats.

A lethargic build/release engineer may become a hacker's bunny. Any successful attack using stolen certificates will bring down the industry's trust in that enterprise.

Refer to the stories below, which describe how these companies were attacked.
Adobe: http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html 
Bit9: https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/
RSA: http://blogs.rsa.com/anatomy-of-an-attack/

http://krebsonsecurity.com/2011/05/advanced-persistent-tweets-zero-day-in-140-characters/
https://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/

Monday, February 11, 2013

My first experience with GlassFish Application server

GlassFish is an open source application server started by Sun Microsystems and now sponsored by Oracle. As part of a POC (proof of concept) project, I started exploring GlassFish.

Installation:
I opted to install GlassFish on a Linux (RHEL 5.4) server, since I'm more comfortable on Linux.
Download GlassFish from http://glassfish.java.net/public/downloadsindex.html .
There are a couple of options. I selected Open Source Distribution -> Full Platform -> GUI-based installer for Linux. It comes as an executable shell script such as glassfish-3.1.2.2-unix.sh.
Problems faced:
Since my Linux server was a VMware VM, the installer's GUI display did not fit the full screen of the vSphere console. Basically the installer opens an xterm, and accessing an xterm from a PuTTY remote console is not a straightforward option.
To get around it, I enabled vncserver on the Linux machine and accessed the VNC session using UltraVNCViewer.
Now the installer xterm was displayed perfectly. I chose the typical installation and selected the option to set up the service (init scripts). It created a default domain (domain1), and the installation completed smoothly.


GlassFish defaults.
    Administration console: https://localhost:4848/
    How to restart?
          /etc/init.d/GlassFish_domain1 start/stop/restart

    Other details
     -----------------------
     Domain Name: domain1
     Admin port: 4848
     Http port: 8080
     Username: admin
     Server Log: <glassfish-installation-root>/glassfish/domains/domain1/logs

     -----------------------

Start/stop/list domains
The asadmin command is available in the installation directory. Add it to your PATH.
    asadmin start-domain
    asadmin stop-domain
    asadmin list-domains


Starting and Stopping the Database Server  (not used at this moment)
  To start the JavaDB server from its default location: asadmin start-database --dbhome as-install-parent/javadb
  To Stop the Java DB Server: asadmin stop-database

Starting the Administration Console
  Access http://localhost:4848 and log in.
  Problem faced: When I tried to log in to this URL from a remote machine, it gave the error
     Glassfish version 3.1.2: Secure Admin must be enabled to access the DAS remotely.
  Resolution: 
    Activate secure admin by using the following command line and restart GlassFish.
        asadmin --host [host] --port [port] enable-secure-admin
  
        The host is the host name or IP address of the Glassfish Server.
        The port is the target Glassfish Server port i.e. 4848.  


Deploying and Undeploying the Sample Application From the Command Line
  asadmin deploy myapp.war

Access the application by typing the following URL in your browser:
  http://localhost:8080/myapp

To List Deployed Applications From the Command Line:
   asadmin list-applications

To Undeploy the Sample Application From the Command Line
   asadmin undeploy myapp


Deploying and Undeploying Applications by using the Administration Console
 Launch the Administration Console by typing the following URL in your browser: http://localhost:4848
 Click Applications in the left column -> Click the Deploy button -> Select Packaged File -> Browse -> Specify a description -> Click OK
 Select the check box next to the myapp application and click the Launch link to run the application.
 Access the application using https://10.31.177.78:8181/myapp
 Similarly, it can be undeployed using the Undeploy button.

Problem faced: The Linux firewall had blocked ports 8080 and 8181. Unblocked them.


To Deploy the Sample Application Automatically
  cp myapp.war as-install/domains/domain-name/autodeploy

To Undeploy the Sample Application Automatically
  cd as-install/domains/domain-name/autodeploy
  rm myapp.war

Thursday, February 7, 2013

Extracting tar.xz and tar.bz2 files

Extracting tar.xz files
xz is one of the archive formats generated using XZ Utils. XZ Utils (previously LZMA Utils) is a set of free command-line lossless data compressors, including LZMA and xz.

Check whether the xz command is already available on your system by running `which xz`. If it is not, download it from http://tukaani.org/xz/ and extract the source (e.g. tar xvfz xz-5.0.4.tar.gz).

To compile the source, run the commands below in sequence:
1) ./configure
2) make
3) make install

Make sure xz is installed successfully by running `which xz`.

Uncompress your xz file using the '-d' option; this leaves a plain .tar file that tar can then unpack.
  Ex:   xz -d coreutils-8.12.tar.xz
 
Extracting tar.bz2 files
bz2 files are bzip2 archive files. Extracting them is straightforward: pass the 'j' option to your tar command.
  tar xvfj glibc-2.11.3-78856c5c73f74d.tar.bz2
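
Both procedures above unpack whatever was downloaded, and the xz one goes on to run make install from it. As an added example (not from the original post), this script checks a downloaded tarball against a published SHA-256 and rejects absolute or ".." member paths before extracting into a dedicated directory. The function names are hypothetical, and it assumes sha256sum plus a tar that detects xz/bzip2 compression itself when reading, as current GNU tar and bsdtar do.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of tar or xz.

# verify_sha256 FILE EXPECTED_HEX: succeed only if FILE hashes to EXPECTED_HEX.
# Take EXPECTED_HEX from a channel you trust (e.g. a signed release
# announcement), not from the same place the archive was downloaded from.
verify_sha256() {
    actual=$(sha256sum "$1" | awk '{print $1}') || return 1
    [ "$actual" = "$2" ]
}

# listing_is_safe: read member names on stdin, one per line as printed by
# `tar -tf`; fail if any is absolute or contains a ".." path component.
listing_is_safe() {
    while IFS= read -r name; do
        case "$name" in
            /*|..|../*|*/..|*/../*) return 1 ;;
        esac
    done
    return 0
}

# safe_extract ARCHIVE DESTDIR [EXPECTED_SHA256]
# Returns 2 on checksum mismatch, 3 on an unsafe member path, otherwise
# tar's own exit status. Files land in DESTDIR, never the current directory.
safe_extract() {
    archive=$1; dest=$2; expected=${3:-}
    if [ -n "$expected" ] && ! verify_sha256 "$archive" "$expected"; then
        echo "checksum mismatch: $archive" >&2
        return 2
    fi
    if ! tar -tf "$archive" | listing_is_safe; then
        echo "unsafe member path in: $archive" >&2
        return 3
    fi
    mkdir -p "$dest" && tar -xf "$archive" -C "$dest"
}

# Usage (placeholder checksum, fill in the published value):
#   safe_extract coreutils-8.12.tar.xz ./src <published-sha256>
```

The path check only covers member names; it does not inspect symlink targets, so build in a scratch directory as an unprivileged user and keep make install as the only step that needs elevated rights.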