Thursday, January 11, 2007
The break is over
Wednesday, April 26, 2006
Windows Vista Firewall
Wednesday, April 19, 2006
Oracle Critical Patch Update
Time to patch your Oracle Database, Grid Control, Application Server and more.
http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html
Multiple vulnerabilities have been reported. Impacts range from unknown to
SQL injection attacks and bypass of certain security restrictions.
Patches are available.
Critical Patch Update Schedule
Critical Patch Updates are released on the Tuesday closest to the 15th day of January, April, July and October. The next four dates are:
* 18 July 2006
* 17 October 2006
* 16 January 2007
* 17 April 2007
Rootkit Hunter Unix Linux BSD
- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files
Rootkit Hunter is released as a GPL-licensed project and is free for everyone to use.
* No, not really 99.9%. It's just another security layer.
Rootkit Hunter can easily be run as a cron job, with the result mailed to you.
Tested on:
- AIX 4.1.5 / 4.3.3
- ALT Linux
- Aurora Linux
- CentOS 3.1 / 4.0
- Conectiva Linux 6.0
- Debian 3.x
- FreeBSD 4.3 / 4.4 / 4.7 / 4.8 / 4.9 / 4.10
- FreeBSD 5.0 / 5.1 / 5.2 / 5.2.1 / 5.3
- Fedora Core 1 / Core 2 / Core 3
- Gentoo 1.4, 2004.0, 2004.1
- Macintosh OS 10.3.4-10.3.8
- Mandrake 8.1 / 8.2 / 9.0-9.2 / 10.0 / 10.1
- OpenBSD 3.4 / 3.5
- Red Hat Linux 7.0-7.3 / 8 / 9
- Red Hat Enterprise Linux 2.1 / 3.0
- Slackware 9.0 / 9.1 / 10.0 / 10.1
- SME 6.0
- Solaris (SunOS)
- SuSE 7.3 / 8.0-8.2 / 9.0-9.2
- Ubuntu
- Yellow Dog Linux 3.0 / 3.01
Confirmed to work also on:
- DaNix (Debian clone)
- PCLinuxOS
- VectorLinux SOHO 3.2 / 4.0
- CPUBuilders Linux
- Virtuozzo (VPS)
Rootkit hunter will search for:
'Supported' rootkits/backdoors/LKMs/worms:
55808 Trojan - Variant A
ADM W0rm
AjaKit
aPa Kit
Apache Worm
Ambient (ark) Rootkit
Balaur Rootkit
BeastKit
beX2
BOBKit
CiNIK Worm (Slapper.B variant)
Danny-Boy's Abuse Kit
Devil RootKit
Dica
Dreams Rootkit
Duarawkz Rootkit
Flea Linux Rootkit
FreeBSD Rootkit
Fuck`it Rootkit
GasKit
Heroin LKM
HjC Rootkit
ignoKit
ImperalsS-FBRK
Irix Rootkit
Kitko
Knark
Li0n Worm
Lockit / LJK2
mod_rootme (Apache backdoor)
MRK
Ni0 Rootkit
NSDAP (RootKit for SunOS)
Optic Kit (Tux)
Oz Rootkit
Portacelo
R3dstorm Toolkit
RH-Sharpe's rootkit
RSHA's rootkit
Scalper Worm
Shutdown
SHV4 Rootkit
SHV5 Rootkit
Sin Rootkit
Slapper
Sneakin Rootkit
Suckit
SunOS Rootkit
Superkit
TBD (Telnet BackDoor)
TeLeKiT
T0rn Rootkit
Trojanit Kit
URK (Universal RootKit)
VcKit
Volc Rootkit
X-Org SunOS Rootkit
zaRwT.KiT Rootkit
Rootkit Developers Site http://www.rootkit.nl/
- 1.2.8 Latest release (MD5 (rkhunter-1.2.8.tar.gz) = 41122193b5006b617e03c637a17ae982)
Thursday, April 06, 2006
Talisker Computer Network Defense
The Talisker Computer Network Defense provides an excellent overview of the global Internet security threat level. The Talisker Network Defense contains several nice features, like separate information blocks with the latest security news, security vulnerabilities, security tools, virus alerts, and links to all the nitty-gritty technical details, if you like. An IT security control board, one could say. Check it out.
It will give you a flashback of "War Games" for sure. /Falcon
It is an excellent page to visit every now and then if you're interested in global IT security and want to keep up with the global IT security levels, without having to read hundreds of emails and web pages every day.
New installation, fresh new baby machine, security thoughts
Wednesday, April 05, 2006
Today's Security Book: Black Hat, Attacking & Defending Physical Devices
It covers The Enveloping Paradigm, Inheriting Security Problems, Information Security, Mitigating Exposures, Monitoring Software Exposures, Authenticating People, Taking a Hard Look at Hardware, Notifying Systems, Factoring Source Code.
You will find it at amazon.
Shoutcast Radio While Hacking Code
One thing though: you might want to have a spare keyboard as redundancy, because you will hammer your day away.
Download an mp3 player with streaming radio capabilities, like Jet Audio or Winamp,
and enjoy Chronix Aggression Radio.
This morning's cast included
Song: "What Comes Around"
Album: Revolution - Revolución
Artist: Ill Niño
Label: Roadrunner Records
Song: "Stay"
Album: cultura 3
Artist: Agresion
Label: label name not provided
Song: "Crush"
Album: Best of Pro-Pain 2001
Artist: Pro-Pain
Label: Spitfire
Song: "last resort"
Album: RABAUTZ!
Artist: SUB DUB MICROMACHINE
Label:
Monday, March 27, 2006
Starting, stopping, flushing and saving firewall rules, Iptables/Netfilter
Iptables/Netfilter on Red Hat, Fedora, SuSE and many other Linux/Unix systems.
As user root (#)
Using the service and chkconfig commands
It's as simple as running:
# service iptables stop
# service iptables start
# chkconfig --list iptables
# chkconfig iptables on (enable the iptables firewall at boot; adds symbolic links in /etc/rc[0-6].d)
# chkconfig iptables off (disable the iptables firewall at boot; removes the symbolic links)
Adding rules to iptables on the fly is easy, but be very sure that you know what you are doing. Don't apply new rules on a production environment and pray it will work.
To add, let's say, a rule that drops HTTP access to our web server from the whole Internet:
# iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j DROP
To add a rule for outgoing traffic, let's say drop all outgoing FTP traffic:
# iptables -A OUTPUT -s 192.168.0.0/24 -p tcp --dport 21 -j DROP (specify your network with the correct netmask; /24 for a private home network, for example)
Rules applied on the fly will not be saved automatically; you will have to save them
by running:
# service iptables save (saves the current rules to the /etc/sysconfig/iptables file)
[root@mimir ~]# ls -lrt /etc/sysconfig/iptables
-rw------- 1 root root 314 Mar 27 14:38 /etc/sysconfig/iptables
[root@mimir ~]# more /etc/sysconfig/iptables
# Generated by iptables-save v1.2.11 on Mon Mar 27 14:38:15 2006
*filter
:INPUT ACCEPT [1491:174656]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [684:111318]
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 21 -j DROP
COMMIT
# Completed on Mon Mar 27 14:38:15 2006
List your iptables rules
# iptables -nL (numeric output: addresses and ports shown as numbers)
# iptables -L (names resolved where possible)
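An added example (my own shell script, not from the original post or from the iptables package) that audits a ruleset in the format service iptables save writes, using the ruleset shown above as input. It reports each chain's default policy and flags inbound chains that are default-allow, which the saved ruleset above is: only port 80 is dropped on INPUT and every other port is accepted; the default-deny ruleset it is compared with is a constructed illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit a ruleset saved in
# iptables-save format (what "service iptables save" writes to
# /etc/sysconfig/iptables). It reports each chain's default policy and
# flags inbound chains that are default-allow, i.e. where only the ports
# listed in explicit DROP rules are blocked and every other port is open.

# The ruleset shown in the post, reproduced here as sample input.
SAMPLE_RULESET='# Generated by iptables-save v1.2.11 on Mon Mar 27 14:38:15 2006
*filter
:INPUT ACCEPT [1491:174656]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [684:111318]
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A OUTPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 21 -j DROP
COMMIT
# Completed on Mon Mar 27 14:38:15 2006'

# A constructed default-deny variant for comparison (assumed, not from the
# post): INPUT and FORWARD default to DROP, and only loopback, replies to
# our own connections and SSH are accepted explicitly.
HARDENED_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 21 -j DROP
COMMIT'

# chain_policy RULESET CHAIN: print the default policy of CHAIN in the
# filter table (the ":CHAIN POLICY [pkts:bytes]" header line).
chain_policy() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == (":" chain) { print $2; exit }
    '
}

# drop_rule_count RULESET CHAIN: number of "-A CHAIN ... -j DROP|REJECT"
# rules, i.e. what the chain blocks explicitly.
drop_rule_count() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-A" && $2 == chain {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && ($(i + 1) == "DROP" || $(i + 1) == "REJECT")) n++
        }
        END { print n + 0 }
    '
}

# audit_ruleset RULESET: one report line per built-in chain; returns 1 if
# INPUT or FORWARD is default-allow, 0 if both default to DROP.
audit_ruleset() {
    status=0
    for chain in INPUT FORWARD OUTPUT; do
        policy=$(chain_policy "$1" "$chain")
        drops=$(drop_rule_count "$1" "$chain")
        printf '%-8s policy=%-7s explicit DROP/REJECT rules=%s\n' \
            "$chain" "$policy" "$drops"
        if [ "$chain" != OUTPUT ] && [ "$policy" != DROP ]; then
            printf '  WARNING: %s is default-allow; only the listed ports are blocked\n' "$chain"
            status=1
        fi
    done
    return $status
}

echo "--- ruleset from the post ---"
audit_ruleset "$SAMPLE_RULESET" || echo "verdict: default-allow, consider a DROP policy with explicit ACCEPT rules"
echo "--- constructed default-deny ruleset ---"
audit_ruleset "$HARDENED_RULESET" && echo "verdict: default-deny"
```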
Monday, March 20, 2006
Pwdump6 (version 1.2 BETA) released.
The ever so popular LanMan password hash grabber has a new release.
Pwdump6: Windows 2000/XP/2003 NTLM and LanMan password grabber.
Now with support for Blowfish encryption to secure the data, which would make
it possible to evade some IDS signatures. 96-bit key generation scheme.
For those who have never used pwdump: it dumps the password hashes
with the help of DLL injection into the Local Security Authority Subsystem.
What to do with the hashes? Well, if you are doing a password audit, you could
run the hashes through John the Ripper, or @stake's L0phtCrack (LC3, LC4), to try to extract
weak cleartext passwords. A password with only A-Z characters and no special characters, such as
#!;-[]"#, will most likely be broken in a short period of time.
Sunday, March 19, 2006
Linux System Security, Enhancing Security In Linux
Enhancing Security In Linux.
SELinux http://www.nsa.gov/selinux/ SELinux stands for Security Enhanced Linux, and is an implementation of Linux Security Modules (LSM) in a Linux kernel.
SELinux for distributions: SELinux for different distributions can be found here.
SELinux Getting Started HOWTO http://www.lurking-grue.org/selinuxHOWTO.html
AppArmor http://en.opensuse.org/Apparmor
GrSecurity: grsecurity is an innovative approach to security utilizing a multi-layered detection, prevention, and containment model. It is licensed under the GPL. It offers among many other features:
Wednesday, March 08, 2006
Crackers never sleep
Top Ten "Most Wanted?" Ports according to the great isc.sans.org
These guys are doing a superb job at the Storm Center. Read the handlers' diary and you will know
why. http://isc.sans.org/
Monday, March 06, 2006
Pen-test tools, Windows Environment.
During my years working with IT security, I have used hundreds and hundreds of tools for penetration tests and security scans. The tools and scripts have been of varying quality, and the short list I have made here contains some of the top-of-the-line tools, in my opinion. This is just a fraction of all the tools out there.
Port Scanning tools
nmap (network mapping)
Processes, Files, Operating Systems, System Calls etc.
Sysinternals
Excellent tools for digging into your operating system. Monitor processes, network and files: Psmon, PsExec,
PsTools, SDelete, PsInfo, PsLoggedOn, RootkitRevealer v1.7, ShareEnum v1.6 and much more. A goldmine for IT security people. Want to know what a virus, trojan or worm's moves are? Check out
http://www.sysinternals.com/ for tools.
Vulnerability scanner
NessusWX, a Nessus win32 client.
This is a good start. Remember, these are just tools, and you will have to know TCP/IP and how an operating system works to get the full value out of them. Read the README files and documentation
before you start.
Encrypt and protect your files and data.
Well, that should be easy to determine. All your computerized work equipment, for starters.
PDA (Personal Digital Assistant): Palm, Pocket PC, Treo, your smartphone, laptop and workstation. Even your USB memory, flash cards and other portable storage devices you use. Imagine losing your laptop and PDA at the airport. The agony of not knowing what vital information you just left exposed to anyone who gets hold of your devices. Encrypt your data, and you will at least keep whoever picks them up from simply reading your files and data. Encryption does not represent 100% security for your files and information, but it will make it many times harder, even for professional IT security experts, to force. And amateurs will most likely not bother to try; it is just too hard.
One free product that I like is TrueCrypt.
TrueCrypt
has been around for some years, and it is free as in open source, on-the-fly encryption.
Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:
1) Hidden volume (steganography – more information may be found here).
2) No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).
Encryption algorithms: AES-256, Blowfish (448-bit key), CAST5, Serpent, Triple DES, and Twofish.
Mode of operation: LRW (CBC supported as legacy).
Friday, February 17, 2006
Bluetooth Worm for Mac OS X
F-Secure Weblog
ISC Internet Storm Center
Technorati Tags:
bluetooth worm, mac os x, proof of concept, f-secure, internet storm center, sans, vulnerability, OBEX
Tuesday, February 07, 2006
Firefox users, update to 1.5.0.1
the wild by now. The exploit code was developed on the Metasploit framework. Don't let the bad guys take over your box; do yourself a favour and update now.
Thursday, February 02, 2006
Nmap 4.0 released. Brief review.
Nmap, one of the most popular, and best (in my opinion), network mappers has reached version 4 today. Nmap is a free network mapper and has a range of nice pen-test features, both as a traditional command line tool ($ nmap -v -A target_host) and with a GUI (Graphical User Interface). I came in contact with nmap back in 1999, version 2.x something, and it has been my companion ever since.
Nmap is perfect if you want to make certain what ports you are exposing, and what
services that are running. I always use nmap to make a last check before I plug a new
machine online. This is good common practice, even if you are only going online with your home office machine.
Installation example from a Linux box.
[user@mimir INCOMING]$ tar -zxvf nmap-4.00.tgz
(Extract the compressed tarball. The *.tgz is
gzipped and tarred, so you need the z option together with x, or gunzip the tarball first and then use # tar -xvf
to extract all the files.)
Next step is to cd (change directory) into the nmap source directory.
[user@mimir INCOMING]$ cd nmap-4.00
[user@mimir INCOMING]$ ./configure (run the configure script, using the default options first)
You will see a great deal of output echoed to your terminal.
If all goes well, you should be ready to compile nmap.
checking for pkg-config... /usr/bin/pkg-config
checking for GTK+ - version >= 2.0.0... yes (version 2.4.13)
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
configure: creating ./config.status
config.status: creating Makefile
[user@mimir INCOMING]$ make (the make command compiles the source into executable binaries)
This can take some time, depending on your computer's resources, but on a 1 GHz machine with 512 MB of RAM about 3-4 minutes tops.
If you want nmap to be installed in /usr/local/bin you will need root privileges.
If that is the case (congrats) you just type # make install as user root. (Use the su - command to switch to user root.)
Here is sample output from an nmap scan of localhost (127.0.0.1), the loopback interface.
[user@mimir INCOMING]$ ./nmap -v -sT localhost
Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-01 20:44 CET
Machine 127.0.0.1 MIGHT actually be listening on probe port 80
DNS resolution of 0 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 0, CN: 0]
Initiating Connect() Scan against localhost.localdomain (127.0.0.1) [1672 ports] at 20:44
Discovered open port 443/tcp on 127.0.0.1
Discovered open port 21/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 3306/tcp on 127.0.0.1
The Connect() Scan took 0.46s to scan 1672 total ports.
Host localhost.localdomain (127.0.0.1) appears to be up ... good.
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1667 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
443/tcp open https
3306/tcp open mysql
Nmap finished: 1 IP address (1 host up) scanned in 0.949 seconds
Remember! Nmap is a powerful tool and should be used with care. I have seen hosts (I will not mention which OS) take a nose dive after being scanned by nmap. (This is of course not the purpose of nmap, but it can happen.) So don't go off scanning a production environment before
you know for sure what will happen on the scanned hosts.
Ok, may the nmap force be with you!
One final note. If you have seen Matrix 2, Reloaded, you have seen nmap in action. Trinity used it to target a host in the movie.
Nmap is free and open source, and source code for *nix, Windows and MacOS is available.
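An added example (my own, not from the original post or the nmap project) of the last check described above: it parses the port table of nmap's normal output and reports every open port that is not on an allow-list of ports the host is supposed to expose. The sample input is the localhost scan shown above; the allow-lists are assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or from the nmap project:
# compare the open ports in an nmap scan with the ports a host is meant to
# expose, the "last check before plugging a new machine in" described
# above. Anything open that is not on the allow-list is printed.

# The localhost scan shown in the post, reproduced as sample input.
SAMPLE_SCAN='Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-02-01 20:44 CET
Host localhost.localdomain (127.0.0.1) appears to be up ... good.
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1667 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
443/tcp open https
3306/tcp open mysql
Nmap finished: 1 IP address (1 host up) scanned in 0.949 seconds'

# open_ports SCAN: print "port/proto service" for every open port in the
# port table of nmap's normal output (lines such as "80/tcp open http").
open_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }'
}

# unexpected_ports SCAN ALLOWED: print the open ports that are not in the
# space-separated allow-list ALLOWED (e.g. "22/tcp 80/tcp"); returns 1 if
# any were found, 0 if the host exposes only what it should.
unexpected_ports() {
    found=0
    for entry in $(open_ports "$1" | awk '{ print $1 "=" $2 }'); do
        port=${entry%%=*}
        service=${entry#*=}
        case " $2 " in
            *" $port "*) ;;                           # on the allow-list
            *) printf '%s %s\n' "$port" "$service"; found=1 ;;
        esac
    done
    return $found
}

# Example run (allow-list assumed): a web server is supposed to expose only
# HTTP and HTTPS, so the open FTP and MySQL ports are reported.
if unexpected_ports "$SAMPLE_SCAN" "80/tcp 443/tcp"; then
    echo "host exposes only the expected ports"
else
    echo "unexpected listeners found; close or firewall them before going online"
fi
```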
Download Nmap here
Technorati Tags:
nmap, network mapper, scan, port, tcp, udp, stealth, fyodor, insecure.org
http://nordstrommarna.mine.nu/article.php/nmap_version_4_review
Wednesday, February 01, 2006
Online pen-test tools
find yourself asking, would it be possible for me to do my own security test from
the outside (the Internet) in? Well yes, it is possible. Check the links, especially
Online Perimeter and Content Scanning. But hey, use them with care, and only on your own machines. The guys behind the tool sites will most likely log everything.
Online Perimeter and Content Scanning
Lots of online tools. Use with care; abuse is not and will not be tolerated.
Online port scanners, nessus scanners, dns scanners, apache scanners, firewall testers, open relay tests,
virus scanners and much more..
http://webscan.security-check
http://www.pcflank.com/exploits
More Online Tools
http://www.dirk-loss.de
Don't forget traceroute. Traceroute can be very useful. On Unix/Linux systems
you also get to choose whether you want to trace with UDP or ICMP packets.
The ICMP traceroute option is excellent if there are firewalls between you and the host which accept ICMP packets.
Online Traceroute can be found here
Technorati Tags:
traceroute, TIME_EXCEEDED, udp, icmp, tcp, elicit, ip, protocol, network, hops, router,
Tuesday, January 31, 2006
Blackworm CM-24. File deletion has begun according to F-Secure
(Disgruntled former co-worker?)
So dig out the Blackworms before February 3, and keep your files intact. Most of the leading anti-virus software (when updated) can clean this worm out, and/or check out BitDefender's removal tools. Removal Tools
Technorati Tags:
Blackworm, Nyxem, Nyxem.A, Overwrite, DDoS
Extremely Critical Winamp Vulnerability Reported
If you have Winamp version 5 or lower (check the splash screen or About in the player's menu), you should really consider an upgrade immediately.
Secunia reports a Winamp Computer Name Handling Buffer Overflow Vulnerability.
Secunia
As the exploit (the code hackers use to attack systems) is out in the wild, it
is most likely being used as you read this. So upgrade now to version 5.13 if you don't want
any unwanted guests on your PC.
Winamp 5.13 Here
Go go go!
A specially crafted playlist on a malicious website might use this code to gain access to or compromise users' systems.
Technorati Tags:
secunia, winamp, vulnerability, upgrade, exploit, remote access, 5.13,
Wednesday, January 25, 2006
Fwanalog, analyse your firewall logs now!
find this tool a lot more useful. So start parsing your firewall logs today!
fwanalog is a shell script that parses and summarizes firewall logfiles. It currently (version 0.6.9) understands logs from ipf (tested with OpenBSD 2.8's and 2.9's ipf, also FreeBSD, NetBSD and Solaris 8 with ipf (+ ipfw on FreeBSD)), OpenBSD 3.x pf, Linux 2.2 ipchains, Linux 2.4 iptables, some ZyXEL/NetGear routers and Cisco PIX, Watchguard Firebox, Firewall-One (not NG!), FreeBSD ipfw and Sonicwall firewalls.
(You might need to change the shebang line to bash on non-free Unixes that don't ship with a powerful enough /bin/sh.)
It can be easily extended for other logfile formats, all it takes is editing two regular expressions.
fwanalog uses the excellent log analysis program Analog (also free software) to create its reports. It does so by converting the firewall log into a fake web server log and calling Analog with a modified configuration.
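An added example (my own, not fwanalog's code) of the technique just described: firewall log lines are rewritten as a fake web server log in Common Log Format, so a web log analyzer can count hits per source address and port. The sample lines are constructed Linux 2.4 iptables syslog entries, and the mapping of SRC to client and proto/DPT to requested page is my own assumption, not fwanalog's actual regular expressions.

```shell
#!/bin/sh
# Added example, not fwanalog's own code: the technique described above,
# rewriting firewall log lines as a fake web server log so that a web log
# analyzer such as Analog can count "hits" per source address and per port.
# The sample lines are constructed Linux 2.4 iptables syslog entries, and the
# field mapping (SRC becomes the client, "/proto/DPT" the requested page) is
# my own choice, not fwanalog's.

SAMPLE_LOG='Jan 25 10:15:01 mimir kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1234 DF PROTO=TCP SPT=34567 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 25 10:15:02 mimir kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1235 DF PROTO=TCP SPT=34568 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 25 10:15:03 mimir kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=192.168.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=53 DPT=1026 LEN=20
Jan 25 10:15:04 mimir sshd[123]: Accepted password for salt from 192.168.0.2 port 40000 ssh2'

# fw2weblog YEAR: read syslog lines on stdin, emit one Common Log Format
# line per logged packet. Syslog lines carry no year, so it is passed in.
fw2weblog() {
    awk -v year="$1" '
        # Only kernel lines with packet fields are firewall hits; the sshd
        # line in the sample is skipped.
        $5 != "kernel:" || $0 !~ /SRC=/ { next }
        {
            src = ""; dpt = ""; proto = ""
            for (i = 6; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
            }
            # "Jan 25 10:15:01" -> "[25/Jan/2006:10:15:01 +0000]"
            stamp = sprintf("%02d/%s/%s:%s +0000", $2, $1, year, $3)
            printf "%s - - [%s] \"GET /%s/%s HTTP/1.0\" 200 0\n", src, stamp, tolower(proto), dpt
        }
    '
}

# hits_per_source: read the fake web log on stdin, print "count address"
# lines, busiest source first (what Analog would chart as top hosts).
hits_per_source() {
    awk '{ n[$1]++ } END { for (a in n) print n[a], a }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | fw2weblog 2006
printf '%s\n' "$SAMPLE_LOG" | fw2weblog 2006 | hits_per_source
```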
Technorati Tags:
fwanalog, analog, parse, logs, analyse, firewall, checkpoint, cisco pix, FreeBSD ipfw, Sonicwall firewalls
Spybot search and destroy. Get serious about protecting yourself against spyware.
As I am a huge fan of Unix/Linux, the open source world and IT security, I have rarely had any good security products to recommend for Microsoft Windows, especially on the client side. But over the last few years, the security products protecting Windows installations have improved dramatically. When I think about spyware protection, this magnificent piece of software comes to my mind.
Spybot Search and Destroy is free to install and use; however, you should consider donating a little money if you find it useful, which I am almost convinced that you will.
Spybot - Search & Destroy can detect and remove spyware of different kinds from your computer. Spyware is a relatively new kind of threat that common anti-virus applications do not yet cover. If you see new toolbars in your Internet Explorer that you didn't intentionally install, if your browser crashes, or if your browser start page has changed without your knowing, you most probably have spyware. But even if you don't see anything, you may be infected, because more and more spyware is emerging that is silently tracking your surfing behaviour to create a marketing profile of you that will be sold to advertisement companies. Spybot-S&D is free, so there's no harm in trying to see if something snooped into your computer, too :)
To see a list of threats that Spybot-S&D can remove, click on Support in the navigation bar at the left, and there on Threats. If you want an introduction how Spybot-S&D works, please read the tutorial. If you fear incompatibility with other software you are using, we can assure you that will not be the case. Still, we have created a compatibility overview listing some software that compatibility has been asked for before.
Spybot-S&D can also clean usage tracks, an interesting function if you share your computer with other users and don't want them to see what you worked on. And for professional users, it allows to fix some registry inconsistencies and extended reports. A list of features is available if you click on features.
Spybot Search and Destroy is a must-have if you want to protect yourself against spyware. Runs on Microsoft Windows 95, Windows 98, Windows NT, Windows ME, Windows 2000, Windows XP, Windows 2003, Tablet PC Edition and Windows PE.
http://www.safer-networking.org/en/index.html
Technorati Tags:
Spybot search and destroy, spyware, malware, Microsoft windows 95, windows 98, windows NT, windows ME, windows 2000, windows XP, windows 2003, Tablet PC Edition and Windows PE.
Friday, January 13, 2006
gpg: keyblock resource `/home/user': file open error
Key generation failed: file create error
gpg: can't create `/home/REPLACE_WITH_YOUR_USER/.gnupg/random_seed': No such file or directory
This problem occurs because the .gnupg directory hasn't been created by the time you generate your keys.
So you will have to create the directory by hand.
$ mkdir .gnupg
$ gpg --gen-key
[salt@mimir ~]$ ls .gnupg
pubring.gpg pubring.gpg~ random_seed secring.gpg trustdb.gpg
Et voilà, no rocket science behind that gpg problem.
However, this is a very common mistake amongst experienced Unix users. We tend to spend 3 or more
days testing rather than 5 minutes with the manual. Maybe that's why we eventually become experts on the systems:
trial and error, learning by doing.
ALX
Surf a lot safer method, a must read if you don't want spyware/adware and other junk.
paths and the virtual machine will boot up with the /usr/sbin/vmplayer command.
This should be very useful for all sysadmins who care about not catching malware while browsing with
admin rights on their machine. Especially Windows administrators would be able to drop the Terminal Server
workaround. Unix/Linux users would probably go home free anyway, but we don't know what the future of the malicious code front will have to offer for the GNU world.
$ /usr/bin/vmplayer
A simple startup script for vmplayer could be located in /etc/rc.d/rc.local. Just add the line /usr/bin/vmplayer
before the line touch /var/lock/subsys/local. At every boot, this script will run the vmplayer command and start up the virtual machine.
Go get it now! Don't forget to read the manuals, fella surfer.
http://www.vmware.com/products/player/
ALX
Wednesday, January 11, 2006
New PC = New installation, what to think about concerning client security
A few ideas about
IT security if you've bought a new PC, laptop or server, and have a brand new installation
of XP, Windows 2003, Linux or MacOS.
Before connecting to the Internet, use a patched machine to download ALL the service
packs and patches for your operating system. Don't even think about going online
before doing that, especially if you're running Windows or a default installation of Linux.
The average time before a windows machine is infected by malicious code is down to minutes.
What people need to realize is that you don't have to be using the Internet with an Internet application, such as Internet Explorer, Outlook, Skype or Firefox, to get unwanted code. You are literally surrounded by infected machines the millisecond you receive your first packet.
Why is that?
Well, the malicious code (read worms, trojans, viruses, spyware) is spread
automatically, by other infected machines. The code looks for known and unknown
vulnerabilities on different ports and services, and tries to automatically exploit
a service and transfer a bunch of code. This technique has proven
to be very successful, as it works day and night, without any human behind the
keyboard. The code writer can just sit down and play Quake, and wait until
he has enough hosts to use for another purpose. He might use your computer
to attack other "enemies" on his favourite IRC channel, or if he or she is a
disgruntled ex-employee, he might run a DDoS attack against his ex-company's
website. The source address will be yours!
Something else that bothers me is that users seem to believe that as they don't
use their credit cards online, or buy anything for that matter online, they
are safe. Well, if you leave your CV with personal info, such as your social
security number, you might be targeted for identity theft instead.
The scariest I have read so far is about a fella online poker player. He had his
machine hacked, and the attacker gained unauthorized access to his webmail account.
The attacker must have figured out a way to reset the target's poker client password.
It's usually only a matter of using a form on the poker site and clicking "forgot my password".
A brand new password will be generated and e-mailed to the player's e-mail account.
Bah!
From there he got robbed, as the attacker transferred his bankroll of $67.000 USD.
Yes, sixty-seven thousand dollars US. That's quite a sum of money to lose this way.
I haven't read any follow-up on this case, but the forensic team should be able to
catch some info about the attacker. It all depends on how sophisticated the attacker
was in cleaning up the digital evidence. What's for sure is that it will take time
for the poor guy to get his money back, if he ever will. I'm not a lawyer, and I must
admit that I haven't read the fine-print agreement before signing up for a poker site.
I doubt they will compensate him though.
So fella bloggers, poker players, people, do that little extra work and patch your systems
off-line. It will be worth it.
Technorati Tags:
it security, identity theft, client security, poker, webmail, patch, hotfix
Countermeasures:
1) Patch and update your system; most systems have a built-in function for automatic updates.
2) Issue an extra card with a low credit limit, or just transfer the amount that you are going to shop for from your bank account. Some banks can even issue a new card number every time you want to go online shopping.
3) Check out Password Safe for keeping your PIN codes encrypted and much safer than in a Word document.
PasswordSafe Open Source project
gpgdir: an excellent Perl script that takes full advantage of gpg
Check it out! http://www.cipherdyne.com/gpgdir/
gpgdir is a Perl script that uses the CPAN GnuPG module to encrypt and decrypt directories using a gpg key specified in ~/.gpgdirrc.
gpgdir supports recursively descending through a directory in order to make sure it encrypts or decrypts every file in a directory and all of its subdirectories. In addition, gpgdir is careful not to encrypt hidden files and directories.
Technorati Tags: gpg, crypto, pgp, script, cipher, cpan
A heavy flaw in WMF has been reported. Patch your Windows systems ASAP!
The WMF vulnerability uses images (WMF images) to execute arbitrary
code. It will execute just by viewing the image. In most cases, you
don't have to click anything. Even images stored on your system may cause
the exploit to be triggered if they are indexed by some indexing
software. Viewing a directory in Explorer with 'Icon size' images will
cause the exploit to be triggered as well. Microsoft announced that an
official patch will not be available before January 10th 2006 (next
regular update cycle). But there are several workarounds available. This
is one of them. I haven't tested this hotfix, so I can't guarantee
anything, but the guys at SANS usually know what they're doing.
MSI WMF Hotfix link http://handlers.sans.org/tliston/WMFHotfix-1.4.msi
More information about the WMF flaw can be found at isc.sans.org
Tuesday, January 10, 2006
Splunk review (free version)
(Splunk Server version 1.1 build 3772) to be exact, and the first review concerns installation, look and feel.
I am an experienced Unix/Linux sysadmin, but the installation was just a kick, and the installation script gave me yes or no options, which made it extremely easy to install. Just chmod +x splunk-Server-1.1-linux-installer.bin so it's executable and start the install phase with # ./splunk-Server-1.1-linux-installer.bin.
Starting the Splunk server was just as easy. Run the splunk Bourne shell script as follows:
[root@mimir splunk]# /opt/splunk/bin/splunk start
== Checking prerequisites...
Version is Splunk Server
Checking http port [8000]: open
Checking https port [8001]: open
Checking mgmt port [8089]: open
Checking search port [9099]: open
== All checks passed
Starting splunkd [ OK ]
Starting splunkSearch [ OK ]
You might have a problem with the ports, as your local firewall, which you have enabled (yes, a must-have), will not let you connect to these ports by default. If you're connecting through localhost, this shouldn't be much of a problem.
Check out netfilter/iptables for localhost access otherwise. You are also able to choose other ports that may suit your firewall needs better. Just be sure that they are not taken by another service.
As I am an IT security freak, I don't want any ports bound to my external face (the Internet) if avoidable, so I would recommend defending these ports with appropriate firewall rules before playing around with the web interface.
So don't allow any Internet sources to connect to ports 8000/tcp, 8001/tcp, 8089/tcp and 9099/tcp. You might need to open them up later, for communication with other syslog facilities. But wait until you've become familiar with Splunk and how it works.
Connecting to the web server interface is easy: just add port 8000 to your URL, and you will land right on the Splunk user interface. You will be greeted with "Welcome to Splunk" and see some configuration options. So fire up Firefox/IE against yourhost:8000 and browse.
To get started, click on "Index a file now" and upload a file in syslog format, e.g. /var/log/messages. The file will be indexed and viewable in a second. That depends on the size and the CPU power of course, but 40 MB of files was done in a flash on my workstation.
From here on, you can browse all your log messages in a beautifully structured and intelligent way. Click on the file you let Splunk process, and have a look. Mmmm, a sysadmin's wet dream.
Ok, that's all for now. I will post part II later this week, when I have had the time to try it out with searches, tags and some of the advanced features it offers. Sure looks promising.
It might work with snort data as well. I am going to check that out.
So for now, keep your /var/log/ in shape, and don't throw away any UDP with destination port 514.
Splunk Official Website
ALX
Technorati Tags: splunk, syslog, firewall, ids, nids
Tuesday, December 27, 2005
IT Security books I recommend
Furthermore, check out the huge collection of IT security related books on Amazon. Read the reviews, as they contain vital info on the quality of the book.
Wednesday, December 14, 2005
It's about time

that I get to work. Well, I've been busy as nob going on a date this week. Tons of work to be finished before the Christmas holidays.
I wish I could get back to the old me again. When I just didn't care about time and deadlines. But to pull a one-man show and fight this time-stressed society is like riding a camel without a suspension. Your nuts will get crushed eventually.
So something in between laid-back as a fish on drugs and a monkey on speed is the concept that works. Finally you'll get burned out, divorced and become an old fart that complains about everything and everyone. Viva la optimism! :-)
Ok, one final word for the one reader besides me on this page.
Enjoy it while it lasts, because it never does.
Friday, December 09, 2005
iptables ground conf for client example
iptables -F # flush all existing rules
iptables -A INPUT -i lo -p all -j ACCEPT # allow self access via the loopback interface
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT # accept established connections
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset # reset unsolicited TCP packets lacking the MSS option (option 2), i.e. not a proper SYN
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT # open ftp server ports tcp/udp
iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT # open ssh server port
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT # open http server port
iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --syn -s trancas --destination-port 139 -j ACCEPT # allow NetBIOS session (SMB) only from the host 'trancas'
iptables -P INPUT DROP # drop all other connection attempts
You can easily make this configuration into a script, #!/bin/sh or perl, whatever suits your needs
best. If you run Red Hat with kernel >= 2.6 you should be able to save all your iptables settings to /etc/sysconfig/iptables by issuing the command # service iptables save
A simple perl script would also do the job, if you're not sure you want the iptables rules from /etc/sysconfig to be loaded at start.
This is a script I could use if I was running a few services on my workstation or server.
#!/usr/bin/perl -w
# Rebuild a minimal INPUT chain for a workstation that serves HTTP.
use strict;
my $ipt = "/sbin/iptables";

# Run one iptables command and abort if it fails, so a typo
# does not silently leave the chain half built.
sub rule {
    my ($args) = @_;
    system("$ipt $args") == 0 or die "iptables failed: $ipt $args\n";
}

rule("-F"); # flush all rules
rule("-A INPUT -i lo -p all -j ACCEPT"); # allow loopback access
rule("-A OUTPUT -o lo -p all -j ACCEPT"); # ... in both directions
rule("-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT"); # accept established connections
rule("-A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset"); # reset unsolicited TCP packets lacking the MSS option
rule("-A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT"); # open http server port
rule("-A INPUT -p udp -i eth0 --dport 80 -j LOG"); # log udp/80 hits before accepting them
rule("-A INPUT -p udp -i eth0 --dport 80 -j ACCEPT");
rule("-P INPUT DROP"); # drop everything else
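As an added example (not code from the original post), here is the same kind of fail-closed client ruleset, but with the Splunk ports from the review above (8000, 8001, 8089, 9099) reachable only from a trusted admin subnet and other attempts logged. IPT, IFACE, TRUSTED_NET and SPLUNK_PORTS are hypothetical names, and 192.168.1.0/24 is a constructed sample subnet; the dry_run function prints the rules instead of applying them so the set can be reviewed before running it as root.

```shell
#!/bin/sh
# Added example; hypothetical variable names, constructed sample subnet.
IPT="${IPT:-/sbin/iptables}"
IFACE="${IFACE:-eth0}"
TRUSTED_NET="${TRUSTED_NET:-192.168.1.0/24}"
SPLUNK_PORTS="${SPLUNK_PORTS:-8000 8001 8089 9099}"

build_rules() {
    "$IPT" -F
    # Set the default policy before adding rules, so a failure
    # halfway through leaves the host closed rather than open.
    "$IPT" -P INPUT DROP
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    "$IPT" -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SSH stays reachable from anywhere, as in the ruleset above.
    "$IPT" -A INPUT -i "$IFACE" -p tcp --dport 22 -j ACCEPT
    for port in $SPLUNK_PORTS; do
        # Splunk ports: accept only from the trusted subnet; everything
        # else is rate-limited into the log and then hits the DROP policy.
        "$IPT" -A INPUT -i "$IFACE" -p tcp -s "$TRUSTED_NET" --dport "$port" -j ACCEPT
        "$IPT" -A INPUT -i "$IFACE" -p tcp --dport "$port" \
            -m limit --limit 5/min -j LOG --log-prefix "splunk-port-blocked: "
    done
}

# Print the rules instead of applying them (no root needed).
dry_run() {
    ( IPT=echo; build_rules )
}

# Number of rules in a dry run that reference the given port.
rules_for_port() {
    dry_run | grep -c -- "--dport $1 "
}
```

Source the file and call dry_run to review the rule list, then call build_rules as root to apply it.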
That's all for tonight!
May your firewalls be with you, and your IDS:es run in proactive mode.
ALX
About Time you MONKEY up your FF
http://greasemonkey.mozdev.org/
Read the docs before you install, as usual. :-)
Thursday, December 08, 2005
Basic client security suggestion no 1
securityfocus.com. It's a much better article than mine, but the content is the same.
Activate a WORKING SPYWARE DESTROYER and ACTIVATE a FIREWALL before going online!!!
Man, I've been shouting this out LOUD for years now, and my friends that kept calling me because their computers were smidered/swarming with spysh-t, viruses and trojans are now lifting their hats, and actually
grasping the advice I give them. So come on! For F-ck sake, install a working spyware destroyer, such as Bruce Schneier's Spybot Search and Destroy. http://www.safer-networking.org/ (Open Source Project)
Activate a firewall, and yes, it will annoy you for a while, because the software firewall has to learn your surfing behaviour, but that's nothing compared to how annoying a rebuild of your g-d d-mn machine is. I PROMISE! :-)
And ... Don't forget Anti Virus! BTW, did I mention, change your browser to Firefox?
Yes, there are vulnerabilities in Mozilla's Firefox, but they are releasing patches for them, which is
far more than some other leading browser developers are.
Ok, for now, surf your way to enlightenment, and stay tuned for more rants.
Hiyaaa!
ALX
http://nordstrommarna.mine.nu/?postid=13
Java java java
I got to sleep in "my" office at home, right on the floor with only a mattress, me, the snoring device recorders/monitors and my machines.
When me and the doctor checked the spectra from my night's sleep, the pattern looked pretty good, a lot better than I thought. I have a sleeping disorder for sure, because of apnea, but it's very mild, the confident doctor told me. So I rest assured that just losing a few kilos will increase
the quality of my and my family's sleep. :-)
For now,
Keep those blogs up and running, fellow bloggers, they help
some people in urgent need of anti-boring kicks.
Wednesday, December 07, 2005
Important Xpdf update
which could give someone a remote access to your beloved system, and you don't want that.
It wouldn't surprise me if other Linux distros are affected too. Most likely.
Read more at Red Hat's superb security pages.
https://rhn.redhat.com/errata/RHSA-2005-840.html
Tuesday, December 06, 2005
New AIM worm in the wild
A user might receive the following AIM message:
"This AIM user has sent you a Greetings Card, to open visit:
someurl.com?my_christmas_card.COM" from which the user will download the worm.
The worm is called SDBot and should be caught by your AV filter.
The .COM can also be .SCR.
So be safe, and always be paranoid when receiving mails with URLs or, even worse, executable files.
Monday, December 05, 2005
Keystroke logging, keyloggers.
A keylogger (KeyLogger, Key Logger, or Keystroke Logger) is a process/program that usually runs in the background, recording keystrokes. Even in the Unix/Linux world it's very plausible and easy to use, if you've got root, of course! :-)
One keylogger that I have tested was a piece of PS/2 hardware, which you placed on the computer's PS/2 or nowadays USB port, right in the middle of the keyboard. It had enough memory to collect thousands of keystrokes, and filter out what would be usernames and passwords. SCARY!! I mean, how many of you check your office machines for keystroke loggers (hardware) on the back of your stationary PC? I do, but consider me an extremely paranoid freak! As this is in the field of my work, I am excused.
From what I have experienced, I came across several keyloggers while visiting Internet cafes in foreign countries. Watch out!!! Don't EVER DO any bank transactions or CREDIT CARD buys on a non-trusted public computer!! I will demonstrate later how easy we make it for criminals to take our hard-earned money. So remember, if you're using a public internet connection, be very sure that you can trust that it's perfectly free of keylogging or other auditing software.
However, keyloggers are usually used to spy on your loved ones, which must be considered very ugly at best. I could find a couple of reasons where I personally would sanction them, but they are very few and rare.
On machines running Microsoft or MacOS, keystrokes are logged, then hidden on the machine for later retrieval or sent off to the attacker(s), to be searched for passwords and usernames. Ugly!!
Ok fellas, take care out there, and surf safe, until next time.
ALX
Off topic. yahoo amazon msn cnn domains how much ?
Any suggestions on what a domain like yahoo.com amazon.com cnn.com would cost today, let me know!
A billion dollars ?
http://nordstrommarna.mine.nu/yahoo.html
Hmmm
This AIBO is so cool it hurts!
CPU: 64-bit RISC Processor
CPU clock speed: 576 MHz
RAM: 64 MB
Program media: Dedicated AIBO robot "Memory Stick™" media
Moveable parts: Head - 3 degrees of freedom
Mouth - 1 degree of freedom
Legs - 3 degrees of freedom x 4
Ears - 1 degree of freedom x 2
Tail - 2 degrees of freedom
(Total 20 degrees of freedom)
Input section: Charging contacts
Setting switches: Volume control switch
Wireless LAN switch
Image input: 350.000-pixel CMOS image sensor
Audio input: Stereo microphones
Audio output: Speaker 20.8mm, 500mW
Integrated sensors: Infrared distance sensors x 2
Acceleration sensor
Vibration sensor
Input sensors: Head sensor
Back sensor
Chin sensor
Paw sensors
Power consumption: Approx. 7 W (in standard mode)
Operating time: Approx. 1,5 hours (with fully charged ERA-7B1, in standard mode)
Dimensions: Approx. 180 (w) x 278 (h) x 319 (d) mm
Weight: 1.6 kg (including battery pack and "Memory Stick™" media)
Operating temperature: 5°C to 35°C (41°F to 95°F)
Operating humidity: 10% to 80% (no condensation)
Operating wet-bulb temperature: Max. 29°C (84°F)
Storage temperature: -10°C to 60°C (14°F to 140°F)
Storage humidity: 10% to 90% (no condensation)
Storage wet-bulb temperature: Max. 29°C (84°F)
Wireless LAN function: Wireless LAN module (Wi-Fi certified)
Internal standard compatibility: IEEE 802.11b/IEEE 802.11
Frequency band: 2,4 GHz
Wireless channels: 1 – 11
Modulation: DS-SS (IEEE 802.11 – compliant)
Encryption: WEP 64 (40 bits), WEP 128 (104 bits)
Supplied items: AIBO MIND 3 (software Memory Stick), WLAN Manager 3 & AIBO Entertainment Player Ver.2.0 (CD), Energy Station, Energy Station pole, AC adapter, Lithium ion battery pack ERA-7B2, pink ball, AIBOne, AIBO cards, documentation.
(*) The "User's Guide (PC Network)" for the AIBO ERS-7 robot and "User's Guide (AIBO Entertainment Player)" for the AIBO ERS-7 robot are included on the supplied CD-ROM in PDF format.
http://www.eu.aibo.com/1_1_3_ers7_specifications.asp