Security and risk

Robin Dreeke on building rapport - A new pill of wisdom from the SE podcast

noreply@blogger.com (always peace) — Tue, 31 Jan 2012 23:09:00 +0000

The Social-Engineer.org crew always provide really useful information on human behaviour. This time I highlight a podcast about how to build rapport, where they interview Robin Dreeke, FBI agent specialised on these powerful topics. If you have 77 free minutes, listen to the entire podcast. If you don't, at least browse through the bullet points below, they are a very personal summary of the interview (some topics repeat themselves given their importance).

Building rapport: You can't fake it. It needs to be real (minute 20).
Stay within reality, send a congruent message with your words and non-verbals (minute 20).
How to defeat anxiety and stress when talking in public? Think that you are doing it to help a friend (minute 21).
Pre-text yourself: Offer something that your audience (or your interlocutor) would enjoy and like. Imagine they are your friends and you would like to share something with them. Be ready to trigger a good feeling in them (minutes 22 and 23).
Focus on making your interlocutor feel very well while you are pursuing your goals (minute 23).
Key aspects to consider when talking to someone: Don't try to impress, suspend your ego, downplay yourself, use the technique of sympathy to elicit help and reciprocal altruism (minute 25).
Make a quick smile, a quick glance and then glance away. Don't stare at them! (minute 26).
Keep your tempo slow, don't over speak, don't over sell, be confident but remember, you are seeking help (minute 27).
Appeal to their sense of humanity, seek help, seek their opinions, let them know that you value their opinions, make them believe that they are experts on their topic, open up to them (minute 28).
Get people's shields down by talking about dates and birthdays. Prepare your pocket of things about yourself and share it with them. Once you are done, they will open up to you (minute 32).
Send out an artificial time constraint, verbally or even better, non verbally (e.g. talk to them over the shoulder - talking at an angle, your feet and hips should be pointed like your are going to leave, keep the chin a little bit down and mention that you only have a few minutes - minute 33).
Start threading on the context they give you as a response. Be patient.
Accept people for who they are and validate their choices. Don't be judgmental. Don't pass judgement.
How to do it when you don't agree? Be fascinated about them. Try to understand every aspect of their answer. Answer with "what an amazing thing you did!".
Constantly practice all the time, it is a muscle you need to train (minute 39). Talk to a stranger every day (get a little adrenalin rash).
People love talking about themselves. People don't care about you (hard but real fact).
Never argue with someone you try to social engineer. Ask them the question to them and let them answer.
Let the people filling the thoughts, the gaps in a conversation for you. Silence with little non-verbal confirmations are great.
Every generation has their own nuances.
If you don't have kids, reflect about friends who have them or even your own experiences when you were a kid.
If your interlocutor has a bad day, validate them and offer your help. People will start opening up (minute 49).
If you appear threatening, make a little joke and refer to that appearance in a critical way. Upper your chin a little bit.
People love the fact that you are trying to accommodate them.
As soon as you say "hey, I am not a bugger", people will believe. People take you at your face value.
Most people will go out a long way not to lie. Lying is a very uncomfortable thing to do. People generally don't want to lie.
Reciprocal altruism: Never try to impress but seek help. People are willing to help.

Thanks again to the Social Engineer crew!

Sides of human beings

Tweet this post to those in need of building rapport ;-)

Paella for hackers and security pros

noreply@blogger.com (always peace) — Sat, 31 Dec 2011 23:09:00 +0000

To celebrate the end of the sixth year of the securityandrisk blog, this time my post is an alternative post. Information security professionals, "hackers" and "itsecuriteers" need to explore IT systems but they also need to eat every now and then ;-). I share with all readers one of the most precious cooking recipes. A crown jewel: The recipe of a modest but tasty version of the well known Valencian Paella - a typical dish with rice from Valencia, Spain.

Ingredients per serving

2 portions of chicken

1 portion of rabbit (it can also be spare ribs)

a glass (250ml) of water

half a glass (125ml) of rice

a quarter of an onion

half a red pepper

Other ingredients (typically for 4 people)

some vegetables e.g. green beans and peas

some seafood e.g. squid, mussels and prawns

crushed tomatoes (125ml)

2 to 4 cloves of garlic

parsley

saffron (this is expensive, you can also find paella colouring - less pricey)

salt

olive oil

Directions

In a frying pan (or in the paella-pan, called paellera, if you have one) fry the salted portions of chicken and rabbit until they get a nice golden color. Once fried, place the fried portions on a plate nearby.

In the same frying pan, with the remaining oil, fry the chopped onions and peppers until they get slightly brown. Then, add the tomato and subsequently the selected vegetables and seafood. Once all those ingredients are lighthly brown, add the fried chicken and rabbit.

Mix the chopped garlic, salt and parsley in a wooden bowl with a wooden stick, if available. Otherwise, mix these spices as well as you can.

Add a glass of water (250 ml) per serving and the spice-mix until it starts boiling. Then, add 125 ml of rice per serving, well spread out through the paella-pan and finally the pinch of saffron. Cook all ingredients over a low heat for about 18 minutes and without a lid! Let the paella smell captivate you. Afterwards, turn off the heat, put the lid over the paella-pan and let it settle for 5 minutes.

You can now enjoy a paella for hackers and security pros!

Happy cooking and eating!

Security and cooking are human passions

Paella is a dish to share with people.
Tweet this post to those you will share the paella with!

SSL And The Future Of Authenticity: A talk by Moxie Marlinspike

noreply@blogger.com (always peace) — Wed, 30 Nov 2011 23:09:00 +0000

These lines are a subjective summary and collection of thoughts triggered by the presentation that Mr. Moxie Marlinspike, co-founder of the start-up whispersys (very recently acquired by twitter), offered at Black Hat USA 2011. The title of this talk was SSL And The Future Of Authenticity. It is still available on youtube (with more than 30000 views!). It is a security talk worth watching from both the content and the delivery viewpoints.

The beginning of the presentation is surprisingly not devoted to providing a long and boring bio of the presenter. Let's keep that in mind as a nice intro to a talk: Sharing an anecdote with the audience. They will pay more attention to that than to a long list of achievements. Human beings like stories, remember!

The first part of the presentation deals with the news of the Comodo hack. He remembers that more than a quarter of the Internet's certificates are Comodo's. And, after the hack, actually, nothing happened to Comodo. The cool point here is that Comodo published the IP address from which the attack was supposedly performed and Moxie could identity the same IP address in his servers' logs, a day after the attack, trying to download his tool sslsniff. Moreover, the HTTP referrers that that IP address left in his logs did not hint at all that it was a highly sophisticated State-sponsored attack the one behind Comodo's.

Anyway, the story of Comodo illustrates, according to Moxie, the problem we have today related to the use of SSL as a secure protocol to identify sites on the Internet. He mentions the 3 requirements that a protocol like that should have:

secrecy
integrity
authenticity (something that SSL does not really cater for)

Moxie refers to the inadequacy of SSL, designed in the 90s of the past Century, to solve our current challenges, with more than more than 2 million server certificates in the Internet and more than 600 certificate authorities out there. Worth mentioning is the SSL threat model from Ivan Ristic.

It is then when Moxie introduces the concept of trust agility, something that would enable users to shift trust much quicker than with the current SSL certs. Trust agility should:

be very easy to revise
let users decide where to place the trust

He then confronts the highly centralised trust model proposed by DNSSEC with the highly uncentralised trust model that certificates require. In a nutshell, that is the reason why he does not think that registrars, top level domain name administrators (e.g. Verisign) and country code domain name administrators will come to save us all. They all provide very reduced trust agility.

What does he proposed then? He revives a Carnegie Mellon proposal called perspectives. It is based on checking that the certificate in the secure site is the same that the one held by an authority, the notary. These notaries will build a constellation of trust. However, perspectives will only validate the initial connection.

Based on perspectives, Moxie expands it and introduces convergence. Convergence includes a new authentication (expandable) protocol and provides a firefox add-on. In convergence, the user initiates the communication to check the certificate and decides the level of trust given to each certificate. The added value that this initiative provide consist of:

no notary lag (local caching possibility)
no privacy issues (detaching the site name from the requester via a proxy - using notary bouncing)

The hiccups he identifies in the use of convergence are:

mega-sites using a hundred different ssl certs (they exist but they are rare)
captive portals (where a DNS query would help)

Finally, he poses to telling questions to the audience:

who do I have to trust and for how long?
a prescribed set of people, forever?

My 2 humble cents on this: I welcome initiatives such as perspectives and convergence. They clearly signpost the need for Internet-based economic activities to come up with something more resilient than our good old friend SSL. However, let's remember Betamax and VHS VCR systems example, where the solution conquering the market was not the most technically viable option. We need more than a good engineered proposal to conquer the secure site market, and sometimes we don't know where is (or will be) the tipping point.

Enjoy the secure browsing!

Where does SSL lead us to?

Book review: Social Engineer - The art of human hacking by Chris Hadnagy

noreply@blogger.com (always peace) — Mon, 31 Oct 2011 23:24:00 +0000

I wanted to post a personal review on a current social engineering reference book. Christopher Hadnagy's book, "the art of human hacking" deserves the label of reference book in the social engineering field.

I enjoyed reading the book. Those who listen to the social engineering podcast, in which the author takes part, will find in the book most of the topics dealt in the first 20 something podcast episodes. This book is the written witness of the spirit present in the social-engineer podcast.

SE book highlights

In this post, I fly over, following a very personal route, the main ideas that the 9 chapters of this book contain. The book is easy to read. Every chapter conveys some summary points plus a brief summary at the end. This facilitates the identification of the learning points.

The lessons learnt are applicable in almost every aspect of our lives. By no means this summary aims to replace the reading of the book. On the contrary, this is a book I recommend to read, not only to information security professionals, but also to anyone interested in knowing how human beings tick. This book is a valuable tool when modelling human behaviour. Actually, if there is intelligent life in outer space and they need to liaise with humans, this is one of the books that they need to read so that they can understand humans.

chapter 1 - introduction to social engineering
This first chapter describes the different types of social engineers. Interesting point: governments are also social engineering actors.

chapter 2 - information gathering
Chapter 2 mentions information gathering tools like BasKet and Dradis. There are also two telling examples, the USB example mixed with an encounter in a cafe and the stamp collector story. Some points that I highlight are the following:

Interesting their message that every one can have and have different personal realities (page 44).
Most of the time people want to help (page 52).

chapter 3 - elicitation
Elicitation is non-threatening and it is very successful (page 58). It is eye-opening to know that a simple light conversation is all it takes to get some of the best information out of many people (page 58).This chapter mentions the intricacies of elicitation, such as how preloading the target with info or ideas on how we wanted them to react to certain info is a good start (page 62). They mention an example related to "how to convince your partner to go for dinner to a steak house" (page 62) - it is worth-reading it - would that really work?

A basic way of elicitation is to start a conversation with "I would like to tell you a really funny story" (page 63).

The author also mentions the concept of preloading. From an social engineering (SE) viewpoint, "preloading involves knowing your goals before you start". Expressing a mutual interest is more powerful than appealing to someone's ego: another important learning point (page 67). More information on elicitation can be found in the social-engineer.org site.

Some of the elicitation techniques that the book mentions are:

Appealing to one's ego.
Expression of mutual interest.
Deliberate false statements.
Volunteering information.
Assumed knowledge.
The effects of alcohol (not a different technique but equally effective).
Open ended questions, what do you think of the weather today?

Let's define some concepts that the book presents:

Elicitation is the process of extracting information from something or someone. Read the definition on the social-engineer.org site.
Pretexting is the act of creating an invented scenario to persuade a targeted victim to release information or perform some action.
Preloading is influencing subjects before the event. Think about a movie's pre-release trailers. They use desired outcome words such as “The best film you have ever seen!” This technique works great when introducing anything. Preloading is a component of a social engineer attack.

Some of the techniques the author mentions are:

Use open-ended questions to obtain detailed information (page 70).
Closed-ended questions are appropriate to lead the target to a goal (page 72).
Asking people a leading question in order to manipulate their memory (page 73).
Assumptive questions - you need knowledge before hand so they need to be used with care (page 73).

chapter 4 - pretexting
The ideas mentioned around pretexting i.e. creating the background story that makes up the character you will be for the social engineering audit, rotate on these points:

On the Internet you can be anyone you want to be.
Create a scenario where people are comfortable with providing information they would normally not provide.
Practice makes a good pretext.
Self-confidence is always related to a situation.
Cognitive disonance: People have the tendency to seek consistency among beliefs, opinions and cognitions.
Dialect - you need to master the right pretexting dialect - at least spend some time listening to people in public talking to each other.
Play it back later (from the recorder) this is recommendable
Use an outline script.
Use sounds from e.g. thrivingoffice.com
Do not try to make the pretext elaborate
Keep yourself within the legal arena

chapter 5 - mind tricks
According to this chapter, we need to identify the target dominant's way of thinking. The author refers to Dr. Paul Ekman. He showed that emotions are universal across cultures and biological backgrounds. He worked with basic emotions through the microexpressions that show those emotions. However, these skilled people could show those microexpressions in a different time.

This chapter mentions a possible way to overcome the client's reluctance to communicate: We need to identify whether they are a fan of sight, hearing or feeling (the site www.examiner.com is mentioned as a source of info).

We also need to try to identify deception by identifying contradiction, hesitation and changes in behaviour and hand gestures. Some of the NLP language patterns to influence change on interlocutors have to do with the voice tone (site mentioned: planetnlp.com).

There is also a general recommendation to watch for a group of signs and not only one sign to determine the baseline of our interlocutor. A set of leads on which we have to focus are microexpressions, body language cues, changes in verb tense and person use. An example of anchoring is linking a statement of a like kind with a certain gesture.

An valuable fact: People retain less than 50% of what they hear. As smart interlocutors, we need to react to the message, not to the person. For example, a way to state something could be "it sounds to me like you are" rather that using "you are" alone.

While practicing all these techniques, we need to develop a genuine interest and let the other person talk about herself until she gets bored of it. Let's remember that people's fundamental needs are:

Love/connecting
Power/significance
Freedom/responsibility
Fun/learning
The effect of young star photos
Breathe at the same pace as your target
People like people who are like themselves
Human buffer overflow = law of expectation + mental padding + embedded roles

chapter 6 - influence: The power of perceptionThis chapter mentions concepts such as "kill them (verbally) with kindness", scarcity and concessions and again that
simply asking the target a question can lead to amazing results. We can manipulate attention through the use of scarcity. Let's remember that people are driven to desire that which is hard to obtain.

Chapter 6 lists these types of authority:

Legal authority.
Organisational authority.
Social authority (in western countries, clothing, cars and titles).

The author also describes the value of commitment and consistency with actions (e.g. people are more prone to help you when you leave a bag unattended if you previously ask someone to look after it) and some additional ideas such as:

Liking (people like people who like them).
People need to be liked, they change their behaviour to be liked by others.
Good-looking people succeed more than not good-looking people.
Humans attribute more good traits and skills to good-looking people.

chapter 7 - the tools of the social engineer
We can read about lock picking, intelligence gathering using public sources, tools like Maltego, SET and password profilers.

chapter 8 - case studies: Dissecting the social engineer
This chapter provides a valuable set of examples coming from the author and from Mr Mitnick himself.

chapter 9 - prevention and mitigation
The bottomline: Prevention and mitigation creating a personal security awareness culture and the importance of developing scripts and being aware of the criticality of the information you are dealing with.

Happy social engineering!
Congratulations Mr Hadnagy!

Hardening a wireless DSL router

noreply@blogger.com (always peace) — Fri, 30 Sep 2011 22:05:00 +0000

Avoid that someone else uses your wireless DSL router

Most homes in developed countries use a home wireless DSL router to connect to the Internet. Remember that, in an increasing number of countries, the owner of the router is legally responsible for the data coming in and out of that home network to the Internet. Avoid being in an unwanted legal case by preventing that your DSL router (and your Internet connection) is used by an intruder to commit any illegal action. Make your DSL router relatively secure with the following preventive (and a final one, detective) security measures:

- Change the private IP address that the router has by default. How many routers come with 192.168.1.1 or with 10.0.0.1? Please, let your router be other than 192.168.1.1.

- Change the default IP addressing schema of your home LAN (cable or wireless). There is no obligation to always use 192.168.1.x or 10.0.0.x. As long as it is a private IP address (see RFC 1918), dare trying with e.g. 172.16.x.x.

- Limit the mac addresses that can connect to your router. Find out the mac addresses of all the gadgets that connect to your wireless LAN and input them into your router's mac ACL.

- Use WPA2 with a long password, you can get it for example here.

- Make the admin interface only available to your internal LAN (avoid making it available through the Internet). Easy way to check this: Find out your public IP address (e.g. using myipaddress), try to reach that public IP address and the admin web page.

- Are you a hardliner? Then disable the DHCP server in your router. Add the IP addresses. routing gateway (your router) and DNS servers in each of your wireless clients manually. Use different DNS servers on each of the gadgets (so that no unique DNS server gets a complete idea of your browsing behaviour).

These measures follow a defense-in-depth approach. None of them constitute the silver bullet, but the entire set of measures is a valid starting point.

If you would like to check your router's threat exposure to the Internet:

- Find your public IP address here.

- Install nmap in your box and launch the following two lines:

$ sudo nmap -sT -n -v -T4 -O -p- --reason yourpublicaddress

$ sudo nmap -sV -n -v -T4 -O -open ports coming out from first command yourpublicaddress

The nmap command line usage help can be found here.
- Limit the services you offer to the Internet.

Nmap should produce an output similar to this one:

All 65535 scanned ports on are filtered because of 65350 no-responses and 185 host-unreaches. Too many fingerprints match this host to give specific OS details.

If the result shows some open ports, identified by the -sV option as UPnP, review the expert view of the admin interface in your router, it is probable that you allow some firmware update, or push service provision coming from your ISP or a specific server app. Just check that it corresponds to your needs (e.g. a VPN server, a file server... or maybe, nothing is published to the Internet).

Finally, a detective measure: Check your router's logs frequently. Most routers can send their logs regularly to an email address. Use this feature. It is priceless to identify abnormal uses.

Happy scanning and happy secure home DSL router!

p.s. The "--reason" is a suggestion coming from a network jedi ;-)

Avoid misuses of your DSL router while you are on the beach

Additional measure (inspired by a comment left by an anonymous reader left)

Broadcast (but as little as you need ;-)

Scan the wireless networks that surround your place, choose a wireless channel that is not used, or at least very little used. This will enable you to decrease the level of energy used by your wireless router when broadcasting its signal.

Fine tune the energy level so that the wireless signal is almost constrained to your place. This will definitely make a wireless attack to your network a little bit more "physically challenging". Here you are some command line tips to scan the wireless spectrum using aircrack-ng from a Linux box.

$ sudo apt-get install aircrack-ng
Information on aircrack-ng installation can be found here

Disconnect from your wireless network (keep the wireless driver working though)

$ sudo airmon-ng start wlan0

airmon will tell you the name of a wireless interface that can be used to scan (it will normally be mon0)

$ sudo airmon-ng start mon0

$ sudo airodump-ng mon0

and you will get a real-time list of active wireless networks (incluing channel numbers)

Thanks to the anonymous reader!

Hacking: The next generation by Dhanjani, Rios and Hardin - Book review

noreply@blogger.com (always peace) — Wed, 31 Aug 2011 22:01:00 +0000

The following is a brief [and biased] review of the pages of Hacking: The Next Generation. In one sentence, I would recommend it to an IT student thinking of getting closer to security as a first-time security flavour.

Disclaimer: These lines do not substitute the reading of the book. They are meant to provide a global overview of what the reader can find in the book. My kudos to the authors, writing a book is always a big effort. And even a greater effort if the books talks about a changing target as IT security.

The book: Hacking: The Next Generation.

The authors: Nitesh Dhanjani, Billy Rios, Brett Hardin.

Publication year: August 2009.

Publisher: O'Reilly Media.

Chapter 1 Intelligence gathering: peering through the windows to your organization

The first chapter gives some actual tips on social engineering and intelligence gathering. They mention the Google Hacking Database and the Search Engine Assessment Tool and the usefulness of metadata and social networks to collect information that for a future attack. Tools like theHarverster.py and metagoofil.py are also mentioned. Syntax in google such as resume filetype:doc "current projects" and even the simple use of public google calendars can also render nice results.

Chapter 2 inside-out attacks: the attacker is the insider

This chapter proposes an easy path to understand how currently an external threat becomes an internal one thanks to threat vectors such as xss and xsrf. After reading this chapter, you will not use the remember password functionality in a browser.

Flash and Java are also mentioned. Another learning point in this chapter is that we should only share documents we trust with people we trust. Difficult task!

Chapter 3 The way it works: There is no patch

A varied chapter. It starts with the traditional description of the insecurities of telnet and ftp, both clear-text protocols. They also mention tools such as wireshark and a little python script named goog-mail.py to carve out email addresses. The authors also suggest the use of a password brute-force attacker tool such as hydra and John the ripper.

This chapter also deals with session hijacking using tools such as hunt (to hijack clear-text TCP-based sessions). The fact that they are using private IP addresses makes sometimes some examples a little less realistic. On this topic, I miss a reference to the need to have a network card in promiscuous mode, also when we are trying to hijack session in a wireless network.

A basic description of SMTP snooping (with mail snarf) and spoofing is also part of this chapter. They finalise the chapter describing ARP poisoning with tools such as Cain&Abel and DNS Cache snooping with cache_snoop.pl.

Chapter 4 Blended threats: When applications exploit each other

The helicopter-view summary of this chapter is brief. Exploits currently constitute what authors name blended threats i.e. creating a big threat vector out of the combination, or beter said, chaining, of several harmless-looking vulnerabilities.

The key concept to understand is the application protocol handler: a way for two applications to interact using the operating system. They provide examples both in Windows and Mac OS.

Finally, the most flashy example of blended threats, conficker, with 9 million infected machines as of January 2009.

Chapter 5 Cloud insecurity: sharing the cloud with your enemy

This chapter presents the differences between cloud services offered by Amazon (based on what they call AMI - Amazon Machine Images) and Google (based on the Google App Engine). It is an eye-opener in the sense that insecurity now has a new meaning if we think of cloud services.

The apply common sense and present the two most visible vulnerability vectors i.e. misconfigured virtual machines and insecure management consoles.

Finally, they also present real vulnerabilities, already solved, (based on CSRF) that the authors discovered in Amazon Web Services.

Chapter 6 Abusing mobile devices: targeting our mobile workforce

These pages deal with ways to compromise corporate networks and information without even connecting ever to the corporate network. The rey resides in the threats targeted at mobile workforces.

First basic step to attack a corporate mobile force, spoof the MAC address of the attacking laptop. Second step, use a mix of common sense and social engineering. Certainly, also useful tools such as Burp Intruder and Cain & Abel. The first one useful to defeat easy entry portals and the second one excellent to get credentials used in services that do not use SSL permanently.

The authors also present man-in-the-middle attacks (e.g. although they don't mention it, they refer to a la ettercap-style attacks) and how easily users double click on any certificate warning appearing in their browsers.

The chapter ends with some words on metasploit, voicemail tapping and exploiting physical access to mobile devices.

Chapter 7 Infiltrating the phishing underground: learning from online criminals?

These pages deal with a real threat to our society and economy i.e. cybercrime and, more specifically, phishing (on page 177 I think there is a typo, when they refer to foreign companies, they really mean foreign countries. Some interesting facts they mention:

- phishing sites have a time to tlive (TTL) of just a few hours.

- www.phishtankcom publishes the URLs of phishing sites that are online. Very interesting for demo purposes!

- often an insecurely configured server becomes a phishing site for different phishers.

- all this points show the importance to securely configure any web server running on the Internet

The authors also mention a very useful tool for web testing, burp proxy and a skill that good phishers have: they know how to use different elements present on the Internet for their evil purposes (and they try to phish other phishers by inserting backdoors!).

They also talk about a phishing toolkit called the loot, offering phishing kits for many institutions, and about some phishing lingo such as "ReZultT" and "fullz" (all information required to steal someone's identity).

Chapter 8 Influencing your victims: do what we tell you, please

This chapter refers to human hacking. Rather than targeting a web application, sometimes accessing someone's calendar or eavesdropping a conference call (by knowing the conference ID) provide juicy information more easily.

The authors also mention the importance of social network in current hacking trends. For example, they created a fake identity in linkedin, or rather, they stole someone's identity and in several minutes this identity had received 82 incoming requests to be part of their network.

They also mention the evilness of the "forgot your password?" questions that some sites use to authenticate users, especially when complemented by facebook or linkedin information.

They complete this chapter with sentiment analysis based on tools such as Yahoo!Pipes, sites like wefeelfine.org and concepts such a a word cloud.

Chapter 9: Hacking executives: can your CEO spot a targeted attack?

This is the flashiest chapter. Easy to read and really implementable. The authors talk about how to construct personalised attacks, with little effort, against executives based on network analysis (note that network here is a set of acquaintances and not cables and switches). Why attacking executives? They are normally the most informed members of the organisation.

They mention two main motives: financial gains and vengeance. Regarding how to monetise an attack, the authors mention that it is more profitable to try to sell the information to the company that actually owned it rather than trying to go to the competitor.

Information gathering using public sites and social networks is the first step in the attack. The input gathered helps identifying the executive's trusted circle and, specially, those with the most influence over the executive. A little but interesting detail, probably family members will not be in that trusted circle. Another one, sending the attack to the executive's assistant provide promising results given the trust existing between both players.

The authors also mention useful sites such as www.tweetstats.com, namechk.com, the phyton script titled theharvester and the enticing USB data stealer named USB switchblade.

Chapter 10 Case studies: different perspectives

In this last chapter they present two case studies. The first one clearly shows the need to disable old accounts and to control who joins a teleconference.The second one claims the importance of hardening ssh servers, the need not to publish IT information related to a company in Internet and the beauty of XSS based exploits.

Happy next generation hacking reading!

Guest post: 7 Reasons to Monitor Internet Usage

noreply@blogger.com (always peace) — Tue, 16 Aug 2011 21:52:00 +0000

7 Reasons to Monitor Internet Usage

Monitoring internet usage is a popular issue for companies that use the internet irrespective of their size. There are various and valid reasons why a business should monitor internet usage. In this article we’ll discuss some of them and the benefits of doing so:

1. Security – Perhaps the most important reason for internet usage monitoring is to ensure data transferred to and from the internet does not contain malicious code or malware. This type of monitoring can protect your organization from potentially destructive malware infections and Trojan infections that could compromise the company’s intellectual property.

2. Productivity – While there are advantages in allowing people access to the internet, even if this means occasional periods of browsing for personal reasons, monitoring is essential to prevent excessive use by employees. Proper internet usage monitoring and control can work in an organization’s favor if usage is maintained at a level that promotes productivity, rather than a situation that results in multiple incidents of cyberslacking and unacceptable levels of internet usage.

3. Costs – Internet connectivity is not free; bandwidth costs money and there are additional costs if something goes wrong. If an organization monitors Internet usage these costs can be mitigated; proactively reducing unnecessary bandwidth usage and improve the security of internal networks.

4. Confidentiality – Giving employees access to use the internet also opens a door through which confidential information can be leaked, lost or stolen. Adequate monitoring of internet usage can prevent information theft – both intentional and accidental.

5. Legal Liability – There are many ways how an individual can use the internet to commit crime – from infringing on someone else’s intellectual property to actual hacking attempts. Monitor internet usage to prevent and identify such events as they occur and you’ll be able to stop them before they trigger a legal response.

6. Forensics – Monitoring also allows an organization to effectively investigate incidents. If an employee breaches company policy by engaging in prohibited internet activities, you will need the evidence to back up your position. If a workstation is compromised due to inappropriate internet usage, you will want to know what websites were accessed and led to that workstation being compromised. This information can be used to identify areas that needed increased security measures.

7. Reputation – Proper internet monitoring will help an organization to keep its reputation intact and prevent an employee’s actions from causing harm to the company through malware infections or illegal activity.

Each of the above points are strongly interlinked and together provide a robust and valid argument in favor of monitoring internet usage – each point merits equal attention and consideration. Monitor internet usage properly and efficiently to ensure your organization never suffers a fallout due to web threats. Prevention is always better then the cure.

This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Read more on how to monitor internet usage.

All product and company names herein may be trademarks of their respective owners.

Monitoring filters complexity

Avoid arp poisoning in your LAN

noreply@blogger.com (always peace) — Sun, 31 Jul 2011 22:07:00 +0000

In Linux, rudimentary but effective:

Here you are some quick measures to make arp spoofing in a shared LAN a little bit more difficult. Note, however, that these measures will not protect you from firesheep (cookie-based mechanism to steal non-https sites' credentials).

1. Avoid that the arp protocol constantly asks for the mac address of your router. Add the following line to the /etc/rc.local file:
# arp -s ipaddressofyourrouter macaddressofyourrouter
This way, this entry will be permanently stored into the ARP cache.

2. Create an alert with arpwatch using e.g. the following line:
# arpwatch -d -i yourinterface
The arp database will reside in /var/lib/arpwatch/arp/dat

3. A way to check that there are less arp probes in the net then will be
# tcpdump -i yourinterface -n -v arp

If you change your router, remember to change your rc.local file accordingly.

In Windows, a nice tool is the one from irongeek called decaffeinatid.

This is not bulletproof but it saves you from the typical arp poisoning attack. If any reader would like to add any additional idea to this topic, please comment.

Happy browsing in a shared network ;-)!

Avoid ARP poisoning

Note to a comment: Arpon is a useful tool for this purpose. Besides, Arpon 2.7 was just release last July. Be aware that, according to Arpon site "it requires a deamon in every host of the connection".

The Value of Vulnerability Assessments

noreply@blogger.com (always peace) — Sat, 09 Jul 2011 23:21:00 +0000

With this out of sequence post we start a series of guest contributions. In these days of complexity in our everybay business of IT security, it is advisable to remember the foundations to protect your boxes from known threats. Here you are 7 down-to-Earth tips to secure your servers:

Do you know how your server measures up to potential threats? If you haven't performed a vulnerability
assessment on your servers yet, you may not be aware of issues that may leave you exposed to hackers and web-based attacks. A vulnerability assessment is the process of inventorying systems to check for possible security problems, and is an important part of system management and administration.

Vulnerabilities are weaknesses within a server or network that can be exploited in order to gain unauthorized access to a system, usually with the intention of performing malicious activities. The most common way to address many software-related vulnerabilities is through patches, which will usually be provided by the software manufacturer to correct security weaknesses or other bugs within a program.

However, there may be times when a patch is not available to address a possible security hole, and not all vulnerabilities are software-related to where a patch would be offered. This is where the concept of vulnerability assessments comes into play. Minimizing the attack surface and the effect that a potential hacking attempt could have on your system is a proactive way of effectively managing a server network.

Protecting your data vault

While there is no 100% way to protect your servers against vulnerabilities, in performing a vulnerability
assessment there are some steps you can take to minimize your risk:

Close unused ports
Ideally, your server network setup should include at least a network firewall and a server-level firewall to block undesired traffic. Undesired traffic would include traffic to ports that are unused or that correspond with services that shouldn't be publicly-available. These ports should be blocked in your firewall(s).

Don't over-share
If servers on your network are set up to share files with others, or to access network shares (such as file servers and other resources), make sure that those shares are configured to only allow access as appropriate. Hosts that don't participate in sharing resources should have that capability turned off completely.

Stop unnecessary services
The more services you have on your server, especially those that listen on network ports, the more avenues a hacker has to get into your system. This is especially true if you have services running that aren't being monitored or used, and therefore are unmaintained. Stop services that are not in use or necessary, and restrict access to others that are not intended for public access.

Remove unnecessary applications
Many operating systems come with a wide set of programs that may not be necessary for normal server
operations. Find out what software is installed on your system, and then determine which of those
applications are not necessary and remove them.

Change your passwords
Using default vendor passwords is more common than you may think – but since those passwords are usually publicly-known, they are often the first ones used during hacking attempts. Secure passwords should always be used in favor of the vendor defaults, and industry experts recommend changing them every 30-60 days.

Do some research
When software or new applications are installed, users often neglect the time needed to review their settings to ensure that everything is up to par with modern security standards. Take some time to research what you are installing and any security implications that it may have, including what features may be enabled that could introduce security problems, and what settings need to be adjusted.

Encrypt when possible
Many services and network hardware have the capability of encrypting traffic, which decreases the likelihood of information being “sniffed” out of your network. When transmitting sensitive data, such as passwords, always use an encrypted connection.

Regular vulnerability assessment is a vital part of maintaining system security. Not only will it help diminish the success or possible effects of malicious activity against your servers, but it's also a requirement for many modern compliance standards such as PCI DSS, HIPAA, SOX, GLB/GLBA, and other regulatory standards.

This guest post was provided by Vanessa Vasile on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information: GFI vulnerability assessment.

All product and company names herein may be trademarks of their respective owners.

SQL injection - Attacks and defense by Justin Clarke et al. - Book review

noreply@blogger.com (always peace) — Thu, 30 Jun 2011 22:47:00 +0000

This book was published by Syngress in 2009. It was the book of the year in 2009 for Richard Brejtlich in taosecurity. It has ten authors, the main one is Justin Clarke.

In my eyes, this is an obliged reference book for everyone testing web applications using a database (most of them, BTW) today (and in the last 10 years!)

The book is broken down into 10 chapters - Let's go one by one:

Chapter 1 - What is SQL injection?
A generic introduction to the topic of the book. A little bit confusing chapter. I would recommend to re-read it at the end. The reader will then have more than one eureka moment.

Chapter 2 - Testing for SQL injection
This chapter wears the "hacker's hat" and shows how to find SQL injection samples in a web application connected to a database. This is a nice intro to the rest of the book. It provides useful tips about displayed SQL errors in MS SQL server, MySQL and Oracle. One of the coolest points of this book is the collection of tools that most of the chapters offer at their end. This is also the case for chapter 2. Worth mentioning, mainly because it is a free tool (and a very good one!) is the Paros Proxy.

Chapter 3 - Reviewing code for SQL injection
This chapter wears the "developer's hat" and shows how to follow user data (the use the nice term of "tainted data") through lines of PHP, Java and C# code. The end of the chapter mentions some source code analysis tools like YASCA or the MS Source Code Analyzer for SQL Injection.

Chapter 4 - Exploiting SQL injection
These pages show the deep foundations of this art, with steps such as identifying the database, extracting data through UNION statements, using conditional statements, enumerating the database schema, escalating privileges, stealing password hashes, out-of-band communication and finally, they present some tools to automate SQL injection exploitation such as sqlmap and bobcat.

Chapter 5 - Blind SQL injection exploitation
This chapter wears the "advance hacker/detective's hat". Using time-based, binary search, bit-by-bit inference and response=based techniques, they present ways to infer knowledge out of the interaction with a database. They also mention some tools such as Absinthe, Sqlninja and Squeeza.

Chapter 6 - Exploiting the operating system
Normally a database is an application software residing on top of an operating system. In this chapter, they keep on wearing the "advanced hacker/detective's hat" and present ways to read and write files and execute OS commands.

Chapter 7 - Advanced topics
Richard Bretjlich considers funny that in this "advanced & technical" book the authors have inserted a chapter for "even more" advanced topics. I agree with him. Whatever our views are, this chapter describes ways to evade input filters, to exploit second-order SQL injection and to use hybrid attacks.

Chapter 8 - Code-level defenses
This is the chapter that "developers" should read without any doubt. The key to avoid SQL injection attacks is to completely code the access to a database based on customised parameters that are out of the users' reach. The authors propose a series of recommendations to validate input and to encode output.

Chapter 9 - Platform-level defenses
Together with excellent coding practices, there are some measures, related to the operating platform, that we can take to avoiod SQL injection. These are, for example, using web application firewalls, web server filters, IDSs and securing the database itself.

Chapter 10 - This chapter is the chapter every "white hat hacker" should have at hand when assessing a web app connected to a database. It is a great reference of SQL commands and SQL injection tweaks for SQL Server, MySQL, Oracle, PostgreSQL and even DB2. If you need to select only one chapter, focus on this
one.

You can also read Richard's reference to this book in Amazon.

All in all, a book worth its price, keep it as a web app pen test reference book! Thanks to the authors for this nice work. And also a special mention to the one who merged and composed the input from 10 different authors into a unique book.

Happy reading!

Brian Snow on Information Security in a malicious environment

noreply@blogger.com (always peace) — Tue, 31 May 2011 22:01:00 +0000

Risk based security is incredibly popular in information security nowadays. However, this is not the only way. I listened to the episode 191 of the Risky Business Podcast. In that episode, Patrick Gray interviews Brian Snow, former NSA director. He provides some experience-based thoughts on probabilistic risk assesment (PRA) and proposes alternative approaches in Infosec:

About PRA:
- Useful in scenarios with benign players (e.g. when Nature is the threat agent)
- Useful when there is enough good solid statistical information in the form of distributions curves and failure rates.
- The problem comes when trying to mitigate:
a. high impact risks with very very low probability or
b. a handful of low probability events with low impact that, if all of them happen in concert, the impact is huge.
- Probabilistic risk assessment does not take malice into consideration. When malice comes into play, distribution curves do not matter.
- Attackers do not use PRA as their main methodology to select targets (I would add, they choose their targets based on their relevance - benefit to risk ratio - and potential economic or mental benefit).
- PRA works well for reliability in a benign environment.

Thinking outside PRA (e.g in product security)

Designing security:
- Economic terms help i.e. let's design a system that is cheaper to create than the effort to attack it (this takes even decades!).
- How much (money) can the attacker devote to hit us?
- Forget studying the probability of malice-based acts, get some people in your security team thinking like the opponent. Look for the malice.
- Commercial product creators are not thought to counter malice.
- Military principles e.g. simple interfaces are required when you counter malice.
- It takes time to design security (quick time to market is not possible).
- Will the product work under attack? This is a key question to answer.

Practising security
- Have an holistic attack team, at the design time, to systematically attack the product.
- 3 recommendations:
a. Make sure that you study the interactions among the different scenario dimensions and players. Pay more attention to the interactions.
b. Once you are under attack, whom can you call for help? Look for partnerships (especially intelligence sharing) in the industry arena, even among competitors (e.g. CERTS already do that).
c. Have some attack scenarios that you exercise yourself (even at design time). Think in advance and try to prepare yourself against them already at design time.

Food for thought. Enjoy and digest it!
Happy June!

Black Hat Europe 2011 Keynote by Bruce Schneier

noreply@blogger.com (always peace) — Sat, 30 Apr 2011 23:01:00 +0000

The following lines constitute a subjective summary and/or collection of thoughts triggered by the keynote that Mr. Bruce Schneier offered at Black Hat Europe 2011. The title of the keynote was cyberwar. An exciting word that nowadays reaches TV channels, radios and newspapers around the globe.

- At war, it is always important to know who is at war and why. In the cyber world, these two w-questions usually have no answer.
- The word war is paradoxical: In real wars, media try to avoid the word. However, media use often the word war in a rhetorical manner (the war on terror, the war against poverty, etc.).
- The Internet kill switch idea opens a new threat vector i.e. what about that switch falling into wrong hands?
- Regarding targeted attacks, if a company or individual is targeted, it will eventually be compromised. No doubt. It is only a matter of time and effort.
- Even though international treaties are sometimes of doubtful effectiveness, they could bring good to the cyberspace.
- In a nutshell, the current attacks in Internet increasingly show war-related tactics, strategies and methods. Therefore the hype of the word cyberwar.

Some additional thoughts:
- Skype is not eavesdropping-friendly.
- Commercial companies deal with risk only up to the value of their business. This is the reason why States need to bear residual risks if they can affect citizens (e.g. risk born by critical infrastructures).
- Human beings fear human attackers the most, then animal attackers and finally natural threats.
- Human beings fear invisible threats much more than those visible ones (personal note: this can be the reason why nuclear energy is so much feared).

And finally, a title... "dishonest minorities", his forthcoming book!

The video of the keynote is available at Black Hat Archives Site (not always available) and also in youtube.
Happy viewing!

Enchanting... also in IT security

noreply@blogger.com (always peace) — Fri, 01 Apr 2011 21:37:00 +0000

Intro
A new excellent guest on the Entrepreneurial Thought Leaders Lecture Series - Guy Kawasaki - I recommend viewing the video or, at least, listening to the podcast. The following paragraphs are a personal summary of the ideas presented by Mr Kawasaki. My proposal will be to have the IT security world in mind when reading this text and think how much (or less) of all this we already do (or can do)?

He presented some recommendations on how to be enchanting. He used the 10 point format so that the audience know when the presentation ends. He mentioned that normally CxOs go long and they are boring when they present. Sometimes, in security conferences, I wish the presenter could be both specific and entertaining.

Tips for the art of enchantment
First, you need to be likeable. For this, improve your smile, using the muscles that surround your eyes, and certainly the jaw muscles, dress for a tie with your audience i.e. follow their same level of elegance and have a great handshake because first impressions are important.

Second, after likeability, the next step is trustworthiness. For that, I highlight these points:
- If you can't do something, find someone who could do it for you better.
- Don't ask someone something you would not do yourself.
- Empower people to do tasks.
- Don't micromanage.
- Provide people with a high purpose.

How to enchant as a leader
Provide your people with a MAP:
- Mastery: The possibility to learn and excel on the things they do.
- Autonomy: The chance to perform tasks themselves.
- A higher purpose.

- Any company needs first to trust their people (employees, customers) and then they will trust the company.
- There are 2 kinds of people, eaters and bakers, the first ones see situations as zero sum games, the bakers see ways to get bigger and more pies for everyone.
- If you would like to enchant, then default to yes, think how you can help that person.

How to enchant with your products
Your products need to be DICEE:
- deep
- intelligent
- complete
- elegant
- empowering

- Your message need to be short sweet and "swallowable".
- Important point, present in many thought leaders today, tell a story, why did you start your company, your plan, your adventure?

- Before failing, consider you have failed and conduct a pre-mortem analysis, that way everyone around a product can speak freely and with less emotional load.
- Plant many seeds to obtain your critical mass.
- Use simple and understandable features, salient points, to sell your product.
- Discover who are the influencers? Most of the times, the influencers are not the executives. Executives are very high in the ladder. The air is thinner high in the ladder. Thin air is not good for intelligence.
- Forget the use of money with your customers, it brings complexity and lack of veracity.
- Sharing and glory, people don't do it for money

Invoke reciprocation
More than answering a "thank you" with a "you are welcome", tell them "I know you would do the same thing for me". This way, you tell them that you have class and ...that they owe you.

Enchanting up
Do what managers tell you to do, create a quick prototype, take little time to come back to show them if you are on the right track and, show them problems early, and preferably, propose a way forward.

Final thoughts
- in every presentation, customise the intro with local photos, sell your dream when you speak, use 10 slides for 20 minutes and 30 points font.
- Eliminate complexity.
- Answer within 24 hours.
- Use social networking, don't leave it only for when you have spare time.

Do you enchant while doing your job in IT security?
Happy enchantment!

Jack Dorsey: Running a business idea - applicable to IT security?

noreply@blogger.com (always peace) — Mon, 28 Feb 2011 23:08:00 +0000

What does this post have to do with security? Well, we will soon see it. Stanford University's entrepreneurship corner is one of those reasons why Internet is, even just for this, a great invention. From your screen at home or from our smartphone or mp3 player, we have access to lectures given my current entrepreneurs.

One of the latest lectures is the one given by Jack Dorsey, creator of twitter and square. I took note of some learning points, maybe subjective, out of his talk.

They are brilliant points to consider when creating a start-up within the IT security world. Do not forget them!

"Instrument" your company from day 1. The first thing he did in square (and not in twitter) is writing an admin control panel for their servers.
Be a story teller. You need to inspire your team and your customers with a story, your idea.
In the company, you act as the editor, composing the stories.
The team you build is not permanent, different players will need to enter and exit according to their profiles, the current story and the "required edition".
Internal communication: Everyone in the company will have the same priorities.
External communication: You communicate with the product, your product is "your story for your customers".
Money in the bank: The company needs it, firstly from investors and secondly, and more critical, from revenue.
Limit the number of details. Those details that stay need to be perfect.
A last sentence from his side:"expect the unexpected and, whenever possible, be the unexpected".

If you see value in these points, then listen to the entire podcast or watch the lecture.

Happy listening!

ps Thanks to the Stanford's Entrepreneurial Thought Leaders Seminar crew!

Social-engineer.org crew interviews communication expert Joe Navarro

noreply@blogger.com (always peace) — Tue, 01 Feb 2011 00:13:00 +0000

The episode number 14 of the Social Engineer podcast features an interview with the author and expert in non-verbal communications, Joe Navarro. This is a post with learning points extracted from listening to his interview.

Disclaimer: These lines do not substitute the listening of the interview. The statements mentioned are close to literal or slightly summarised or just a subjective interpretation. Kudos to the social-engineer.org crew!

Minute 17: Inmigrants in a country using a different language than their mother tongue need to be sensitive to body language and observe carefully.

Minute 18: Babies mimic gestures since their third week of life.

Minute 19: Babies with eleven months look for mood clues coming from their mothers.

Minute 20: Blue is a smoothing colour. Blue is predominant on TV.

Minute 22: When we see something beautiful, our pupils dilate. When we see something ugly, ours pupils contract. Our limbic system controls this.

Minute 31: A good observer focuses not only on the face but on the entire body. It is more difficult to lie when there is space among our fingers and we show our thumb.

Minute 36 and 37: People talking while looking at the same direction are more relaxed than people talking facing each other. Facing people create tension when talking.

Minute 41: You can calm someone down just by exhaling in front of them (they will mirror you).

Minute 47: A biographer of Kennedy mentioned that you can get anyone anywhere anywhen talk to you, you just have to tell them that you treasure their opinion.

Minute 55: The meaning of words: People in their fifties like to talk about problems, people in their thirties talk about issues. People like to talk with people like them.

Minute 66: When performing social engineering, assess whether the person does look comfortable to you.

Minute 66: In the US, the amount of time one should look someone else at their eyes is 1.8 seconds.

Minute 68: Arch your eyebrows when you greet someone. When arching the eyebrows, we burn sugar. We only burn sugar when we care. Babies respond to this action already when they are a week's old.

Minute 70: If you show space between your fingers, you are confident of what you are saying.

Minute 72: Some tips on using body language with your children.

Happy interview listening!

Pauldotcom crew interview Brian Krebs - They talk about digital fraud

noreply@blogger.com (always peace) — Sun, 02 Jan 2011 23:01:00 +0000

The pauldotcom crew interviews Brian Krebs in episode 219 (part 1) of their podcast. This is a post with learning points extracted from the interview.

Disclaimer: These lines do not substitute the listening of the interview. The statements mentioned are close to literal or slightly summarised or just a subjective interpretation. Kudos to the pauldotcom crew!

Minute 8: Brian's IT network was taken over by the lion worm.

Minute 10: People start in security because either they were hacked or they were hacking and decided to change sides and go to the more difficult defence.

Minute 14: He writes about topics that are news to him. This way, they will also be news to everybody else.

Minute 18: A lot of the bad guys have multiple identities in different fora. Most of them specialise on a specific topic and they outsource the rest. [...] They are somehow open since they need to be reachable by their clientele.

Minute 21: Outsourcing in cybercrime is a constant. Even testing services to assess outsourced tasks are outsourced.

Minute 24-26: Ukraine is one of the main sources of attacks, even more than Russia: very technically savvy individuals with very low payslips in legal jobs.

Minute 32: A lot of people buy spam-announced pharmaceutical products.

Minute 34: Their prescription runs out, suddenly they see those announcements and they buy them. The medicine seems to work and it is a third of the real price. However, there is no guarantee that the medicine has the same quality every time [also from minute 44].

Minute 36: Some of those cheap medicines are made in China or India.

Minute 37: Usually those sites ship a pack of "Viasgra" for free with any other order medicine requested.

Minute 39-40: Rogue pharmacy is the driver of fraud on Internet nowadays. Although it is probably not the most lucrative business.

Minute 41: The most lucrative business in cybercrime is stealing from a corporate bank account through a piece of malware sent to someone in the organisation.

Minute 41: Changing your online banking credentials regularly is hardly done nowadays. This is why stolen credentials are still valid months after.

Minute 48: The gas station card skimmers is currently over the top as a real business.

Minute 50: ATM skimming figures - average skimmer scam takes around USD 60000 (not confirmed figure).

Minute 52: Gift card fraud is huge. However, given the high margins gift cards have, sellers tolerate it.

Minute 66: We need to clearly explain to people the consequences of not caring about security.

Minute 67: (Unfortunately) Only life-threatening factors will make people security conscientious.

Minute 73: Brian Krebs is reachable for any anonymous security news anyone would like to share with the public.

Happy reading/listening!
Happy new year 2011!

Gray hat hacking: The ethical hacker's handbook - Book review

noreply@blogger.com (always peace) — Wed, 01 Dec 2010 22:35:00 +0000

The following is a brief [and biased] review of the pages of Grey Hat Hacking (2nd edition - 2007). In one sentence, I would borrow the book from a library to read it. Alternatively, I would buy it, read it and sell it afterwards.

The book: Gray hat hacking: The ethical hacker's handbook.
The authors: Shon Harris, Allen Harper, Chris Eagle, Jonathan Ness .
Publication year: 2007 - Second edition.
Publisher: McGraw-Hill.

chapter 1 ethics of ethical hacking
A very generic chapter, useful to read across and set the global scene. If you need to justify work in IT security - well structured and referenced such for example page 10 - the origin of the word hacker and ethical hacker. Clear statements such as security does not like complexity [however, I would add, we live in a complex world].

chapter 2 ethical hacking and the legal system
A summary of US laws related to IT security, for example the US Federal computer crime statutes and some acts like:
18 USC 1029, 18 USC 1030, 18 USC 2510, 18 USC 2701, Digital Milenium Copyright Act and Cyber Security Enhancement Act.

chapter 3 proper and ethical disclosure
A helicopter overview about ethical disclosure. They mention the month of the PHP/Browser bugs, the story of Michael Lynn and CISCO and refer to the CERT/CC vulnerability disclosure process of 45 days. The Organisation for Internet Safety and the Zero Day Initiative (by Tipping Point, owned by 3Com).

chapter 4 metasploit
It is a nice approach to launch and to own a box by learning how to use metasploit. They provide a thorough description of the use of the console and auxiliary modules. They start with a simple example, an unpatched XP Service Pack 1 machine missing the RRAS security update, mentioning first the basic use of basic commands to start with:

show
info
use
help
show options
set RHOST ipaddress
show payloads
set PAYLOAD payload-name
show options
show targets
set TARGET 1
exploit
info
show auxiliary
use option
show options
sessions -l
sessions -i number

and - second, exploiting client-side (browsers, email apps, media players, client sw in general) vulnerabilities with metasploit

A useful hint, to return to the metasploit console prompt we can use ctrl-z.
I would also highlight a curious comment: they mention that this way you can attack workstations protected by a firewall

I find very interesting the description they provide of meterpreter, a command interpreter to inject payload into the memory of the exploited process.
Meterpreter has core commands, file system commands, networking commands, system commands, user interface commands, making ven possible to migrate from one process to another.

They conclude this chapter with the use of metasploit as a man in the middle password stealer, configuring metasploit as a malicious SMB server. They also touch briefly cain (the password stealing tool) and finally they briefly refer to the link with nmap or nessus with db_autopwn and provide a brief description of what is inside a metasploit module.

chapter 5 - using backtrack
They talk about backtrack2. This chapter shows us how quickly things happen in the security arena. Their point on the usefulness of isorecorder and how to make changes in the distribution and make them persistent is somehow now outdated.

Part 2 of the book is called pen testing and tools - This name is a little bit misleading.

chapter 6 programming survival skills
I took with me: the year 1972, when Dennis Ritchie invented C, that Intel processors are little endian and Motorola are big endian. And some memorty related concepts:

- bss section is the below the stack section - to store global non initialised variables - the size is fixed at runtime
- heap section - to store dynamically allocated variables, it grows from lower addressed memory to higher addressed memory allocation of memory is controlled through malloc() and free() functions
- stack - used to keep track of function calls and grows from higher addressed memory to lower addressed memory - local variables exist in stack section

[ I think there is a typo, a 5 should be an index variable in page 131]

I also read the ATT assembly is normally used in linux and NASM is used by many windows assemblers and debuggers.

The chapter ends with assembly and python. Python objects are data types such as strings, numbers, lists, dictionaries and files dictionaries are similar to lists but their objects are referenced by a key. I like the python part - easy and to the point

chapter 7 basic linux exploits
You can read that a stack is FILO and some points on the importance of address space layout randomisation. I also took with me that perl is interpreted [e.g. perl -e 'print "A" x 600'] and that python is an interpreted object oriented language.

They mention sticky bits and the fact that shell code is actually binary. They keep providing valuable input regarding the memory:

- environment and arguments are stored in an area above the stack
- eip poins to the next instruction to be executed
- in metasploit we can find locations of opcodes with msfelfscan

chapter 8 advanced linux exploits
This chapter shows how to calculate the locations to overwrite the heap with buffer overflow exploits. They show how these techniques require time and effort. They explore the Windows debugger - from page 250 - and some point in OllyDbg on page 255. Important point, OllyDBg only works in userspace. For kernel space, we need to use another debugger like WinDbg. The end briefly mentioning the metasploit opcode database.

chapter 9 shellcode strategies
This is a very verbose and theoretical chapter. They include the use of gdb (debugger) and gcc (compiler) and mention the important role of objdump to get the shellcode.

chapter 10 writing linux shellcode
Interesting tips, the use of nasm -f elf, ld -0 and I think there is a typo on page 231.

chapter 11 basic windows exploits
This chapter states that Linux and Windows are driven by the same assembly language. The Microsoft C/C++ optimizing compiler and linker is touched upon,
cl.exe, together with cdb, ntsd and windbg.

chapter 12 basic passive analysis
The text turns now to present source code audit tools such as ITS4, rats, flowfinder and plint and a decompiler for Java named Jreversepro, stressing the importance of checking all user supplied data.

Code analysis tools mentioned in this chapter are:

- IDA pro as a powerful disassembler
- hex-ray (an IDA pro plug-in) as a decompiler
- binnavi - a graph-based analysis and debugging tool- binary code reverse engineering tool that was built to assist vulnerability researchers who look for vulnerabilities in disassembled code

and some other tools like:
- bugspam (an IDA plugin)
- chevarista (a static analyser)
- bindiff (useful to compare binaries and patched binaries)

chapter 13 advanced static analysis with IDA Pro
This chapter shows us that stripping a binary means removing all symbol information. We can also read that to learn what dynamic libraries an executable depends on, we can use dumpbin in WIndows, ldd in Linux and otool in Mac OS X. Additionally, this chapter also mentions:
- the fast library acquisition for identification and recognition (flair)
- the use of pelf and sigmake
- how to perform a manual load of program headers
- IDA's scripting language, IDC
- IDA plug-ins
- and finally, a brief reference to pro loaders and processor modules

chapter 14 advanced reverse engineering
This chapter starts with a nice statement: stress testing for SW developers is what vulnerability researchers call fuzzing. The tools they propose to use are:
- debuggers like gdb
- code coverage tools like process stalker
- profiling tools
- flow analysis tools
- menory use monitoring tools like valgrind, a memory debugging and profiling system
- and finally, fuzzers like SPIKE

chapter 15 client side browser exploits
This chapter mentions the concept of spear phishing (APT or targeted attacks are now the trendy name). As fuzzing tools, they propose:
- mangleme from freshmeat.net
- axfuzz and axenum - to check appearances of install, writeregval, runcmd, gethostname, rebootmachine
- AxMan and Internetexploiter
As a little detail, they use something called the "mark of the web" to make Internet Explorer behave as if we would be browsing external Internet zones.

chapter 16 exploiting Windows access control model for local elevation of privileges
These pages talk about SIDs and Access Tokens, Access Control Entries, SYstem ACLs and discretionary ACL while using some of the not so popular sysinternals tools.

chapter 17 Intelligent fuzzing with Scully
This chapter refers to the importance of protocol analysis in effective fuzzing. For that, they porpose the use of the Sulley fuzzing framework.

chapter 18 from vulnerability to exploit
As the title indicates, this chapter refers to the steps necessary to construct payloads (and the need to find the eip, the instruction pointer).

chapter 19 closing the holes: mitigation
Three concepts are described and discussed in this chapter: patching, binary mutation and third party patching.

chapter 20 collecting malware and initial analysis
They talk about malware and honeypots, the possibilities to avoid VM detection and the usefulness of honeyd and nepenthest. Names of tools proposed in this chapter for malware analysis are PEiD, UPX, strings, regshot, filemon, process explorer, process monitor (they don't mention this one but I do, together with capturebat log viewer), norman sandbox and map (malcode analysis software tool) from idefense.

chapter 21 hacking malware
More content yet on unpacking using PEiD, LordPE, IDA and Olly plugins and additional content on malware analysis.

Happy grey hacking reading!

Public DNS servers: Less privacy in exchange of a security layer

noreply@blogger.com (always peace) — Thu, 04 Nov 2010 01:23:00 +0000

There are several free public DNS servers on the Internet. Google, Scrubit and DNSadvantage are some of them. OpenDNS is the one I have selected to test in Ubuntu for a while. They offer web content filtering and basic protection against known phishing, botnets and some known worms.

Inserting in the /etc/resolv.conf the OpenDNS name servers is an easy task: Their name servers are 208.67.222.222 and 208.67.220.220. If you are using DHCP, add those name servers, separated by a comma, in the file /etc/dhcp3/dhclient.conf, using the following line:

prepend domain-name-servers 208.67.222.222,208.67.220.220;

There are however some additional steps to take if our ISP uses a dynamic public IP address. OpenDNS provides a simple utility for those using MS Windows or MacOS. In Linux, we have to follow the next steps. After visiting several sites that provide input on this scenario (e.g. in Ubuntu docs or in the ddclient site), I summarise only those effective valid steps:

0. Sign in to the OpenDNS site, create your network and configure your security and content filtering settings.

1. Install ddclient e.g. in Ubuntu

$ sudo apt-get install ddclient

2. Configure the file /etc/ddclient.conf in this manner
ssl=yes
daemon=300
protocol=dyndns2
use=web
server=updates.opendns.com
login=yourlogin
password=yourpassword
yournetworknameintheopendnssite

3. If there is a /var/cache/ddclient/ddclient.cache file, erase the "ip=" segment [although you can skip this step]

4. Now it is advisable to
4.1 Test ddclient using the command line
$ sudo ddclient -daemon=0 -noquiet -debug
4.2 Start the daemon at boot up by writing in the file /etc/rc.local the line
/usr/sbin/ddclient -daemon 300 -syslog
before exit 0.

5. The ddclient daemon can be stopped with
sudo killall ddclient
or started with
sudo /etc/rc.local

And ready to surf! Now they will gather all the sites you visit (privacy loss). However, that was already the case wih your ISP's name service.

These "secure" name servers can constitute an additional security layer for home browsers, provided that they require a naming service. However, if they type an IP address directly (or a trojan within their box), then there is no additional security layer. Sites like this one can provide the IP address of a site directly.

A little final note: These OpenDNS services, web filtering and basic phishing protection, take around 5 minutes to get updated with a new IPaddress. Take that into account, the first 5 minutes of use of your browser will provide "unprotected" web surfing.

Happy name resolution! (and happy to read your comments)

Little addendum triggered by a cunning comment from a committed reader: An alternative to the use of these public DNS servers is running your own DNS server, configured to obtain names from the Internet root domain name servers. Certainly, a better alternative from a security standpoint. However, this option is only viable for those IT savvy individuals with sufficient skills, and resources, to run their own name service.

Network Flow analysis by Michael W. Lucas - Book review

noreply@blogger.com (always peace) — Thu, 30 Sep 2010 22:28:00 +0000

Management schools teach you that someone or something is effective if they do the right things and they are efficient if they do the things right. The book "network flow analysis" by Michael W. Lucas (edited by no starch press and available in Amazon) is effective, it shows the thing you need to know about netflows, and efficient, it has the right lightweight format, although sometimes I have missed some explanatory drawings for those who learn visually.

The book is divided into an introduction and 9 chapters. Michael first explains the reason of the book in the intro and the difference between what network management tools give to the network expert and what working with network flows can provide.

I started then the book with chapter 1, where I really appreciated that the flow system architecture is right after the definition of a network flow. This avoids confusion and saves time to the reader. Actually, this topic of saving time to the reader and leading them to the point is a constant throughout the entire book. As a little suggestion, I would have added in this chapter a little disclaimer for the reader stating that some TCP/IP networking concepts should already be known by the reader (well, actually, surely readers will be network specialists).

Chapter 2 is the howto 101 to install and start operating with network sensors and collectors using the free flow-tools available in Google code. As a side note, I really liked to see in the book real command lines. This is the reason why I will keep the book close to my machine; it can really be used as a basic manual to install softflowd as a software-based network flow sensor and flow-capture as a flow collector. In addition to this, it was good to be reminded that the -arp switch in ifconfig enables a network interface without participating in arp.

Chapter 3 introduces the use of flow-cat and flow-print to view flows. In this chapter the junior network admin starts realising the potential value of net flows. My only "but" for this entire chapter is the reference to hexadecimal output. For future editions, I would propose to highlight and insert a little explanation when talking about flow-print -f 0 adding interface numbers by printing port and protocol info in hex.

Once the foundations have been laid out, chapter 4 refers to real life aspects of net flows such as filtering. For that, Michael proposes the use of flow-nfilter, building filters out of primitives, knowing that each primitive can only include one type of match. The bonus point for this chapter would be a nice little diagram showing how primitives relate to filters.

Chapter 5 follows the logical thread started by chapter 4: After filtering comes reporting. Actually, this is also a constant feature in this book. The reader never gets lost. It is easy to understand and follow the proposed script along the pages of the book. We learn how to use flow-cat in combination with flow-report and, later on, with flow-nfilter. This is one of the strong points of Michael's book. It is sure that smart network admins will come back to chapter 5 (and 6) regularly during their work time.

Chapter 6, at first glance, can be seen as hard core: Perl comes into the picture! However, Michael gives effectively readers through the jungle of installing Cflow.pm, so that FlowScan can work, while mentioning useful tools such as flowdumper, a tool that shows everything in the flow record. This chapter also mentions the difference between FlowScan and CUFLow.

Chapter 7 presents a collection of three tools: FlowViewer, FlowGrapher and FlowTracker. The first one is a web interface for flow-print and flow-nfilter, optimal mainly for network admins. The second one uses arbitrary flow data and the third one generates RDD-graphs based on flow data. This chapter introduces these tools and provides a basic manual, enough to start playing with them. Probably chapters 7 and 8 could trigger an entire new book on visualising net flows.

Chapter 8 is the step by step basic manual to use gnuplot, the generic graphical representation tool in Linux, in this occasion, certainly, for network flow data, but in itself, this chapter is a useful guide for anyone willing to start off "the gnuplot experience".

Chapter 9 belongs to the "swiss army knife" subset of this book (together with chapters 5 and 6). Once everything is installed, implemented and running. What do we do with it? Well, this chapter answers this question in a very practical way.

I have released a series of tweets (http://twitter.com/itsecuriteer) with a small number of valuable pearls coming out from reading this effective book. All in all, I agree with Mr. Bretjlich's comments about the book (see http://taosecurity.blogspot.com/2010/08/consider-reading-network-flow-analysis.html): A five-star book on network flows.

Finally, a little piece of advice, please read the afterword on page 189, where the author refer to key non-technical skills that all admins should have (and practise ;-)

Happy October reading!

Truecrypt and USB drives

noreply@blogger.com (always peace) — Thu, 02 Sep 2010 20:12:00 +0000

Human beings lose things. Laptops, smartphones and USB memory drives are things. We also lose them (see e.g. this piece of news). The data that any IT related hardware item can carry is often more valuable than the hardware itself. Truecrypt is a valid option to encrypt "losable" devices. This way, a third party would have a more difficult time to reach data stored e.g. in a USB memory drive.

Truecrypt exists for Linux, Mac OS and MS Windows (where there is also a portable version - however requiring local admin rights). Once it is installed, its GUI looks like this:

It can use both a file or an entire partition as encrypted container. Both options can be mounted in the system and all data stored there will be encrypted at rest. The symmetric encryption algorithms that Truecrypt can use are the following. According to speed and crypto strength needs, the use of AES is the recommendable option:

However, remember that the security of your container relies, not only on the strength of the encryption algorithm used, but also on the strength of the password used as authenticating credential. The tool also allows for the use, together with a strong password, of a keyfile, so that both elements are required to decrypt and use the container (it there is the need to base authenticating credentials, not only on something you know, but also on something you have).

Little note: If you need to encrypt a set of already existing files, then you first need to create an empty container, and afterwards, move the files there.

Final catch: The drawback of using Truecrypt to encrypt your USB memory drive is that you need Truecrypt executed whenever you use your files. The advantage, if your USB memory drive is lost, your data will be safer. Up to your risk management decision ;-).

Happy secure data transport!

Free of charge web-based photo geo-location - Exif data cleaning

noreply@blogger.com (always peace) — Sat, 07 Aug 2010 21:28:00 +0000

Digital photo files contain exif data. Typical items within exif data are camera model, date and time of the picture, and, if taken with a GPS-enabled device, also the GPS coordinates where the photo was taken. If that is the case, how can we geo-locate a picture?

The Exif Firefox Add-on is an easy way to read exif data. Once you have access to the GPS coordenates, the process is easy. Here we present the steps to geo-locate free of charge (and web-based) a photo:

From GPS coordinates to a real physical location:
- Go to tomtom routes and add the GPS coordinates as shown below,

For the reverse process, from a real physical location to GPS coordinates:
- Go to gpscoordinates.eu and enter the physical location as shown below,

A quick way to delete exif data in your pictures is opening them with GIMP, the GNU Image Manipulation Program, and saving them again unticking the advanced option of "save exif data".

Happy geo-location!

Sound in Ubuntu 10.04 - Security videos and podcasts

noreply@blogger.com (always peace) — Sun, 01 Aug 2010 19:08:00 +0000

Willing to enjoy security videos or podcasts such as the following ones?

Videos
- irongeek
- owasp
- schmoocon

Podcasts
- pauldotcom
- risky business
- eurotrash
- social engineer

... and, for whatever reason, your new installation of Ubuntu 10.04 does not provide you with sound in your laptop or desktop? Try this one:

user@machine:~$ sudo apt-get install gnome-alsamixer
user@machine:~$ gnome-alsamixer

This alsa-related sound app offers you a way to, usually successfully, control your speakers and micro in an easy manner. Pay special attention to the PCM control feature.

Happy listening!

By the way, does your machine enter into power saving mode while watching security videos? That is annoying. Try caffeine, a little python app.

Itsecuriteer in twitter

noreply@blogger.com (always peace) — Wed, 28 Jul 2010 21:10:00 +0000

Starting IT security and IT tweets here
Happy following ;-)

Decrypting AES-encrypted zip files

noreply@blogger.com (always peace) — Tue, 06 Jul 2010 23:57:00 +0000

7-Zip, available here with a GNU LGPL license, is capable of encrypting and decrypting with AES while compressing and decompressing files.

Once you install 7z in a Linux box (e.g. with the command line $ sudo apt-get install p7zip-full), the entire documentation on how to use the tool can be found locally in the path

/usr/share/doc/p7zip-full/DOCS/MANUAL/index.htm .

Some examples of command lines:

- to decrypt all docs while decompressing a zip file:
$ 7z e Zipfilename *.doc -r
- to create an encrypted zip file (or to add to an existing one):
$ 7z a Zipfilename -ppassword file.tozip
- to extract an encrypted zip file:
$ 7z x Zipfilename -ppassword

Happy 7z use!

Security Bloggers Network

noreply@blogger.com (always peace) — Tue, 06 Jul 2010 23:44:00 +0000

Dear readers,

This blog is now reachable from the security bloggers network. If you go to their site, the link appears on the right hand side, in the list of contributors.

Thanks to Alan Shimel, Chief Executive Officer of The CISO Group.