by AstralSin on 06-21-2008 in OpenSource

After a long wait, the definitive penetration testing live CD, BackTrack, has reached its final version and been released to the public.  BT3 offers some tools new to the BT arsenal, such as SAINT and Maltego.

SAINT has provided BT3 with a working version, but you do have to request an IP range license from SAINT, which is valid for one year (request 10.0.0.0/8, which will work for any other range).

Paterva has provided BT3 with a special version of Maltego under a community license specifically for BackTrack users.  Maltego is an information-gathering and link-analysis application with a lot of nice features.  Paterva has usage guides and videos on its website that are worth checking out.

Unfortunately, Tenable would not allow Nessus to be distributed with BackTrack 3.  This is a pity, as Nessus is an essential part of any pentester's arsenal.  BackTrack now comes in three flavors, though: live CD, USB, and VMware.  On the USB and VMware versions you can install Nessus yourself and keep it there.  I wish there was an open alternative to Nessus; it seems like it's always becoming more and more restricted.  Then again, we do now have SAINT, but I'll have to see if it's restricted in any way by having been modified for distribution with BackTrack.

Great job, BackTrack team.  I'll be giving BT3 a look-see over the next few days and I'll give it a more thorough review once I'm more familiar with it.



by AstralSin on 06-14-2008 in OpenSource

Lynis is a nice little application that checks a Linux system (and possibly other UNIX-like operating systems) for standard misconfigurations and possible security weaknesses.  Unlike system integrity verifiers like Tripwire or AIDE, Lynis doesn't monitor file changes; it audits the system's configuration and installed software for things an attacker could use.

It generates reports for review and includes a cron option that tunes the output for automated runs (no text color, certain switches set automatically to keep lines short, only the warnings printed).  You could even cron a script that emails you the results every time it runs, so you're kept up to date on its findings with minimal effort.
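The cron-and-email idea above, written out as an added example; this is not part of the original post and not Lynis's own code.  It assumes the --cronjob switch and that Lynis writes its findings to /var/log/lynis-report.dat as "warning[]=TEST-ID|text|details" lines, which is how the versions I know of behave; check lynis --help and the report path for yours.  The sample report at the bottom is constructed, not real Lynis output.

```shell
#!/bin/sh
# Added example (not Lynis's own code): run Lynis unattended and mail only
# the warnings.  Assumptions: the --cronjob switch exists, and the report
# file holds one "warning[]=TEST-ID|Description|Details" line per finding.
# Drop this in /etc/cron.daily/ (or call run_lynis_cron from crontab).

REPORT=${REPORT:-/var/log/lynis-report.dat}
MAILTO=${MAILTO:-root}

# Print "TEST-ID: Description" for every warning in report file $1.
lynis_warnings() {
    grep '^warning\[\]=' "$1" | sed 's/^warning\[\]=//' |
        awk -F'|' '{ print $1 ": " $2 }'
}

# Number of warnings in report file $1 (prints 0 when there are none).
lynis_warning_count() {
    grep -c '^warning\[\]=' "$1" || true
}

# The cron entry point: run the audit quietly (no colours, no prompts),
# then mail the warnings only if there are any, so a clean run is silent.
run_lynis_cron() {
    lynis --cronjob >/dev/null 2>&1 || { echo "lynis failed" >&2; return 1; }
    if [ "$(lynis_warning_count "$REPORT")" -gt 0 ]; then
        lynis_warnings "$REPORT" |
            mail -s "Lynis: $(lynis_warning_count "$REPORT") warning(s) on $(hostname)" "$MAILTO"
    fi
}

# Constructed sample report (not real Lynis output) so the parsing can be
# exercised on a machine without Lynis installed.
sample_report() {
    cat <<'EOF'
lynis_version=1.1.8
warning[]=AUTH-9328|Default umask in /etc/profile could be more strict|-
suggestion[]=FILE-6310|Place /tmp on a separate partition|-
warning[]=SSH-7408|PermitRootLogin is set to yes in sshd_config|-
EOF
}

# Demo on the sample; on a real box you would run run_lynis_cron instead.
sample_report > /tmp/lynis-sample.dat
lynis_warnings /tmp/lynis-sample.dat
```

The point of the count check is that a clean run sends nothing: a daily mail that says "no warnings" gets filtered after a week, whereas one that only arrives when something changed gets read.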

Lynis is still under development and doesn't do a great deal at the moment, but it has a plugin mechanism so you can extend its functionality.  I'm sure with time this software will evolve into something really useful.  Don't be afraid to contribute: if you're a system administrator or penetration tester, get in there and write some plugins or contribute code upstream.



by AstralSin on 06-13-2008 in OpenSource

Many of the internet attacks these days are DDoS (distributed denial of service) attacks, carried out by an attacker who has infected hundreds if not thousands of PCs with a trojan designed to flood a target on his command.  The collection of infected machines is called a botnet, and the infected computers are called zombies.  These zombie computers can be any computer in the world; the attacker doesn't care who his zombies are, just that they exist.  That means you could be the unwitting tool of a malicious user.  Trend Micro has released a new tool called RUBotted that runs in the background and looks for signs of bot infection.  I haven't personally tried this and I know very little about it, but it can't hurt to run it once and see if you're infected.  Even if you're not infected, it may not be a bad thing to keep it running in the background to make sure you stay that way.  This could be an option for IT departments that worry about the PCs on their networks becoming zombies, which is happening more often.

This is by no means a cure-all; you should still run your antivirus and antispyware software regularly and use smart downloading practices as a first line of defense.  RUBotted would only be a supplement to catch things your antispyware solution didn't.



by AstralSin on 06-13-2008 in OpenSource

SecurityTube.net is a new entry in the *tube genre of video aggregation websites.  It specializes in security videos of all types.  While YouTube and other sites have been a great resource for me, SecurityTube has the potential to be so much better.  It is still in beta and new features are being added, but it's a fully functional site with lots of interesting videos to watch.  The interface is a little bare, to be honest.  I think they're trying to separate themselves from the rest of the crowd, but it does need some polishing, and some features are missing (like volume controls).  Also, some of the videos are a bit hard to understand because the speaker is not a native English speaker, but you should be able to follow them well enough.

Here is a sample video about IP packet injection.

[embedded video]

The videos are divided into sections labeled Coding, Tools, Basics, and Fun, so you should be able to find what you're looking for relatively fast.  The site does have a search feature, of course, so if you know exactly what you need, you can find that as well.  Keep in mind that this is a new site, so it needs people to upload content.  I encourage everyone to do so and help make this site big!



by AstralSin on 06-05-2008 in OpenSource

Go read this fantastic post over on Ubuntu Unleashed that tells you how to harden your system with the largely unknown command sysctl.  With the script given there you tighten the kernel's TCP/IP stack against a number of network-level attacks: the man-in-the-middle tricks the IP stack can refuse on its own (ICMP redirects, source routing), packets arriving from spoofed source IPs, and a couple of other things.  It does nothing against attacks on the applications listening behind the stack, so it complements, rather than replaces, the rest of your hardening.  There are also some pretty geeky system tweaks in there, like file system performance increases and increases to the speed and efficiency of the TCP/IP stack.

I'm not sure this will work on other distributions, but if anyone wants to try it and report back, it'd be greatly appreciated.  Please also note that getting three errors when running that script is normal; those particular options have been removed from the latest Ubuntu kernel.  Read the comments on that page for more details.
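An added example, not the Ubuntu Unleashed script itself: it carries the network-hardening sysctls such a script sets and audits a kernel against them before you write anything to /etc/sysctl.conf, so you can see what still needs changing and which keys this kernel simply does not have (the "three errors are normal" case above shows up as MISSING rather than as an error).  The list of keys is my choice of the usual reverse-path-filter, redirect, source-route, SYN-cookie and martian-logging settings; the fake /proc/sys tree at the bottom is constructed so the audit can be shown without root.

```shell
#!/bin/sh
# Added example, not the Ubuntu Unleashed script the post links to.  It
# carries the network-hardening sysctls such a script sets (reverse-path
# filtering, no source routing, no ICMP redirects, SYN cookies, martian
# logging) and audits a kernel against them before you write anything to
# /etc/sysctl.conf.  Keys a kernel does not expose are reported as MISSING.

HARDENING='
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
'

# Print the lines to append to /etc/sysctl.conf (then `sysctl -p`).
sysctl_conf_fragment() {
    echo "$HARDENING" | grep '='
}

# Current value of sysctl $1, read from the /proc/sys tree rooted at $2
# (default /proc/sys); prints nothing if the kernel lacks the key.
read_sysctl() {
    f="${2:-/proc/sys}/$(echo "$1" | tr . /)"
    [ -r "$f" ] && cat "$f"
}

# One line per key: OK, FIX (wrong value) or MISSING (kernel lacks it).
audit_sysctl() {
    root=${1:-/proc/sys}
    sysctl_conf_fragment | while IFS='=' read -r key want; do
        have=$(read_sysctl "$key" "$root")
        if [ -z "$have" ]; then
            echo "MISSING $key"
        elif [ "$have" = "$want" ]; then
            echo "OK      $key=$have"
        else
            echo "FIX     $key=$have (want $want)"
        fi
    done
}

# How many keys still need changing (the number you want to see reach 0).
audit_fix_count() {
    audit_sysctl "$1" | grep -c '^FIX' || true
}

# Constructed fake /proc/sys tree so the audit can be shown without root
# and independently of the kernel this happens to run on.
make_fake_tree() {
    mkdir -p "$1/net/ipv4/conf/all" "$1/net/ipv4/conf/default"
    echo 0 > "$1/net/ipv4/conf/all/rp_filter"            # needs fixing
    echo 1 > "$1/net/ipv4/conf/default/rp_filter"
    echo 0 > "$1/net/ipv4/conf/all/accept_source_route"
    echo 1 > "$1/net/ipv4/conf/all/accept_redirects"      # needs fixing
    echo 0 > "$1/net/ipv4/conf/all/secure_redirects"
    echo 0 > "$1/net/ipv4/conf/all/send_redirects"
    echo 0 > "$1/net/ipv4/conf/all/log_martians"          # needs fixing
    echo 1 > "$1/net/ipv4/icmp_echo_ignore_broadcasts"
    echo 1 > "$1/net/ipv4/tcp_syncookies"
    # icmp_ignore_bogus_error_responses deliberately absent -> MISSING
}

# Demo against the fake tree; run `audit_sysctl` with no argument for the
# live kernel, and `sysctl_conf_fragment >> /etc/sysctl.conf` to apply.
FAKE=$(mktemp -d)
make_fake_tree "$FAKE"
audit_sysctl "$FAKE"
```

Reading /proc/sys directly rather than calling sysctl keeps the audit usable on any distribution and lets it distinguish a wrong value from a key the kernel was built without, which is exactly the distinction the "three errors" remark is about.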



by AstralSin on 06-05-2008 in OpenSource

I've found a nice tool for *nix systems called ArpON that helps detect and prevent ARP poisoning, the usual way to get a man-in-the-middle position on a local network.  It can operate in several different modes, the two primary ones being SARPI and DARPI.

SARPI stands for Static ARP Inspection.  In this mode ArpON keeps a static cache of the ARP entries it starts with (the trusted IP-to-MAC bindings) and checks every ARP reply seen on the network against that cache, refusing any reply that would change an existing binding.

DARPI stands for Dynamic ARP Inspection.  Operating in DARPI mode assumes the existing entries may already be poisoned, so it starts from an empty ARP cache and validates entries as they are learned.  The way this mode works is a tad confusing, so I won't go into much detail about it; rather, I'll refer you to ArpON's own page describing both SARPI and DARPI in more detail.
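The SARPI idea (a trusted table of IP-to-MAC bindings, against which everything seen later is checked) boiled down to a script, as an added example; it is not ArpON's code and uses none of its internals, and unlike ArpON it only reports after the fact rather than stopping the kernel from accepting a poisoned reply.  It parses arp -an and ip neigh show output, which I assume are the two formats you have; the listings at the bottom are constructed, not captures from a real network.

```shell
#!/bin/sh
# Added example illustrating the SARPI approach, not ArpON's code: snapshot
# the ARP cache while the network is known-good, then compare later
# snapshots against it.  Flags any IP whose MAC changed (the classic
# poisoned gateway entry) and any new IP claiming a MAC already bound to
# another IP.

# Normalise `arp -an` or `ip neigh show` output into sorted "ip mac" lines.
#   arp -an:  ? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
#   ip neigh: 192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
# Incomplete arp entries ("at <incomplete>") carry no MAC and are skipped.
normalise_arp() {
    awk '
        /\(.*\) at [0-9a-fA-F:]+ / { ip = $2; gsub(/[()]/, "", ip); print ip, $4; next }
        / lladdr / { for (i = 1; i <= NF; i++) if ($i == "lladdr") print $1, $(i+1) }
    ' "$@" | tr 'A-F' 'a-f' | sort
}

# Compare trusted snapshot $1 with current snapshot $2 ("ip mac" lines).
# Prints one line per anomaly and nothing when the cache matches.
arp_diff() {
    awk '
        FILENAME == ARGV[1] { trusted[$1] = $2; owner[$2] = $1; next }
        {
            if ($1 in trusted) {
                if (trusted[$1] != $2)
                    printf "CHANGED %s was %s now %s\n", $1, trusted[$1], $2
            } else if ($2 in owner) {
                printf "DUPLICATE-MAC %s uses %s already bound to %s\n", $1, $2, owner[$2]
            } else {
                printf "NEW %s %s\n", $1, $2
            }
        }
    ' "$1" "$2"
}

# Number of findings worth paging someone about (NEW hosts are just noise).
arp_anomaly_count() {
    arp_diff "$1" "$2" | grep -cE '^(CHANGED|DUPLICATE-MAC)' || true
}

# Constructed listings (not real captures).  The second one shows the
# gateway's MAC replaced by an attacker's card and an extra host reusing
# .30's MAC.
trusted_sample() {
    cat <<'EOF'
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.20) at 00:aa:bb:cc:dd:20 [ether] on eth0
? (192.168.1.30) at 00:aa:bb:cc:dd:30 [ether] on eth0
? (192.168.1.99) at <incomplete> on eth0
EOF
}
poisoned_sample() {
    cat <<'EOF'
192.168.1.1 dev eth0 lladdr 00:DE:AD:BE:EF:99 REACHABLE
192.168.1.20 dev eth0 lladdr 00:aa:bb:cc:dd:20 STALE
192.168.1.30 dev eth0 lladdr 00:aa:bb:cc:dd:30 REACHABLE
192.168.1.40 dev eth0 lladdr 00:aa:bb:cc:dd:30 REACHABLE
EOF
}

# Demo.  For real use: `arp -an | normalise_arp > /var/lib/arp.trusted`
# once while the LAN is clean, then run arp_diff from cron against a
# fresh snapshot and alert on a non-zero arp_anomaly_count.
trusted_sample  | normalise_arp > /tmp/arp.trusted
poisoned_sample | normalise_arp > /tmp/arp.now
arp_diff /tmp/arp.trusted /tmp/arp.now
```

The weak point is the same one SARPI has: the trusted snapshot is only as good as the moment you took it, so take it on a quiet network you have reason to believe is clean, and keep DHCP churn in mind before treating every NEW line as hostile.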

I've been experimenting with this tool the past couple of days and it seems to do a good job of preventing MitM attacks.  I've poisoned my own network with ArpON running and the poisoning doesn't seem to take effect.  I'll be playing with it more, and if I find any discrepancies I'll contact the author, help resolve the issues, and tell you about it so you can update if you have an older version.  BTW, if you're running a version you downloaded before June 3rd, 2008, you should update: a problem causing crashes in ArpON when poisoning was either enabled or disabled on the attacking machine was found and resolved.



by AstralSin on 06-03-2008 in OpenSource

The good folks over at Apple have released a nearly 250 page PDF detailing best practices, hardware security, the four smart card token types supported in Mac OS X (the Belgian National Identification Card (BELPIC), the Department of Defense Common Access Card (CAC), the Japanese government PKI card (JPKI), and the U.S. Federal Government Personal Identity Verification card, aka FIPS 201 (PIV)), and a bunch of other subjects.  The guide is targeted at more experienced users, primarily IT technicians with command-line experience.  Whether you have command-line experience or not, it's probably good to read it if you have a Mac.  Who knows, you might learn something in the process.  (You will, so read it.)

Here's a chapter listing:

Chapter 1, “Introduction to Mac OS X Security Architecture,” explains the infrastructure of Mac OS X. It also discusses the layers of security in Mac OS X.
Chapter 2, “Installing Mac OS X,” describes how to securely install Mac OS X. The chapter also discusses how to securely install software updates and explains permissions and how to repair them.
Chapter 3, “Protecting System Hardware,” explains how to physically protect your hardware from attacks. This chapter also tells you how to secure settings that affect users of the computer.
Chapter 4, “Securing Global System Settings,” describes how to secure global system settings such as firmware and Mac OS X startup. There is also information on setting up system logs to monitor system activity.
Chapter 5, “Securing Accounts,” describes the types of user accounts and how to securely configure an account. This includes securing the system administrator account, using Open Directory, and using strong authentication.
Chapter 6, “Securing System Preferences,” describes recommended settings to secure Mac OS X system preferences.
Chapter 7, “Securing Data and Using Encryption,” describes how to encrypt data and how to use Secure Erase to verify that old data is completely removed.
Chapter 8, “Securing System Swap and Hibernation Storage,” describes how to secure your system swap and hibernation space of sensitive information.
Chapter 9, “Avoiding Multiple Simultaneous Account Access,” describes how to avoid fast user switching and local account access to the computer.
Chapter 10, “Ensuring Data Integrity with Backups,” describes the Time Machine architecture and how to securely backup and restore your computer and data.
Chapter 11, “Information Assurance with Applications,” describes how to protect your data while using Apple applications.
Chapter 12, “Information Assurance with Services,” describes how to secure your computer services. It also describes how to protect the computer by securely configuring services.



by AstralSin on 06-02-2008 in OpenSource

Goosh is a neat new tool that provides a bash-like shell interface for interacting with Google.  As far as I can tell, all the standard Google functions are accessible, everything is output in plain text, and it renders very quickly.  It feels natural and will make your Google hacking much faster and easier.  By default it only shows the first four results, but you can show more with the 'more' command.  You can get a list of available commands by typing help.

While the interface looks like a standard Linux (UNIX) command line, if you try to run any of the familiar commands like 'ls', you'll just get a Google search for it, sorry :)  It's not a real machine sitting somewhere letting you access a shell; it's a specially crafted web app that emulates a shell while talking to Google.  It's an interesting, original, and just plain cool concept, and I suggest you all go try it out with your favorite Google hacks and report back on how everything works.



by AstralSin on 05-30-2008 in OpenSource

The flaw in Debian's OpenSSL package that made keys generated on Debian and Ubuntu systems predictable (it affects SSH keys and SSL certificates alike) has been fixed.  Make sure your system is up to date via apt, then check whether your keys are among the weak ones.  To check the keys in the standard locations, run

sudo ssh-vulnkey -a

This checks the host keys in /etc/ssh as well as every user's keys and authorized_keys files.

ssh-vulnkey /path/to/key

With this you can check any keys you've put in odd places.  If you don't know whether you've got keys in odd places, you don't.  If the command reports COMPROMISED, the key was generated with the broken OpenSSL and its private half is one of a small, published set of candidates, so anyone can recover it; treat every login it protects as open.  Note that ssh-vulnkey only knows about SSH keys; for SSL certificates and other OpenSSL-generated keys use openssl-vulnkey from the openssl-blacklist package.  If you do have compromised user keys, run

ssh-keygen

This generates a new key pair with the fixed OpenSSL, which draws its randomness properly again.  A bare ssh-keygen only replaces the user key it writes; the host keys in /etc/ssh are regenerated by reconfiguring the openssh-server package.  Remember that any other machine that already trusts the old key has to be updated too: install the new public key in authorized_keys wherever the old one was, and for a changed host key delete that host's entry from your known_hosts file so you pick up the new key at the next login.  For more information, hit up the Ubuntu USN page.
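What ssh-vulnkey leaves for you to do once it says COMPROMISED, as an added example that is not from the advisory or the original post: regenerating host keys the Debian/Ubuntu way, and scrubbing a client's known_hosts of a host whose key changed.  The known_hosts file at the bottom is constructed with placeholder key material; the parsing assumes plain (unhashed) host names, which is the default unless HashKnownHosts is on, in which case ssh-keygen -R is the tool.

```shell
#!/bin/sh
# Added example, not from the advisory or the post.  Two follow-ups after
# ssh-vulnkey reports COMPROMISED: host keys in /etc/ssh are regenerated by
# the openssh-server package (a bare ssh-keygen only makes a user key), and
# every client that already trusts the old host key has to forget it.
# forget_host() handles plain-text known_hosts entries; hashed entries
# (HashKnownHosts yes) need `ssh-keygen -R host` instead.

# Regenerate the host keys on Debian/Ubuntu.  Run as root; the package's
# configure step recreates any ssh_host_* key that is missing.
regen_host_keys() {
    rm -f /etc/ssh/ssh_host_*key /etc/ssh/ssh_host_*key.pub
    dpkg-reconfigure openssh-server
}

# Write $2 to $3 minus every entry whose host list (comma separated,
# "[host]:port" allowed, "@marker" lines included) names host $1.
# The original is left untouched so you can diff before replacing it.
forget_host() {
    awk -v h="$1" '
        /^#/ || NF == 0 { print; next }
        {
            f = ($1 ~ /^@/) ? 2 : 1          # host list follows @cert-authority etc.
            n = split($f, names, ",")
            keep = 1
            for (i = 1; i <= n; i++) {
                name = names[i]
                sub(/^\[/, "", name); sub(/]:[0-9]+$/, "", name)
                if (name == h) keep = 0
            }
            if (keep) print
        }
    ' "$2" > "$3"
}

# Number of entries in known_hosts $2 that name host $1.
known_hosts_entries() {
    tmp=$(mktemp)
    forget_host "$1" "$2" "$tmp"
    echo $(( $(wc -l < "$2") - $(wc -l < "$tmp") ))
    rm -f "$tmp"
}

# Constructed known_hosts; the key blobs are placeholders, not real keys.
sample_known_hosts() {
    cat <<'EOF'
# constructed sample
server.example.com,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAAplaceholderA
[git.example.com]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAAplaceholderB
10.0.0.7 ssh-rsa AAAAB3NzaC1yc2EAAAAplaceholderC
@cert-authority *.example.net ssh-rsa AAAAB3NzaC1yc2EAAAAplaceholderD
EOF
}

# Demo on the constructed file; nothing under /etc/ssh is touched.  On a
# real client: forget_host host ~/.ssh/known_hosts ~/.ssh/known_hosts.new
# and move the new file into place after checking it.
sample_known_hosts > /tmp/known_hosts.sample
forget_host 10.0.0.5 /tmp/known_hosts.sample /tmp/known_hosts.new
diff /tmp/known_hosts.sample /tmp/known_hosts.new || true
```

Matching on the parsed host list rather than grepping for the name is deliberate: a plain grep for 10.0.0.5 would also hit 10.0.0.50, and would miss the case where the host is one of several aliases on a single line.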



by AstralSin on 05-29-2008 in OpenSource

I recently went on a rant about crappy programming tutorials and I stand by my word.  I've recently been floating around in the world of Python and I gotta say, it's a pretty nice language.  It is a bit weird in the way it's structured, but it feels natural if you have good programming practices anyway, and at the end of the day it takes some work away from the programmer.  There are some pretty decent tutorials out there for it, but none stack up to How to Think Like a Computer Scientist - Learning with Python, 2nd Edition, by Jeffrey Elkner, Allen B. Downey and Chris Meyers.

This great free book presents both Python and programming concepts in a very easy to read format.  The authors have put basic programming concepts into understandable terms; it would be a quick and easy read for non-programmers while offering some interesting insight to intermediate programmers without boring them with the same old details they've read a million times.  It is my opinion that after reading this online book, anyone would be a better programmer.  Kudos, authors.


