SecurityTube.net is a new entry in the *tube genre of video aggregation websites. It specializes in security videos of all types. While YouTube and other sites have been a great resource for me, SecurityTube has the potential to be so much better. It is still in beta and new features are being added, but it's a fully functional site with lots of interesting videos to watch. The interface is a little bare, to be honest. I think they're trying to separate themselves from the rest of the crowd, but it does need some polishing, and some features are missing (like volume controls). Also, some of the videos are a bit hard to understand because the speaker is not a native English speaker, but you should be able to follow well enough.
Here is a sample video about IP packet injection.
The videos are divided into sections labeled Coding, Tools, Basics, and Fun, so you should be able to find what you're looking for relatively fast. The site does have a search feature, of course, so if you know exactly what you need, you can find that as well. Keep in mind that this is a new site, so it needs some people to upload content. I encourage everyone to do so and help make this site big!
Go read this fantastic post over on Ubuntu Unleashed that tells you how to harden your system with the largely unknown command sysctl. With the script given there, you effectively protect yourself against most network-based attacks, including man-in-the-middle attacks, packets from spoofed IPs, and a couple of other things. There are also some pretty geeky system tweaks in there, like file system performance increases and improvements to the speed and efficiency of the TCP/IP stack.
I'm not sure this will work on other distributions, but if anyone wants to try it and report back, it'd be greatly appreciated. Please also note that getting 3 errors when running that script is normal; those particular options have been removed from the latest Ubuntu kernel. Read the comments on that page for more details.
I've found this nice tool for *nix systems called ArpON that helps detect and prevent ARP poisoning attacks, aka Man in the Middle attacks. It can operate in several different modes, the two primary modes being SARPI and DARPI.
SARPI stands for Static ARP Protection and in this mode, ArpON stores a static cache of all the ARP entries it finds and compares ARP replies on the network to this cache to check if the IP addresses match the existing entries.
DARPI stands for Dynamic ARP Protection. Operating in DARPI mode assumes that entries may already be poisoned and creates a new ARP cache. The way this mode works is a tad confusing so I won't go into much detail about it, rather I'll refer you to ArpON's own page describing both SARPI and DARPI in more detail.
I've been experimenting with this tool the past couple of days and it seems that it does a good job of preventing MitM attacks. I've poisoned my own network with ArpON running and the poisoning doesn't seem to take effect. I'll be playing with it more, and if I find any discrepancies, I'll contact the author, help resolve the issues, and tell you about it so you can update if you have an older version. BTW, if you're running a version of this you downloaded before June 3rd, 2008, you should update. A problem causing crashes in ArpON when poisoning was either enabled or disabled on the attacking machine was found and resolved.
The good folks over at Apple have released a nearly 250-page PDF detailing best practices, hardware security, the four token models in OS X (Belgium National Identification Card (BELPIC), Department of Defense Common Access Card (CAC), Japanese government PKI (JPKI), and the U.S. Federal Government Personal Identity Verification, aka FIPS-201 (PIV)) and a bunch of other subjects. The guide is targeted at more experienced users, primarily IT technicians that have experience with the command line. Whether you have experience with the command line or not, it's probably good to read it if you have a Mac. Who knows, you might learn something in the process. (You will, so read it.)
Here's a chapter listing:
Chapter 1, “Introduction to Mac OS X Security Architecture,” explains the infrastructure of Mac OS X. It also discusses the layers of security in Mac OS X.
Chapter 2, “Installing Mac OS X,” describes how to securely install Mac OS X. The chapter also discusses how to securely install software updates and explains permissions and how to repair them.
Chapter 3, “Protecting System Hardware,” explains how to physically protect your hardware from attacks. This chapter also tells you how to secure settings that affect users of the computer.
Chapter 4, “Securing Global System Settings,” describes how to secure global system settings such as firmware and Mac OS X startup. There is also information on setting up system logs to monitor system activity.
Chapter 5, “Securing Accounts,” describes the types of user accounts and how to securely configure an account. This includes securing the system administrator account, using Open Directory, and using strong authentication.
Chapter 6, “Securing System Preferences,” describes recommended settings to secure Mac OS X system preferences.
Chapter 7, “Securing Data and Using Encryption,” describes how to encrypt data and how to use Secure Erase to verify that old data is completely removed.
Chapter 8, “Securing System Swap and Hibernation Storage,” describes how to secure your system swap and hibernation space from leaking sensitive information.
Chapter 9, “Avoiding Multiple Simultaneous Account Access,” describes how to avoid fast user switching and local account access to the computer.
Chapter 10, “Ensuring Data Integrity with Backups,” describes the Time Machine architecture and how to securely back up and restore your computer and data.
Chapter 11, “Information Assurance with Applications,” describes how to protect your data while using Apple applications.
Chapter 12, “Information Assurance with Services,” describes how to secure your computer services. It also describes how to protect the computer by securely configuring services.
Goosh is a neat new tool that provides a bash-like shell interface for interacting with Google. As far as I can tell, all the standard Google functions are accessible AND everything is output in plaintext and rendered very quickly. It feels natural and will make your Google hacking much faster and easier. By default it only shows the first 4 results, but you can show more with the 'more' command. You can get a list of available commands by typing help.
While the interface looks like a standard Linux (UNIX) command line, if you try to perform any of the familiar commands like 'ls', you'll just pull up a Google search for it, sorry :) It's not a real machine sitting somewhere letting you access a shell; it's a specially crafted web app that emulates a shell while interacting with Google. It's an interesting, original, and just plain cool concept, and I suggest you all go try it out with your favorite Google hacks and report back on how everything works.
The flaw affecting SSL certificates in Debian and Ubuntu systems has been fixed. You should make sure your system is up to date via apt and check to see if your keys are vulnerable. To check if your keys are vulnerable run
sudo ssh-vulnkey -a
This checks the validity of all the keys in standard locations.
ssh-vulnkey /path/to/key
With this you can specify any keys you've put in odd places. (If you don't know whether you've got keys in odd places, you don't.) If this command reports COMPROMISED, you've got a vulnerable key that is easily hacked, which means your SSH and hosted SSL connections are easily hackable. If you do have compromised keys, all you need to do is run
ssh-keygen
This will regenerate your keys with updated security mechanisms that aren't vulnerable. Remember that if you log in to that machine via SSH or SSL from another machine that has already connected to it, you'll have to update the keys there too. For SSH, all you have to do is edit your known_hosts file: delete the entry for that machine and you'll get the new key the next time you log in. For more information, hit up the Ubuntu USN page.
I recently went on a rant about crappy programming tutorials and I stand by my word. I've recently been floating around in the world of Python and I gotta say, it's a pretty nice language. It is a bit weird in the way it's structured, but it feels natural if you have good programming practices anyway, and at the end of the day it takes some work away from the programmer. There are some pretty decent tutorials out there for it, but none stack up to How to Think Like a Computer Scientist - Learning with Python, 2nd Edition, by Jeffrey Elkner, Allen B. Downey and Chris Meyers.
This great free book presents both Python and programming concepts in a very easy-to-read format. The authors have translated basic programming knowledge into more understandable terms; the book would be a quick and easy read for non-programmers while providing some interesting insight to intermediate programmers without boring them with the same old details they've read a million times. It is my opinion that after reading this online book, anyone would be a better programmer. Kudos, authors.
A new kind of malicious attack has been discovered. This one doesn't attack your programs or your data. It doesn't take advantage of some software flaw or bombard the network stack. This attack is more damaging. This attack is permanent. The Permanent Denial of Service attack is a relatively new method for attackers to cause harm to an organization.
Primarily targeting the update function in firmware, well-planned PDoS attacks can decimate a company's network infrastructure, bricking every switch, router, and firewall in the building. While this attack is brand new and hasn't even been found in the wild, it presents a devastating risk to a fairly benign part of IT systems. Embedded device firmware is usually something IT managers don't have to worry about often, and it's quite possible that if PDoS attacks, aka "phlashing", become prevalent, millions of dollars in equipment could be lost.
The method of doing this was discovered by HP Systems Security Labs. Rich Smith of HPSSL demonstrated his phlashing tool, PhlashDance, at the EUSecWest conference in London. It's basically a fuzzer that attacks the firmware's binaries and update protocol.
By default, VirtualBox OSE when installed from apt in Ubuntu uses its own internal DHCP server and is segregated from your LAN. This may not be an issue if all you need to access is the Internet, but if you need to access other machines on your network from it, or access it from other machines on your network, you'll need to set up a bridge. There are bits and pieces of how to do this on the Ubuntu forums, but I'm gonna lay it all out right here and tell you exactly what to do.
First, you'll need to set up a tun/tap interface in the Ubuntu host. We do that with the following commands:
We now have a new network interface called tap1. In VirtualBox, open your settings for whatever guest you're setting up and go to the Network section. Set "Attached to" to Host Interface and set the Interface Name to tap1.
That's it. You're done. Now your guest operating system will get its IP from your DHCP server. If, for some reason, you're not using a DHCP server, all you have to do is replace the line
sudo dhclient br0
With
sudo ifconfig br0 youripaddress
To have the tap interface automatically start every time you boot, you can set up an init script.
Stick that in /etc/init.d, save it as vbox-networking or something to that effect, and chmod +x it. It will then run every time your computer boots and you won't have to worry about it anymore. I'm using certain interfaces here like eth0, br0, tap1, etc., but you may have to change these depending on your system. eth0 is the NIC that's connected to the network, br0 is the first bridge I have set up, tap1 is the first tap I have set up. You can change all these to suit your configuration.
Note: This is true for Ubuntu, but it should be portable to any other distribution.
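The tap/bridge procedure above as a start/stop init-style script. This is an added example, not the post's own script: it assumes the tunctl (uml-utilities) and brctl (bridge-utils) tools of that Ubuntu era, the post's interface names (eth0, br0, tap1), and a TAP_USER account that runs VirtualBox; STATIC_IP swaps the dhclient step for the static ifconfig the post mentions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed tools: tunctl, brctl.
# Names follow the post: eth0 = NIC on the LAN, br0 = bridge, tap1 = guest tap.
NIC="${NIC:-eth0}"; BRIDGE="${BRIDGE:-br0}"; TAP="${TAP:-tap1}"
TAP_USER="${TAP_USER:-$(id -un)}"

# Print the commands that build the bridge, one per line, so they can be
# reviewed (or tested) before anything is executed as root.
bridge_up_cmds() {
    nic=$1; br=$2; tap=$3; user=$4; static_ip=$5
    printf '%s\n' \
        "tunctl -t $tap -u $user" \
        "brctl addbr $br" \
        "brctl addif $br $nic" \
        "brctl addif $br $tap" \
        "ifconfig $nic 0.0.0.0 promisc up" \
        "ifconfig $tap 0.0.0.0 promisc up"
    if [ -n "$static_ip" ]; then
        printf '%s\n' "ifconfig $br $static_ip up"   # no DHCP server on the LAN
    else
        printf '%s\n' "ifconfig $br up" "dhclient $br"
    fi
}

# Reverse the steps so 'stop' hands eth0 back to the host.
bridge_down_cmds() {
    nic=$1; br=$2; tap=$3
    printf '%s\n' "ifconfig $br down" "brctl delif $br $tap" \
        "brctl delif $br $nic" "brctl delbr $br" "tunctl -d $tap" \
        "ifconfig $nic up" "dhclient $nic"
}

# Execute each line read from stdin; with DRY_RUN set, only echo it.
run_lines() {
    while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then echo "+ $cmd"; else sh -c "$cmd" || return 1; fi
    done
}

case "${1:-}" in
    start) bridge_up_cmds "$NIC" "$BRIDGE" "$TAP" "$TAP_USER" "${STATIC_IP:-}" | run_lines ;;
    stop)  bridge_down_cmds "$NIC" "$BRIDGE" "$TAP" | run_lines ;;
    *)     echo "usage: $0 {start|stop}  (DRY_RUN=1 prints the commands only)" ;;
esac
```

Run `DRY_RUN=1 sh vbox-networking start` first to review the exact commands for your interface names before running it for real as root.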
A vulnerability has been found in Snort, the popular open source IDS. It seems that Snort doesn't properly reassemble fragmented IP packets, allowing an attacker to avoid detection. The issue has been fixed in Snort version 2.8.1, so if you can upgrade to that, you should immediately. Snort versions 2.6.x and 2.8.0 are vulnerable. Snort 2.4 is not vulnerable. There is a workaround if you can't upgrade right away. Find the preprocessor frag3_engine: ttl_limit line and set the value to 255, like so:
preprocessor frag3_engine: ttl_limit 255
This vulnerability allows an attacker to bypass all Snort rules. All an attacker has to do to exploit it is fragment IP packets to a specific host so that the TTL difference between fragments exceeds the maximum allowed, which by default is 5. This is a very easily exploited vulnerability, so you should update your Snort configuration immediately.
For more information regarding this vulnerability, read the public advisory over at iDefense.
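A config check for the workaround above, as an added example (not from the advisory or the post): it flags every frag3_engine line in a snort.conf whose effective ttl_limit is below 255, treating a line with no ttl_limit as using the default of 5 the post mentions. The sample config is constructed here for illustration.

```shell
# Added example, not from the original post or the iDefense advisory.
# Constructed sample snort.conf: three engines, only the last has the workaround.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first
preprocessor frag3_engine: policy linux, bind_to 192.0.2.0/24, ttl_limit 5
# preprocessor frag3_engine: ttl_limit 5   (commented out, must be ignored)
preprocessor frag3_engine: policy bsd, ttl_limit 255
EOF

# check_frag3_ttl CONF [DEFAULT]: print "line N: ttl_limit V" for each
# frag3_engine line whose effective ttl_limit is below 255; prints nothing
# when every engine carries the workaround. DEFAULT (assumed 5) applies to
# engine lines that do not set ttl_limit at all.
check_frag3_ttl() {
    conf=$1; default=${2:-5}
    grep -n '^[[:space:]]*preprocessor[[:space:]]*frag3_engine' "$conf" |
    while IFS= read -r entry; do
        lineno=${entry%%:*}
        line=${entry#*:}
        limit=$(printf '%s\n' "$line" |
                sed -n 's/.*ttl_limit[[:space:]]*\([0-9][0-9]*\).*/\1/p')
        [ -n "$limit" ] || limit=$default
        if [ "$limit" -lt 255 ]; then
            echo "line $lineno: ttl_limit $limit"
        fi
    done
}

# Lines 2 and 3 of the sample are reported; line 4 is a comment, line 5 is patched.
check_frag3_ttl "$SAMPLE_CONF"
```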