Archive for July, 2009

Reduce ssh brute force attempts…

If you’re still running sshd on port 22 (which you should change!) you’re probably getting hammered with brute force attempts.  Take a peek at /var/log/secure, or at the output of the “last” command (which reads /var/log/wtmp; “lastb” shows the failed logins recorded in /var/log/btmp), and have a look.  Moving the port cuts down the noise in your logs but is not a security control in itself; key-based authentication and PermitRootLogin no in sshd_config are what actually keep a guessed password from working.

There’s a great little application called “denyhosts” which will automatically add suspected brute forcers to your deny list (/etc/hosts.deny).

 

URL        : http://denyhosts.sourceforge.net/
License    : GPLv2
Description: DenyHosts is a Python script that analyzes the sshd server log
           : messages to determine which hosts are attempting to hack into your
           : system. It also determines what user accounts are being targeted.
           : It keeps track of the frequency of attempts from each host and,
           : upon discovering a repeated attack host, updates the
           : /etc/hosts.deny file to prevent future break-in attempts from that
           : host.  Email reports can be sent to a system admin.
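Here is an added example, in the spirit of what denyhosts does and not denyhosts’ own code: it parses the “Failed password” lines sshd writes to /var/log/secure, counts failures per source address (and which accounts were tried), and prints the /etc/hosts.deny entries for anything over a threshold.  The log lines are constructed using RFC 5737 documentation addresses; the threshold and the allow-list are assumptions.

```python
"""Count failed sshd logins per source host and emit /etc/hosts.deny entries.

Added example in the spirit of denyhosts; not denyhosts code. The log lines are
constructed (RFC 5737 documentation addresses); threshold and allow-list are assumed.
"""
import re
from collections import Counter, defaultdict

# Matches the "Failed password" lines sshd logs to /var/log/secure (syslog auth facility).
# "invalid user" is present when the account does not exist at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<host>\S+) port \d+"
)

# Constructed sample, not a real log.
SAMPLE_LOG = """\
Jul 12 03:14:07 web1 sshd[12345]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jul 12 03:14:09 web1 sshd[12347]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jul 12 03:14:12 web1 sshd[12349]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Jul 12 03:14:15 web1 sshd[12351]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jul 12 03:14:20 web1 sshd[12353]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Jul 12 03:15:01 web1 sshd[12360]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jul 12 03:15:05 web1 sshd[12362]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Jul 12 03:16:30 web1 sshd[12370]: Failed password for invalid user guest from 192.0.2.77 port 33000 ssh2
Jul 12 03:16:31 web1 sshd[12372]: Failed password for invalid user guest from 192.0.2.77 port 33002 ssh2
Jul 12 03:16:33 web1 sshd[12374]: Failed password for root from 192.0.2.77 port 33004 ssh2
"""


def analyze(log_text):
    """Return (failures per host, set of usernames tried per host)."""
    failures = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        failures[m.group("host")] += 1
        users[m.group("host")].add(m.group("user"))
    return failures, users


def deny_entries(failures, threshold=3, allow=()):
    """hosts.deny lines for hosts at or above the threshold, skipping allow-listed hosts.

    The allow-list matters: a mistyped password from your own management host
    would otherwise lock you out just like an attacker.
    """
    return [
        f"sshd: {host}"
        for host, count in sorted(failures.items())
        if count >= threshold and host not in allow
    ]


if __name__ == "__main__":
    failures, users = analyze(SAMPLE_LOG)
    for host, n in failures.most_common():
        print(f"{host:15} {n:3} failures, accounts tried: {sorted(users[host])}")
    print("\n# append to /etc/hosts.deny")
    print("\n".join(deny_entries(failures, allow={"198.51.100.7"})))
```

One caveat: sshd only honours /etc/hosts.deny when it was built with TCP wrappers (libwrap) support.  If yours was not, the same list works just as well as input to an iptables DROP rule.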

Penetration Testing & Capture the Flag

Penetration Testing

Nowadays penetration testing is where it’s at.  Whether you’re trying to learn security, become a white hat, or go into consulting, it’s a must-have skill.  However, it can be intimidating to know where to start.  Besides picking up books, the next best way to learn is through capture the flag events.

Important truths about pen testing

Capture the Flag

Computer/hacking capture the flag events are usually team-based, timed events where you’re pitted against several opponents and trying to earn the highest score.  Points are awarded for both offensive and defensive maneuvers.  Typically each team has a virtual machine it needs to defend while trying to exploit vulnerabilities in the other teams’ VMs.

The best place to find one in your area (besides attending a con) is your local 2600 chapter.  If they don’t hold CTFs, try a local information security club.  If you live in the mountains and can’t find either, you can use Hack This Site, which runs virtual CTF events 24/7.

Remember, hacker (white hat) and cracker (black hat).

Recap of Twitter document leak

There’s a great recap of the recent Twitter document leak here: http://www.thefaredge.com/?p=6996

In summary:

  • HC accessed a Twitter employee’s Gmail account by using the password recovery feature that sends a reset link to a secondary email address. In this case the secondary address was an expired Hotmail account; he simply registered it, clicked the link and reset the password. Gmail was then owned.
  • HC then read the mailbox, worked out what the original Gmail password had been, and set the password back to it so the Twitter employee would not notice the account had been changed.
  • HC then used the same password to access the employee’s Twitter email on Google Apps for your domain, getting access to a gold mine of sensitive company information from emails and, particularly, email attachments.
  • HC then used this information, along with additional password guesses and resets, to take control of other Twitter employees’ personal and work email.
  • HC then used the same username/password combinations and password reset features to access AT&T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave HC access to full credit card information in clear text. HC now also had control of Twitter’s domain names at GoDaddy.
  • Even at this point, Twitter had absolutely no idea they had been compromised.

The whole chain rests on two things: passwords reused across personal and work accounts, and reset flows that trust a secondary address nobody checked was still under the owner’s control.
Incident Response Plan Testing

Having a documented incident response plan is a must for any business (unless you’re using managed security services).  However, I’ve found that few organizations actually test their plans.  The same goes for DR and BCP plans: I don’t see any value in creating a plan if you’re not testing it regularly as personnel come and go, change roles, etc.

I was at a recent event where they provided some great sample exercises, which I’ve included below.  Take a look; these really stretch your imagination but are things you need to be considering.  Have some fun, make a day of it, and make sure you get the necessary people involved.  If you don’t get the appropriate level of sponsorship you’re going to have trouble getting any plan to succeed.  Do you want to be woken up at 3:30 in the morning with a potential breach and have no idea where to start?

Incident Response exercises

Malware Analyzers Part Deux

Several weeks ago I posted about different free malware analyzers (sandbox environments).  I’ve stumbled across another free tool from Mandiant, their Red Curtain offering.  Red Curtain scans a given local directory or drive and analyzes each file, assigning it a threat score.  It takes into account whether the file is signed, whether it is packed, and its entropy, any of which could be suspicious.  Keep in mind that legitimately compressed or encrypted files (installers, archives, encrypted documents) light up the entropy check for the same reason packed malware does, so treat the score as a ranking of what to look at first rather than a verdict.

Another plus is that the tool can be deployed remotely, which is great for LAN and enterprise environments.

*I believe all their tools run only on Windows.
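To make the entropy part of that scoring concrete, here is an added example (my own code, not Mandiant’s Red Curtain): it computes the Shannon entropy of a buffer, looks for any high-entropy window that would indicate a packed or encrypted region buried inside an otherwise ordinary file, and rolls that together with the signing status supplied by the caller into a simple score.  The sample buffers are constructed inline (plain text, zeros, seeded pseudo-random bytes standing in for packed code, and a mix of the two), and the thresholds and weights are my assumptions, not Red Curtain’s.

```python
"""Entropy-based packing heuristic, in the spirit of Red Curtain's entropy check.

Added example, not Mandiant code. Thresholds, weights and sample data are assumptions.
"""
import math
import random
from collections import Counter

# Assumed thresholds (bits per byte). Compressed or encrypted data sits near 8.0;
# native x86 code is typically around 6, English text around 4.5.
PACKED_REGION_ENTROPY = 7.0
HIGH_FILE_ENTROPY = 6.5


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant buffer, approaching 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def max_window_entropy(data, window=1024, stride=256):
    """Highest entropy of any window, so a packed or encrypted region hidden inside
    a mostly plain file still stands out even when the file as a whole looks ordinary."""
    if len(data) <= window:
        return shannon_entropy(data)
    return max(shannon_entropy(data[i:i + window])
               for i in range(0, len(data) - window + 1, stride))


def threat_score(data, signed):
    """Return (score 0-100, reasons). `signed` is whether the caller verified an
    Authenticode signature; parsing PE signatures is out of scope for this example."""
    score, reasons = 0, []
    region = max_window_entropy(data)
    whole = shannon_entropy(data)
    if region >= PACKED_REGION_ENTROPY:
        score += 50
        reasons.append(f"high-entropy region ({region:.2f} bits/byte): likely packed or encrypted")
    if whole >= HIGH_FILE_ENTROPY:
        score += 20
        reasons.append(f"whole file is high entropy ({whole:.2f} bits/byte)")
    if not signed:
        score += 30
        reasons.append("no valid code signature")
    return score, reasons


# Constructed samples. Seeded pseudo-random bytes stand in for a packed section.
PANGRAM = b"The quick brown fox jumps over the lazy dog. "
TEXT_SAMPLE = (PANGRAM * 100)[:4096]
ZERO_SAMPLE = bytes(4096)
_rng = random.Random(2009)
PACKED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))
# Ordinary text with a 1 KiB packed blob buried in the middle.
MIXED_SAMPLE = TEXT_SAMPLE[:2048] + PACKED_SAMPLE[:1024] + TEXT_SAMPLE[:1024]

if __name__ == "__main__":
    for name, buf, signed in [("text", TEXT_SAMPLE, True), ("zeros", ZERO_SAMPLE, True),
                              ("packed", PACKED_SAMPLE, False), ("mixed", MIXED_SAMPLE, True)]:
        score, reasons = threat_score(buf, signed)
        print(f"{name:7} entropy={shannon_entropy(buf):.2f} score={score:3}  {'; '.join(reasons)}")
```

The windowed check is the part worth copying: a dropper that is 95% benign-looking code with one encrypted payload section has an unremarkable whole-file entropy, and only the per-window maximum catches it.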

Google Hacking

Google hacking has been around for a while but unfortunately it is still very relevant.  Because the Google crawler indexes so much, you can use it to discover sensitive data that was never meant to be public: password files, directory listings, and vulnerable versions of web servers, forum software, etc.  The same search operators that make the GHDB queries work (site:, inurl:, intitle:, filetype:) let you restrict them to your own domains, which is the quickest way to find out what you have exposed before someone else does.

Google hacking database: http://www.hackersforcharity.org/ghdb/

UNetbootin: Live CDs to thumb drives made easy

I’ve always found it a major pain to correctly install a Live CD onto a thumb drive.  You want to do this for SPEED.  Have you tried running Backtrack from a thumb drive?  Load times are incredible and there’s none of that annoying spin of the CD drive.  Of course it’s faster; you’re comparing optical media to solid state.  Just like my R1 to your Civic Si….

The tool could not be simpler: feed it any .ISO and tell it which mounted device it should install to.  It handles creating the necessary [boot] partitions and sizing them accordingly.  Do double-check the device you select, since it will write a bootloader to whatever you point it at.  So far I’ve tried it with Backtrack 3, 4 and Helix.

Download the multi-platform tool here: http://unetbootin.sourceforge.net/


Unlock iPhone: Run unofficial applications

I just came across these steps in Wired to jailbreak your iPhone so it can run unofficial applications:

1. Update iTunes and the iPhone app installer

2. Download Pwnage Tool

3. Select “simple mode” and install Cydia

*If anything goes wrong you can reverse the process using the iTunes system restore.

**I don’t own an iPhone.  I use a Blackberry because I would rather accidentally leave a Blackberry lying around than an iPhone.  There’s no comparison in terms of privacy, encryption, and the confidentiality of your data.  Maybe this will warrant a future post…

Sourcefire (Snort) Network Security Seminar

Last week I attended a seminar by Sourcefire.  Their CTO, Martin Roesch, was the speaker.  The topic was “Your Network Security Isn’t Good Enough Anymore”.  This seminar was ultimately a sly sales pitch for Snort, their IDS product.  Roesch talked about how there are several IDS products of equal quality available now; there is much less market differentiation between them.

Two problems:

1) No one is taking the time to properly configure and tune the IDS for the environment it’s placed in, meaning thousands of events with many false positives.

2) The IDS events being generated are not monitored, and the average time from initial breach to compromise is down to minutes in some cases, meaning you don’t have time to wait.

The next generation of Snort intends to solve both of these problems.  They’re calling the new version “Adaptive IPS”; it features their real-time network awareness (RNA) technology.  The RNA module constantly surveys your network, taking inventory of OSes, services, protocols, and potential vulnerabilities.  It then pushes configuration changes to Snort, auto-tuning the IDS for your network.  I haven’t tried RNA myself, but Roesch claimed several customers have seen a 90+% reduction in the number of IDS-generated events.  With this dramatic reduction in events to monitor there should be no excuse not to monitor your network.

Now, if Sourcefire can create a module that will monitor and act on events, we won’t need NOCs anymore….