OpenPGP smartcards

I've been playing with a batch of OpenPGP cards that I got a while back. Very cool. You can use it for secure storage of your normal PGP keys, but you can also integrate it with PAM and SSH to use it for securing logins to your computer. Passwords aren't enough anymore.

I haven't got it working with OS X yet, but it looks like a pretty straightforward operation to get it set up.

Here is some more info. 


Posted by Ian S. Nelson Thu, 27 Apr 2006 13:45:00 GMT


FireBug

Sloshing around in Rails and playing with AJAX is fun and all, but we hit a roadblock the other day when trying to view the HTML source of AJAX-rendered components. You can't just hit Ctrl-U in Firefox to see the source. After some googling, FireBug is the tool that rocks.

FireBug lets you explore the far corners of the DOM by keyboard or mouse. All of the tools you need to poke, prod, and monitor your JavaScript, CSS, HTML and Ajax are brought together into one seamless experience, including an error console, command line, and a variety of fun inspectors.

Not only is this helpful for debugging web applications, but it'll help when performing web assessments. I particularly liked the feature which highlights the elements on the HTML page when you select the corresponding code in the FireBug console.

Posted by tate Tue, 25 Apr 2006 08:47:00 GMT


tough to find where to begin

I shouldn't be shocked, but I am. A piece of the conversation today we had with a client went something like this:

client: yeah, we also just found out we have an ex-employee logging in from the internet to our servers and helping other nurses with some computer tasks

us: um, you have an ex-employee logging into your servers remotely?

client: yes

Talk about scary. I wish I could say more. Let's just say this is relatively minor compared to other illegitimate activities this particular client is suffering from (e.g. knowledgeable attackers with clear targets).  It is quickly turning into one of those scenarios whereby you can’t trust the integrity of anything electronic.

On top of that, it’s another reminder of why it is so important to just know what is and should be happening on your network. Forget about all the fancy security solutions; what is important first is to understand why and how devices talk. Do these systems over here need to talk to these systems here? No. Why are they talking then?

This client has security point solutions in place, but they haven’t a clue what is happening or why.  If you spend the time to define the relationships, catching potentially illegitimate activity is a LOT easier.
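The point above is that once the legitimate relationships are written down, anything outside them stands out. Here is an added example of that idea, not code from the post: a constructed zone map and a constructed allow-list of (source zone, destination zone, destination port) relationships, run over a few constructed flow-log lines. Everything not in the allow-list is reported as a flow that needs an explanation, which is exactly the "why are they talking?" question; the remote login from the internet to a server shows up that way.

```python
import ipaddress
from collections import namedtuple

# Constructed zone map (assumed for the example): which subnets play which role.
# "internet" is the catch-all for anything not in a named internal zone.
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app_servers": ipaddress.ip_network("10.20.0.0/24"),
    "db_servers": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed relationship policy: the only conversations that should exist.
# Anything else is "why are they talking?" and gets flagged for review.
ALLOWED = {
    ("workstations", "app_servers", 443),
    ("app_servers", "db_servers", 5432),
    ("workstations", "internet", 443),
    ("workstations", "internet", 80),
}

Flow = namedtuple("Flow", "src dst dport proto")


def zone_of(ip):
    """Map an address to its zone; anything outside the named zones is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def parse_flow(line):
    """Parse one constructed flow record: '<src> <dst> <dport> <proto>'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto)


def find_violations(lines):
    """Return (flow, relationship) pairs whose relationship is not in ALLOWED."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        relationship = (zone_of(flow.src), zone_of(flow.dst), flow.dport)
        if relationship not in ALLOWED:
            violations.append((flow, relationship))
    return violations


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "10.10.4.7 10.20.0.5 443 tcp",      # workstation -> app server: expected
    "10.20.0.5 10.30.0.9 5432 tcp",     # app server -> database: expected
    "203.0.113.45 10.30.0.9 3389 tcp",  # internet -> database server RDP: undefined
    "10.10.4.7 10.30.0.9 5432 tcp",     # workstation straight to database: undefined
    "10.10.4.7 198.51.100.3 443 tcp",   # workstation -> internet HTTPS: expected
]

if __name__ == "__main__":
    for flow, relationship in find_violations(SAMPLE_FLOWS):
        print("needs explanation:", flow, "->", relationship)
```

The allow-list is deliberately tiny so that the output is readable; in practice the policy is the table you build while defining the relationships, and the flow source is whatever netflow or firewall log export is already available.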

Posted by tate Tue, 25 Apr 2006 08:13:00 GMT


idealism vs realism debate, great points

Here is a great post about security products and the idealist vs the realist. Below are two snippets, but go read it, it's good.

"Idealist : all security products designed to stop attacks/attackers are useless and snake oil, because a skilled enough attacker can always evade the HIPS/evade the NIPS/defeat the heap protection/own you."

"Realist : security products are useful and worth purchasing because they can stop unskilled attackers armed with off the shelf (freely downloadable) exploit frameworks like metasploit (although hd's recent talk at cansec stated that the new nips evasion techniques evade almost every product) and they stop actual malware as seen on the internets."

Posted by tate Mon, 24 Apr 2006 16:10:00 GMT


bug tracking, web-based tracking tools

Here is a great list and comparison chart for ... "known web-based tracker tools. I'm looking for a generic tool that can be used for anything (i.e. bug tracker, feature request tracker, and tech support/trouble ticket tracker"

http://geekswithblogs.net/flanakin/articles/CompareWebTrackers.aspx

Posted by tate Thu, 20 Apr 2006 05:39:00 GMT


"wacky govt project"

Dave Aitel referenced an interesting government project I hadn't heard about until reading a posting by him on dailydave. The project: http://cryptome.org/traceback.htm. To spark your interest, I grabbed some snippets:

  • " We seek to develop tools and techniques for the traceback of attacks carried out over information networks to their originating source."

  • " We are soliciting research that will significantly improve the science and practice of network traceback, and are seeking tools and techniques to increase our knowledge of the true source of an attack. We are seeking solutions for both IPv4 and IPv6 networks. We are particularly interested in tracing attacks involving confidentiality and integrity of information on IC networks. Therefore techniques designed for tracing anonymous packet flooding attacks causing denial-of-service (DDOS and DOS) in IC networks back to their source are not of interest."

  • "We are focused on tools and techniques for tracing attacks that involve single packets, encrypted payloads, "stepping stones" (compromised hosts), and similar attack attributes. We are seeking traceback solutions that perform in one or more of the following network environments: cooperative, non-cooperative, and hostile. Solutions for the non-cooperative and hostile network scenarios are of particular interest. We seek to develop a suite of IP traceback techniques that require:
    • Low to no Internet Service Provider (ISP) involvement
    • A minimum number of packets for traceback to include a single packet for certain traceback scenarios
    • Low memory requirements
    • Little or no overhead to the router."

  • White papers should identify what concealment methods their proposed tool can use to mask its operation, and what concealment methods used by an adversary it can overcome. An adversary's obfuscation techniques can include:
    • Introducing random delays before a packet departs from a stepping stone
    • Inserting chaff (padding) into stepping stone connections
    • Encrypted payloads
    • Single packet triggers for prepositioned malicious software
    • Spoofed IP addresses.

  • We are specifically interested in traceback techniques that can operate under one or more of the following conditions:
    • Can perform without violating current protocol semantics
    • Can perform without changes in the core routing structure
    • Are difficult to detect and evade by the attacker
    • Are useful for asymmetric communications (i.e., half duplex, in which only one direction of the communication is available)
    • Can operate in a passive mode, without requiring interventions
    • Are likely to be preserved across a long connection of stepping stones
    • Work through multiple internet hops, across jurisdictions and with non-cooperative or hostile Internet Service Providers (ISPs)
    • Can be performed without requiring interactive operational support from ISPs
    • Can be performed "post-mortem" after an attack has completed
    • Can be efficiently implemented and incrementally deployable.

  • We are seeking techniques that can trace the origin of a single IP packet delivered by a TCP/IP network in the recent past. The techniques to track individual packets in a network must be accomplished in an efficient, scalable fashion.

Posted by tate Tue, 18 Apr 2006 07:43:00 GMT


Internet Routing Tables, BGP, and lots of numbers.

Since working for Quova back in 2000, I've watched the default internet routing table grow from ~84,000 routes to 186,545 routes. A great mailing list to subscribe to for keeping abreast of statistics based on BGP summaries is [bgp-stats]. This APNIC page lets you subscribe to [bgp-stats] and you can learn about other APNIC mailing lists on this page.

One of the values I watched was the 'Number of addresses announced to Internet'. Currently it is 1,505,834,848 IP addresses. It was important at the time because Quova attempts to map every public IP address to a physical location. You can see % of available address space allocated, % of address space announced, and % of available address space announced. Anyway, chock-full of sometimes interesting numbers.

Below is a snippet (only the top section) of a single full analysis report:

Analysis Summary
----------------

BGP routing table entries examined: 186545
Prefixes after maximum aggregation: 103149
Unique aggregates announced to Internet: 91293
Total ASes present in the Internet Routing Table: 21958
Origin-only ASes present in the Internet Routing Table: 19079
Origin ASes announcing only one prefix: 9097
Transit ASes present in the Internet Routing Table: 2879
Transit-only ASes present in the Internet Routing Table: 69
Average AS path length visible in the Internet Routing Table: 4.5
Max AS path length visible: 24
Prefixes from unregistered ASNs in the Routing Table: 9
Special use prefixes present in the Routing Table: 0
Prefixes being announced from unallocated address space: 10
Number of addresses announced to Internet: 1505834848
Equivalent to 89 /8s, 193 /16s and 55 /24s
Percentage of available address space announced: 40.6
Percentage of allocated address space announced: 59.9
Percentage of available address space allocated: 67.8
Total number of prefixes smaller than registry allocations: 92023

To see the full analysis with all kinds of interesting information, here is the report for Sunday April 16th.
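To show where a few of the summary lines come from, here is an added example (not code from the post or from the APNIC report) that computes them for a constructed routing table: entries examined, prefixes after maximum aggregation, addresses announced, the "Equivalent to N /8s, N /16s and N /24s" breakdown, percentage of the IPv4 space, and a count of special-use prefixes. "Maximum aggregation" is approximated here as merging adjacent and overlapping prefixes regardless of origin AS, which is an assumption about the report's method.

```python
import ipaddress

# Constructed sample routing table (not the real one): adjacent /25s that aggregate
# to a /24, a more-specific already covered by its /24, and an RFC 1918 prefix.
SAMPLE_TABLE = [
    "198.51.100.0/25",
    "198.51.100.128/25",  # adjacent to the /25 above: aggregates to 198.51.100.0/24
    "203.0.113.0/24",
    "203.0.113.64/26",    # covered by 203.0.113.0/24, so it disappears on aggregation
    "192.0.2.0/24",
    "10.0.0.0/8",         # private space: counted as a special-use prefix
]

# Private address blocks used as the special-use list for this example.
SPECIAL_USE = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def equivalent_blocks(address_count):
    """Express an address count as whole /8s, then /16s, then /24s."""
    eights, remainder = divmod(address_count, 2 ** 24)
    sixteens, remainder = divmod(remainder, 2 ** 16)
    twentyfours = remainder // 2 ** 8
    return eights, sixteens, twentyfours


def analyze(table):
    """Compute the headline numbers of a routing-table summary for a list of prefixes."""
    nets = [ipaddress.ip_network(p) for p in table]
    # collapse_addresses merges adjacent networks and drops ones covered by a larger one.
    aggregated = list(ipaddress.collapse_addresses(nets))
    announced = sum(n.num_addresses for n in aggregated)
    special = sum(1 for n in nets if any(n.subnet_of(s) for s in SPECIAL_USE))
    return {
        "entries": len(nets),
        "after_max_aggregation": len(aggregated),
        "addresses_announced": announced,
        "equivalent": equivalent_blocks(announced),
        "pct_of_ipv4": round(100 * announced / 2 ** 32, 2),
        "special_use_prefixes": special,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_TABLE).items():
        print(f"{key}: {value}")
```

Feeding `equivalent_blocks` the report's own announced-address count reproduces its "89 /8s, 193 /16s and 55 /24s" line, which is a cheap sanity check that the breakdown is just repeated integer division by 2^24, 2^16 and 2^8.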

Posted by tate Mon, 17 Apr 2006 04:05:00 GMT


Forensic tools

I did some recent forensic work on a Terminal Server and I found NetAnalysis from Digital Detective a great tool to quickly analyze users' internet browsing activities. Not to mention it is relatively cheap (~$200) compared to the more popular commercial forensics tools. One of my ex-colleagues performs forensic work full-time and provided me with his hit list of preferred tools (what he uses 90% of the time):

EnCase: what is cool is you can mount via EnCase and boot an image in VMWare

AccessData's FTK: good for email and quick searching, and has a protected storage viewer so you can reveal passwords stored by IE, Outlook, list Autocomplete strings and passwords, etc.

Snapview, UltraEdit, IrfanView, SMART


Posted by tate Thu, 13 Apr 2006 20:15:00 GMT


Friday Fun

Friday Fun Crossword Puzzle

I have been reading the Head First series of books and they have been very entertaining. I would say they are the most exciting technical books I have read. So in the spirit of learning through fun I have created a crossword puzzle for you guys to solve. It is compiled from a hodgepodge of facts and should be fun to solve.

Good luck, and here are the answers.

Posted by Cory Stoker Sat, 08 Apr 2006 00:54:00 GMT