
SECRE.TS

I started developing a random idea over the holidays but never finished it. I’m releasing its description here with the hope that someone will steal and then implement it :)

A hybrid social media platform using RSS feeds, Twitter-style messaging, and public, private, and group key-pair cryptography. It also solves the paradox of eventual decryption through the use of one-time pads and very precise randomization.

secre.ts enables the user to share cryptographically protected messaging to allow use over untrusted publicly accessible networks like the Internet.

As a messaging solution, secre.ts combines the greatest assets of email-like services with the most secure traits of a virtual private network connection. VPN solutions are fragile connections and cumbersome on both bandwidth and the processor. The secre.ts hybrid approach consumes processor, but the messages are broadcast in public, so connectivity is hugely increased and bandwidth isn’t impacted because the messages are received in cleartext.

Granted Wish: Traceroute pickling in scapy

A friend of mine sent in a script that worked for him.


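#!/usr/bin/env python

import pickle
import scapy  # scapy 1.x single-file module; newer releases expose traceroute via scapy.all

# pickler: run a traceroute and serialize the result object to disk
tr, un = scapy.traceroute(["www.harvard.edu"])
f = open("/tmp/pickle-out", "wb")  # pickle data is binary
p = pickle.Pickler(f)
p.dump(tr)
f.close()

# unpickler: load the object back (only unpickle files you wrote yourself;
# loading a pickle can execute arbitrary code)
f = open("/tmp/pickle-out", "rb")
u = pickle.Unpickler(f)
tr = u.load()
f.close()
print(" Original tr:----------------------------")
tr.display()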

I still couldn’t get this to work on my Ubuntu box. However, in a later chat with my colleague Elphine I found out that Ubuntu had its own package for scapy. So I used apt-get to install scapy and this time it DID work. This is great since now I can start sticking objects into a database and move on to the next task of combining arbitrary traceroutes for the purposes of making graphs. I’m still curious why this didn’t work when I simply downloaded the scapy.py code and executed it. Once I get some working code I’ll post it here.

A court ordered someone to switch to Windows to enable monitoring

A friend shared an interesting post with me from Ars Technica about a recent torrent website owner getting jail time.

One of the more interesting facts from the article was the disposition of a previous case in 2007 which somehow escaped my attention back then. Scott McCausland was forced to have his computer monitored as a condition of his probation. He noted in his blog that, “their software doesn’t support GNU/Linux (which is what I use). So, he told me that if I want to use a computer, I would have to use an OS that the software can be installed on.”
I think there is a snarky lesson in all of this. Windows is the choice of those who want to monitor your every move. Irony aside, McCausland “added a donation link to his blog to help pay for the cost of a Windows license.” This is a very real additional cost that wasn’t really considered by the judge. I’ve complained about this privately when the Extension School at Harvard offered a statistics class which only allowed the use of a Windows-based statistics program. This was not known to me when I signed up and I subsequently withdrew from the course (costing me both time and money) because I refused to deal with a Windows-only learning environment.

Tenable alters Nessus plug-in licensing. Still not Open

Dear Nessus Community,

On behalf of Tenable Network Security, we would like to thank you for making Tenable’s Nessus®
vulnerability scanner the most widely used scanner in the world. Over the last five years, we have seen
Nessus grow globally to over 5 million downloads and we have been there every step of the way. The core
Nessus engine is powered by our world-class vulnerability research content which includes over 20,000
plugins, enhanced features such as IPv6 scanning, free mailing lists, online search tools and free clients.
Nessus has become not only a popular tool for conducting security audits but we have extended its
capabilities to conduct agent-less patch audits and configuration audits, as well as locating sensitive data.
Looking forward, we plan to further increase functionality, such as SMBv2 support to better audit Windows
2008 and Windows Vista, and further expand our abilities to conduct even more comprehensive vulnerability
and configuration audits.

In the process, the Nessus scanning engine has been provided to our rapidly growing community as a free
download with research content licensed through two plugin subscriptions. Our Nessus users know these as
the “Registered Feed” and the “Direct Feed” subscriptions. These subscriptions have been available for over
three years and have been utilized by countless individuals, consultants, companies, governments and other
organizations.

We continually interact with the Nessus community and review our capabilities to ensure Nessus continues
to meet and exceed the needs of its users. Since creating and releasing the subscriptions, two distinct user
groups emerged. They are the home user and the commercial user. To better reflect the needs of our
community, we have decided to update our Subscription licensing policy and are announcing the planned
change (as outlined below and accompanied by a FAQ) that will go into effect on July 31st, 2008.

First, we will continue to enable all users to download Nessus for free.

Second, due to computers and personal networks having become ubiquitous in homes around the
world, Tenable will launch a “HomeFeed” with all Nessus vulnerability plugin updates for home users
at no charge and with no delay. We are excited to offer the latest vulnerability checks for
personal, non-commercial use and strongly encourage home users to audit their computers and
networks for the newest security flaws.

Finally, Tenable’s “Direct Feed” will be re-named to the “ProfessionalFeed” and the “Registered Feed”
will be discontinued. The ProfessionalFeed will entitle subscribers to the latest vulnerability and
patch audits, configuration and content audits and commercial support for their Nessus 3
installation. The ProfessionalFeed will serve as Tenable’s commercial subscription and will be
required for individuals and organizations that want to use Tenable’s Nessus plugins commercially.

The decision to alter the licensing policy is the result of significant deliberation and will benefit both home
users and commercial users. The change will ensure our ability to invest in the future roadmap for Nessus
and to expand our research, support and training capabilities to serve our growing community. We realize
this may affect some individuals, corporations and organizations that use the currently available “Registered
Feed” in production audits and commercial services. Because of this, Tenable is offering a 25 percent rebate
for the Direct Feed subscription service (normally available at $1200 per year), beginning May 14, 2008 until
July 31, 2008 only when purchased through Tenable’s e-commerce site.

Additionally, we understand that there are those in the Nessus community that serve broad social and
educational objectives and we want to make certain that qualified charitable and information security
teaching/training organizations have access to the ProfessionalFeed free of charge. To this end, Tenable will
provide ProfessionalFeed subscriptions to charity and teaching/training organizations at no cost for those
that qualify.

As always, Tenable will continue to perform the in-depth research, testing and development to keep Nessus
the leading vulnerability and network auditing tool available to both home and professional users.

excerpt directly from Tenable Network Security, Inc.

wget recon technique

I was looking for a novel way to recon a network for webservers and came up with a command line combination involving wget and find. The first stage is to use wget and download the index page of any server that responds. The second stage is to remove all the zero length files that will be written for non responsive but active IP addresses.

WGET STAGE
If you are assigned to scout a network range from 192.168.1.1 – 192.168.1.255 you can use a for loop and wget to quickly download index pages. Obviously this technique could be adapted for larger ranges but in this published form is best for Class C only.

for i in `seq 1 255`
do
wget -O 192.168.1.$i.html 192.168.1.$i &
done

Expanding the parameters of the wget command, we see that -O is used to write an output file with a specific name. Otherwise we will have filename collisions all over the place and, more importantly, we will have no idea what the originating server is. The & is used to put the process into the background and acts as a cheap form of parallel tasking. All of the requests will launch at the same time. Since we are limiting ourselves to a class C we won’t worry about overloading the machine.

ZERO LENGTH FILE STAGE
The resulting files will either have HTML in them or have a zero length. The zero length files will occur when the IP address is alive but there is no web server there to respond. To clean these up we use a clever technique for discovering these files using the find command.

# delete every zero-length regular file under the current directory
find . -type f -empty -exec rm -- {} \;

What is left is HTML code saved with a filename of the IP address where it was found.

Basic Ubuntu Server Hardening

This is a basic level of hardening for Ubuntu servers and should be considered a baseline. This tutorial will cover two topics: SSH and Firewall. This tutorial was prepared using Ubuntu Server 8.04 beta.

SSH
Edit the SSH daemon configuration file to move the SSH port away from 22. Most worms or bots are programmed to look at 22 and brute-force whatever is there. Moving to an unknown port is the easiest way to decrease the level of log activity.


zeroday> sudo vi /etc/ssh/sshd_config

Look for “Port 22” and change it to a different value. Anything above 1024 is fine.

# What ports, IPs and protocols we listen for
Port 65522

Now restart sshd

zeroday> sudo invoke-rc.d ssh restart

Firewall

Shorewall is an easy-to-configure front end for Netfilter and provides a basic level of perimeter protection for your server's Internet-facing interfaces.

zeroday> sudo apt-get install shorewall

Once the system is installed it will display an error message stating it can not start until configured. This is a "dummy proof" feature so that new users will not deploy Shorewall without making critical changes to the rules. Simply put it will lock out all inbound connections if deployed as is. This is a great way to stay secure but would prevent even ssh from working.

The first step is to copy the example configuration files

zeroday> sudo cp /usr/share/doc/shorewall-common/examples/one-interface/* /etc/shorewall

To allow the most basic of services we will add rules to allow inbound connections for the web server and ssh server.


zeroday> sudo vi /etc/shorewall/rules

Look for "Permit all ICMP traffic FROM the firewall TO the net zone" and add the following lines after the icmp rule:

  • ACCEPT net fw tcp 65522
  • ACCEPT net fw tcp 80

Your rules file should now look like this:

# Permit all ICMP traffic FROM the firewall TO the net zone

ACCEPT $FW net icmp
ACCEPT net fw tcp 65522
ACCEPT net fw tcp 80

The last two steps enable Shorewall to start up. The first change is in the shorewall.conf file.


zeroday> sudo vi /etc/shorewall/shorewall.conf

Look for the STARTUP_ENABLED variable and change it from "No" to "Yes". This is not case sensitive.

The file should end up looking like this:

#######################################
# S T A R T U P E N A B L E D
#######################################

STARTUP_ENABLED=YES

Lastly we need to change the shorewall file in /etc/default.


zeroday> sudo vi /etc/default/shorewall

Look for the "startup" parameter and change it from 0 to 1.

It should look like this when you are done

# prevent startup with default configuration
# set the following varible to 1 in order to allow Shorewall to start

startup=1

Now you are ready to start your firewall. It is a good idea to double check your work. I like to compare my edited configuration files to the originals using diff.


zeroday> for f in /etc/shorewall/*;
do
diff "$f" "/usr/share/doc/shorewall-common/examples/one-interface/$(basename "$f")";
done

Once you have confirmed the changes start up the firewall.


zeroday> sudo invoke-rc.d shorewall start
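
The script below is an added example, not part of the original tutorial: a pre-flight check that the four edited files agree with each other before Shorewall is started, in particular that every port sshd listens on has a matching ACCEPT rule, since a mismatch locks you out. The function names and the constructed sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the four files edited in this tutorial.

# Print every port sshd is configured to listen on (22 when none is set).
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; n++ } END { if (!n) print 22 }' "$1"
}

# Succeed if the rules file accepts inbound TCP from net to the firewall on port $2.
rule_allows() {
    awk -v port="$2" '
        $1 == "ACCEPT" && $2 == "net" && ($3 == "fw" || $3 == "$FW") && $4 == "tcp" {
            n = split($5, ports, ",")
            for (i = 1; i <= n; i++) if (ports[i] == port) found = 1
        }
        END { exit !found }' "$1"
}

# Args: sshd_config, shorewall rules, shorewall.conf, /etc/default/shorewall.
# Prints one line per problem; returns non-zero if any check fails.
check_baseline() {
    status=0
    for port in $(sshd_ports "$1"); do
        [ "$port" != 22 ] || { echo "WARN: sshd still listens on port 22"; status=1; }
        rule_allows "$2" "$port" ||
            { echo "FAIL: no ACCEPT rule for ssh port $port (lock-out risk)"; status=1; }
    done
    rule_allows "$2" 80 || { echo "FAIL: no ACCEPT rule for tcp 80"; status=1; }
    grep -Eq '^STARTUP_ENABLED=[Yy][Ee][Ss]' "$3" ||
        { echo "FAIL: STARTUP_ENABLED is not Yes"; status=1; }
    grep -Eq '^startup=1' "$4" || { echo "FAIL: startup is not 1"; status=1; }
    return $status
}

# Constructed sample: sshd moved to 65522 but the firewall rule was left at 22.
demo() {
    d=$(mktemp -d) || return 1
    printf 'Port 65522\n' > "$d/sshd_config"
    printf 'ACCEPT $FW net icmp\nACCEPT net fw tcp 22\nACCEPT net fw tcp 80\n' > "$d/rules"
    printf 'STARTUP_ENABLED=Yes\n' > "$d/shorewall.conf"
    printf 'startup=1\n' > "$d/default"
    check_baseline "$d/sshd_config" "$d/rules" "$d/shorewall.conf" "$d/default"
    rc=$?
    rm -rf "$d"
    return $rc
}

# With four file arguments check those files; with none, run the constructed demo.
if [ "$#" -eq 4 ]; then check_baseline "$@"; else demo || echo "(demo failed as intended)"; fi
```

Run it with the four real paths (/etc/ssh/sshd_config, /etc/shorewall/rules, /etc/shorewall/shorewall.conf, /etc/default/shorewall) before restarting sshd or starting the firewall from a remote session.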

mouseHole: A ruby web proxy

I have been thinking about writing a web proxy for a while. There are several projects that all involve web proxy technology. So tonight while searching for a simple one I found exactly what I’m looking for. mouseHole.

There are a lot of dependencies so be sure to run the following script.

echo "installing ruby and dev libraries"
sudo apt-get install ruby --assume-yes
sudo apt-get install ruby1.8-dev --assume-yes
echo "installing ruby gems"
sudo apt-get install rubygems --assume-yes
echo "installing hpricot gem"
sudo gem install hpricot --include-dependencies
echo "installing camping gem"
sudo gem install camping --include-dependencies
echo "installing activerecord gem"
sudo gem install activerecord --include-dependencies
echo "installing json gem"
sudo gem install json --include-dependencies
echo "installing mongrel gem"
sudo gem install mongrel --include-dependencies
echo "installing sqlite3 and libraries"
sudo apt-get install sqlite3 swig libsqlite3-ruby libsqlite3-dev --assume-yes
echo "installing sqlite3 gem"
sudo gem install sqlite3-ruby --include-dependencies

This is nearly automated; however, you will need to pick the versions of several of the gems (ruby, win32, jruby, etc). If there were a single piece of functionality I’d like from gem installs, it is the ability to automate this last bit. I’d like to have an option that says “assume the highest version of ruby” for each of those choices. --assume-highest-ruby-version ?

TrueCrypt finally coming to Mac OS X

Release scheduled for: February 4, 2008

Unfamiliar with TrueCrypt?


Creates a virtual encrypted disk within a file and mounts it as a real disk.

Encrypts an entire hard disk partition or a storage device such as USB flash drive.

Encryption is automatic, real-time (on-the-fly) and transparent.

Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:

1) Hidden volume.
2) No TrueCrypt volume can be identified.

Encryption algorithms: AES-256, Serpent, and Twofish. Mode of operation: LRW.

Further information regarding features of the software may be found in the documentation.

Wireless Resources

Wireless Users Groups
bawug.org Bay Area Wireless Users Group
nycwireless.net NYC Wireless Group
personaltelco.net Personal Telco Project
frars.org.uk FRARS Wireless lan working group
bawia.org Boston Area Wireless Internet Alliance
GBA 802.11 Greater Boston Area 802.11 Wireless Database
DC-WiFi Initiative Public WiFi advocates in Washington DC
Seattle Wireless Seattle Wireless group

Wardriving Resources

wardriving.com Wardriving news portal
www.sicheres-funknetz.de Wireless security portal (German)
www.netagent.at Wardriving and Wireless site (German)

Remote Desktop Connection (RDC) Settings

Remote Desktop connections support three security settings:

* The low security setting enables 40-bit or 56-bit encryption of all data transmitted from the client, such as keyboard and mouse data.
* The medium security setting enables 40-bit or 56-bit encryption of all data transmitted between the client and server.
* The high security setting provides 128-bit encryption of all data transmitted between the client and server.