Archive for the ‘Privacy’ Category

P0wned by a QT movie

Monday, March 12th, 2007

This is from another one of my favorite blogs: Didier Stevens.

I found this entry enjoyable because it’s yet another one of those “Owned by MySpace” posts. It’s also really well written and very easy to follow (even for a newcomer).

Here’s a link to the blog entry:
http://didierstevens.wordpress.com/2007/03/12/p0wned-by-a-qt-movie/

Embedding JavaScript inside a QuickTime movie is nothing new, as GNUCitizen discussed back in September, but it’s good to actually see it in the wild.

Microsoft Private Folder

Thursday, July 20th, 2006

I found this at: http://kaosx.net/?q=node/6

Here’s an excerpt from the site:

Microsoft released private folder recently, which is something that is commonly asked for by users. “How do I create a password protected folder?” I’m normally using fileshares off of a samba box and have permissions set so it’s not something I usually think about, but for those less technically inclined (or those that want some simple protection) this might be just the thing you’re looking for.

I know you 1337$@uC3 guys will be like “just use truecrypt” but if you already have a solution, that’s great, rock on. I really do like truecrypt and have a partition on my flash drive so I hear you there.

But I digress.

Microsoft describes private folder as

“Microsoft Private Folder 1.0 is a useful tool for you to protect your private data when your friends, colleagues, kids or other people share your PC or account. With this tool, you will get one password protected folder called ‘My Private Folder’ in your account to save your personal files. Download and have your private folder today!

The following hardware and software are required to run Microsoft Private Folder 1.0:

Microsoft Windows XP Home Edition, Professional Edition and Media Center Edition with SP2
Super VGA (800 x 600) or higher-resolution video adapter and monitor

Please note: Microsoft Private Folder 1.0 is provided specifically for genuine Windows customers, and requires genuine Windows validation in order to download. The software is free, and does not come with product support.”

Personally, I use TrueCrypt since it offers a lot more features than MS Private Folder, but for the average home user, this looks like a great piece of software.

THE Visual Guide To Penetration Testing

Monday, July 17th, 2006

THE Visual Guide To Penetration Testing

As posted on one of my favorite blogs, A Day in the Life of an Information Security Investigator

What’s that? You really want a visual guide to penetration testing? Something that covers:

- Enumeration tools (nmap, firewalk, amap, nbtscan, hping, scanrand, sinfp, etc.)

- General Vulnerability Scanning Tools (nessus, typon, NGS Squirrel, MatriXay, SARA)

- Exploit Engine Tools (metasploit, manual SQL injection, etherape, netwox, hijetta)

- Pre-inspection visit steps (EVERYTHING!)

- Password Cracking (JtR, L0pht, Rainbow, pwdump)

- Network Recon (whois, samspade, google, social engineering, dumpster diving, zone transfers)

- Enumeration results steps (what if a certain port IS open?)

- Command line examples of each tool

Something that could be printed out and be your all-in-one guide to penetration testing?

SHAZZAM!

Behold, your wish has been granted.

This is a must see!

Chief

Intro to TrueCrypt

Tuesday, June 20th, 2006

TrueCrypt is free, open-source disk encryption software for Windows XP/2000/2003 and Linux. You can also create an encrypted volume on a USB key, load the “traveller” version of TrueCrypt on the USB key, and then mount and dismount your encrypted volume from any computer (that you have Admin privileges on).

IronGeek has put together a very nice video on using TrueCrypt. If you’ve never been to his site before, you have to check out his other tutorials and videos!

And on to the video: http://irongeek.com/i.php?page=videos/truecrypt1

Secure web browsing at any Wifi hotspot

Saturday, May 20th, 2006

If you know anything about wireless, you know it’s not secure. I’m not talking about hacking INTO a wireless network, I’m talking about eavesdropping on the other people connected to the same hotspot you’re connected to. OK, maybe YOU don’t like to eavesdrop on everyone else, but I do.

Since I like to eavesdrop, I assume that other people like to eavesdrop, and that bothers me. I don’t want someone knowing my POP3 password, or my AverageAdmins password, or my AIM password (though this article doesn’t cover protecting your AIM password), or any of my forum or other website passwords. I guess I could set up a VPN at my house, but that would require figuring out how (which is probably pretty easy) and more importantly, it would require that the router at the hotspot be programmed to allow VPN traffic through AND it would require my ISP at home to allow VPN connections inbound. Sure you could set up an SSL VPN, but my ISP blocks port 443 inbound.

So, why not SSH to your box at home, do a little port forwarding trickery, and then configure your web browser to use your proxy at home? Now all of your web traffic is proxied to your house over an encrypted SSH connection. No more eavesdropping!

It seems that joe over at AdminSpotting.com has written an excellent article on doing just this.

You can find his article here: http://adminspotting.net/howtos/Secure-and-Private-Browsing-with-Squid.html

===============================

Secure and Private Browsing with Squid

Browsing a site that supports SSL is a definite way to make sure no one can snoop in on what you’re doing — which is a good thing when you’re doing something personal like checking email over the web or buying something from amazon. But if you’re just doing stuff like reading the daily news or checking movie times, is privacy that important? The ultra-paranoid will give a resounding “yes” to that question while most people will just shrug. I find myself in between those two parties. At home while I’m reading the news, I could care less if the traffic is encrypted or not. However, when I’m at a public wi-fi spot, it does bother me a bit.

Most public areas that allow access to the internet have absolutely no security in place. Need a good eye-opener? Next time you’re at a public hotspot, take a copy of the dsniff tools.

This article will show you a way to protect yourself from something like this — in a way. This article will only show you how to protect your web traffic. If you still decide to talk to your CEO over AIM about some ultra-secret product coming out next week while waiting for your next flight, this won’t save you. Squid can, of course, proxy requests for other applications besides HTTP, but HTTP is all I’ll be covering. Maybe I’ll go over other applications in another article.

OK, let’s get started. Here’s what we’ll need:

- A server running Squid on some other network.
- A laptop with ssh and port-forwarding support.

What we’re going to do is set up a Squid server somewhere outside the network we’re currently on. Squid will only accept connections from the server itself — no outside connections. Then how do we use it? We’ll create an SSH tunnel into it. Once the tunnel is created, we simply set our web browser to use a proxy server with the address of our SSH tunnel. Now any web traffic going out of our laptop to our Squid server will be encrypted.

But what about from the Squid server to the actual webpage? That stuff won’t be encrypted, unfortunately. But hey, at least we got outside the unprotected LAN securely.

I’ll be using Debian Sarge for the Squid server, but you’re more than welcome to use whatever distro you want. After Squid is installed, the configuration will be the exact same. To install Squid on Debian, just do:

apt-get install squid

The default configuration for Debian (and maybe other distributions too — better check!) is to only allow connections from the localhost. This doesn’t harm anything, so we can leave it as is. However, we still need a way for us to connect externally. For that, we will add an acl that will prompt us for a password and if we’re authenticated it will let us in. We’ll add it right before the “deny all” portion, so it’ll look something like this:

acl localhost src 127.0.0.1/255.255.255.255
http_access allow localhost
http_access allow password
http_access deny all

By default, Squid listens on port 3128. I personally like 8080 better, so we’ll change it with:

http_port 8080

Next we need to set up authentication for Squid. There are a bunch of different authentication methods that come with the Debian package and they can be viewed with:

ls /usr/lib/squid/*auth

We’ll be using the pam_auth module. This will allow anyone who has a shell account to also be able to use the Squid server. Search for the auth_param section in the config and add these lines:

auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Next search for this line and uncomment it:

acl password proxy_auth REQUIRED

Now create a pam module called /etc/pam.d/squid that contains:

auth required /lib/security/pam_unix.so
account required /lib/security/pam_unix.so

You will need to give this file SUID access so chmod it 4755. Yeah, I know this isn’t the best way to do this but it’s the least complicated. You’re more than welcome to research the other methods on your own.

Squid should be all set and ready to go. Next make sure you have shell access to the server via SSH. It doesn’t matter if you use a password, passphrase, or blank passphrase. To set the tunnel up, run this:

ssh -L 8080:squidhost:8080 username@squidhost

You’ll be asked for authentication and if you’re successful, it’ll look like you’ve logged into the remote box. If you open another window up and type

telnet localhost 8080

You’ll see that you’re now talking to squid on the remote server.

Finally, tell your browser to use the SSH tunnel as a proxy. I won’t go over each individual browser here, but basically it’ll be somewhere in the preferences. For the hostname, just type in localhost and for the port, type in 8080.

Now whenever you browse to a webpage, you’ll be prompted for authentication. Type in your shell account information and you’ll be all set to go. The browser might give a warning about authenticating through plaintext — ignore it. It will be travelling through our SSH tunnel so it will be encrypted.

Congratulations! You may now surf the web without worry of anyone snooping on you. If anyone has any comments, fixes, or ways to improve this method, please let me know!
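The setup above is only as safe as the assumption that nobody can reach Squid except through the SSH tunnel. As an added example (my own code, not the AdminSpotting article’s or the Squid project’s), this Python script audits a squid.conf for the points that matter in that setup: whether http_port is bound to loopback (a bare `http_port 8080` listens on every interface, so the proxy and its plaintext Basic-auth exchange are reachable off-tunnel), whether any http_access rule is shadowed by an earlier `deny all` or opens the proxy to everyone, and whether a proxy_auth acl actually has an auth helper configured. The sample configs are constructed from the article’s directives.

```python
# Added example: audit a squid.conf for the tunnel-only proxy described above.
import re

# Constructed from the article's directives (http_port left on all interfaces)
ARTICLE_CONF = """http_port 8080
auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl password proxy_auth REQUIRED
http_access allow localhost
http_access allow password
http_access deny all
"""
# Same rules, but Squid bound to loopback so only the SSH tunnel can reach it
HARDENED_CONF = ARTICLE_CONF.replace("http_port 8080", "http_port 127.0.0.1:8080")

def parse_directives(conf):
    """Yield (directive, args) pairs, dropping comments and blank lines."""
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts:
            yield parts[0], parts[1:]

def audit_squid_conf(conf):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    directives = list(parse_directives(conf))
    acls = {a[0]: a[1:] for d, a in directives if d == "acl" and len(a) > 1}
    has_auth = any(d == "auth_param" and a[:2] == ["basic", "program"] for d, a in directives)
    # http_port with no address listens on every interface: the proxy (and the
    # plaintext Basic-auth it asks for) is then reachable without the SSH tunnel
    for d, a in directives:
        if d == "http_port" and not (a and re.fullmatch(r"(127\.0\.0\.1|localhost|\[::1\]):\d+", a[0])):
            findings.append("http_port %s: bind to 127.0.0.1:<port>" % " ".join(a))
    # http_access is first-match: rules after 'deny all' are dead, 'allow all' is an
    # open proxy, and an allow on a proxy_auth acl only works with an auth helper
    seen_deny_all = False
    for d, a in directives:
        if d != "http_access" or len(a) < 2:
            continue
        verb, names = a[0], a[1:]
        if seen_deny_all:
            findings.append("http_access %s %s is shadowed by 'deny all'" % (verb, " ".join(names)))
        if verb == "allow" and names == ["all"]:
            findings.append("http_access allow all: open proxy")
        if verb == "deny" and names == ["all"]:
            seen_deny_all = True
        for n in names:
            if acls.get(n, [""])[0] == "proxy_auth" and not has_auth:
                findings.append("acl %s is proxy_auth but no auth_param basic program is set" % n)
    return findings
```

With http_port bound to 127.0.0.1 on the server, the tunnel command becomes `ssh -L 8080:localhost:8080 username@squidhost`, because the forward’s destination is resolved on the Squid host.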

The FTC and Online Security

Friday, May 19th, 2006

The Federal Trade Commission has created a web site to assist online users in protecting their private information as well as their Internet connected machines. Their web site for accomplishing this is located here, OnGuard Online. Want to attack hackers trying to get on your wireless network? Play the FTC’s online game titled Invasion of the Wireless Hackers.

While the game mentioned above is easy for those of us who are involved in technology on a daily basis, I think this is a good thing for novice users to check out. Other content on the OnGuard Online web site may be just the place to send family and friends to for furthering their education on safety on the Internet.

Until next time…

Passwords, authentication, security

Wednesday, May 17th, 2006

I e-mailed Jeff yesterday with the following question and he felt it safe and applicable for AA…

“I have a question for you and I feel it to be too sensitive for AA. I trust that YourPlace is similar to MyPlace in that you have a network (AD) password and passwords for various other software packages for the various types of software, e.g. Tellers, credit checks, and other secure software. How do you handle users’ passwords? Do you have them renew every so often? Do they have different passwords for different software? Do you have a lot of work orders to unlock or reset passwords?

The reason I ask is that here there are about 100 work orders a day for people needing to be unlocked in AD or Unix, and they have to keep up with several (3 to 5) passwords. I understand them forgetting them because I have a hard time keeping up with my own. The environment here is much more secure than a school and I understand having passwords expire, but they don’t all expire at the same time and the passwords have different length requirements.”

He replied…

“We have the same problem. We have a lot of applications, Unix, AD, Banking Software, Intranet, NADA, etc. that require all users to use a different password due to them being changed all the time (30, 60, or 90 days). How do we handle it? We don’t! We reset passwords all of the time. Work request after work request and phone call after phone call.

We are looking at getting biometric authentication with single sign on capabilities. What this will do is allow the user to sign on to the PC with one fingerprint. If a password expires, the authentication software will randomly generate a password for that user and tie it to their finger print so the user never has to know what their password is as long as they bring their finger/fingerprint to work with them. Anyway, what’s your solution?!”

What are y’all’s thoughts?

Computer Security Awareness Videos

Friday, April 28th, 2006

I ran across this link on a blog or something the other day and have been waiting to watch them when I had the time.

Well, I had the time last night and I have to say that these are very good.

As the title states, they’re for security awareness so the content won’t be anything highly technical nor do they contain 0day knowledge. However, they are very well done!

See for yourself at http://www.educause.edu/content.asp?bhjs=0&page_id=7103.

Collecting malware while you browse

Friday, April 7th, 2006

This is an awesome idea! These guys wrote a program that will monitor your web traffic while you browse sniffing for malware attacks. Once it detects an attack, it will emulate a valid response and log all communications. That’s just cool.

I learned about the tool from Richard Bejtlich’s blog, TaoSecurity. It’s called nepenthes and you can download it from http://nepenthes.mwcollect.org/

One thing I really like about Richard Bejtlich’s blog posts is that he’s very thorough. You can read about his experience installing and using nepenthes at the following URLs:

http://taosecurity.blogspot.com/2006/01/nepenthes-discoveries-earlier-today-i.html
http://taosecurity.blogspot.com/2006/01/nepenthes-installation-ive-been.html

This tool comes prepackaged for all the cool distros: Gentoo, Debian, and FreeBSD, but of course the source is also provided along with instructions for getting it compiled and running on Windows.

You can find the README at http://nepenthes.mwcollect.org/documentation:readme.