Wolves at YOUR door
Keeping them out
And, we’re back…
Posted on August 31st, 2009 No comments
Sorry folks, I’ve been sidetracked by a number of projects and events, most of which I should not discuss.
Suffice to say the following:
- “What’s on YOUR hard disk?”: full disk encryption and data theft
- “Uh, where are the backups?”: backups, backup testing and tape rotations
- “*&^*Q&^!!, Activate the DR site!”: when was your last DR test?
- “&^%*&%#$@#$, Third party audit!!!”: due diligence and diligence due…
But onto today’s missive…
Security testers and reviewers, myself included, LOVE switches and routers as a favorite target when performing internal assessments. Why play ARP spoofing games on the network when you can configure a SPAN port and bring the traffic to you? Controlling the switching infrastructure is simple and easy. Most sites I’ve tested have been mine in very short order. Badly configured switches and routers are one of the single most common vulnerabilities I’ve found.
My present this month was to put together a network/ DR site for one of our clients.
I asked, they bought and I configured. Moving to a new DR site and new premises is just great for getting it right (well, so far) from the start. Now, how to harden the networking devices so the next reviewer does not have a free pass to the network?
Some of the basics for switches:
- Default passwords
- SNMP
- Logging
- Management VLAN
- Management IPs
- SSH /Telnet
- Web interface
- Network Segmentation
- Port Security
- NTP
Default passwords: Change ALL the default passwords on the device. Most switches have multiple built-in accounts; get them all.
SNMP: If the device supports SNMPv3, use it; otherwise use a complex community string. I never use SNMP read/write, as it WILL BE compromised.
Logging: Use a centralized syslog server for logging of switch activities.
Management VLAN: Many switches support a management VLAN, so configure it on a separate command-and-control network and then use ACLs to control access to this VLAN. This should also cover the logging traffic.
Management IPs: Many switches allow you to configure the management IP addresses for the device. Configure these and you make life harder for attackers.
SSH/Telnet: Use SSH v2 and disable telnet.
Web interface: Disable it and use SSH instead.
Network segmentation: Set up VLANs to segregate your network segments, then use ACLs to control traffic flows between them. For network segments with different security requirements, such as a DMZ, use a different physical switch.
Port security: 802.1X port security is a PITA, but you can still do a few things: prevent ports from learning more than one MAC address, and assign MAC addresses to ports.
NTP: Sync the switch time to the local time source.
Document the hardening steps for your environment and implement a process to make sure that the configurations do not change without approval. There are a number of tools around that will download the configuration from the switch and perform a comparison with a previous version.
Another thing to consider is to regularly dump the mac address tables on each of the devices so you can trace which device was connected to which switch. It allows you to identify devices on the network.
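The config checks and the config-comparison tooling described above can be scripted against a saved running configuration. The following is an added example, not code from the original post or from any vendor; it audits a constructed IOS-style configuration against the hardening list (SNMP communities, syslog, NTP, web interface, telnet on the vty lines, management ACL, port security on access ports) and reports drift from an approved baseline. The two configs, the host addresses and the ACL number are made up for the example.

```python
import re
from difflib import unified_diff

# Constructed IOS-style configs for illustration; neither comes from a real device.
WEAK_CONFIG = """\
hostname dr-core-sw1
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 transport input telnet ssh
interface GigabitEthernet0/1
 switchport mode access
"""

HARDENED_CONFIG = """\
hostname dr-core-sw1
snmp-server group mgmt v3 priv
logging host 10.10.99.5
ntp server 10.10.99.6
ip ssh version 2
no ip http server
line vty 0 4
 transport input ssh
 access-class 10 in
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security maximum 1
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def interface_blocks(config):
    """Map each 'interface X' stanza to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def audit_config(config):
    """Return hardening findings for an IOS-style config, one string per issue."""
    findings = []
    # SNMP: default community strings, read-write communities, no v3 group
    for m in re.finditer(r"^snmp-server community (\S+)(?: (RO|RW))?", config, re.M):
        name, mode = m.group(1), m.group(2)
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"snmp: default community string '{name}'")
        if mode == "RW":
            findings.append(f"snmp: read-write community '{name}'")
    if "snmp-server community" in config and "snmp-server group" not in config:
        findings.append("snmp: v1/v2c communities in use, no SNMPv3 group")
    # Centralized logging and a time source
    if not re.search(r"^logging host ", config, re.M):
        findings.append("logging: no syslog host configured")
    if not re.search(r"^ntp server ", config, re.M):
        findings.append("ntp: no time source configured")
    # Web interface left enabled ("no ip http server" does not match at column 0)
    if re.search(r"^ip http server", config, re.M):
        findings.append("web: http server enabled")
    # Management access: telnet allowed on the vty lines, no source ACL
    for m in re.finditer(r"^ transport input (.+)$", config, re.M):
        allowed = m.group(1).split()
        if "telnet" in allowed or "all" in allowed:
            findings.append(f"vty: telnet permitted ({' '.join(allowed)})")
    if "line vty" in config and not re.search(r"^ access-class ", config, re.M):
        findings.append("vty: no access-class restricting management sources")
    # Access ports without any port-security statement
    for name, cmds in interface_blocks(config).items():
        is_access = "switchport mode access" in cmds
        has_psec = any(c.startswith("switchport port-security") for c in cmds)
        if is_access and not has_psec:
            findings.append(f"port-security: {name} has no port-security")
    return findings


def config_drift(baseline, current):
    """Lines added (+) or removed (-) relative to the approved baseline."""
    diff = unified_diff(baseline.splitlines(), current.splitlines(),
                        "baseline", "current", lineterm="")
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


if __name__ == "__main__":
    for f in audit_config(WEAK_CONFIG):
        print("FINDING:", f)
    for d in config_drift(HARDENED_CONFIG, WEAK_CONFIG):
        print("DRIFT:", d)
```

Run it over a config pulled on a schedule and the drift list is the change-without-approval alarm; the audit list is what a reviewer would have found first.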
Audits, How to survive them and prosper
Posted on August 17th, 2009 No comments
Ok there are some things that will strike FEAR in the heart of the most staunch IT administrator.
Things like:
- Senior Systems Admin saying “Oops!”
- Overhead lights flickering
- And Corporate saying, “Time for a third party audit.”
Knoppix on a USB stick (Updated)
Posted on August 14th, 2009 No comments
As stated prior… As part of preparation for a set of presentations, I need to create a number of “data thief tools”; the simplest is a Knoppix CD and a USB key to copy data to, but a CD is rather bulky…
What is really needed is a BIG (2GB or so) USB key, with Knoppix installed.
NOTE:
The following is information from the public domain, PenDrive Linux and others. I am not divulging any super secret, NSA style technology. This is a BASIC tool for recovery of data from failed systems, not a high end hacker trick.
Now the folks over at PenDrive Linux have smacked me around and explained I was doing this all old school. With the newer Knoppix 6.0 Adriane, there is an option to install to… A USB FLASH DRIVE…
And it’s so easy even a ….. (see the lead photo..)
Windows Cracker on USB Key
Posted on August 13th, 2009 No comments
As spoken prior
As part of preparation for a set of presentations, I need to create a number of “data thief tools”; the simplest is a password cracker on a CD, but a CD is rather bulky…
What is really needed is a BIG (2GB or so) USB key, with the toolz installed.
NOTE:
The following is information from the public domain, PenDrive Linux and others. I am not divulging any super secret, NSA style technology. This is a BASIC tool for recovery of data from failed systems, not a high end hacker trick.
Ophcrack is a free Windows password cracker or Windows Login Password Recovery tool that uses rainbow tables (ask about that story later) to retrieve Windows login passwords from password hashes. The tool is available in two versions (Vista Ophcrack and XP Ophcrack).
In this post, I create an All In One USB Ophcrack flash drive from both versions. This bootable flash drive utility can then be used to recover, reveal or crack both Windows XP and Windows Vista login passwords.
Knoppix on a USB Stick (Steal This Data)
Posted on August 12th, 2009 No comments
As part of preparation for a set of presentations, I need to create a number of “data thief tools”; the simplest is a Knoppix CD and a USB key to copy data to, but a CD is rather bulky…
What is really needed is a BIG (2GB or so) USB key, with Knoppix installed.
NOTE:
The following is information from the public domain, PenDrive Linux and others. I am not divulging any super secret, NSA style technology. This is a BASIC tool for recovery of data from failed systems, not a high end hacker trick.
Wireless Access Pointers
Posted on August 3rd, 2009 No comments
Most folks hurry through setting up wireless home networks to get their Internet connectivity working as quickly as possible. While this is understandable, it is also risky because unless properly secured, wireless networks are a security problem waiting to happen.
(The number of open networks to be found while sitting in a NYC park is amazing.)
Today’s Wi-Fi networking products don’t always help the situation either. Their security features can be time-consuming to set up correctly, but you need to be sure the job gets done right.
Nmap 5.0
Posted on July 20th, 2009 No comments
One of the MUST HAVE tools for every person doing anything related to IT security is definitely Nmap (I mean, which other tool, besides an SSH exploit, did my girl Trinity use as well?). The Nmap developers worked hard on this latest version, which includes some very cool things like the Nmap Scripting Engine (NSE), which can be used to detect machines infected with the Conficker worm.
There are a lot of other neat new features and improvements, so don’t wait and go to http://nmap.org/5/ to download your copy of Nmap.
Mail Filters and Blacklists (UPDATED – What a SCAM!)
Posted on July 17th, 2009 No comments
What they are, how to use them
I have used blacklists myself for ten years or more. I’ve worked for companies and managed servers that have been listed on blacklists. I can’t help but notice some huge changes from the lists of yesteryear to the outright scams of today.
False indicators (positive and Negative)
True positives and true negatives will be pretty much self-correcting; the other two corner cases will require finding a balance.
False Positive
A blacklist for spammers that contains well behaving Internet users. Those users (might be your supplier, your customers, …) can’t communicate anymore with you, and might give up on you as you just seem to be ignoring them rudely.
False Negatives
A blacklist that passes more spam than legitimate mail.
The false negatives are what will prompt ever increasingly strict rules as there is still spam sneaking through. We know that getting ever more strict measures will also increase the false positives rate dramatically.
As the rules become more strict the number of legitimate messages “spammed” increase.
Basically, blocking all email will guarantee you no false negatives, but it will also get you an empty mailbox (but wait, how bad is that…).
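The trade-off above (tightening the rules to catch the spam that sneaks through drives up the number of legitimate senders blocked) is easiest to see by scoring a blocking rule against mail whose true status is known. This is an added example, not code from the original post: the two blacklists, the sender addresses (documentation ranges) and the spam/ham labels are all constructed, and the three policies stand in for a strict rule, a lenient rule and the “block everything” extreme.

```python
# Constructed sample data; the lists stand in for an aggressive DNSBL-style
# list and a conservative one, and the labels are the ground truth.
AGGRESSIVE_LIST = {"203.0.113.5", "203.0.113.9", "198.51.100.33",
                   "198.51.100.7", "198.51.100.20"}
CONSERVATIVE_LIST = {"203.0.113.5", "203.0.113.9"}

MESSAGES = [
    ("203.0.113.5", True),     # spam, on both lists
    ("203.0.113.9", True),     # spam, on both lists
    ("203.0.113.14", True),    # spam that no list has caught yet
    ("198.51.100.33", True),   # spam, only the aggressive list knows it
    ("198.51.100.7", False),   # supplier, wrongly on the aggressive list
    ("198.51.100.20", False),  # customer, wrongly on the aggressive list
    ("192.0.2.1", False),      # legitimate
    ("192.0.2.44", False),     # legitimate
]

POLICIES = {
    # strict: block if any list says so -> fewer false negatives, more false positives
    "any_list": lambda ip: ip in AGGRESSIVE_LIST or ip in CONSERVATIVE_LIST,
    # lenient: block only when both lists agree
    "both_lists": lambda ip: ip in AGGRESSIVE_LIST and ip in CONSERVATIVE_LIST,
    # the "block all email" extreme from the text
    "block_all": lambda ip: True,
}


def evaluate(messages, blocker):
    """Confusion matrix for a blocking rule over labelled (sender_ip, is_spam) pairs."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for ip, is_spam in messages:
        blocked = blocker(ip)
        if blocked and is_spam:
            counts["tp"] += 1
        elif blocked and not is_spam:
            counts["fp"] += 1   # legitimate sender silently dropped
        elif not blocked and is_spam:
            counts["fn"] += 1   # spam that still gets through
        else:
            counts["tn"] += 1
    return counts


def rates(counts):
    """False-positive rate (share of ham blocked) and false-negative rate (share of spam passed)."""
    ham = counts["fp"] + counts["tn"]
    spam = counts["tp"] + counts["fn"]
    return {"fp_rate": counts["fp"] / ham if ham else 0.0,
            "fn_rate": counts["fn"] / spam if spam else 0.0}


def compare_policies(messages=MESSAGES, policies=POLICIES):
    """Score every policy so the FP/FN trade-off can be read side by side."""
    return {name: rates(evaluate(messages, rule)) for name, rule in policies.items()}


if __name__ == "__main__":
    for name, r in compare_policies().items():
        print(f"{name:11s} fp_rate={r['fp_rate']:.2f} fn_rate={r['fn_rate']:.2f}")
```

Feeding it a real sample of your own mail (with labels you trust) is the way to decide which list, or combination of lists, you can afford: the numbers that matter are the false positives, because those are the suppliers and customers who stop hearing from you.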
Open-SSH exploit in the wild, Update ! (FUD and CHUD)
Posted on July 12th, 2009 No comments
OK, it’s been a week since the great openown ssh vulnerability was “leaked”. Outside of several partial attack logs, nothing has been seen, and several people reviewing the attack logs have found “inconsistencies” that tend to erode confidence in the alerts.
At the best, we have been prompted to check all the doors and windows, and update our security posture.
Due to lack of additional action, and shrinking confidence, one may want to write this off to FUD and CHUD.
Botnet worm has self-destruct code.
Posted on July 11th, 2009 No comments
Just when you thought surfing was safe again …..
From CNET.
The denial of service attacks against Web sites in the U.S. and South Korea that started last weekend may have stopped for now, but code on the infected bots was set to wipe data on Friday, security experts said.
There were no immediate reports of any of the compromised PCs in the botnet having files deleted, but that doesn’t mean it wasn’t happening or won’t in the future, said Gerry Egan, a product manager in Symantec’s Security Technology Response group.
There are only about 50,000 infected PCs around the world being used in the attacks, which is relatively small compared to the millions that were infected with Conficker, he said.
The attacks started over the July 4 weekend launching distributed DoS attacks on dozens of government and commercial sites in the U.S. and South Korea. The attacks, which resurged during the week at least twice, affected sites including the White House, the Federal Trade Commission, the Secret Service and The Washington Post.
One of the files dropped on infected PCs is programmed to wipe out files on the PC, including a master boot record, which will render the system inoperable when the PC is rebooted, Symantec said. “Basically, your system is in trouble if this executes,” Egan said.

