It is no news about Gawker Hack and today I learn from NetworkWorld that, one of the security researchers (HD Moore) who (well, *the GUY who created metasploit framework), have a way to find out if your email address/information has been compromised;

2 Step Process actually:-

Step 1: Go to http://pajhome.org.uk/crypt/md5/ , enter an e-mail address in the ‘Input’ field, click the ‘MD5′ button, then copy the hash from the ‘Result’ field.

Step 2: Go to http://www.google.com/fusiontables/DataSource?dsrcid=350662 , click ‘Show Options,’ then paste the already-obtained hash in the field to the right of the ‘=’ symbol. Change the left-most field to ‘MD5.’ Click ‘Apply.’

If the e-mail address is among those compromised, the search will show a result.

Read it directly from NetworkWorld if you want more information on it.

Oh well, if you’re more used to IPTables than any normal firewall software, then of course you’re gonna need that for your Windows machine as well. Nothing wrong about that, the interesting stuff here is about the technology, really and not who made it – if it works well.

Windows IP Firewall (WIPFW) is an open source project that gives you exactly that;

Checkout their page here

WHAT IS WIPFW?

WIPFW is a MS Windows operable version of IPFW for FreeBSD OS. You can use the same functionality and configure it as only you work with IPFW.

IPFW is a packet filtering and accounting system which resides in the kernelmode, and has a user-land control utility, ipfw. Together, they allow you to define and query the rules used by the kernel in its routing decisions.

There are two related parts to ipfw. The firewall section performs packet filtering. There is also an IP accounting section which tracks usage of the router, based on rules similar to those used in the firewall section. This allows the administrator to monitor how much traffic the router is getting from a certain machine, or how much WWW traffic it is forwarding, for example.

As a result of the way that ipfw is designed, you can use ipfw on non-router machines to perform packet filtering on incoming and outgoing connections. This is a special case of the more general use of ipfw, and the same commands and techniques should be used in this situation.

And one more important piece of info would be;

Q: Whats the difference between WIPFW and IPFW?

A: Now WIPFW is unable to change packets content, so it is impossible to redirect packets. Also WIPFW has no traffic shaper. In the future WIPFW will be using ndis driver which will allow all abilities.

As I mentioned before, my site was tagged for malware’s by Google and I had to put quite some effort to get it cleaned. I got a JavaScript injection attacks named ‘Yahoo! Counter Starts”, this seems relatively new and not much of authentic information is available at this moment. But there are a lot of forums/blogs that got affected by it and tagged by Google as well.

Seems that this thing basically has a redirection to an ip address residing somewhere in Russia and eventually takes the username/password details from the site/visitors etc. Pretty Scary if we look for the real meaning of this. Couple of sites helped me in cleaning it up and am consolidating here for the sake of others.

The script looks something like this;

<script language=javascript><!-- Yahoo! Counter starts
if(typeof(yahoo_counter)!=typeof(1))eval(unescape('|/#/@.~.!.................[keeps going]
<!-- counter end --></script>

Checkout this thread [ Click Here ] Also it may be possible that your actual php/html files are neat, since this kinda stuff can go into the base DB as well. It is a nasty one to fix. Check all your permissions on the files, is the best thing to do.

1. Google.com (Google webmaster tools)
   1. If you own a site, you can add your site address and a full sitemap here and Google will analyze the site for anything that is found wrong. [Click Here to Go] More information can be found [Here]
2. BadwareBusters.org
   1. These guys have a facility where you can provide your web address, they’ll scan and let you know the issues found. There is also an option for looking deep and to have a complete scan report (comes quite fast, 24 hours maximum)
3. BlacklistDoctor.com
   1. Again these guys have the facility to scan your website by giving the URL will let you know of any found scripts
4. UnmaskParasites.com
   1. It was in beta stage and when I tried wasn’t working. Lately it is seen to be working fine. Does scanning of your sites and also gives you an impression on whether it is black marked or not.
5. MalwareBytes
1. They have a utility to check your computer to see if there are any remnants of trojan files or affected file streams in your local system. This is very important since you cleaning up the site is ok on one hand but what if you reinfect it by yourselves again?
6. WP Security Scan
1. If you own a wordpress web site like me, this plugin is a good one to use. It does check this following.
1. -passwords
   
   -file permissions

   -database security

   -version hiding

   -WordPress admin protection/security

   -removes WP Generator META tag from core code

7. Also Read this [ Click Here ]

Once you do the cleaning, go back to Google Web Masters and/or other sites mentioned above for a reevaluation and they’d take off the malware warning tag from your blog once they verify the contents again.

For sure if the business I’m running has nothing to do with a country then I think it is not a bad idea considering the fact that you can’t let bad guys come in and do the damage, then you take an action on it. While this has mixed reviews I believe it is justified for the sole reason that it is my network and I choose what to come in here.

One of the commenter posted this site, http://www.countryipblocks.net/index.php

Beauty is that you can choose the entire ip data pertaining to a country. For example;

This is the list of IP range of IRAN. Just select and country and click to get the list of that country.

However, it still remains a challenge for your router/firewall to take a list of all rogue ip addresses and start blocking it for the mere horsepower that is required to process through it. Attributed to this if people start doing away by only allowing the country they are in (nowadays you can see every business have an internet connection, and the business is only to that country), then internet would be not be the internet we perceived in the first place!

Say an interior decorator working in a small state, doesn’t have to allow everybody in the world to see his site/resources, does he?

To do this, Tews and his co-researcher Martin Beck found a way to break the Temporal Key Integrity Protocol (TKIP) key, used by WPA, in a relatively short amount of time: 12 to 15 minutes, according to Dragos Ruiu, the PacSec conference’s organizer.

This is in a way good to know in this way rather than the algorithm broken by the ‘bad guys’. So I welcome it

[Read the Full Story]

I’m sure a lot of enterprise is now looking or in the process of moving to WPA from WEP, this is going to stall some of ‘em.

Does DHCP provide any kind of security? NOPE! It is an admin’s job to use supplemental devices/software’s to prevent it.

2 attacks to look at;

1. DHCP Flooding :- Think about if someone keeps flooding the DHCP requests and the server keeps assigning until the pool is exhausted (Now, how difficult is that?) A tool which can generate random mac addresses in the requests, then it is done!

2. DHCP Serving :- Think of a rogue server giving away IP addresses causing service disruption. Better still, I can have the hosts send packets to choice of his/her Default Gateway and sniff the contents Or hand out incorrect DNS server IP, so that the connections can be redirected to incorrect/forged web sites? Simple enough (a Google search would give out the tools).

So how does one prevent these attacks from happening;

1. Situation 1 (DHCP Flooding) – Modern switches come up with DHCP snooping capabilities where one can restrict the number of mac addresses that can come into a specific ingress port of the switch. Also there are processes to watch over the spurious DHCP requests that seems unusual. The best part is, if you restrict to ONE mac address per port on port security, it can still be circumvented. An attacker can use a tool to use the same mac address, but in the DHCP request packet there is a field to mention the mac address and which is what the DHCP server assigns the IP for (not the original frame mac). So keep changing it and Voila, you’re done!

2. Situation 2 (DHCP Serving) – This is fairly simple to stop, configure switches to make sure “DHCP OFFER” message types do not come out of normal host access ports (Only allow the “DHCP OFFER” to come out from the DHCP server port, normal hosts have no business sending a “DHCP OFFER” message, isn’t it?).

Port Security has more value to it, since if compromised at layer 2, everything up is at stake!

When we speak about MAC flooding, almost everyone with Information Security insight knows about what it is. What do one achieve with MAC flooding? There are various ways of looking at it.

Take an enterprise class switch, and see the spec’s as to how many mac addresses can the switch store in its cache. It is very interesting to understand the already known fact (but less thought about), that a switch cannot learn mac address indefinitely, the simple reason is that it is impossible! A Cisco Catalyst 6500 switch can store ~130,000 mac cache entries. What would happen if all of them are filled up? The switch cannot store any more of newly learned MAC address thus stops to add it to the cache, which in turn floods traffic across all the ports if a traffic meant for that mac address comes in!

Such a massive switch, everyone obviously does VLAN on it. So in theory, a traffic in one VLAN is not seen by the other VLAN. However if we were to think about the lines above, if a MAC flooding happens in VLAN 1, hosts in VLAN 2 would be able to see all traffic in that VLAN 2 (in spite of having a 5 digit/6 digit valued switch). Reason ? Simple;

MAC Cache values defined in Switches are not VLAN specific, that is for the entire Switch Fabric. So if the MAC Cache Value is 10 entries, after 10 entries, broadcast flooding would happen in all other VLANs too for the newly learned MAC address.

Example;

Take a switch which can hold 10 MAC Cache Entries; There are 3 VLANS having 4 ports each in each VLAN, we call it VLAN1 VLAN2 VLAN3.

So from VLAN1, port 1, if we were to flood and fill all the 10 entries, Then the traffic flooding happens not only in VLAN1. Reason, if a new host comes on port 1 of VLAN 2, the switch cannot store the MAC address since the cache is full and is going to broadcast it, when a traffic for that MAC comes around.

Bottom line, if the mac cache is filled, everyone connected to the switch suffers and VLAN’s do not HELP! At that point; $50,000 SWITCH = $10 HUB

Of course the VLAN 2 doesn’t see anything from VLAN 1 however, every port in VLAN 2 sees everything that is happening in VLAN 2 (communication happening for all the 3 other ports).

That calls in for Layer-2 Security, for one aspect.

Well, Google for it and you can get N number of tools to do it, so I’m not going to write it down here.

How do you prevent it? MAC Security. Simple fact is to bind just 1 mac address per port. Well, it is easier said than done. In earlier switches, you have to manually do it. Now consider doing it for 348 ports? How much ever you pay, the guy ain’t gonna do it unless it is his head at stake

Good news is that, newer switches can dynamically learn one MAC address and then lock it down. Now if that happens, only the problems that arise due to change in port needs to be addressed. However with technology changes (think of IP Phone + Desktop plugged in 1 port), it kinda gets a bit ugly though! Some switches do offer to learn a limit of MAC addresses instead of just 1. All this comes with some cost obviously, the CPU load!

Google’s passive web security assessment tool is made available – open source.

A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.

Detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more.

Ratproxy is currently believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.

Download Page…

The new law enforcement and national security concerns were prompted by Operation Cisco Raider, which has led to 15 criminal cases involving counterfeit products bought in part by military agencies, military contractors and electric power companies in the United States. Over the two-year operation, 36 search warrants have been executed, resulting in the discovery of 3,500 counterfeit Cisco network components with an estimated retail value of more than $3.5 million, the F.B.I. said in a statement.

Not that this is news, we’ve always had this planted in the head about James Bond and his gizmo-gadgets and then the story about Government placing some backdoor’s in network security gears for them to get access whenever needed – Yeah, I dunno – its a nice story to keep floating…

But look what is this man? US Military having Counterfeit gears?

Read Full Story { Redirect }

The other day I was talking to my colleague about how fast the wireless technologies have grown for data communications and almost every IT professional (at least) is having the power of WiFi at their homes, since it doesn’t cost more than 50 dollars to buy a cheap wireless router. Along with that we were also discussing about how easy now-a-days it is to get connected to somebody else’s wireless connections While it is a good growth in technology terms, users aren’t careful enough to protect their bandwidth – they just leave their AP open to others.

So was just Googling around and found this free product – Easy Wifi Radar

The tool basically does an analysis of the spectrum to see if there is an AP available and if there is a hole, it just connects to it providing instant *free* Internet access! Now people don’t even have to know how to search, just click to go on the tool and it will connect.

However, we’re looking at serious legal issues, if one were to use this tool to steal bandwidth.

Disclaimer : I do not hold any responsibility for issues that one might encounter if he/she were to misuse this tool. It is only for technical knowledge sharing.

Well I do have corporate solution for AntiVirus on my work laptop, however I got hit by a worm (regsvr.exe – typical Google lookup) while my AntiVirus software sat happily there! Eventually I got it on my cell phone as well

Removing that was no-brainer anyway’s; but my time! Not gonna spend time explaining how to remove this (just Google for regsvr.exe and you have ton’s of solutions).

Second; a guy approaches while I was happily watching TV, telling me that he can get me GAS (took a name of a well known GAS agency) with out having Ration Card (something that Indian’s would understand   ). I went to that store to see there is no guy by that name in the shop! Luckily I didn’t give any money to him as booking charges or so.

Then I receive this hoax letter – International  property disposition offering me a 2008 Land Rover or equivalent cash (about 1.8 Million Rupees) and all I have to send is 1000 Rupees in cash – couldn’t stop laughing. Then I thought may be there are guys who’re hit with this and so I did a Google search on ‘International Property Disposition + hoax’, Voila! First post, there are guys who had actually send that money twice and still waiting for the gift???? Whatz wrong with these people man? I do not understand, you just get 1.8 Million for just 1000 Rupees – then you can as well start printing money on your own…

That reminds me of an incident, one of my friend sold his DVD player – the buyer came while he wasn’t there and gave money, got change only to find later in the evening that the money given was a high quality photo copy!

Great Place to live – IT hub of India (Bangalore) – Come to get cheated…. (Last year at this time I got robbed). Yeah – they’re all onto me!

Adobe’s representatives can contact me from the usual place. My advise for you is not to open any PDF files (locally or remotely). Other PDF viewers might be vulnerable too. The issues was verified on Windows XP SP2 with the latest Adobe Reader 8.1, although previous versions are also affected.

This was how GNUCitizen closed his post. So apparently there seems to be a defect in Adobe Reader 8.1 on XP SP2 (Verified by him). Read More [...]

There are 2 options of internet traffic for the VPN users;

1. Split-Tunneling enabled :: This means all the corporate traffic goes through the vpn tunnel and all the internet (local browsing etc) goes through the user’s local internet connection which improves the browsing speed/experience for the end user.
2. Split-Tunneling disabled :: This means all the corporate traffic and local user traffic to internet traverse over the vpn tunnel and the internet traffic first goes to the vpn end-point and then exits to internet

Now, point 1 seems to be interesting to some security professionals for the reason that, while connected through VPN there is no local interaction and thus no ” security risk “. The argument being while connected to the corporate through VPN, the public internet is secluded and thus there is more security in terms of somebody/something from internet gets to the corporate!

Well, let me see; the way I see it – First of all it makes the internet browsing poor for the end user who is probably browsing more but still is *ON* VPN just for mail checking in the late evening (If that is happening ). Now security-wise, does it mean by just disabling the split-tunneling, an administrator can be assured that the user won’t harm the corporate ? I don’t think so;

How About users’ machine infected with a Virus/Trojan/Some Crap, whether you have enabled split-tunneling or not, this is going to enter corporate ???? YES.

So what security are we talking about ?

The best approach would be to have Network Access/Admission Control which is integrated with an AntiVirus/AntiSpyware/IPS and Firewall module.

Now is there something obvious I’m not seeing here? May be somebody can shed some light and I would really appreciate that!

Drop -> The packet is dropped and never informed about the sender.

Reset -> A RST is sent to the sender to let him know that the port is not open.

Reject -> Reject is rather interesting, it is almost TCP reset but also sends an ICMP prohibited message saying that the port might be open but you’re not allowed to talk 

So if you’re tasked to configure a mode (any of the above), what will you choose for tearing down a connection ?

It depends on the requirement but I’d rather go with drop since “If I want to tear down the connection any ways, why send  a message saying that I teared it down ?” Doesn’t it add additional processing on the box which is doing rather other important IO

 A tool that is released for changing the mac address of Network Interface Cards which would facilitate both the good guys and the bad guys

So taste it here

Story?

In a hub network, traffic is seen by everybody connected so sniffing would be very easy and with the introduction of switches, you see only traffic that is destined for you. So that provides you security from sniffing and attacks later-on! Well not quite true as long as ARP is the way it is now…

So how does arp work? When a machine wants to talk to somebody – an arp broadcast is done for which only the machine intended would reply with its mac address, so that the communication goes through; very IDEAL scenario.

Now if someone were to send in an incorrect arp response [ pretending to be someone else ], the original machine would still entertain this reply and send the packet to this address. Inherently there is no authentication with ARP protocol, was not required at the time it was designed!

So lets see how it works;

• Port1 – Host A is connected with mac A
• Port2 – Host B is connected with mac B
• Port3 – Host C (attacker) is connected with mac C
• So Host C (attacker) sends an arp reply to Host A saying that I’m Host B. Similarly it sends another arp reply to Host B saying that I’m Host A
• So now Host A believes Host B is Host C   { AND }
• Host B believes Host A is Host C

So a simple software at Host C (attacker) would be able to read all the communication between Host A and Host B!

High end managed switches might not entertain the unasked ARP replies but the hosts would! For example Windows XP before SP2 entertains any gratuitous ARP packets and change their local ARP cache!

CVE Entry for this [ Here ]

A tool can be used to read the data and then forward the traffic to respective clients, facilitating that those hosts wouldn’t even know that there is something going on like this; the fashion as below;

• Host A sends ‘HI’ to Host B
• Traffic actually reaches Host C
• Host C reads the data and then forwards the packet to Host B
• Host B sends ‘hello’ to Host A
• Traffic actually reaches Host C
• Host C reads the data and then forwards the packet to Host A

Seems impossible? Well, there is rather a simple tool arpspoof which can perform this!

So how do you find out if there is something going on similar to this ? You could use arpwatch to perform the task

So many of these tools do this by the changes in tcp/ip stacks. The RFC for tcp/ip defines value types for TTL, Window Size, MTU etc but do not mandate a default value hence different OS implementations have adopted it to have different values. What does it make it easy? Recon… Just a ping packet would let one know the TTL value, so similar correlations for many parameters would yield the OS in place without much trouble.

Operating System Obfuscation is a method, using which you could change those parameters on the OS so that it looks like a totally different Operating System!

If you do not want much of technical details on how you do it, (although I must tell it is a piece of cake) you could use a tool to configure it.

{Sec_Cloak}

Test it out yourselves;

1. First do an nmap scan [ nmap -O2 <target_ip> ] => See the OS guesses.

2. Run Sec_Cloak on the machine and set it to appear as some linux flavor.

3. Repeat the first step again and watch for the OS guess.

   You’d get it by then….

Lets meet ‘tini’ ; as the name is, it is tiny (only 3kb in size) and can run without dragging attention.

So here is the behavior, Tini is an executable which listens on port 7777.

Since it is not a true backdoor it doesn’t execute by itself, someone has to execute it. Now by execute what it means is a simple ‘double click’.

On Host A run Tini

On Host B, open up a command prompt and do this ‘telnet <Host A> 7777′, you will be presented with the command prompt of Host A.

Beware that most of the AntiVirii/AntiSpyware products will identify this one and may cause problems so use it with due diligence. This is more of a useful tool than a destructive tool.

Also it is possible to change the port, all you need is a hex editor to open up the Tini binary

If some one would like to know, I would post that as well.

{Download and Understand Here}