Doug Vitale Tech Blog

Archive for the ‘Info Security and/or Ethical Hacking Tools’ Category

OSSEC, the free and open source IDS

Intrusion detection software is meant to monitor network traffic or host activities for malicious actions, such as successful or unsuccessful intrusion attempts, hostile traffic (i.e., malicious scans and denials of service), unauthorized configuration changes, malware symptoms, and user policy violations. An intrusion detection system (IDS) typically can produce reports describing the details of the potentially hazardous activity which generated alerts. OSSEC is particularly useful in this context for many reasons. First, it is an established, reputable product with a proven track record (OSSEC was first released in 2004 and has been owned by Trend Micro since 2009). Second, it is free and open source. Third, it is compatible with most modern operating systems such as Linux, Windows (Server 2008, Server 2003, 7, Vista, XP, 2000) BSD (Free/Open/Net), Unix (Solaris, HP-UX, AIX), and MacOS.

One of the key tenets of IT security is to keep intruders from gaining access to your organization’s network. Not only must the network’s edge be hardened to resist a myriad of attacks, but measures must be put into place to detect attackers who have successfully breached the perimeter. These two measures are important steps in achieving a “defense in depth” security posture, and OSSEC is an effective and affordable option to fulfill the IDS role.

OSSEC logo

Intrusion detection systems (IDS) are generally classified as either network-based or host-based in nature. A network-based IDS (NIDS) attempts to discover unauthorized access to a network by analyzing traffic as it flows between nodes for signs of malicious activity. A host-based IDS (HIDS), on the other hand, is designed to detect threats occurring on the hosts where they are installed (on servers, for example). A HIDS monitors local actions and attempts to identify those which could be hazardous. In this way a HIDS is similar to antivirus applications that identify and block certain attack patterns and raise alarms to alert users and administrators.

Read the rest of this entry »

Written by Doug Vitale

February 26, 2014 at 4:04 PM

Using TrueCrypt on Linux and Windows

After numerous revelations this year of the National Security Agency’s (NSA) frightening capabilities of mass spying on phone calls and Internet traffic (see, for example, PRISM), there has been a renewed interest in online privacy and the securing of our electronic data communications, such as Web and email activity. More and more Internet users are looking for solutions to keep their files, emails, and Web searches private. Help is not far off: one of the most effective ways to foil surveillance is by using encryption to make your data unreadable by other parties.

Data can be encrypted in two states – when it is in transmission through a communications network, or when it is at rest (i.e., stored on some sort of storage medium, such as a computer hard drive like the internal drive of your PC or an external USB flash drive). This blog has already covered SSH, RetroShare, and the Tor network as options for securing data in transit. Now we will look at TrueCrypt, perhaps the most popular solution for encrypting data at rest. This article will explain how TrueCrypt works and how you can utilize it on the two most popular operating systems, Microsoft Windows and Linux.

TrueCrypt logo

Read the rest of this entry »

Written by Doug Vitale

November 18, 2013 at 4:50 PM

Increase online privacy with RetroShare

In a previous article I described how to significantly increase your online privacy with the Tor service. RetroShare is another option for Internet users who are concerned with staying anonymous online. RetroShare is an application that lets you create private, secure network connections (based on 2048-bit RSA-encrypted SSL) with trusted individuals of your choice (a peer-to-peer network known as “Friend-2-Friend”, or F2F). Unlike some other P2P file sharing services like BitTorrent and Limewire/Frostwire which do not let you selectively share your files with certain users, RetroShare’s F2F functionality allows you to transfer files only with those users to whom you have given your explicit approval.

Once your computer establishes the decentralized F2F connection with your contacts, you can share files, send messages and chat, talk over VoIP, post and read messages in forums, etc. RetroShare not only fully encrypts all communications, it also provides reliable identification and authentication of your trusted contacts so you can be relatively sure that the other users participating in the F2F network are who they claim to be. RetroShare has the potential to be a completely independent social media venue where users’ private data and files are safe from advertisers, marketers, and other entities (i.e., Facebook, Google) looking to harvest personal information for profit, as well as entities engaging in surveillance and censorship. How safe is your online activity using RetroShare? As stated before, it uses SSL tunnels based on RSA 2048-bit encryption. To get an idea of how hard it would be to crack, this YouTube video should explain it.

Using RetroShare

Luckily, RetroShare is available for many different operating systems (Windows, Mac OSX, Linux, etc.). It is built on top of some very reputable and robust software libraries: GNU Privacy Guard/GPGME and OpenSSL.

After you download, install, and launch RetroShare you will first be prompted to create your RetroShare identity.

RetroShare create new identity

Then you will see the main graphical user interface (GUI) as shown below.

Read the rest of this entry »

Written by Doug Vitale

July 29, 2013 at 2:49 PM

Linux file permissions and chmod

When you view files and directories on Linux hosts, how can you tell which users have access? And how do you determine the extent of their access? Before approaching the sizable (but very important) subject of Linux (and Unix) file permissions, it is helpful to review the definitions of key terms which IT professionals need to be familiar with. Before proceeding, let’s define these terms clearly.

Common across all operating system (OS) platforms, files are the objects or things that OSes and user applications work with. More specifically, a file is a distinct collection of data that has a name and properties, or characteristics. Files can take the form of text documents, graphics, music, scripts, etc. If you prefer the geeky definition, Wikipedia states that a computer file is “a block of arbitrary information, or resource for storing information, which is available to a computer program and is usually based on some kind of durable storage.”

Computer files can be created, edited, deleted, moved, and stored. The orderly arranging of files is accomplished by means of directories, which are simply containers for files and other directories. On the Windows operating system, directories are often called “folders” because they are visually represented by icons resembling the paper folders which you would find in filing cabinets. This method of depicting directories as paper folders has also been adopted by Linux desktop environments, such as KDE and GNOME.

Directories are arranged in a hierarchical model. Users and software can use these directories to navigate the file system to find certain files. Files are often logically co-located based on type and usage.

File system hierarchy

A simple example of a file system hierarchy

Operating systems support access control restrictions on files and directories because it is not a best practice to permit the same level of system access to all users of a host or network. Users may not want other users to access their files for reasons of privacy and separation of duties, while system administrators often do not want non-administrative personnel to be able to change or possibly delete critical files needed for proper OS function. Therefore, file permissions are designed to prevent the unwanted viewing, editing, or deletion of files and folders. Within the popular discretionary access control (DAC) model, file owners can adjust the access permissions of the files they own. That is, file owners can determine who can read, change, or delete the files belonging to them. On a Unix-like OS like Linux, we will examine how to work with these file permissions.

Read the rest of this entry »

Written by Doug Vitale

February 16, 2013 at 10:49 PM

Browser-based penetration testing with Firefox and Chrome

With the proper extensions installed, you can hack from the comfort of your Firefox or Chrome browser. Within Firefox, add-ons are divided into three categories: extensions, appearance themes, and plugins. Extensions extend the functionality of Firefox past simple web browsing. Appearance themes change the way Firefox looks, and plugins are necessary for Firefox to display specialized non-HTML Web content such as Flash, Java script, multimedia, etc.

The Firefox add-ons interface, accessible via Tools-->Add-ons in the menu bar

The Firefox add-ons interface, accessible via Tools–>Add-ons in the menu bar

Google Chrome labels all add-ons as “extensions”. The Chrome website lists them in the same column as “Apps” and “Themes”.

The Chrome extensions interface, accessible via Chrome Menu-->Tools-->Extensions

The Chrome extensions interface, accessible via Chrome Menu–>Tools–>Extensions

Read the rest of this entry »

Written by Doug Vitale

December 28, 2012 at 3:07 PM

Tor anonymity: how it works and how to use it

The Onion Router (TOR) network is intended to help protect the privacy of Internet users and promote greater freedom of expression online. Tor is a system of volunteer servers that acts as a buffer between Internet users and the resources they connect to. If you connect as a Tor client, your online access is channeled through this buffer before it reaches the general Internet. To understand clearly how Tor functions, you must first have a good idea of what proxy servers are, and of the role they play during network transmissions.

A proxy server acts as a middleman between a client computer and the target server or resource it is accessing. As such, proxies can be configured to log user activity and restrict Internet access; for example, by blocking certain websites or protocols. However, proxies can also help protect the client user’s privacy because the target server is only aware that it is communicating with the proxy, not with the client. For example, if you connect to a web proxy and then load a website, the site is only aware that it is being accessed by the proxy and it has no knowledge of your computer and IP address. The illustration below depicts network data flow when a proxy is deployed. Resources within the Internet icon (such as web servers) are only aware of the proxy server, not of the three clients behind it.

Internet access through a proxy server

The “Internet” only knows about the proxy, not the three clients

Now what if instead of using a single proxy server, you could connect to a network of them for increased bandwidth and availability? And what if you could encrypt your communication sessions for increased confidentiality? Using Tor, you can.

Read the rest of this entry »

Written by Doug Vitale

May 29, 2012 at 11:06 PM

Tenable Nessus

If Nmap is the most popular free network scanning tool, then Nessus by Tenable is undoubtedly the most widely used commercial security application. Nessus is designed to comprehensively scan network hosts for vulnerabilities and generate reports based on its findings. During its scans, Nessus probes ports and checks for potential software flaws that could be exploited by hackers or malware. Some of these flaws include outdated and vulnerable software, improper configurations such as accounts with default passwords or without password protection, and the presence of risky services or daemons. In this way Nessus is very similar to BeyondTrust Retina; however, these two tools have very different user interfaces and Nessus is undoubtedly more popular and widely used, as multiple surveys on SecTools.org have shown over the years.

Nessus is available for both Linux and Windows. On both operating systems, Nessus operates as a server and as a client. The Nessus server (a Windows service or a Linux daemon called nessusd) performs the actual scanning while the client presents the user with an interface and passes commands to the server. The Nessus server utilizes plugins to determine which flaws exist on the target hosts. Plugins are small programs that look for specific vulnerabilities (Nessus contains tens of thousands of them). When Nessus can connect to the Internet it automatically downloads the latest plugins which will enable it to recognize and report on the latest known software weaknesses (such as those disclosed by Mitre). There is even an embedded scripting language (known as NASL) for writing your own custom plugins.

Nessus login interface

Nessus v5.x login interface

Nessus login interface

Nessus v4.4.x login interface

Read the rest of this entry »

Written by Doug Vitale

March 2, 2012 at 2:08 PM

%d bloggers like this: