Looked for a 10/100 (or /1000) ethernet hub lately? I hadn’t either until today. I found it surprisingly difficult to find a hub. Most searches pull up USB hubs, while the rest tend to recommend switches. Great, but I want a hub (or a network tap, but the cost difference is obvious). The only hub I did find in my quick searches today was a $40 job at CompUSA. Forty bucks?! Maybe I’m cheap about certain things, but a 10/100 hub shouldn’t be $40.
using silc and tor on ubuntu 7.04 feisty
Silc is a secure chat network, much like an IRC network, only the communication channels are actually encrypted. However, your real host can still leak, which steals away any shot at anonymity. But if you use Silc with Tor, you achieve not only privacy in the channel, but privacy in the connection as well. Nice! As I’ve seen it said, silc+tor may be the most secure way to communicate with someone on the net. (Yes, I guess you can add an exchange of keys to verify identities…)
First, install Silky. I am doing this work in an updated but newly installed Ubuntu system. Make sure the repositories are unlocked, which should be the first thing done with any Ubuntu install.
sudo apt-get install silky
This also pulls in any dependencies, such as libsilc.
Start Silky either by typing “silky” into the shell or Applications->Internet->Silky. Being the first time run, it will want to generate keys. Automatic is sufficient. Close out, and let’s look into Tor.
sudo apt-get install tor privoxy tsocks
Again, the needed dependencies will be installed. We can then start Tor and call Silky.
torify silky
Click Server, and select a server or supply one you know under Preferences->Edit Preferences. Nothing special needs to be submitted; just use whatever address and port you normally would. Connect, and check out the hostmask. That’s it! Other programs can start this way as well, such as “torify firefox”; then go to whatismyip.com and verify the external IP (there is a Tor extension which works beautifully, though).
Keep in mind that Tor is not the fastest of connections, and while IRC is pretty resilient, I’ve found SILC to be a bit more picky about some slowness. I’ve found Silky can stay up for a few days, but Torify (tsocks) eventually dumps out, so it is not something I’d expect to always leave on.
Now, if someone knows how to implement irssi+silc_plugin (or any silc plugin)+tor, I’d love to hear how! That way I could possibly stay connected on a server using screen to attach whenever I want. Granted, I think I’d need two irssi’s since Freenode only wants Tor users to use their special private entrance.
More stuff to Torify can be found on the web.
wikiscanner
Check out WikiScanner if you want to pry a little bit. Use your own company name (and variations!) to see what people at your office have been doing on Wikipedia. Kinda puts some things in our digital world into perspective. He’s pretty busy right now, so you might have to reload the query a few times. When you get good hits, you’ll see a button that says something like “Wikipedia edits, ahoy!” Click it, then click the number links to expand a new frame with the edit itself.
zonealarm local priv escalation
In a similar vein to last week’s Cisco VPN client privilege escalation vulnerability, ZoneAlarm is also susceptible to executable file replacement.
Sadly, this isn’t 1998 anymore, and I don’t personally know anyone who still uses ZoneAlarm…
social networking sites and the workplace
Rebecca got me thinking this afternoon with her post on how businesses and even schools are, or may soon be, forming sanctions against their users of social networking sites.
It really sucks thinking about stuff like that, and I encourage reading the post and links she gives. I really feel that while some of that stuff is useful for hiring managers looking for appropriate team members, most of that stuff should belong to the realm of the individual. The exceptions being documented and reported harassment and disclosure of sensitive information. I also don’t mind hiring managers using such sources of information to determine if a potential employee may be a good fit. That’s cool too, in my books, namely using it to learn about someone a bit more.
Take this example. I have a few Suicide Girls t-shirts (I’d link, but it’s not work safe) which I don’t mind wearing (of note, they’re the most comfortable t-shirts I’ve ever owned) out in public. I’m not a member, but I used to be back when I knew people on the site, a bit before they got “big.” So that kinda illustrates a slight individual taste for me, or at least openness (especially to comfy t-shirts!!). While out and about, I might run into people that know me well enough to know where I work. I may meet others to whom I give out business cards which have my company name on them. This is very similar to how people may stumble upon my inappropriate MySpace site (no, I don’t really have one) and connect my company to the person’s habits.
It’s just life, and that’s how we are outside of work in our personal lives. We all have some things we’d rather not air out, on either side of the fence. And I really think trying to police social networking sites (which is really trying to steal individualism away from employees and enforcing Thought Police) is futile and detrimental to our culture as a whole.
If my company president saw me out in the street on a Saturday with my Suicide Girls shirt on, the earring I can’t wear when at work, and doing a wireless site survey on open wireless networks in the area just because I can, I’d hope that he’d be able to smile, say hi, and not let that carry over professionally or try to change who I am. Anything less is superficially shallow, in my books.
installing ssh on ubuntu 7.04 feisty
I don’t think I posted it, so I thought I would jot down installing an SSH server on Ubuntu 7.04 (Feisty).
sudo apt-get install ssh
gksudo gedit /etc/ssh/sshd_config
Change PermitRootLogin to no and change Port to the desired port number. Add a new line at the bottom, “AllowUsers username”, where username is the account you want to allow. You can use “DenyUsers username”, but once AllowUsers is set, all others are denied anyway.
Next, I want to add a little brute-force protection using pam-abl. These instructions may not be current, but they worked out for me. Add “deb http://ubuntu.tolero.org/ edgy main” to your /etc/apt/sources.list file. Remember to open it as root so you can save it. And yes, I am using edgy instead of feisty in this line.
sudo aptitude update
sudo aptitude upgrade
sudo aptitude install libpam-abl
sudo /etc/init.d/ssh restart
Run “sudo pam_abl” to list the current blacklist, and use --help for more features or manual blocking. Failed logins are collected in /var/lib/abl. SSH logs are written to /var/log/auth.log, but it might be useful to increase the logging level and location. Change “LogLevel INFO” to “LogLevel VERBOSE” to get more out of the logging.
Further hardening can be done. The files /etc/hosts.allow and /etc/hosts.deny allow or deny the listed hosts, respectively. These lines will allow two IP address ranges to connect but deny all others.
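Two of the steps above (editing sshd_config, and watching auth.log for the failed logins pam-abl acts on) can be checked from a script. This is an added example, not code from the post or from pam-abl; the sshd_config excerpt and the auth.log lines are constructed, and 203.0.113.5 is a documentation address standing in for a remote brute-forcer.

```python
"""Added example: audit the sshd_config settings the post edits and summarise
failed logins from auth.log, the signal pam-abl uses to build its blacklist."""
import re
from collections import Counter

# Constructed sshd_config excerpt; the values are made up for the example.
SAMPLE_SSHD_CONFIG = """\
# Package generated configuration file
Port 2222
Protocol 2
PermitRootLogin yes
LogLevel INFO
AllowUsers alice
"""

# Constructed /var/log/auth.log lines in the syslog format sshd writes.
SAMPLE_AUTH_LOG = """\
Aug 20 03:10:01 feisty sshd[4123]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Aug 20 03:10:03 feisty sshd[4125]: Failed password for invalid user test from 203.0.113.5 port 50130 ssh2
Aug 20 03:10:06 feisty sshd[4127]: Failed password for root from 203.0.113.5 port 50141 ssh2
Aug 20 03:10:07 feisty sshd[4129]: Failed password for alice from 192.168.1.25 port 40012 ssh2
Aug 20 03:10:11 feisty sshd[4129]: Accepted password for alice from 192.168.1.25 port 40012 ssh2
Aug 20 03:10:15 feisty sshd[4131]: Failed password for invalid user oracle from 203.0.113.5 port 50150 ssh2
"""


def parse_sshd_config(text):
    """Return {directive_lowercase: value}. sshd honours the first occurrence
    of a keyword, so later duplicates are ignored here as well."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, value)
    return conf


def audit_sshd_config(text):
    """List which of the post's hardening steps the config still lacks."""
    conf = parse_sshd_config(text)
    findings = []
    if conf.get("permitrootlogin", "yes").lower() != "no":  # sshd's default was yes
        findings.append("PermitRootLogin should be no")
    if conf.get("port", "22") == "22":
        findings.append("Port still 22")
    if "allowusers" not in conf:
        findings.append("AllowUsers not set")
    if conf.get("loglevel", "INFO").upper() != "VERBOSE":
        findings.append("LogLevel should be VERBOSE")
    return findings


FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def failed_logins_by_source(log_text):
    """Count failed password attempts per client address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def sources_over_threshold(log_text, threshold=3):
    """Addresses with at least `threshold` failures: blacklist candidates,
    the kind of decision pam-abl automates from the same log data."""
    return sorted(ip for ip, n in failed_logins_by_source(log_text).items()
                  if n >= threshold)


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("sshd_config:", finding)
    for ip, n in failed_logins_by_source(SAMPLE_AUTH_LOG).most_common():
        print(f"{ip}: {n} failed logins")
    print("over threshold:", sources_over_threshold(SAMPLE_AUTH_LOG))
```

Point it at the real files with open("/etc/ssh/sshd_config").read() and open("/var/log/auth.log").read(); with LogLevel VERBOSE the log also records which key or method each attempt used, which the regex above ignores.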
# /etc/hosts.allow
sshd: 10.10.10.0/255.255.255.0
sshd: 192.168.1.0/255.255.255.0
# /etc/hosts.deny
sshd: ALL
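To see how tcp_wrappers reads those two files, here is an added example (not part of the post) that applies its evaluation order, first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise access is granted, to a client address. Only the pattern forms the post uses (ALL and network/netmask) are handled; hostnames and the other wildcard forms are out of scope.

```python
"""Added example: evaluate the hosts.allow / hosts.deny rules from the post
for a given client address, following tcp_wrappers' first-match order."""
import ipaddress

# The two files exactly as the post gives them (constructed copies, not read from disk).
HOSTS_ALLOW = """\
sshd: 10.10.10.0/255.255.255.0
sshd: 192.168.1.0/255.255.255.0
"""
HOSTS_DENY = """\
sshd: ALL
"""


def parse_access_file(text):
    """Return a list of (daemon_list, client_list) tuples from an access file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, ip):
    """Match the client patterns the post uses: ALL, and net/mask (CIDR also works)."""
    if pattern == "ALL":
        return True
    try:
        return ip in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # hostnames and other wildcard forms are outside this example


def access_decision(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcp_wrappers order: the first match in hosts.allow grants access, otherwise
    the first match in hosts.deny refuses it, otherwise access is granted."""
    ip = ipaddress.ip_address(client_ip)
    for rules, verdict in ((parse_access_file(allow_text), "allow"),
                           (parse_access_file(deny_text), "deny")):
        for daemons, clients in rules:
            if ("ALL" in daemons or daemon in daemons) and \
                    any(client_matches(c, ip) for c in clients):
                return verdict
    return "allow"  # nothing matched in either file: tcp_wrappers permits by default


if __name__ == "__main__":
    for client in ("10.10.10.7", "192.168.1.200", "203.0.113.9"):
        print(f"sshd from {client}: {access_decision('sshd', client)}")
    print("ftpd from 203.0.113.9:", access_decision("ftpd", "203.0.113.9"))
```

The last line of that run shows the caveat: because the deny file names only sshd, any other wrapped service stays reachable from everywhere, which is why a hosts.deny of ALL: ALL is the usual default-deny starting point.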
Referenced Tolero.org for the pam-abl install. I also note an Ubuntu help file.
passive network mapping from cisco
For future reference, Cisco released a passive network mapping tool called SMART, Safe Network Mapping And Reporting Tool.
skype outage blamed on windows reboots…yeah right
Skype was down late last week for about 3 days or so. And not just for every single user; downloads of the software on their site were down too. This was supposedly due to a software algorithm update or something like that. Today I read this was due to the massive reboot of Microsoft Windows computers the previous night. TheRegister also has some info up, and is a little more cohesive.
I call bullshit. This is curiously close to PoC code released that supposedly (I say that because I’ve not tested it, nor could anyone else since the servers were down) would freeze a Skype server, then move to the next one, and so on. It was posted to SecurityLabs.ru. If true, that is certainly a critical, fatal, flaw.
1. A security issue to Skype would be a very, very big deal. One of the biggest contention points with Skype use is its security. I’d do everything in my power as well to protect that, such as shut off all servers and all users and all downloads in an effort to hide the insecurity issue.
2. The Windows reboot shouldn’t have occurred as late as it seemed like Skype was down. The reboot should occur Tuesday evenings in the dead of night, for automatic users, and at various times. I don’t think Skype was down until Thursday…
3. Why now? Why this month? Why not the last few months?
4. And Skype is going to tell us that a mass reboot of users exposed a vulnerability in the availability of their world class system? You have really got to be kidding me… But as much as that can be egg on their face, I would weigh that less than a security incident. Nonetheless, I can’t imagine the overhead of reconnecting to Skype truly caused such a showstopping event on the service’s login servers. I wonder how many Skypes get turned on every morning anyway?
Ever informative, the Internet Storm Center has an ongoing post which raises similar questions and more. I really like the thought that Skype needs Windows users to log in, so that means all these millions of users all had their machine auto-login? Again, right.
wireshark dos can lead to a more aggressive defense
Someday (not soon!) I’ll likely satisfy a curious project of mine in making a more aggressively defensive network. And vulnerabilities like the recently posted Wireshark MMS DoS are a perfect example of having a slightly more dangerous network to interlopers. Put up an outdated Wireshark sniffer while I randomly send out these packets and you won’t get too much. Especially anyone who uses live cds with outdated software. In this case, it is not necessarily about protecting devices and data, but actively knocking off rogue intruders.
hackerspaces
Networking is amazingly potent right now in our field. We have an amazingly growing number of XXXsec get-togethers in major parts of the country where like-minded geeks and security nuts can get together to hang out, share war stories, push technology to new limits, or just make new friends. Cons are still popping up here and there, and I think they truly are some of the highlights of the year for many a geek.
This has been growing on me, and I am enamored by the concept. Dan Kaminsky has been espousing the idea of “hackerspaces” on his romp through Europe. Hackerspaces are basically places set up where like-minded people can go and hang out, do things, fraternize, and all in a creative and supportive environment. Basically if you like coffee, you hang out at a coffeeshop and chill out; if you like reading, you hang out in a bookstore; if you like video games, you might try out a cyber bar or two with the buds or adopt someone’s basement as your playpen. Why not a hacker/geek/technology sort of space? It is an amazing idea, especially for someone like me who lives in a “networking-starved” middle of the country.
Metalab is one that Dan posted a link for. This concept is also a project of the Hacker Foundation. I hope Dan and the Hacker Foundation both continue to bring this to our attention; heck, the idea of presenting slideshows of his romps might be a nice shift of pace for Dan to present about! 🙂
I also think there is room for hackerspaces as a smaller concept. For instance, I bet many of us have decked out our offices (either cleanly or cluttered and dark!) at home in a way that best suits our work and helps our creativity. For instance, I tend to have black lights and other glowing things in lieu of lights (along with the glow of the monitors, of course) in my workspace.
As a side thought, it is interesting that for such a virtualized culture as we have, and as much as we work and live on the net, we still (for the most part) desire physical proximity with like-minded persons.
easy cisco vpn client priv escalation vuln
The Cisco VPN client for Windows has an interesting advisory out today. The local file cvpnd.exe (C:\Program Files\Cisco Systems\VPN Client) allows a user to replace the file with something else and have it executed with Local System privs. Replace this with a quick script that launches a shell (or does anything else you want) before launching the real cvpnd.exe. I prefer just creating a quick admin account that I control. That’s a nice little pocket-exploit to keep in mind, especially since plenty of systems get an initial install of the Cisco VPN and never get updated again for the life of it.
More information is posted on Cisco’s site. I saw this pass by the Full-Disclosure list. Local priv escalations don’t get much easier…
accessing ssh over the web
I’m not sure what to think about GoToSSH.com either. While this is something I’ve been kinda wondering when it would find a web interface (and likely has others, I just don’t know them), I’m not sure I would use it. I certainly would not use it for anything sensitive in nature. It doesn’t look like it supports certificates, but simply username/password challenge instead. This may make it somewhat moot to block outbound SSH anymore… (Yes, it always has been moot since it could use any port, but still…) Might be a site worth bookmarking or blacklisting depending on your view.
Network security continues as holding sand…
pen-testing lists
Peter Wood posted two lists to the SecurityFocus pen-test list recently, which I wanted to capture and reproduce here. Feel free to ignore this post.
First, Peter listed a bunch of tools and hardware he takes for on-site work:
1. Test laptop
2. Spare laptop
3. 4-way mains extension lead with regular plug and plug for computer room racks
4. Selection of Ethernet cables and couplers
5. Ethernet / Token Ring adapter (yes, there are still Token Ring users out there!)
6. Mini hub
7. Cisco console cable
8. Cross-over cable
9. External USB hard drive containing rainbow tables
10. USB key for backups
11. DOS bootable USB key
12. Selection of bootable CDs (Ophcrack Live, PasswordChangerPro, NTFSreader)
13. DVD containing copy of all my source files
14. Windows 2000 CD (for rebuilds!)
15. Swiss Army cyber tool
16. Spare laptop hard drive
17. Kensington lock (to comply with client policy if laptop left on site overnight)
18. Vodafone 3G card for Internet access if there’s no wireless
19. Laptop mouse x2
20. Mini USB hub
21. Modem cable and adapters (just in case!)
22. Magic markers
23. Blank CDs
24. Wheelie bag to carry it all in!
Second, he listed the directories found on the above-mentioned DVD of tools:
Absinthe
AccessChk
AccessEnum
Achilles
Active-at
adminpak
Amap
APak
AppDetective
ARPsniffer
ATA HD password
Athena
ATK
Beat LM
Buffer Overflow Utility
Cachedump
cain and abel
Cerberus
C-Force
Checkpoint-Rules
Chntpw
Cisco IOS HTTP Vuln
Citrix clients
Cobra
CommView
CookieViewer
Copernic
Core Impact
CRACKERS
aefsdr
AOPB
AOPR
APDFPRP
Brutus
CacheDump
CMOSpwd
IPR (Lotus Notes)
John the Ripper
L0phtcrack
LCP
LMCrack
Lotus Notes Key
LSASecretsDump
MBSA
NTPWD
Ophcrack
Passwd – recovery FULL
POPcrack
PWLTOOL
SAMInside
AZPR
Crowbar
Crypto4
CUPASS
Data Thief
Dell laptop cmos erase
DHCP Find
Dictionaries
Dumpsec
EFSdump
Essential NetTools
Ethereal Windows Version
Exploits
FGdump
Flash Decompiler
GetAcct
GetUserInfo
GTwhois
Hydra
Hyena
IDserve
IKE-scan
iShadow
KarenWare
Katapulta
LAN Surveyor
LANguard
LDAP Miner
LG
Locksmith
Maestro
Member of
Metasploit
MingSweeper
MSRDP client
MySQL query browser
NBTdump
NBTscan
Nessus
Netalert
NetBiosSpy
Netcat
NetScanTools Pro
Network Protocols Handbook
NetworkView
niktoogle
Nmap
NT Recover
NTFS Reader
NTFSDOS
NTFSRead
Oat
ObiWaN
oracle-sql-injection
Paros
PasswordsPro
Protected Storage PassView
Protos
PsLogList
Putty
PwdChangerPro
pwdump
Rainbow crack
RegBrws
Rempass
RPC scan
RPC Tools
SAMdump
SamInside
SamSpade
ScoopLM
SecuRemote client
ShareEnum
SID
Siphon
SiteDigger
SiVuS
SmartWhois
SMB Audit Tool
SMBcrack
SNMPing
SNScan
SNSI
SOAPbox
SoapMonitor
SolarWinds
Somar
SPIKEproXy
SSL Proxy
Streams
Subnet Calculator
Superscan
SWB
Sysinternals
SysRQ2
Tamper
Tools4Ever
Trojans
twwwscan
UBCD
Ultimate Boot CD
Unicorn Scan
URL discombobulator
USB boot
USBAuditor
Visual Web Spider
VNC
VOIP TESTING
WAR DIAL
WebDAVExplorer
WebInspect
WebScarab
WebSleuth
WinSID
WIRELESS
Wireshark
WPI
Zlash
radajo’s common misconceptions on arp cache poisoning
I don’t usually pimp sites, but every now and then I see a blog that looks very cool to follow. RaDaJo seems to be an excellent site to add to my feed. Of note, I got linked to their ARP cache poisoning misconceptions post. As a bonus, check the comments for two more links, one to an awesome GIAC paper that is basically everything you’ll ever need to know about ARP poisoning, and the Oxid.it link as well. Maybe all that is left is more details on how to detect ARP cache poisoning, but Raul Siles may have covered that in his paper. I see he has a remediation section, but I’ve not gotten there yet. Arpwatch/Arpalert…anomalous trends in ARP traffic…
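The detection question the post ends on, as an added example that is not from RaDaJo’s post, the GIAC paper or any of the tools named: an arpwatch-style monitor that keeps an IP-to-MAC table and raises the three classic alerts (new station, changed ethernet address, flip-flop) plus one for a single MAC claiming several IPs. The ARP reply records it runs on are constructed; in practice they would come from a sniffer on the segment.

```python
"""Added example: minimal arpwatch-style detection over ARP replies."""
from collections import defaultdict

# Constructed sample of (timestamp, sender_ip, sender_mac) taken from ARP replies.
# 192.168.1.1 plays the gateway; 00:de:ad:be:ef:99 is the station that misbehaves.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "192.168.1.1", "00:11:22:33:44:55"),
    ("10:00:05", "192.168.1.20", "00:aa:bb:cc:dd:01"),
    ("10:00:09", "192.168.1.1", "00:11:22:33:44:55"),   # unchanged: no alert
    ("10:00:12", "192.168.1.1", "00:de:ad:be:ef:99"),   # gateway IP now claims a new MAC
    ("10:00:13", "192.168.1.20", "00:de:ad:be:ef:99"),  # same MAC also claims .20
    ("10:00:20", "192.168.1.1", "00:11:22:33:44:55"),   # flips back: the flip-flop pattern
]


class ArpMonitor:
    def __init__(self):
        self.table = {}                      # ip -> MAC currently claimed for it
        self.history = defaultdict(set)      # ip -> every MAC ever seen for it
        self.alerts = []

    def observe(self, ts, ip, mac):
        """Record one ARP reply and append any alerts it triggers."""
        mac = mac.lower()
        prev = self.table.get(ip)
        if prev is None:
            self.alerts.append(("new_station", ts, ip, mac))
        elif prev != mac:
            # A MAC we have seen before for this IP coming back is a flip-flop,
            # the signature of a poisoner fighting the real host for the entry.
            kind = "flip_flop" if mac in self.history[ip] else "changed_ethernet_address"
            self.alerts.append((kind, ts, ip, f"{prev} -> {mac}"))
        self.table[ip] = mac
        self.history[ip].add(mac)
        # One MAC answering for several IPs at once is the other common symptom.
        claimants = sorted(i for i, m in self.table.items() if m == mac)
        if len(claimants) > 1:
            self.alerts.append(("mac_claims_multiple_ips", ts, mac, claimants))


def analyze(replies):
    """Run the monitor over a sequence of replies and return the alert list."""
    mon = ArpMonitor()
    for ts, ip, mac in replies:
        mon.observe(ts, ip, mac)
    return mon.alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_ARP_REPLIES):
        print(*alert)
```

Legitimate events produce some of the same alerts (a replaced NIC, a DHCP lease moving to another machine, a router with VRRP failover), so the value is in the trend the post hints at: how often entries change and whether they oscillate, not in any single change.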
notes on crontab including redirecting output
Kevin van Zonneveld has posted some notes on using crontab. I don’t use crontab enough, which means I always have to look up the time settings. However, that is easily done via Google. What I really liked about Kevin’s notes dealt with handling the errors and pointing them to a file rather than the user’s mailbox. I can see reasons for doing it either way.
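As an added illustration of the redirection Kevin’s notes cover (these entries are my own example, not taken from his post, and the script and log paths are assumed), a crontab that writes output to files instead of mailing it:

```crontab
# Added example crontab; paths are placeholders, not from the original notes.
# Setting MAILTO empty stops cron mailing whatever is not redirected below.
MAILTO=""

# m    h  dom mon dow  command
# Append both stdout and stderr to one log. The order matters: "2>&1" must
# come after the stdout redirect, or stderr goes to the old stdout (the mail).
*/15   *  *   *   *    /home/user/bin/backup.sh >> /home/user/logs/backup.log 2>&1

# Discard normal output but keep errors in their own file for review.
0      3  *   *   *    /home/user/bin/cleanup.sh > /dev/null 2>> /home/user/logs/cleanup.err
```

Leaving MAILTO set and redirecting only stdout is the middle ground: routine output goes to the file while anything on stderr still lands in the mailbox.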